Blacklists

Hi,

Please make sure to always list what version of messaging server you are using (imsimta version).

> I need to implement blacklists in Messaging Server.

What type of blacklists? You can implement blocking based on IP blacklists (such as SORBS) using the dns_verify plugin. Blacklists based on sender or receiver addresses or email domains can be implemented using general database callouts.

> Is it possible to configure mapping tables

> (SEND_ACCESS) to load blacklists from LDAP?

Do you mean some kind of callout to LDAP to see whether a value is listed? This would be slower of course then a general database callout.

> Do you know better method to implement blacklists

> (addresses have to be loaded from LDAP)?

An example of what you would like to block would be helpful and what kind of structure you were thinking with respect to listing the values in LDAP.

Shane.

shane_hjorth at 2007-7-7 1:02:32 >

I found in Administration Guide:

"Some of the configuration, for instance the mappings, aliases, and the general, reverse, and forward lookup tables are reloadable. Changes to these files can be activated by recompiling the configuration and issuing the imsimta reload command."

Solution with general database is not acceptable for me, because our users should be able to modify addresses in their black lists.

Mayby it is possible to fulfil this requirement with LDAP.

Has anyone configure mapping table to load addresses from LDAP?

Best regards,

e4rd

e2rd at 2007-7-7 1:02:32 >

Hi,

Could you explain me how does the LDAP callout from mapping table work?

Why is it so performance-expensive?

I need an examplary mapping table entry that configure LDAP callout (for performance testing).

Every user could have 0..n entries in LDAP with blacklists addressess (attribute called 'blacklist').

Best regards,

e2rd

e2rd at 2007-7-7 1:02:32 >

Hi Shane,

Our customer doesn't accept the solution with filters (sieve rules) because:

1. if the filter is configured to reject blacklisted addresses/domains then our MTA sends an e-mail with rejection info. If an e-mail comes from invalid address then our MTA becomes a spammer (!),

2. if the filter is configured to discard blacklisted addresses/domains then sender which is on user's blacklist don't get information that his message was discarded (that is not accepted).

The solution would be blocking blacklisted addresses on SMTP tier.

I need information how to configure Messaging Server to implement this functionality or information that it is impossible in our version.

Best regards,

e2rd

e2rd at 2007-7-7 1:02:32 >

Our customer want to implement blocking blacklisted addresses/domains based on SMTP.

Rejection information for blacklisted sender is required, but it can't be an e-mail from our MTA.

Our MTA should send SMTP rejection and blacklisted sender should get rejection information from his MTA.

I think mapping tables work in this way.

But I need to implement blacklists separate for every user and users should be able to modify their blacklists.

Is it possible using general database callouts or only solution are mapping tables with LDAP callouts?

Could you give me some exemplary mapping table entry that implements loading blacklisted address from ldap?

Do you know some other solution that fulfil our customer's requirements?

Best regards,

e2rd

e2rd at 2007-7-7 1:02:32 >

Hi,

I had a bit of a play with the idea of storing blacklist information on a per user basis in the directory and this is what I came up with:

Step 1:

- Create new attributes called blacklistemailaddr & blacklistemaildomain

- Create new objectclass called emailblacklist containing above attributes

Step 2:

- Add entries to user e.g.

uid=user001, ou=People, o=domain1.com, o=isp

objectclass=emailblacklist

mail=user001@domain1.com

blacklistemaildomain=gmail.com

blacklistemailaddr=test@hotmail.com

Step 3:

- Add appropriate mappings table rule (you will need to customise the base, in my case it's set to o=isp)

ORIG_SEND_ACCESS

tcp_local|*@*|*|*$C$]ldap:///o=isp?mail?sub?(&(|(mail=$3)(mailalternateaddress=$3)(mailequiv alentaddress=$3))(|(blacklis

temailaddr=$0@$1)(blacklistemaildomain=$1)))[$N$ has$ blacklisted$ your$ address$E

Step 4:

- Rebuild mapping table (./imsimta cnbuild) and test

bash-2.05# ./imsimta test -mapping

Enter table name: ORIG_SEND_ACCESS

Input string: tcp_local|test@hotmail.com|tcp_intranet|user001@domain1.com

Output string: user001@domain1.com has blacklisted your address

Output flags: [0, 'N' (78)]

Step 4:

- 'real-world' test

bash-3.00$ telnet mailhost.com 25

220 mailhost.com -- Server ESMTP (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006))

mail from: test@hotmail.com

250-2.5.0 No HELO/EHLO seen; continuing anyway, [10.11.12.13].

250 2.5.0 Address Ok.

rcpt to: user001@domain1.com

550 5.7.1 user001@domain1.com has blacklisted your address

So this seems to fulfill your requirement. I leave it as an exercise to the reader on how to create an interface to add the attributes into the users entry. The performance hits due to the mapping rule are unknown (but as Jay mentioned earlier, they could be quite large).

Also to be considered is whether the rule should be checked before/after expansion i.e. if you send to a mailing list with 300 people, should you check based on the mailing list (if it has blacklist addr/domain) or for each individual recipient of that list? Which option you choose will determine the best table for the mapping rule.

Regards,

Shane.

shane_hjorth at 2007-7-7 1:02:32 >

Hi Shane,

Thank you for your answer.

I made steps 1-3.

When I test it using imsimta test -mapping i get:

Output string = Input string

Output flags: [ ]

or

Output string:

Output flags: [0]

I suppose that my LDAP URL:

*|*@*|*|* $C$]ldap:///o=eranet.pl,o=eranet.pl?mail?sub?(&(|(mail=$3)(mailalternateadd ress=$3)(mailequiv alentaddress=$3))(|(blacklistemailaddr=$0@$1)(blacklistemaildomain=$1)))[$N$ has$ blacklisted$ your$ address$E

is incorrect.

In my LDAP logs I can't see any callout.

I add LDAP_HOST and LDAP_PORT in my option.dat, but it does't help.

I try to change my LDAP URL to:

*|*@*|*|* $C$ldap://host:port/ou=People,o=eranet.pl,o=eranet.pl?mail?sub?(&(|(mail=$3 )(mailalternateaddress=$3)(mailequiv alentaddress=$3))(|(blacklistemailaddr=$0@$1)(blacklistemaildomain=$1)))[$N$ has$ blacklisted$ your$ address$E

but it also doesn't work.

How to test the LDAP URL?

Best regards,

e2rd

e2rd at 2007-7-7 1:02:32 >

Hi,

Happy to help. On the question of testing the LDAP URL, I went through a trial/error process of starting with a small simple ldap query for the mapping entry, running the imsimta test -mapping command (after rebuilding the MTA config of course) and then seeing what the directory server received returned (directory server access logs).

If there was no query sent to the directory server, there is most likely a syntax error with the query (missing "(" or something like that).

Any feedback on the performance/usability of ldap based blacklists would be useful to other forum readers I am sure.

Shane.

shane_hjortha at 2007-7-21 15:20:32 >

Hi,

I'm not sure if it is possible to switch-channel based on a mapping table match (I haven't seen an example of this myself and scanning through the documentation didn't show an appropriate tag).

At this point I don't see any simple answer to your issue. A whitelist could be implemented at the filtering step, how are you doing this currently (i.e. what currently filters 'spam' into a spam folder?)

Shane.

shane_hjortha at 2007-7-21 15:20:32 >