RELEASE: Postwhite 0.1.0

Hi

I've just released the first version of Postwhite, a policy server for  
Postfix which implements whitelisting. These per-recipient whitelists  
are entirely managed by use of emails.

http://www.bitcetera.com/products/postwhite

Here's a real-life example of what Postwhite does:

Arthur‘s main email address [hidden email] is great for everyday use,  
but he doesn‘t want to pollute it by using it for mailing lists,  
websites, online shopping and such. Postwhite to the rescue! Arthur  
creates a virtual email address [hidden email] which is delivered  
to the same mailbox.

Initially, all incoming emails will be rejected, so when Arthur  
decides to join the Betelgeuse mailing list (digest), his whitelist  
has to learn about this. Arthur sends an empty email to [hidden email]
  which puts Postwhite into learning mode for a limited period of  
time. In learning mode, Postwhite allows and delivers any incoming  
mails, yet it delivers a followup notification message along with it.  
When the first email from the Betelgeuse mailing list comes in, Arthur  
simply replies to the corresponding notification message thus adding  
Betelgeuse to the whitelist.

It's still a very early version and maybe not yet fit for high traffic  
MTAs. But I'd love to hear what you think about the idea and  
implementation of Postwhite. And I have quite a few ideas for future  
features (see FAQ) provided there's public interest and maybe even  
some sponsor.

Postwhite is written in Ruby, "all in one file" and thus very easy to  
install. There's also an ebuild available for Gentoo Linux users. (The  
ebuild is in queue for inclusion in the Gentoo Sunrise Overlay within  
the next few days.)

Cheers, -sven

On Thursday 24 July 2008 12:37, Sven Schwyn wrote: You appear to have missed the next step where spammers scrape Arthur's list
mail address from the mailing list archives and use it as the Mail From
address in spam they send to him.

Scott K

On Fri, 25 Jul 2008 06:32:13 am Scott Kitterman wrote:
> You appear to have missed the next step where spammers scrape Arthur's list
> mail address from the mailing list archives and use it as the Mail From
> address in spam they send to him.
>
> Scott K

Just need to make sure the list owner has deployed SPF and DKIM before
then :-)

--

Daniel Black
--
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
GPG Signature D934 5397 A84A 6366 9687  9EB2 861A 4ABA 7667 7097

On Fri, July 25, 2008 12:28, Daniel Black wrote:

> Just need to make sure the list owner has deployed SPF and DKIM before
> then :-)

does not help here, its the maillist USER that should provide a spf on
domain he is sending from, then the maillist-owner can reject forged mails
to the maillist, that is step one :-)

number 2 is that maillist can have spf on the maillist return-path olso to
make shure maillist sender does not send direct with the return-path on
maillist without have seen it on maillist

now trying dkim

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

On Fri, 25 Jul 2008 20:28:45 +1000 Daniel Black
<[hidden email]> wrote:
>On Fri, 25 Jul 2008 06:32:13 am Scott Kitterman wrote:
>> You appear to have missed the next step where spammers scrape Arthur's
list
>> mail address from the mailing list archives and use it as the Mail From
>> address in spam they send to him.
>>
>> Scott K
>
>Just need to make sure the list owner has deployed SPF and DKIM before
>then :-)
>
My first thought when I read that was 'or' not 'and'.  My second was, 'Not
really'.

Based on the example, he's whitelisting based on Rcpt To. In my counter
example the local domain is being used in both Mail From and Rcpt To, so
the only domain's SPF that might enter into this is his own.  SPF can be
used to reject such messages, but there are other ways to do it for your
own domains.

The policy service does not have access to the message body, so no DKIM
either.

A domain level whitelist function based on SPF Pass or good DKIM signatures
would potentially be useful (no way to do the latter in a policy server in
any case), but that doesn't seem to be what's on offer here.

Scott K

On Fri, July 25, 2008 14:05, Scott Kitterman wrote:

> Based on the example, he's whitelisting based on Rcpt To. In my counter
> example the local domain is being used in both Mail From and Rcpt To, so

dont test spf on this 2 headers

> the only domain's SPF that might enter into this is his own.

wroung, see headers from this maillist

> SPF can be used to reject such messages, but there are other ways to
> do it for your own domains.

i have seen one sending back bounces to maillist with my email as return-path

very cleever done when i see the bounce

> The policy service does not have access to the message body, so no DKIM
> either.

yes a shame dkim does not integrade well, but atleast if it works in
postfix we can downgrade to sendmail and keep our milter setup stilll
going, with is not bad at all

> A domain level whitelist function based on SPF Pass or good DKIM
> signatures would potentially be useful (no way to do the latter
> in a policy server in any case), but that doesn't seem to be
> what's on offer here.

policyd-weight have missed spf and greylist for so long now, if this was
weighted 2 then it was good, do greylist when spf fail, or skip greylist
when spf pass

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

On Thu, 24 Jul 2008 16:32:13, Scott Kitterman wrote
> You appear to have missed the next step where spammers scrape  
> Arthur's list
> mail address from the mailing list archives and use it as the Mail  
> From
> address in spam they send to him.

That won't work because Arthur can't send any messages to himself  
unless he puts his own domain or email on the whitelist. Command mails  
from/to yourself are DISCARDED unless they are sent with SASL  
authentication.

What you could do on the other hand is use the list's domain as a  
forged sender. However, at this stage no spam I get is doing this  
which is why I ignored this case for 0.1.0. (Besides, I don't think of  
Postwhite as a magic stick, more another brick in the wall. For me, it  
cuts SPAMs down from 10 per day to 1 per week at this point.)

DKIM can't be added to a policy server by design. SPF on the other  
hand is doable. And it should do the trick because Postwhite only  
makes sense if you subscribe to a digest that comes from the list  
owner and not from the original sender. (Postwhite by design is  
worthless if you subscribe to a mailinglist's "individual mails"  
instead of a digest.)

In addition, the client_name or reverse_client_name could be recorded  
along with the whitelist entry to kick forged mails sent via another  
MTA. The only flipside to this is that should the list owner for  
whatever reason change the MTA, the whitelist would no longer deliver.  
The same, however, is true if the list changes its domain. A weekly  
automatic status message which lists these cases could at least alert  
the user that he might have missed someting. Good thing about mailing  
lists - they all have archives.

Thanks for your thoughts, more, please :-)

PS:
I'll be offline till Tuesday.

Sven Schwyn wrote:
> Hi
>
> I've just released the first version of Postwhite, a policy server for
> Postfix which implements whitelisting. These per-recipient whitelists
> are entirely managed by use of emails.
It's a nice thought - and I like seeing something controlled via e-mail
instead of modifying config files or maps.  However, something which
might be more beneficial for day-to-day operations (instead of
subscriptions) would to automatically whitelist recipients from
authorized senders.  So once someone within your organization sends
someone else a message - replies are immediately accepted.

You might want to take a look at how ASSP performs this and other
operations.  While I love what ASSP has done for my installs with
Postfix - I'd also like to see a Postfix policy server implementation
instead of ASSP's proxy method.
--
Daniel