MeidokonWiki:

Postfix/Automatic_whitelisting

From http://archives.neohapsis.com/archives/postfix/2010-01/0555.html

This is for creating an inbound-whitelist, based on addresses that your own users have sent mail to in the past. Read the thread for more ideas and context.

Later, this dude posted his homebrew solution: http://mailfud.org/postpals/


Daniel L. Miller put forth on 1/18/2010 1:30 PM:

>> If you _need_ a home brew solution _now_, start small and inelegant, getting
>> most of the functionality you want/need. This can be done with simple scripts
>> and cron. After it's working relatively well, _then_ spend time creating the
>> "elegant" solution. JMHO.
>>
>
> But the main thing is having OP-maintained lists is exactly what I'm
> trying to avoid and completely misses the point of having an
> auto-whitelist.

How is the above mentioned solution an "OP-maintained" list? The scripts and
cron scheduling would be OP maintained (not much time expended after initial
setup) but once set up the white listing is fully automated. As an example...

Add in the appropriate place in main.cf
        check_sender_access hash:/etc/postfix/auto-whtlst

Set your log rotation for 24 hours so you never have a huge /var/log/mail.log
file to process. Touch /etc/postfix/auto-whtlst and
/etc/postfix/auto-whtlst.raw. Create a script something like this:

/usr/bin/whtlst_gen.sh
#! /bin/sh

# [1] grab all sent to addresses from the current mail log
sed -n -e '/postfix\/smtp\[.*status=sent/s/^.*to=<\([^>]*\).*$/\1/p' \
    /var/log/mail.log | sort -u > /tmp/sender_addrs.tmp

# merge the new addresses with the current list, eliminate dups
cat /tmp/sender_addrs.tmp /etc/postfix/auto-whtlst.raw \
    | sort | uniq > /tmp/wrkng-whtlst.tmp

# keep a copy without "OK" action for next processing iteration
cp /tmp/wrkng-whtlst.tmp /etc/postfix/auto-whtlst.raw

# add "OK" action to each entry, generating new list file
sed 's/$/ OK/g' /etc/postfix/auto-whtlst.raw > /etc/postfix/auto-whtlst

# regenerate hash
/usr/sbin/postmap /etc/postfix/auto-whtlst

I'm not a script god, and this could obviously be optimized. I've intentionally
split some things out for easy(er) reading. That said, cron this script or
something similar to run every 5 to 10 minutes, or as often as the OP deems
necessary. On modern hardware, if this site has a moderate mail stream, this
script will execute pretty quickly (seconds) and generate minimal system load
for a short duration. The above script is a concept only, something I just
whipped up. I would think it should work with little modification.

Once implemented, something like this will be fully automatic. It implements
crude sender address verification as it only grabs addresses logged with
status=sent.

It's not "optimal" or "real time" or "elegant", but is simple, easy, quick to
implement, and doesn't burden the system. I would think it would give the OP at
least 90%+ of what he's looking for wrt the requested functionality, although it
does introduce slightly increased exposure to forged sender address spam.

-- 
Stan

[1] Viktor Dukhovni contributed the first sed line of this script back in 2004
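
A hardened variant of the script in the post above, added here as an example and not part of Stan's message or the thread: it validates each logged address before it becomes an access-table key, builds its work files with mktemp instead of fixed names in /tmp, and swaps the lists in with mv. The function names, the parameterised paths and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): same log-to-whitelist idea with
# validated addresses, mktemp work files and atomic replacement of the lists.

# Print unique, lower-cased recipients of postfix/smtp deliveries logged as sent.
# " to=<" (leading space) keeps the greedy match from landing on orig_to=<...>.
extract_sent_rcpts() {
    sed -n -e '/postfix\/smtp\[.*status=sent/s/^.* to=<\([^>]*\)>.*$/\1/p' "$1" |
        tr 'A-Z' 'a-z' |
        grep -E '^[^[:space:]@]+@[a-z0-9.-]+$' |
        LC_ALL=C sort -u
}

# Merge new addresses into RAW, then rebuild LIST as "address OK" lines.
# Work files are made by mktemp in the target directory (unpredictable names,
# same filesystem), so mv replaces the live files in one step.
update_whitelist() {
    log=$1; raw=$2; list=$3
    dir=$(dirname "$list")
    new_raw=$(mktemp "$dir/.whtlst-raw.XXXXXX") || return 1
    new_list=$(mktemp "$dir/.whtlst.XXXXXX") || { rm -f "$new_raw"; return 1; }
    [ -f "$raw" ] || : > "$raw"
    extract_sent_rcpts "$log" | LC_ALL=C sort -u - "$raw" > "$new_raw"
    sed 's/$/ OK/' "$new_raw" > "$new_list"
    chmod 644 "$new_raw" "$new_list"   # mktemp creates 0600 files
    mv "$new_raw" "$raw" && mv "$new_list" "$list"
}

# Constructed sample data: run one update in a scratch directory, print the list.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/mail.log" <<'EOF'
Jan 18 13:30:01 mx postfix/smtp[2101]: A1: to=<Alice@Example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 ok)
Jan 18 13:30:02 mx postfix/smtp[2101]: B2: to=<bob@example.org>, relay=none, status=deferred (connection timed out)
Jan 18 13:30:03 mx postfix/smtp[2101]: C3: to=<carol@example.net>, orig_to=<sales@example.com>, relay=mx.example.net[192.0.2.20]:25, status=sent (250 ok)
Jan 18 13:30:04 mx postfix/local[2102]: D4: to=<localuser@example.com>, relay=local, status=sent (delivered to mailbox)
Jan 18 13:30:05 mx postfix/smtp[2101]: E5: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 ok)
Jan 18 13:30:06 mx postfix/smtp[2101]: F6: to=<dave@example.org>, relay=mx.example.org[192.0.2.10]:25, status=bounced (550 no such user)
Jan 18 13:30:07 mx postfix/smtp[2101]: G7: to=<x OK@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 ok)
EOF
    echo 'zed@example.com' > "$d/raw"
    update_whitelist "$d/mail.log" "$d/raw" "$d/list" && cat "$d/list"
    rm -rf "$d"
}

# Production use: update_whitelist LOG RAW LIST with the real paths, then postmap LIST.
```

Calling demo prints the three entries that survive: the deferred, bounced, locally delivered and malformed recipients are dropped, and the orig_to line contributes its actual recipient.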

MeidokonWiki: Postfix/Automatic_whitelisting (last edited 2010-02-05 16:35:24 by furinkan)