Vetinari's $HOME


dnswl_org_local - lookup information locally


The dnswl_org_local plugin uses the whitelist from to set a connection note (dnswl_org_local) based on the score of the result.

You need the rsynced generic-dnswl database on disk (or any other file with the same format), see on how to fetch it. Once the file changes on disk, this plugin will reread it in hook_pre_connection.


Arguments for this plugin are key / value pairs, valid arguments are

header (1|0)

This will add an X-DNSWL: header with the score (or No if not whitelisted) to the message when set to a true value. Defaults to false, i.e. no header is added.


file PATH

This specifies the full path to the generic-dnswl database. This is the only required argument.

ignore_fail (1|0)

Do not set a connection note if the host is not found. This is useful if this plugin is running a second time with a smaller override list (use this for all but the first instance if you're running this plugin more than once). Defaults to false.

wl_conn SCORE

Set the connection note whitelisthost if the dnswl score is greater than or equal to SCORE. This note is read by several plugins from the qpsmtpd core distribution (like check_earlytalker, greylisting, dnsbl, ...).


Other plugins can get the score via

  my $score = $self->qp->connection->notes('dnswl');
  $score = defined $score ? $score : -1;

All other dnswl info about the connection can be found in the dnswl-info connection note:

  my $info = $self->qp->connection->notes('dnswl-info');
  if (exists $info->{id}) {
      # valid keys:
      #    id ( ID), 
      #    domain (name or hostname), 
      #    cat_id (category id),
      #    category (category name),
      #    score (numerical score),
      #    mask (32bit netmask)...
      ## to get dnswl net/mask entry:
      ## $ip   = $self->qp->connection->remote_ip;
      ## $net  = join(".", unpack("C4", pack("C4", split(/\./, $ip)) & $mask));
      ## $mask = index(unpack("B*", $mask), "0", 0);
      ## $entry = "$net/" . (($mask < 0) ? 32 : $mask);
  }


This plugin will add a memory footprint of ca. 12 MiB per process for keeping the whitelist in memory.

If adds network masks < 16 (read: 15, 14, ...) the lookup mechanism has to be expanded.

To override scores locally, load this plugin a second time with a modified subset of the database. Put something like this in the plugins file:

 dnswl   file /var/lib/qpsmtpd/generic-dnswl
 dnswl:0 file /var/lib/qpsmtpd/local ignore_fail 1

To mark some hosts as more trusted than the DB does, we use something like

 CHANGED=$( stat -c '%Y' $DNSWL_BASE/generic-dnswl ) 
 rsync --times\* $DNSWL_BASE/
 if [ $CHANGED -lt $(  stat -c '%Y' $DNSWL_BASE/generic-dnswl ) ]; then
    awk -F";" -vOFS=";" '$4 ~ /^(debian|ubuntu|freedesktop)[.]/ {
            $3 = "med";
            print $0
        }' > $DNSWL_BASE/local < $DNSWL_BASE/generic-dnswl
    echo ";10;hi;local;0" >> $DNSWL_BASE/local
 fi

To mark an entry as not trusted at all, just set $3 to some invalid value, i.e. not "none", "low", "med" or "hi". Preferred value is "No".

Add local whitelisted hosts as needed to the local DB, e.g. as above

  echo ";10;hi;local;0" >> $DNSWL_BASE/local
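
A raised score in the local file can reach the wl_conn threshold and set whitelisthost, which other plugins read, so it helps to review what an override file changes before loading it. The shell function below is an added example, not part of the plugin or the original page; it assumes five `;`-separated fields with the network in field 1 (the page only shows fields 3 and 4 in use), and `audit_overrides`, `demo_audit` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a local dnswl override file against the upstream DB.
# Assumption: lines are "net/mask;cat_id;score;domain;id" (five ';' fields),
# with field 1 as the lookup key; the page only shows fields 3 and 4 in use.

# audit_overrides UPSTREAM LOCAL -> one status line per LOCAL entry.
# Returns 1 if LOCAL contains a line without exactly five fields.
audit_overrides() {
    awk -F';' '
        # Trust ordering of the four valid score tokens; anything else is -1.
        function rank(s) { return (s in lvl) ? lvl[s] : -1 }
        BEGIN { lvl["none"] = 0; lvl["low"] = 1; lvl["med"] = 2; lvl["hi"] = 3 }
        NR == FNR { up[$1] = $3; next }        # first file: upstream score per net
        NF != 5   { print "MALFORMED line " FNR ": " $0; bad = 1; next }
        {
            new  = rank($3)
            prev = ($1 in up) ? up[$1] : "-"
            if (new < 0)               st = "UNTRUSTED"   # e.g. "No"
            else if (prev == "-")      st = "NEW"
            else if (new > rank(prev)) st = "RAISED"
            else if (new < rank(prev)) st = "LOWERED"
            else                       st = "SAME"
            print st, $1, $4, "upstream=" prev, "local=" $3
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# demo_audit: run the audit on constructed sample data (documentation nets).
demo_audit() {
    d=$(mktemp -d) || return 2
    cat > "$d/generic-dnswl" <<'EOF'
192.0.2.0/24;10;low;debian.example;1001
198.51.100.0/24;5;med;mail.example;1002
203.0.113.0/24;2;hi;shop.example;1003
EOF
    cat > "$d/local" <<'EOF'
192.0.2.0/24;10;med;debian.example;1001
203.0.113.0/24;2;No;shop.example;1003
10.0.0.0/8;10;hi;local;0
198.51.100.0/24;5;med
EOF
    audit_overrides "$d/generic-dnswl" "$d/local"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_audit || true
```

Against real files the call would be `audit_overrides "$DNSWL_BASE/generic-dnswl" "$DNSWL_BASE/local"`; RAISED and NEW lines are the ones to review by hand.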