2005-05-25 22:07:58 +02:00
|
|
|
#!perl -w
|
|
|
|
|
2006-03-09 13:37:25 +01:00
|
|
|
=head1 NAME
|
|
|
|
|
2006-12-07 11:29:41 +01:00
|
|
|
dnsbl - handle DNS BlackList lookups
|
2006-03-09 13:37:25 +01:00
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
2006-12-07 11:29:41 +01:00
|
|
|
Plugin that checks the IP address of the incoming connection against
|
|
|
|
a configurable set of RBL services.
|
2006-03-09 13:37:25 +01:00
|
|
|
|
|
|
|
=cut
|
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
sub register {
|
2005-05-25 22:07:58 +02:00
|
|
|
my ($self, $qp, $denial ) = @_;
|
|
|
|
if ( defined $denial and $denial =~ /^disconnect$/i ) {
|
|
|
|
$self->{_dnsbl}->{DENY} = DENY_DISCONNECT;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->{_dnsbl}->{DENY} = DENY;
|
|
|
|
}
|
2005-07-07 06:17:39 +02:00
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
}
|
|
|
|
|
2005-07-07 06:17:39 +02:00
|
|
|
sub hook_connect {
|
2002-07-15 14:16:10 +02:00
|
|
|
my ($self, $transaction) = @_;
|
2002-09-10 15:42:06 +02:00
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
|
|
|
2004-03-04 05:33:47 +01:00
|
|
|
# perform RBLSMTPD checks to mimic Dan Bernstein's rblsmtpd
|
|
|
|
if (defined($ENV{'RBLSMTPD'})) {
|
|
|
|
if ($ENV{'RBLSMTPD'} ne '') {
|
2004-04-27 12:05:41 +02:00
|
|
|
$self->log(LOGINFO, "RBLSMTPD=\"$ENV{'RBLSMTPD'}\" for $remote_ip");
|
2004-03-04 05:33:47 +01:00
|
|
|
return DECLINED;
|
|
|
|
} else {
|
2004-04-27 12:05:41 +02:00
|
|
|
$self->log(LOGINFO, "RBLSMTPD set, but empty for $remote_ip");
|
2004-03-04 05:33:47 +01:00
|
|
|
return DECLINED;
|
|
|
|
}
|
|
|
|
} else {
|
2004-04-27 12:05:41 +02:00
|
|
|
$self->log(LOGDEBUG, "RBLSMTPD not set for $remote_ip");
|
2004-03-04 05:33:47 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
my $allow = grep { s/\.?$/./; $_ eq substr($remote_ip . '.', 0, length $_) } $self->qp->config('dnsbl_allow');
|
|
|
|
return DECLINED if $allow;
|
|
|
|
|
|
|
|
my %dnsbl_zones = map { (split /:/, $_, 2)[0,1] } $self->qp->config('dnsbl_zones');
|
2002-09-10 15:42:06 +02:00
|
|
|
return DECLINED unless %dnsbl_zones;
|
2002-09-10 15:36:58 +02:00
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
my $reversed_ip = join(".", reverse(split(/\./, $remote_ip)));
|
|
|
|
|
|
|
|
# we should queue these lookups in the background and just fetch the
|
|
|
|
# results in the first rcpt handler ... oh well.
|
|
|
|
|
|
|
|
my $res = new Net::DNS::Resolver;
|
2004-11-27 08:02:23 +01:00
|
|
|
$res->tcp_timeout(30);
|
|
|
|
$res->udp_timeout(30);
|
|
|
|
|
2002-09-10 18:36:45 +02:00
|
|
|
my $sel = IO::Select->new();
|
2002-09-10 15:36:58 +02:00
|
|
|
|
2006-12-16 10:46:12 +01:00
|
|
|
my $dom;
|
2002-07-15 14:16:10 +02:00
|
|
|
for my $dnsbl (keys %dnsbl_zones) {
|
2004-03-04 05:33:47 +01:00
|
|
|
# fix to find A records, if the dnsbl_zones line has a second field 20/1/04 ++msp
|
2006-12-16 10:46:12 +01:00
|
|
|
$dom->{"$reversed_ip.$dnsbl"} = 1;
|
2004-03-04 05:33:47 +01:00
|
|
|
if (defined($dnsbl_zones{$dnsbl})) {
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGDEBUG, "Checking $reversed_ip.$dnsbl for A record in the background");
|
2004-03-04 05:33:47 +01:00
|
|
|
$sel->add($res->bgsend("$reversed_ip.$dnsbl"));
|
|
|
|
} else {
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGDEBUG, "Checking $reversed_ip.$dnsbl for TXT record in the background");
|
2004-03-04 05:33:47 +01:00
|
|
|
$sel->add($res->bgsend("$reversed_ip.$dnsbl", "TXT"));
|
|
|
|
}
|
2002-09-10 15:36:58 +02:00
|
|
|
}
|
|
|
|
|
2002-09-10 18:36:45 +02:00
|
|
|
$self->qp->connection->notes('dnsbl_sockets', $sel);
|
2006-12-16 10:46:12 +01:00
|
|
|
$self->qp->connection->notes('dnsbl_domains', $dom);
|
2002-09-10 15:36:58 +02:00
|
|
|
|
|
|
|
return DECLINED;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub process_sockets {
|
|
|
|
my ($self) = @_;
|
|
|
|
|
|
|
|
my $conn = $self->qp->connection;
|
|
|
|
|
|
|
|
return $conn->notes('dnsbl')
|
|
|
|
if $conn->notes('dnsbl');
|
|
|
|
|
2004-03-04 05:33:47 +01:00
|
|
|
my %dnsbl_zones = map { (split /:/, $_, 2)[0,1] } $self->qp->config('dnsbl_zones');
|
|
|
|
|
2002-09-10 15:36:58 +02:00
|
|
|
my $res = new Net::DNS::Resolver;
|
2004-11-27 08:08:46 +01:00
|
|
|
$res->tcp_timeout(30);
|
|
|
|
$res->udp_timeout(30);
|
|
|
|
|
2002-09-10 18:36:45 +02:00
|
|
|
my $sel = $conn->notes('dnsbl_sockets') or return "";
|
2006-12-16 10:46:12 +01:00
|
|
|
my $dom = $conn->notes('dnsbl_domains');
|
2004-03-04 05:33:47 +01:00
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
2002-09-10 15:36:58 +02:00
|
|
|
|
|
|
|
my $result;
|
|
|
|
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGDEBUG, "waiting for dnsbl dns");
|
2002-09-10 18:36:45 +02:00
|
|
|
|
2004-03-04 05:33:47 +01:00
|
|
|
# don't wait more than 8 seconds here
|
|
|
|
my @ready = $sel->can_read(8);
|
2002-09-10 18:36:45 +02:00
|
|
|
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGDEBUG, "DONE waiting for dnsbl dns, got " , scalar @ready, " answers ...") ;
|
2003-03-18 10:20:26 +01:00
|
|
|
return '' unless @ready;
|
2002-09-10 18:36:45 +02:00
|
|
|
|
|
|
|
for my $socket (@ready) {
|
|
|
|
my $query = $res->bgread($socket);
|
2003-03-18 10:20:26 +01:00
|
|
|
$sel->remove($socket);
|
2002-09-10 15:36:58 +02:00
|
|
|
undef $socket;
|
|
|
|
|
2002-09-10 18:36:45 +02:00
|
|
|
my $dnsbl;
|
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
if ($query) {
|
|
|
|
my $a_record = 0;
|
|
|
|
foreach my $rr ($query->answer) {
|
2002-09-10 18:36:45 +02:00
|
|
|
my $name = $rr->name;
|
2006-12-16 10:46:12 +01:00
|
|
|
$self->log(LOGDEBUG, "name $name");
|
|
|
|
next unless $dom->{$name};
|
|
|
|
$self->log(LOGDEBUG, "name $name was queried");
|
|
|
|
$a_record = 1 if $rr->type eq "A";
|
2002-09-10 18:36:45 +02:00
|
|
|
($dnsbl) = ($name =~ m/(?:\d+\.){4}(.*)/) unless $dnsbl;
|
|
|
|
$dnsbl = $name unless $dnsbl;
|
2002-07-15 14:16:10 +02:00
|
|
|
next unless $rr->type eq "TXT";
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGDEBUG, "got txt record");
|
2002-07-15 14:16:10 +02:00
|
|
|
$result = $rr->txtdata and last;
|
|
|
|
}
|
2004-03-04 05:33:47 +01:00
|
|
|
#$a_record and $result = "Blocked by $dnsbl";
|
|
|
|
|
|
|
|
if ($a_record) {
|
|
|
|
if (defined $dnsbl_zones{$dnsbl}) {
|
|
|
|
$result = $dnsbl_zones{$dnsbl};
|
|
|
|
#$result =~ s/%IP%/$ENV{'TCPREMOTEIP'}/g;
|
|
|
|
$result =~ s/%IP%/$remote_ip/g;
|
|
|
|
} else {
|
|
|
|
# shouldn't get here?
|
|
|
|
$result = "Blocked by $dnsbl";
|
|
|
|
}
|
|
|
|
}
|
2002-07-15 14:16:10 +02:00
|
|
|
}
|
|
|
|
else {
|
2004-03-05 13:46:24 +01:00
|
|
|
$self->log(LOGERROR, "$dnsbl query failed: ", $res->errorstring)
|
2002-07-15 14:16:10 +02:00
|
|
|
unless $res->errorstring eq "NXDOMAIN";
|
|
|
|
}
|
2002-09-10 18:36:45 +02:00
|
|
|
|
2003-06-10 12:03:58 +02:00
|
|
|
if ($result) {
|
|
|
|
#kill any other pending I/O
|
|
|
|
$conn->notes('dnsbl_sockets', undef);
|
2004-03-04 05:33:47 +01:00
|
|
|
$result = join("\n", $self->qp->config('dnsbl_rejectmsg'), $result);
|
2003-06-10 12:03:58 +02:00
|
|
|
return $conn->notes('dnsbl', $result);
|
|
|
|
}
|
2002-07-15 14:16:10 +02:00
|
|
|
}
|
|
|
|
|
2003-03-18 10:20:26 +01:00
|
|
|
if ($sel->count) {
|
|
|
|
# loop around if we have dns blacklists left to see results from
|
|
|
|
return $self->process_sockets();
|
|
|
|
}
|
|
|
|
|
2003-06-10 12:03:58 +02:00
|
|
|
# er, the following code doesn't make much sense anymore...
|
|
|
|
|
2002-09-10 18:36:45 +02:00
|
|
|
# if there was more to read; then forget it
|
|
|
|
$conn->notes('dnsbl_sockets', undef);
|
2002-09-10 15:36:58 +02:00
|
|
|
|
|
|
|
return $conn->notes('dnsbl', $result);
|
2002-07-15 14:16:10 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2005-07-07 06:17:39 +02:00
|
|
|
sub hook_rcpt {
|
2006-04-07 20:58:02 +02:00
|
|
|
my ($self, $transaction, $rcpt, %param) = @_;
|
2005-06-22 16:08:57 +02:00
|
|
|
my $connection = $self->qp->connection;
|
2004-03-04 05:33:47 +01:00
|
|
|
|
|
|
|
# RBLSMTPD being non-empty means it contains the failure message to return
|
|
|
|
if (defined ($ENV{'RBLSMTPD'}) && $ENV{'RBLSMTPD'} ne '') {
|
|
|
|
my $result = $ENV{'RBLSMTPD'};
|
2005-06-22 16:08:57 +02:00
|
|
|
my $remote_ip = $connection->remote_ip;
|
2004-03-04 05:33:47 +01:00
|
|
|
$result =~ s/%IP%/$remote_ip/g;
|
2005-05-25 22:07:58 +02:00
|
|
|
return ($self->{_dnsbl}->{DENY},
|
|
|
|
join(" ", $self->qp->config('dnsbl_rejectmsg'), $result));
|
2004-03-04 05:33:47 +01:00
|
|
|
}
|
|
|
|
|
2002-09-10 15:36:58 +02:00
|
|
|
my $note = $self->process_sockets;
|
2005-06-22 16:08:57 +02:00
|
|
|
my $whitelist = $connection->notes('whitelisthost');
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
if ( $note ) {
|
|
|
|
if ( $rcpt->user =~ /^(?:postmaster|abuse|mailer-daemon|root)$/i ) {
|
2005-06-22 16:08:57 +02:00
|
|
|
$self->log(LOGWARN, "Don't blacklist special account: ".$rcpt->user);
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
}
|
|
|
|
elsif ( $whitelist ) {
|
2005-06-22 16:08:57 +02:00
|
|
|
$self->log(LOGWARN, "Whitelist overrode blacklist: $whitelist");
|
|
|
|
}
|
|
|
|
elsif ( $connection->relay_client() ) {
|
|
|
|
$self->log(LOGWARN, "Don't blacklist relay/auth clients");
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
}
|
|
|
|
else {
|
2005-05-25 22:07:58 +02:00
|
|
|
return ($self->{_dnsbl}->{DENY}, $note);
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
}
|
|
|
|
}
|
2002-07-15 14:16:10 +02:00
|
|
|
return DECLINED;
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
}
|
|
|
|
|
2005-07-07 06:17:39 +02:00
|
|
|
sub hook_disconnect {
|
2002-09-10 15:36:58 +02:00
|
|
|
my ($self, $transaction) = @_;
|
|
|
|
|
2002-09-10 18:49:10 +02:00
|
|
|
$self->qp->connection->notes('dnsbl_sockets', undef);
|
2002-09-10 15:36:58 +02:00
|
|
|
|
2002-07-15 14:16:10 +02:00
|
|
|
return DECLINED;
|
|
|
|
}
|
|
|
|
|
|
|
|
1;
|
2004-03-04 05:33:47 +01:00
|
|
|
|
2005-05-25 22:07:58 +02:00
|
|
|
=head1 Usage
|
|
|
|
|
|
|
|
Add the following line to the config/plugins file:
|
|
|
|
|
|
|
|
dnsbl [disconnect]
|
|
|
|
|
|
|
|
If you want to immediately drop the connection (since some blacklisted
|
|
|
|
servers attempt multiple sends per session), add the optional keyword
|
|
|
|
"disconnect" (case insensitive) to the config line. In most cases, an
|
|
|
|
IP address that is listed should not be given the opportunity to begin
|
|
|
|
a new transaction, since even the most volatile blacklists will return
|
|
|
|
the same answer for a short period of time (the minimum DNS cache period).
|
|
|
|
|
2004-03-04 05:33:47 +01:00
|
|
|
=head1 Configuration files
|
|
|
|
|
|
|
|
This plugin uses the following configuration files. All of these are optional.
|
|
|
|
However, not specifying dnsbl_zones is like not using the plugin at all.
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item dnsbl_zones
|
|
|
|
|
|
|
|
Normal ip based dns blocking lists ("RBLs") which contain TXT records are
|
|
|
|
specified simply as:
|
|
|
|
|
|
|
|
relays.ordb.org
|
|
|
|
spamsources.fabel.dk
|
|
|
|
|
|
|
|
To configure RBL services which do not contain TXT records in the DNS,
|
|
|
|
but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
|
|
|
|
own error message to return in the SMTP conversation after a colon e.g.
|
|
|
|
|
|
|
|
rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
|
|
|
|
|
|
|
|
The string %IP% will be replaced with the IP address of incoming connection.
|
|
|
|
Thus a fully specified file could be:
|
|
|
|
|
|
|
|
sbl-xbl.spamhaus.org
|
|
|
|
list.dsbl.org
|
|
|
|
rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
|
|
|
|
relays.ordb.org
|
|
|
|
|
|
|
|
=item dnsbl_allow
|
|
|
|
|
|
|
|
List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
|
|
|
|
with either a full IP address or a truncated IP address with a period at the end.
|
|
|
|
For example:
|
|
|
|
|
|
|
|
192.168.1.1
|
|
|
|
172.16.33.
|
|
|
|
|
|
|
|
NB the environment variable RBLSMTPD is considered before this file is
|
|
|
|
referenced. See below.
|
|
|
|
|
|
|
|
=item dnsbl_rejectmsg
|
|
|
|
|
|
|
|
A textual message that is sent to the sender on an RBL failure. The TXT record
|
|
|
|
from the RBL list is also sent, but this file can be used to indicate what
|
|
|
|
action the sender should take.
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
If you think you have been blocked in error, then please forward
|
|
|
|
this entire error message to your ISP so that they can fix their problems.
|
|
|
|
The next line often contains a URL that can be visited for more information.
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
=head1 Environment Variables
|
|
|
|
|
|
|
|
=head2 RBLSMTPD
|
|
|
|
|
|
|
|
The environment variable RBLSMTPD is supported and mimics the behaviour of
|
|
|
|
Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
|
|
|
|
start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
|
|
|
|
NB I don't really see the benefit
|
|
|
|
of using a soft error for a site in an RBL list. This just complicates
|
|
|
|
things as it takes 7 days (or whatever default period) before a user
|
|
|
|
gets an error email back. In the meantime they are complaining that their
|
|
|
|
emails are being "lost" :(
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item RBLSMTPD is set and non-empty
|
|
|
|
|
|
|
|
The contents are used as the SMTP conversation error.
|
|
|
|
Use this for forcibly blocking sites you don't like
|
|
|
|
|
|
|
|
=item RBLSMTPD is set, but empty
|
|
|
|
|
|
|
|
In this case no RBL checks are made.
|
|
|
|
This can be used for local addresses.
|
|
|
|
|
|
|
|
=item RBLSMTPD is not set
|
|
|
|
|
|
|
|
All RBL checks will be made.
|
|
|
|
This is the setting for remote sites that you want to check against RBL.
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
=head1 Revisions
|
|
|
|
|
|
|
|
See: http://cvs.perl.org/viewcvs/qpsmtpd/plugins/dnsbl
|
|
|
|
|
|
|
|
=cut
|