314 lines
9.0 KiB
Perl
314 lines
9.0 KiB
Perl
#!perl -w
|
|
|
|
=head1 NAME
|
|
|
|
dnsbl - handle DNS BlackList lookups
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
Plugin that checks the IP address of the incoming connection against
|
|
a configurable set of RBL services.
|
|
|
|
=head1 USAGE
|
|
|
|
Add the following line to the config/plugins file:
|
|
|
|
dnsbl
|
|
|
|
The following options are also availble:
|
|
|
|
=head2 reject [ 0 | 1 | naughty ]
|
|
|
|
dnsbl reject 0 <- do not reject
|
|
|
|
dnsbl reject 1 <- reject
|
|
|
|
dnsbl reject naughty <- See perldoc plugins/naughty
|
|
|
|
Also, when I<reject naughty> is set, DNS queries are processed during connect.
|
|
|
|
=head2 reject_type [ temp | perm | disconnect ]
|
|
|
|
Default: perm
|
|
|
|
To immediately drop the connection (since some blacklisted servers attempt
|
|
multiple sends per session), set I<reject_type disconnect>. In most cases,
|
|
an IP address that is listed should not be given the opportunity to begin a
|
|
new transaction, since even the most volatile blacklists will return the same
|
|
answer for a short period of time (the minimum DNS cache period).
|
|
|
|
=head2 loglevel
|
|
|
|
dnsbl [loglevel -1]
|
|
|
|
Adjust the quantity of logging for this plugin. See docs/logging.pod
|
|
|
|
=head1 CONFIG FILES
|
|
|
|
This plugin uses the following configuration files. All are optional. Not
|
|
specifying dnsbl_zones is like not using the plugin at all.
|
|
|
|
=head2 dnsbl_zones
|
|
|
|
Normal ip based dns blocking lists ("RBLs") which contain TXT records are
|
|
specified simply as:
|
|
|
|
relays.ordb.org
|
|
spamsources.fabel.dk
|
|
|
|
To configure RBL services which do not contain TXT records in the DNS,
|
|
but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
|
|
own error message to return in the SMTP conversation after a colon e.g.
|
|
|
|
rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
|
|
|
|
The string %IP% will be replaced with the IP address of incoming connection.
|
|
Thus a fully specified file could be:
|
|
|
|
sbl-xbl.spamhaus.org
|
|
list.dsbl.org
|
|
rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
|
|
relays.ordb.org
|
|
|
|
=head2 dnsbl_allow
|
|
|
|
List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
|
|
with either a full IP address or a truncated IP address with a period at the end.
|
|
For example:
|
|
|
|
192.168.1.1
|
|
172.16.33.
|
|
|
|
NB the environment variable RBLSMTPD is considered before this file is
|
|
referenced. See below.
|
|
|
|
=head2 dnsbl_rejectmsg
|
|
|
|
A textual message that is sent to the sender on an RBL failure. The TXT record
|
|
from the RBL list is also sent, but this file can be used to indicate what
|
|
action the sender should take.
|
|
|
|
For example:
|
|
|
|
If you think you have been blocked in error, then please forward
|
|
this entire error message to your ISP so that they can fix their problems.
|
|
The next line often contains a URL that can be visited for more information.
|
|
|
|
=head1 Environment Variables
|
|
|
|
=head2 RBLSMTPD
|
|
|
|
The environment variable RBLSMTPD is supported and mimics the behaviour of
|
|
Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
|
|
start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
|
|
NB I don't really see the benefit
|
|
of using a soft error for a site in an RBL list. This just complicates
|
|
things as it takes 7 days (or whatever default period) before a user
|
|
gets an error email back. In the meantime they are complaining that their
|
|
emails are being "lost" :(
|
|
|
|
=over 4
|
|
|
|
=item RBLSMTPD is set and non-empty
|
|
|
|
The contents are used as the SMTP conversation error.
|
|
Use this for forcibly blocking sites you don't like
|
|
|
|
=item RBLSMTPD is set, but empty
|
|
|
|
In this case no RBL checks are made.
|
|
This can be used for local addresses.
|
|
|
|
=item RBLSMTPD is not set
|
|
|
|
All RBL checks will be made.
|
|
This is the setting for remote sites that you want to check against RBL.
|
|
|
|
=back
|
|
|
|
=head1 Revisions
|
|
|
|
See: https://github.com/smtpd/qpsmtpd/commits/master/plugins/dnsbl
|
|
|
|
=cut
|
|
|
|
sub register {
|
|
my ($self, $qp) = (shift, shift);
|
|
|
|
if (@_ % 2) {
|
|
$self->{_args}{reject_type} = shift; # backwards compatibility
|
|
}
|
|
else {
|
|
$self->{_args} = {@_};
|
|
}
|
|
|
|
# explicitly state legacy reject behavior
|
|
if (!defined $self->{_args}{reject_type}) {
|
|
$self->{_args}{reject_type} = 'perm';
|
|
}
|
|
if (!defined $self->{_args}{reject}) {
|
|
$self->{_args}{reject} = 1;
|
|
}
|
|
}
|
|
|
|
sub hook_connect {
|
|
my ($self, $transaction) = @_;
|
|
|
|
# perform RBLSMTPD checks to mimic DJB's rblsmtpd
|
|
# RBLSMTPD being non-empty means it contains the failure message to return
|
|
if (defined $ENV{'RBLSMTPD'} && $ENV{'RBLSMTPD'} ne '') {
|
|
my $reject = $self->{_args}{reject};
|
|
return $self->return_env_message() if $reject && $reject eq 'connect';
|
|
}
|
|
|
|
return DECLINED if $self->is_immune();
|
|
return DECLINED if $self->is_set_rblsmtpd();
|
|
return DECLINED if $self->ip_whitelisted();
|
|
|
|
my $dnsbl_zones = $self->get_dnsbl_zones() or return DECLINED;
|
|
my $resolv = $self->get_resolver() or return DECLINED;
|
|
|
|
for my $dnsbl (keys %$dnsbl_zones) {
|
|
|
|
my $query = $self->get_query($dnsbl) or do {
|
|
if ($resolv->errorstring ne 'NXDOMAIN') {
|
|
$self->log(LOGERROR, "$dnsbl query failed: ",
|
|
$resolv->errorstring);
|
|
}
|
|
next;
|
|
};
|
|
|
|
my $a_record = 0;
|
|
my $result;
|
|
foreach my $rr ($query->answer) {
|
|
if ($rr->type eq 'A') {
|
|
$result = $rr->name;
|
|
$self->log(LOGDEBUG,
|
|
"found A for $result with IP " . $rr->address);
|
|
}
|
|
elsif ($rr->type eq 'TXT') {
|
|
$self->log(LOGDEBUG, "found TXT, " . $rr->txtdata);
|
|
$result = $rr->txtdata;
|
|
}
|
|
|
|
next if !$result;
|
|
|
|
$self->adjust_karma(-1);
|
|
|
|
if (!$dnsbl) { ($dnsbl) = ($result =~ m/(?:\d+\.){4}(.*)/); }
|
|
if (!$dnsbl) { $dnsbl = $result; }
|
|
|
|
if ($a_record) {
|
|
if (defined $dnsbl_zones->{$dnsbl}) {
|
|
my $smtp_msg = $dnsbl_zones->{$dnsbl};
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
$smtp_msg =~ s/%IP%/$remote_ip/g;
|
|
return $self->get_reject($smtp_msg, $dnsbl);
|
|
}
|
|
return $self->get_reject("Blocked by $dnsbl");
|
|
}
|
|
|
|
return $self->get_reject($result, $dnsbl);
|
|
}
|
|
}
|
|
|
|
$self->log(LOGINFO, 'pass');
|
|
return DECLINED;
|
|
}
|
|
|
|
sub get_dnsbl_zones {
|
|
my $self = shift;
|
|
|
|
my %dnsbl_zones =
|
|
map { (split /:/, $_, 2)[0, 1] } $self->qp->config('dnsbl_zones');
|
|
if (!%dnsbl_zones) {
|
|
$self->log(LOGDEBUG, "skip, no zones");
|
|
return;
|
|
}
|
|
|
|
$self->{_dnsbl}{zones} = \%dnsbl_zones;
|
|
return \%dnsbl_zones;
|
|
}
|
|
|
|
sub get_query {
|
|
my ($self, $dnsbl) = @_;
|
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
my $reversed_ip = join('.', reverse(split(/\./, $remote_ip)));
|
|
|
|
# fix to find A records, if the dnsbl_zones line has a second field 20/1/04 ++msp
|
|
if (defined $self->{_dnsbl}{zones}{$dnsbl}) {
|
|
$self->log(LOGDEBUG, "Checking $reversed_ip.$dnsbl for A record");
|
|
return $self->{_resolver}->query("$reversed_ip.$dnsbl");
|
|
}
|
|
|
|
$self->log(LOGDEBUG, "Checking $reversed_ip.$dnsbl for TXT record");
|
|
return $self->{_resolver}->query("$reversed_ip.$dnsbl", 'TXT');
|
|
}
|
|
|
|
sub is_set_rblsmtpd {
|
|
my $self = shift;
|
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
|
|
if (!defined $ENV{'RBLSMTPD'}) {
|
|
$self->log(LOGDEBUG, "RBLSMTPD not set for $remote_ip");
|
|
return;
|
|
}
|
|
|
|
if ($ENV{'RBLSMTPD'} ne '') {
|
|
$self->log(LOGINFO, "RBLSMTPD=\"$ENV{'RBLSMTPD'}\" for $remote_ip");
|
|
return $ENV{'RBLSMTPD'};
|
|
}
|
|
|
|
$self->log(LOGINFO, "RBLSMTPD set, but empty for $remote_ip");
|
|
return 1; # don't return empty string, it evaluates to false
|
|
}
|
|
|
|
sub ip_whitelisted {
|
|
my ($self) = @_;
|
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
|
|
return grep {
|
|
s/\.?$/./;
|
|
$_ eq substr($remote_ip . '.', 0, length $_)
|
|
} $self->qp->config('dnsbl_allow');
|
|
}
|
|
|
|
sub return_env_message {
|
|
my $self = shift;
|
|
my $result = $ENV{'RBLSMTPD'};
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
$result =~ s/%IP%/$remote_ip/g;
|
|
my $msg = $self->qp->config('dnsbl_rejectmsg');
|
|
$self->log(LOGINFO, "fail, $msg");
|
|
return ($self->get_reject_type(), join(' ', $msg, $result));
|
|
}
|
|
|
|
sub hook_rcpt {
|
|
my ($self, $transaction, $rcpt, %param) = @_;
|
|
|
|
if ($rcpt->user =~ /^(?:postmaster|abuse|mailer-daemon|root)$/i) {
|
|
$self->log(LOGWARN,
|
|
"skip, don't blacklist special account: " . $rcpt->user);
|
|
|
|
# clear the naughty connection note here, if desired.
|
|
$self->is_naughty(0);
|
|
}
|
|
|
|
return DECLINED;
|
|
}
|
|
|
|
sub get_resolver {
|
|
my $self = shift;
|
|
return $self->{_resolver} if $self->{_resolver};
|
|
$self->log(LOGDEBUG, "initializing Net::DNS::Resolver");
|
|
$self->{_resolver} = Net::DNS::Resolver->new(dnsrch => 0);
|
|
my $timeout = $self->{_args}{timeout} || 30;
|
|
$self->{_resolver}->tcp_timeout($timeout);
|
|
$self->{_resolver}->udp_timeout($timeout);
|
|
return $self->{_resolver};
|
|
}
|
|
|