mirror of
https://github.com/freebsd/freebsd-src
synced 2024-11-05 18:22:52 +00:00
improve anti-spam rulesets: check_relay, check_mail, check_rcpt.
break each ruleset into identified sections. (called groups).
note which groups can be reordered.
each group accepts and returns the same strings, as much as possible.
reactivate Paul Vixie's RBL (in check_mail)
add rules to limit mail relaying to a list of hosts and domains in the R class (check_rcpt, not active on hub.freebsd.org)

Submitted by: jmb
parent
8ac5e37330
commit
26da30bbbc
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=31467
3 changed files with 134 additions and 40 deletions
|
@ -25,5 +25,8 @@ install:
|
|||
.if exists(/etc/mail/denyip.local)
|
||||
makemap -o hash /etc/mail/denyip < /etc/mail/denyip.local
|
||||
.endif
|
||||
.if exists(/etc/mail/fakenames)
|
||||
makemap hash /etc/mail/fakenames < /etc/mail/fakenames
|
||||
.endif
|
||||
|
||||
all: default install
|
||||
|
|
|
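Review bot: The new fakenames rule uses one path, /etc/mail/fakenames, for the existence test, the makemap input and the map name, while the denyip rule directly above it reads from a separate denyip.local source file. It works because makemap writes fakenames.db, which is the file the Kfakenames declaration in sendmail.cf.additions opens, but the two conventions side by side are easy to misread. Consider naming the source fakenames.local, or add a comment saying that the text file and the map share a base name. The denyip line also passes -o to makemap and this one does not; if that difference is intended, a one-line comment would help.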
@ -3,12 +3,14 @@
|
|||
Introduction:
|
||||
The FreeBSD Project filters spam, unsolicited commerical
|
||||
e-mail, from its mailing lists. The filter has two parts: databases
|
||||
and rulesets. We have added three rulesets to /etc/sendmail.cf,
|
||||
check_relay and check_mail and xlat. (xlat is for testing only, as
|
||||
explained in /etc/mail/sendmail.cf.additions.) These rulesets use
|
||||
two databases. The denyip, a list of IP addresses, and spamsites,
|
||||
a list of domains. We do not accept mail from any machine that
|
||||
matches a entry in either database.
|
||||
and rulesets. We have rulesets to /etc/sendmail.cf, check_rcpt,
|
||||
check_relay, check_rbl, check_mail and xlat. (xlat is for testing
|
||||
only, as explained in /etc/mail/sendmail.cf.additions.) These
|
||||
rulesets use three databases. The denyip, a list of IP addresses,
|
||||
spamsites, a list of domains, and fakenames, a list of bogus
|
||||
usernames (such as investor and success). We do not accept mail
|
||||
from any machine that matches a entry in either database, or usersr
|
||||
in the fakenames database.
|
||||
|
||||
Filtering at your site:
|
||||
To filter spam at your site you need to:
|
||||
|
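Review bot: The closing sentence of the rewritten introduction says mail is refused from users in the fakenames database, but the check_rcpt ruleset in this same commit looks fakenames up against the envelope recipient ("Rcpt To:"), under the comment "mail must NOT be addressed "fakenames"". The README should say the filter rejects mail addressed to those usernames. The same paragraph also has three wording slips worth fixing while it is being touched: "We have rulesets to /etc/sendmail.cf" lost the word "added", "either database" now refers to three databases, and "usersr" is a typo.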
@ -55,11 +57,24 @@ for every message filtered. The lines will be similar to one of
|
|||
these two log entries:
|
||||
|
||||
Check_mail rejects:
|
||||
"Oct 15 02:43:26 hub sendmail[6565]: CAA06565: ruleset=check_mail,
|
||||
Oct 15 02:43:26 hub sendmail[6565]: CAA06565: ruleset=check_mail,
|
||||
arg1=<announce@martianconsulate.com>, relay=xxx.isp.net [###.###.###.###],
|
||||
reject=521 <announce@martianconsulate.com>"
|
||||
reject=521 <announce@martianconsulate.com>
|
||||
|
||||
Nov 30 15:56:37 hub sendmail[15058]: PAA15058: ruleset=check_mail,
|
||||
arg1=<ultramax@s2.eddelwissl.NET>, relay=relay.somewhere.com
|
||||
[###.###.###.###], reject=451 <ultramax@s2.eddelwissl.NET>... Domain
|
||||
does not resolve
|
||||
|
||||
|
||||
Check_relay rejects:
|
||||
Oct 19 04:45:24 hub sendmail[3503]: NOQUEUE: ruleset=check_relay,
|
||||
arg1=imsp015.netvigator.com, arg2=205.252.144.206, relay=root@localhost,
|
||||
reject=521 blocked.contact postmaster@FreeBSD.ORG
|
||||
|
||||
check_rcpt reject:
|
||||
Nov 30 15:04:08 hub sendmail[12390]: PAA12390: ruleset=check_rcpt,
|
||||
arg1=investor@100percent.per.year.com, relay=newfed.frb.gov
|
||||
[198.3.221.5], reject=553 investor@100percent.per.year.com...
|
||||
521<investor@100percent.per.year.com>#blocked.contact postmaster
|
||||
Sun Nov 16 11:40:53 PST 1997
|
||||
|
|
|
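Review bot: The lead-in above the samples still reads "similar to one of these two log entries", but after this change the section shows four entries across three rulesets; update the count or drop the number. The new "check_rcpt reject:" heading also breaks the style of "Check_mail rejects:" and "Check_relay rejects:". The check_rcpt sample shows a 553 reply whose text is itself "521<investor@100percent.per.year.com>#blocked.contact postmaster"; a sentence explaining why a 521 string appears inside a 553 rejection would save readers from assuming their own logs are broken.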
@ -1,40 +1,116 @@
|
|||
# list of hosts and domains for whom we relay mail.
|
||||
# all .forward hosts, domains must be listed in this file.
|
||||
# same for hosts and domains in /etc/aliases
|
||||
FR-o /etc/sendmail.cR
|
||||
|
||||
# database declarations
|
||||
Kdenyip hash -o -a.REJECT /etc/mail/denyip.db
|
||||
Kfakenames hash -o -a.REJECT /etc/mail/fakenames.db
|
||||
Kspamsites hash -o -a.REJECT /etc/mail/spamsites.db
|
||||
|
||||
# called with host.tld and IP address of connecting host.
|
||||
# ip address must NOT be in the "denyip" database
|
||||
Scheck_relay
|
||||
R$* $| [$+ $1 $| $2 should not be needed
|
||||
R$* $| $+] $1 $| $2 same (bat 2nd ed p510)
|
||||
R$* $| $* $: $1 $| $(denyip $2 $)
|
||||
R$* $| $*.REJECT $#error $: 521 blocked. contact postmaster@FreeBSD.ORG ($2)
|
||||
# host must *not* be in the "spamsites" database
|
||||
R$+.$+.$+ $| $* $2.$3 $| $4
|
||||
R$+.$+ $| $* $: $(spamsites $1.$2 $) $| $3
|
||||
R$*.REJECT $| $* $#error $: 521 blocked. contact postmaster@FreeBSD.ORG ($1)
|
||||
# Host must be resolvable, currently not used at hub.freebsd.org
|
||||
#R$* $| $* $: <?> <$1 $| $2> $>3 foo@$1
|
||||
#R<?> <$*> $*<@$*.> $: $1
|
||||
#R<?> <$*> $*<@$*> $#error $: 451 Domain does not resolve ($1)
|
||||
|
||||
# called with envelope sender, "Mail From: xxx", of SMTP conversation
|
||||
# helper rulsesets; useful for debugging sendmail configurations
|
||||
#
|
||||
Scheck_mail
|
||||
R$* $: <?> $>3 $1
|
||||
R<?> $* < @ $+ . > $: $2
|
||||
# R<?> $* < @ $+ > $#error $: "451 Domain does not resolve"
|
||||
R<?> $* < @ $+ > $: $2
|
||||
R$+.$+.$+ $2.$3
|
||||
R$* $: $(spamsites $1 $: OK $)
|
||||
ROK $@ OK
|
||||
R$+.REJECT $#error $: 521 $1
|
||||
#
|
||||
Scheck_rbl
|
||||
# lookup up an ip address in the Realtime Blackhole List.
|
||||
R$-.$-.$-.$- $: $(host $4.$3.$2.$1.rbl.maps.vix.com $:OK $)
|
||||
|
||||
# for testing check_relay and check_mail
|
||||
# if we type "$|", sendmail will split this into two tokens "$" and "|"
|
||||
# this rule glues prevent sendmail from splitting "$|"
|
||||
# to use: /usr/sbin/sendmail -bt
|
||||
# host.domain.tld $| 111.222.333.444
|
||||
Sxlat
|
||||
Sxlat # for sendmail -bt
|
||||
# sendmail treats "$" and "|" as two distinct tokens
|
||||
# this rule "pastes" them together into one token
|
||||
# and then calls check_relay.
|
||||
R$* $$| $* $: $1 $| $2
|
||||
R$* $| $* $@ $>check_relay $1 $| $2
|
||||
|
||||
Scheck_relay
|
||||
# called with "hostname.tld $| IP address" of connecting host.
|
||||
# hostname.tld is the fully-qualified domain name
|
||||
# IP address is dotted-quad with surrounding "[]" brackets.
|
||||
#
|
||||
# each group of rules in this ruleset is independent.
|
||||
# each accepts and return "hostname.tld $| IP address"
|
||||
# use the ones that you want comment out the rest
|
||||
# you may rearrange the groups but not the rules in each group.
|
||||
# each group is preceded and followed by a comment
|
||||
#
|
||||
# host must NOT be in the "spamsites" database--BEGIN
|
||||
R$* $| $* $: <$1 $| $2> $1
|
||||
R<$*> $+.$+.$+ <$1> $3.$4
|
||||
R<$*> $+.$+ $: <$1> $(spamsites $2.$3 $)
|
||||
R<$*> $*.REJECT $#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
|
||||
R<$*> $* $: $1
|
||||
# host must NOT be in the "spamsites" database--END
|
||||
# ip address must NOT be in the "denyip" database--BEGIN
|
||||
R$* $| $* $: $1 $| $(denyip $2 $)
|
||||
R$* $| $*.REJECT $#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
|
||||
# ip address must NOT be in the "denyip" database--END
|
||||
# Host must resolve--BEGIN
|
||||
R$* $| $* $: <$1 $| $2> $>3 foo@$1
|
||||
R<$*> $*<@$*.> $: $1
|
||||
R<$*> $*<@$*> $#error $: "451 Domain does not resolve"
|
||||
# Host must resolve--END
|
||||
R$* $@ OK
|
||||
|
||||
Scheck_mail
|
||||
# called with envelope sender (everything after ":") in
|
||||
# "Mail From: xxx", of SMTP conversation
|
||||
# may or may not have "<" ">"
|
||||
# the groups of rules in this ruleset ARE NOT independent.
|
||||
# "remove all RFC-822 comments" must come first
|
||||
# "Paul Vixie's RBL" must be last
|
||||
# you may rearrange the other rules.
|
||||
#
|
||||
# use the ones that you want comment out the rest
|
||||
# each group is preceded and followed by a comment
|
||||
#
|
||||
# remove all RFC-822 comments--BEGIN
|
||||
# MUST be first rule in check_mail rulseset.
|
||||
R$* $: $>3 $1
|
||||
# remove all RFC-822 comments--END
|
||||
# mail must come from a DNS resolvable host--BEGIN
|
||||
R$* < @ $+ . > $: $1 @ $2
|
||||
R$* < @ $+ > $#error $: "451 Domain does not resolve"
|
||||
# mail must come from a DNS resolvable host--END
|
||||
# mail must NOT come from a known source of spam--BEGIN
|
||||
# resolved. second check: one of the know spam sources?
|
||||
R$+ @$+ $: <$1@$2> $1 @$2
|
||||
R<$*> $+ @$+.$+.$+ <$1> $4.$5
|
||||
R<$*> $* $: $(spamsites $2 $: OK $)
|
||||
R$+.REJECT $#error $: 521 $1
|
||||
R<$*> $* $: $1
|
||||
# mail must NOT come from a known source of spam--END
|
||||
# ip address must NOT be in Paul Vixie's RBL--BEGIN
|
||||
R$* $: $1 $: $(dequote "" $&{client_addr} $)
|
||||
R$* $: $>check_rbl $1
|
||||
R$*.com. $#error $: "550 Mail refused, see http://maps.vix.com/rbl"
|
||||
# ip address must NOT be in Paul Vixie's RBL--END
|
||||
R$* $@ OK
|
||||
|
||||
Scheck_rcpt
|
||||
# called with envelope recipient (everything after ":") in
|
||||
# "Rcpt To: xxx", of SMTP conversation
|
||||
# may or may not have "<" ">" and or RFC-822 comments.
|
||||
# let ruleset 3 clean this up for us.
|
||||
#
|
||||
# do NOT reorder these two groups of rules.
|
||||
# restrict mail relaying to host and domains listed in /etc/sendmail.cR
|
||||
#
|
||||
# mail must NOT be addressed "fakenames"--BEGIN
|
||||
R$* $: <$1> $>3 $1
|
||||
R<$*> $+ < @ $+ > $: <$1> $(fakenames $2 $: OK $)
|
||||
R$+.REJECT $#error $: 521 $1
|
||||
R<$*> $* $: $1
|
||||
# mail must NOT be addressed "fakenames"--END
|
||||
# mail must come from or go to this machine or machines we allow to relay--BEGIN
|
||||
# R$* $: $>Parse0 $>3 $1
|
||||
# R$+ < @ $* . > $* $: $1 < @ $2 >
|
||||
# R<$+ @ $=w> $@ OK
|
||||
# R<$+ @ $* $=R> $@ OK
|
||||
# R$* $: $(dequote "" $&{client_name} $)
|
||||
# R$=w $@ OK
|
||||
# R$* $=R $@ OK
|
||||
# R$@ $@ OK
|
||||
# R$* $#error $: "550 Relaying Denied"
|
||||
# mail must come from or go to this machine or machines we allow to relay--BEGIN
|
||||
R$* $@ OK
|
||||
|
||||
|
|
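Review bot: In the grouped check_mail ruleset, the "known source of spam" lookup rule "R<$*> $* $: $(spamsites $2 $: OK $)" drops the saved "<$1>" copy of the address, unlike the matching rules in check_relay and check_rcpt, which keep "<$1>" on the right-hand side. After that rule the workspace is only "OK" or "domain.REJECT", so the restore rule "R<$*> $* $: $1" that closes the group can never match and the group does not hand back the string it received, which is what the header comments promise. Suggest keeping "<$1>" in the lookup result and matching the rejection as "R<$*> $+.REJECT", as check_relay does. Two smaller points: the relay group in check_rcpt is closed with a second "--BEGIN" comment where "--END" is meant, and the RBL test "R$*.com." treats any lookup result ending in ".com." as a listing, which silently depends on the rbl.maps.vix.com zone name used in check_rbl; a comment tying the two together would help whoever changes the zone later.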