Introduction
Last Updated: 06 Feb 2018 GMT +8.
A mailfront plugin provides IPv4/IPv6 DNSBL/DNSWL checking of sender's IP address and to defer, reject or accept mails based on its check. This plugin will add its checking results to each mail message header for all mails accepted depending on environment variables configurations.
IMPORTANT: This plugin is written for and tested with mailfront 2.12 but should work with version 1.12 and above.
Environment Configuration
- $DNSBL_CHECK_SKIP
- If set, this plugin will be skipped.
- $RELAYCLIENT
- If set, add to message header and skip the remaining checks. Example of message header added:
X-DNSBL-Check-Result: SKIPPED: $RELAYCLIENT is set for 1.2.3.4
- $RBLSMTPD
- If set and empty, add to message header and skip the remaining checks. If $RBLSMTPD is set and not empty, the reply code is set to 553 if the first character of $RBLSMTPD is "-" otherwise the reply code is set to 451. The reply message will be copied from $RBLSMTPD and will skip "-" if it is the starting character of $RBLSMTPD. Examples of smtp.rules for tcprules:
1.1.1.1:allow,RBLSMTPD=""
2.2.2.2:allow,RBLSMTPD="-Your IP is listed in our denied list."
3.3.3.3:allow,RBLSMTPD="Your IP is listed in our denied list."
- The above will cause this plugin to accept mails from IP 1.1.1.1, reject mails from IP 2.2.2.2 and defer mails from IP 3.3.3.3. Below are the reply to sender's IP 2.2.2.2 and 3.3.3.3 respectively:
553 Your IP is listed in our denied list.
451 Your IP is listed in our denied list.
- Example of message header added for IP 1.1.1.1:
X-DNSBL-Check-Result: SKIPPED: $RBLSMTPD is set and empty for 1.1.1.1
- $RWLDOMAINS
- This is the list of IPv4 servers/domains to check for whitelisting (DNSWL). If $RWLDOMAINS is set and not empty, the domains listed will be used for IPv4 DNSWL checking. Each domain needs to be separated with a space or a comma.
- $RWLDOMAINSFILE
- This is a file with list of IPv4 servers/domains to check for whitelisting (DNSWL). This will only be used if $RWLDOMAINS is not set. i.e. copy the content into $RWLDOMAINS. If $RWLDOMAINSFILE not set will default to /var/qmail/control/rwldomains. Format in this file is one domain per line. Lines started with # are ignored.
- $RWLDOMAINS_IPV6
- This is the list of IPv6 servers/domains to check for whitelisting (DNSWL). If $RWLDOMAINS_IPV6 is set and not empty, the domains listed will be used for IPv6 DNSWL checking. Each domain needs to be separated with a space or a comma.
- $RWLDOMAINSFILE_IPV6
- This is a file with list of IPv6 servers/domains to check for whitelisting (DNSWL). This will only be used if $RWLDOMAINS_IPV6 is not set. i.e. copy the content into $RWLDOMAINS_IPV6. If $RWLDOMAINSFILE_IPV6 not set will default to /var/qmail/control/rwldomains6. Format in this file is one domain per line. Lines started with # are ignored.
- $RBLDOMAINS
- This is the list of IPv4 servers/domains to check for blacklisting (DNSBL). If $RBLDOMAINS is set and not empty, the domains listed will be used for IPv4 DNSBL checking. Each domain needs to be separated with a space or a comma.
- $RBLDOMAINSFILE
- This is a file with list of IPv4 servers/domains to check for blacklisting (DNSBL). This will only be used if $RBLDOMAINS is not set. i.e. copy the content into $RBLDOMAINS. If $RBLDOMAINSFILE not set will default to /var/qmail/control/rbldomains. Format in this file is one domain per line. Lines started with # are ignored.
- $RBLDOMAINS_IPV6
- This is the list of IPv6 servers/domains to check for blacklisting (DNSBL). If $RBLDOMAINS_IPV6 is set and not empty, the domains listed will be used for IPv6 DNSBL checking. Each domain needs to be separated with a space or a comma.
- $RBLDOMAINSFILE_IPV6
- This is a file with list of IPv6 servers/domains to check for blacklisting (DNSBL). This will only be used if $RBLDOMAINS_IPV6 is not set. i.e. copy the content into $RBLDOMAINS_IPV6. If $RBLDOMAINSFILE_IPV6 not set will default to /var/qmail/control/rbldomains6. Format in this file is one domain per line. Lines started with # are ignored.
- NOTE:
- If $RWLDOMAINS and $RBLDOMAINS not set or empty, add to mail message header and skip the IPv4 DNSWL/DNSBL checks. Example of mail header added:
X-DNSBL-Check-Result: SKIPPED: $RWLDOMAINS and $RBLDOMAINS not set or empty for 1.2.3.4
- If $RWLDOMAINS_IPV6 and $RBLDOMAINS_IPV6 not set or empty, add to mail message header and skip the IPv6 DNSWL/DNSBL checks. Example of mail header added:
X-DNSBL-Check-Result: SKIPPED: $RWLDOMAINS_IPV6 and $RBLDOMAINS_IPV6 not set or empty for 1100:2200:3300::4
- $DNSBL_CHECK_REJECT
- If set, sender will be rejected with reply code 553 if sender's IP is listed in one of the $RBLDOMAINS domain. If sender's IP is listed in one of the $RWLDOMAINS domains, mail message will be accepted as this plugin take preference of $RWLDOMAINS domains then $RBLDOMAINS domains.
- $DNSBL_CHECK_DEFER
- If $DNSBL_CHECK_DEFER is set, sender will be rejected with reply code 451 if sender's IP is listed in one of the $RBLDOMAINS domain. If sender's IP is listed in one of the $RWLDOMAINS domains, mail message will be accepted as this plugin take preference of $RWLDOMAINS domains then $RBLDOMAINS domains.
- NOTE: $DNSBL_CHECK_REJECT take preference of $DNSBL_CHECK_DEFER.
- $DNSBL_CHECK_VERBOSE
- If $DNSBL_CHECK_VERBOSE is set, this plugin will log its checking to stderr.
- DEFAULT
- If sender is authenticated, add to message header and skip the DNSWL/DNSBL checks. Example of message header added:
X-DNSBL-Check-Result: SKIPPED: authenticated user from 1.2.3.4
Mails that are rejected/deferred due to blacklist, this plugin will use the first listed domain's TXT record in its reply message. If there isn't such will default to the following:
Sorry, your ip ${PROTO}REMOTEIP is listed in one or more of the DNSBL: $RBLDOMAINS
NOTE: The ${PROTO}REMOTEIP and $RBLDOMAINS will be parsed accordingly.
If sender's IP is listed in one of the $RWLDOMAINS domain, instead of rejecting/deferring mail, mail message will be accepted and all the DNSWL/DNSBL check results will be added to each mail message header.
If $DNSBL_CHECK_REJECT and $DNSBL_CHECK_DEFER not set, all mail message will be accepted with DNSWL/DNSBL check results added to each mail message header.
Sender Action
This plugin starts to check the environment variables configurations and do all its checking for listing in $RWLDOMAINS and $RWLDOMAINS after sender issued the MAIL FROM command.
If sender's IP is listed in one of the $RBLDOMAINS domain and not in any of the $RWLDOMAINS domain, then sender will be rejected/deferred depending whether $DNSBL_CHECK_REJECT or $DNSBL_CHECK_DEFER is set.
Recipient Action
None.
Data Action
All mails pass the DNSBL checks or sender's IP is listed in one of the $RWLDOMAINS domain or $DNSBL_CHECK_DEFER and $DNSBL_CHECK_REJECT are not set, the results will be added to each mail message header.
An example in one of my personal mail headers as I didn't set $DNSBL_CHECK_DEFER or $DNSBL_CHECK_REJECT:
Sorry, your ip ${PROTO}REMOTEIP is listed in one or more of the DNSBL: $RBLDOMAINS
X-DNSBL-Check-Result: FAILED for ip 114.39.67.75
X-DNSBL-Check-Report: rbldomain=zen.spamhaus.org result=http://www.spamhaus.org/query/bl?ip=114.39.67.75
X-DNSBL-Check-Report: rbldomain=cbl.abuseat.org result=Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=114.39.67.75
X-DNSBL-Check-Report: rbldomain=dnsbl.sorbs.net result=Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?114.39.67.75
An example of headers for listed in one of the $RWLDOMAINS domain (look for X-DNSWL-Check-Report):
X-DNSBL-Check-Result: PASSED for 1.2.3.4
X-DNSWL-Check-Report: rwldomain=rwl.yourdomain.com result=whitelist IP
X-DNSBL-Check-Report: rbldomain=rbl.list.com result=whatever
NOTE: If sender is authenticated, then this plugin will skip the DNSWL/DNSBL checks and add information about it in the mail header.
Message Action
None.
Requirements
- mailfront version 2.12 or later (might work with earlier version)
- bglibs version 2.03 or later (might work with earlier version)
Installation
- Build and install mailfront
- Switch back to this package
- Adjust the contents of the conf-* files
- Build the sources by running "make"
- Install the plugin by running "make install"
Mailfront Plugins Configuration
Place check-dnsbl in mailfront's plugin list. Depending on your setup:
- edit the smtpfront-qmail shell script and place the string check-dnsbl after add-received
- edit the PLUGINS environment variable and place the string check-dnsbl after add-received
- place the argument check-dnsbl after the add-received of the mailfront command
Set up environment as described in Environment Configuration above.
License
This package is copyright © 2013 Giam Teck Choon or CHOON.NET, and may be copied according to the GNU GENERAL PUBLIC LICENSE (GPL) Version 2 or a later version. A copy of this license is included with this package. This package comes with no warranty of any kind.
Changes
- 10 Jun 2013 GMT +8 : version 0.01
- Initial release
- 23 Jun 2013 GMT +8 : version 0.02
- Fix bug in defer/reject message being corrupted due to freeing not suppose to free tmpstr by using global str estr instead
- Coding style change to 2 SPACING instead of using TAB
- 18 Jul 2013 GMT +8 : version 0.03
- Add IPv6 support
- 02 Sep 2016 GMT +8 : version 0.04
- Change #include <msg/msg.h> to <bglibs/msg.h>
- Makefile: Add variables _ARCH, _LIBDIR, _INCDIR and _RPMOPTFLAGS
- Makefile: Add arch x86_64 support in rpmenv option and tidy up reset option
- Makefile: Add -I$(_INCDIR) and -L$(_LIBDIR) in makeso option
- Makefile: Remove -lbg-sysdeps
- Fix warning: return makes integer from pointer without a cast [enabled by default]
- spec: update version to 0.04
- spec: Update BuildRequires bglibs-devel >= 2.03
- spec: Update BuildRequires mailfront-devel >= 2.12
- spec: Update Requires bglibs >= 2.03
- spec: Update Requires mailfront >= 2.12
- spec: Update description about the tested mailfront version
- spec: Update BuildRequires libowfat-devel >= 0.30
- spec: Update Requires libowfat-shared >= 0.30
- 03 Jul 2017 GMT +8 : version 0.05
- Add variables to handle IPv4 and IPv6 separately
- 06 Feb 2018 GMT +8 : version 0.06
- Recode without using libowfat
- Remove html doc
Download