Mailfilter Config Center Help

Juniper man pages - smtpd Address Checking


SMTPD version 2 Address Checking rules

The address check file, when enabled, is read for each RCPT line in the SMTP dialogue. Each rule is checked against the current source (the SMTP client machine and possibly the user from ident) and the current FROM: and RCPT: addresses. Rules are read from the top to the bottom of the file, and the first match stops the check, with the action determined by the first field of the matching rule.

Anything on a line after a pound sign (#) is ignored as a comment.

An address check rule line has four fields:
[allow|deny|noto]:SourceList:FromList:ToList[:XXX message for deny/noto]

The first field must normally be one of the strings "allow", "deny", or "noto". This determines the disposition of a message which matches the rule. A matching "allow" rule allows the SMTP connection to proceed. A matching "deny" rule will terminate the SMTP connection with a failure, and the message will not be delivered to *any* of its recipients. A "noto" rule will prevent the delivery of a message to the matching combination, failing that RCPT command and returning a 550 code in the SMTP dialogue, but will allow delivery to continue if other rules allow further recipients. If NODO_DELAY and DENY_DELAY are set nonzero in the makefile at compile time, there are two additional rule keywords: "noto_delay" and "deny_delay". These rules function exactly like a noto or deny, except that smtpd will sleep for the delay amount before returning the error code to the client, causing a "pregnant pause" in the SMTP dialogue.

The second field is a list of source patterns, separated by white space. These match against the incoming SMTP connection's originating hostname, IP address and, possibly, the username returned by an ident call.

The third field is a list of address patterns, separated by white space. These match against the MAIL FROM: portion of the SMTP dialogue.

The fourth field is a list of address patterns, separated by white space. These match against the RCPT TO: portion of the SMTP dialogue.

The fifth field is optional; if present, it is used when the matching rule is a deny or noto rule. It should be the complete SMTP dialogue message to be sent to the remote SMTP client, and it should start with an appropriate SMTP error code. The following substitutions are made in the string:

  • %F is replaced with the MAIL FROM: address.
  • %T is replaced with the RCPT TO: address.
  • %H is replaced with the connecting hostname, or "UNKNOWN"
  • %U is replaced with the connecting user from ident, or "UNKNOWN"
  • %I is replaced with the connecting host IP address.

For a rule to match, a match must be made against all three lists. A match against a list occurs when any of the patterns in it match. The keyword "EXCEPT" may be used in a list to indicate exceptions to matches. For example:
pattern1 pattern2 pattern3 EXCEPT pattern4
will match any string that matches pattern1, pattern2 or pattern3, except for those that also match pattern4.

All characters in patterns, except in specials, must be lower case. Lower case letters in patterns match both upper and lower case letters in sources. '*' in a pattern matches 0 or more characters. If smtpd was compiled with USE_REGEX set in the makefile, a pattern may be enclosed in slashes ("/.../") to indicate that it is a POSIX style regular expression, which is matched case insensitively.

Source Patterns:

A source pattern is a pattern to match the source of a connection. It consists of two parts: an optional user part, followed by an at sign (@), followed by the required host part. Each part is treated independently. The user part (if present) is checked against the user value returned when smtpd performs an ident query to the connecting machine. No ident query is made unless a rule requests one. The host part matches against the hostname or IP address of the connecting machine. IP addresses may be specified using a netmask of the form a.b.c.d/bits. Each part may consist of the following specials:
  • ALL matches everything, including empty string
  • KNOWN matches a known reply from the network, in the case of resolved hostnames or ident values.
  • UNKNOWN matches an unknown reply from the network, in the case of resolved hostnames or ident values.
  • TRUSTED matches a connection arriving on a trusted interface (if smtpd was compiled with JUNIPER_SUPPORT and you are running on a machine with the Juniper firewall toolkit)
  • UNTRUSTED matches a connection arriving on an untrusted interface (if smtpd was compiled with JUNIPER_SUPPORT and you are running on a machine with the Juniper firewall toolkit)
  • NS=pattern matches a connection arriving from a source whose nameserver or mail exchanger matches pattern. (if NS_MATCH set to 1 in Makefile)

Example Source Patterns:

  • hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com" (or "HoBBeS.obTuSe.CoM")
  • *obtuse.com - matches any hostname ending in "obtuse.com" (hobbes.obtuse.com or hobbes.AcutelyObtuse.com)
  • KNOWN - Matches only machines whose address resolves to a hostname.
  • UNKNOWN - Matches only machines whose address does not resolve to a hostname.
  • UNKNOWN EXCEPT TRUSTED - Matches a connection from a machine whose address does not resolve to a hostname, except if the connection is via a trusted interface.
  • KNOWN@KNOWN - Matches only machines whose address resolves AND returns something as the user via ident. (No ident call is made by smtpd unless a rule requires one)
  • 129.128.13.2 - Matches a connection from host IP 129.128.13.2
  • 129.128.13.0/24 - Matches a connection from class C 129.128.13.
  • 129.128.13.* - Matches a connection from class C 129.128.13.
  • beck@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with ident returned as "beck" (or "bEcK").
  • KNOWN@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with any known ident value.
  • UNKNOWN@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with any unknown ident value.

Address Patterns:

An address pattern may consist of a user and host part, separated by an at sign (@). Each part, or the whole pattern, may consist of one of the following specials:
  • ALL matches everything, including the empty string
  • USER (special) means this part must match the ident user for the connection.
  • NS=pattern matches the nameserver or MX; it may appear on the right of the @, or by itself. (if NS_MATCH is set to 1 in the Makefile)

Address pattern examples:

  • ALL matches anything.
  • spamford@cyberpromo.com matches "spamford@cyberpromo.com"
  • ALL@cyberpromo.com matches any address from "cyberpromo.com"
  • *@cyberpromo.com same as above
  • ALL@*cyberpromo.com matches any address from anything ending in cyberpromo.com.
  • ALL@NS=*cyberpromo.com matches any address where the RHS uses a nameserver or MX ending in "cyberpromo.com".
  • sales@ALL matches "sales" from anywhere.
  • USER@obtuse.com The ident reply from the connecting host must be (case insensitively) the user part of the address, and the address must end in obtuse.com.
  • /^[0-9]+@.*$/ (assuming USE_REGEX = 1 when built) matches any address that is all numbers in the user part

Example Rules:

    #Allow anything from anywhere to an address ending in obtuse.com:
    allow:ALL:ALL:ALL@*obtuse.com
    #don't allow unregistered hosts, unless via a trusted interface
    deny:UNKNOWN EXCEPT TRUSTED:ALL:ALL

    #deny mail from anything ending in .cyberpromo.com
    deny:ALL:*.cyberpromo.com:ALL
    #and deny anything relayed by a host ending in .cyberpromo.com
    deny:*.cyberpromo.com:ALL:ALL

    #Simple ident example, useful *only* if you can trust the ident
    #value returned by the machine. (You can't unless you control it
    #or trust the person that does not to make it lie)
    #Allow mail if the user part of the FROM address matches ident.
    allow:KNOWN@idents.trusted.here:USER@idents.trusted.here:ALL

    # A more complex example. The typical university case of making
    # sure users don't subscribe other users to majordomo mailing lists by
    # forging mail via smtp.
    # allow users that mta's run as to send anything
    # (ALL must be upper case: a lower case "all" is a literal host name)
    allow:root@ALL daemon@ALL uucp@ALL:ALL:ALL
    # other known users can send to majordomo only as themselves according
    # to ident.
    allow:KNOWN@ALL:USER@ALL:majordomo@ALL
    # Below shows a custom message too
    deny:ALL:ALL:majordomo@ALL:550 You can't send majordomo mail from %F when you are %U@%H (ip %I).

    # The normal antispam case, assumes JUNIPER_SUPPORT,
    # We trust everything from inside on a trusted interface to go out
    allow:UNTRUSTED:ALL:ALL
    # DNS registered clients can talk to me, with mail for my domains
    allow:KNOWN:ALL:*my.domain *myother.domain
    # unregistered clients get punted.
    deny:UNKNOWN:ALL:ALL
    # otherwise mail to nonlocal users won't get relayed.
    noto:ALL:ALL:ALL


About NS= rules

The NS= rules match things in a somewhat strange way. Namely, they chop off bits from the left of what they are given until they find something with a record for it. Specifically, if you are looking for NS=*cyberpromo.com, and the address you are matching against is someone@completely.bogus.cyberpromo.com, the NS= match will try first "completely.bogus.cyberpromo.com", then "bogus.cyberpromo.com", and then finally "cyberpromo.com", for which it will find cyberpromo's nameserver and MX records. The exception to this is the case of NS=UNKNOWN or NS=KNOWN. These match on whether a host, or the RHS of an address, is known or unknown to the DNS. A host is UNKNOWN if:
  • a gethostbyname() call fails to find a hostent for it, AND no Nameserver (NS) or Mail Exchanger (MX) records can be found for it in the DNS.
When you specify NS=KNOWN or NS=UNKNOWN, smtpd will not attempt to work its way down the string to find out who owns it, i.e. completely.bogus.cyberpromo.com would match NS=*cyberpromo.com, but would not match NS=KNOWN, and would match NS=UNKNOWN. The major effect of this is that the following rule:
    noto:ALL:NS=UNKNOWN:ALL
should effectively block any mail that gives a MAIL FROM: address in the SMTP dialogue with no hope of being replied to via SMTP from your machine.
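The rule file syntax, the source and address patterns, the example rule sets and the NS= label chopping described above, modelled as an added Python example; it is not part of the smtpd man page or of the smtpd code. Everything that smtpd would learn from the network is replaced by constructed stand-ins, which is an assumption: NS_TABLE plays the role of DNS NS/MX lookups (a name present in it counts as KNOWN for NS=KNOWN/UNKNOWN), a Source whose host is None stands for a failed reverse lookup and one whose user is None for a missing ident reply. USE_REGEX patterns are not modelled, and an address pattern with no @ in it is treated as a glob over the whole address, which is this model's reading of the "*.cyberpromo.com" example rather than something the page states.

```python
# Added illustration, not the smtpd project's code: a Python model of the SMTPD v2
# address checks (first-match rules, EXCEPT, source/address patterns, NS= chopping,
# %F/%T/%H/%U/%I substitutions). DNS, ident and interface facts are constructed.
import re
import ipaddress
from collections import namedtuple

NS_TABLE = {"cyberpromo.com": "ns.cyberpromo.com", "obtuse.com": "ns.obtuse.com",
            "example.org": "mx.example.org"}   # constructed: name -> its NS/MX host
# host=None: reverse lookup failed (UNKNOWN); user=None: no ident reply (UNKNOWN)
Source = namedtuple("Source", "ip host user trusted", defaults=(None, None, False))

def glob_match(pattern, value):
    # '*' matches 0 or more characters; lowercase pattern letters match either case
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None

def match_simple(pattern, value, known=None):
    # ALL, KNOWN/UNKNOWN specials, or a '*' glob (USE_REGEX patterns not modelled)
    if pattern in ("KNOWN", "UNKNOWN"):
        return known == (pattern == "KNOWN")
    return pattern == "ALL" or (value is not None and glob_match(pattern, value))

def match_ns(pattern, rhs):
    # NS=KNOWN/UNKNOWN test the rhs as given; other NS= patterns chop labels off the
    # left until a name with NS/MX records is found and match that server's name
    rhs = rhs.lower()
    if pattern in ("KNOWN", "UNKNOWN"):
        return (rhs in NS_TABLE) == (pattern == "KNOWN")
    labels = rhs.split(".")
    found = [n for n in (".".join(labels[i:]) for i in range(len(labels))) if n in NS_TABLE]
    return bool(found) and glob_match(pattern, NS_TABLE[found[0]])

def match_source(pattern, src):
    # [user@]host; the user part triggers an ident comparison only when present
    user_pat, _, host_pat = pattern.rpartition("@")
    known = src.host is not None
    if host_pat in ("TRUSTED", "UNTRUSTED"):          # JUNIPER_SUPPORT interfaces
        ok = src.trusted == (host_pat == "TRUSTED")
    elif host_pat.startswith("NS="):
        ok = known and match_ns(host_pat[3:], src.host)
    elif "/" in host_pat:                             # a.b.c.d/bits netmask
        ok = ipaddress.ip_address(src.ip) in ipaddress.ip_network(host_pat, strict=False)
    else:                                             # hostname or IP address
        ok = match_simple(host_pat, src.host, known) or match_simple(host_pat, src.ip, known)
    return ok and (not user_pat or match_simple(user_pat, src.user, src.user is not None))

def match_address(pattern, addr, src):
    # user@host pattern or a whole-pattern special; a pattern without '@' is
    # globbed over the whole address (an assumption, e.g. *.cyberpromo.com)
    if pattern.startswith("NS="):
        return match_ns(pattern[3:], addr.rpartition("@")[2])
    if "@" not in pattern:
        return match_simple(pattern, addr)
    user_pat, _, host_pat = pattern.rpartition("@")
    user, _, host = addr.rpartition("@")
    user_ok = (src.user is not None and src.user.lower() == user.lower()   # USER = ident
               if user_pat == "USER" else match_simple(user_pat, user))
    host_ok = (match_ns(host_pat[3:], host) if host_pat.startswith("NS=")
               else match_simple(host_pat, host))
    return user_ok and host_ok

def list_match(patterns, matcher):
    # any pattern matches, unless a pattern listed after EXCEPT also matches
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return list_match(patterns[:i], matcher) and not list_match(patterns[i + 1:], matcher)
    return any(matcher(p) for p in patterns)

def parse_rules(text):
    # action:SourceList:FromList:ToList[:message]; '#' to end of line is a comment
    rules = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:
            f = line.split(":", 4)
            rules.append((f[0], f[1].split(), f[2].split(), f[3].split(),
                          f[4].strip() if len(f) > 4 else None))
    return rules

def check_rcpt(rules, src, mail_from, rcpt_to):
    # rules top to bottom for one RCPT, first match wins -> (action, message); (None, None) = no match
    subst = {"%F": mail_from, "%T": rcpt_to, "%I": src.ip,
             "%H": src.host or "UNKNOWN", "%U": src.user or "UNKNOWN"}
    for action, srcs, froms, tos, msg in rules:
        if (list_match(srcs, lambda p: match_source(p, src))
                and list_match(froms, lambda p: match_address(p, mail_from, src))
                and list_match(tos, lambda p: match_address(p, rcpt_to, src))):
            return action, msg and re.sub("%[FTIHU]", lambda m: subst[m.group()], msg)
    return None, None

# Constructed rule file assembled from the examples above (the university case).
RULES = parse_rules("""
allow:ALL:ALL:ALL@*obtuse.com
deny:UNKNOWN EXCEPT TRUSTED:ALL:ALL
allow:KNOWN@ALL:USER@ALL:majordomo@ALL
deny:ALL:ALL:majordomo@ALL:550 You can't send majordomo mail from %F when you are %U@%H (ip %I).
noto:ALL:NS=UNKNOWN:ALL
allow:129.128.13.0/24:ALL:ALL
""")
```

check_rcpt returns the action of the first matching rule together with the expanded custom message, so a majordomo recipient with a forged MAIL FROM: from a known host with ident gets the 550 text naming the ident user, host and IP, an unregistered client on an untrusted interface is denied by the EXCEPT TRUSTED rule, and a trusted one whose MAIL FROM: domain has no DNS records falls through to the NS=UNKNOWN noto. The page names no default for the case where nothing matches, which is why the example rule sets end with a catch-all; running a candidate rule file against a handful of constructed connections like these before deploying it is the kind of test the BUGS section asks for.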

BUGS

Mistakes in these rules can discard legitimate mail and annoy your users and other postmasters a very great deal! When combined with custom return codes it is possible to write rules that completely break the SMTP protocol. It is important to test your rules and be absolutely sure they do exactly what you want and no more.

Toppoint e.V.
$Revision: 1.4 $ $Date: 2004/10/30 13:54:01 $