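dnl
dnl Exim ACL fragment (m4 template): reverse-DNS checks of the connecting relay.
dnl The first check asks whether the relay address has a PTR record at all; the
dnl second asks whether the forward and reverse records agree (iprev / FCrDNS).
dnl Results can be logged, added as X-Warn-Resolve / X-Quarantine-Resolve
dnl headers, appended to acl_m_auth_results (Authentication-Results iprev=...),
dnl scored into the optional greylist / reject counters, delayed, quarantined,
dnl deferred or rejected, depending on the two conf* settings below.
dnl
dnl Check that the relay has a record in the reverse DNS zone.
dnl
dnl NO          - do not perform the check
dnl REJECT      - return a 5xx code to the client when the reverse record is
dnl               missing, and 451 when the lookup itself has problems
dnl DEFER       - return a 451 code to the client
dnl WARN        - write a warning to the log file
dnl GREYLIST:XX - add XX points to the optional greylisting score
dnl REJECT:XX   - add XX points to the optional reject score
dnl DELAY:XX    - delay XX seconds before answering RCPT TO
dnl QUARANTINE  - accept the message into quarantine without delivering it
dnl MAIL        - perform the lookup check in acl_smtp_mail
dnl RCPT        - perform the lookup check in acl_smtp_rcpt
dnl
define(`confCHECK_RELAY_RESOLVE', `WARN')dnl
dnl
dnl WARN, GREYLIST:XX, REJECT:XX and DELAY:XX may be combined, separated by spaces.
dnl
dnl Check that the forward and reverse DNS records of the relay agree.
dnl (This check only runs when confCHECK_RELAY_RESOLVE is not set to NO.)
dnl NO          - do not perform the check
dnl REJECT      - return a 5xx code to the client
dnl DEFER       - return a 451 code to the client
dnl WARN        - write a warning to the log file
dnl GREYLIST:XX - add XX points to the optional greylisting score
dnl REJECT:XX   - add XX points to the optional reject score
dnl DELAY:XX    - delay XX seconds before answering RCPT TO
dnl QUARANTINE  - accept the message into quarantine without delivering it
dnl
define(`confCHECK_RELAY_FORGED', `WARN')dnl
dnl
dnl WARN, GREYLIST:XX, REJECT:XX and DELAY:XX may be combined, separated by spaces.
dnl
dnl Exemptions from the reverse-zone lookup check (list).
dnl Exempted hosts bypass both checks entirely, so the sources of the
dnl exemptions (authentication, +relay_from_hosts, CONFDIR/access-relay)
dnl are part of the trust boundary of this policy.
dnl NO         - no exemptions
dnl AUTH       - do not check authenticated senders
dnl RELAY_FROM - do not check outgoing messages (hosts in +relay_from_hosts)
dnl ACCESS     - do not check hosts listed in CONFDIR/access-relay with value ok
dnl WARN       - log a warning when an exempted host has lookup problems
dnl
define(`confCHECK_RELAY_RESOLVE_SKIP', `AUTH RELAY_FROM')dnl
dnl
dnl Several values may be given in confCHECK_RELAY_RESOLVE_SKIP, separated by spaces.
dnl
dnl exim must be built with dnsdb support.
dnl
dnl Normalise the user-facing RESOLVE value (REJECT, DELAY:XX, ...) into the
dnl lowercase tokens matched below (reject, pause=XX, greylist=XX, reject=XX,
dnl warn, defer, quarantine).
ifelse_strstr(confCONTENT_SCANNING_QUARANTINE, `PERSONAL',`dnl
define(`_TMP_', `NORMALIZE_ACTION_PERSONAL_QUARANTINE(confCHECK_RELAY_RESOLVE)')dnl
',`dnl
define(`_TMP_', `NORMALIZE_ACTION(confCHECK_RELAY_RESOLVE)')dnl
')dnl
define(`confCHECK_RELAY_RESOLVE', _TMP_)dnl
dnl NOTE(review): confCHECK_RELAY_FORGED is matched below against the same
dnl lowercase tokens but is not passed through NORMALIZE_ACTION in this file.
dnl Confirm that it is normalised elsewhere (or that ifelse_strstr is
dnl case-insensitive), otherwise DELAY:XX / GREYLIST:XX on FORGED never match.
dnl
# Check that the relay address resolves in the reverse DNS zone
warn set acl_m0 = no_skip

ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `AUTH', `dnl
warn authenticated = *
     set acl_m0 = skip
')
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `RELAY_FROM', `dnl
warn hosts = +relay_from_hosts
     set acl_m0 = skip
')
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `ACCESS', `dnl
# hosts listed in CONFDIR/access-relay with value ok (case-insensitive) are exempt
warn condition = ${lookup{$sender_host_address}iplsearch{CONFDIR/access-relay}\
                 {${if eq{${lc:$value}}{ok}{yes}{no}}}\
                 {no}}
     set acl_m0 = skip
')
ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `dnl
# non-exempt host with a verified host name: record iprev=pass
warn condition = ${if eq{$acl_m0}{skip}{no}{yes}}
     condition = ${if eq{$sender_host_name}{}{no}{yes}}
     set acl_m_auth_results = ${acl_m_auth_results};\n\tiprev=pass policy.iprev=$sender_host_address ($sender_host_name)
')
dnl ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `')
dnl
dnl A temporary lookup failure is deferred (451) only when either check is
dnl configured to reject or defer; otherwise it is only logged.
define(`confCHECK_RELAY_RESOLVE_DEFER',`NO')
ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `defer', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_FORGED, `defer', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
dnl
# Temporary problems resolving the reverse DNS record of the relay
# (no host name, but the lookup did not fail outright)
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `dnl
# exempted hosts: warn only
warn condition = ${if eq{$acl_m0}{skip}{yes}{no}}
     condition = ${if eq{$sender_host_name}{}{yes}{no}}
     condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
     log_message = Could not resolve PTR record for $sender_host_address
     add_header = X-Warn-Resolve: Could not resolve PTR record for $sender_host_address
')
dnl
ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `dnl
warn condition = ${if eq{$acl_m0}{skip}{no}{yes}}
     condition = ${if eq{$sender_host_name}{}{yes}{no}}
     condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
     set acl_m_auth_results = ${acl_m_auth_results};\n\tiprev=temperror policy.iprev=$sender_host_address
')
dnl ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE_DEFER, `NO', `dnl
# non-exempted hosts: warn only, because neither confCHECK_RELAY_RESOLVE
# nor confCHECK_RELAY_FORGED contains reject or defer
warn condition = ${if eq{$acl_m0}{skip}{no}{yes}}
     condition = ${if eq{$sender_host_name}{}{yes}{no}}
     condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
     log_message = Could not resolve PTR record for $sender_host_address
     add_header = X-Warn-Resolve: Could not resolve PTR record for $sender_host_address
', `dnl
# non-exempted hosts: defer, because confCHECK_RELAY_RESOLVE or
# confCHECK_RELAY_FORGED contains reject or defer
defer condition = ${if eq{$acl_m0}{skip}{no}{yes}}
      condition = ${if eq{$sender_host_name}{}{yes}{no}}
      condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
      log_message = Could not resolve PTR record for $sender_host_address
      message = Access temporarily denied. Could not resolve PTR record for $sender_host_address
')
dnl
# Forward and reverse DNS records of the relay do not match
# (acl_c_RR is presumably the earlier dnsdb PTR lookup result set outside
# this file; a non-empty value here means a PTR exists but was not confirmed)
warn set acl_m1 =
     condition = ${if eq{$sender_host_name}{}{yes}{no}}
     condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
     condition = ${if eq{$acl_c_RR}{}{no}{yes}}
     set acl_m1 = forged
     condition = ${if eq{$acl_m0}{skip}{yes}{no}}
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `
     # exempted hosts: warn only
     log_message = IP name forged for $sender_host_address
     add_header = X-Warn-Resolve: IP name forged for $sender_host_address
')
     set acl_m1 =

warn condition = ${if eq{$acl_m1}{forged}{yes}{no}}
ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `dnl
     set acl_m_auth_results = ${acl_m_auth_results};\n\tiprev=fail policy.iprev=$sender_host_address
')
dnl ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `dnl
     delay = EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     delay=EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s\t\t\
     IP name forged for $sender_host_address\n
     log_message = IP name forged for $sender_host_address; message delayed for EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `dnl
     add_header = X-Warn-Resolve: IP name forged for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `quarantine', `dnl
ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `dnl
dnl quarantine and reject
accept condition = ${if eq{$acl_m1}{forged}{yes}{no}}
       log_message = message will be quarantined and rejected: IP name forged for $sender_host_address
       set acl_m_fakereject = \
       message will be quarantined and rejected: IP name forged for $sender_host_address\
       |X-Quarantine-Resolve: IP name forged for $sender_host_address\
       |IP name forged for $sender_host_address
       set acl_m_add_x_orig_rcpt = yes
       set acl_m_quarantined = $acl_m_quarantined envelope
',`dnl ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `')
dnl quarantine and !reject
warn condition = ${if eq{$acl_m1}{forged}{yes}{no}}
     log_message = message will be quarantined: IP name forged for $sender_host_address
     add_header = X-Quarantine-Resolve: IP name forged for $sender_host_address
     set acl_m_add_x_orig_rcpt = yes
     set acl_m_quarantined = $acl_m_quarantined envelope
accept condition = ${if eq{$acl_m1}{forged}{yes}{no}}
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `')
',`dnl ifelse_strstr(confCHECK_RELAY_FORGED, `quarantine', `')
ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `
# !quarantine and reject
deny condition = ${if eq{$acl_m1}{forged}{yes}{no}}
     message = IP name forged for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED` ', `reject ', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `defer', `
dnl defer
defer condition = ${if eq{$acl_m1}{forged}{yes}{no}}
      log_message = IP name forged for $sender_host_address
      message = Access temporarily denied. \
      IP name forged for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `defer', `')
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `quarantine', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `dnl
dnl with pause= the delay statement above already logs the event
ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `', `dnl
warn condition = ${if eq{$acl_m1}{forged}{yes}{no}}
     log_message = IP name forged for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `')
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `greylist=', `dnl
ifelse(confGREYLIST, `OPTIONAL', `dnl
warn condition = ${if eq{$acl_m1}{forged}{yes}{no}}
     set acl_m_optional_greylist = \
     scores=${eval:${extract{scores}{$acl_m_optional_greylist}}+EXTRACT(`greylist', confCHECK_RELAY_FORGED)} \
     log_message="${extract{log_message}{$acl_m_optional_greylist}} greylisted due to IP name forged for $sender_host_address;"
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     greylist scores=EXTRACT(`greylist', confCHECK_RELAY_FORGED)\t\
     IP name forged for $sender_host_address\n
')
dnl ifelse(confGREYLIST, `OPTIONAL', `')
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `greylist=', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `reject=', `dnl
ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `dnl', `dnl
warn condition = ${if eq{$acl_m1}{forged}{yes}{no}}
     set acl_m_optional_reject = \
     scores=${eval:${extract{scores}{$acl_m_optional_reject}}+EXTRACT(`reject', confCHECK_RELAY_FORGED)} \
     log_message="${extract{log_message}{$acl_m_optional_reject}} rejected due to IP name forged for $sender_host_address;"
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     reject scores=EXTRACT(`reject', confCHECK_RELAY_FORGED)\t\t\
     IP name forged for $sender_host_address\n
')')
dnl ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `', `')')
')
dnl ifelse_strstr(confCHECK_RELAY_FORGED, `reject=', `')
dnl
# The relay has no record in the reverse DNS zone
warn set acl_m1 =
     condition = ${if eq{$sender_host_name}{}{yes}{no}}
     condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
     condition = ${if eq{$acl_c_RR}{}{yes}{no}}
     set acl_m1 = failed
     condition = ${if eq{$acl_m0}{skip}{yes}{no}}
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `
     # exempted hosts: warn only
     log_message = IP name lookup failed for $sender_host_address
     add_header = X-Warn-Resolve: IP name lookup failed for $sender_host_address
')
     set acl_m1 =

# acl_m1 can only be empty or failed at this point (the forged and failed
# conditions on acl_c_RR are mutually exclusive), so the gate must test
# failed here; testing forged made the permerror, delay and warn header dead.
warn condition = ${if eq{$acl_m1}{failed}{yes}{no}}
ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `dnl
     set acl_m_auth_results = ${acl_m_auth_results};\n\tiprev=permerror (no ptr) policy.iprev=$sender_host_address
')
dnl ifelse_strstr(confAUTH_RESULTS_ADD, `NO', `', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `dnl
     delay = EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     delay=EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s\t\t\
     IP name lookup failed for $sender_host_address\n
     log_message = IP name lookup failed for $sender_host_address; message delayed for EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `dnl
     add_header = X-Warn-Resolve: IP name lookup failed for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `quarantine', `dnl
ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `dnl
dnl quarantine and reject
accept condition = ${if eq{$acl_m1}{failed}{yes}{no}}
       log_message = message will be quarantined and rejected: IP name lookup failed for $sender_host_address
       set acl_m_fakereject = \
       message will be quarantined and rejected: IP name lookup failed for $sender_host_address\
       |X-Quarantine-Resolve: IP name lookup failed for $sender_host_address\
       |IP name lookup failed for $sender_host_address
       set acl_m_add_x_orig_rcpt = yes
       set acl_m_quarantined = $acl_m_quarantined envelope
',`dnl ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `')
dnl quarantine and !reject
warn condition = ${if eq{$acl_m1}{failed}{yes}{no}}
     log_message = message will be quarantined: IP name lookup failed for $sender_host_address
     add_header = X-Quarantine-Resolve: IP name lookup failed for $sender_host_address
     set acl_m_add_x_orig_rcpt = yes
     set acl_m_quarantined = $acl_m_quarantined envelope
accept condition = ${if eq{$acl_m1}{failed}{yes}{no}}
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `')
',`dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `quarantine', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `
dnl !quarantine and reject
deny condition = ${if eq{$acl_m1}{failed}{yes}{no}}
     message = IP name lookup failed for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE` ', `reject ', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `defer', `
dnl defer (stray "= " removed from the client-facing message; log_message
dnl added to match the forged branch)
defer condition = ${if eq{$acl_m1}{failed}{yes}{no}}
      log_message = IP name lookup failed for $sender_host_address
      message = Access temporarily denied. \
      IP name lookup failed for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `defer', `')
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `quarantine', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `dnl
dnl with pause= the delay statement above already logs the event
ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `', `dnl
warn condition = ${if eq{$acl_m1}{failed}{yes}{no}}
     log_message = IP name lookup failed for $sender_host_address
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `')
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `')
dnl NOTE(review): the optional greylist / reject log texts below say
dnl "IP name failed" while every other message in this section says
dnl "IP name lookup failed"; left unchanged in case log consumers match on it.
ifelse_strstr(confCHECK_RELAY_RESOLVE, `greylist=', `dnl
ifelse(confGREYLIST, `OPTIONAL', `dnl
warn condition = ${if eq{$acl_m1}{failed}{yes}{no}}
     set acl_m_optional_greylist = \
     scores=${eval:${extract{scores}{$acl_m_optional_greylist}}+EXTRACT(`greylist', confCHECK_RELAY_RESOLVE)} \
     log_message="${extract{log_message}{$acl_m_optional_greylist}} greylisted due to IP name failed for $sender_host_address;"
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     greylist scores=EXTRACT(`greylist', confCHECK_RELAY_RESOLVE)\t\
     IP name lookup failed for $sender_host_address\n
')
dnl ifelse(confGREYLIST, `OPTIONAL', `')
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `greylist=', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `reject=', `dnl
ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `dnl', `dnl
warn condition = ${if eq{$acl_m1}{failed}{yes}{no}}
     set acl_m_optional_reject = \
     scores=${eval:${extract{scores}{$acl_m_optional_reject}}+EXTRACT(`reject', confCHECK_RELAY_RESOLVE)} \
     log_message="${extract{log_message}{$acl_m_optional_reject}} rejected due to IP name failed for $sender_host_address;"
     set acl_m_spam_action = ${acl_m_spam_action}\t\
     reject scores=EXTRACT(`reject', confCHECK_RELAY_RESOLVE)\t\t\
     IP name lookup failed for $sender_host_address\n
')')
dnl ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `', `')')
')
dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `reject=', `')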