This is a proposal for
check_mail
from
Tom Smith
I've made some adjustments to your rules with the following net results:
1) A class "{abusers}" containing both domains and full user addresses.
Mail from any listed user or domain (or any subdomain within it) will be
rejected with:
571 Mail from <offender> refused here.
Note that the error messages are not quoted in order to allow the
<offender> substitution.
2) A class "{OKdomains}" containing unresolvable sender domains that should
still be permitted delivery
3) An option to allow spam to be delivered or relayed to selected users
(requires the use of check_compat instead of check_mail)
4) Removal of possible intermediate routing hosts. Especially for DECnet users,
a class "{gateways}" containing relays that might pass on actual sender
addresses within quotes.
5) Order the rules to exit as early as possible and to return permanent
failures (571) rather than temporary (418) ones for unresolvable but
known spammer addresses
6) IP addresses:
- Permanent failure (518) on syntactically invalid addresses
- Option to pass all syntactically valid addresses (default), or
to fail unresolved syntactically valid addresses
There should really be some additonal M4 macros ("confXXX", etc.) to remove
site-specific data (path names and class definitons) from this FEATURE file.
==========================================================================
cf/feature/nospam.m4
--------------------
dnl
dnl NOTE: This file contains local configuration information
dnl
LOCAL_CONFIG
#
# List of known spammers
F{abusers}-o /etc/sendmail.abusers
#
# Domains that won't resolve but that we let in anyway
F{OKdomains}-o /etc/sendmail.OKdomains
#
# List of local recipients who do not want mail filtered
# (requires check_compat ruleset)
F{wantsjunk}-o /etc/sendmail.wantsjunk
#
# Gateway relays that might give you quoted addresses: "user@domain"@gateway
# (e.g., SMTP->DECnet gateways if you're running MAIL11)
#C{gateways}gate1.dnet firewall.dnet
C{gateways}
LOCAL_RULESETS
## Note: Choose either check_mail or check_compat
## check_compat checks after the whole message has been transmitted and
## sends a DSN back to the sender (which then bounces back to you and
## defeats the whole purpose). However, if you have spam lovers,
## you are stuck with check_compat
## See RFC 1893 for error codes
Scheck_mail
#Scheck_compat
# If you use check_compat, add this preamble:
## If the recipient wants all mail, just send it
#R$* $| < $={wantsjunk} > $@ <OK>
#R$* $| $={wantsjunk} $@ <OK>
#R$* $| < $={wantsjunk} @ $=w > $@ <OK>
#R$* $| $={wantsjunk} @ $=w $@ <OK>
#R$* $| $* $: $1 remove recipient address
# end of check_compat preamble
#
R$* $: $>3 $1 make domain canonical
R$* < @ $=w . > $>3 $1 ...@here -> ... (remove local domains)
R$* < @ $={gateways} . > $>3 $1 remove other known intermediate relays
R$- $: $>3 $(dequote $1 $) dequote "foo" and canonify again
R$- $@ <OK> just a username left. OK.
R<@> $@ <OK> special case
#
# Check first for real and phony domains we know we do not want
# (This keeps the known phony domains from retrying with an unresolved name error)
R$* < @ $={abusers} . > $* $#error $@ 5.7.1 $: 571 Mail from $2 refused here.
R$* < @ $={abusers} > $* $#error $@ 5.7.1 $: 571 Mail from $2 refused here.
R$* < @ $+ . $={abusers} . > $* $#error $@ 5.7.1 $: 571 Mail from $3 refused here.
R$* < @ $+ . $={abusers} > $* $#error $@ 5.7.1 $: 571 Mail from $3 refused here.
#
# Check for full user addresses
# convert back to u@domain (and remove the trailing dot)
R$* $: $>4 $1
R$={abusers} $#error $@ 5.7.1 $: 571 Mail from $1 refused here.
R$* <$={abusers}> $* $#error $@ 5.7.1 $: 571 Mail from $2 refused here.
#
# The known offenders are out of the way.
# Now check for valid domain name (incompatible with DeliveryMode=defer)
R$* $: $>3 $1 canonify again
# look up syntactically valid IP addresses
R$* <@ [ $- .$- . $- .$- ] > $* $: $1 < @ $[ [ $2.$3.$4.$5 ] $] > $6
R$* < @ $+ . > $* $@ <OK> resolved domains pass
R$* < @ $={OKdomains} > $* $@ <OK> unresolvable domains that are OK pass
R$* < @ $+ . $={OKdomains} > $* $@ <OK> unresolvable subdomains that are OK pass
#
# Pick one of the following three rules
# PTR records are often missing in the real world.
# (1) Let all unresolved but syntactically valid raw IP addresses through (safe):
R$* < @ [ $- . $- . $- .$- ] > $* $@ <OK>
# (2) Give a temporary failure on an unresolved but syntactically valid raw IP address (fussy):
#R$* < @ [ $- . $- . $- .$- ] > $* $#error $@ 4.1.8 $: 418 Sender IP address unresolvable. Check your DNS configuration.
# (3) Give a permanent failure on an unresolved but syntactically valid raw IP address (ruthless):
#R$* < @ [ $- . $- . $- .$- ] > $* $#error $@ 5.1.8 $: 518 Sender IP address unresolvable. Check your DNS configuration.
# Reject all other unresolved IP addresses with a permanent failure:
R$* < @ [ $* ] > $* $#error $@ 5.1.8 $: 518 Sender IP address invalid. Check your configuration.
#
# Anything that remains should be unresolved and refused (but make sure)
# The following (418) causes the message to be deferred
# and retried until the timeout period expires (i.e., it forgives temporary DNS failures)
R$* < @ $+ > $* $#error $@ 4.1.8 $: 418 Sender host name unresolvable. Check your configuration.
# 571 is instead a permanent "Delivery not authorized, message refused" error
#R$* < @ $+ > $* $#error $@ 5.1.8 $: 518 Sender host name unresolvable. Check your configuration.