ietf-clear

[ietf-clear] CSV implementation for Exim 4.

2004-12-10 07:16:33
I'd appreciate it if someone could glance at this and check it's
correct. To be used standalone as a HELO ACL, or if there's an existing
HELO ACL it can be invoked as 'require acl = check_csv' from there.

No attempt at checking the authentication (accreditation) parts yet.
You'd want to filter it and you'd have to deal with multiple PTR
records... either it wants doing in C code rather than with a
configuration hack, or at _least_ I'd need more coffee first :) 

check_csv:
  # Find CSV record.
  require  set acl_m1 = ${lookup dnsdb{srv=_client._smtp.$sender_helo_name}}

  # If there's none, accept the HELO name.
  accept condition = ${if eq {$acl_m1}{} {1}}

  # Check the CSV record. Each SRV record should match {^1 [0123] 0} or we 
  # treat it as no record at all.
  accept condition = ${if !match{\n$acl_m1} {^(\n1 [0123] 0 [^\n]*)*\$} {1}}

  # Extract good hosts (1 2 0 <hostname>)
  require  set acl_m2 = ${sg {\n$acl_m1} \
                             {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                             {\N${if eq{$1$2$3}{120} {:$4}}\N} \
                        }
  # Extract hosts which are authorised, but not to be used for authentication
  # (1 3 0 <hostname>)
  require  set acl_m3 = ${sg {\n$acl_m1} \
                             {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                             {\N${if eq{$1$2$3}{130} {:$4}}\N} \
                        }
  # Extract explicitly denied hosts (1 [01] 0 <hostname>)
  require  set acl_m4 = ${sg {\n$acl_m1} \
                             {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                             {\N${if match{$1$2$3.$4}{1[01]0\.(.*)} {:$1}}\N} \
                        }
  # Note there's a leading colon on these, but we wouldn't have accepted an
  # empty HELO anyway.
  # A plain host name in a host list is looked up (forward DNS) and its
  # addresses are compared with $sender_host_address, so no reverse lookup
  # of the client is needed here.
  deny  hosts = $acl_m4
        message = CSV record for $sender_helo_name explicitly forbids \
                  $sender_host_address

  deny  message = CSV record for $sender_helo_name does not include \
                  $sender_host_address
        !hosts = $acl_m2$acl_m3

  accept


-- 
dwmw2
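The decision sequence of the ACL above, rewritten as a stand-alone Python model so the rules can be exercised offline against constructed input. This is an added example, not Exim code and not from the original post; the function and variable names (check_csv, classify, SAMPLE_SRV, SAMPLE_DNS, sample_resolve) are assumptions made here, the sample records and addresses are constructed, and the meaning of the weights (2/3 authorised, 0/1 explicitly forbidden, anything else treated as no record) is transcribed from the comments in the ACL rather than from the CSV drafts.

```python
"""Model of the check_csv ACL logic (added example, not Exim's own code).

Input is the text form Exim's dnsdb srv lookup returns: one record per
line, "priority weight port target".  A resolver callback stands in for
the forward DNS lookup Exim does for plain host names in a host list.
"""
import re
from typing import Callable, Dict, List, Tuple

# Mirrors the ACL's per-record check: every line must look like
# "1 [0123] 0 <host>" or the whole record set is ignored.
WELL_FORMED = re.compile(r"^1 [0123] 0 .*$")
RECORD = re.compile(r"^(\d+) (\d+) (\d+) (.*)$")

Resolver = Callable[[str], List[str]]  # host name -> list of IP addresses


def classify(srv_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Split srv output into (good, authorised_only, denied) host names,
    mirroring the three ${sg} extractions ($acl_m2, $acl_m3, $acl_m4)."""
    good: List[str] = []
    auth_only: List[str] = []   # "1 3 0": authorised, not for accreditation (per the post)
    denied: List[str] = []
    for line in srv_text.split("\n"):
        m = RECORD.match(line)
        if not m:
            continue
        key = m.group(1) + m.group(2) + m.group(3)   # priority+weight+port
        target = m.group(4)
        if key == "120":
            good.append(target)
        elif key == "130":
            auth_only.append(target)
        elif key in ("100", "110"):
            denied.append(target)
    return good, auth_only, denied


def check_csv(helo: str, sender_ip: str, srv_text: str,
              resolve: Resolver) -> Tuple[str, str]:
    """Return (verdict, message), verdict being "accept" or "deny"."""
    # No CSV record at all: accept the HELO name.
    if srv_text == "":
        return "accept", "no CSV record for %s" % helo
    # Any malformed record: treat the lot as no record at all.
    if not all(WELL_FORMED.match(line) for line in srv_text.split("\n")):
        return "accept", "malformed CSV record for %s, ignored" % helo
    good, auth_only, denied = classify(srv_text)

    def hosts_match(names: List[str]) -> bool:
        # Host-list semantics for plain names: forward-resolve each name
        # and compare the addresses with the sending host's address.
        return any(sender_ip in resolve(name) for name in names)

    if hosts_match(denied):
        return "deny", "CSV record for %s explicitly forbids %s" % (helo, sender_ip)
    if not hosts_match(good + auth_only):
        return "deny", "CSV record for %s does not include %s" % (helo, sender_ip)
    return "accept", "%s authorised by CSV record for %s" % (sender_ip, helo)


# Constructed sample data (not real DNS answers).
SAMPLE_DNS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "relay.example.net": ["192.0.2.20", "2001:db8::20"],
    "old.example.net": ["192.0.2.99"],
}
SAMPLE_SRV = ("1 2 0 mx1.example.net\n"
              "1 3 0 relay.example.net\n"
              "1 1 0 old.example.net")


def sample_resolve(name: str) -> List[str]:
    """Offline stand-in for the forward DNS lookup."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99", "198.51.100.7"):
        print(ip, check_csv("example.net", ip, SAMPLE_SRV, sample_resolve))
    print("no record", check_csv("example.net", "192.0.2.10", "", sample_resolve))
    print("malformed", check_csv("example.net", "192.0.2.10",
                                 "10 2 0 mx1.example.net", sample_resolve))
```

A host named in both a denied and an authorised record is denied, as in the ACL, because the explicit-forbid test runs first; a record set with well-formed entries but no 2/3 hosts covering the client is denied with the "does not include" message.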