On Fri, 2004-12-10 at 10:01 -0800, Douglas Otis wrote:
> I could suggest the Port field being zero might be excluded from your
> comparison, as this field may change to include general policy
> assertions. With that in mind, it might be better to ignore this
> field.
OK, new version. We're also a bit more picky about the text we find in
the hostname part of a SRV record and about stray colons.
I've included an attempt at DNA too, although it doesn't actually work
because Exim assumes you're using an IP address if you ask for a PTR
record to be looked up. In any case, I don't quite understand what I'd
do with the information which I get from the host's _own_ nominated
reputation service. We should surely be using our own trusted services
for that?
check_csa:
  # Don't force everyone to include localhost in their CSA record,
  # just so that connections to the local MTA work properly.
  accept hosts = localhost

  # Find CSA record.
  warn   set acl_m1 = ${lookup dnsdb{srv=_client._smtp.$sender_helo_name}}

  # If there's no CSA record, accept the HELO name.
  accept condition = ${if eq {$acl_m1}{} {1}}

  # Check the CSA record. Each SRV record should match {^1 [0123] [0-9]+ <hostname>}
  # or we treat it as no record at all. The port field is deliberately not checked
  # (any [0-9]+ is accepted), since it may come to carry general policy assertions.
  # The <hostname> grammar is the one from the Exim default dns_check_names_pattern
  # (labels of letters, digits and hyphens, neither starting nor ending with a
  # hyphen), with two changes: (a) the whole regex is wrapped in \N...\N so that
  # string expansion does not eat the backslashes (unprotected, \W would reach PCRE
  # as W and \. as . ), and (b) the host name is spelled out label by label instead
  # of using that pattern's (?(1)\.|()) trick, which relies on the capturing group
  # being unset at the start of each host name and so cannot be repeated once per
  # SRV record. The uncommented <hostname> line is the ASCII version; the commented
  # line below it is the UTF-8 version. Switch them over if you use the
  # 'allow_utf8_domains' option to allow Exim to use raw UTF-8 in DNS.
  accept condition = ${if !match{\n$acl_m1} {\N(?i)^(?:\n1 [0123] [0-9]+ \
                     [^\W_](?>[a-z0-9-]*[^\W_])?(?>\.[^\W_](?>[a-z0-9-]*[^\W_])?)*\
#                    [_a-z0-9\xc0-\xff](?>[-_a-z0-9\x80-\xff]*[_a-z0-9\x80-\xbf])?(?>\.[_a-z0-9\xc0-\xff](?>[-_a-z0-9\x80-\xff]*[_a-z0-9\x80-\xbf])?)*\
                     )*$\N} {1}}

  # Extract good hosts (1 2 x <hostname>) as a colon-separated host list: keep the
  # target of every record whose weight is 2, turn the newline-separated result
  # into a colon-separated one, then trim any stray colon at either end.
  warn   set acl_m2 = ${sg {${sg {${sg {${sg {$acl_m1} \
                        {(?m)^1 ([0-9]+) [0-9]+ (.*)\$} \
                        {\N${if eq{$1}{2} {$2}}\N} \
                      }} {[\n]+}{:}}} {^:}{}}} {:\$}{} }

  # Extract hosts which are authorised, but not to be used for authentication
  # (1 3 x <hostname>)
  warn   set acl_m3 = ${sg {${sg {${sg {${sg {$acl_m1} \
                        {(?m)^1 ([0-9]+) [0-9]+ (.*)\$} \
                        {\N${if eq{$1}{3} {$2}}\N} \
                      }} {[\n]+}{:}}} {^:}{}}} {:\$}{} }

  # Extract explicitly denied hosts (1 [01] x <hostname>)
  warn   set acl_m4 = ${sg {${sg {${sg {${sg {$acl_m1} \
                        {(?m)^1 ([0-9]+) [0-9]+ (.*)\$} \
                        {\N${if or {{eq{$1}{0}} {eq{$1}{1}}} {$2}}\N} \
                      }} {[\n]+}{:}}} {^:}{}}} {:\$}{} }

  deny   hosts = $acl_m4
         message = CSA record for $sender_helo_name explicitly forbids $sender_host_address

  deny   message = CSA record for $sender_helo_name does not include $sender_host_address
         !hosts = $acl_m2
         !hosts = $acl_m3

  # Don't forget the 'accept' at the end, after....

  # DNA checks here as proof of concept. The ptr lookup doesn't work because
  # Exim attempts to reverse the hostname and then adds .in-addr.arpa to it.
  # Also because it's not clear what we'd actually do with it if we _did_ have
  # access to the information from the reputation service(s) which the sending
  # host chooses for itself.
  #
  # # Avoid DNA checks for hosts with 'Weight' field of 3.
  # accept hosts = $acl_m3
  #
  # # Now look for DNA record, for hosts which may use it for authentication.
  #
  # # Look up the reputation service(s) which this host wants us to use for it.
  # warn   set acl_c0 = ${lookup dnsdb{ptr=$sender_helo_name}}
  #
  # accept condition = ${if eq {$acl_c0}{} {1}}
  #
  # # Extract the PTR records which start '_vouch._smtp.' (one per line; the
  # # doubled backslashes survive expansion as \. for PCRE).
  # warn   set acl_c1 = ${sg{\n$acl_c0} \
  #                       {(?i)(\n_vouch\\._smtp\\.([^\n]*)|\n[^\n]*)} \
  #                       {\N${if !eq{$2}{} {\n$2}}\N}}
  #
  # # .. and bail if there are none.
  # accept condition = ${if eq {$acl_c1}{} {1}}
  #
  # # Fetch the TXT record for the HELO name under each nominated service.
  # warn   set acl_c2 = ${sg {${sg{$acl_c1} \
  #                       {(?m)^(.*)\$} \
  #                       {\N${lookup dnsdb{txt=$sender_helo_name.$1}}\N} \
  #                     }} {^\n}{}}

  accept
--
dwmw2
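The decision the check_csa ACL above makes is easy to lose inside the nested ${sg} expansions, so here is the same logic modelled in Python. This is an added example, not code from this message or from Exim: it parses dnsdb-style "priority weight port target" SRV lines, sorts the targets into authorised (weight 2), authorised-but-not-for-DNA (weight 3) and explicitly denied (weight 0 or 1), ignores the port field as suggested in the quoted reply, treats a malformed record set the same as no record at all, and then answers accept or deny for one client address. DNS is stood in for by a resolve() callback, and the example.net zone data at the bottom is constructed, not real.

```python
"""Model of the CSA decision made by the check_csa ACL (added example)."""
import re
from typing import Callable, List, Optional, Set, Tuple

# Host name grammar equivalent to Exim's default dns_check_names_pattern
# (labels of letters, digits and hyphens, not starting or ending with a
# hyphen), spelled out label by label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)
# One CSA SRV record: priority must be 1, weight 0-3; the port is ignored.
RECORD_RE = re.compile(r"^1 ([0123]) [0-9]+ (\S+)$")

DENIED_WEIGHTS = {0, 1}
AUTHORISED_WEIGHTS = {2, 3}   # 3 = authorised, but not to be used for DNA


def parse_csa(srv_text: str) -> Optional[List[Tuple[int, str]]]:
    """Parse dnsdb srv= output, one record per line.

    Returns a list of (weight, target) pairs, or None when any record is
    malformed, which the ACL treats exactly like having no record.
    """
    records: List[Tuple[int, str]] = []
    for line in srv_text.split("\n"):
        if line == "":
            continue
        m = RECORD_RE.match(line)
        if m is None or not HOSTNAME_RE.match(m.group(2)):
            return None
        records.append((int(m.group(1)), m.group(2)))
    return records


def csa_verdict(srv_text: str, client_ip: str,
                resolve: Callable[[str], Set[str]]) -> str:
    """Return 'accept', 'deny-explicit' or 'deny-missing' for one client.

    resolve(hostname) must return the set of addresses the name resolves
    to; it stands in for the lookups Exim does when it matches a host name
    in a host list against the client address.
    """
    records = parse_csa(srv_text)
    if not records:                      # no record, or malformed: accept
        return "accept"

    def client_is_one_of(weights: Set[int]) -> bool:
        return any(client_ip in resolve(target)
                   for weight, target in records if weight in weights)

    if client_is_one_of(DENIED_WEIGHTS):
        return "deny-explicit"           # matched a 1 [01] x <hostname> record
    if not client_is_one_of(AUTHORISED_WEIGHTS):
        return "deny-missing"            # neither a 1 2 nor a 1 3 record covers it
    return "accept"


# Constructed sample data for a hypothetical zone (not real DNS).
SAMPLE_SRV = ("1 2 0 mx1.example.net\n"
              "1 3 0 relay.example.net\n"
              "1 1 0 old.example.net")
SAMPLE_ADDRESSES = {
    "mx1.example.net": {"192.0.2.10"},
    "relay.example.net": {"192.0.2.11"},
    "old.example.net": {"192.0.2.12"},
}


def sample_resolve(hostname: str) -> Set[str]:
    """Stand-in for DNS: forward-resolve a name in the constructed zone."""
    return SAMPLE_ADDRESSES.get(hostname, set())


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.7"):
        print(ip, csa_verdict(SAMPLE_SRV, ip, sample_resolve))
    # An underscore in the target makes the record malformed: treated as no record.
    print("malformed", csa_verdict("1 2 0 bad_host.example.net",
                                   "198.51.100.7", sample_resolve))
```

Running it shows the four outcomes the ACL can produce: 192.0.2.10 and 192.0.2.11 are accepted (weights 2 and 3), 192.0.2.12 is refused by the explicit "forbids" deny, 198.51.100.7 by the "does not include" deny, and the malformed record set falls through to accept, exactly as the !match condition in the ACL does.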