From: ait on 18 Jan 2010 05:00

Hello list!

Is it possible to put custom Local_check_relay rules before dnsbl checks?

For example, I've created 'SLocal_check_relay' rules (checking for the regex match on words like "ppp, adsl, dialup", etc.), but it looks like dnsbl checks are being performed before my rule. It would be much better to have my regex checks occur before DNS lookup in blacklists, thus reducing excessive connections.

Thanks in advance.

From: Andrzej Adam Filip on 18 Jan 2010 08:15

ait <ait.meijin(a)gmail.com> wrote:
> Is it possible to put custom Local_check_relay rules before dnsbl
> checks?
>
> For example, I've created 'SLocal_check_relay' rules (checking for the
> regex match on words like "ppp, adsl, dialup", etc.), but it looks
> like dnsbl checks are being performed before my rule.
> It would be much better to have my regex checks occur before DNS
> lookup in blacklists, thus reducing excessive connections.

FEATURE(`enhdnsbl') [ cf/feature/enhdnsbl.m4 file ] uses divert(8) to put its R lines in right place of sendmail.cf. You can use divert(8) in sendmail.mc before any FEATURE(`enhdnsbl') to consult Local_check_relay rule set before later enhdnsbl checks or insert your own R lines.

sendmail.mc:

    divert(8)
    # put your checks/rule set consulting here
    divert(-1)

--
[pl>en Andrew] Andrzej Adam Filip : anfi(a)onet.eu : Andrzej.Filip(a)gmail.com
My only love sprung from my only hate! Too early seen unknown, and known too late! -- William Shakespeare, "Romeo and Juliet"

From: Andrzej Adam Filip on 19 Jan 2010 06:05

ait <ait.meijin(a)gmail.com> wrote:
> On Jan 18, 4:15 pm, Andrzej Adam Filip <a...(a)onet.eu> wrote:
>> ait <ait.mei...(a)gmail.com> wrote:
>> > Is it possible to put custom Local_check_relay rules before dnsbl
>> > checks?
>>
>> > For example, I've created 'SLocal_check_relay' rules (checking for the
>> > regex match on words like "ppp, adsl, dialup", etc.), but it looks
>> > like dnsbl checks are being performed before my rule.
>> > It would be much better to have my regex checks occur before DNS
>> > lookup in blacklists, thus reducing excessive connections.
>>
>> FEATURE(`enhdnsbl') [ cf/feature/enhdnsbl.m4 file ] uses divert(8) to
>> put its R lines in right place of sendmail.cf. You can use divert(8) in
>> sendmail.mc before any FEATURE(`enhdnsbl') to consult
>> Local_check_relay rule set before later enhdnsbl checks
>> or insert your own R lines.
>>
>> sendmail.mc:
>>
>> divert(8)
>> # put your checks/rule set consulting here
>> divert(-1)
>>
>
> Thanks so much for your help, Andrzej!
>
> Looks like it worked, but anyway the behavior of checks is really odd.
>
> For example, I can see a spam connection from a node
> 219.64.195.35.static-pune.vsnl.net.in.
> Ok, it gets rejected on ruleset=check_rcpt (I have feature
> delay_checks enabled) by dnsbl feature: ...SPAM from 219.64.195.35
> blocked...
>
> But actually it should have been rejected by my regex check:
>
> divert(8)
> LOCAL_CONFIG
> Kcheckhost regex -a@MATCH -f (static|ppp|dynamic|cable|broadband)
>
> LOCAL_RULESETS
> SLocal_check_rcpt
> R$*	$: $&{client_name}
> R$*	$: $(checkhost $1 $)
> R@MATCH	$#error $@ 5.7.1 $: "550 Access denied"
>
> divert(-1)
> ...
> [...]

1) -a flag of regexp means "append tag on successful match"
It is not "replace on match" as you interpreted. Try

    R$*@MATCH	$#error $@ 5.7.1 $: "550 Access denied"
    R$*	$: OKSOFAR

2) *For rejecting* you may consider using $&{client_ptr} (sendmail-8.13.0+) instead of $&{client_name}.

client_name requires "closed loop of PTR->A DNS records".
client_ptr reports "PTR lookup" only.

P.S.
A) I would not use such rules as you try myself, but feel free to try/search :-)
B) Do you use MIMEDefang milter for AS and AV checks?

--
[pl>en Andrew] Andrzej Adam Filip : anfi(a)onet.eu : Andrzej.Filip(a)gmail.com
Open-Sendmail: http://open-sendmail.sourceforge.net/
Small is beautiful. -- Schumacher's Dictum
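
Added example (not part of the thread and not sendmail's code): a small Python model of how the ${client_name} / ${client_ptr} distinction from point 2 above changes the outcome of the thread's regex check. The DNS tables are constructed sample data; in particular, the mismatching A record for the vsnl.net.in name is an assumption made for illustration.

```python
import re

# Pattern copied from the thread's Kcheckhost map definition.
GENERIC = re.compile(r"(static|ppp|dynamic|cable|broadband)")

# Constructed DNS answers (no real lookups are made).
PTR = {
    "219.64.195.35": "219.64.195.35.static-pune.vsnl.net.in",
    "192.0.2.77": "ppp-77.dialup.example.net",
    "192.0.2.10": "mail.example.org",
}
A = {
    # Assumed for illustration: the forward record does not point back.
    "219.64.195.35.static-pune.vsnl.net.in": ["198.51.100.9"],
    "ppp-77.dialup.example.net": ["192.0.2.77"],
    "mail.example.org": ["192.0.2.10"],
}


def client_macros(ip):
    """Model ${client_name}, ${client_ptr}, ${client_resolve} for a host with a PTR.

    client_name is the PTR name only when the PTR -> A loop closes;
    otherwise it is the bracketed IP. client_ptr is the raw PTR answer.
    """
    ptr = PTR[ip]
    if ip in A.get(ptr, []):
        return ptr, ptr, "OK"
    return "[%s]" % ip, ptr, "FORGED"


def verdicts(ip):
    """Apply the generic-hostname pattern to both macros and report the result."""
    name, ptr, resolve = client_macros(ip)
    return {
        "client_name": name,
        "client_ptr": ptr,
        "client_resolve": resolve,
        "reject_on_name": bool(GENERIC.search(name)),
        "reject_on_ptr": bool(GENERIC.search(ptr)),
    }


if __name__ == "__main__":
    for ip in PTR:
        print(ip, verdicts(ip))
```
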

From: Res on 19 Jan 2010 06:12

Run milter-regex

On Mon, 18 Jan 2010, ait wrote:
> For example, I can see a spam connection from a node
> 219.64.195.35.static-pune.vsnl.net.in.
> Ok, it gets rejected on ruleset=check_rcpt (I have feature
> delay_checks enabled) by dnsbl feature: ...SPAM from 219.64.195.35
> blocked...
>
> But actually it should have been rejected by my regex check:

--
Res
"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

From: ait on 19 Jan 2010 08:53

On Jan 19, 2:05 pm, Andrzej Adam Filip <a...(a)onet.eu> wrote:
> ait <ait.mei...(a)gmail.com> wrote:
> > On Jan 18, 4:15 pm, Andrzej Adam Filip <a...(a)onet.eu> wrote:
> >> ait <ait.mei...(a)gmail.com> wrote:
> >> > Is it possible to put custom Local_check_relay rules before dnsbl
> >> > checks?
>
> >> > For example, I've created 'SLocal_check_relay' rules (checking for the
> >> > regex match on words like "ppp, adsl, dialup", etc.), but it looks
> >> > like dnsbl checks are being performed before my rule.
> >> > It would be much better to have my regex checks occur before DNS
> >> > lookup in blacklists, thus reducing excessive connections.
>
> >> FEATURE(`enhdnsbl') [ cf/feature/enhdnsbl.m4 file ] uses divert(8) to
> >> put its R lines in right place of sendmail.cf. You can use divert(8) in
> >> sendmail.mc before any FEATURE(`enhdnsbl') to consult
> >> Local_check_relay rule set before later enhdnsbl checks
> >> or insert your own R lines.
>
> >> sendmail.mc:
>
> >> divert(8)
> >> # put your checks/rule set consulting here
> >> divert(-1)
>
> > Thanks so much for your help, Andrzej!
>
> > Looks like it worked, but anyway the behavior of checks is really odd.
>
> > For example, I can see a spam connection from a node
> > 219.64.195.35.static-pune.vsnl.net.in.
> > Ok, it gets rejected on ruleset=check_rcpt (I have feature
> > delay_checks enabled) by dnsbl feature: ...SPAM from 219.64.195.35
> > blocked...
>
> > But actually it should have been rejected by my regex check:
>
> > divert(8)
> > LOCAL_CONFIG
> > Kcheckhost regex -a@MATCH -f (static|ppp|dynamic|cable|broadband)
>
> > LOCAL_RULESETS
> > SLocal_check_rcpt
> > R$*	$: $&{client_name}
> > R$*	$: $(checkhost $1 $)
> > R@MATCH	$#error $@ 5.7.1 $: "550 Access denied"
>
> > divert(-1)
> > ...
> > [...]
>
> 1) -a flag of regexp means "append tag on successful match"
> It is not "replace on match" as you interpreted. Try
>
> R$*@MATCH	$#error $@ 5.7.1 $: "550 Access denied"
> R$*	$: OKSOFAR

Ok, got it. I wonder how the hell it worked before, assuming that my tag was always appended? :)

> 2) *For rejecting* you may consider using $&{client_ptr}
> (sendmail-8.13.0+) instead of $&{client_name}.
>
> client_name requires "closed loop of PTR->A DNS records".
> client_ptr reports "PTR lookup" only.

Sounds reasonable. Thanks! ;)

> P.S.
> A) I would not use such rules as you try myself, but feel free to
> try/search :-)

It's kinda sinister to get such advice from _you_. :) Can you please explain what's the problem with these rules? Actually this regex check and dnsbl checks are doing a good job on our mx, keeping the spam amount at a very low level. And the actual regular expression is much longer than I provided as an example.

> B) Do you use MIMEDefang milter for AS and AV checks?
>

Nope. We have found out that aforementioned checks are enough for our requirements. The load on the mx is not very high.