dnl
dnl проверка резолвинга домена верхнего уровня аргумента команды HELO
dnl NO		- не проверять резолвинг домена верхнего уровня команды HELO
dnl DROP	- возврат клиенту кода 5xx и обрыв соединения
dnl REJECT	- возврат клиенту кода 5xx
dnl DEFER	- возврат клиенту кода 4xx
dnl WARN	- вывод в лог файл предупреждения
dnl QUARANTINE	- принять письмо с сохранением в карантин без доставки получателям
dnl PAUSE=XX	- пауза XX секунд
dnl GREYLIST=XX	- добавить XX баллов к счетчику опционального greylisting'а
dnl REJECT=XX	- добавить XX баллов к счетчику опционального reject'а
dnl define(`confCHECK_HELO_TOP_LEVEL', `NO')dnl
dnl
dnl из проверки исключаются известные домены:
dnl define(`confCHECK_HELO_TOP_LEVEL_SKIP', `aaa:aarp:abarth:abb:abbott:abbvie:abc:able:abogado:abudhabi:ac:academy:accenture:accountant:accountants:aco:actor:ad:ads:adult:ae:aeg:aero:aetna:af:afl:africa:ag:agakhan:agency:ai:aig:airbus:airforce:airtel:akdn:al:alfaromeo:alibaba:alipay:allfinanz:allstate:ally:alsace:alstom:am:amazon:americanexpress:americanfamily:amex:amfam:amica:amsterdam:analytics:android:anquan:anz:ao:aol:apartments:app:apple:aq:aquarelle:ar:arab:aramco:archi:army:arpa:art:arte:as:asda:asia:associates:at:athleta:attorney:au:auction:audi:audible:audio:auspost:author:auto:autos:avianca:aw:aws:ax:axa:az:azure:ba:baby:baidu:banamex:bananarepublic:band:bank:bar:barcelona:barclaycard:barclays:barefoot:bargains:baseball:basketball:bauhaus:bayern:bb:bbc:bbt:bbva:bcg:bcn:bd:be:beats:beauty:beer:bentley:berlin:best:bestbuy:bet:bf:bg:bh:bharti:bi:bible:bid:bike:bing:bingo:bio:biz:bj:black:blackfriday:blockbuster:blog:bloomberg:blue:bm:bms:bmw:bn:bnpparibas:bo:boats:boehringer:bofa:bom:bond:boo:book:booking:bosch:bostik:boston:bot:boutique:box:br:bradesco:bridgestone:broadway:broker:brother:brussels:bs:bt:build:builders:business:buy:buzz:bv:bw:by:bz:bzh:ca:cab:cafe:cal:call:calvinklein:cam:camera:camp:canon:capetown:capital:capitalone:car:caravan:cards:care:career:careers:cars:casa:case:cash:casino:cat:catering:catholic:cba:cbn:cbre:cbs:cc:cd:center:ceo:cern:cf:cfa:cfd:cg:ch:chanel:channel:charity:chase:chat:cheap:chintai:christmas:chrome:church:ci:cipriani:circle:cisco:citadel:citi:citic:city:cityeats:ck:cl:claims:cleaning:click:clinic:clinique:clothing:cloud:club:clubmed:cm:cn:co:coach:codes:coffee:college:cologne:com:comcast:commbank:community:company:compare:computer:comsec:condos:construction:consulting:contact:contractors:cooking:cookingchannel:cool:coop:corsica:country:coupon:coupons:courses:cpa:cr:credit:creditcard:creditunion:cricket:crown:crs:cruise:cruises:cu:cuisinella:cv:cw:cx:cy:cymru:cyou:cz:dabur:dad:dance:data:date:dating:datsun:day:dclk:dds:de:deal:dealer:deals:degree:delivery:dell:deloitte:delta:democrat:dental:dentist:desi:design:dev:dhl:diamonds:diet:digital:direct:directory:discount:discover:dish:diy:dj:dk:dm:dnp:do:docs:doctor:dog:domains:dot:download:drive:dtv:dubai:dunlop:dupont:durban:dvag:dvr:dz:earth:eat:ec:eco:edeka:edu:education:ee:eg:email:emerck:energy:engineer:engineering:enterprises:epson:equipment:er:ericsson:erni:es:esq:estate:et:etisalat:eu:eurovision:eus:events:exchange:expert:exposed:express:extraspace:fage:fail:fairwinds:faith:family:fan:fans:farm:farmers:fashion:fast:fedex:feedback:ferrari:ferrero:fi:fiat:fidelity:fido:film:final:finance:financial:fire:firestone:firmdale:fish:fishing:fit:fitness:fj:fk:flickr:flights:flir:florist:flowers:fly:fm:fo:foo:food:foodnetwork:football:ford:forex:forsale:forum:foundation:fox:fr:free:fresenius:frl:frogans:frontdoor:frontier:ftr:fujitsu:fun:fund:furniture:futbol:fyi:ga:gal:gallery:gallo:gallup:game:games:gap:garden:gay:gb:gbiz:gd:gdn:ge:gea:gent:genting:george:gf:gg:ggee:gh:gi:gift:gifts:gives:giving:gl:glass:gle:global:globo:gm:gmail:gmbh:gmo:gmx:gn:godaddy:gold:goldpoint:golf:goo:goodyear:goog:google:gop:got:gov:gp:gq:gr:grainger:graphics:gratis:green:gripe:grocery:group:gs:gt:gu:guardian:gucci:guge:guide:guitars:guru:gw:gy:hair:hamburg:hangout:haus:hbo:hdfc:hdfcbank:health:healthcare:help:helsinki:here:hermes:hgtv:hiphop:hisamitsu:hitachi:hiv:hk:hkt:hm:hn:hockey:holdings:holiday:homedepot:homegoods:homes:homesense:honda:horse:hospital:host:hosting:hot:hoteles:hotels:hotmail:house:how:hr:hsbc:ht:hu:hughes:hyatt:hyundai:ibm:icbc:ice:icu:id:ie:ieee:ifm:ikano:il:im:imamat:imdb:immo:immobilien:in:inc:industries:infiniti:info:ing:ink:institute:insurance:insure:int:international:intuit:investments:io:ipiranga:iq:ir:irish:is:ismaili:ist:istanbul:it:itau:itv:jaguar:java:jcb:je:jeep:jetzt:jewelry:jio:jll:jm:jmp:jnj:jo:jobs:joburg:jot:joy:jp:jpmorgan:jprs:juegos:juniper:kaufen:kddi:ke:kerryhotels:kerrylogistics:kerryproperties:kfh:kg:kh:ki:kia:kids:kim:kinder:kindle:kitchen:kiwi:km:kn:koeln:komatsu:kosher:kp:kpmg:kpn:kr:krd:kred:kuokgroup:kw:ky:kyoto:kz:la:lacaixa:lamborghini:lamer:lancaster:lancia:land:landrover:lanxess:lasalle:lat:latino:latrobe:law:lawyer:lb:lc:lds:lease:leclerc:lefrak:legal:lego:lexus:lgbt:li:lidl:life:lifeinsurance:lifestyle:lighting:like:lilly:limited:limo:lincoln:link:lipsy:live:living:lk:llc:llp:loan:loans:locker:locus:lol:london:lotte:lotto:love:lpl:lplfinancial:lr:ls:lt:ltd:ltda:lu:lundbeck:luxe:luxury:lv:ly:ma:madrid:maif:maison:makeup:man:management:mango:map:market:marketing:markets:marriott:marshalls:maserati:mattel:mba:mc:mckinsey:md:me:med:media:meet:melbourne:meme:memorial:men:menu:merckmsd:mg:mh:miami:microsoft:mil:mini:mint:mit:mitsubishi:mk:ml:mlb:mls:mm:mma:mn:mo:mobi:mobile:moda:moe:moi:mom:monash:money:monster:mormon:mortgage:moscow:moto:motorcycles:mov:movie:mp:mq:mr:ms:msd:mt:mtn:mtr:mu:museum:music:mutual:mv:mw:mx:my:mz:na:nab:nagoya:name:natura:navy:nba:nc:ne:nec:net:netbank:netflix:network:neustar:new:news:next:nextdirect:nexus:nf:nfl:ng:ngo:nhk:ni:nico:nike:nikon:ninja:nissan:nissay:nl:no:nokia:northwesternmutual:norton:now:nowruz:nowtv:np:nr:nra:nrw:ntt:nu:nyc:nz:obi:observer:office:okinawa:olayan:olayangroup:oldnavy:ollo:om:omega:one:ong:onl:online:ooo:open:oracle:orange:org:organic:origins:osaka:otsuka:ott:ovh:pa:page:panasonic:paris:pars:partners:parts:party:passagens:pay:pccw:pe:pet:pf:pfizer:pg:ph:pharmacy:phd:philips:phone:photo:photography:photos:physio:pics:pictet:pictures:pid:pin:ping:pink:pioneer:pizza:pk:pl:place:play:playstation:plumbing:plus:pm:pn:pnc:pohl:poker:politie:porn:post:pr:pramerica:praxi:press:prime:pro:prod:productions:prof:progressive:promo:properties:property:protection:pru:prudential:ps:pt:pub:pw:pwc:py:qa:qpon:quebec:quest:racing:radio:re:read:realestate:realtor:realty:recipes:red:redstone:redumbrella:rehab:reise:reisen:reit:reliance:ren:rent:rentals:repair:report:republican:rest:restaurant:review:reviews:rexroth:rich:richardli:ricoh:ril:rio:rip:ro:rocher:rocks:rodeo:rogers:room:rs:rsvp:ru:rugby:ruhr:run:rw:rwe:ryukyu:sa:saarland:safe:safety:sakura:sale:salon:samsclub:samsung:sandvik:sandvikcoromant:sanofi:sap:sarl:sas:save:saxo:sb:sbi:sbs:sc:sca:scb:schaeffler:schmidt:scholarships:school:schule:schwarz:science:scot:sd:se:search:seat:secure:security:seek:select:sener:services:seven:sew:sex:sexy:sfr:sg:sh:shangrila:sharp:shaw:shell:shia:shiksha:shoes:shop:shopping:shouji:show:showtime:si:silk:sina:singles:site:sj:sk:ski:skin:sky:skype:sl:sling:sm:smart:smile:sn:sncf:so:soccer:social:softbank:software:sohu:solar:solutions:song:sony:soy:spa:space:sport:spot:sr:srl:ss:st:stada:staples:star:statebank:statefarm:stc:stcgroup:stockholm:storage:store:stream:studio:study:style:su:sucks:supplies:supply:support:surf:surgery:suzuki:sv:swatch:swiss:sx:sy:sydney:systems:sz:tab:taipei:talk:taobao:target:tatamotors:tatar:tattoo:tax:taxi:tc:tci:td:tdk:team:tech:technology:tel:temasek:tennis:teva:tf:tg:th:thd:theater:theatre:tiaa:tickets:tienda:tiffany:tips:tires:tirol:tj:tjmaxx:tjx:tk:tkmaxx:tl:tm:tmall:tn:to:today:tokyo:tools:top:toray:toshiba:total:tours:town:toyota:toys:tr:trade:trading:training:travel:travelchannel:travelers:travelersinsurance:trust:trv:tt:tube:tui:tunes:tushu:tv:tvs:tw:tz:ua:ubank:ubs:ug:uk:unicom:university:uno:uol:ups:us:uy:uz:va:vacations:vana:vanguard:vc:ve:vegas:ventures:verisign:versicherung:vet:vg:vi:viajes:video:vig:viking:villas:vin:vip:virgin:visa:vision:viva:vivo:vlaanderen:vn:vodka:volkswagen:volvo:vote:voting:voto:voyage:vu:vuelos:wales:walmart:walter:wang:wanggou:watch:watches:weather:weatherchannel:webcam:weber:website:wed:wedding:weibo:weir:wf:whoswho:wien:wiki:williamhill:win:windows:wine:winners:wme:wolterskluwer:woodside:work:works:world:wow:ws:wtc:wtf:xbox:xerox:xfinity:xihuan:xin:xxx:xyz:yachts:yahoo:yamaxun:yandex:ye:yodobashi:yoga:yokohama:you:youtube:yt:yun:za:zappos:zara:zero:zip:zm:zone:zuerich:zw')dnl
dnl получить свежий список TLD можно следующей командой:
dnl wget http://data.iana.org/TLD/tlds-alpha-by-domain.txt -O - | grep -v -e '--' | grep -v '^ *#' | sort | tr '[:upper:]' '[:lower:]' | perl -p -e 's/\n/:/'
dnl
dnl действие при defer'ах резолвера
dnl NO		- не игнорировать defer'ы резолвера
dnl YES		- игнорировать defer'ы резолвера
dnl define(`confCHECK_HELO_TOP_LEVEL_DEFER_OK', `YES')dnl
dnl

define(`confACL_DNSDB', `1')dnl

# Проверка существования домена первого уровня из HELO

# из проверки исключаются литералы
	warn	set acl_m0	=
		set acl_m1	=
		condition	= ${if match{$sender_helo_name}{\N^\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]$\N}{yes}{no}}
		set acl_m0	= skip

# из проверки исключаются известные домены первого уровня
	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if match{$sender_helo_name}{\N(?i)^.+\.(replace_char(confCHECK_HELO_TOP_LEVEL_SKIP, `:', `|'))$\N}{yes}{no}}
		set acl_m0	= skip

# из проверки исключаются однословные домены
	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if match{$sender_helo_name}{\N^[^\.]+$\N}{yes}{no}}
		set acl_m0	= skip

# из проверки исключаются HELO, в явном виде указанные в access-helo со значениями skip или ok
	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if match{${lookup{$sender_helo_name}wildlsearch{CONFDIR/access-helo}}}{\N^\S*(skip|ok)\s*$\N}{yes}{no}}
		set acl_m0	= skip

# пытаемся отрезолвить top level domain из HELO
	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		acl		= acl_dnsdb ns=${sg{$sender_helo_name}{\N^.+\.([a-zA-Z]+)\N}{\$1}}
		condition	= ${if eq{$acl_m_dnsdb_result}{defer}{no}{yes}}

ifdef(`confCHECK_HELO_TOP_LEVEL_DEFER_OK', `ifelse(confCHECK_HELO_TOP_LEVEL_DEFER_OK, `NO', `dnl
	defer	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if eq{$acl_m_dnsdb_result}{defer}{yes}{no}}
		log_message	= Could not resolve NS records for top level domain of $sender_helo_name
		message		= Could not resolve NS records for top level domain of $sender_helo_name
', `
	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if eq{$acl_m_dnsdb_result}{defer}{yes}{no}}
		set acl_m0	= skip
		set acl_m1	=
')')

	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if eq{$acl_m_dnsdb_result}{}{no}{yes}}
		log_message	= New top level domain has been found: ${sg{$sender_helo_name}{\N^.+\.([a-zA-Z]+)\N}{\$1}}
		set acl_m1	=

	warn	condition	= ${if eq{$acl_m0}{skip}{no}{yes}}
		condition	= ${if eq{$acl_m_dnsdb_result}{}{yes}{no}}
ifelse_strstr(confCONTENT_SCANNING_QUARANTINE, `PERSONAL',`dnl
		set acl_m1	= NORMALIZE_ACTION_PERSONAL_QUARANTINE(confCHECK_HELO_TOP_LEVEL)
',`dnl
		set acl_m1	= NORMALIZE_ACTION(confCHECK_HELO_TOP_LEVEL)
')dnl
		set acl_m1	= ${sg{$acl_m1 }{\N\b([^=\s\d]+)(\s)\N}{\$1=00\$2}}
		# message	= $acl_m2
		# log_message	= $acl_m0
		set acl_m2	= HELO top level domain does not resolve
		set acl_m0	= NS lookup failed for top level HELO domain ${sg{$sender_helo_name}{\N^.+\.([a-zA-Z]+)\N}{\$1}}

ifdef(`confENTERPRISE_USER', `dnl
	warn	condition	= ${if match{$acl_m1}{submit_mysql}{yes}{no}}
ENTERPRISE(`mysql', `submit', `helo', `unknown top level', `$sender_helo_name', `0')
	warn	condition	= ${if match{$acl_m1}{submit_sqlite}{yes}{no}}
ENTERPRISE(`sqlite', `submit', `helo', `unknown top level', `$sender_helo_name', `0')
	warn	condition	= ${if match{$acl_m1}{submit_rbl}{yes}{no}}
dnl ENTERPRISE(`rbl',   `update', `mx.org.ua', `helo.rbl.mx.org.ua', `unknown top level', `$sender_helo_name')
ENTERPRISE(`rbl',   `submit', `helo', `unknown top level', `$sender_helo_name')
') dnl

	# pause
	warn	condition	= ${if eq{${extract{pause}{$acl_m1}}}{}{no}{yes}}
		delay		= ${extract{pause}{$acl_m1}}s
		set acl_m_spam_action	= ${acl_m_spam_action}\t\
				delay=${extract{pause}{$acl_m1}}s\t\t\
				$acl_m0\n
		log_message	= $acl_m0; message delayed for ${extract{pause}{$acl_m1}}s

	# warning
	warn	condition	= ${if match{$acl_m1}{warn}{yes}{no}}
		add_header	= X-Warn-HELO-Blacklisted: ${if eq{$acl_m2}{}{HELO $sender_helo_name is blacklisted}{$acl_m2}}

ifelse(confFAKE_REJECT, `NO', `', `dnl
	# quarantine and reject
	accept	condition	= ${if eq{${extract{quarantine}{$acl_m1}}}{00}{yes}{no}}
		condition	= ${if eq{${extract{reject}{$acl_m1}}}{00}{yes}{no}}
		log_message	= $acl_m0
		set acl_m_fakereject	= \
				message will be quarantined and rejected: $acl_m0\
				|X-Quarantine-HELO: $acl_m0\
				|$acl_m2
		set acl_m_add_x_orig_rcpt = yes
		set acl_m_quarantined = $acl_m_quarantined envelope
') dnl ifelse(confFAKE_REJECT, `NO', `', `')
	# quarantine and !reject
	warn	condition	= ${if eq{${extract{quarantine}{$acl_m1}}}{00}{yes}{no}}
		condition	= ${if eq{${extract{reject}{$acl_m1}}}{00}{no}{yes}}
		log_message	= message will be quarantined: $acl_m0
		add_header	= X-Quarantine-HELO: $acl_m0
		set acl_m_add_x_orig_rcpt = yes
		set acl_m_quarantined = $acl_m_quarantined envelope
	accept	condition	= ${if eq{${extract{quarantine}{$acl_m1}}}{00}{yes}{no}}
		condition	= ${if eq{${extract{reject}{$acl_m1}}}{00}{no}{yes}}
	# !quarantine and reject
	deny	condition	= ${if eq{${extract{reject}{$acl_m1}}}{00}{yes}{no}}
		message		= ${if eq{$acl_m2}{}{Invalid greeting used}{$acl_m2}}
		log_message	= $acl_m0

	# defer
	defer	condition	= ${if match{$acl_m1}{defer}{yes}{no}}
		message		= ${if eq{$acl_m2}{}{Invalid greeting used}{$acl_m2}}
		log_message	= $acl_m0

	# drop
	drop	condition	= ${if match{$acl_m1}{drop}{yes}{no}}
		message		= ${if eq{$acl_m2}{}{Invalid greeting used}{$acl_m2}}
		log_message	= $acl_m0

	# warning
	warn	condition	= ${if match{$acl_m1}{warn}{yes}{no}}
		condition	= ${if eq{${extract{pause}{$acl_m1}}}{}{yes}{no}}
		log_message	= $acl_m0

ifelse(confGREYLIST, `OPTIONAL', `dnl
	# greylist в случае неизвестного top level домена HELO
	# greylist if sender HELO top level domain does not resolve
	warn	condition	= ${if eq{${extract{greylist}{$acl_m1}}}{}{no}{yes}}
		set acl_m_optional_greylist	= \
				scores=${eval:${extract{scores}{$acl_m_optional_greylist}}+${extract{greylist}{$acl_m1}}} \
				log_message="${extract{log_message}{$acl_m_optional_greylist}} $acl_m0;"
		set acl_m_spam_action	= ${acl_m_spam_action}\t\
				greylist scores=${extract{greylist}{$acl_m1}}\t\
				$acl_m0\n
') dnl ifelse(confGREYLIST, `OPTIONAL', `')
ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `dnl', `dnl
	# optional reject в случае неизвестного top level домена HELO
	# optional reject if sender HELO top level domain does not resolve
	warn	condition	= ${if eq{${extract{reject}{$acl_m1}}}{}{no}{yes}}
		condition	= ${if eq{${extract{reject}{$acl_m1}}}{00}{no}{yes}}
		set acl_m_optional_reject	= \
				scores=${eval:${extract{scores}{$acl_m_optional_reject}}+${extract{reject}{$acl_m1}}} \
				log_message="${extract{log_message}{$acl_m_optional_reject}}\n\t$acl_m0;"
		set acl_m_spam_action	= ${acl_m_spam_action}\t\
				reject scores=${extract{reject}{$acl_m1}}\t\t\
				$acl_m0\n
')') dnl ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `', `')')