dnl
dnl Check that the relay (the connecting host) has a record in the reverse DNS zone
dnl
dnl NO          - do not perform the check
dnl REJECT      - return a 5xx code to the client if the record is missing from the reverse zone,
dnl               and 451 if there are problems resolving it
dnl DEFER       - return a 451 code to the client
dnl WARN        - write a warning to the log file
dnl GREYLIST:XX - add XX points to the counter of the optional greylisting
dnl REJECT:XX   - add XX points to the counter of the optional reject
dnl DELAY:XX    - wait XX seconds before answering RCPT TO
dnl define(`confCHECK_RELAY_RESOLVE', `WARN')dnl
dnl
dnl the actions WARN, GREYLIST:XX, REJECT:XX and DELAY:XX may be given together, separated by spaces
dnl
dnl Check that the records of the relay in the forward and reverse DNS zones match
dnl (this check only works if confCHECK_RELAY_RESOLVE is not set to NO)
dnl NO          - do not perform the check
dnl REJECT      - return a 5xx code to the client
dnl DEFER       - return a 451 code to the client
dnl WARN        - write a warning to the log file
dnl GREYLIST:XX - add XX points to the counter of the optional greylisting
dnl REJECT:XX   - add XX points to the counter of the optional reject
dnl DELAY:XX    - wait XX seconds before answering RCPT TO
dnl define(`confCHECK_RELAY_FORGED', `WARN')dnl
dnl
dnl the actions WARN, GREYLIST:XX, REJECT:XX and DELAY:XX may be given together, separated by spaces
dnl
dnl Exceptions from the reverse-zone resolve check (a list)
dnl NO          - make no exceptions from the reverse-zone resolve check
dnl AUTH        - do not check authenticated senders
dnl RELAY_FROM  - do not check outgoing messages
dnl ACCESS      - do not check hosts listed in CONFDIR/access-relay with the value ok
dnl WARN        - write a warning to the log file when resolving fails for an excluded host
dnl define(`confCHECK_RELAY_RESOLVE_SKIP', `AUTH RELAY_FROM')dnl
dnl confCHECK_RELAY_RESOLVE_SKIP may hold several values separated by spaces
dnl
dnl exim must be compiled with dnsdb support
dnl
dnl NOTE(review): the define() lines above are kept as commented-out examples of the
dnl default values; the ACL body reads these conf* macros, so they have to be defined
dnl before this file is processed - confirm where the live defaults are set.
dnl NOTE(review): the ACL body tests for the lower-case tokens reject, defer, warn,
dnl pause=, greylist= and reject=, while this header documents REJECT, DELAY:XX,
dnl GREYLIST:XX and REJECT:XX. Presumably NORMALIZE_ACTION performs that mapping - confirm.
dnl
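dnl ---------------------------------------------------------------------------
dnl Reverse-DNS checks for the connecting host (the relay), emitted as Exim ACL
dnl statements.
dnl
dnl Macros read:
dnl   confCHECK_RELAY_RESOLVE       action when the host has no usable PTR record
dnl   confCHECK_RELAY_FORGED        action when forward and reverse records disagree
dnl   confCHECK_RELAY_RESOLVE_SKIP  which hosts are exempt (AUTH, RELAY_FROM, ACCESS, WARN)
dnl   confGREYLIST, confOPTIONAL_REJECT   gate the optional scoring branches
dnl   NORMALIZE_ACTION, ifelse_strstr, EXTRACT   helpers defined outside this file
dnl
dnl ACL variables written: acl_m0 (skip / no_skip), acl_c8 (greylist scores),
dnl acl_c6 (reject scores), acl_m15 (tab-separated trace of the actions taken).
dnl ACL variable read but never set here: acl_c_RR. The statements below treat a
dnl non-empty value as "a PTR record exists" - presumably it is filled by a dnsdb
dnl lookup in an earlier ACL stage; confirm against the including config.
dnl
dnl Three cases are told apart, all with an empty $sender_host_name:
dnl   host_lookup_failed = 0                     temporary resolver problem
dnl   host_lookup_failed = 1, acl_c_RR not empty forward/reverse mismatch (forged)
dnl   host_lookup_failed = 1, acl_c_RR empty     no PTR record at all
dnl ---------------------------------------------------------------------------
define(`_TMP_', `NORMALIZE_ACTION(confCHECK_RELAY_RESOLVE)')dnl
define(`confCHECK_RELAY_RESOLVE', _TMP_)dnl
dnl NOTE(review): only confCHECK_RELAY_RESOLVE is normalized here, yet the tests
dnl on confCHECK_RELAY_FORGED below also expect lower-case tokens (reject, defer,
dnl warn, pause=, greylist=, reject=). Confirm that confCHECK_RELAY_FORGED is
dnl normalized before this file is processed; otherwise its documented default
dnl WARN would not match the warn test.

# Check that the relay resolves in the reverse DNS zone
warn    set acl_m0 = no_skip

ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `AUTH', `dnl
warn    authenticated = *
        set acl_m0 = skip
')
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `RELAY_FROM', `dnl
warn    hosts = +relay_from_hosts
        set acl_m0 = skip
')
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `ACCESS', `dnl
warn    condition = ${lookup{$sender_host_address}iplsearch{CONFDIR/access-relay}\
                        {${if eq{${lc:$value}}{ok}{yes}{no}}}\
                        {no}}
        set acl_m0 = skip
')
dnl confCHECK_RELAY_RESOLVE_DEFER becomes YES as soon as either action macro
dnl contains reject or defer; it selects warn versus defer for temporary failures.
dnl NOTE(review): assuming ifelse_strstr is a substring test, the score form
dnl reject=XX also contains reject and therefore also switches temporary failures
dnl to defer - confirm that this is intended.
define(`confCHECK_RELAY_RESOLVE_DEFER',`NO')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `reject', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `defer', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_FORGED, `reject', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')
ifelse_strstr(confCHECK_RELAY_FORGED, `defer', `define(`confCHECK_RELAY_RESOLVE_DEFER',`YES')')

# temporary problems resolving the relay in the reverse DNS zone
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `dnl
# hosts excluded from the check only get a warning
warn    condition = ${if eq{$acl_m0}{skip}{yes}{no}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
#       condition = ${if eq{$host_lookup_deferred}{1}{yes}{no}}
        log_message = Cannot resolve PTR record for $sender_host_address
        add_header = X-Warn-Resolve: Cannot resolve PTR record for $sender_host_address
') dnl
ifelse_strstr(confCHECK_RELAY_RESOLVE_DEFER, `NO', `dnl
# hosts that are not excluded get a warning when neither
# confCHECK_RELAY_RESOLVE nor confCHECK_RELAY_FORGED contains reject or defer
warn    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
#       condition = ${if eq{$host_lookup_deferred}{1}{yes}{no}}
        log_message = Cannot resolve PTR record for $sender_host_address
        add_header = X-Warn-Resolve: Cannot resolve PTR record for $sender_host_address
', `dnl
# hosts that are not excluded are deferred when
# confCHECK_RELAY_RESOLVE or confCHECK_RELAY_FORGED contains reject or defer
defer   condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{0}{yes}{no}}
#       condition = ${if eq{$host_lookup_deferred}{1}{yes}{no}}
        log_message = Cannot resolve PTR record for $sender_host_address
        message = Access temporarily denied. Cannot resolve PTR record for $sender_host_address
') dnl

# the records of the relay in the forward and reverse DNS zones do not match
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `
# excluded hosts only get a warning
warn    condition = ${if eq{$acl_m0}{skip}{yes}{no}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{no}{yes}}
        log_message = IP name forged for $sender_host_address
        add_header = X-Warn-Resolve: IP name forged for $sender_host_address
')
ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `dnl
warn    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{no}{yes}}
        delay = EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s
        set acl_m15 = ${acl_m15}\t\
                delay=EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s\t\t\
                IP name forged for $sender_host_address\n
') dnl ifelse_strstr(confCHECK_RELAY_FORGED, `delay=', `')
ifelse(confCHECK_RELAY_FORGED, `reject', `
# confCHECK_RELAY_FORGED specifies reject or deny
deny    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{no}{yes}}
        message = IP name forged for $sender_host_address
',`
ifelse(confCHECK_RELAY_FORGED, `defer', `
# confCHECK_RELAY_FORGED specifies defer
defer   condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{no}{yes}}
        log_message = IP name forged for $sender_host_address
        message = Access temporarily denied. \
                IP name forged for $sender_host_address
',`
# confCHECK_RELAY_FORGED specifies none of reject, deny or defer
warn    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{no}{yes}}
        add_header = X-Warn-Resolve: IP name forged for $sender_host_address
ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `dnl
        log_message = IP name forged for $sender_host_address\
ifelse_strstr(confCHECK_RELAY_FORGED, `pause=', `; message delayed for EXTRACT(`pause', confCHECK_RELAY_FORGED)`'s')
') dnl ifelse_strstr(confCHECK_RELAY_FORGED, `warn', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `greylist=', `dnl
dnl Optional greylisting: add the configured score to acl_c8 and trace it in acl_m15.
dnl The variable read back must be $acl_c8, the same one that is being set.
ifelse(confGREYLIST, `OPTIONAL', `dnl
        set acl_c8 = \
                scores=${eval:${extract{scores}{$acl_c8}}+EXTRACT(`greylist', confCHECK_RELAY_FORGED)} \
                log_message="${extract{log_message}{$acl_c8}} greylisted due to IP name forged for $sender_host_address;"
        set acl_m15 = ${acl_m15}\t\
                greylist scores=EXTRACT(`greylist', confCHECK_RELAY_FORGED)\t\
                IP name forged for $sender_host_address\n
') dnl ifelse(confGREYLIST, `OPTIONAL', `')
') dnl ifelse_strstr(confCHECK_RELAY_FORGED, `greylist=', `')
ifelse_strstr(confCHECK_RELAY_FORGED, `reject=', `dnl
dnl Optional reject scoring: only when confOPTIONAL_REJECT is defined and is not NO.
ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `dnl', `dnl
        set acl_c6 = \
                scores=${eval:${extract{scores}{$acl_c6}}+EXTRACT(`reject', confCHECK_RELAY_FORGED)} \
                log_message="${extract{log_message}{$acl_c6}} rejected due to IP name forged for $sender_host_address;"
        set acl_m15 = ${acl_m15}\t\
                reject scores=EXTRACT(`reject', confCHECK_RELAY_FORGED)\t\t\
                IP name forged for $sender_host_address\n
')') dnl ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `', `')')
') dnl ifelse_strstr(confCHECK_RELAY_FORGED, `reject=', `')
') dnl ifelse(confCHECK_RELAY_FORGED, `defer', `')
') dnl ifelse(confCHECK_RELAY_FORGED, `reject', `')

# the relay has no record in the reverse DNS zone
ifelse_strstr(confCHECK_RELAY_RESOLVE_SKIP, `WARN', `
# excluded hosts only get a warning
warn    condition = ${if eq{$acl_m0}{skip}{yes}{no}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{yes}{no}}
        log_message = IP name lookup failed for $sender_host_address
        add_header = X-Warn-Resolve: IP name lookup failed for $sender_host_address
')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `dnl
warn    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{yes}{no}}
        delay = EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s
        set acl_m15 = ${acl_m15}\t\
                delay=EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s\t\t\
                IP name lookup failed for $sender_host_address\n
') dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `')
ifelse(confCHECK_RELAY_RESOLVE, `reject', `
# confCHECK_RELAY_RESOLVE specifies reject or deny
deny    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{yes}{no}}
        message = IP name lookup failed for $sender_host_address
',`
ifelse(confCHECK_RELAY_RESOLVE, `defer', `
# confCHECK_RELAY_RESOLVE specifies defer
defer   condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{yes}{no}}
        message = Access temporarily denied. \
                IP name lookup failed for $sender_host_address
',`
# confCHECK_RELAY_RESOLVE specifies none of reject, deny or defer
warn    condition = ${if eq{$acl_m0}{skip}{no}{yes}}
        condition = ${if eq{$sender_host_name}{}{yes}{no}}
        condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
        condition = ${if eq{$acl_c_RR}{}{yes}{no}}
        add_header = X-Warn-Resolve: IP name lookup failed for $sender_host_address
ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `dnl
        log_message = IP name lookup failed for $sender_host_address\
ifelse_strstr(confCHECK_RELAY_RESOLVE, `pause=', `; message delayed for EXTRACT(`pause', confCHECK_RELAY_RESOLVE)`'s')
') dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `warn', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `greylist=', `dnl
dnl Optional greylisting: add the configured score to acl_c8 and trace it in acl_m15.
ifelse(confGREYLIST, `OPTIONAL', `dnl
        set acl_c8 = \
                scores=${eval:${extract{scores}{$acl_c8}}+EXTRACT(`greylist', confCHECK_RELAY_RESOLVE)} \
                log_message="${extract{log_message}{$acl_c8}} greylisted due to IP name failed for $sender_host_address;"
        set acl_m15 = ${acl_m15}\t\
                greylist scores=EXTRACT(`greylist', confCHECK_RELAY_RESOLVE)\t\
                IP name lookup failed for $sender_host_address\n
') dnl ifelse(confGREYLIST, `OPTIONAL', `')
') dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `greylist=', `')
ifelse_strstr(confCHECK_RELAY_RESOLVE, `reject=', `dnl
dnl Optional reject scoring: only when confOPTIONAL_REJECT is defined and is not NO.
ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `dnl', `dnl
        set acl_c6 = \
                scores=${eval:${extract{scores}{$acl_c6}}+EXTRACT(`reject', confCHECK_RELAY_RESOLVE)} \
                log_message="${extract{log_message}{$acl_c6}} rejected due to IP name failed for $sender_host_address;"
        set acl_m15 = ${acl_m15}\t\
                reject scores=EXTRACT(`reject', confCHECK_RELAY_RESOLVE)\t\t\
                IP name lookup failed for $sender_host_address\n
')') dnl ifdef(`confOPTIONAL_REJECT', `ifelse(confOPTIONAL_REJECT, `NO', `', `')')
') dnl ifelse_strstr(confCHECK_RELAY_RESOLVE, `reject=', `')
') dnl ifelse(confCHECK_RELAY_RESOLVE, `defer', `')
') dnl ifelse(confCHECK_RELAY_RESOLVE, `reject', `')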