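dnl
dnl Sender address callout verification (exim-m4 feature file).
dnl
dnl This file is expanded once per SECTION and contributes:
dnl   MAIN            - the skip_verify_sender hostlist and internal defaults
dnl   ACL_CHECK_RCPT  - the RCPT-time statements that decide skip/defer_ok and apply the action
dnl   ACLS_ADDITIONAL - the acl_sender_verify helper ACL that runs the verification
dnl
dnl Every define() shown in this header is a commented-out example; the real
dnl values are expected to come from the site configuration.
dnl
dnl Action taken when the sender address fails verification:
dnl NO - do not perform the check
dnl WARN - write a warning to the log and add an X-Warn-Sender-Verify header
dnl QUARANTINE - accept the message and store it in quarantine without delivering it to the recipients
dnl REJECT - return a 5xx code to the client
dnl The ACL below also handles QUARANTINE combined with REJECT (quarantine plus fake reject).
dnl define(`confVERIFY_SENDER', `REJECT')dnl
dnl
dnl Treat the callout as failed only when the 5xx was received at the RCPT TO stage
dnl define(`confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE', `YES')dnl
dnl
dnl Exemptions from sender callout verification
dnl NO - no exemptions
dnl AUTH - exempt authenticated senders
dnl RELAY - exempt the relays listed in CONFDIR/skip_verify_sender_relay
dnl MAIL - exempt the sender addresses listed in CONFDIR/skip_verify_sender_mail
dnl RCPT - exempt the recipient addresses listed in CONFDIR/skip_verify_sender_rcpt
dnl SPF_PASS - exempt the message when the SPF check returned pass
dnl Each exemption switches the check off completely for the matching message,
dnl so the list files should be kept short and write-protected.
dnl define(`confVERIFY_SENDER_SKIP', `RELAY AUTH MAIL RCPT')dnl
dnl
dnl Timeout for the sender callout
dnl define(`confVERIFY_SENDER_TIMEOUT', `120s')dnl
dnl
dnl Additional parameters appended to the callout options
dnl define(`confVERIFY_SENDER_PARAMETERS', `')dnl
dnl define(`confVERIFY_SENDER_PARAMETERS', `postmaster_mailfrom=postmaster@${qualify_domain}')dnl
dnl
dnl File listing recipient addresses/domains for which the sender callout is run with defer_ok
dnl example:
dnl define(`confVERIFY_SENDER_DEFER_OK_RCPT', `CONFDIR/verify_sender_defer_ok_rcpt')dnl
dnl list format:
dnl domain : addr1 : addr2 : addr3
dnl example:
dnl my.domain.com : user : info : admin
dnl my.another.domain.com : !user : *
dnl
dnl File listing sender domains/addresses for which the sender callout is run with defer_ok
dnl example:
dnl define(`confVERIFY_SENDER_DEFER_OK_MAIL', `CONFDIR/verify_sender_defer_ok_mail')dnl
dnl list format:
dnl domain : addr1 : addr2 : addr3
dnl example:
dnl sender.domain.com : user : info : admin
dnl
dnl Ignore temporary callout errors for messages that look like they were sent by the PHP mail function
dnl NO - do not ignore defers during the sender callout for such messages
dnl YES - ignore defers during the sender callout for such messages (the callout is run with defer_ok)
dnl define(`confVERIFY_SENDER_DEFER_OK_PHP', `NO')
dnl the relaxation is applied when all of the following hold:
dnl - the domain part of the sender address has no MX records
dnl - an A record of the sender domain equals the IP address of the sending host
dnl - the local part of the sender address is www, apache or nobody
dnl This only tolerates temporary callout failures; a permanent callout failure is still acted on.
dnl
dnl the list of sender local parts can be extended; use the pipe character as the separator
dnl (the value is inserted verbatim into a regular expression, so keep it to plain names)
dnl define(`confVERIFY_SENDER_DEFER_OK_PHP_SENDER_LOCAL_PARTS', `www|apache|nobody')
dnl
dnl recipient domains for which temporary callout errors are ignored
dnl for messages sent by the PHP mail function:
dnl define(`confVERIFY_SENDER_DEFER_OK_PHP_DOMAINS', `+local_domains')
dnl when this feature is used on a transit relay that accepts all
dnl incoming mail for its recipients and forwards it onwards, it makes sense
dnl to extend confVERIFY_SENDER_DEFER_OK_PHP_DOMAINS
dnl with the list of relayed domains:
dnl define(`confVERIFY_SENDER_DEFER_OK_PHP_DOMAINS', `+local_domains : +relay_to_domains')
dnl
dnl Optional preliminary check that recipient addresses in relayed domains exist,
dnl performed before the sender callout, for setups that forward tagged spam
dnl to recipients in relayed domains
dnl NO - do not use the preliminary recipient existence check for relayed domains
dnl YES - use the preliminary recipient existence check for relayed domains
dnl define(`confVERIFY_RECIPIENT_BEFORE_VERIFY_SENDER', `YES')
dnl this check is needed so that, when tagged spam is delivered to recipients
dnl in relayed domains, no bounce message is generated when neither the sender
dnl address nor the recipient address exists.
dnl note that this check is always performed with the defer_ok parameter,
dnl so its cached result may be useless for the regular recipient existence
dnl check for relayed domains, i.e. two such checks end up being performed.
dnl that is why this check can be switched off.
dnl also note that this check is performed only when the options
dnl confSECONDARY_RELAY and confQUARANTINED_SEND_TO_RELAYTO_DOMAINS are enabled
dnl and the value of confCONTENT_SCANNING_QUARANTINE contains the word PERSONAL
dnl
ifelse(SECTION, `MAIN', `dnl
dnl Hosts exempt from the sender callout: loopback plus CONFDIR/skip_verify_sender_relay.
ifelse_strstr(confVERIFY_SENDER_SKIP, `RELAY', `dnl
hostlist skip_verify_sender = <; +ignore_defer ; +ignore_unknown ; 127.0.0.1/8`'ifelse_strstr(confIPv6, `YES', ` ; ::1') ; CONFDIR/skip_verify_sender_relay
')dnl
dnl
dnl Default the optional list files to empty so the ACL section can test their length.
ifdef(`confVERIFY_SENDER_DEFER_OK_RCPT', `', `define(`confVERIFY_SENDER_DEFER_OK_RCPT', `')')dnl
ifdef(`confVERIFY_SENDER_DEFER_OK_MAIL', `', `define(`confVERIFY_SENDER_DEFER_OK_MAIL', `')')dnl
define(`confVERIFY_SENDER_PARAMETERS_TMP',`')
ifdef(`confVERIFY_SENDER_PARAMETERS', `ifelse(X`'confVERIFY_SENDER_PARAMETERS, `X', `', `define(`confVERIFY_SENDER_PARAMETERS_TMP', `,'confVERIFY_SENDER_PARAMETERS)')')
')dnl ifelse(SECTION, `MAIN', `')
ifelse(SECTION, `ACL_CHECK_RCPT', `dnl
# Sender address verification
dnl Step 1: decide whether the check is skipped; acl_m_verify_sender_skip is empty or yes.
warn    set acl_m_verify_sender_skip =
ifelse_strstr(confVERIFY_SENDER_SKIP, `RELAY', `dnl
warn    hosts = +skip_verify_sender
        set acl_m_verify_sender_skip = yes
')dnl ifelse_strstr(confVERIFY_SENDER_SKIP, `RELAY', `')
ifelse_strstr(confVERIFY_SENDER_SKIP, `AUTH', `dnl
warn    authenticated = *
        set acl_m_verify_sender_skip = yes
')dnl ifelse_strstr(confVERIFY_SENDER_SKIP, `AUTH', `')
ifelse_strstr(confVERIFY_SENDER_SKIP, `MAIL', `dnl
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        senders = @@wildlsearch;CONFDIR/skip_verify_sender_mail
        set acl_m_verify_sender_skip = yes
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        condition = ${lookup{$sender_address}wildlsearch{CONFDIR/skip_verify_sender_mail}{yes}{no}}
        set acl_m_verify_sender_skip = yes
')dnl ifelse_strstr(confVERIFY_SENDER_SKIP, `MAIL', `')
ifelse_strstr(confVERIFY_SENDER_SKIP, `RCPT', `dnl
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        recipients = @@wildlsearch;CONFDIR/skip_verify_sender_rcpt
        set acl_m_verify_sender_skip = yes
')dnl ifelse_strstr(confVERIFY_SENDER_SKIP, `RCPT', `')
ifelse_strstr(confVERIFY_SENDER_SKIP, `SPF_PASS', `dnl
ifdef(`confSPF2', `ifelse(confSPF2, `NO', `dnl', `dnl
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        acl = acl_spf_pass
        condition = ${if eq{$acl_m_spf_result}{pass}{yes}{no}}
        set acl_m_verify_sender_skip = yes
')')dnl ifdef(`confSPF2', `ifelse(confSPF2, `NO', `dnl', `')')
')dnl ifelse_strstr(confVERIFY_SENDER_SKIP, `SPF_PASS', `')
dnl Step 2: decide whether the callout is run with defer_ok.
warn    set acl_m_verify_sender_defer_ok =
ifelse(len(X`'confVERIFY_SENDER_DEFER_OK_RCPT), `1', `dnl', `dnl
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_defer_ok}{}{yes}{no}}
        recipients = @@wildlsearch;confVERIFY_SENDER_DEFER_OK_RCPT
        set acl_m_verify_sender_defer_ok = yes
') dnl ifelse(len(X`'confVERIFY_SENDER_DEFER_OK_RCPT), `1', `')
ifelse(len(X`'confVERIFY_SENDER_DEFER_OK_MAIL), `1', `dnl', `dnl
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_defer_ok}{}{yes}{no}}
        senders = @@wildlsearch;confVERIFY_SENDER_DEFER_OK_MAIL
        set acl_m_verify_sender_defer_ok = yes
') dnl ifelse(len(X`'confVERIFY_SENDER_DEFER_OK_MAIL), `1', `')
ifelse(confVERIFY_SENDER_DEFER_OK_PHP, `NO', `', `
dnl PHP mail heuristic, IPv4 host: non-local submission, listed recipient domain,
dnl listed sender local part, no MX for the sender domain, and an A record of the
dnl sender domain equal to the connecting host. acl_m1 is used as scratch space.
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        condition = ${if eq{$received_protocol}{local}{no}{yes}}
        condition = ${if isip4{$sender_host_address}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_defer_ok}{}{yes}{no}}
        domains = confVERIFY_SENDER_DEFER_OK_PHP_DOMAINS
        condition = ${if match{$sender_address_local_part}{\N^(confVERIFY_SENDER_DEFER_OK_PHP_SENDER_LOCAL_PARTS)$\N}{yes}{no}}
        condition = ${if eq{${lookup dnsdb{mx=$sender_address_domain}}}{}{yes}{no}}
        set acl_m1 = ${lookup dnsdb{>: a=$sender_address_domain}}
        condition = ${if eq{$acl_m1}{}{no}{yes}}
        condition = ${if forany{$acl_m1}{eq{$item}{$sender_host_address}}{yes}{no}}
        set acl_m_verify_sender_defer_ok = yes
ifelse_strstr(confIPv6, `YES', `dnl
dnl Same heuristic for an IPv6 host, comparing normalised AAAA records.
dnl NOTE(review): the aaaa lookup joins its results with a colon while the list
dnl below is read with a semicolon separator - confirm this still matches when
dnl the sender domain publishes several AAAA records.
warn    condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        condition = ${if eq{$received_protocol}{local}{no}{yes}}
        condition = ${if isip6{$sender_host_address}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_defer_ok}{}{yes}{no}}
        domains = confVERIFY_SENDER_DEFER_OK_PHP_DOMAINS
        condition = ${if match{$sender_address_local_part}{\N^(confVERIFY_SENDER_DEFER_OK_PHP_SENDER_LOCAL_PARTS)$\N}{yes}{no}}
        condition = ${if eq{${lookup dnsdb{mx=$sender_address_domain}}}{}{yes}{no}}
        set acl_m1 = ${lookup dnsdb{>: aaaa=$sender_address_domain}}
        condition = ${if eq{$acl_m1}{}{no}{yes}}
        condition = ${if forany{<; $acl_m1}{eq{\
#               ${sg{${sg{${sg{$item}{\N:0+\N}{:}}}{\N::+\N}{::}}}{\N^0+\N}{}}\
                ${ipv6norm:$item}\
        }{$acl_c_sender_host_address_ipv6_compact}}{yes}{no}}
        set acl_m_verify_sender_defer_ok = yes
') dnl ifelse_strstr(confIPv6, `YES', `')
') dnl ifelse(confVERIFY_SENDER_DEFER_OK_PHP, `NO', `', `')
dnl Step 3: normalise confVERIFY_SENDER into key=00 pairs that the extract
dnl conditions below test. The action stays empty when the check is skipped,
dnl so none of the branches below match for a skipped message.
warn    set acl_m_verify_sender_action =
        condition = ${if eq{$acl_m_verify_sender_skip}{}{yes}{no}}
        acl = acl_normalize_action "confVERIFY_SENDER"
        set acl_m_verify_sender_action = ${sg{$acl_m_normalize_action_result }{\N\b([^=\s\d]+)(\s)\N}{\$1=00\$2}}
ifdef(`confSECONDARY_RELAY', `ifelse(confSECONDARY_RELAY, `NO', `dnl', `dnl
ifelse_strstr(confCONTENT_SCANNING_QUARANTINE, `PERSONAL', `dnl
ifdef(`confQUARANTINED_SEND_TO_RELAYTO_DOMAINS', `ifelse(confQUARANTINED_SEND_TO_RELAYTO_DOMAINS, `NO', `dnl', `dnl
ifdef(`confVERIFY_RECIPIENT_BEFORE_VERIFY_SENDER', `ifelse(confVERIFY_RECIPIENT_BEFORE_VERIFY_SENDER, `NO', `dnl', `dnl
# quarantine
dnl Preliminary recipient callout for relayed domains, always run with defer_ok.
deny    condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{$acl_m_skip_verify_recipient}{yes}{no}{yes}}
        domains = +relay_to_domains
        ! recipients = @@wildlsearch;CONFDIR/skip_verify_recipient
        ! verify = recipient/callout=use_sender,confVERIFY_RECIPIENT_TIMEOUT,defer_ok
        condition = ${if or{{eq{$recipient_verify_failure}{recipient}}{eq{$recipient_verify_failure}{route}}}{yes}{no}}
        message = Unrouteable address${if eq{$acl_verify_message}{Unrouteable address}{}{ ($acl_verify_message)}}
')') dnl ifdef(`confVERIFY_RECIPIENT_BEFORE_VERIFY_SENDER', `ifelse(confVERIFY_RECIPIENT_BEFORE_VERIFY_SENDER, `NO', `', `')')
')') dnl ifdef(`confQUARANTINED_SEND_TO_RELAYTO_DOMAINS', `ifelse(confQUARANTINED_SEND_TO_RELAYTO_DOMAINS, `NO', `', `')')
') dnl ifelse_strstr(confCONTENT_SCANNING_QUARANTINE, `PERSONAL', `')
')') dnl ifdef(`confSECONDARY_RELAY', `ifelse(confSECONDARY_RELAY, `NO', `', `')')
dnl Step 4: save the acl_m_* address variables and point acl_m_domain and
dnl acl_m_local_part at the sender address for the duration of the check.
dnl Presumably these variables are read elsewhere in the configuration while
dnl the sender is being verified - confirm against the router definitions.
dnl Every exit path below (or acl_sender_verify itself) restores them.
warn    condition = ${if eq{$acl_m_verify_sender_skip}{yes}{no}{yes}}
        set acl_m_domain_bak = $acl_m_domain
        set acl_m_local_part_bak = $acl_m_local_part
        set acl_m_sender_address_bak = $acl_m_sender_address
        set acl_m_sender_address_domain_bak = $acl_m_sender_address_domain
        set acl_m_sender_address_local_part_bak = $acl_m_sender_address_local_part
        set acl_m_domain = $acl_m_sender_address_domain
        set acl_m_local_part = $acl_m_sender_address_local_part
        set acl_m_sender_address =
        set acl_m_sender_address_domain =
        set acl_m_sender_address_local_part =
# warn and !quarantine and !reject
warn    condition = ${if eq{${extract{warn}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        acl = acl_sender_verify
warn    condition = ${if eq{${extract{warn}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{$acl_m_verify_sender_result}{failed}{yes}{no}}
        add_header = X-Warn-Sender-Verify: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}
        log_message = ${if eq{$acl_m_verify_sender_skip}{}{Sender address verify failed}{Sender domain verify failed}}
warn    condition = ${if eq{${extract{warn}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{$acl_m_verify_sender_result}{deferred}{yes}{no}}
        add_header = X-Warn-Sender-Verify: sender verify deffered
        log_message = Sender verify deffered
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
# quarantine and !reject
warn    condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        acl = acl_sender_verify
defer   condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{$acl_m_verify_sender_result}{deferred}{yes}{no}}
        message = Could not complete sender verify callout
        log_message = Could not complete sender verify callout
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
warn    condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{$acl_m_verify_sender_result}{failed}{yes}{no}}
        add_header = X-Quarantine-Sender-Verify: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}
        log_message = message will be quarantined: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}
        set acl_m_add_x_orig_rcpt = yes
        set acl_m_quarantined = $acl_m_quarantined envelope
accept  condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{$acl_m_verify_sender_result}{failed}{yes}{no}}
# quarantine and reject
warn    condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        acl = acl_sender_verify
defer   condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_result}{deferred}{yes}{no}}
        message = Could not complete sender verify callout
        log_message = Could not complete sender verify callout
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
accept  condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        condition = ${if eq{$acl_m_verify_sender_result}{failed}{yes}{no}}
        log_message = message will be quarantined and rejected: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}
        set acl_m_fakereject = \
                message will be quarantined and rejected: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}\
                |X-Quarantine-Sender-Verify: ${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}\
                |${if eq{$acl_m_verify_sender_skip}{}{sender address verify failed}{sender domain verify failed}}
        set acl_m_add_x_orig_rcpt = yes
        set acl_m_quarantined = $acl_m_quarantined envelope
# !quarantine and reject
dnl acl_sender_verify ends with an unconditional accept, so the acl condition
dnl on its own is also true when the sender verified successfully. The explicit
dnl test of acl_m_verify_sender_result keeps this deny limited to real failures,
dnl including when confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE is not YES.
deny    condition = ${if eq{${extract{quarantine}{$acl_m_verify_sender_action}}}{00}{no}{yes}}
        condition = ${if eq{${extract{reject}{$acl_m_verify_sender_action}}}{00}{yes}{no}}
        acl = acl_sender_verify
        condition = ${if eq{$acl_m_verify_sender_result}{failed}{yes}{no}}
ifelse(confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE, `YES', `
        condition = ${if or{\
                {eq{$sender_verify_failure}{route}}\
                {eq{$sender_verify_failure}{recipient}}\
                }{yes}{no}}
') dnl ifelse(confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE, `YES', `')
        log_message = ${if eq{$acl_m_verify_sender_skip}{}{Sender address verify failed}{Sender domain verify failed}}
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
') dnl ifelse(SECTION, `ACL_CHECK_RCPT', `')
ifelse(SECTION, `ACLS_ADDITIONAL', `dnl
acl_sender_verify:
# acl_m_verify_sender_result - result of the sender callout verification
dnl The result is preset to deferred before the verify condition runs, so it
dnl keeps that value if the verification cannot be completed. It becomes failed
dnl when the verification fails and is cleared by the final accept otherwise.
dnl A callout is used unless acl_m_verify_sender_skip is yes.
accept  set acl_m_verify_sender_result = deferred
        ! verify = sender${if eq{$acl_m_verify_sender_skip}{yes}{}{/callout=confVERIFY_SENDER_TIMEOUT`'confVERIFY_SENDER_PARAMETERS_TMP${if eq{$acl_m_verify_sender_defer_ok}{yes}{,defer_ok}{}}}}
ifelse(confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE, `YES', `
        condition = ${if or{\
                {eq{$sender_verify_failure}{route}}\
                {eq{$sender_verify_failure}{recipient}}\
                }{yes}{no}}
') dnl ifelse(confVERIFY_SENDER_FAILED_ONLY_ON_RCPT_TO_STAGE, `YES', `')
        set acl_m_verify_sender_result = failed
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
warn    \
        set acl_m_domain = $acl_m_domain_bak
        set acl_m_local_part = $acl_m_local_part_bak
        set acl_m_sender_address = $acl_m_sender_address_bak
        set acl_m_sender_address_domain = $acl_m_sender_address_domain_bak
        set acl_m_sender_address_local_part = $acl_m_sender_address_local_part_bak
accept  set acl_m_verify_sender_result =
') dnl ifelse(SECTION, `ACLS_ADDITIONAL', `')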