[ On Thursday, May 29, 2003 at 12:42:26 (-0400), Wakko Warner wrote: ]
> Subject: [Exim] dnslists modification (2nd time)
>
> Usage:
> deny dnslists = some.blacklist.org!=127.0.0.3,127.0.0.4
>
> This is only an example. This means that if the IP is on the blacklist and
> matches the list, it will fail (thus will NOT deny).

FYI you might want to think of using CIDR netmasks in the list. Here's
how I did it for smail.
Smail's code is also GPL so I'm sure you could use it for Exim if you
wish. Note that only the very most recent "snapshot" has a fully
working implementation of the above, so just let me know if you'd like
access.

Item Lists

Some variables and attributes with the type of string are really
lists of items (such as hostnames, hostname regular expressions, IP
addresses, etc.). Lists are normally simply colon (:) separated
values. Generally the colon may be preceded and/or followed by
arbitrary whitespace, though of course in an attribute value (i.e.
anywhere except in the config file) this means the value must be
quoted or the whitespace characters must be each escaped with a
backslash (\).

In some cases an optional semicolon (;) separated sub-field may be
given with an item value as well. In that case the first sub-field is
the primary item value and the second sub-field is, in most cases, a
string treated as an error message or other descriptive text to be
associated with the item. Note that the message text is not quoted
(and is not separately quotable) so it must not contain another colon
(`:') character. Escape processing as described above cannot protect
a field separator. Note that in an attribute definition (i.e.
anywhere except in the config file, though currently no attributes
allow sub-fields) if you use the semicolon separator to specify a
sub-field then you must either escape it with a backslash or enclose
the entire attribute definition in double quotes. The text message
may contain semicolons itself though since it extends to the end of
the field (i.e. to the next colon (`:') character).

Items in a list of hostnames or IP addresses may be negated by
prefixing them with an exclamation mark (!). When some value is being
compared to the items in the list then a match of a negated item will
cause the remainder of the items in the list to be ignored and for a
no-match condition to be immediately indicated (thus implementing a
``first match wins'' algorithm). For example in a list of IP
addresses the following would match any address in the range 10.0.0.0
through 10.255.255.255 except 10.1.1.1:

    ! 10.1.1.1 : 10/8

IP and IP Network Address Representation

As mentioned above some lists may contain strings representing IP
addresses. They are specified in a format compatible with
inet_net_pton(3). Generally speaking this means a host may be
specified in the standard four-octet ASCII form, and any CIDR network
may be specified by a four-octet number followed by a slash (`/') and
a number specifying the number of bits in the network portion.

The magic keyword localnet represents a run-time generated pattern
constructed to represent the classical IP network for the local
address of the current connection. This keyword is of little use to
anyone using either a supernet, or a subnet of anything larger than a
Class C (/24) network.

Optionally if smail has been compiled with ``HAVE=LIBWHOSON'' then
there is also support for a magic keyword whoson which can be used to
query a WHOSON server for additional IP numbers which are currently
authorised to relay mail remotely via SMTP.

Hostname Regular Expressions

As mentioned above some lists may contain hostname regular
expressions. These are simply regular expression strings which are
matched against hostnames. The expression is implicitly anchored at
the beginning and end of the hostname.

Note that the backslash character (`\') must be quoted with itself
since it is also the escape character for all configuration entries.

Note that a case-insensitive match is always done if the host
platform's underlying regular expression library is POSIX compliant.

And here's an example of IP lists in use for DNS blacklists:
smtp_rbl_domains="\
:dev.null.dk; 127/8\
:dnsbl.njabl.org; 127.0.0.2, 127.0.0.3\
:relays.osirusoft.com; 127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6, 127.0.0.7, 127.0.0.8\
:relays.ordb.org; 127/8\
:list.dsbl.org; 127/8\
:multihop.dsbl.org; 127/8\
:dnsbl.sorbs.net; 127/8\
:orbs.dorkslayers.com; 127.0.0.2\
:spamsources.fabel.dk; 127.0.0.2\
:blackholes.five-ten-sg.com; 127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.5\
:bl.spamcop.net; 127.0.0.2\
:blackholes.easynet.nl; 127.0.0.2\
:dynablock.easynet.nl; 127.0.0.2\
:blacklist.spambag.net; 127.0.0.2\
"
And another example for the greeting ACL (the text portion is sent in
the SMTP error response):
smtp_hello_reject_hosts="\
:63.228.58.3/24;the spammers at freehelpdaily.com. \
By all rights I should be blocking all of USW-INTERACT99, \
however I'll be semi-nice and just whack the /24.\
:168.229.204.254;mail.rih.org, which is running a broken AppleShare mailer \
that doesn't believe an error code from MAIL FROM, and doesn't have \
a decent retry time. Force an early reject to get it to go away. \
If/when they ever upgrade to the supposedly fixed AppleShare IP Mail \
Server 6.0, then we can maybe let them try again.\
:206.26.195.192/26;HAKEN ELECTROMECHANICS (NETBLK-CW-206-26-195-192) -- stockpost.net, you idiots spam postmasters!\
:206.190.224.145/24;NETBLK-MIBX -- you are home of the paid4survey.net spammers, go away!\
:207.67.128/20;VRIO-207-067-128 -- host of spammer etransmail2.com, you may not send mail from that network!\
:207.217.0.0/16;Earthlink -- a spammer haven like no other!\
:209.10.179.0/24;Globix Corporation (NETBLK-GLOBIXBLK3) -- the riffage.com spammer lives there!\
:209.167.79.0/24;Media Synergy Inc. (NETBLK-MEDSYN4UU1) -- the flonetwork.com spammer lives there!\
:209.178.0.0/18;Earthlink -- a spammer haven like no other!\
:211.58.56.0/24;HANARO Telecom hananet.net -- too many open relays!\
:212.175.216.0/24;sim.com.tr (SIM-ELK-NET) -- go away spammer!\
:212.150.46.0/24;BARAK-3 -- barak.net.il is home to too many spammers!\
:212.150.47.0/24;BARAK-3 -- barak.net.il is home to too many spammers!\
:212.150.48.0/24;BARAK-3 -- barak.net.il is home to too many spammers!\
:212.150.49.0/24;BARAK-3 -- barak.net.il is home to too many spammers!\
:216.32.218.0/24;apparently mypoints.com -- you idiots spammed my <abuse> mailbox! (part of NETBLK-ECI-7)\
:216.33.87.0/24;apparently mypoints.com -- you idiots spammed my <abuse> mailbox! (part of NETBLK-ECI-7)\
:216.225/16;Netname FREEI-BLK1, Netblock 216.225.0.0 - 216.225.255.255\
:216.216.0.128/28;ETRACKS.COM spammer, Netname ATWORK-39479-34191, Netblock 216.216.0.128 - 216.216.0.255\
:217.6.124.154/24;Blocking spammer at de.multi-support.com - detailed RIPE assignment missing, assuming /24\
"
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
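
The item-list matching described in the quoted manual text (colon-separated items, optional `;' message sub-field, `!' negation, first match wins), as an added Python example that is not smail's code and not part of the original message. The function names and the sample lists are constructed for illustration, and a bare address without /bits is assumed to need all four octets, which is a simplification of inet_net_pton(3).

```python
import ipaddress

def parse_net(text):
    """Parse '10/8', '207.67.128/20' or '63.228.58.3/24' into an IPv4Network."""
    addr, slash, bits = text.strip().partition("/")
    octets = addr.split(".")
    # Assumption: abbreviated octets are only accepted together with /bits.
    if not 1 <= len(octets) <= 4 or (not slash and len(octets) != 4):
        raise ValueError(f"unsupported address form: {text!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    prefix = int(bits) if slash else 32
    # strict=False: host bits below the mask are ignored, as in 63.228.58.3/24.
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)

def parse_list(spec):
    """Split a colon-separated list into (negated, network, message) tuples."""
    items = []
    for field in spec.split(":"):
        # Only the first ';' separates the sub-field; later ones stay in the text.
        value, _, message = field.partition(";")
        value = value.strip()
        if not value:
            continue  # empty field, e.g. before a leading ':'
        negated = value.startswith("!")
        items.append((negated, parse_net(value.lstrip("!")), message.strip()))
    return items

def match(items, address):
    """First match wins: a negated hit ends the search with a no-match."""
    ip = ipaddress.ip_address(address)
    for negated, net, message in items:
        if ip in net:
            return (not negated, message)
    return (False, "")

# The list from the manual text, and a constructed reject list in the same
# layout as smtp_hello_reject_hosts (the messages here are sample text).
EXCEPT_ONE = parse_list("! 10.1.1.1 : 10/8")
REJECT = parse_list(":63.228.58.3/24;sample text one; with a semicolon"
                    ":207.67.128/20;sample text two")

if __name__ == "__main__":
    for candidate in ("10.1.1.1", "10.2.3.4", "63.228.58.200", "207.67.144.1"):
        print(candidate, match(EXCEPT_ONE, candidate), match(REJECT, candidate))
```

A message sub-field containing `:' is split into a new item by parse_list, which is the constraint the manual text states for message text.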