Hi,
First of all, thank you for reading this message.
Some time ago, I had a lot of problems with bounces being received,
because the From field was forged by spammers.
I did this by following
http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt.
However, as this document itself states, it's not a very good solution; some
problems are being caused by it.
I was wondering, I now have this:
  <do some RBL stuff>

  # default at end of acl causes a "deny", but line below will give
  # an explicit error message:
  deny message = relay not permitted

# ACL that is used after the DATA command
check_message:
  deny senders = :
       condition = ${if ! eq{$recipients_count}{1}{1}}
       message = Bounces must have only a single recipient

  deny senders = :
       ! condition = ${if match \
                       {$message_body $message_body_end} \
                       {[xX]-bounce-key:\\s*BOUNCE_ID;${rxquote:${lc:$recipients}};(\\d+);(\\w+)} \
                       {${if eq {$2} \
                         {${length_8:${md5:BOUNCE_ID;${lc:$recipients};$1;BOUNCE_SECRET}}} \
                         {${if <{${sg{${eval:$tod_epoch-$1}}{-}{}}}{864000}{1}}}}}}
       message = Bounce does not contain a valid X-bounce-key signature \
                 so not accepting message

  accept
But what I want to try now is creating compatibility for the widely used
'Disposition' header, so all messages with this tag (or the
'Disposition-Notification-To' tag) should be accepted before the
bounce-key is checked (the key is created by using headers_add at
remote_smtp time).
But my knowledge of the ACL system isn't much more than just being able
to read most of it.
Could something like this work?
# ACL that is used after the DATA command
check_message:
  deny senders = :
       condition = ${if ! eq{$recipients_count}{1}{1}}
       message = Bounces must have only a single recipient

  accept senders = :
         regex = [dD]isposition.*:

  deny senders = :
       ! condition = ${if match \
                       {$message_body $message_body_end} \
                       {[xX]-bounce-key:\\s*BOUNCE_ID;${rxquote:${lc:$recipients}};(\\d+);(\\w+)} \
                       {${if eq {$2} \
                         {${length_8:${md5:BOUNCE_ID;${lc:$recipients};$1;BOUNCE_SECRET}}} \
                         {${if <{${sg{${eval:$tod_epoch-$1}}{-}{}}}{864000}{1}}}}}}
       message = Bounce does not contain a valid X-bounce-key signature \
                 so not accepting message

  accept
That way I accept messages which aren't yet processed by the bounce-key
check, which sometimes won't contain the bounce key but will most
likely have Disposition somewhere in the message (header or body).
But if this works, all messages with the word "disposition" followed by a
':' will just be accepted, so I also want to add a condition: the
bounce-key should *not* exist. That way messages without a bounce
key but with Disposition will be accepted, and other messages will just
be checked by the standard bounce-key checker.
Am I on the right track here?
If not, could anyone perhaps kick me to the right track?
--
Regards,
Sebastian Berm