We recently ran into an issue where we were getting mail from a domain
that had an A record that resolved to private IP space. Not a big issue
in most circumstances, but since we do store-n-forward spam filtering it
became a slight problem because our customer's MTA recognized the
sending domain as being in private IP space and 550'd the message, thus
leaving us holding the bag as it were.
As a result of the above I developed an ACL to catch these and reject
them. There probably isn't a great demand for such a beast, but I
thought I'd share it.
In the main section of the config file add:
---snip---
# RFC 1918 private address ranges, referenced in the ACL as +rfc1918_hosts
hostlist rfc1918_hosts = 10.0.0.0/8:172.16.0.0/12:192.168.0.0/16
---snip---
In the ACL used for acl_smtp_mail:
---snip---
  # Collect the sender domain's MX hostnames as a colon-separated list
  # (the variable stays empty when the domain has no MX records).
  warn  set acl_m_senderDomainMx = ${lookup dnsdb{>: mxh=$sender_address_domain}{$value}}

  # Domain has MX records: resolve every MX host to its A records and
  # reject only when all of the resulting addresses are private.
  deny  condition   = ${if def:acl_m_senderDomainMx}
        condition   = ${if forall\
                          {${lookup dnsdb{>: a=$acl_m_senderDomainMx}{$value}}}\
                          {match_ip{$item}{+rfc1918_hosts}}{true}{false}}
        message     = All available mail destinations are private IP(s).
        log_message = Sender rejected, all available MX hosts are private IPs.

  # No MX records: fall back to the domain's own A records (the implicit
  # MX of RFC 5321) and apply the same test.
  deny  condition   = ${if !def:acl_m_senderDomainMx}
        condition   = ${if forall\
                          {${lookup dnsdb{>: a=$sender_address_domain}{$value}}}\
                          {match_ip{$item}{+rfc1918_hosts}}{true}{false}}
        message     = All available mail destinations are private IP(s).
        log_message = Sender rejected, all available A records are private IPs.
---snip---
Of course any comments/questions/improvements are welcome.
-Bryan Rawlins
OnlyMyEmail
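The decision the ACL above makes (MX hosts' A records if the domain has MX, otherwise the domain's own A records, reject only when every address is private) can be modelled outside Exim to check edge cases before deploying it. The following is an added example and is not code from the post or from Exim; it uses a constructed, in-memory DNS fixture (the domain names are made up for illustration) instead of live lookups, and the function names are its own. It adds an explicit guard for an empty address list, because Python's all() is true on an empty sequence and would otherwise reject a domain purely for having no resolvable addresses.

```python
import ipaddress

# Constructed DNS fixture (not real records): domain -> MX hostnames,
# and hostname -> A records. Hosts absent from A_RECORDS do not resolve.
MX_RECORDS = {
    "private-only.example": ["mx1.private-only.example", "mx2.private-only.example"],
    "mixed.example": ["mx.mixed.example", "backup.mixed.example"],
    "dangling.example": ["mx.dangling.example"],  # MX host has no A record
}
A_RECORDS = {
    "mx1.private-only.example": ["10.1.2.3"],
    "mx2.private-only.example": ["192.168.5.5"],
    "mx.mixed.example": ["10.0.0.9"],
    "backup.mixed.example": ["203.0.113.7"],
    "nomx.example": ["172.16.4.4"],       # no MX: the ACL falls back to A records
    "public.example": ["198.51.100.10"],
}

# Same ranges as the rfc1918_hosts hostlist in the ACL.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """Equivalent of match_ip{$item}{+rfc1918_hosts}."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def mail_destination_addresses(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Mirror the ACL's two branches: A records of the MX hosts when the
    domain has MX records, otherwise the domain's own A records."""
    hosts = mx.get(domain) or [domain]
    return [ip for host in hosts for ip in a.get(host, [])]


def should_reject(domain, mx=MX_RECORDS, a=A_RECORDS):
    """True when every mail destination address for the domain is private."""
    addrs = mail_destination_addresses(domain, mx, a)
    if not addrs:
        # Nothing resolved: do not reject on absent data.
        return False
    return all(is_private(ip) for ip in addrs)


if __name__ == "__main__":
    for d in sorted(set(MX_RECORDS) | {"nomx.example", "public.example"}):
        verdict = "550 reject" if should_reject(d) else "accept"
        print(f"{d:25} {mail_destination_addresses(d)!s:40} {verdict}")
```

Run it as a script to see each fixture domain's resolved destinations and the verdict; the "dangling.example" row shows the empty-list case that the guard in should_reject() covers.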