[exim] Catching sending domains that resolve to RFC1918 IP s…

Author: Bryan Rawlins
Date:
To: exim-users
Subject: [exim] Catching sending domains that resolve to RFC1918 IP space
We recently ran into an issue where we were getting mail from a domain
that had an A record that resolved to private IP space. Not a big issue
in most circumstances, but since we do store-n-forward spam filtering it
became a slight problem because our customer's MTA recognized the
sending domain being private IP space and 550'd the message, thus
leaving us holding the bag as it were.

As a result of the above I developed an ACL to catch these and reject
them. There probably isn't a great demand for such a beast, but I
thought I'd share it.

In the main section of the config file add:
---snip---
hostlist rfc1918_hosts = 10.0.0.0/8:172.16.0.0/12:192.168.0.0/16
---snip---

In the ACL used for acl_smtp_mail:
---snip---
# Collect the sender domain's MX host names (colon-separated) for the checks below.
warn    set acl_m_senderDomainMx = ${lookup dnsdb{>: mxh=$sender_address_domain}{$value}}

# MX records exist: reject when every address those MX hosts resolve to is RFC1918.
deny    condition = ${if def:acl_m_senderDomainMx}
        condition = ${if forall\
                        {${lookup dnsdb{>: a=$acl_m_senderDomainMx}{$value}}}\
                        {match_ip{$item}{+rfc1918_hosts}}{true}{false}}
        message = All available mail destinations are private IP(s).
        log_message = Sender Rejected, All available MX hosts are private IPs.

# No MX records: apply the same test to the domain's own A records.
deny    condition = ${if !def:acl_m_senderDomainMx}
        condition = ${if forall\
                        {${lookup dnsdb{>: a=$sender_address_domain}{$value}}}\
                        {match_ip{$item}{+rfc1918_hosts}}{true}{false}}
        message = All available mail destinations are private IP(s).
        log_message = All available A records are private IPs.
---snip---



Of course any comments/questions/improvements are welcome.

-Bryan Rawlins
OnlyMyEmail
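
Added example, not part of the original post: a Python model of the decision the two deny statements make, run over constructed DNS data, for checking which sender domains such a rule would reject. The function names, the sample domains and addresses, and the choice to leave a domain with no address records alone are assumptions of this example.

```python
import ipaddress

# The three ranges from the post's rfc1918_hosts hostlist.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS data standing in for the dnsdb lookups (not real records).
MX = {
    "all-private.example": ["mx1.all-private.example", "mx2.all-private.example"],
    "mixed.example": ["mx1.mixed.example", "mx2.mixed.example"],
}
A = {
    "mx1.all-private.example": ["10.1.2.3"],
    "mx2.all-private.example": ["192.168.0.25"],
    "mx1.mixed.example": ["172.16.9.9"],
    "mx2.mixed.example": ["198.51.100.7"],
    "a-only.example": ["172.31.255.1"],
    "public.example": ["203.0.113.10"],
}

def is_rfc1918(addr):
    """True when addr falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def sender_domain_verdict(domain, mx=MX, a=A):
    """Return (rejected, reason) following the logic of the two deny statements."""
    mx_hosts = mx.get(domain, [])
    if mx_hosts:
        # First deny: A records of every MX host, pooled into one list.
        addrs = [ip for host in mx_hosts for ip in a.get(host, [])]
        reason = "all MX hosts are private IPs"
    else:
        # Second deny: no MX, so test the domain's own A records.
        addrs = a.get(domain, [])
        reason = "all A records are private IPs"
    # Assumption of this model: a domain with no address records at all is
    # left to other checks rather than rejected here.
    rejected = bool(addrs) and all(is_rfc1918(ip) for ip in addrs)
    return rejected, (reason if rejected else "ok")

if __name__ == "__main__":
    for d in ("all-private.example", "mixed.example", "a-only.example",
              "public.example", "nodata.example"):
        print(d, sender_domain_verdict(d))
```

A domain with one public and one private MX is accepted, since the rule only fires when no reachable destination remains.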