File: smtpd_address_check.html

Package: smtpd 2.0-1 (Debian, suite potato, area main)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Juniper man pages - smtpd Address Checking rules</TITLE>
</HEAD>
<BODY>
<H3><IMG SRC="../../gifs/Juniper_Icon_Flash.gif" ALIGN="middle">
<A HREF="../../juniper/"><B>Juniper</B></A> man pages
- smtpd Address Checking</H3>
<HR>

<H3>SMTPD version 2 Address Checking rules</H3>
<P>
The address check file, when enabled, is read for each RCPT line
in the SMTP dialogue. Each rule is checked against the current
source (the SMTP client machine, and possibly the user returned by ident)
and the current FROM: and RCPT: addresses. Rules are
read from the top of the file to the bottom, and the first match
stops the check, with the action determined by the first
field of the rule.
<P>
Anything on a line after a pound sign (#) is ignored as a comment.
<P>
An address check rule line has four fields:
<BR>
<TT>[allow|deny|noto]:SourceList:FromList:ToList[:XXX message for deny/noto]</TT>
<P>

The first field must normally be one of the strings "allow", "deny", or
"noto". This determines the disposition of a message which matches the
rule.  A matching "allow" rule allows the smtp connection to proceed.  A
matching "deny" rule terminates the smtp connection with a
failure, and the message will not be delivered to *any* of its recipients.
A "noto" rule prevents the delivery of a message to the matching
combination, failing that RCPT command and returning a 550 code in the SMTP
dialogue, but allows delivery to continue if other rules allow further
recipients. If NODO_DELAY and DENY_DELAY are set nonzero in the makefile
at compile time, there are two additional rule keywords, "noto_delay" and
"deny_delay". These rules function exactly like a noto or deny, except
that smtpd sleeps for the delay amount before returning the error
code to the client, causing a "pregnant pause" in the SMTP dialogue.

<P>
The second field is a list of Source Patterns, separated by white space.
These match against the incoming SMTP connection's originating hostname,
IP address and possibly the username returned by an ident call.
<P>
The third field is a list of Address Patterns, separated by white space.
These match against the MAIL FROM: portion of the smtp dialogue.
<P>
The fourth field is a list of Address Patterns, separated by white space.
These match against the RCPT TO: portion of the smtp dialogue.
<P>
The fifth field is optional; if present, it is used when the rule matches
and is a deny or noto rule. It should be the complete smtp
dialogue message to be sent to the remote smtp client, starting with
an appropriate smtp error code. The following substitutions are made in
the string:
<UL>
<LI><TT>%F</TT> is replaced with the MAIL FROM: address. 
<LI><TT>%T</TT> is replaced with the RCPT TO: address. 
<LI><TT>%H</TT> is replaced with the connecting hostname, or "UNKNOWN"
<LI><TT>%U</TT> is replaced with the connecting user from ident, or "UNKNOWN"
<LI><TT>%I</TT> is replaced with the connecting host IP address.
</UL>
<P>
For a rule to match, a match must be made against all
three lists. A match against a list occurs when any of the patterns
in it matches. The keyword "EXCEPT" may be used in a list
to indicate exceptions to matches. For example:
<BR>
<TT>pattern1 pattern2 pattern3 EXCEPT pattern4</TT>
<BR>
will match any string that matches pattern1, pattern2 or pattern3,
except for those that also match pattern4.
<P>

All characters in patterns, except in specials, must be lower case.
Lower case letters in patterns match both upper and lower case
letters in sources. '*' in a pattern matches 0 or more characters.  If
smtpd was compiled with USE_REGEX set in the makefile, a pattern may
be enclosed in slashes "//", to indicate that it is a POSIX style
regular expression, which is matched case insensitively.

<H3>Source Patterns:</H3>

A Source Pattern is a pattern to match the source of a connection.  It
consists of two parts: an optional user part, followed by an at sign (@),
and the required host part. Each part is treated
independently. The user part (if present) is checked against the user
value returned when smtpd performs an ident query to the connecting
machine. No ident query is made unless a rule requests one. The host
part matches against the hostname or IP address of the connecting
machine. IP addresses may be specified using a netmask of the form
a.b.c.d/bits. Each part may consist of the following specials:
<UL>
<LI>ALL matches everything, including the empty string.
<LI>KNOWN matches a known reply from the network, in the case of
      resolved hostnames or ident values.
<LI>UNKNOWN matches an unknown reply from the network, in the case of
      resolved hostnames or ident values.
<LI>TRUSTED matches a connection arriving on a trusted interface
      (if smtpd was compiled with JUNIPER_SUPPORT and you are
      running on a machine with the Juniper firewall toolkit).
<LI>UNTRUSTED matches a connection arriving on an untrusted interface
      (if smtpd was compiled with JUNIPER_SUPPORT and you are
      running on a machine with the Juniper firewall toolkit).
<LI>NS=pattern matches a connection arriving from a source whose nameserver
      or mail exchanger matches pattern (if NS_MATCH is set to 1 in the Makefile).
</UL>

<H3>Example Source Patterns:</H3>
<UL>
<LI><TT>hobbes.obtuse.com</TT> - matches only a connection from machine
      "hobbes.obtuse.com" (or "HoBBeS.obTuSe.CoM")

<LI><TT>*obtuse.com</TT> - matches any hostname ending in "obtuse.com"
      (hobbes.obtuse.com or hobbes.AcutelyObtuse.com)

<LI><TT>KNOWN</TT> - matches only machines whose address resolves
      to a hostname.

<LI><TT>UNKNOWN</TT> - matches only machines whose address does not
      resolve to a hostname.

<LI><TT>UNKNOWN EXCEPT TRUSTED</TT> - matches a connection from a machine
      whose address does not resolve to a hostname, except if the connection is via
      a trusted interface.

<LI><TT>KNOWN@KNOWN</TT> - matches only machines whose address resolves
      AND which return something as the user via ident.
      (No ident call is made by smtpd unless a rule
      requires one.)

<LI><TT>129.128.13.2</TT> - matches a connection from host IP 129.128.13.2

<LI><TT>129.128.13.0/24</TT> - matches a connection from class C 129.128.13.

<LI><TT>129.128.13.*</TT> - matches a connection from class C 129.128.13.

<LI><TT>beck@hobbes.obtuse.com</TT> - matches only a connection from machine
      "hobbes.obtuse.com", with ident returned
      as "beck" (or "bEcK").

<LI><TT>KNOWN@hobbes.obtuse.com</TT> - matches only a connection from machine
      "hobbes.obtuse.com", with any known ident
      value.

<LI><TT>UNKNOWN@hobbes.obtuse.com</TT> - matches only a connection from machine
      "hobbes.obtuse.com", with any unknown ident
      value.
</UL>
<H3>Address patterns:</H3>


An address pattern may consist of a user and host part, separated
by an at sign (@). Each part, or the whole pattern, may consist
of one of the following specials:
<UL>
<LI>ALL matches everything, including the empty string.
<LI>USER (special) means this part must match the ident user for the connection.
<LI>NS=pattern matches the nameserver or MX; it may appear on the right of the @, or by itself
(if NS_MATCH is set to 1 in the Makefile).
</UL>
<H3>Address pattern examples:</H3>
<UL>
<LI><TT>ALL</TT> matches anything.
<LI><TT>spamford@cyberpromo.com</TT> matches "spamford@cyberpromo.com"

<LI><TT>ALL@cyberpromo.com</TT> matches any address from "cyberpromo.com"

<LI><TT>*@cyberpromo.com</TT> same as above

<LI><TT>ALL@*cyberpromo.com</TT> matches any address from anything ending in
      cyberpromo.com.

<LI><TT>ALL@NS=*cyberpromo.com</TT> matches any address whose RHS uses
      a nameserver or MX ending in "cyberpromo.com".

<LI><TT>sales@ALL</TT> matches "sales" from anywhere.

<LI><TT>USER@obtuse.com</TT> matches an address at obtuse.com whose
      user part is (case insensitively) the ident reply from the connecting host.
<LI><TT>/^[0-9]+@.*$/</TT> (assuming USE_REGEX = 1 when built) matches any address
      whose user part is all digits.
</UL>

<H3>Example Rules:</H3>
<TT><PRE>
#Allow anything from anywhere to an address ending in obtuse.com:
allow:ALL:ALL:ALL@*obtuse.com
#don't allow unregistered hosts, unless via a trusted interface
deny:UNKNOWN EXCEPT TRUSTED:ALL:ALL

#deny mail from anything ending in .cyberpromo.com
deny:ALL:*.cyberpromo.com:ALL
#and deny anything relayed by a host ending in .cyberpromo.com
deny:*.cyberpromo.com:ALL:ALL

#Simple ident example, useful *only* if you can trust the ident
#value returned by the machine. (You can't unless you control it
#or trust the person that does not to make it lie)
#Allow mail if the user part of the FROM address matches ident.
allow:KNOWN@idents.trusted.here:USER@idents.trusted.here:ALL

# A more complex example. The typical university case of making
# sure users don't subscribe other users to majordomo mailing lists by
# forging mail via smtp.
# allow users that mta's run as to send anything
allow:root@ALL daemon@ALL uucp@ALL:ALL:ALL
# other known users can send to majordomo only as themselves according
# to ident.
allow:KNOWN@ALL:USER@ALL:majordomo@ALL
# Below shows a custom message too
deny:ALL:ALL:majordomo@ALL:550 You can't send majordomo mail from %F when you are %U@%H (ip %I).

# The normal antispam case, assumes JUNIPER_SUPPORT,
# We trust everything from inside on a trusted interface to go out
allow:TRUSTED:ALL:ALL
# DNS registered clients can talk to me, with mail for my domains
allow:KNOWN:ALL:*my.domain *myother.domain
# unregistered clients get punted.
deny:UNKNOWN:ALL:ALL
# otherwise mail to nonlocal users won't get relayed.
noto:ALL:ALL:ALL
</PRE></TT>
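<P>
As an added illustration (not code from the smtpd package), the following Python evaluator applies the rule semantics above to a connection record and a FROM/RCPT pair, so a rule file can be dry-run before it is deployed: it implements the ALL, KNOWN, UNKNOWN, TRUSTED and USER specials, '*' globbing, EXCEPT lists, first-match ordering and the %F %T %H %U %I substitutions. It assumes the a.b.c.d/bits netmask, NS= and /regex/ forms are not needed, and takes the connection as a plain dict with host, ip, user and trusted keys, a constructed stand-in for what smtpd learns from DNS, ident and the interface.

```python
import re

def part(pat, value):  # ALL/KNOWN/UNKNOWN specials, else a '*' glob matched case-insensitively
    if pat in ("ALL", "KNOWN", "UNKNOWN"):
        return pat == "ALL" or (value is not None) == (pat == "KNOWN")
    regex = ".*".join(re.escape(p) for p in pat.split("*"))
    return value is not None and re.fullmatch(regex, value, re.IGNORECASE) is not None

def match_source(pat, c):  # c: dict with host (None if unresolved), ip, user (None if no ident), trusted
    userpat, _, hostpat = pat.rpartition("@")  # the user@ part is optional
    if userpat and not part(userpat, c["user"]):
        return False
    if hostpat in ("TRUSTED", "UNTRUSTED"):
        return c["trusted"] == (hostpat == "TRUSTED")
    return part(hostpat, c["host"]) or (hostpat[:1].isdigit() and part(hostpat, c["ip"]))

def match_addr(pat, addr, c):  # user@host; a bare pattern such as ALL is the host part
    puser, _, phost = pat.rpartition("@")
    auser, _, ahost = addr.rpartition("@")
    if puser == "USER":  # user part must equal the ident reply, case-insensitively
        return c["user"] is not None and c["user"].lower() == auser.lower() and part(phost, ahost)
    return part(puser or "ALL", auser) and part(phost, ahost)

def match_list(words, fn):  # any pattern matches, unless one after EXCEPT also does
    head, _, tail = " ".join(words).partition(" EXCEPT ")
    return any(fn(p) for p in head.split()) and not any(fn(p) for p in tail.split())

def parse_rules(text):  # '#' starts a comment; fields are action:Src:From:To[:message]
    fields = [l.split("#", 1)[0].strip().split(":", 4) for l in text.splitlines()]
    return [(f[0], f[1].split(), f[2].split(), f[3].split(), f[4] if len(f) > 4 else None)
            for f in fields if f[0]]

def check(rules, c, mail_from, rcpt_to):  # top to bottom, first match wins
    for action, src, frm, to, msg in rules:
        if (match_list(src, lambda p: match_source(p, c))
                and match_list(frm, lambda p: match_addr(p, mail_from, c))
                and match_list(to, lambda p: match_addr(p, rcpt_to, c))):
            subs = {"%F": mail_from, "%T": rcpt_to, "%H": c["host"] or "UNKNOWN",
                    "%U": c["user"] or "UNKNOWN", "%I": c["ip"]}
            return action, msg and re.sub("%[FTHUI]", lambda m: subs[m.group()], msg)
    return None  # no rule matched

RULES = parse_rules("""
# constructed rule file: the page's majordomo example plus its trusted-interface deny
allow:root@ALL daemon@ALL uucp@ALL:ALL:ALL
allow:KNOWN@ALL:USER@ALL:majordomo@ALL
deny:ALL:ALL:majordomo@ALL:550 You can't send majordomo mail from %F when you are %U@%H (ip %I).
deny:UNKNOWN EXCEPT TRUSTED:ALL:ALL
noto:ALL:ALL:ALL
""")
```

check() returns the action of the first matching rule together with the expanded custom message (None when the rule has none), or None when no rule matched at all.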
<P>
<H4>About NS= rules</H4>

The NS= rules match things in a somewhat strange way. Namely,
they chop labels off the left of what they are given until
they find something with a record for it. Specifically, if you are
looking for <tt>NS=*cyberpromo.com</tt>, and the address you are
matching against is <tt>someone@completely.bogus.cyberpromo.com</tt>,
the NS= match will try first "completely.bogus.cyberpromo.com", then
"bogus.cyberpromo.com", and then finally "cyberpromo.com", for which
it will find cyberpromo's nameserver and mx records.

The exception to this is the case of <TT>NS=UNKNOWN</TT> or
<TT>NS=KNOWN</TT>. These match on whether a host, or the rhs of an address,
is known or unknown to the DNS. A host is UNKNOWN if:
<UL>
<LI>a gethostbyname() call fails to find a hostent for it, AND
no Nameserver (NS) or Mail Exchanger (MX) records can be found
for it in the DNS.
</UL>
When you specify <TT>NS=KNOWN</TT> or <TT>NS=UNKNOWN</TT>,
smtpd will not attempt to work its way down the string to find out
who owns it. I.e. <TT>completely.bogus.cyberpromo.com</TT> would match
<TT>NS=*cyberpromo.com</TT>, but would not match <TT>NS=KNOWN</TT>, and
would match <TT>NS=UNKNOWN</TT>.

The major effect of this is that the following rule:
<BR>
<TT>noto:ALL:NS=UNKNOWN:ALL</TT>
<BR>
should effectively block any mail that gives a MAIL FROM:
address in the smtp dialogue with no hope of being replied to via
smtp from your machine.
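<P>
To make the label-stripping behaviour concrete, here is an added Python sketch (not smtpd's code) that walks a right-hand side the way described above, with a constructed table standing in for the DNS. It assumes a name is KNOWN only when the table has NS or MX records for it, ignoring the gethostbyname() half of the definition.

```python
import re

# Constructed stand-in for the DNS (an assumption, not the real resolver): keys are
# names that have NS or MX records, values are the hostnames those records name.
DNS = {
    "cyberpromo.com": ["ns1.cyberpromo.com", "mx.cyberpromo.com"],
    "obtuse.com": ["ns.obtuse.com", "hobbes.obtuse.com"],
}

def glob(pat, value):  # '*' matches 0 or more characters; letters match case-insensitively
    regex = ".*".join(re.escape(p) for p in pat.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def ns_match(ns_pattern, rhs, dns=DNS):
    """Evaluate NS=<pattern> against a hostname or the rhs of an address.
    NS=KNOWN / NS=UNKNOWN look only at the full string; any other pattern
    chops labels off the left until some suffix has records, then matches
    the pattern against the hostnames in those records."""
    pat = ns_pattern[len("NS="):]
    if pat in ("KNOWN", "UNKNOWN"):
        return (rhs.lower() in dns) == (pat == "KNOWN")
    labels = rhs.lower().split(".")
    for i in range(len(labels)):
        records = dns.get(".".join(labels[i:]))
        if records is not None:
            return any(glob(pat, r) for r in records)
    return False  # no suffix of rhs has any records

def unreplyable(mail_from, dns=DNS):  # what noto:ALL:NS=UNKNOWN:ALL would refuse
    return ns_match("NS=UNKNOWN", mail_from.rpartition("@")[2], dns)
```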

<BR><BR>
<DL>
<DT><B>BUGS</B>
<DD>

<BR> <EM>Mistakes in these rules can discard legitimate mail and annoy your
users and other postmasters a very great deal!</EM> When combined with
custom return codes it is possible to write rules that completely break the
smtp protocol. It is important to test your rules out and be absolutely sure
they do exactly what you want and no more.

<BR><BR>
<DT><B>NOTES</B>
<DD>
<BR>
<TT>smtpd</TT> and <TT>smtpfwdd</TT> are also available separately from
<A HREF="../../juniper/"><B>Juniper</B></A>
under quite friendly copyright terms.
They can be obtained using anonymous <TT>ftp</TT> from the directory
<A HREF="ftp://ftp.obtuse.com/pub/smtpd"><TT>ftp://ftp.obtuse.com/pub/smtpd</TT></A>.
<BR><BR>
<DT><B>SEE ALSO</B>
<DD>
<BR><TT><A HREF="juniperd.html">juniperd</A></TT>
<BR><TT><A HREF="smtpfwdd.html">smtpfwdd</A></TT>
<BR><TT><A HREF="smtpd.html">smtpd</A></TT>
</DL>
<HR>
<H3><A HREF="http://www.obtuse.com/"><IMG SRC="../../gifs/Obtuse_Icon_Flash.gif" ALIGN="middle"> Obtuse Systems Corporation</A></H3>
Copyright &#169; 1996 - Obtuse Systems Corporation
<BR>All rights reserved
<BR><BR>
<i>Use of the <A HREF="../../juniper/"><B>Juniper</B></A> software is covered by the
terms and conditions of the
<A HREF="../../juniper/order/license_agreement.html">Juniper License Agreement</A>.
If you do not agree to and accept the terms of this agreement then you may
not use the software.</i>
<BR><BR>
<A HREF="/cgi-bin/validate_me">Validate this page</A>.
</BODY>
</HTML>