divert(-1)
#
# Copyright (c) 2001-2002, 2005 Proofpoint, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

dnl ## This is a modified enhdnsbl, loosely based on the
dnl ## original.
dnl ##
dnl ## Use it as follows
dnl ##
dnl ##   HACK(dnsblaccess, domain, optional-message, tempfail-message, keytag)
dnl ##
dnl ## The first argument (domain) is required.  The other arguments
dnl ## are optional and have reasonable defaults.  The
dnl ## optional-message is the error message given in case of a
dnl ## match.  The default behavior for a tempfail is to accept the
dnl ## email.  A tempfail-message value of `t' temporarily rejects
dnl ## with a default message.  Otherwise the value should be your
dnl ## own message.  The keytag is used to look up the access map to
dnl ## further refine the result.  I recommend a qualified keytag
dnl ## (containing a ".") as less likely to accidentally conflict with
dnl ## other access tags.
dnl ##
dnl ## This is best illustrated with an example.  Please do not use
dnl ## the example, as it refers to a bogus lookup list.
dnl ##
dnl ## Suppose that you use
dnl ##
dnl ##   HACK(dnsblaccess, `rbl.bogus.org',`',`t',bogus.tag)
dnl ##
dnl ## and suppose that your access map contains the entries
dnl ##
dnl ##   bogus.tag:127.0.0.2	REJECT
dnl ##   bogus.tag:127.0.0.3	error:dialup mail from %1: listed at %2
dnl ##   bogus.tag:127.0.0.4	OK
dnl ##   bogus.tag:127		REJECT
dnl ##   bogus.tag:		OK
dnl ##
dnl ## If an SMTP connection is received from 123.45.6.7, sendmail
dnl ## will look up the A record for 7.6.45.123.bogus.org.  If there
dnl ## is a temp failure for the lookup, sendmail will generate a
dnl ## temporary failure with a default message.  If there is no
dnl ## A-record for this lookup, then the mail is treated as if the
dnl ## HACK line were not present.  If the lookup returns 127.0.0.2,
dnl ## then a default message rejects the mail.  If it returns
dnl ## 127.0.0.3, then the message
dnl ##   "dialup mail from 123.45.6.7: listed at rbl.bogus.org"
dnl ## is used to reject the mail.  If it returns 127.0.0.4, the
dnl ## mail is processed as if there were no HACK line.  If the
dnl ## address returned is something else beginning with 127.*, the
dnl ## mail is rejected with a default error message.  If the
dnl ## address returned does not begin 127, then the mail is
dnl ## processed as if the HACK line were not present.
dnl ##
dnl ## Review notes for operators (derived from the rules below):
dnl ##
dnl ##  * Fail-open by default.  With no tempfail-message, a DNS
dnl ##    temporary failure is turned into TMPOK and the mail is
dnl ##    accepted, so an unreachable or slow list silently disables
dnl ##    this check.  Pass `t' or your own text as the fourth HACK
dnl ##    argument if a 4.4.3 temporary rejection is preferred.
dnl ##  * Although the text above calls the domain required, an empty
dnl ##    domain argument is replaced by blackholes.mail-abuse.org.
dnl ##    Always name the list explicitly, and confirm that the zone
dnl ##    is still operated and that you are entitled to query it.
dnl ##  * Only a client address of the form a.b.c.d is looked up.
dnl ##    Any other value of {client_addr}, an IPv6 address for
dnl ##    example, matches none of the later rules and is not checked.
dnl ##  * The last two outcomes in the example depend on the
dnl ##    bogus.tag:127 and bogus.tag: entries.  As the rules read, a
dnl ##    listed address for which the access map has no matching
dnl ##    entry at all reaches the final rule and is rejected with the
dnl ##    default message.
dnl ##  * A reply from the list selects the access-map action, so the
dnl ##    list operator and the DNS path to it are trusted to that
dnl ##    extent.

divert(0)
VERSIONID(`$Id: dnsblaccess.m4,v 1.7 2013-11-22 20:51:18 ca Exp $')
dnl The access map is consulted by the rules below.  If FEATURE(access_db)
dnl was not used, errprint only writes the message; nothing here stops
dnl the generation of the configuration.
ifdef(`_ACCESS_TABLE_', `dnl',
	`errprint(`*** ERROR: dnsblaccess requires FEATURE(`access_db')
')')
dnl Declare the ednsbl map once, however many times this hack is used.
dnl Map flags as the rules below rely on them: -R A asks for A records,
dnl -a. appends a dot to a successful result, -T<TMP> appends <TMP> on a
dnl temporary failure.  The value given to -r is EDNSBL_TO when that is
dnl defined, otherwise 5.
ifdef(`_EDNSBL_R_',`dnl',`dnl
define(`_EDNSBL_R_', `1')dnl ## prevent multiple redefines of the map.
LOCAL_CONFIG
# map for enhanced DNS based blocklist lookups
Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
')
divert(-1)
dnl ## Per-invocation settings built from the HACK arguments.  The
dnl ## test len(X arg) = 1 is true when the argument is empty.
dnl ##   _EDNSBL_SRV_      list domain; blackholes.mail-abuse.org if empty
dnl ##   _EDNSBL_MSG_      rejection text; default is a 550 message naming
dnl ##                     the client address and the list
dnl ##   _EDNSBL_MSG_TMP_  tempfail text; `t' selects a default 451 message
dnl ##   _EDNSBL_KEY_      access-map tag; dnsblaccess if empty
define(`_EDNSBL_SRV_', `ifelse(len(X`'_ARG_),`1',`blackholes.mail-abuse.org',_ARG_)')dnl
define(`_EDNSBL_MSG_', `ifelse(len(X`'_ARG2_),`1',`"550 Rejected: " $`'&{client_addr} " listed at '_EDNSBL_SRV_`"',`_ARG2_')')dnl
define(`_EDNSBL_MSG_TMP_', `ifelse(_ARG3_,`t',`"451 Temporary lookup failure of " $`'&{client_addr} " at '_EDNSBL_SRV_`"',`_ARG3_')')dnl
define(`_EDNSBL_KEY_', `ifelse(len(X`'_ARG4_),`1',`dnsblaccess',_ARG4_)')dnl
divert(8)
# DNS based IP address spam list _EDNSBL_SRV_
dnl In the rules below the left- and right-hand sides are separated by
dnl tabs, as sendmail requires.
dnl Start from the connecting client address.
R$*			$: $&{client_addr}
dnl IPv6?
dnl Dotted-quad addresses only: query the reversed octets under the list
dnl domain.  No record gives OK; the original address is kept after <>.
R$-.$-.$-.$-		$: <?> $(ednsbl $4.$3.$2.$1._EDNSBL_SRV_. $: OK $) <>$1.$2.$3.$4
dnl Not listed.
R<?>OK<>$*		$: OKSOFAR
dnl Temporary DNS failure, marked by the <TMP> suffix from the map.
R<?>$+<TMP><>$*		$: <? <TMPF>>
dnl Look up tag:returned-address in the access map.  There is no $: on
dnl the right-hand side, so while the result is still ? the rule is
dnl applied again with the last component of the returned address removed.
R<?>$* $- .<>$*		<$(access _EDNSBL_KEY_`:'$1$2 $@$3 $@`'_EDNSBL_SRV_ $: ? $)> $1 <>$3
dnl Nothing more specific matched: try the bare tag.
R<?>$* <>$*		$:<$(access _EDNSBL_KEY_`:' $@$2 $@`'_EDNSBL_SRV_ $: ? $)> <>$2
dnl Temporary failure policy: with an empty tempfail-message the mail is
dnl let through (TMPOK); otherwise it is refused with 4.4.3.
ifelse(len(X`'_ARG3_),`1',
`R<$*<TMPF>>$*		$: TMPOK',
`R<$*<TMPF>>$*		$#error $@ 4.4.3 $: _EDNSBL_MSG_TMP_')
dnl Access-map results.  Class {Accept} is defined outside this file.
R<$={Accept}>$*		$: OKSOFAR
dnl error:D.S.D:text uses the given enhanced status code.
R<ERROR:$-.$-.$-:$+> $*	$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $*		$#error $: $1
R<DISCARD> $*		$#discard $: discard
dnl Anything still in angle brackets, REJECT and an unmatched ? included,
dnl is rejected with 5.7.1 and the default message.
R<$*> $*		$#error $@ 5.7.1 $: _EDNSBL_MSG_
divert(-1)