190792Sgshapirodivert(-1)
290792Sgshapiro#
3261194Sgshapiro# Copyright (c) 2001-2002, 2005 Proofpoint, Inc. and its suppliers.
490792Sgshapiro#	All rights reserved.
590792Sgshapiro#
690792Sgshapiro# By using this file, you agree to the terms and conditions set
790792Sgshapiro# forth in the LICENSE file which can be found at the top level of
890792Sgshapiro# the sendmail distribution.
990792Sgshapiro#
1090792Sgshapiro#
1190792Sgshapiro
1290792Sgshapirodnl ##	This is a modified enhdnsbl, loosely based on the
1390792Sgshapirodnl ##	original.
1490792Sgshapirodnl ##
1590792Sgshapirodnl ##	Use it as follows
1690792Sgshapirodnl ##
1790792Sgshapirodnl ##	HACK(dnsblaccess, domain, optional-message, tempfail-message, keytag)
1890792Sgshapirodnl ##
1990792Sgshapirodnl ##	The first argument (domain) is required.  The other arguments
2090792Sgshapirodnl ##	are optional and have reasonable defaults.  The
2190792Sgshapirodnl ##	optional-message is the error message given in case of a
2290792Sgshapirodnl ##	match.  The default behavior for a tempfail is to accept the
2390792Sgshapirodnl ##	email.  A tempfail-message value of `t' temporarily rejects
2490792Sgshapirodnl ##	with a default message.  Otherwise the value should be your
dnl ##	own message.  The keytag is used to look up access map entries that
dnl ##	further refine the result.  I recommend a qualified keytag
27363466Sgshapirodnl ##	(containing a ".") as less likely to accidentally conflict with
2890792Sgshapirodnl ##	other access tags.
2990792Sgshapirodnl ##
3090792Sgshapirodnl ##	This is best illustrated with an example.  Please do not use
3190792Sgshapirodnl ##	the example, as it refers to a bogus lookup list.
3290792Sgshapirodnl ##
3390792Sgshapirodnl ##	Suppose that you use
3490792Sgshapirodnl ##
3590792Sgshapirodnl ##	HACK(dnsblaccess, `rbl.bogus.org',`',`t',bogus.tag)
3690792Sgshapirodnl ##
3790792Sgshapirodnl ##	and suppose that your access map contains the entries
3890792Sgshapirodnl ##
3990792Sgshapirodnl ##	bogus.tag:127.0.0.2	REJECT
4098121Sgshapirodnl ##	bogus.tag:127.0.0.3	error:dialup mail from %1: listed at %2
4190792Sgshapirodnl ##	bogus.tag:127.0.0.4	OK
4290792Sgshapirodnl ##	bogus.tag:127		REJECT
4390792Sgshapirodnl ##	bogus.tag:		OK
4490792Sgshapirodnl ##
dnl ##	If an SMTP connection is received from 123.45.6.7, sendmail
dnl ##	will look up the A record for 7.6.45.123.rbl.bogus.org.  If there
4790792Sgshapirodnl ##	is a temp failure for the lookup, sendmail will generate a
4890792Sgshapirodnl ##	temporary failure with a default message.  If there is no
4990792Sgshapirodnl ##	A-record for this lookup, then the mail is treated as if the
5090792Sgshapirodnl ##	HACK line were not present.  If the lookup returns 127.0.0.2,
5190792Sgshapirodnl ##	then a default message rejects the mail.  If it returns
5290792Sgshapirodnl ##	127.0.0.3, then the message
5398121Sgshapirodnl ##	"dialup mail from 123.45.6.7: listed at rbl.bogus.org"
5490792Sgshapirodnl ##	is used to reject the mail.  If it returns 127.0.0.4, the
5590792Sgshapirodnl ##	mail is processed as if there were no HACK line.  If the
5690792Sgshapirodnl ##	address returned is something else beginning with 127.*, the
5790792Sgshapirodnl ##	mail is rejected with a default error message.  If the
dnl ##	address returned does not begin with 127, then the mail is
5990792Sgshapirodnl ##	processed as if the HACK line were not present.
6090792Sgshapiro
dnl Switch output back on: text from here on is emitted into the generated
dnl configuration (diversion 0).
divert(0)
VERSIONID(`$Id: dnsblaccess.m4,v 1.7 2013-11-22 20:51:18 ca Exp $')
dnl Dependency check: the rules emitted by this hack query the access map,
dnl so report an error at m4 time when _ACCESS_TABLE_ is not defined.
dnl NOTE(review): errprint only prints the message; nothing visible here stops
dnl generation, so treat this message as a failed configuration build.
ifdef(`_ACCESS_TABLE_', `dnl',
	`errprint(`*** ERROR: dnsblaccess requires FEATURE(`access_db')
')')
dnl Declare the ednsbl map only once, however many times the hack is used.
dnl Options as written on the K line: -R A asks for A records, -a. and
dnl -T<TMP> supply the trailing dot and the <TMP> tag that the rules emitted
dnl by this hack match on, and -r takes EDNSBL_TO when that macro is defined
dnl and 5 otherwise.
dnl NOTE(review): -r is presumably the resolver retry count; confirm against
dnl the sendmail map documentation before tuning it.
ifdef(`_EDNSBL_R_',`dnl',`dnl
define(`_EDNSBL_R_', `1')dnl ## prevent multiple redefines of the map.
LOCAL_CONFIG
# map for enhanced DNS based blocklist lookups
Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
')
divert(-1)
dnl Per-invocation settings.  Each len(X<argument>) test equals 1 exactly
dnl when the argument is empty, which selects the built-in default.
dnl
dnl _EDNSBL_SRV_: the list domain, taken from _ARG_.
dnl NOTE(review): an empty domain silently falls back to
dnl blackholes.mail-abuse.org although the usage text calls the domain
dnl required.  Pass the domain explicitly and confirm that the list you name
dnl is still operated and that its return codes match your access map.
define(`_EDNSBL_SRV_', `ifelse(len(X`'_ARG_),`1',`blackholes.mail-abuse.org',_ARG_)')dnl
dnl _EDNSBL_MSG_: rejection text, taken from _ARG2_; the default is a 550
dnl reply that names the client address and the list domain.
define(`_EDNSBL_MSG_', `ifelse(len(X`'_ARG2_),`1',`"550 Rejected: " $`'&{client_addr} " listed at '_EDNSBL_SRV_`"',`_ARG2_')')dnl
dnl _EDNSBL_MSG_TMP_: text for a temporary lookup failure, taken from _ARG3_;
dnl the single letter t selects a default 451 text, any other value is used
dnl as given.
define(`_EDNSBL_MSG_TMP_', `ifelse(_ARG3_,`t',`"451 Temporary lookup failure of " $`'&{client_addr} " at '_EDNSBL_SRV_`"',`_ARG3_')')dnl
dnl _EDNSBL_KEY_: tag that prefixes the access map keys, taken from _ARG4_;
dnl the default is dnsblaccess.
define(`_EDNSBL_KEY_', `ifelse(len(X`'_ARG4_),`1',`dnsblaccess',_ARG4_)')dnl
dnl Emit the rules below into diversion 8.
dnl NOTE(review): presumably this is where the main templates collect the
dnl connection-time DNS list checks; confirm against the cf templates.
divert(8)
# DNS based IP address spam list _EDNSBL_SRV_
dnl Start from the address of the connecting client.
R$*			$: $&{client_addr}
dnl IPv6?
dnl NOTE(review): only a dotted-quad address matches the next rule.  Any
dnl other client_addr form matches none of the rules below, so such
dnl connections pass through this hack without a list lookup.
dnl Query the reversed octets under the list domain; the default value OK
dnl stands for no record found.  The client address is kept after the <>.
R$-.$-.$-.$-		$: <?> $(ednsbl $4.$3.$2.$1._EDNSBL_SRV_. $: OK $) <>$1.$2.$3.$4
dnl No record: the client is not listed.
R<?>OK<>$*		$: OKSOFAR
dnl Temporary lookup failure: mark it for the tempfail handling further down.
R<?>$+<TMP><>$*		$: <? <TMPF>>
dnl A record was returned: look up keytag:a.b.c.d in the access map, passing
dnl the client address and the list domain as message arguments.  The rule
dnl has no $: prefix, so it is applied again while the lookup yields ?, each
dnl time with the last octet dropped from the key.
R<?>$* $- .<>$*		<$(access _EDNSBL_KEY_`:'$1$2 $@$3 $@`'_EDNSBL_SRV_ $: ? $)> $1 <>$3
dnl Last attempt: the bare keytag: entry, once no octets are left.
R<?>$* <>$*		$:<$(access _EDNSBL_KEY_`:' $@$2 $@`'_EDNSBL_SRV_ $: ? $)> <>$2
dnl Tempfail policy.  With no tempfail-message argument a temporary DNS
dnl failure ends as TMPOK, that is, the check fails open and the mail is not
dnl held back by this hack; otherwise the client gets a 4.4.3 temporary error.
dnl NOTE(review): failing open means a resolver outage or an unreachable list
dnl disables this filter; choose the behaviour deliberately.
ifelse(len(X`'_ARG3_),`1',
`R<$*<TMPF>>$*		$: TMPOK',
`R<$*<TMPF>>$*		$#error $@ 4.4.3 $: _EDNSBL_MSG_TMP_')
dnl Access map value in class {Accept}: let the mail continue.
dnl NOTE(review): class {Accept} is defined outside this file; confirm which
dnl values it contains.
R<$={Accept}>$*		$: OKSOFAR
dnl ERROR:x.y.z:text rejects with that status code and text.
R<ERROR:$-.$-.$-:$+> $*	$#error $@ $1.$2.$3 $: $4
dnl ERROR:text rejects with the text only.
R<ERROR:$+> $*		$#error $: $1
dnl DISCARD drops the mail.
R<DISCARD> $*		$#discard $: discard
dnl Catch-all: any other bracketed result is rejected with 5.7.1 and the
dnl configured message.  This includes the ? left when no access map entry
dnl matched at all, so a listed client is rejected unless an entry says
dnl otherwise.
R<$*> $*		$#error $@ 5.7.1 $: _EDNSBL_MSG_
divert(-1)