Re: Rejecting invalid .COM/.NET domains?

From: Alain Thivillon (atrominet.net)
Date: Tue Sep 16 2003 - 05:26:25 CDT


"Peter H. Coffin" <hellsopninehells.com> wrote:

> On Mon, Sep 15, 2003 at 08:40:25PM -0500, Jay Maynard wrote:
> > Now that Verisign is returning a valid A record for every .COM and .NET
> > domain name, how do I reject mail that points at that IP address for domains
> > mentioned in the headers? (The equivalent to check_*_access.) The IP address
> > in question is 64.94.110.11. I suppose I can set up a local DNS zone for the
> > purpose, with one entry, but that seems to be a bit overkill.
>
> All the more reason to be using sender verification, I guess.

AFAIK, the only known way is to use smtpd_policy_proxy with DNS lookup.
You should use the postfix snapshot; there is a patch against the sample server
provided in examples.

--- examples/smtpd-policy/smtpd-policy.pl.old Wed Jul 16 16:43:11 2003
+++ examples/smtpd-policy/smtpd-policy.pl Tue Sep 16 12:22:00 2003
-3,6 +3,7
 use DB_File;
 use Fcntl;
 use Sys::Syslog qw(:DEFAULT setlogsock);
+use Net::DNS;
 
 #
 # Usage: smtpd-policy.pl [-v]
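Review bot: `use Net::DNS;` adds a dependency on a non-core CPAN module to a sample that otherwise needs only DB_File, Fcntl and Sys::Syslog; the Usage comment directly below should mention that Net::DNS must be installed, since a missing module makes the policy server die at compile time and Postfix will then defer every mail that hits the check_policy_service restriction.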
-64,7 +65,7
 # that can run out of space.
 #
 $database_name="/var/mta/smtpd-policy.db";
-$greylist_delay=3600;
+$greylist_delay=10;
 
 #
 # Syslogging options for verbose mode and for fatal errors.
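Review bot: the change of `$greylist_delay` from 3600 to 10 is unrelated to the Verisign lookup and reads like a local testing value; anyone applying this patch as-is ends up with a ten-second greylist delay. Drop this hunk from the patch, or ship it separately with a comment explaining why the delay is lowered.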
-75,6 +76,7
 $syslog_facility="mail";
 $syslog_options="pid";
 $syslog_priority="info";
+$res = undef;
 
 #
 # Demo SMTPD access policy routine. The result is an action just like
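Review bot: `$res = undef;` introduces a package global whose purpose is not visible from this hunk; a one-line comment (`# Net::DNS resolver, created at startup`) would tie it to its later assignment, and if the script ever gains `use strict` this needs to become `my $res;` or `our $res;`.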
-84,6 +86,33
 sub smtpd_access_policy {
     my($key, $time_stamp, $now);
 
+ # Check if A points to Verisign wildcard
+ my $query = undef;
+ if (($attr{"recipient"} =~ /\([^\]+)$/) &&
+ defined($query = $res->query($1,"A"))) {
+ foreach my $rr ($query->answer) {
+ if (($rr->type eq 'A') and
+ ($rr->address =~ /^\Q64.94.110.\E/)) {
+ return "454 Verisign stolen recipient domain";
+ }
+ }
+ }
+ else {
+ syslog $syslog_priority, "pb query ". $attr{"recipient"};
+ }
+ if (($attr{"sender"} =~ /\([^\]+)$/) &&
+ defined($query = $res->query($1,"A"))) {
+ foreach my $rr ($query->answer) {
+ if (($rr->type eq 'A') and
+ ($rr->address =~ /^\Q64.94.110.\E/)) {
+ return "454 Verisign stolen sender domain";
+ }
+ }
+ }
+ else {
+ syslog $syslog_priority, "pb query ". $attr{"sender"};
+ }
+
     # Open the database on the fly.
     open_database() unless $database_obj;
 
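Review bot: the two regexes written as `/\([^\]+)$/` will not compile as shown: `\(` is a literal parenthesis and the character class is never closed, which suggests the `@` characters were lost on the way to the list; the intent is clearly to capture the domain after the last `@`, i.e. something like `/\@([^\@]+)$/`. Also: `/^\Q64.94.110.\E/` rejects the whole 64.94.110.0/24, wider than the single address 64.94.110.11 named in the question, so the comment should say whether the prefix match is deliberate; a lookup that fails (timeout, SERVFAIL or NXDOMAIN) is logged as "pb query" and then allowed through, which is a reasonable fail-open choice but should be stated in a comment; every RCPT now blocks on up to two synchronous DNS queries before the database is even opened; and the sender and recipient blocks are identical copies that belong in one helper (`check_wildcard($attr{"sender"})`) returning the role-specific text. Finally, `454` is a temporary failure, so the sending client will keep retrying mail for a name that does not exist; if the point is that the domain is bogus, a 5xx reply may be more appropriate.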
-96,6 +125,7
     if ($time_stamp == 0) {
         $time_stamp = $now;
         update_database($key, $time_stamp);
+ return "dunno";
     }
 
     # Specify DUNNO instead of OK so that the check_policy_service restriction
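Review bot: the added `return "dunno";` returns immediately for every newly seen client/sender/recipient key right after recording it, so whatever deferral logic follows in the routine never applies to a first contact and greylisting is effectively disabled for new triplets. If the intent is to run this policy server for the Verisign check only, say so in a comment (and consider removing the database code rather than short-circuiting it); otherwise this line should go.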
-199,6 +229,7
 # Unbuffer standard output.
 #
 select((select(STDOUT), $| = 1)[0]);
+$res = Net::DNS::Resolver->new;
 
 #
 # Receive a bunch of attributes, evaluate the policy, send the result.
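Review bot: `Net::DNS::Resolver->new` is created with default settings, so each query inherits Net::DNS's default retry count and timeouts and a slow or unreachable nameserver stalls the policy server, and with it the SMTP session. Pass explicit limits here, e.g. `Net::DNS::Resolver->new(udp_timeout => 2, tcp_timeout => 2, retry => 1)`, and add a comment noting that `$res` must exist before the first request is read.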
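The approach the post describes, a policy service that looks up the domain's A record and refuses mail when it is the wildcard address, as an added example in Python that is not part of the post or of the Postfix sample server: it parses one policy request, checks sender and recipient, and answers in the policy protocol's format. The resolver is an injected callable backed by a constructed answer table (an assumption so the code runs offline); `typo-example.com` and the fake answers are constructed.

```python
import re
# The wildcard A record quoted in the thread; a .COM/.NET name resolving to it does not really exist.
WILDCARD_ADDRESS = "64.94.110.11"

def parse_policy_request(blob):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def domain_of(address):
    """Domain part after the last '@' (lower-cased), or None if there is none."""
    m = re.search(r"@([^@]+)$", address or "")
    return m.group(1).lower() if m else None

def points_at_wildcard(domain, lookup_a):
    """lookup_a(domain) returns a list of A records, or None if the lookup failed.
    A failed lookup is treated as 'not wildcard' (fail open), as the patch does."""
    answers = lookup_a(domain)
    return answers is not None and WILDCARD_ADDRESS in answers

def policy_action(attrs, lookup_a):
    """Action string for this request, checked for sender then recipient."""
    for role in ("sender", "recipient"):
        dom = domain_of(attrs.get(role))
        if dom and points_at_wildcard(dom, lookup_a):
            return "454 Verisign wildcard: %s domain does not exist" % role
    return "dunno"

def policy_response(action):
    """Wire format Postfix expects back: one action= line plus a blank line."""
    return "action=%s\n\n" % action

# Constructed sample request and a fake resolver so the example runs offline.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsender=someone@typo-example.com\n"
                  "recipient=user@example.net\n\n")
FAKE_DNS = {"typo-example.com": [WILDCARD_ADDRESS], "example.net": ["192.0.2.1"]}

def fake_lookup(domain):
    return FAKE_DNS.get(domain)   # None for unknown names, like a failed query

if __name__ == "__main__":
    attrs = parse_policy_request(SAMPLE_REQUEST)
    print(policy_response(policy_action(attrs, fake_lookup)), end="")
```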