Juniper man pages - smtpd Address Checking
SMTPD version 2 Address Checking rules
The address check file, when enabled, is read for each RCPT line
in the SMTP dialogue. Each rule is checked against the current
source (the SMTP client machine, and possibly the user from ident)
and the current FROM: and RCPT: addresses. Rules are
read from top to bottom of the file, and the first match
stops the check, with the action determined by the first
field of the rule.
Anything on a line after a pound sign (#) is ignored as a comment.
An address check rule line has four fields, plus an optional fifth:
[allow|deny|noto]:SourceList:FromList:ToList[:XXX message for deny/noto]
The first field must normally be one of the strings "allow", "deny", or
"noto". This determines the disposition of a message which matches the
rule. A matching "allow" rule allows the smtp connection to proceed. A
matching "deny" rule will terminate the smtp connection with a
failure, and the message will not be delivered to *any* of its recipients.
A "noto" rule will prevent the delivery of a message to the matching
combination, failing that RCPT command and returning a 550 code in the SMTP
dialogue, but will allow delivery to continue if other rules allow further
recipients. If NODO_DELAY and DENY_DELAY are set nonzero in the makefile
at compile time, there are two additional rule keywords, "noto_delay" and
"deny_delay". These rules function exactly like a noto or deny, except
that smtpd will sleep for the delay amount before returning the error
code to the client, causing a "pregnant pause" in the SMTP dialogue.
The second field is a list of Source Patterns, separated by white space.
These match against the incoming SMTP connection's originating hostname,
IP address and possibly the username returned by an ident call.
The third field is a list of Address Patterns, separated by white space.
These match against the MAIL FROM: portion of the smtp dialogue.
The fourth field is a list of Address Patterns, separated by white space.
These match against the RCPT TO: portion of the smtp dialogue.
The fifth field is optional. If present, it is used when a deny or noto
rule matches, and should be the complete smtp dialogue message to be
sent to the remote smtp client. It should start with an appropriate smtp
error code. The following substitutions are made in the string:
- %F is replaced with the MAIL FROM: address.
- %T is replaced with the RCPT TO: address.
- %H is replaced with the connecting hostname, or "UNKNOWN"
- %U is replaced with the connecting user from ident, or "UNKNOWN"
- %I is replaced with the connecting host IP address.
For a rule to match, a match must be successfully made against all
three lists. A match against a list occurs when any of the patterns
in it match, EXCEPT that the keyword "EXCEPT" may be used in a list
to indicate exceptions to matches. For example:
pattern1 pattern2 pattern3 EXCEPT pattern4
will match against any string that matches pattern1, pattern2 or pattern3,
except for those that also match pattern4.
All characters in patterns, except in specials, must be lower case.
Lower case letters in patterns match against both upper and lower case
letters in sources. '*' in a pattern matches 0 or more characters. If
smtpd was compiled with USE_REGEX set in the makefile, a pattern may
be enclosed in slashes "//" to indicate that it is a POSIX style
regular expression, which is matched case insensitively.
Source Patterns:
A Source Pattern is a pattern to match the source of a connection. It
consists of two parts: an optional user part, followed by an at sign (@)
and the required host part. Each part is treated
independently. The user part (if present) is checked against the user
value returned when smtpd performs an ident query to the connecting
machine. No ident query is made unless a rule requests one. The host
part matches against the hostname or IP address of the connecting
machine. IP addresses may be specified using a netmask of the form
a.b.c.d/bits. Each part may consist of the following specials:
- ALL matches everything, including empty string
- KNOWN matches a known reply from the network, in the case of
resolved hostnames or ident values.
- UNKNOWN matches an unknown reply from the network, in the case of
resolved hostnames or ident values.
- TRUSTED matches a connection arriving on a trusted interface
(if smtpd was compiled with JUNIPER_SUPPORT and you are
running on a machine with the Juniper firewall toolkit)
- UNTRUSTED matches a connection arriving on an untrusted interface
(if smtpd was compiled with JUNIPER_SUPPORT and you are
running on a machine with the Juniper firewall toolkit)
- NS=pattern matches a connection arriving from a source whose nameserver
or mail exchanger matches pattern. (if NS_MATCH set to 1 in Makefile)
Example Source Patterns:
- hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com" (or "HoBBeS.obTuSe.CoM")
- *obtuse.com - matches any hostname ending in "obtuse.com" (hobbes.obtuse.com or hobbes.AcutelyObtuse.com)
- KNOWN - matches only machines whose address resolves to a hostname.
- UNKNOWN - matches only machines whose address does not resolve to a hostname.
- UNKNOWN EXCEPT TRUSTED - matches a connection from a machine whose address does not resolve to a hostname, except if the connection is via a trusted interface.
- KNOWN@KNOWN - matches only machines whose address resolves AND which return something as the user via ident. (No ident call is made by smtpd unless a rule requires one.)
- 129.128.13.2 - matches a connection from host IP 129.128.13.2
- 129.128.13.0/24 - matches a connection from class C 129.128.13.
- 129.128.13.* - matches a connection from class C 129.128.13.
- beck@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with ident returned as "beck" (or "bEcK").
- KNOWN@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with any known ident value.
- UNKNOWN@hobbes.obtuse.com - matches only a connection from machine "hobbes.obtuse.com", with any unknown ident value.
Address patterns:
An address pattern may consist of a user and host part, separated
by an at sign (@). Each part, or the whole pattern, may consist
of one of the following specials:
- ALL matches everything, including the empty string
- USER (special) means this part must match the ident user for the connection.
- NS=pattern matches the nameserver or MX; may appear on the right of @, or by itself.
(if NS_MATCH set to 1 in Makefile)
Address pattern examples:
- ALL matches anything.
- spamford@cyberpromo.com matches "spamford@cyberpromo.com"
- ALL@cyberpromo.com matches any address from "cyberpromo.com"
- *@cyberpromo.com same as above
- ALL@*cyberpromo.com matches any address from anything ending in
cyberpromo.com.
- ALL@NS=*cyberpromo.com matches any address where the RHS uses
a nameserver or MX ending in "cyberpromo.com".
- sales@ALL matches "sales" from anywhere.
- USER@obtuse.com The ident reply from the connecting host must be
(case insensitively) the user part of the address, and the address
must end in obtuse.com.
- /^[0-9]+@.*$/ (assuming USE_REGEX = 1 when built) matches any address that is all numbers in the user part.
Example Rules:
#Allow anything from anywhere to an address ending in obtuse.com:
allow:ALL:ALL:ALL@*obtuse.com
#don't allow unregistered hosts, unless via a trusted interface
deny:UNKNOWN EXCEPT TRUSTED:ALL:ALL
#deny mail from anything ending in .cyberpromo.com
deny:ALL:*.cyberpromo.com:ALL
#and deny anything relayed by a host ending in .cyberpromo.com
deny:*.cyberpromo.com:ALL:ALL
#Simple ident example, useful *only* if you can trust the ident
#value returned by the machine. (You can't unless you control it
#or trust the person that does not to make it lie)
#Allow mail if the user part of the FROM address matches ident.
allow:KNOWN@idents.trusted.here:USER@idents.trusted.here:ALL
# A more complex example. The typical university case of making
# sure users don't subscribe other users to majordomo mailing lists by
# forging mail via smtp.
# allow users that mta's run as to send anything
allow:root@ALL daemon@ALL uucp@ALL:ALL:ALL
# other known users can send to majordomo only as themselves according
# to ident.
allow:KNOWN@ALL:USER@ALL:majordomo@ALL
# Below shows a custom message too
deny:ALL:ALL:majordomo@ALL:550 You can't send majordomo mail from %F when you are %U@%H (ip %I).
# The normal antispam case, assumes JUNIPER_SUPPORT,
# We trust everything from inside on a trusted interface to go out
allow:UNTRUSTED:ALL:ALL
# DNS registered clients can talk to me, with mail for my domains
allow:KNOWN:ALL:*my.domain *myother.domain
# unregistered clients get punted.
deny:UNKNOWN:ALL:ALL
# otherwise mail to nonlocal users won't get relayed.
noto:ALL:ALL:ALL
About NS= rules
The NS= rules match things in a somewhat strange way. Namely,
they will chop off bits from the left of what they are given until
they find something with a record for it. Specifically, if you are
looking for an NS=*cyberpromo.com, and the address you are
matching against is someone@completely.bogus.cyberpromo.com,
the NS=match will try first "completely.bogus.cyberpromo.com", then
"bogus.cyberpromo.com", and then finally "cyberpromo.com", for which
it will find cyberpromo's nameserver and mx records.
The exception to this is the case of NS=UNKNOWN or
NS=KNOWN. These match on whether a host, or the rhs of an address,
is known or unknown to the dns. A host is UNKNOWN if:
- a gethostbyname() call fails to find a hostent for it, AND
no Nameserver (NS) or Mail Exchanger (MX) records may be found
for it in the DNS.
When you specify NS=KNOWN or NS=UNKNOWN,
smtpd will not attempt to work its way down the string to find out
who owns it. i.e. completely.bogus.cyberpromo.com would match
NS=*cyberpromo.com, but would not match NS=KNOWN, and
would match NS=UNKNOWN.
The major effect of this is that the following rule:
noto:ALL:NS=UNKNOWN:ALL
should effectively block any mail that gives a MAIL FROM:
address in the smtp dialogue which could never be replied to via
smtp from your machine.
BUGS
Mistakes in these rules can discard legitimate mail and annoy your
users and other postmasters a very great deal! When combined with
custom return codes it is possible to write rules that completely break the
smtp protocol. It is important to test your rules out and be absolutely sure
they do exactly what you want and no more.
NOTES
smtpd and smtpfwdd are also available separately from Juniper
under quite friendly copyright terms.
They can be obtained using anonymous ftp from the directory
ftp://ftp.obtuse.com/pub/smtpd.
SEE ALSO
juniperd
smtpfwdd
smtpd
Copyright © 1996 - Obtuse Systems Corporation
All rights reserved
Use of the Juniper software is covered by the
terms and conditions of the
Juniper License Agreement.
If you do not agree to and accept the terms of this agreement then you may
not use the software.