Next: Reserved Words, Previous: Preprocessor, Up: MFL [Contents][Index]
In this section we will discuss a working example of the filter script file. For the ease of illustration, it is divided in several sections. Each section is prefaced with a comment explaining its function.
This filter assumes that the mailfromd.conf file contains the following:
relayed-domain-file (/etc/mail/sendmail.cw,
/etc/mail/relay-domains);
io-timeout 33;
database cache {
negative-expire-interval 1 day;
positive-expire-interval 2 weeks;
};
Of course, the exact parameter settings may vary, what is important
is that they be declared. See Mailfromd Configuration, for a
description of mailfromd configuration file syntax.
Now, let’s return to the script. Its first part defines the configuration settings for this host:
#pragma regex +extended +icase set mailfrom_address "<>" set ehlo_domain "gnu.org.ua"
The second part loads the necessary source modules:
require 'status' require 'dns' require 'rateok'
Next we define envfrom handler. In the first two rules, it
accepts all mails coming from the null address and from the machines
which we relay:
prog envfrom
do
if $f = ""
accept
elif relayed hostname($client_addr)
accept
elif hostname($client_addr) = $client_addr
reject 550 5.7.7 "IP address does not resolve"
Next rule rejects all messages coming from hosts with dynamic IP addresses. A regular expression used to catch such hosts is not 100% fail-proof, but it tries to cover most existing host naming patterns:
elif hostname($client_addr) matches
".*(adsl|sdsl|hdsl|ldsl|xdsl|dialin|dialup|\
ppp|dhcp|dynamic|[-.]cpe[-.]).*"
reject 550 5.7.1 "Use your SMTP relay"
Messages coming from the machines whose host names contain something similar to an IP are subject to strict checking:
elif hostname($client_addr) matches
".*[0-9]{1,3}[-.][0-9]{1,3}[-.][0-9]{1,3}[-.][0-9]{1,3}.*"
on poll host $client_addr for $f do
when success:
pass
when not_found or failure:
reject 550 5.1.0 "Sender validity not confirmed"
when temp_failure:
tempfail
done
If the sender domain is relayed by any of the ‘yahoo.com’
or ‘nameserver.com’ ‘MX’s, no checks are performed. We
will greylist this message in envrcpt handler:
elif $f mx fnmatches "*.yahoo.com"
or $f mx fnmatches "*.namaeserver.com"
pass
Finally, if the message does not meet any of the above conditions, it is verified by the standard procedure:
else
on poll $f do
when success:
pass
when not_found or failure:
reject 550 5.1.0 "Sender validity not confirmed"
when temp_failure:
tempfail
done
fi
At the end of the handler we check if the sender-client pair does not exceed allowed mail sending rate:
if not rateok("$f-$client_addr", interval("1 hour 30 minutes"), 100)
tempfail 450 4.7.0 "Mail sending rate exceeded. Try again later"
fi
done
Next part defines the envrcpt handler. Its primary purpose
is to greylist messages from some domains that could not be checked
otherwise:
prog envrcpt
do
set gltime 300
if $f mx fnmatches "*.yahoo.com"
or $f mx fnmatches "*.namaeserver.com"
and not dbmap("/var/run/whitelist.db", $client_addr)
if greylist("$client_addr-$f-$rcpt_addr", gltime)
if greylist_seconds_left = gltime
tempfail 450 4.7.0
"You are greylisted for %gltime seconds"
else
tempfail 450 4.7.0
"Still greylisted for " .
%greylist_seconds_left . " seconds"
fi
fi
fi
done
Next: Reserved Words, Previous: Preprocessor, Up: MFL [Contents][Index]