[Mimedefang] $helo filter checks
dr john halewood
john at unidec.co.uk
Mon Oct 20 09:53:44 EDT 2003
On Monday 20 Oct 2003 1:16 pm, Ole Holm Nielsen wrote:
>Can someone kindly provide a correct and complete working filter_relay
>subroutine which only needs to be customized with our server's IP-address ?
The following example (which was mostly hacked/stolen from bits published on
this mailing list) does exactly that. It also rejects spoofed mail pretending
to be from my domain which actually comes from outside, and finally rejects
mails that send the HELO as my own server's IP address (not uncommon).

use Socket;    # provides inet_aton

sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    my $addr = '';
    my $network_string = '';
    my $mask_string = '';
    my $thelo = $helo;
    my $ip = $hostip;
    my $host = $hostname;

    # List networks that should be exempt from all filtering by
    # putting their network/mask pairs into the exempt_subnets
    # associative array. (Follow the example for the loopback.)
    my %exempt_subnets = (
        '127.0.0.0',    '255.0.0.0',      # loopback
        '192.168.1.0',  '255.255.255.0',  # internal
        '195.166.19.0', '255.255.255.0',  # external
    );

    # If the address of the connecting client falls within one of
    # the subnets defined by %exempt_subnets, then bypass all
    # further filtering.
    $addr = inet_aton $hostip;
    while (($network_string, $mask_string) = each %exempt_subnets) {
        my $network = inet_aton $network_string;
        my $mask = inet_aton $mask_string;
        if (($addr & $mask) eq $network) {
            return ('ACCEPT_AND_NO_MORE_FILTERING', 'ok');
        }
    }

    # Now check to see if someone on the internet is pretending to be ourselves.
    # The dots are escaped and the match starts at a label boundary, so a
    # lookalike such as notexample.com is not caught by mistake.
    if ( $thelo =~ /(?:^|\.)example\.com$/i ) {
        if ($hostip ne '127.0.0.1' and $hostip !~ /^195\.166\.20\./ and
            $hostip !~ /^195\.166\.19\./ ) {
            md_syslog('info', "Host $hostip ($hostname) said HELO $helo");
            return ('REJECT', "Go Away $hostip is not part of example.com");
        }
    }

    # Finally check for servers pretending to be this one. If they claim to
    # be my IP address and aren't, drop them.
    if ( $helo =~ /^195\.166\.19\.11$/ ) {
        if ($hostip ne '195.166.19.11') {
            # Keep the reply on one line: no newline inside the SMTP response.
            return ('REJECT', "Rejected: $helo is not a valid HELO/EHLO response.");
        }
    }

    # The client isn't in an exempt subnet and isn't lying about who it is;
    # filtering should continue.
    return ('CONTINUE', 'ok');
}

This should get you going to begin with.
cheers
john
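
The HELO checks from the filter above, pulled out into a stand-alone Perl script so they can be exercised without a running MIMEDefang. This is an added example, not part of the original post: the helper names `in_subnets` and `check_helo` and the sample connections are made up here, and accepting the bracketed address-literal form of HELO goes beyond what the posted filter does.

```perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Domain and addresses as used in the post; the list layout is an assumption.
my @OUR_NETS = (['127.0.0.0',    '255.0.0.0'],
                ['195.166.19.0', '255.255.255.0'],
                ['195.166.20.0', '255.255.255.0']);
my $OUR_DOMAIN = 'example.com';
my $OUR_IP     = '195.166.19.11';

# True if $ip lies inside any [network, mask] pair (same test as the filter).
sub in_subnets {
    my ($ip, @nets) = @_;
    my $addr = inet_aton($ip);
    return 0 unless defined $addr;           # unparsable address: not ours
    for my $n (@nets) {
        my ($net, $mask) = map { inet_aton($_) } @$n;
        return 1 if ($addr & $mask) eq $net;
    }
    return 0;
}

# Hypothetical helper: returns 'REJECT' or 'CONTINUE' for one connection.
sub check_helo {
    my ($hostip, $helo) = @_;
    (my $name = lc $helo) =~ s/^\[(.*)\]$/$1/;   # strip [ ] of an address literal
    # HELO claims our domain (exact name or subdomain) from an outside address.
    return 'REJECT'
        if $name =~ /(?:^|\.)\Q$OUR_DOMAIN\E$/ && !in_subnets($hostip, @OUR_NETS);
    # HELO claims our own IP address but the connection comes from elsewhere.
    return 'REJECT' if $name eq $OUR_IP && $hostip ne $OUR_IP;
    return 'CONTINUE';
}

# Constructed sample connections: [client IP, HELO string, expected result].
my @samples = (
    ['203.0.113.7',   'mail.example.com', 'REJECT'],
    ['203.0.113.7',   'notexample.com',   'CONTINUE'],  # lookalike, not ours
    ['203.0.113.7',   '195.166.19.11',    'REJECT'],
    ['203.0.113.7',   '[195.166.19.11]',  'REJECT'],    # address-literal form
    ['203.0.113.7',   '1950166x19.11',    'CONTINUE'],  # unescaped dots would match
    ['195.166.19.11', 'mail.example.com', 'CONTINUE'],
);
for my $s (@samples) {
    my ($ip, $helo, $want) = @$s;
    my $got = check_helo($ip, $helo);
    printf "%-14s %-18s %-8s %s\n", $ip, $helo, $got, $got eq $want ? 'ok' : 'MISMATCH';
}
```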