[Mimedefang] Whitelisting Outbound E-Mail Addresses

wrolf.courtney at donovandata.com wrolf.courtney at donovandata.com
Wed Jun 9 12:49:38 EDT 2004





Eliminating my LDAP stuff (customers are listed in an LDAP database) and
eliminating the stuff related to syncing the database between the two mail
servers:

/etc/cron.d/mail_whitelist:
# run mail whitelisting tool every 15 minutes
PATH=/sbin:/bin:/usr/sbin:/usr/bin
*/15 * * * * root /usr/local/sbin/generate_mail_access

/usr/local/sbin/generate_mail_access:
#!/bin/bash
# Catch any new destination addresses of mail sent out from Donovan
# and permit it in incoming addresses.
#
# Wrolf Courtney 6/13/2002
#
# Updated to use hostname -s WC 5/18/2004

PATH=/usr/local/sbin/:$PATH

cd /etc/mail

maillog2access > access.maillog.$$
comm -23 access.maillog.$$ access.maillog.`hostname -s` | makemap -r -o hash access.db
sort -u access.maillog.$$ access.maillog.`hostname -s` -o access.maillog.`hostname -s`
rm access.maillog.$$

/usr/local/sbin/maillog2access:
#
# Outputs to addresses of mail sent out from Donovan
#
# Wrolf Courtney 6/12/2002
#
# Can be used to add to mail access database:
#
# maillog2access | makemap  -r -o hash /etc/mail/access.db
#
# Minor improvements.
# Need to Eliminate bounce addresses.  Ignore messages that are from <>,
# since these are bounces.  WC 6/13/2002
#
# Allow parameter for maillog, defaults to /var/log/maillog
#
# Only whitelist stuff from smtp.donovandata.com
#
# WC 12/13/2002 Whitelist stuff from smtp_tpny01.donovandata.com
# WC 5/2/2002 Whitelist stuff from *.donovandata.com

FILES=$*
[ $# -eq 0 ] && FILES=/var/log/maillog

perl -nae '
$OUTBOUND{$F[5]} = $F[5] if (/relay=.*\.donovandata\.com/ ||
/relay=smtp_tpny01\.talentpartners\.com/) && ! /from=\<\>/;
print "$1\n" if ! /relay=smtp.donovandata.com/ &&
        ! /relay=smtp_tpny01.talentpartners.com/ &&
        ! /relay=mail\d+.messagelabs.com/ &&
        ! /relay=cluster1.us.messagelabs.com/ &&
        ! /relay=.* \[168\.238\.\d+\.\d+\]/ &&
        /stat=Sent/ &&
        / to=(<\S+>).*/ &&
        $OUTBOUND{$F[5]};
' $FILES |
perl -pe '$_ = lc;s/,/\n/g' |
perl -pe 's/^<//;s/>$//;' |
grep -i -v '%' |
grep -i -v '!' |
grep -i -v '^@' |
grep -i -v '^owner' |
grep -i -v 'bounce' |
grep -v -e '-.*-.*-' |
#egrep -v -e '[0-9]{5,}' |
sort -u |
perl -ne 'chomp;print "From:$_  RELAY\n"'

and finally in mimedefang-filter, before and inside sub filter_end():

use DB_File;

# If SpamAssassin found SPAM, append report.  We do it as a separate
# attachment of type text/plain
sub filter_end ($) {
    my($entity) = @_;

    # If you want quarantine reports, uncomment next line
    # send_quarantine_notifications();

    # IMPORTANT NOTE:  YOU MUST CALL send_quarantine_notifications() AFTER
    # ANY PARTS HAVE BEEN QUARANTINED.  SO IF YOU MODIFY THIS FILTER TO
    # QUARANTINE SPAM, REWORK THE LOGIC TO CALL
    # send_quarantine_notifications() AT THE END!!!

    # No sense doing any extra work
    return if message_rejected();

    # WC 9/3/2003
    # Do not spam check e-mail whitelisted in /etc/mail/access.db
    my $access_db = "/etc/mail/access.db";
    tie %access_hash,  'DB_File', $access_db, O_RDONLY;
    my $LHS = $Sender; $LHS =~ s/^<//; $LHS =~ s/>$//;
    $LHS = 'from:' . lc($LHS);
    $RHS = $access_hash{$LHS};
    md_graphdefang_log('access', $LHS, $RHS) if defined($RHS) and $RHS ne '';
    untie %access_hash;
    return if defined($RHS) and $RHS =~ /^RELAY|^OK/;

mimedefang-bounces at lists.roaringpenguin.com wrote on 06/09/2004 04:18:20 AM:

> Hi Wrolf,
>
> I don't suppose you could share the code you have used to do this. It
> sounds very similar to something I have tried to do, and for the same
> reasons, the DNSBL lists are sometimes too aggressive. My perl is pretty
> weak, and although I'm managing to add domains, like you to the
> access.db file, I feel I could go about it in a better way.
>
> Cheers,
>
> Richard
>
> >
> >
> >For a long time now (before implementing MIMEDefang) I have implemented
> >site-wide whitelisting of the to address of any outbound e-mail.
> >
> >It is reasonable to assume that if one of my users sends someone mail, then
> >they want a reply.
> >
> >Since my users are a community of interest (corporation), it is also quite
> >likely that someone else here would want e-mails from that person.
> >
> >I implemented this using the access.db feature of Sendmail, with scripts
> >every five minutes scanning the logs and adding new entries.  It really got
> >around the problem of overly aggressive DNSBLs - I used to get into
> >explaining what a DNSBL (RBL) is to administrators at our customers and
> >suppliers, had to manually whitelist their server, etc.
> >
> >Users very rarely call me over this now, since if they fail to get an
> >initial e-mail sent to them from a customer, they first try sending one
> >out.  This is a good strategy anyway (customer may have typoed their
> >address, etc.)
> >
> >I would love to see this integrated into MIMEDefang.
> >
> >Wrolf
> >
> >_______________________________________________
> >Visit http://www.mimedefang.org and http://www.canit.ca
> >MIMEDefang mailing list
> >MIMEDefang at lists.roaringpenguin.com
> >http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
> >
> >
> >
>
> --
> Richard Whelan
> Senior Systems Administrator
> PIPEX
>
> Direct:  +44 (0) 1865 381568
> Mobile:  +44 (0) 7786 276020
>
> website: http://www.pipex.net/
>
> This e-mail is subject to: http://www.pipex.net/disclaimer.html
>

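The log correlation that maillog2access performs (remember the queue IDs of mail submitted from internal relays, then emit the recipients of those queue IDs that were delivered to outside hosts), as an added example that is not part of the original post. It uses awk rather than the post's Perl pipeline and compares the relay host name as an exact domain suffix instead of by pattern; INTERNAL_DOMAIN, the function names and the log lines are constructed for illustration.

```bash
# Added example, not from the original post. INTERNAL_DOMAIN and the log
# lines in sample_log are constructed placeholders.
INTERNAL_DOMAIN="example.com"
# stdin: sendmail log lines; stdout: sorted, unique access-map entries.
outbound_whitelist() {
  awk -v dom="$INTERNAL_DOMAIN" '
    # Host name from "relay=host [ip]", lowercased, trailing dot removed.
    function relay_host(line,   h) {
      if (!match(line, /relay=[^ ,]+/)) return ""
      h = tolower(substr(line, RSTART + 6, RLENGTH - 6))
      sub(/\.$/, "", h)
      return h
    }
    # Internal only if the name IS the domain or ends in ".<domain>".
    function internal(h,   suf, n) {
      suf = "." dom; n = length(h) - length(suf)
      return h == dom || (n > 0 && substr(h, n + 1) == suf)
    }
    # Step 1: remember queue IDs submitted from inside; skip bounces (from=<>).
    / from=</ {
      if ($0 !~ / from=<>,/ && internal(relay_host($0))) seen[$6] = 1
      next
    }
    # Step 2: recipients of those queue IDs that were delivered to outside hosts.
    / to=</ && /stat=Sent/ && ($6 in seen) {
      if (internal(relay_host($0))) next
      match($0, / to=[^ ]+/)
      n = split(substr($0, RSTART + 4, RLENGTH - 4), rcpt, ",")
      for (i = 1; i <= n; i++) {
        a = tolower(rcpt[i]); gsub(/[<>]/, "", a)
        if (a !~ /^[^@]+@[^@]+$/) continue        # not user@domain
        # Subset of the address filters used in the post.
        if (a ~ /[%!]/ || a ~ /^owner/ || a ~ /bounce/) continue
        print "From:" a "  RELAY"
      }
    }' | sort -u
}
# Constructed log: normal outbound mail, a bounce, and a relay whose name
# only contains the internal domain without ending in it.
sample_log() {
  cat <<'EOF'
Jun  9 12:00:01 mx sendmail[101]: i59A01: from=<alice@example.com>, nrcpts=2, relay=pc7.example.com [10.0.0.7]
Jun  9 12:00:02 mx sendmail[102]: i59A01: to=<Bob@Partner.test>,<carol@partner.test>, mailer=esmtp, relay=mx.partner.test. [192.0.2.10], stat=Sent (ok)
Jun  9 12:01:01 mx sendmail[103]: i59A02: from=<>, nrcpts=1, relay=pc7.example.com [10.0.0.7]
Jun  9 12:01:02 mx sendmail[104]: i59A02: to=<dave@other.test>, mailer=esmtp, relay=mx.other.test. [192.0.2.20], stat=Sent (ok)
Jun  9 12:02:01 mx sendmail[105]: i59A03: from=<x@elsewhere.test>, nrcpts=1, relay=mail.example.com.elsewhere.test [198.51.100.5]
Jun  9 12:02:02 mx sendmail[106]: i59A03: to=<erin@third.test>, mailer=esmtp, relay=mx.third.test. [192.0.2.30], stat=Sent (ok)
EOF
}
sample_log | outbound_whitelist
```

The output has the same `From:address  RELAY` shape that the post pipes into makemap.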

