
Merge remote branch 'origin/master' into godsflaw

commit 0e053b8abac144c60f9724cfe2bf627e9df8acef 2 parents 319e47e + 58eae88
@godsflaw godsflaw authored
1  config/mail_from.access.blacklist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
5 config/mail_from.access.blacklist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the blacklist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you. If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex. This should help prevent people
+# from writing overly permissive rules on accident.
2  config/mail_from.access.ini
@@ -0,0 +1,2 @@
+[general]
+deny_msg=bad sender address.
1  config/mail_from.access.whitelist
@@ -0,0 +1 @@
+# Hostnames and IPs are matched exactly as written on each line.
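Review bot: The header comment says "Hostnames and IPs are matched exactly", but this file holds sender addresses for mail_from.access; the three sibling list files in this commit say `# addresses are matched exactly as written on each line.` and docs/plugins/mail_from.access.md describes the whitelist as one specific address per line. The wording looks carried over from connect.rdns_access and would lead an operator to expect hostname entries to work here. Suggest the same comment as the sibling files.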
5 config/mail_from.access.whitelist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the whitelist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you. If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex. This should help prevent people
+# from writing overly permissive rules on accident.
1  config/rcpt_to.access.blacklist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
5 config/rcpt_to.access.blacklist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the blacklist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you. If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex. This should help prevent people
+# from writing overly permissive rules on accident.
2  config/rcpt_to.access.ini
@@ -0,0 +1,2 @@
+[general]
+deny_msg=bad recipient address.
1  config/rcpt_to.access.whitelist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
5 config/rcpt_to.access.whitelist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the whitelist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you. If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex. This should help prevent people
+# from writing overly permissive rules on accident.
54 docs/plugins/mail_from.access.md
@@ -0,0 +1,54 @@
+mail_from.access
+===================
+
+This plugin will evaluate the address against a set of white and black lists.
+The lists are applied in the following way:
+
+mail_from.access.whitelist (pass)
+mail_from.access.whitelist_regex (pass)
+mail_from.access.blacklist (block)
+mail_from.access.blacklist_regex (block)
+
+Configuration mail_from.access.ini
+-------------------------------------
+
+General configuration file for this plugin.
+
+* mail_from.access.general.deny_msg
+
+ Text to send the user on reject (text).
+
+
+Configuration mail_from.access.whitelist
+-------------------------------------------
+
+The whitelist is mostly to counter blacklist entries that match more than
+what one would want. This file should be used for a specific address,
+one per line, that should bypass blacklist checks.
+NOTE: We heavily suggest tailoring blacklist entries to be as accurate as
+possible and never using whitelists. Nevertheless, if you need whitelists,
+here they are.
+
+Configuration mail_from.access.whitelist_regex
+-------------------------------------------------
+
+Does the same thing as the whitelist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you. If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex. This should help prevent people
+from writing overly permissive rules on accident.
+
+Configuration mail_from.access.blacklist
+-------------------------------------------
+
+This file should be used for a specific address, one per line, that should
+fail on connect.
+
+Configuration mail_from.access.blacklist_regex
+-------------------------------------------------
+
+Does the same thing as the blacklist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you. If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex. This should help prevent people
+from writing overly permissive rules on accident.
6 docs/plugins/mail_from.blocklist.md
@@ -1,7 +1,11 @@
mail_from.blocklist
===================
-This mail blocks MAIL_FROM addresses in a list.
+This plugin blocks MAIL_FROM addresses in a list.
+
+NOTE: If all you need is to deny mail based on the exact address, this plugin
+will work just fine. If you want to customize the deny message, add blocks
+based on a regex, or add whitelists, please use the mail_from.access plugin.
Configuration
-------------
54 docs/plugins/rcpt_to.access.md
@@ -0,0 +1,54 @@
+rcpt_to.access
+===================
+
+This plugin blocks RCPT_TO addresses in a list or regex.
+This plugin will evaluate the RCPT_TO address against a set of white and black
+lists. The lists are applied in the following way:
+
+rcpt_to.access.whitelist (pass)
+rcpt_to.access.whitelist_regex (pass)
+rcpt_to.access.blacklist (block)
+rcpt_to.access.blacklist_regex (block)
+
+Configuration rcpt_to.access.ini
+-------------------------------------
+
+General configuration file for this plugin.
+
+* rcpt_to.access.general.deny_msg
+
+ Text to send the user on reject (text).
+
+Configuration rcpt_to.access.whitelist
+-------------------------------------------
+
+The whitelist is mostly to counter blacklist entries that match more than
+what one would want. This file should be used for a specific address
+one per line, that should bypass blacklist checks.
+NOTE: We heavily suggest tailoring blacklist entries to be as accurate as
+possible and never using whitelists. Nevertheless, if you need whitelists,
+here they are.
+
+Configuration rcpt_to.access.whitelist_regex
+-------------------------------------------------
+
+Does the same thing as the whitelist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you. If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex. This should help prevent people
+from writing overly permissive rules on accident.
+
+Configuration rcpt_to.access.blacklist
+-------------------------------------------
+
+This file should be used for a specific address, one per line, that should
+fail on connect.
+
+Configuration rcpt_to.access.blacklist_regex
+-------------------------------------------------
+
+Does the same thing as the blacklist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you. If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex. This should help prevent people
+from writing overly permissive rules on accident.
6 docs/plugins/rcpt_to.blocklist.md
@@ -1,7 +1,11 @@
rcpt_to.blocklist
===================
-This mail blocks RCPT_TO addresses in a list.
+This plugin blocks RCPT_TO addresses in a list.
+
+NOTE: If all you need is to deny mail based on the exact address, this plugin
+will work just fine. If you want to customize the deny message, add blocks
+based on a regex, or add whitelists, please use the rcpt_to.access plugin.
Configuration
-------------
20 plugins/connect.rdns_access.js
@@ -54,9 +54,10 @@ exports.rdns_access = function(next, connection) {
' against connect.rdns_access.blacklist');
if (_in_blacklist(connection, plugin, connection.remote_ip)) {
- connection.logdebug(plugin, "Rejecting, matched: " + connection.remote_ip);
- return next(DENY, connection.remote_host.toLowerCase() + ' [' +
- connection.remote_ip + '] ' + plugin.deny_msg);
+ connection.logdebug(plugin, "Rejecting, matched: " +
+ connection.remote_ip);
+ return next(DENYDISCONNECT, connection.remote_host.toLowerCase() +
+ ' [' + connection.remote_ip + '] ' + plugin.deny_msg);
}
}
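Review bot: Switching the rejection from DENY to DENYDISCONNECT (here and again in the second hunk of this file) changes observable behaviour — the peer is dropped instead of only receiving a failed command — but nothing in the hunk or the merge description records why; a one-line comment such as `// blacklisted peer: drop the session rather than only reject the command` above each `return next(DENYDISCONNECT, ...)` would keep the rationale with the code. The rejection text in this IP branch still calls `connection.remote_host.toLowerCase()`; if remote_host can be unset on a connection whose IP matched, that call throws inside the hook, which is worth confirming against how the connection object is populated. rdns_access starts and ends outside the hunk.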
@@ -66,9 +67,10 @@ exports.rdns_access = function(next, connection) {
' against connect.rdns_access.blacklist');
if (_in_blacklist(connection, plugin, connection.remote_host.toLowerCase())) {
- connection.logdebug(plugin, "Rejecting, matched: " + connection.remote_host);
- return next(DENY, connection.remote_host.toLowerCase() + ' [' +
- connection.remote_ip + '] ' + plugin.deny_msg);
+ connection.logdebug(plugin, "Rejecting, matched: " +
+ connection.remote_host);
+ return next(DENYDISCONNECT, connection.remote_host.toLowerCase() +
+ ' [' + connection.remote_ip + '] ' + plugin.deny_msg);
}
}
@@ -78,7 +80,8 @@ exports.rdns_access = function(next, connection) {
function _in_whitelist(connection, plugin, host) {
var i;
for (i in plugin.wl) {
- connection.logdebug(plugin, 'checking ' + host + ' against ' + plugin.wl[i]);
+ connection.logdebug(plugin, 'checking ' + host + ' against ' +
+ plugin.wl[i]);
if (plugin.wl[i].toLowerCase() === host) {
return 1;
@@ -100,7 +103,8 @@ function _in_whitelist(connection, plugin, host) {
function _in_blacklist(connection, plugin, host) {
var i;
for (i in plugin.bl) {
- connection.logdebug(plugin, 'checking ' + host + ' against ' + plugin.bl[i]);
+ connection.logdebug(plugin, 'checking ' + host + ' against ' +
+ plugin.bl[i]);
if (plugin.bl[i].toLowerCase() === host) {
return 1;
99 plugins/mail_from.access.js
@@ -0,0 +1,99 @@
+// mail_from.access plugin
+
+exports.register = function() {
+ var i;
+ var config = this.config.get('mail_from.access.ini');
+ this.wl = this.config.get('mail_from.access.whitelist', 'list');
+ this.bl = this.config.get('mail_from.access.blacklist', 'list');
+ this.deny_msg = config.general && (config.general['deny_msg'] ||
+ 'Connection rejected.');
+ var white_regex =
+ this.config.get('mail_from.access.whitelist_regex', 'list');
+ var black_regex =
+ this.config.get('mail_from.access.blacklist_regex', 'list');
+
+ if (white_regex.length) {
+ this.wlregex = new RegExp('^(?:' + white_regex.join('|') + ')$', 'i');
+ }
+
+ if (black_regex.length) {
+ this.blregex = new RegExp('^(?:' + black_regex.join('|') + ')$', 'i');
+ }
+
+ this.register_hook('mail', 'mail_from_access');
+}
+
+exports.mail_from_access = function(next, connection, params) {
+ var plugin = this;
+ var mail_from = params[0].address();
+
+ // address whitelist checks
+ if (mail_from) {
+ connection.logdebug(plugin, 'checking ' + mail_from +
+ ' against mail_from.access.whitelist');
+
+ if (_in_whitelist(connection, plugin, mail_from)) {
+ connection.logdebug(plugin, "Allowing " + mail_from);
+ return next();
+ }
+ }
+
+ // address blacklist checks
+ if (mail_from) {
+ connection.logdebug(plugin, 'checking ' + mail_from +
+ ' against mail_from.access.blacklist');
+
+ if (_in_blacklist(connection, plugin, mail_from)) {
+ connection.logdebug(plugin, "Rejecting, matched: " + mail_from);
+ return next(DENY, mail_from + ' ' + plugin.deny_msg);
+ }
+ }
+
+ return next();
+}
+
+function _in_whitelist(connection, plugin, address) {
+ var i;
+ for (i in plugin.wl) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.wl[i]);
+
+ if (plugin.wl[i] === address) {
+ return 1;
+ }
+ }
+
+ if (plugin.wlregex) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.wlregex.source);
+
+ if (address.match(plugin.wlregex)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+function _in_blacklist(connection, plugin, address) {
+ var i;
+ for (i in plugin.bl) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.bl[i]);
+
+ if (plugin.bl[i] === address) {
+ return 1;
+ }
+ }
+
+ if (plugin.blregex) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.blregex.source);
+
+ if (address.match(plugin.blregex)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
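Review bot: The exact-match lists compare case-sensitively (`plugin.wl[i] === address`, `plugin.bl[i] === address`) while the regex lists are compiled with the `i` flag, so a blacklist entry written as `Bad@example.com` (constructed) is not matched by `bad@EXAMPLE.COM` even though the domain part of an address is case-insensitive; connect.rdns_access in this same commit lowercases before comparing, and `if (plugin.bl[i].toLowerCase() === address.toLowerCase())` (and the same for wl) would close the gap — plugins/rcpt_to.access.js carries identical code and needs the same change. In register, `this.deny_msg = config.general && (...)` evaluates to undefined when the ini has no `[general]` section, so the SMTP reply becomes `<address> undefined`; `this.deny_msg = (config.general && config.general.deny_msg) || 'Connection rejected.';` keeps the default in that case. The regex lists are compiled once at register time and a single malformed line throws out of `register`, so consider wrapping each `new RegExp(...)` in a try/catch that logs which list failed and leaves the corresponding regex unset. `var i` in register is unused.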
2  plugins/mail_from.is_resolvable.js
@@ -64,7 +64,7 @@ exports.hook_mail = function(next, connection, params) {
// Handle MX records that are IP addresses
// This is invalid - but a lot of MTAs allow it.
if (/^\d+\.\d+\.\d+\.\d+$/.test(addr.exchange)) {
- connection.logwarn(plugin, domain + ': invalid MX ' + addr.exchange)
+ connection.logwarn(plugin, domain + ': invalid MX ' + addr.exchange);
if (config.main.allow_mx_ip) {
a_records[addr.exchange] = 1;
}
99 plugins/rcpt_to.access.js
@@ -0,0 +1,99 @@
+// rcpt_to.access plugin
+
+exports.register = function() {
+ var i;
+ var config = this.config.get('rcpt_to.access.ini');
+ this.wl = this.config.get('rcpt_to.access.whitelist', 'list');
+ this.bl = this.config.get('rcpt_to.access.blacklist', 'list');
+ this.deny_msg = config.general && (config.general['deny_msg'] ||
+ 'Connection rejected.');
+ var white_regex =
+ this.config.get('rcpt_to.access.whitelist_regex', 'list');
+ var black_regex =
+ this.config.get('rcpt_to.access.blacklist_regex', 'list');
+
+ if (white_regex.length) {
+ this.wlregex = new RegExp('^(?:' + white_regex.join('|') + ')$', 'i');
+ }
+
+ if (black_regex.length) {
+ this.blregex = new RegExp('^(?:' + black_regex.join('|') + ')$', 'i');
+ }
+
+ this.register_hook('rcpt', 'rcpt_to_access');
+}
+
+exports.rcpt_to_access = function(next, connection, params) {
+ var plugin = this;
+ var rcpt_to = params[0].address();
+
+ // address whitelist checks
+ if (rcpt_to) {
+ connection.logdebug(plugin, 'checking ' + rcpt_to +
+ ' against rcpt_to.access.whitelist');
+
+ if (_in_whitelist(connection, plugin, rcpt_to)) {
+ connection.logdebug(plugin, "Allowing " + rcpt_to);
+ return next();
+ }
+ }
+
+ // address blacklist checks
+ if (rcpt_to) {
+ connection.logdebug(plugin, 'checking ' + rcpt_to +
+ ' against rcpt_to.access.blacklist');
+
+ if (_in_blacklist(connection, plugin, rcpt_to)) {
+ connection.logdebug(plugin, "Rejecting, matched: " + rcpt_to);
+ return next(DENY, rcpt_to + ' ' + plugin.deny_msg);
+ }
+ }
+
+ return next();
+}
+
+function _in_whitelist(connection, plugin, address) {
+ var i;
+ for (i in plugin.wl) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.wl[i]);
+
+ if (plugin.wl[i] === address) {
+ return 1;
+ }
+ }
+
+ if (plugin.wlregex) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.wlregex.source);
+
+ if (address.match(plugin.wlregex)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+function _in_blacklist(connection, plugin, address) {
+ var i;
+ for (i in plugin.bl) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.bl[i]);
+
+ if (plugin.bl[i] === address) {
+ return 1;
+ }
+ }
+
+ if (plugin.blregex) {
+ connection.logdebug(plugin, 'checking ' + address + ' against ' +
+ plugin.blregex.source);
+
+ if (address.match(plugin.blregex)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
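Review bot: This file is a name-for-name copy of plugins/mail_from.access.js from the same commit — register, the hook body and both `_in_*` helpers differ only in the `mail_from`/`rcpt_to` prefix — so every fix has to be applied twice and the two lists can silently drift. A shared helper taking the config prefix and hook name, with each plugin reduced to its `register`, would keep the matching semantics in lockstep. `var i` in register is unused and can be dropped.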