Skip to content
This repository
Browse code

dnsbl, POD tweaks, DENY type tests

consolidated POD at top of file
added example options to reject_type POD head
added an example loglevel entry

consolidated DENY[SOFT|DISCONNECT] logic into get_reject_type
added tests for get_reject_type
  • Loading branch information...
commit 9d0c2f846952716975385c1d56306249340ecafe 1 parent ed8ce15
Matt Simerson authored May 21, 2012
231  plugins/dnsbl
@@ -9,6 +9,115 @@ dnsbl - handle DNS BlackList lookups
9 9
 Plugin that checks the IP address of the incoming connection against
10 10
 a configurable set of RBL services.
11 11
 
  12
+=head1 USAGE
  13
+
  14
+Add the following line to the config/plugins file:
  15
+
  16
+  dnsbl [ reject_type disconnect ] [loglevel -1]
  17
+
  18
+=head2 reject_type [ temp | perm ]
  19
+
  20
+To immediately drop the connection (since some blacklisted servers attempt
  21
+multiple sends per session), set I<reject_type disconnect>. In most cases,
  22
+an IP address that is listed should not be given the opportunity to begin a
  23
+new transaction, since even the most volatile blacklists will return the same
  24
+answer for a short period of time (the minimum DNS cache period).
  25
+
  26
+Default: perm
  27
+
  28
+=head2 loglevel
  29
+
  30
+Adjust the quantity of logging for this plugin. See docs/logging.pod
  31
+
  32
+  dnsbl [loglevel -1]
  33
+
  34
+=head1 CONFIG FILES
  35
+
  36
+This plugin uses the following configuration files. All are optional. Not
  37
+specifying dnsbl_zones is like not using the plugin at all.
  38
+
  39
+=head2 dnsbl_zones
  40
+
  41
+Normal ip based dns blocking lists ("RBLs") which contain TXT records are
  42
+specified simply as:
  43
+
  44
+  relays.ordb.org
  45
+  spamsources.fabel.dk
  46
+
  47
+To configure RBL services which do not contain TXT records in the DNS,
  48
+but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
  49
+own error message to return in the SMTP conversation after a colon e.g.
  50
+
  51
+  rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
  52
+
  53
+The string %IP% will be replaced with the IP address of incoming connection.
  54
+Thus a fully specified file could be:
  55
+
  56
+  sbl-xbl.spamhaus.org
  57
+  list.dsbl.org
  58
+  rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
  59
+  relays.ordb.org
  60
+
  61
+=head2 dnsbl_allow
  62
+
  63
+List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
  64
+with either a full IP address or a truncated IP address with a period at the end.
  65
+For example:
  66
+
  67
+  192.168.1.1
  68
+  172.16.33.
  69
+
  70
+NB the environment variable RBLSMTPD is considered before this file is
  71
+referenced. See below.
  72
+
  73
+=head2 dnsbl_rejectmsg
  74
+
  75
+A textual message that is sent to the sender on an RBL failure. The TXT record
  76
+from the RBL list is also sent, but this file can be used to indicate what
  77
+action the sender should take.
  78
+
  79
+For example:
  80
+
  81
+   If you think you have been blocked in error, then please forward
  82
+   this entire error message to your ISP so that they can fix their problems.
  83
+   The next line often contains a URL that can be visited for more information.
  84
+
  85
+=head1 Environment Variables
  86
+
  87
+=head2 RBLSMTPD
  88
+
  89
+The environment variable RBLSMTPD is supported and mimics the behaviour of
  90
+Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
  91
+start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
  92
+NB I don't really see the benefit
  93
+of using a soft error for a site in an RBL list. This just complicates
  94
+things as it takes 7 days (or whatever default period) before a user
  95
+gets an error email back. In the meantime they are complaining that their
  96
+emails are being "lost" :(
  97
+
  98
+=over 4
  99
+
  100
+=item RBLSMTPD is set and non-empty
  101
+
  102
+The contents are used as the SMTP conversation error.
  103
+Use this for forcibly blocking sites you don't like
  104
+
  105
+=item RBLSMTPD is set, but empty
  106
+
  107
+In this case no RBL checks are made.
  108
+This can be used for local addresses.
  109
+
  110
+=item RBLSMTPD is not set
  111
+
  112
+All RBL checks will be made.
  113
+This is the setting for remote sites that you want to check against RBL.
  114
+
  115
+=back
  116
+
  117
+=head1 Revisions
  118
+
  119
+See: https://github.com/smtpd/qpsmtpd/commits/master/plugins/dnsbl
  120
+
12 121
 =cut
13 122
 
14 123
 sub register {
@@ -20,9 +129,6 @@ sub register {
20 129
     else {
21 130
         $self->{_args} = { @_ };
22 131
     };
23  
-
24  
-    my $rej = $self->{_args}{reject_type};
25  
-    $self->{_dnsbl}{DENY} = (defined $rej && $rej =~ /^disconnect$/i) ? DENY_DISCONNECT : DENY;
26 132
 }
27 133
 
28 134
 sub hook_connect {
@@ -207,7 +313,7 @@ sub hook_rcpt {
207 313
     $result =~ s/%IP%/$remote_ip/g;
208 314
     my $msg =  $self->qp->config('dnsbl_rejectmsg');
209 315
     $self->log(LOGINFO, "fail: $msg");
210  
-    return ($self->{_dnsbl}->{DENY}, join(' ', $msg, $result));
  316
+    return ( $self->get_reject_type(), join(' ', $msg, $result));
211 317
   }
212 318
 
213 319
     my $note = $self->process_sockets or return DECLINED;
@@ -222,7 +328,7 @@ sub hook_rcpt {
222 328
     }
223 329
 
224 330
     $self->log(LOGINFO, 'fail');
225  
-    return ($self->{_dnsbl}->{DENY}, $note);
  331
+    return ( $self->get_reject_type(), $note);
226 332
 }
227 333
 
228 334
 sub hook_disconnect {
@@ -233,114 +339,11 @@ sub hook_disconnect {
233 339
   return DECLINED;
234 340
 }
235 341
 
236  
-=head1 USAGE
237  
-
238  
-Add the following line to the config/plugins file:
239  
-
240  
-  dnsbl [ reject_type disconnect ] [loglevel -1]
241  
-
242  
-=head2 reject_type
243  
-
244  
-To immediately drop the connection (since some blacklisted servers attempt
245  
-multiple sends per session), set the optional argument I<reject_type> to
246  
-"disconnect" on the config/plugin entry. In most cases, an
247  
-IP address that is listed should not be given the opportunity to begin
248  
-a new transaction, since even the most volatile blacklists will return
249  
-the same answer for a short period of time (the minimum DNS cache period).
250  
-
251  
-=head2 loglevel
252  
-
253  
-Adjust the quantity of logging for this plugin. See docs/logging.pod
254  
-
255  
-=head1 CONFIG FILES
256  
-
257  
-=over 4
258  
-
259  
-This plugin uses the following configuration files. All are optional. Not
260  
-specifying dnsbl_zones is like not using the plugin at all.
261  
-
262  
-=item dnsbl_zones
263  
-
264  
-Normal ip based dns blocking lists ("RBLs") which contain TXT records are
265  
-specified simply as:
266  
-
267  
-  relays.ordb.org
268  
-  spamsources.fabel.dk
269  
-
270  
-To configure RBL services which do not contain TXT records in the DNS,
271  
-but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
272  
-own error message to return in the SMTP conversation after a colon e.g.
273  
-
274  
-  rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
275  
-
276  
-The string %IP% will be replaced with the IP address of incoming connection.
277  
-Thus a fully specified file could be:
278  
-
279  
-  sbl-xbl.spamhaus.org
280  
-  list.dsbl.org
281  
-  rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
282  
-  relays.ordb.org
283  
-
284  
-=item dnsbl_allow
285  
-
286  
-List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
287  
-with either a full IP address or a truncated IP address with a period at the end.
288  
-For example:
289  
-
290  
-  192.168.1.1
291  
-  172.16.33.
292  
-
293  
-NB the environment variable RBLSMTPD is considered before this file is
294  
-referenced. See below.
295  
-
296  
-=item dnsbl_rejectmsg
297  
-
298  
-A textual message that is sent to the sender on an RBL failure. The TXT record
299  
-from the RBL list is also sent, but this file can be used to indicate what
300  
-action the sender should take.
301  
-
302  
-For example:
303  
-
304  
-   If you think you have been blocked in error, then please forward
305  
-   this entire error message to your ISP so that they can fix their problems.
306  
-   The next line often contains a URL that can be visited for more information.
307  
-
308  
-=back
309  
-
310  
-=head1 Environment Variables
311  
-
312  
-=head2 RBLSMTPD
313  
-
314  
-The environment variable RBLSMTPD is supported and mimics the behaviour of
315  
-Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
316  
-start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
317  
-NB I don't really see the benefit
318  
-of using a soft error for a site in an RBL list. This just complicates
319  
-things as it takes 7 days (or whatever default period) before a user
320  
-gets an error email back. In the meantime they are complaining that their
321  
-emails are being "lost" :(
322  
-
323  
-=over 4
324  
-
325  
-=item RBLSMTPD is set and non-empty
326  
-
327  
-The contents are used as the SMTP conversation error.
328  
-Use this for forcibly blocking sites you don't like
329  
-
330  
-=item RBLSMTPD is set, but empty
331  
-
332  
-In this case no RBL checks are made.
333  
-This can be used for local addresses.
334  
-
335  
-=item RBLSMTPD is not set
336  
-
337  
-All RBL checks will be made.
338  
-This is the setting for remote sites that you want to check against RBL.
339  
-
340  
-=back
341  
-
342  
-=head1 Revisions
  342
+sub get_reject_type {
  343
+    my $self = shift;
343 344
 
344  
-See: http://cvs.perl.org/viewcvs/qpsmtpd/plugins/dnsbl
  345
+    return   $self->{_args}{reject_type} eq 'temp'       ? DENYSOFT
  346
+           : $self->{_args}{reject_type} eq 'disconnect' ? DENY_DISCONNECT
  347
+           : DENY;
  348
+};
345 349
 
346  
-=cut
34  t/plugin_tests/dnsbl
@@ -13,6 +13,7 @@ sub register_tests {
13 13
     $self->register_test('test_ip_whitelisted', 3);
14 14
     $self->register_test('test_is_set_rblsmtpd', 4);
15 15
     $self->register_test('test_hook_disconnect', 1);
  16
+    $self->register_test('test_reject_type', 3);
16 17
 }
17 18
 
18 19
 sub test_ip_whitelisted {
@@ -21,13 +22,13 @@ sub test_ip_whitelisted {
21 22
     $self->qp->connection->remote_ip('10.1.1.1');
22 23
 
23 24
     $self->qp->connection->relay_client(1);
24  
-    ok( $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, +");
  25
+    ok( $self->ip_whitelisted('10.1.1.1'), "yes, +");
25 26
 
26 27
     $self->qp->connection->relay_client(0);
27  
-    ok( ! $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, -");
  28
+    ok( ! $self->ip_whitelisted('10.1.1.1'), "no, -");
28 29
 
29 30
     $self->qp->connection->notes('whitelisthost', 'hello honey!');
30  
-    ok( $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, +");
  31
+    ok( $self->ip_whitelisted('10.1.1.1'), "yes, +");
31 32
     $self->qp->connection->notes('whitelisthost', undef);
32 33
 };
33 34
 
@@ -35,29 +36,30 @@ sub test_is_set_rblsmtpd {
35 36
     my $self = shift;
36 37
 
37 38
     $self->qp->connection->remote_ip('10.1.1.1');
38  
-    ok( ! defined $self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, undef");
  39
+    ok( ! defined $self->is_set_rblsmtpd('10.1.1.1'), "undef");
39 40
 
40 41
     $ENV{RBLSMTPD} = "Yes we can!";
41  
-    cmp_ok( 'Yes we can!','eq',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, value");
  42
+    cmp_ok( 'Yes we can!','eq',$self->is_set_rblsmtpd('10.1.1.1'), "value");
42 43
 
43 44
     $ENV{RBLSMTPD} = "Oh yeah?";
44  
-    cmp_ok( 'Oh yeah?','eq',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, value");
  45
+    cmp_ok( 'Oh yeah?','eq',$self->is_set_rblsmtpd('10.1.1.1'), "value");
45 46
 
46 47
     $ENV{RBLSMTPD} = '';
47  
-    cmp_ok( 1,'==',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, empty");
  48
+    cmp_ok( 1,'==',$self->is_set_rblsmtpd('10.1.1.1'), "empty");
48 49
 };
49 50
 
50 51
 sub test_hook_connect {
51 52
     my $self = shift;
52 53
 
53 54
     my $connection = $self->qp->connection;
  55
+    $connection->relay_client(0);        # other tests may leave it enabled
54 56
     $connection->remote_ip('127.0.0.2'); # standard dnsbl test value
55 57
 
56 58
     cmp_ok( DECLINED, '==', $self->hook_connect($self->qp->transaction),
57  
-        "hook_connect +");
  59
+        "connect +");
58 60
 
59  
-    ok($connection->notes('dnsbl_sockets'), "hook_connect, sockets");
60  
-    ok($connection->notes('dnsbl_domains'), "hook_connect, domains");
  61
+    ok($connection->notes('dnsbl_sockets'), "sockets +");
  62
+    ok($connection->notes('dnsbl_domains'), "domains +");
61 63
 }
62 64
 
63 65
 sub test_hook_rcpt {
@@ -75,3 +77,15 @@ sub test_hook_disconnect {
75 77
         "hook_disconnect +");
76 78
 }
77 79
 
  80
+sub test_reject_type {
  81
+    my $self = shift;
  82
+
  83
+    $self->{_args}{reject_type} = undef;
  84
+    cmp_ok( $self->get_reject_type(), '==', DENY, "default");
  85
+
  86
+    $self->{_args}{reject_type} = 'temp';
  87
+    cmp_ok( $self->get_reject_type(), '==', DENYSOFT, "defer");
  88
+
  89
+    $self->{_args}{reject_type} = 'disconnect';
  90
+    cmp_ok( $self->get_reject_type(), '==', DENY_DISCONNECT, "disconnect");
  91
+};

0 notes on commit 9d0c2f8

Please sign in to comment.
Something went wrong with that request. Please try again.