Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

dnsbl, POD tweaks, DENY type tests

consolidated POD at top of file
added example options to reject_type POD head
added an example loglevel entry

consolidated DENY[SOFT|DISCONNECT] logic into get_reject_type
added tests for get_reject_type
  • Loading branch information...
commit 9d0c2f846952716975385c1d56306249340ecafe 1 parent ed8ce15
@msimerson msimerson authored
Showing with 141 additions and 124 deletions.
  1. +117 −114 plugins/dnsbl
  2. +24 −10 t/plugin_tests/dnsbl
View
231 plugins/dnsbl
@@ -9,6 +9,115 @@ dnsbl - handle DNS BlackList lookups
Plugin that checks the IP address of the incoming connection against
a configurable set of RBL services.
+=head1 USAGE
+
+Add the following line to the config/plugins file:
+
+ dnsbl [ reject_type disconnect ] [loglevel -1]
+
+=head2 reject_type [ temp | perm ]
+
+To immediately drop the connection (since some blacklisted servers attempt
+multiple sends per session), set I<reject_type disconnect>. In most cases,
+an IP address that is listed should not be given the opportunity to begin a
+new transaction, since even the most volatile blacklists will return the same
+answer for a short period of time (the minimum DNS cache period).
+
+Default: perm
+
+=head2 loglevel
+
+Adjust the quantity of logging for this plugin. See docs/logging.pod
+
+ dnsbl [loglevel -1]
+
+=head1 CONFIG FILES
+
+This plugin uses the following configuration files. All are optional. Not
+specifying dnsbl_zones is like not using the plugin at all.
+
+=head2 dnsbl_zones
+
+Normal ip based dns blocking lists ("RBLs") which contain TXT records are
+specified simply as:
+
+ relays.ordb.org
+ spamsources.fabel.dk
+
+To configure RBL services which do not contain TXT records in the DNS,
+but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
+own error message to return in the SMTP conversation after a colon e.g.
+
+ rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
+
+The string %IP% will be replaced with the IP address of incoming connection.
+Thus a fully specified file could be:
+
+ sbl-xbl.spamhaus.org
+ list.dsbl.org
+ rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
+ relays.ordb.org
+
+=head2 dnsbl_allow
+
+List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
+with either a full IP address or a truncated IP address with a period at the end.
+For example:
+
+ 192.168.1.1
+ 172.16.33.
+
+NB the environment variable RBLSMTPD is considered before this file is
+referenced. See below.
+
+=head2 dnsbl_rejectmsg
+
+A textual message that is sent to the sender on an RBL failure. The TXT record
+from the RBL list is also sent, but this file can be used to indicate what
+action the sender should take.
+
+For example:
+
+ If you think you have been blocked in error, then please forward
+ this entire error message to your ISP so that they can fix their problems.
+ The next line often contains a URL that can be visited for more information.
+
+=head1 Environment Variables
+
+=head2 RBLSMTPD
+
+The environment variable RBLSMTPD is supported and mimics the behaviour of
+Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
+start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
+NB I don't really see the benefit
+of using a soft error for a site in an RBL list. This just complicates
+things as it takes 7 days (or whatever default period) before a user
+gets an error email back. In the meantime they are complaining that their
+emails are being "lost" :(
+
+=over 4
+
+=item RBLSMTPD is set and non-empty
+
+The contents are used as the SMTP conversation error.
+Use this for forcibly blocking sites you don't like
+
+=item RBLSMTPD is set, but empty
+
+In this case no RBL checks are made.
+This can be used for local addresses.
+
+=item RBLSMTPD is not set
+
+All RBL checks will be made.
+This is the setting for remote sites that you want to check against RBL.
+
+=back
+
+=head1 Revisions
+
+See: https://github.com/smtpd/qpsmtpd/commits/master/plugins/dnsbl
+
=cut
sub register {
@@ -20,9 +129,6 @@ sub register {
else {
$self->{_args} = { @_ };
};
-
- my $rej = $self->{_args}{reject_type};
- $self->{_dnsbl}{DENY} = (defined $rej && $rej =~ /^disconnect$/i) ? DENY_DISCONNECT : DENY;
}
sub hook_connect {
@@ -207,7 +313,7 @@ sub hook_rcpt {
$result =~ s/%IP%/$remote_ip/g;
my $msg = $self->qp->config('dnsbl_rejectmsg');
$self->log(LOGINFO, "fail: $msg");
- return ($self->{_dnsbl}->{DENY}, join(' ', $msg, $result));
+ return ( $self->get_reject_type(), join(' ', $msg, $result));
}
my $note = $self->process_sockets or return DECLINED;
@@ -222,7 +328,7 @@ sub hook_rcpt {
}
$self->log(LOGINFO, 'fail');
- return ($self->{_dnsbl}->{DENY}, $note);
+ return ( $self->get_reject_type(), $note);
}
sub hook_disconnect {
@@ -233,114 +339,11 @@ sub hook_disconnect {
return DECLINED;
}
-=head1 USAGE
-
-Add the following line to the config/plugins file:
-
- dnsbl [ reject_type disconnect ] [loglevel -1]
-
-=head2 reject_type
-
-To immediately drop the connection (since some blacklisted servers attempt
-multiple sends per session), set the optional argument I<reject_type> to
-"disconnect" on the config/plugin entry. In most cases, an
-IP address that is listed should not be given the opportunity to begin
-a new transaction, since even the most volatile blacklists will return
-the same answer for a short period of time (the minimum DNS cache period).
-
-=head2 loglevel
-
-Adjust the quantity of logging for this plugin. See docs/logging.pod
-
-=head1 CONFIG FILES
-
-=over 4
-
-This plugin uses the following configuration files. All are optional. Not
-specifying dnsbl_zones is like not using the plugin at all.
-
-=item dnsbl_zones
-
-Normal ip based dns blocking lists ("RBLs") which contain TXT records are
-specified simply as:
-
- relays.ordb.org
- spamsources.fabel.dk
-
-To configure RBL services which do not contain TXT records in the DNS,
-but only A records (e.g. the RBL+ at http://www.mail-abuse.org), specify your
-own error message to return in the SMTP conversation after a colon e.g.
-
- rbl-plus.mail-abuse.org:You are listed at - http://http://www.mail-abuse.org/cgi-bin/lookup?%IP%
-
-The string %IP% will be replaced with the IP address of incoming connection.
-Thus a fully specified file could be:
-
- sbl-xbl.spamhaus.org
- list.dsbl.org
- rbl-plus.mail-abuse.ja.net:Listed by rbl-plus.mail-abuse.ja.net - see <URL:http://www.mail-abuse.org/cgi-bin/lookup?%IP%>
- relays.ordb.org
-
-=item dnsbl_allow
-
-List of allowed ip addresses that bypass RBL checking. Format is one entry per line,
-with either a full IP address or a truncated IP address with a period at the end.
-For example:
-
- 192.168.1.1
- 172.16.33.
-
-NB the environment variable RBLSMTPD is considered before this file is
-referenced. See below.
-
-=item dnsbl_rejectmsg
-
-A textual message that is sent to the sender on an RBL failure. The TXT record
-from the RBL list is also sent, but this file can be used to indicate what
-action the sender should take.
-
-For example:
-
- If you think you have been blocked in error, then please forward
- this entire error message to your ISP so that they can fix their problems.
- The next line often contains a URL that can be visited for more information.
-
-=back
-
-=head1 Environment Variables
-
-=head2 RBLSMTPD
-
-The environment variable RBLSMTPD is supported and mimics the behaviour of
-Dan Bernstein's rblsmtpd. The exception to this is the '-' char at the
-start of RBLSMTPD which is used to force a hard error in Dan's rblsmtpd.
-NB I don't really see the benefit
-of using a soft error for a site in an RBL list. This just complicates
-things as it takes 7 days (or whatever default period) before a user
-gets an error email back. In the meantime they are complaining that their
-emails are being "lost" :(
-
-=over 4
-
-=item RBLSMTPD is set and non-empty
-
-The contents are used as the SMTP conversation error.
-Use this for forcibly blocking sites you don't like
-
-=item RBLSMTPD is set, but empty
-
-In this case no RBL checks are made.
-This can be used for local addresses.
-
-=item RBLSMTPD is not set
-
-All RBL checks will be made.
-This is the setting for remote sites that you want to check against RBL.
-
-=back
-
-=head1 Revisions
+sub get_reject_type {
+ my $self = shift;
-See: http://cvs.perl.org/viewcvs/qpsmtpd/plugins/dnsbl
+ return $self->{_args}{reject_type} eq 'temp' ? DENYSOFT
+ : $self->{_args}{reject_type} eq 'disconnect' ? DENY_DISCONNECT
+ : DENY;
+};
-=cut
View
34 t/plugin_tests/dnsbl
@@ -13,6 +13,7 @@ sub register_tests {
$self->register_test('test_ip_whitelisted', 3);
$self->register_test('test_is_set_rblsmtpd', 4);
$self->register_test('test_hook_disconnect', 1);
+ $self->register_test('test_reject_type', 3);
}
sub test_ip_whitelisted {
@@ -21,13 +22,13 @@ sub test_ip_whitelisted {
$self->qp->connection->remote_ip('10.1.1.1');
$self->qp->connection->relay_client(1);
- ok( $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, +");
+ ok( $self->ip_whitelisted('10.1.1.1'), "yes, +");
$self->qp->connection->relay_client(0);
- ok( ! $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, -");
+ ok( ! $self->ip_whitelisted('10.1.1.1'), "no, -");
$self->qp->connection->notes('whitelisthost', 'hello honey!');
- ok( $self->ip_whitelisted('10.1.1.1'), "ip_whitelisted, +");
+ ok( $self->ip_whitelisted('10.1.1.1'), "yes, +");
$self->qp->connection->notes('whitelisthost', undef);
};
@@ -35,29 +36,30 @@ sub test_is_set_rblsmtpd {
my $self = shift;
$self->qp->connection->remote_ip('10.1.1.1');
- ok( ! defined $self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, undef");
+ ok( ! defined $self->is_set_rblsmtpd('10.1.1.1'), "undef");
$ENV{RBLSMTPD} = "Yes we can!";
- cmp_ok( 'Yes we can!','eq',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, value");
+ cmp_ok( 'Yes we can!','eq',$self->is_set_rblsmtpd('10.1.1.1'), "value");
$ENV{RBLSMTPD} = "Oh yeah?";
- cmp_ok( 'Oh yeah?','eq',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, value");
+ cmp_ok( 'Oh yeah?','eq',$self->is_set_rblsmtpd('10.1.1.1'), "value");
$ENV{RBLSMTPD} = '';
- cmp_ok( 1,'==',$self->is_set_rblsmtpd('10.1.1.1'), "is_set_rblsmtpd, empty");
+ cmp_ok( 1,'==',$self->is_set_rblsmtpd('10.1.1.1'), "empty");
};
sub test_hook_connect {
my $self = shift;
my $connection = $self->qp->connection;
+ $connection->relay_client(0); # other tests may leave it enabled
$connection->remote_ip('127.0.0.2'); # standard dnsbl test value
cmp_ok( DECLINED, '==', $self->hook_connect($self->qp->transaction),
- "hook_connect +");
+ "connect +");
- ok($connection->notes('dnsbl_sockets'), "hook_connect, sockets");
- ok($connection->notes('dnsbl_domains'), "hook_connect, domains");
+ ok($connection->notes('dnsbl_sockets'), "sockets +");
+ ok($connection->notes('dnsbl_domains'), "domains +");
}
sub test_hook_rcpt {
@@ -75,3 +77,15 @@ sub test_hook_disconnect {
"hook_disconnect +");
}
+sub test_reject_type {
+ my $self = shift;
+
+ $self->{_args}{reject_type} = undef;
+ cmp_ok( $self->get_reject_type(), '==', DENY, "default");
+
+ $self->{_args}{reject_type} = 'temp';
+ cmp_ok( $self->get_reject_type(), '==', DENYSOFT, "defer");
+
+ $self->{_args}{reject_type} = 'disconnect';
+ cmp_ok( $self->get_reject_type(), '==', DENY_DISCONNECT, "disconnect");
+};
Please sign in to comment.
Something went wrong with that request. Please try again.