# Policy based filter database for smtpserver
#
# Syntax:
#
#   key [attribute value]... [= tag]
#
# Where:
#
#   'key' is
#     - a domain name optionally preceded by a dot (.)
#     - an IP address expression in canonical nn.nn.nn.nn/prefix form.
#       Unspecified (host) bits must be 0.
#     - any arbitrary word, referred to as 'tag' on the right side
#   'tag' may be any key of this database
#   'attribute' and 'value' are tokens. They are used by server() to
#   make decisions.
#
# Semantics:
#
# The server() zmsh function is called by smtpserver to check the client host
# and the sender's and recipients' addresses. Server() looks up the name and
# address of the client host, as well as the domain part of the sender and
# recipient addresses, in this database. It uses the retrieved attributes to
# decide whether to accept or reject the incoming mail.
#
# If looking for 'foo.bar.edu' and the exact match fails, the database driver
# called 'longestmatch' (derived from the pathalias driver) looks for
# '.bar.edu', '.edu' and '.' as well. (A patch for router/db.c is required.)
# Therefore the order of entries does not matter.
#
# When searching for an IP address, the entry with the most common (leftmost)
# bits is returned. So you can have a 0.0.0.0/0 entry that specifies the
# default attributes for all unlisted IP addresses.
#
# '=' is a special attribute.
# The notation '= tag' means "See also at 'tag'". If server() doesn't
# find the requested attribute of the object, it replaces the object name
# with 'tag' and restarts the search.
# This is useful if tags are syntactically different from real RFC-821
# domain names (the examples below start tags with an underscore), so
# there is no risk of confusing domain names and tags.
#
# Here is an example configuration, assuming the following decision
# chain in server().
#
#   if (IP address of SMTP client has 'rejectnet +' attribute) then
#       any further conversation refused
#   if (name of SMTP client has 'rejectnet +' attribute) then
#       any further conversation refused
#   else if (sender's domain has 'rejectsource +' attribute) then
#       sender rejected, any further conversation refused
#   else if (IP address of SMTP client has 'relaycustnet +' attribute) then
#       sender accepted, recipients not checked
#   else if (name of SMTP client has 'relaycustnet +' attribute) then
#       sender accepted, recipients not checked
#   else if (sender's domain has 'relaycustomer +' attribute) then
#       sender accepted, recipients not checked
#   else if (recipient's domain has 'relaytarget +' attribute) then
#       recipient accepted
#   else
#       this recipient refused
#
############

# Generally we refuse SMTP connections from hosts in private address space
# and refuse mails to or from an address literal [nn.nn.nn.nn] if
# nn.nn.nn.nn is a private IP address...
_private_address    rejectnet + rejectsource + relaycustomer - relaytarget -
[172.16.0.0]/12     = _private_address
[192.168.0.0]/16    = _private_address
[10.0.0.0]/8        = _private_address

# ...but hosts in the address range 192.168.16.0-192.168.17.255 may be
# our SMTP clients. (The /23 entry wins over [192.168.0.0]/16 because it
# has more matching leading bits.)
[192.168.16.0]/23   rejectnet - = _private_address

# Hosts of our organization can do anything...
sztaki.hu           = _full_rights
.sztaki.hu          = _full_rights
192.84.225.0/24     = _our_network
192.84.226.0/23     = _our_network
192.84.228.0/23     = _our_network
_our_network        = _full_rights
_full_rights        rejectnet - relaycustnet + relaycustomer + relaytarget +

# ... except that relaying to dial-up hosts is of no use.
# Note: we use a domain name as tag.
.dial.sztaki.hu     relaytarget - = .sztaki.hu

# ... and we have a misconfigured SMTP client somewhere.
# A single host needs a /32 prefix: with /24 the host bits would be
# non-zero, which the syntax above forbids.
192.84.225.1/32     rejectnet + = _our_network

#
# We are MX for some UUCP nodes
.uucp.iif.hu        relaytarget +

#
# Thanks, no bulk mails! Drop them even if addressed to us.
nobody.com          = _bulk_mail
.nobody.com         = _bulk_mail
nodomain.com        = _bulk_mail
.nodomain.com       = _bulk_mail
_bulk_mail          rejectsource +

#
# We are not relaying between off-site hosts
.                   relaycustomer - relaytarget -
0.0.0.0/0           relaycustomer - relaytarget -
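The lookup rules in the header (exact name, then '.bar.edu', '.edu', '.'; longest prefix for IP addresses; '= tag' redirection when the entry found lacks the requested attribute) and the decision chain are small enough to run end to end. The following is an added example written for this page, not ZMailer's server() or its longestmatch driver: a Python interpreter for the policy syntax that embeds the example configuration above and evaluates constructed client/sender/recipient triples against it. Function names (parse_policy, lookup, decide) and the test hosts and addresses are assumptions of the example. Parsing with ipaddress.ip_network(strict=True) doubles as a check for the "unspecified bits must be 0" rule.

```python
import ipaddress

# The example configuration from this file, entries only (comments dropped).
# The misconfigured client is written as 192.84.225.1/32: the syntax rule says
# unspecified bits must be 0, and ip_network(strict=True) enforces exactly that.
POLICY_TEXT = """
_private_address    rejectnet + rejectsource + relaycustomer - relaytarget -
[172.16.0.0]/12     = _private_address
[192.168.0.0]/16    = _private_address
[10.0.0.0]/8        = _private_address
[192.168.16.0]/23   rejectnet - = _private_address
sztaki.hu           = _full_rights
.sztaki.hu          = _full_rights
192.84.225.0/24     = _our_network
192.84.226.0/23     = _our_network
192.84.228.0/23     = _our_network
_our_network        = _full_rights
_full_rights        rejectnet - relaycustnet + relaycustomer + relaytarget +
.dial.sztaki.hu     relaytarget - = .sztaki.hu
192.84.225.1/32     rejectnet + = _our_network
.uucp.iif.hu        relaytarget +
nobody.com          = _bulk_mail
.nobody.com         = _bulk_mail
nodomain.com        = _bulk_mail
.nodomain.com       = _bulk_mail
_bulk_mail          rejectsource +
.                   relaycustomer - relaytarget -
0.0.0.0/0           relaycustomer - relaytarget -
"""


def parse_policy(text):
    """Parse 'key [attribute value]... [= tag]' lines into (names, nets).

    names: domain and tag keys -> {attribute: value}; nets: ip_network -> same.
    '=' is stored as an ordinary attribute whose value is the tag.
    """
    names, nets = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if len(rest) % 2:
            raise ValueError(f"attribute without value: {line!r}")
        attrs = dict(zip(rest[0::2], rest[1::2]))
        if "/" in key:  # IP prefix; brackets around the address are optional
            net = ipaddress.ip_network(key.strip("[]").replace("]", ""), strict=True)
            nets[net] = attrs
        else:
            names[key.lower()] = attrs
    return names, nets


def _match_entry(db, obj):
    """Longest-prefix match for an IP (or [ip] literal); for a name, the name
    itself, then '.bar.edu', '.edu', '.' (the longestmatch driver behaviour)."""
    names, nets = db
    try:
        addr = ipaddress.ip_address(obj.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        hits = [n for n in nets if addr in n]
        return nets[max(hits, key=lambda n: n.prefixlen)] if hits else None
    name = obj.lower().rstrip(".")
    labels = name.lstrip(".").split(".")
    candidates = [name] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))] + ["."]
    return next((names[c] for c in candidates if c in names), None)


def lookup(db, obj, attribute, _seen=()):
    """Value of attribute for obj, following '= tag' when the matched entry
    lacks the attribute; None if it is found nowhere. _seen stops tag loops."""
    entry = _match_entry(db, obj)
    if entry is None:
        return None
    if attribute in entry:
        return entry[attribute]
    tag = entry.get("=")
    if tag is None or tag in _seen:
        return None
    return lookup(db, tag, attribute, _seen + (obj,))


def decide(db, client_ip, client_name, sender, recipients):
    """The decision chain from the header. Returns ('connection', 'refused'),
    ('sender', 'refused') or ('recipients', {recipient: 'accepted'|'refused'})."""
    has = lambda obj, attr: lookup(db, obj, attr) == "+"
    if has(client_ip, "rejectnet") or has(client_name, "rejectnet"):
        return ("connection", "refused")
    sender_domain = sender.rsplit("@", 1)[-1]
    if has(sender_domain, "rejectsource"):
        return ("sender", "refused")
    if has(client_ip, "relaycustnet") or has(client_name, "relaycustnet") \
            or has(sender_domain, "relaycustomer"):
        return ("recipients", {r: "accepted" for r in recipients})
    return ("recipients", {r: "accepted" if has(r.rsplit("@", 1)[-1], "relaytarget")
                           else "refused" for r in recipients})


DB = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # Constructed clients and addresses, not taken from any real log.
    for case in [("10.1.2.3", "pc.example.org", "joe@example.org", ["user@sztaki.hu"]),
                 ("192.84.226.7", "mail.sztaki.hu", "joe@sztaki.hu", ["far@example.net"]),
                 ("192.168.16.5", "pc.example.org", "joe@example.org",
                  ["user@sztaki.hu", "u@pc1.dial.sztaki.hu", "x@[10.1.2.3]"])]:
        print(case[0], case[2], "->", decide(DB, *case))
```

The address-literal case shows why the private-space entries are keyed in bracket form: a recipient such as x@[10.1.2.3] has domain part [10.1.2.3], which is looked up as an IP and lands on [10.0.0.0]/8, then follows '= _private_address' to 'relaytarget -'. A client in 192.168.16.0/23 wins over the /16 entry on prefix length, so 'rejectnet -' applies, but because that entry has no relaycustnet attribute the search continues at _private_address, which does not grant relaying either.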