comparison misc/hackmc @ 0:c7f6b056b673
First import of vendor version
author | Peter Gervai <grin@grin.hu> |
date | Tue, 10 Mar 2009 13:49:58 +0100 |
parents | |
children |
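--- a/misc/hackmc
+++ b/misc/hackmc
@@ -0,0 +1,201 @@
+#! /bin/sh -e
+
+# This kludge of a shell script warps a sendmail.cf produced from a .mc file
+# to report some spam to the Distributed Checksum Clearinghouse (DCC)
+# in addition to rejecting it.
+#
+# Mail that is rejected by a sendmail access_db is reported via dccm to
+# a DCC server as extremely bulky. Error messages in the access_db
+# file must start with "DCC:" or they will be ignored by this mechanism.
+
+# This script should be run in the sendmail cf/cf directory, and given a list
+# of .mc files, as in
+# cd cf/cf
+# .../misc/hackmc -AROT ../m4/cf.m4 local.mc > local.cf
+
+# It seems to work on sendmail.cf generated for sendmail versions 8.11
+# through 8.14.3. There is no guarantee that it will work with other
+# versions. You must compare the result of this script with the unmodified
+# sendmail.cf.
+
+
+# This script "denatures" RCS keywords in its output so that revisions of
+# the resulting sendmail.cf can be archived with RCS without losing
+# the original RCS lines from the Sendmail organization.
+
+# In addition to sending mail blacklisted by the sendmail access_db to
+# the DCC, the following can also be turned on:
+
+# -x turn on debugging
+
+# -A send mail with bogus Mail_From domain names to the DCC instead of
+# only rejecting it.
+
+# -R silently discard unauthorized relay attempts after reporting them
+# to the DCC. This mechanism also implies -f to ensure that relay
+# attempts do not leak if dccm is not running.
+
+# -r reject unauthorized relay attempts after reporting them
+# to the DCC. This mechanism also implies -f to ensure that relayed
+# attempts do not leak if dccm is not running.
+
+# -D add a local rule that rejects mail from SMTP clients without reverse
+# DNS and reports the mail as spam to the DCC.
+# This has a fairly high false positive rate.
+
+# -O modify the sendmail rules to treat access_db "OK" and "RELAY"
+# or "Spam:...FRIEND" entries as whitelisting the message.
+
+# -M modify the sendmail rules generated by FEATURE(badmx), FEATURE(dnsbl),
+# and Feature(enhdnsbl) so that mail that is rejected by sendmail
+# is reported via dccm to a DCC server as extremely bulky.
+
+# -T modify the sendmail rules to trust (whitelist) mail from users
+# authenticated with an SMTP AUTH TRUST_AUTH_MECH() mechanism or from
+# SMTP clients with certificates verified with START TLS.
+# If STMP-AUTH used, TRUST_AUTH_MECH must be set in the .mc file and
+# sendmail must be built with SASL or otherwise have working SMTP auth.
+# FEATURE(`delay_checks') must NOT be used.
+
+# -f if dccm fails, reject mail with a temporary failure status code
+# instead of passing it. This changes the default FEATURE(dcc)
+# parameters. See dcc.m4.
+
+# -m m4
+# specifies the path to the m4 program as well as any m4 args
+# such as `hackmc -m4 "/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/"`
+
+
+
+# Copyright (c) 2008 by Rhyolite Software, LLC
+#
+# This agreement is not applicable to any entity which sells anti-spam
+# solutions to others or provides an anti-spam solution as part of a
+# security solution sold to other entities, or to a private network
+# which employs the DCC or uses data provided by operation of the DCC
+# but does not provide corresponding data to other users.
+#
+# Permission to use, copy, modify, and distribute this software without
+# changes for any purpose with or without fee is hereby granted, provided
+# that the above copyright notice and this permission notice appear in all
+# copies and any distributed versions or copies are either unchanged
+# or not called anything similar to "DCC" or "Distributed Checksum
+# Clearinghouse".
+#
+# Parties not eligible to receive a license under this agreement can
+# obtain a commercial license to use DCC by contacting Rhyolite Software
+# at sales@rhyolite.com.
+#
+# A commercial license would be for Distributed Checksum and Reputation
+# Clearinghouse software. That software includes additional features. This
+# free license for Distributed ChecksumClearinghouse Software does not in any
+# way grant permision to use Distributed Checksum and Reputation Clearinghouse
+# software
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE, LLC DISCLAIMS ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE, LLC
+# BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+# OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+# ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+# Rhyolite Software DCC 1.3.103-1.43 $Revision$
+
+USAGE="`basename $0`: [-xfARrDOMT] [-m m4] file1.mc file2.mc ..."
+M4=m4
+DNS1='#'
+DNS2='#'
+RELAY='#'
+NOTSPAM='#'
+AUTH='#'
+# fail temporarily if dccm is not running.
+# Add F=T to reject mail when dccm is dead,
+# but only if there is not already an F=x setting
+TEMPFAIL='#'
+TEMPFAIL0='/F=/!s/S=[^ ,]*/&, F=T/'
+RDNS='#'
+DNSBL1='#'
+DNSBL2='#'
+
+while getopts "xm:fARrDOMT" c; do
+case $c in
+x) set -x;;
+m) M4="$OPTARG";;
+f) TEMPFAIL=$TEMPFAIL0;;
+A)
+DNS1='s/$#error $@ \([.0-9]*\) $: "\(5.*[Dd]omain name required.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
+DNS2='s/$#error $@ \([.0-9]*\) $: "\(5.*Domain of sender.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
+;;
+R)
+RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "DISCARD: \1" Sent to DCC" $) TODCC/'
+TEMPFAIL=$TEMPFAIL0
+;;
+r)
+RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "REJECT: \1" Sent to DCC" $) TODCC/'
+TEMPFAIL=$TEMPFAIL0
+;;
+D) RDNS=
+;;
+M)
+DNSBL1='/^# DNS based IP address spam list/,/^$/s/$#error .* $: *"\(.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
+DNSBL2='s/$#error .* $: *"\(.*MX record.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
+;;
+T) AUTH=
+;;
+O) NOTSPAM='s/^R<\$={Accept}> *<*\$\*>* *[^ ]*/& $(macro {dcc_notspam} $@ $1 $)/'
+;;
+*) echo 1>&2 "$USAGE"; exit 1;;
+esac
+done
+shift `expr $OPTIND - 1 || true`
+
+(
+# work hard to have only one Local_check_mail or Local_check_relay definition
+# by prepending our rules to the first definitions
+echo LOCAL_RULESETS
+if test -z "$RDNS"; then
+if test `$M4 $* 2>/dev/null| grep '^SLocal_check_relay' | wc -l` -lt 2; then
+echo SLocal_check_relay
+fi
+fi
+if test -z "$AUTH"; then
+if test `$M4 $* 2>/dev/null| grep '^SLocal_check_mail' | wc -l` -lt 2; then
+echo SLocal_check_mail
+fi
+fi
+) | $M4 $* - \
+| sed -e 's/\$\(Id:.*\)\$/\1/' -e 's/\$\(Revision:.*\)\$/\1/' \
+-e "${DNS1}" -e "${DNS2}" -e "${RELAY}" -e "${NOTSPAM}" \
+-e "${DNSBL1}" -e "${DNSBL2}" \
+\
+-e '/^Xdcc/{' -e "$TEMPFAIL" -e '}' \
+\
+-e '# add the access.db hook' \
+-e '/^R<$={Accept}>/a\
+R<DCC:$*> $* $# $(macro {dcc_isspam} $@ $1": Sent to DCC" $) TODCC' \
+\
+-e "# remove extra quotes" -e'/TODCC/s/""//' \
+\
+-e "/^S${RDNS}check_relay/,/^SLocal_check_relay/{" \
+-e '/^SLocal_check_relay/a\
+# reject mail from clients without reverse DNS and report it as spam to the DCC\
+R$* $: <$&{client_resolve}> $1\
+R<FAIL> $* $# $(macro {dcc_isspam} $@ "SMTP client "$&{client_addr}" has no reverse DNS name" $) TODCC\
+R<$*> $* $: $2\
+\
+' \
+-e '}' \
+\
+-e "/^S${AUTH}check_mail/,/^SLocal_check_mail/{" \
+-e '/^SLocal_check_mail/a\
+# mail from an SMTP client with a verified TLS cert is not spam for dccm\
+R$* $: <$&{verify}> $1\
+R<OK> $* $: $(macro {dcc_notspam} $@ STARTTLS verified $) <> $1\
+# mail authenticated with SMTP AUTH for relaying is also not spam for dccm\
+R<$*> $* $: <$&{auth_type}> $2\
+R<$={TrustAuthMech}> $* $: $(macro {dcc_notspam} $@ authenticated $) <> $2\
+R<$*> $* $: $2\
+\
+' \
+-e '}'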