diff misc/hackmc @ 0:c7f6b056b673
First import of vendor version
author | Peter Gervai <grin@grin.hu> |
---|---|
date | Tue, 10 Mar 2009 13:49:58 +0100 |
parents | |
children |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/hackmc Tue Mar 10 13:49:58 2009 +0100
@@ -0,0 +1,201 @@
+#! /bin/sh -e
+
+# This kludge of a shell script warps a sendmail.cf produced from a .mc file
+# to report some spam to the Distributed Checksum Clearinghouse (DCC)
+# in addition to rejecting it.
+#
+# Mail that is rejected by a sendmail access_db is reported via dccm to
+# a DCC server as extremely bulky. Error messages in the access_db
+# file must start with "DCC:" or they will be ignored by this mechanism.
+
+# This script should be run in the sendmail cf/cf directory, and given a list
+# of .mc files, as in
+# cd cf/cf
+# .../misc/hackmc -AROT ../m4/cf.m4 local.mc > local.cf
+
+# It seems to work on sendmail.cf generated for sendmail versions 8.11
+# through 8.14.3. There is no guarantee that it will work with other
+# versions. You must compare the result of this script with the unmodified
+# sendmail.cf.
+
+
+# This script "denatures" RCS keywords in its output so that revisions of
+# the resulting sendmail.cf can be archived with RCS without losing
+# the original RCS lines from the Sendmail organization.
+
+# In addition to sending mail blacklisted by the sendmail access_db to
+# the DCC, the following can also be turned on:
+
+# -x turn on debugging
+
+# -A send mail with bogus Mail_From domain names to the DCC instead of
+# only rejecting it.
+
+# -R silently discard unauthorized relay attempts after reporting them
+# to the DCC. This mechanism also implies -f to ensure that relay
+# attempts do not leak if dccm is not running.
+
+# -r reject unauthorized relay attempts after reporting them
+# to the DCC. This mechanism also implies -f to ensure that relayed
+# attempts do not leak if dccm is not running.
+
+# -D add a local rule that rejects mail from SMTP clients without reverse
+# DNS and reports the mail as spam to the DCC.
+# This has a fairly high false positive rate.
+
+# -O modify the sendmail rules to treat access_db "OK" and "RELAY"
+# or "Spam:...FRIEND" entries as whitelisting the message.
+
+# -M modify the sendmail rules generated by FEATURE(badmx), FEATURE(dnsbl),
+# and Feature(enhdnsbl) so that mail that is rejected by sendmail
+# is reported via dccm to a DCC server as extremely bulky.
+
+# -T modify the sendmail rules to trust (whitelist) mail from users
+# authenticated with an SMTP AUTH TRUST_AUTH_MECH() mechanism or from
+# SMTP clients with certificates verified with START TLS.
+# If STMP-AUTH used, TRUST_AUTH_MECH must be set in the .mc file and
+# sendmail must be built with SASL or otherwise have working SMTP auth.
+# FEATURE(`delay_checks') must NOT be used.
+
+# -f if dccm fails, reject mail with a temporary failure status code
+# instead of passing it. This changes the default FEATURE(dcc)
+# parameters. See dcc.m4.
+
+# -m m4
+# specifies the path to the m4 program as well as any m4 args
+# such as `hackmc -m4 "/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/"`
+
+
+
+# Copyright (c) 2008 by Rhyolite Software, LLC
+#
+# This agreement is not applicable to any entity which sells anti-spam
+# solutions to others or provides an anti-spam solution as part of a
+# security solution sold to other entities, or to a private network
+# which employs the DCC or uses data provided by operation of the DCC
+# but does not provide corresponding data to other users.
+#
+# Permission to use, copy, modify, and distribute this software without
+# changes for any purpose with or without fee is hereby granted, provided
+# that the above copyright notice and this permission notice appear in all
+# copies and any distributed versions or copies are either unchanged
+# or not called anything similar to "DCC" or "Distributed Checksum
+# Clearinghouse".
+#
+# Parties not eligible to receive a license under this agreement can
+# obtain a commercial license to use DCC by contacting Rhyolite Software
+# at sales@rhyolite.com.
+#
+# A commercial license would be for Distributed Checksum and Reputation
+# Clearinghouse software. That software includes additional features. This
+# free license for Distributed ChecksumClearinghouse Software does not in any
+# way grant permision to use Distributed Checksum and Reputation Clearinghouse
+# software
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE, LLC DISCLAIMS ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE, LLC
+# BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+# OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+# ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+# Rhyolite Software DCC 1.3.103-1.43 $Revision$
+
+USAGE="`basename $0`: [-xfARrDOMT] [-m m4] file1.mc file2.mc ..."
+M4=m4
+DNS1='#'
+DNS2='#'
+RELAY='#'
+NOTSPAM='#'
+AUTH='#'
+# fail temporarily if dccm is not running.
+# Add F=T to reject mail when dccm is dead,
+# but only if there is not already an F=x setting
+TEMPFAIL='#'
+TEMPFAIL0='/F=/!s/S=[^ ,]*/&, F=T/'
+RDNS='#'
+DNSBL1='#'
+DNSBL2='#'
+
+while getopts "xm:fARrDOMT" c; do
+ case $c in
+ x) set -x;;
+ m) M4="$OPTARG";;
+ f) TEMPFAIL=$TEMPFAIL0;;
+ A)
+ DNS1='s/$#error $@ \([.0-9]*\) $: "\(5.*[Dd]omain name required.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
+ DNS2='s/$#error $@ \([.0-9]*\) $: "\(5.*Domain of sender.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
+ ;;
+ R)
+ RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "DISCARD: \1" Sent to DCC" $) TODCC/'
+ TEMPFAIL=$TEMPFAIL0
+ ;;
+ r)
+ RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "REJECT: \1" Sent to DCC" $) TODCC/'
+ TEMPFAIL=$TEMPFAIL0
+ ;;
+ D) RDNS=
+ ;;
+ M)
+ DNSBL1='/^# DNS based IP address spam list/,/^$/s/$#error .* $: *"\(.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
+ DNSBL2='s/$#error .* $: *"\(.*MX record.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
+ ;;
+ T) AUTH=
+ ;;
+ O) NOTSPAM='s/^R<\$={Accept}> *<*\$\*>* *[^ ]*/& $(macro {dcc_notspam} $@ $1 $)/'
+ ;;
+ *) echo 1>&2 "$USAGE"; exit 1;;
+ esac
+done
+shift `expr $OPTIND - 1 || true`
+
+(
+# work hard to have only one Local_check_mail or Local_check_relay definition
+# by prepending our rules to the first definitions
+echo LOCAL_RULESETS
+if test -z "$RDNS"; then
+ if test `$M4 $* 2>/dev/null| grep '^SLocal_check_relay' | wc -l` -lt 2; then
+ echo SLocal_check_relay
+ fi
+fi
+if test -z "$AUTH"; then
+ if test `$M4 $* 2>/dev/null| grep '^SLocal_check_mail' | wc -l` -lt 2; then
+ echo SLocal_check_mail
+ fi
+fi
+) | $M4 $* - \
+ | sed -e 's/\$\(Id:.*\)\$/\1/' -e 's/\$\(Revision:.*\)\$/\1/' \
+ -e "${DNS1}" -e "${DNS2}" -e "${RELAY}" -e "${NOTSPAM}" \
+ -e "${DNSBL1}" -e "${DNSBL2}" \
+ \
+ -e '/^Xdcc/{' -e "$TEMPFAIL" -e '}' \
+ \
+ -e '# add the access.db hook' \
+ -e '/^R<$={Accept}>/a\
+R<DCC:$*> $* $# $(macro {dcc_isspam} $@ $1": Sent to DCC" $) TODCC' \
+ \
+ -e "# remove extra quotes" -e'/TODCC/s/""//' \
+ \
+ -e "/^S${RDNS}check_relay/,/^SLocal_check_relay/{" \
+ -e '/^SLocal_check_relay/a\
+# reject mail from clients without reverse DNS and report it as spam to the DCC\
+R$* $: <$&{client_resolve}> $1\
+R<FAIL> $* $# $(macro {dcc_isspam} $@ "SMTP client "$&{client_addr}" has no reverse DNS name" $) TODCC\
+R<$*> $* $: $2\
+\
+' \
+ -e '}' \
+ \
+ -e "/^S${AUTH}check_mail/,/^SLocal_check_mail/{" \
+ -e '/^SLocal_check_mail/a\
+# mail from an SMTP client with a verified TLS cert is not spam for dccm\
+R$* $: <$&{verify}> $1\
+R<OK> $* $: $(macro {dcc_notspam} $@ STARTTLS verified $) <> $1\
+# mail authenticated with SMTP AUTH for relaying is also not spam for dccm\
+R<$*> $* $: <$&{auth_type}> $2\
+R<$={TrustAuthMech}> $* $: $(macro {dcc_notspam} $@ authenticated $) <> $2\
+R<$*> $* $: $2\
+\
+' \
+ -e '}'
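Review bot: The m4 exit status is discarded by the final `) | $M4 $* - | sed ...` pipeline at the end of the hunk: under `#! /bin/sh -e` only the last stage (sed) decides the pipeline's status, so an unreadable .mc file or an m4 error still exits 0 and the documented `> local.cf` usage writes a truncated or empty sendmail.cf over the real one. The same masking affects the two `$M4 $* 2>/dev/null | grep ... | wc -l` probes inside the subshell, which count 0 when m4 fails and then emit an extra SLocal_check_* header. m4's output should be produced and status-checked before the sed stage, e.g. into a temp file as sketched below, so a failed expansion aborts the script instead of producing a config. Separately, the .mc file names are expanded with an unquoted `$*` three times; `"$@"` (keeping `$M4` unquoted, since -m deliberately carries extra m4 arguments) would preserve names containing spaces.
```shell
TMP=`mktemp /tmp/hackmc.XXXXXX` || exit 1
trap 'rm -f "$TMP"' 0
(
# … unchanged: LOCAL_RULESETS / SLocal_check_* prelude …
) | $M4 $* - >"$TMP"
sed -e 's/\$\(Id:.*\)\$/\1/' -e 's/\$\(Revision:.*\)\$/\1/' \
# … unchanged: remaining -e expressions, each still ending in \ …
 -e '}' "$TMP"
```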