view misc/hackmc @ 0:c7f6b056b673
First import of vendor version
author | Peter Gervai <grin@grin.hu> |
---|---|
date | Tue, 10 Mar 2009 13:49:58 +0100 |
parents | |
children |
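#! /bin/sh -e

# This kludge of a shell script warps a sendmail.cf produced from a .mc file
#   to report some spam to the Distributed Checksum Clearinghouse (DCC)
#   in addition to rejecting it.
#
# Mail that is rejected by a sendmail access_db is reported via dccm to
#   a DCC server as extremely bulky.  Error messages in the access_db
#   file must start with "DCC:" or they will be ignored by this mechanism.

# This script should be run in the sendmail cf/cf directory, and given a list
#   of .mc files, as in
#       cd cf/cf
#       .../misc/hackmc -AROT ../m4/cf.m4 local.mc > local.cf

# It seems to work on sendmail.cf generated for sendmail versions 8.11
#   through 8.14.3.  There is no guarantee that it will work with other
#   versions.  You must compare the result of this script with the unmodified
#   sendmail.cf.

# This script "denatures" RCS keywords in its output so that revisions of
#   the resulting sendmail.cf can be archived with RCS without losing
#   the original RCS lines from the Sendmail organization.

# In addition to sending mail blacklisted by the sendmail access_db to
#   the DCC, the following can also be turned on:
#   -x  turn on debugging
#   -A  send mail with bogus Mail_From domain names to the DCC instead of
#       only rejecting it.
#   -R  silently discard unauthorized relay attempts after reporting them
#       to the DCC.  This mechanism also implies -f to ensure that relay
#       attempts do not leak if dccm is not running.
#   -r  reject unauthorized relay attempts after reporting them
#       to the DCC.  This mechanism also implies -f to ensure that relayed
#       attempts do not leak if dccm is not running.
#   -D  add a local rule that rejects mail from SMTP clients without reverse
#       DNS and reports the mail as spam to the DCC.
#       This has a fairly high false positive rate.
#   -O  modify the sendmail rules to treat access_db "OK" and "RELAY"
#       or "Spam:...FRIEND" entries as whitelisting the message.
#   -M  modify the sendmail rules generated by FEATURE(badmx), FEATURE(dnsbl),
#       and Feature(enhdnsbl) so that mail that is rejected by sendmail
#       is reported via dccm to a DCC server as extremely bulky.
#   -T  modify the sendmail rules to trust (whitelist) mail from users
#       authenticated with an SMTP AUTH TRUST_AUTH_MECH() mechanism or from
#       SMTP clients with certificates verified with START TLS.
#       If SMTP AUTH is used, TRUST_AUTH_MECH must be set in the .mc file and
#       sendmail must be built with SASL or otherwise have working SMTP auth.
#       FEATURE(`delay_checks') must NOT be used.
#   -f  if dccm fails, reject mail with a temporary failure status code
#       instead of passing it.  This changes the default FEATURE(dcc)
#       parameters.  See dcc.m4.
#   -m m4
#       specifies the path to the m4 program as well as any m4 args
#       such as `hackmc -m "/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/"`
#       (the path must be a separate word after -m: getopts would read
#       "-m4" as -m with the argument "4")

# Review notes for operators:
#   - -O and -T insert dcc_notspam rules, so anything that reaches those
#     rules (an access_db accept entry, a verified client certificate, or a
#     TrustAuthMech login) is marked as not spam for dccm.
#   - The exit status of this script is that of the final sed.  POSIX sh has
#     no pipefail, so a failing m4 can still leave a truncated .cf and a zero
#     status.  Watch m4's stderr and diff the result against the unmodified
#     sendmail.cf before installing it.

# Copyright (c) 2008 by Rhyolite Software, LLC
#
# This agreement is not applicable to any entity which sells anti-spam
# solutions to others or provides an anti-spam solution as part of a
# security solution sold to other entities, or to a private network
# which employs the DCC or uses data provided by operation of the DCC
# but does not provide corresponding data to other users.
#
# Permission to use, copy, modify, and distribute this software without
# changes for any purpose with or without fee is hereby granted, provided
# that the above copyright notice and this permission notice appear in all
# copies and any distributed versions or copies are either unchanged
# or not called anything similar to "DCC" or "Distributed Checksum
# Clearinghouse".
#
# Parties not eligible to receive a license under this agreement can
# obtain a commercial license to use DCC by contacting Rhyolite Software
# at sales@rhyolite.com.
#
# A commercial license would be for Distributed Checksum and Reputation
# Clearinghouse software.  That software includes additional features.  This
# free license for Distributed ChecksumClearinghouse Software does not in any
# way grant permision to use Distributed Checksum and Reputation Clearinghouse
# software
#
# THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE, LLC DISCLAIMS ALL
# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE, LLC
# BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
# OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
# ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
# SOFTWARE.
#   Rhyolite Software DCC 1.3.103-1.43 $Revision$

# Options on the "#!" line are lost when the script is started as
# "sh hackmc ...", so repeat -e here.
set -e

# ${0##*/} is the script's base name; unlike an unquoted `basename $0` it is
# not word-split when the path contains white space.
USAGE="${0##*/}: [-xfARrDOMT] [-m m4] file1.mc file2.mc ..."

M4=m4

# Each of the following holds one sed expression.  The default '#' is an
# empty sed comment, so an option that was not given contributes a no-op
# "-e" argument to the sed command at the bottom.
DNS1='#'
DNS2='#'
RELAY='#'
NOTSPAM='#'
# fail temporarily if dccm is not running.
#   Add F=T to reject mail when dccm is dead,
#   but only if there is not already an F=x setting
TEMPFAIL='#'
TEMPFAIL0='/F=/!s/S=[^ ,]*/&, F=T/'
DNSBL1='#'
DNSBL2='#'

# RDNS and AUTH are spliced into sed addresses instead.  While they are '#',
# the range start reads /^S#check_relay/ or /^S#check_mail/; -D and -T empty
# them so that the start reads /^Scheck_relay/ or /^Scheck_mail/.
RDNS='#'
AUTH='#'

while getopts "xm:fARrDOMT" c; do
    case $c in
    x)  set -x
        ;;
    m)  M4="$OPTARG"
        ;;
    f)  TEMPFAIL=$TEMPFAIL0
        ;;
    A)  # report bogus Mail_From domains to the DCC instead of only rejecting
        DNS1='s/$#error $@ \([.0-9]*\) $: "\(5.*[Dd]omain name required.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
        DNS2='s/$#error $@ \([.0-9]*\) $: "\(5.*Domain of sender.*\)/$# $(macro {dcc_isspam} $@ "\1 \2" Sent to DCC" $) TODCC/'
        ;;
    R)  # report relay attempts, then discard them; implies -f
        RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "DISCARD: \1" Sent to DCC" $) TODCC/'
        TEMPFAIL=$TEMPFAIL0
        ;;
    r)  # report relay attempts, then reject them; implies -f
        RELAY='s/$#error $@ [.0-9]* $: "5[.0-9 ]*\(Relaying denied.*\)/$# $(macro {dcc_isspam} $@ "REJECT: \1" Sent to DCC" $) TODCC/'
        TEMPFAIL=$TEMPFAIL0
        ;;
    D)  RDNS=
        ;;
    M)  # report DNS blacklist and bad MX rejections
        DNSBL1='/^# DNS based IP address spam list/,/^$/s/$#error .* $: *"\(.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
        DNSBL2='s/$#error .* $: *"\(.*MX record.*\)/$@ $(macro {dcc_isspam} $@ "\1" Sent to DCC" $) TODCC/'
        ;;
    T)  AUTH=
        ;;
    O)  # mark mail accepted by the access_db as not spam
        NOTSPAM='s/^R<\$={Accept}> *<*\$\*>* *[^ ]*/& $(macro {dcc_notspam} $@ $1 $)/'
        ;;
    *)  echo 1>&2 "$USAGE"
        exit 1
        ;;
    esac
done
# Arithmetic expansion has no exit status of its own, so this needs no
# "|| true" guard against -e when OPTIND - 1 is 0 (expr exits 1 on a zero
# result).
shift $((OPTIND - 1))

# $M4 is expanded unquoted on purpose, because -m may carry m4 arguments as
# well as the program path.  The .mc file names are passed as "$@" so that a
# name containing white space stays one argument.
#
# NOTE(review): sendmail requires a tab between the left and right sides of
# an R line.  The page this listing was recovered from showed only single
# spaces, so the rules appended by the "a\" commands below use one tab at
# that position; confirm against the vendor file.
(
    # work hard to have only one Local_check_mail or Local_check_relay
    # definition by prepending our rules to the first definitions
    echo LOCAL_RULESETS
    if test -z "$RDNS"; then
        # m4 errors are discarded here only; the m4 run below reports them
        if test "$($M4 "$@" 2>/dev/null | grep -c '^SLocal_check_relay')" -lt 2; then
            echo SLocal_check_relay
        fi
    fi
    if test -z "$AUTH"; then
        if test "$($M4 "$@" 2>/dev/null | grep -c '^SLocal_check_mail')" -lt 2; then
            echo SLocal_check_mail
        fi
    fi
) | $M4 "$@" - \
    | sed -e 's/\$\(Id:.*\)\$/\1/' -e 's/\$\(Revision:.*\)\$/\1/' \
    -e "${DNS1}" -e "${DNS2}" -e "${RELAY}" -e "${NOTSPAM}" \
    -e "${DNSBL1}" -e "${DNSBL2}" \
    \
    -e '/^Xdcc/{' -e "$TEMPFAIL" -e '}' \
    \
    -e '# add the access.db hook' \
    -e '/^R<$={Accept}>/a\
R<DCC:$*> $*	$# $(macro {dcc_isspam} $@ $1": Sent to DCC" $) TODCC' \
    \
    -e "# remove extra quotes" -e '/TODCC/s/""//' \
    \
    -e "/^S${RDNS}check_relay/,/^SLocal_check_relay/{" \
    -e '/^SLocal_check_relay/a\
# reject mail from clients without reverse DNS and report it as spam to the DCC\
R$*	$: <$&{client_resolve}> $1\
R<FAIL> $*	$# $(macro {dcc_isspam} $@ "SMTP client "$&{client_addr}" has no reverse DNS name" $) TODCC\
R<$*> $*	$: $2\
\
' \
    -e '}' \
    \
    -e "/^S${AUTH}check_mail/,/^SLocal_check_mail/{" \
    -e '/^SLocal_check_mail/a\
# mail from an SMTP client with a verified TLS cert is not spam for dccm\
R$*	$: <$&{verify}> $1\
R<OK> $*	$: $(macro {dcc_notspam} $@ STARTTLS verified $) <> $1\
# mail authenticated with SMTP AUTH for relaying is also not spam for dccm\
R<$*> $*	$: <$&{auth_type}> $2\
R<$={TrustAuthMech}> $*	$: $(macro {dcc_notspam} $@ authenticated $) <> $2\
R<$*> $*	$: $2\
\
' \
    -e '}'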