diff --git a/bms.py b/bms.py
index b88453b..150386e 100644
--- a/bms.py
+++ b/bms.py
@@ -1,6 +1,9 @@
 #!/usr/bin/env python
 # A simple milter that has grown quite a bit.
 # $Log$
+# Revision 1.8 2005/06/06 18:24:59 customdesigned
+# Properly log exceptions from pydspam
+#
 # Revision 1.7 2005/06/04 19:41:16 customdesigned
 # Fix bugs from testing RPM
 #
@@ -620,6 +623,17 @@ class bmsMilter(Milter.Milter):
 self.log("REJECT: spam from self",pat)
 self.setreply('550','5.7.1','I hate talking to myself.')
 return Milter.REJECT
+ elif internal_domains:
+ for pat in internal_domains:
+ if fnmatchcase(domain,pat): break
+ else:
+ self.log("REJECT: zombie PC at ",self.connectip," sending MAIL FROM ",
+ self.canon_from)
+ self.setreply('550','5.7.1','Get rid of your virus!',
+ 'Your PC is using an unauthorized MAIL FROM.',
+ 'It is either badly misconfigured or controlled by organized crime.'
+ )
+ return Milter.REJECT
 self.rejectvirus = domain in reject_virus_from
 if user in wiretap_users.get(domain,()):
 self.add_recipient(wiretap_dest)
@@ -638,6 +652,8 @@ class bmsMilter(Milter.Milter):
 if not (self.internal_connection or self.trusted_relay) \
 and self.connectip and spf:
 return self.check_spf()
+ if self.internal_connection:
+ pass
 return Milter.CONTINUE
 def check_spf(self):
diff --git a/milter.cfg b/milter.cfg
index 300261c..0e9c405 100644
--- a/milter.cfg
+++ b/milter.cfg
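Review bot: `if fnmatchcase(domain,pat): break` in the new `elif internal_domains:` branch is a case-sensitive comparison, but mail domains are not; unless `domain` has already been lowercased before this point (the enclosing method starts outside the hunk, so that is not visible), an internal sender whose MAIL FROM reads `MyCorp.COM` is rejected as a zombie, and if the outer "spam from self" branch presumably uses the same test, a spoofed mixed-case internal domain would slip past it. Normalizing once is enough: `if fnmatchcase(domain.lower(), pat.lower()): break`. It is also worth confirming that the null sender (`MAIL FROM:<>`, used for bounces and DSNs) is handled before this branch, since an empty `domain` matches no pattern and every bounce emitted by an internal host would then be refused. The 550 text 'controlled by organized crime' is returned verbatim to the connecting host; a neutral wording such as 'Unauthorized MAIL FROM domain for this network' gives a misconfigured but legitimate client something it can act on.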
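Review bot: `if self.internal_connection: pass` added just before `return Milter.CONTINUE` is dead code: the branch has no effect and reads as an unfinished edit. If it is meant to mark where SPF is deliberately skipped for internal_connect mail (as the milter.cfg comment in this same commit describes), a comment carries that intent without leaving a no-op in the control flow, e.g. `# SPF is intentionally not checked for internal_connect mail; see milter.cfg`; otherwise the two lines should be dropped. The enclosing method begins outside the hunk.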
@@ -1,25 +1,29 @@
 [milter]
 # the socket used to communicate with sendmail. Must match sendmail.cf
-;socket=/var/run/milter/pythonsock
+socket=/var/run/milter/pythonsock
 # where to save original copies of defanged and failed messages
 tempdir = /var/log/milter/save
 # how long to wait for a response from sendmail before giving up
 ;timeout=600
 log_headers = 0
 # connection ips and hostnames are matched against this glob style list
-# to recognize internal senders
+# to recognize internal senders.
 ;internal_connect = 192.168.*.*
 # mail that is not an internal_connect and claims to be from an
-# internal domain is rejected. You should enable SPF instead if you can.
-# SPF is much more comprehensive and flexible.
+# internal domain is rejected. Furthermore, internal mail that
+# does not claim to be from an internal domain is rejected.
+# You should enable SPF instead if you can. SPF is much more comprehensive and
+# flexible. However, SPF is not currently checked for outgoing
+# (internal_connect) mail because it doesn't yet handle authorizing
+# internal IPs locally.
 ;internal_domains = mycorp.com
 # connections from a trusted relay can trust the first Received header
 # SPF checks are bypassed for internal connections and trusted relays.
 ;trusted_relay = 1.2.3.4, 66.12.34.56
-# reject external senders with hello names no legit external sender would use
+# Reject external senders with hello names no legit external sender would use.
 # SPF will do this also, but listing your own domain and mailserver here
 # will save some DNS lookups when rejecting certain viruses.
 ;hello_blacklist = mycorp.com, 66.12.34.56
@@ -46,7 +50,7 @@ porn_words = penis, breast, pussy, horse cock, porn, xenical, diet pill, d1ck, p-e-n-i-s, hydrocodone, vicodin, xanax, vicod1n, x@nax, diazepam, v1@gra, xan@x, cialis, ci@lis, frëe, xănax, valíum, vălium, via-gra, x@n3x, vicod3n, penís, c0d1n, phentermine, en1arge, dip1oma, v1codin,
- valium, rolex, sexual
+ valium, rolex, sexual, fuck
 # reject mail with these case sensitive strings in the subject
 spam_words = $$$, !!!, XXX, FREE, HGH
 # attachments with these extensions will be replaced with a warning
@@ -76,9 +80,10 @@ reject_spoofed = 0
 ;reject_neutral = aol.com
 # use a default (v=spf1 a/24 mx/24 ptr) when no SPF records are published
 ;best_guess = 0
-# reject senders that have neither PTR nor SPF records, or DSN if false
+# Reject senders that have neither PTR nor valid HELO nor SPF records, or send
+# DSN otherwise
 ;reject_noptr = 0
-# always accept softfail from these domains, or DSN otherwise
+# always accept softfail from these domains, or send DSN otherwise
 ;accept_softfail = bounces.amazon.com
 # features intended to clean up outgoing mail