
Mailing List Archive: exim: users

DCC ACL patch

 

 



wbreyha at gmx

Jan 12, 2008, 11:53 AM

Post #1 of 6 (1125 views)
DCC ACL patch

Hi!

I've done a patch for exim to integrate DCC/greyd-checking into exim ACLs
some time ago. Since it works fine here for some time now I'll make it
available for everybody interested.

With the patch exim is able to query dccifd for greylisting results and the
X-DCC Header within the DATA ACL.

The patch is based on code from Tom Kistner's exiscan (ACL integration) and
the DCC local_scan patch from Christopher Bodenstein.

It's available for version 4.69 at
http://www.blafasel.at/exim-dccacl/

A small readme is included.

Regards, Wolfgang Breyha
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


tom at duncanthrax

Jan 13, 2008, 12:45 AM

Post #2 of 6 (1036 views)
Re: DCC ACL patch

Wolfgang Breyha wrote:

> I've done a patch for exim to integrate DCC/greyd-checking into exim ACLs
> some time ago. Since it works fine here for some time now I'll make it
> available for everybody interested.
>
> With the patch exim is able to query dccifd for greylisting results and the
> X-DCC Header within the DATA ACL.

Looks nicely ifdeffed :) I presume you would not mind me checking this
into CVS?

/tom



cb at physicman

Jan 16, 2008, 4:40 AM

Post #3 of 6 (1029 views)
Re: DCC ACL patch

On Sat, 12 Jan 2008 20:53:55 +0100
Wolfgang Breyha <wbreyha [at] gmx> wrote:

> Hi!
>
Hi Wolfgang,

> I've done a patch for exim to integrate DCC/greyd-checking into exim ACLs
> some time ago. Since it works fine here for some time now I'll make it
> available for everybody interested.
>
> With the patch exim is able to query dccifd for greylisting results and the
> X-DCC Header within the DATA ACL.
>
Wow! Great job!
You've done what I've always been too lazy to do, thanks! :)

I'm not too sure how you actually use it as I had some trouble
replacing the local_scan by an ACL.

Therefore, I rewrote a bit your patch (basically removed everything
related to rebuilding the recipients list and I also added return
values for dcc_result which weren't set apparently), so that I can now
have an ACL like this:

    warn  dcc = *
          add_header = $dcc_header

    deny  message = Rejected by DCC
          condition = ${if eq{$dcc_result}{R}{1}{0}}

I haven't tested it for long yet but so far it seems to be working fine.

Attached is a patch for your patched exim ;)
A full diff against a vanilla 4.69 can be found at

http://www.physicman.net/projects/exim/dcc-exim-acl-4.69.patch

Best regards,

Chris

--
,''`. Christopher `Physicman' Bodenstein <cb [at] physicman>
: :' : Physicman.Net : http://www.physicman.net/
`. `' Debian GNU/Hurd : http://www.debian.org/ports/hurd
`- The IPv6 Portal : http://www.ipv6tf.org/
Attachments: exim469-dcc.reworked.patch (6.75 KB)


wbreyha at gmx

Jan 16, 2008, 6:05 AM

Post #4 of 6 (1032 views)
Re: DCC ACL patch

Physicman wrote, on 16.01.2008 13:40:
> Wow! Great job!
> You've done what I've always been too lazy to do, thanks! :)

;-) It's a pleasure that it's useful for others, too:)

> I'm not too sure how you actually use it as I had some trouble
> replacing the local_scan by an ACL.

I use DCC for both counting and greylisting. dccifd (-Gon) returns the
greylisting results.

The DATA ACL starts with

    warn  dcc = *
          set acl_m6 = yes

acl_m6 is combined with several triggers like RBL entries or exim checks later
to do selective greylisting. eg:

    defer condition = $acl_m6
          hosts = ! +system_hosts
          !verify = reverse_host_lookup

That's why i defined dcc_result first and never implemented it finally;-)

> Therefore, I rewrote a bit your patch (basically removed everything
> related to rebuilding the recipients list and I also added return
> values for dcc_result which weren't set apparently), so that I can now
> have an ACL like this:

Wasn't that part commented already? But yes, my patch is very close to my
needs here currently.

One "special feature" i didn't mention in the readme is the
    dcc_direct_header_add = yes

If you use spamd within DATA ACL and call dcc before, you can set this to add
the X-DCC-Header "in deep" to the spool file. In this way spamd already sees
the header (what's not the case if add_header was used) and simple matching
rules can be used instead of the full SpamAssassin DCC module. eg:
    header __XXDCC_HIGH_BODY X-DCC-xx-Metrics =~ /^.*Body=\d{6,}\s+Fuz.*$/
    header __XXDCC_HIGH_FUZ1 X-DCC-xx-Metrics =~ /^.*Fuz1=\d{6,}\s+Fuz.*$/
    header __XXDCC_HIGH_FUZ2 X-DCC-xx-Metrics =~ /^.*Fuz2=\d{6,}$/

This also prevents double counts etc....

>     warn  dcc = *
>           add_header = $dcc_header
>
>     deny  message = Rejected by DCC
>           condition = ${if eq{$dcc_result}{R}{1}{0}}
>
> I haven't tested it for long yet but so far it seems to be working fine.
>
> Attached is a patch for your patched exim ;)
> A full diff against a vanilla 4.69 can be found at

Fine! I'll try to get the patch and documentation reworked again on weekend
and send it to Tom Kistner for CVS inclusion. The main reason why I released
the patch mostly "as is" was that I wanted to wait for feedback first.

Greetings,
Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria




cb at physicman

Jan 22, 2008, 6:31 AM

Post #5 of 6 (1019 views)
Re: DCC ACL patch

Hi Wolfgang,

On Wed, 16 Jan 2008 15:05:33 +0100
Wolfgang Breyha <wbreyha [at] gmx> wrote:

> I use DCC for both counting and greylisting. dccifd (-Gon) returns the
> greylisting results.
[snip]
> That's why i defined dcc_result first and never implemented it finally;-)
>
Ah ok, I understand better now. Nice to hear the thing is actually
working with greylisting (as I never tried it myself) :D

> > Therefore, I rewrote a bit your patch (basically removed everything
> > related to rebuilding the recipients list and I also added return
> > values for dcc_result which weren't set apparently), so that I can now
> > have an ACL like this:
>
> Wasn't that part commented already? But yes, my patch is very close to my
> needs here currently.
>
That was actually part of the problems I had. Some parts were
commented but not others so that in the end some counters weren't
updated and thus the return value wasn't right.

> One "special feature" i didn't mention in the readme is the
> dcc_direct_header_add = yes
>
> If you use spamd within DATA ACL and call dcc before, you can set this to add
> the X-DCC-Header "in deep" to the spool file. In this way spamd already sees
> the header (what's not the case if add_header was used) and simple matching
> rules can be used instead of the full SpamAssassin DCC module. eg:
> header __XXDCC_HIGH_BODY X-DCC-xx-Metrics =~ /^.*Body=\d{6,}\s+Fuz.*$/
> header __XXDCC_HIGH_FUZ1 X-DCC-xx-Metrics =~ /^.*Fuz1=\d{6,}\s+Fuz.*$/
> header __XXDCC_HIGH_FUZ2 X-DCC-xx-Metrics =~ /^.*Fuz2=\d{6,}$/
>
> This also prevents double counts etc....
>
That sounds very nice. Do you set the "dcc_direct_header_add = yes"
right into the ACL then?
BTW, I'm now wondering if it would be interesting to split the results
and to return separate values for Body, Fuz1 & Fuz2 to exim. What do
you think?

> > I haven't tested it for long yet but so far it seems to be working fine.
> >
I've now tested it some more and also deployed it on some more heavily
used servers and no problems so far.

> Fine! I'll try to get the patch and documentation reworked again on weekend
> and send it to Tom Kistner for CVS inclusion. The main reason why I released
> the patch mostly "as is" was that I wanted to wait for feedback first.
>
That would be great. Let me know if I can help in some way. :)

Cheers,

> Greetings,
> Wolfgang

Chris

--
,''`. Christopher `Physicman' Bodenstein <cb [at] physicman>
: :' : Physicman.Net : http://www.physicman.net/
`. `' Debian GNU/Hurd : http://www.debian.org/ports/hurd
`- The IPv6 Portal : http://www.ipv6tf.org/
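
Added example, not part of the thread or of either patch: the three header rules quoted above are run against constructed X-DCC metrics values, next to a small splitter that returns Body, Fuz1 and Fuz2 separately, as the reply suggests. The function names and sample values are assumptions made for illustration; the third sample uses the word `many`, which DCC can print in place of a number and which `\d{6,}` does not match.

```python
import re

# The three SpamAssassin header rules quoted in the thread, as Python regexes.
RULES = {
    "__XXDCC_HIGH_BODY": re.compile(r"^.*Body=\d{6,}\s+Fuz.*$"),
    "__XXDCC_HIGH_FUZ1": re.compile(r"^.*Fuz1=\d{6,}\s+Fuz.*$"),
    "__XXDCC_HIGH_FUZ2": re.compile(r"^.*Fuz2=\d{6,}$"),
}

# Hypothetical splitter: one count per checksum type, numeric or "many".
COUNT = re.compile(r"\b(Body|Fuz1|Fuz2)=(\d+|many)\b")
THRESHOLD = 100_000  # smallest value \d{6,} accepts (ignoring leading zeros)


def rules_hit(value):
    """Names of the quoted rules that match this header value."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))


def split_metrics(value):
    """Split the header value into {'Body': int | 'many', 'Fuz1': ..., 'Fuz2': ...}."""
    return {k: (v if v == "many" else int(v)) for k, v in COUNT.findall(value)}


def high_counts(value):
    """Checksum types whose count is at or above THRESHOLD, treating 'many' as high."""
    parsed = split_metrics(value)
    return sorted(k for k, v in parsed.items() if v == "many" or v >= THRESHOLD)


# Constructed header values (host name and server id are placeholders).
SAMPLES = [
    "mx.example.net 1234; Body=1 Fuz1=1 Fuz2=1",
    "mx.example.net 1234; Body=250000 Fuz1=3 Fuz2=1200000",
    "mx.example.net 1234; Body=many Fuz1=many Fuz2=many",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  regex rules :", rules_hit(sample))
        print("  split values:", split_metrics(sample))
        print("  high counts :", high_counts(sample))
```

On the third sample the regex rules stay silent while the split values flag all three checksums, so a rule set built on digit counts alone needs a separate match for `many`.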


wbreyha at gmx

Aug 17, 2009, 7:36 AM

Post #6 of 6 (779 views)
Re: DCC ACL patch

Hi!

Physicman wrote, on 22.01.2008 15:31:
> On Wed, 16 Jan 2008 15:05:33 +0100
> Wolfgang Breyha <wbreyha [at] gmx> wrote:
>> Fine! I'll try to get the patch and documentation reworked again on weekend
>> and send it to Tom Kistner for CVS inclusion. The main reason why I released
>> the patch mostly "as is" was that I wanted to wait for feedback first.
>>
> That would be great. Let me know if I can help in some way. :)

Well, it took me a "little longer" than a weekend, but I rewrote my DCC patch
and put it on again here:
http://www.blafasel.at/exim-dccacl/

I had to change and rework the return codes, too. So everybody using my patch
and using
    defer dcc = *
to greylist MUST change that to
    defer !dcc = *
now, to get the same results.

I also added a new "feature" (or hack). If
    $acl_m_dcc_add_header
is filled with some headers before dcc is called, these headers are added "in
deep" as well. I for myself use that to pass the ClamAV result to SpamAssassin
to check for the great sanesecurity patterns there.

Maybe there's a better solution for adding headers in the middle of DATA which
are passed to later ACL stages like SpamAssassin, but this one works pretty
nice;-) Working on a RAM disc (exim scan folder) is highly recommended.

Since Tom added my older patch to the CVS maybe one of the devs can add this
one, too?

Regards, Wolfgang Breyha
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria

