Posted to dev@httpd.apache.org by Jem Berkes <jb...@users.pc9.org> on 2005/08/19 01:11:57 UTC
Supporting RBL in mod_smtpd
Here is my current plan for introducing the RBL support in mod_smtpd, using
the existing mod_dnsbl_lookup which I posted earlier. This way of
accomplishing the RBL support should not require any code modification to
mod_smtpd itself. Nick and Rian, let me know if I should be going about
this a different way?
I thought the most modular fashion would be to create a mod_smtpd_rbl that
registers the following mod_smtpd hooks:
smtpd_run_connect (might deny service to connecting IP, per request_rec)
smtpd_run_mail (might deny service to this envelope domain, per loc)
These would query whitelists and blacklists, whatever is available.
I don't mind whipping up this bridging mod_smtpd_rbl module, but if it
seems excessive to introduce a new module for this purpose then the other
way of doing this would be to add the RBL supporting code into mod_smtpd
itself.
Either way it's done, RBLs are still not required and mod_dnsbl_lookup does
not have to be present for mod_smtpd to function normally. However, adding
a new bridging module has the advantage of leaving mod_smtpd code alone and
taking advantage of the hooks interface.
Re: Supporting RBL in mod_smtpd
Posted by Jem Berkes <jb...@users.pc9.org>.
> > smtpd_run_connect (might deny service to connecting IP, per
> > request_rec)
> > smtpd_run_mail (might deny service to this envelope domain, per loc)
> +1
> ...
> Don't do this just yet, mod_smtpd is changing completely! completely =
> structures/io. I should commit my changes very soon so you can start
> working on this.
OK, I'll watch for the changes. Make sure you keep what I need though :)
smtpd_run_connect should somehow pass the address of the peer (currently
that's within the request_rec)
smtpd_run_mail should still pass the MAIL FROM address the peer specifies,
it currently comes in the char* loc.
As long as this data is still available to me and I can return a code to
reject the mail, we should be good to go. Somewhat trivial I hope.
Committed mod_smtpd/trunk/mod_smtpd_rbl and mod_dnsbl_lookup
Posted by Jem Berkes <jb...@users.pc9.org>.
> Hopefully later today I should have this completely done and checked in.
I waited for Rian to update the mod_smtpd structures, and I have now
checked in my code for RBL functionality. There are README files in both
directories describing use. However, could someone tell me how to properly
use mod_smtpd.h and dnsbl_lookup.h in the build process? I've copied them
between directories but this can't be the right way to do it.
https://svn.apache.org/repos/asf/httpd/mod_smtpd/trunk/mod_smtpd_rbl/
- Adds RBL whitelisting and blacklisting to mod_smtpd, either
rejecting client IPs upon connection (DNSBL) or envelope sender
domains (RHSBL). By hooking into Rian's smtp this remains totally
modular and does not alter mod_smtpd itself.
https://svn.apache.org/repos/asf/httpd/mod_smtpd/trunk/mod_dnsbl_lookup/
- Does the actual DNSBL and RHSBL lookups, supporting rather advanced
configuration in the form of distinct query chains. Many chains can
be defined so admins can use chains for different purposes. Flags to
the lookup functions allow different query styles, such as either
stopping on one match or querying everything and returning a table of
response details.
Sample configuration for mod_smtpd + mod_smtpd_rbl + mod_dnsbl_lookup:

# Enable mod_smtpd
SmtpProtocol On

# Define whitelist and blacklist chains for mod_smtpd_rbl
SmtpWhitelist mywhitelist
SmtpBlacklist myblacklist

# Enable mod_dnsbl_lookup
DnsblLookups On

# The zones and chains for mod_dnsbl_lookup
RhsblZone myblacklist rhsbl.ahbl.org. 127.0.0.2
RhsblZone myblacklist abuse.rfc-ignorant.org. 127.0.0.4
DnsblZone myblacklist sbl.spamhaus.org. any
DnsblZone myblacklist cbl.abuseat.org. any
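
Added example, not part of the original post and not mod_dnsbl_lookup's code: how a chain like "myblacklist" above turns a client IP (DNSBL) or envelope sender domain (RHSBL) into DNS query names, and how the stop-on-first-match and query-everything styles differ. The struct, the function names and the in-memory fake_dns table are assumptions for illustration, as is reading the last field of each zone line as "any answer" versus one exact A record; the listed names and answers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not mod_dnsbl_lookup's own API. */
struct zone { enum { DNSBL, RHSBL } type; const char *name, *expect; };
/* The "myblacklist" chain from the sample configuration above. */
const struct zone myblacklist[] = {
    { RHSBL, "rhsbl.ahbl.org.", "127.0.0.2" },
    { RHSBL, "abuse.rfc-ignorant.org.", "127.0.0.4" },
    { DNSBL, "sbl.spamhaus.org.", "any" },
    { DNSBL, "cbl.abuseat.org.", "any" },
};
/* Constructed stand-in for DNS: listed query names and their A records. */
static const char *fake_dns[][2] = {
    { "99.2.0.192.cbl.abuseat.org.", "127.0.0.2" },
    { "spam.example.rhsbl.ahbl.org.", "127.0.0.2" },
    { "spam.example.abuse.rfc-ignorant.org.", "127.0.0.3" },
};
static const char *resolve_a(const char *qname) {
    for (size_t i = 0; i < sizeof fake_dns / sizeof fake_dns[0]; i++)
        if (strcmp(fake_dns[i][0], qname) == 0) return fake_dns[i][1];
    return NULL; /* NXDOMAIN: not listed */
}
/* DNSBL: reversed IPv4 octets + zone. RHSBL: sender domain + zone. */
int build_qname(const struct zone *z, const char *ip, const char *domain,
                char *out, size_t n) {
    unsigned a, b, c, d; char tail; int len;
    if (z->type == RHSBL) {
        if (!domain) return -1; /* connect time: no envelope sender yet */
        len = snprintf(out, n, "%s.%s", domain, z->name);
    } else {
        if (!ip || sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4
            || a > 255 || b > 255 || c > 255 || d > 255) return -1;
        len = snprintf(out, n, "%u.%u.%u.%u.%s", d, c, b, a, z->name);
    }
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Record matching zone indexes in hits[]; stop_first ends at the first hit. */
int chain_query(const struct zone *chain, int count, const char *ip,
                const char *domain, int stop_first, int *hits) {
    char qname[320]; int nhits = 0;
    for (int i = 0; i < count && !(nhits && stop_first); i++) {
        if (build_qname(&chain[i], ip, domain, qname, sizeof qname)) continue;
        const char *a = resolve_a(qname);
        if (a && (!strcmp(chain[i].expect, "any") || !strcmp(chain[i].expect, a)))
            hits[nhits++] = i;
    }
    return nhits;
}
```

With a NULL domain (the connect-time case) only the DnsblZone entries are queried. The rfc-ignorant entry answers 127.0.0.3 in the constructed data, so it does not count as a hit against the configured 127.0.0.4.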
Re: Supporting RBL in mod_smtpd
Posted by Rian Hunter <ri...@MIT.EDU>.
On Aug 19, 2005, at 9:58 AM, Brian J. France wrote:
>
> On Aug 18, 2005, at 6:22 PM, Rian Hunter wrote:
>
>> Don't do this just yet, mod_smtpd is changing completely!
>> completely = structures/io. I should commit my changes very soon
>> so you can start working on this.
>>
>
> Any ETA on this? I will be on a 4 hour flight on Monday and was
> going to download svn head to play with and try to start building
> some modules.
Hopefully later today I should have this completely done and checked in.
-rian
Re: Supporting RBL in mod_smtpd
Posted by Rian Hunter <ri...@MIT.EDU>.
On Aug 18, 2005, at 7:11 PM, Jem Berkes wrote:
> Here is my current plan for introducing the RBL support in
> mod_smtpd, using
> the existing mod_dnsbl_lookup which I posted earlier. This way of
> accomplishing the RBL support should not require any code
> modification to
> mod_smtpd itself. Nick and Rian, let me know if I should be going
> about
> this a different way?
>
> I thought the most modular fashion would be to create a
> mod_smtpd_rbl that
> registers the following mod_smtpd hooks:
> smtpd_run_connect (might deny service to connecting IP, per
> request_rec)
> smtpd_run_mail (might deny service to this envelope domain, per loc)
+1
> These would query whitelists and blacklists, whatever is available.
>
> I don't mind whipping up this bridging mod_smtpd_rbl module, but if it
> seems excessive to introduce a new module for this purpose then the
> other
> way of doing this would be to add the RBL supporting code into
> mod_smtpd
> itself.
Don't do this just yet, mod_smtpd is changing completely! completely
= structures/io. I should commit my changes very soon so you can
start working on this.
>
> Either way it's done, RBLs are still not required and
> mod_dnsbl_lookup does
> not have to be present for mod_smtpd to function normally. However,
> adding
> a new bridging module has the advantage of leaving mod_smtpd code
> alone and
> taking advantage of the hooks interface.
>
+1
-rian