ACCESS_CHECK
============

An SMTP client access validation callout for Message Exchange

PREREQUISITE SOFTWARE
=====================

One of the following:
    OpenVMS Alpha V6.2 or later
    OpenVMS Industry Standard 64 E8.2 or later

Message Exchange for OpenVMS, V5.4 or later

DESCRIPTION
===========

This kit contains the source code and pre-built shareable images
for ACCESS_CHECK, an add-on callout for MX V5.4 and later that can
be used for validating the host names advertised by clients that
connect to the SMTP server.

Installation
------------

To use the pre-built images provided in this kit, you must be using
a version of OpenVMS listed in the PREREQUISITE SOFTWARE section of
this document.  Start by copying the appropriate image for your
system to an appropriate directory.  For example, to copy the
Alpha image to your MX executables directory:

    $ COPY ACCESS_CHECK.ALPHA_EXE MX_EXE:ACCESS_CHECK.EXE

Or, if you are running a mixed-architecture cluster, you could
use any or all of the images:

    $ COPY ACCESS_CHECK.VAX_EXE MX_ROOT:[EXE]ACCESS_CHECK.EXE
    $ COPY ACCESS_CHECK.ALPHA_EXE MX_ROOT:[ALPHA_EXE]ACCESS_CHECK.EXE
    $ COPY ACCESS_CHECK.IA64_EXE MX_ROOT:[IA64_EXE]ACCESS_CHECK.EXE

Edit your system startup procedure(s) to define the following
logical name *before* MX is started:

    $ DEFINE/SYSTEM/EXEC MX_SITE_CLIENT_ACCESS_CHECK MX_EXE:ACCESS_CHECK.EXE

To have the checks take effect on a running system, define the
above-mentioned logical name, then shut down and restart the MX SMTP
server:

    $ DEFINE/SYSTEM/EXEC MX_SITE_CLIENT_ACCESS_CHECK MX_EXE:ACCESS_CHECK.EXE
    $ mcp := $MX_EXE:MCP
    $ MCP SHUTDOWN SMTP_SERVER
    $ @SYS$STARTUP:MX_STARTUP SMTP_SERVER

If you are running the SMTP server on multiple nodes in a cluster,
you will need to execute the above commands on each node where the
SMTP server is running.

Optional Logical Names
----------------------

The following logical names can be used to control the behavior of
the callout.  By default, the callout checks only the domain name
provided by SMTP clients in the HELO/EHLO command at the start of
an SMTP session.  If that domain name cannot be validated -- that
is, if it is not a host name, or the name does not translate to
the IP address that the client is actually using for the session --
the callout will tell the SMTP server to insert a warning in the
Received: header.  This warning can then be used by spam filters
(such as MX's REJMAN rules) to discard or divert messages sent
by the client.

You can configure the callout to also check that the IP address
of the client translates to a valid domain name with:

    $ DEFINE/SYSTEM CLIENT_ACCESS_CHECK_PTR any-value

The existence of this logical name will cause the callout to perform
an inverse DNS lookup on the client's address.

You can configure the callout to reject messages sent by the client,
rather than simply flagging them with a warning, with the following
logical names:

    $ DEFINE/SYSTEM CLIENT_ACCESS_REJECT_ON_HELO_FAIL any-value

The existence of this logical name will cause the callout to reject
all messages sent by a client whose HELO/EHLO domain name fails to
pass the validation checks.

    $ DEFINE/SYSTEM CLIENT_ACCESS_REJECT_ON_PTR_FAIL any-value

If you have CLIENT_ACCESS_CHECK_PTR enabled, this logical name will
cause messages sent by clients whose IP addresses fail the
inverse-address lookup check to be rejected.

Warning Codes
-------------

When the callout flags messages with a warning, it provides a code
that indicates the type of validation failure that occurred.
The warning code is a 4-digit hexadecimal value that is included in
the Received: header inserted by the SMTP server, after the words
"warning type".

The first two digits of the code will either be "00", indicating that
the client was on an "outside" network, or "01", indicating that the
client was on an "inside" network.

The second two digits indicate the specific type of validation failure:

01: Inverse-address lookup failed.  This code is used only when inverse
    lookups are enabled, and inverse-lookup failure rejections are disabled.

02: Internal error -- domain name string could not be obtained.

03: Client used an IP address in square brackets (e.g., "[1.2.3.4]") on
    the HELO or EHLO command.

04: Client used an unbracketed IP address or an unadorned host name (with
    no dots in it), such as "1.2.3.4" or "hostname".  The unadorned host
    name check is only made for "outside" hosts.

05: Internal error -- name-to-address lookup call failed.

06: Domain name provided on HELO/EHLO command was not found.  Set only
    if invalid-HELO rejections are not enabled.

07: Domain name provided on HELO/EHLO command did not translate to the
    actual IP address used by the client for the connection.  Set only
    if invalid-HELO rejections are not enabled.

Here is an example of using a REJMAN rule to divert messages flagged
with the "06" or "07" failure codes from "outside" hosts to the system
manager:

    REJMAN> ADD REJECTION/HEADER/REGEX -
            "Received: .*warning type 000[67].*" /FORWARD_TO="system@myhost.com"

Notes
-----

* The callout has a built-in exclusion list that currently includes the
  address range for EBay's mail servers.  EBay's servers advertise domain
  names on their HELO commands that translate to NAT addresses, and also
  use NAT addresses for the relevant DNS servers for those domains.  This
  seems broken to me, but needs to be worked around since DNS queries for
  the HELO domain names can easily time out because the NATted DNS servers
  cannot be reached.  If you need to manually configure additional exclusions,
  you can either rebuild the callout from sources, or add a host or network
  to your "inside" network list in MX.  The latter approach won't prevent
  the checks from occurring, but makes the checks less stringent.

* You should NOT use this callout if your DNS resolver or server is not
  reliable.  Running a local caching DNS server on the same host as your
  SMTP server is recommended.  Even with reliable local DNS service, you
  may still get occasional false failure indications, if the DNS servers
  for a client host's domain are unreachable for some reason.  For this
  reason, using the warning-flag mechanism is recommended.  Use the
  rejection mechanism only if you are willing to put up with user
  complaints about messages not getting through.

* The address-to-name (inverse-lookup) namespace in the DNS is not
  necessarily reliably populated.  This callout does not match the
  returned name from an inverse-lookup against the HELO domain for
  this reason.  Inverse lookups can also fail fairly frequently, which
  is why they are disabled by default.

------------------------
COPYRIGHT NOTICE

Copyright (c) 2008, Matthew Madison.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

    * Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.
    * Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.
    * Neither the name of the copyright owner nor the names of any
      other contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
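Worked example (added here; not part of the ACCESS_CHECK kit, which is built from its own sources)

The HELO/EHLO and inverse-lookup checks, the warning-code layout and the
REJMAN regex described above, modelled in Python so the decision logic can be
exercised offline.  The FORWARD and REVERSE tables are a constructed stand-in
for the DNS, the sample Received: header is constructed (the document only
specifies the "warning type XXXX" token, not MX's full header layout), and the
assumption that the PTR check runs only after the HELO name validated, so that
a single code is reported, is the example's, not documented behaviour of the
callout.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the DNS so the example runs offline.  The real
# callout queries the system resolver; these tables are test data only.
FORWARD: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "relay.example.org": ["198.51.100.7"],
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",   # 198.51.100.7 deliberately has no PTR
}

HELO_CODES = {"03", "04", "06", "07"}   # failures of the HELO/EHLO name check
PTR_CODE = "01"                         # failure of the inverse-address check


def is_ip_literal(text: str) -> bool:
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def helo_failure(helo: str, client_ip: str, inside: bool) -> Optional[str]:
    """Classify the HELO/EHLO name; two-digit failure code, or None if it validates."""
    if not helo:
        return "02"                        # no domain string could be obtained
    if helo.startswith("[") and helo.endswith("]") and is_ip_literal(helo[1:-1]):
        return "03"                        # bracketed address literal
    if is_ip_literal(helo):
        return "04"                        # unbracketed address
    if "." not in helo and not inside:
        return "04"                        # unadorned name; checked for outside hosts only
    addresses = FORWARD.get(helo.lower())
    if addresses is None:
        return "06"                        # name not found
    if client_ip not in addresses:
        return "07"                        # name exists but does not map to this client
    return None


def ptr_failure(client_ip: str) -> Optional[str]:
    """Inverse lookup of the client address; the name found is not compared with HELO."""
    return None if client_ip in REVERSE else PTR_CODE


def warning_code(helo: str, client_ip: str, inside: bool,
                 check_ptr: bool = False) -> Optional[str]:
    """4-digit code: "00" (outside) or "01" (inside) prefix plus the failure code.

    Assumption (example's own): the PTR check, enabled by CLIENT_ACCESS_CHECK_PTR,
    only contributes a code when the HELO name validated.
    """
    failure = helo_failure(helo, client_ip, inside)
    if failure is None and check_ptr:
        failure = ptr_failure(client_ip)
    if failure is None:
        return None
    return ("01" if inside else "00") + failure


def disposition(code: Optional[str], reject_on_helo: bool = False,
                reject_on_ptr: bool = False) -> str:
    """accept / warn / reject, modelling the two CLIENT_ACCESS_REJECT_ON_* logical names.

    Assumption (example's own): internal-error codes 02 and 05 only ever warn.
    """
    if code is None:
        return "accept"
    failure = code[2:]
    if failure in HELO_CODES and reject_on_helo:
        return "reject"
    if failure == PTR_CODE and reject_on_ptr:
        return "reject"
    return "warn"


# Reading the flag back out of a Received: header, as a REJMAN rule would.
WARNING_RE = re.compile(r"warning type ([0-9A-Fa-f]{4})")
# The regex from the REJMAN example: outside hosts with failure code 06 or 07.
REJMAN_RE = re.compile(r"Received: .*warning type 000[67].*")


def parse_received_warning(header: str) -> Optional[Tuple[str, str]]:
    """(network, failure_code) from a flagged Received: header, or None if unflagged."""
    match = WARNING_RE.search(header)
    if not match:
        return None
    code = match.group(1).upper()
    return ("inside" if code[:2] == "01" else "outside", code[2:])


def rejman_rule_matches(header: str) -> bool:
    """True when the document's REJMAN rule would divert a message with this header."""
    return REJMAN_RE.search(header) is not None
```

Feeding a client that says "HELO mail.example.net" from 203.0.113.5 yields
"0007"; the same client from 192.0.2.10 passes, and with check_ptr=True a
client at 198.51.100.7 (no PTR in the constructed table) yields "0001".
disposition() shows why the Notes recommend the warning flag: with the
reject logicals off every failure is only a "warn", which REJMAN can then
act on selectively.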