
We have an anti-spam system that sometimes creates false positives. When reported, we verify and whitelist the domains or IPs that have been wrongly triggered. However, I'd like to automate this by making a script that does the following when someone from our server sends a message:

-> if the sender is hosted on our server -> grab the sender and recipient -> type the command 'spfbl superwhite add "recipient@domain.tld>sender@domain.tld" '.

It's very important that the system filters only senders hosted on our cPanel servers (so we may use the /etc/localdomains file), but I have no idea how to start this.

Anyone have any ideas?

Much appreciated.

UPDATE

I've managed to do that with the script provided by kondybas with some changes:

Section: PREROUTERS
whitelister:
  driver    = accept
  domains    = !+local_domains
  condition = ${if match_domain{$sender_address_domain}{+local_domains}}
  transport = whlist
no_more

-

Section: TRANSPORTSTART
whlist:
  driver  = pipe
  command = /var/spool/exim/autoWH $local_part@$domain 

And the /var/spool/exim/autoWH file:

#!/bin/sh

# Debug:
echo "Received args: \$1 = $1" >> /var/spool/exim/log-transport.log

# Magic (the address is quoted so the shell cannot split it):
/var/spool/exim/spfbl.sh white sender "$1"
####

Everything is in an exim-owned folder so I don't have permission problems.

Oops.. problem: using those parameters, exim is not delivering the mail as it's trying to make a local delivery: local delivery failed

rnehme
  • Have you already configured SMTP authentication for clients from hosted domains? – Kondybas Jul 21 '16 at 17:38
  • Hi, yes, only authenticated mail is enabled on our server. – rnehme Jul 22 '16 at 19:07
  • What do you mean by `sender is hosted on our server`? Sender is local on your host? Or, maybe, sender is remote/authenticated but has a return-path from a domain hosted on our server? – Kondybas Jul 23 '16 at 09:23
  • I mean every message, local or remote/authenticated; that is, every legit message being sent from users on my server. – rnehme Jul 25 '16 at 12:44

1 Answer

Just add the router and transport like this:

begin routers
whitelister:
  driver    = accept
  domains   = !+local_domains
  # match_domain accepts named domain lists such as +local_domains
  condition = ${if match_domain{$sender_address_domain}{+local_domains}}
  transport = whlist
  # unseen: hand a copy to whlist and keep routing the real delivery
  unseen

and transport:

begin transports
whlist:
  driver  = pipe
  # $address_data is only set by a router's address_data option; use the
  # recipient's $local_part@$domain and the envelope $sender_address instead
  command = spfbl superwhite add "$local_part@$domain>$sender_address"

UPDATE

The better approach is to invoke a shell script instead of invoking the utility directly. At least you don't have to restart exim each time you modify the script:

begin transports
whlist:
  driver  = pipe
  # recipient first, envelope sender second
  command = /path/to/script $local_part@$domain $sender_address

Then the script should be like this:

#!/bin/sh

# Debugging info:
echo "Received args are: \$1 = $1 and \$2 = $2" >> /path/to/transport.log

# The magic (arguments quoted so an address cannot be split by the shell;
# the "recipient>sender" format is the one the question gives):
/path/to/spfbl superwhite add "$1>$2"
####
Kondybas
  • Much appreciated! I'll try it out! – rnehme Jul 26 '16 at 19:18
  • Maybe you have to invoke `spfbl` via sudo because of permissions. In some cases you can set the desired EUID directly in the transport: `user = spfbl` or similar. – Kondybas Jul 27 '16 at 08:29
  • Hi, thanks for the help. Unfortunately, it didn't work the way I did it: http://prntscr.com/byre5r and http://prntscr.com/byrfrf – rnehme Jul 28 '16 at 19:41
  • I changed the transport to this but it seems that it isn't being triggered: http://prntscr.com/bys1zv – rnehme Jul 28 '16 at 20:25
  • I've edited my answer – Kondybas Jul 29 '16 at 18:46
  • Hi, thanks for that, I think it's better also. But the transport is unfortunately still not being triggered by exim (manually from the shell the command is working, and I've put the log file and the bash script in the /var/spool/exim folder). I've changed 'domain' to 'domains' because I think it's just a mistype. – rnehme Jul 31 '16 at 22:24
  • Hi, two problems: the condition and the $address_data. I'll try to fix the condition, and the $address_data I've changed to $local_part@$domain (this part worked). – rnehme Jul 31 '16 at 23:16
  • Done.. editing answer. – rnehme Jul 31 '16 at 23:27
  • Oops.. it didn't work! The system is trying to do a local delivery instead of correctly routing the message. – rnehme Aug 01 '16 at 00:06
  • Router needs the verb `unseen`; I've edited the answer again. – Kondybas Aug 01 '16 at 05:42
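A fuller version of the pipe-transport script discussed in the question and the answer, added here as an illustration (it is not the asker's autoWH script, not Kondybas's script, and not part of spfbl). It adds the check the question asked for, that only senders whose domain appears in cPanel's /etc/localdomains get whitelisted, validates both addresses before they reach a command line, and logs skipped pairs. The spfbl and log paths and the function names are assumptions, as is the argument order, which assumes the transport's command passes the recipient (`$local_part@$domain`) first and the envelope sender (`$sender_address`) second.

```sh
#!/bin/sh
# Auto-whitelist hook for the whlist pipe transport. Added example, not the
# asker's autoWH script nor part of spfbl; Exim is assumed to call it as:
#   /path/to/autowh.sh "$local_part@$domain" "$sender_address"
# Host-specific locations are assumptions (override via the environment):
LOCALDOMAINS="${LOCALDOMAINS:-/etc/localdomains}"   # cPanel's list of hosted domains
SPFBL="${SPFBL:-/path/to/spfbl}"                    # spfbl client, path assumed
LOGFILE="${LOGFILE:-/var/spool/exim/autowh.log}"    # log path assumed

# Accept only a conservative address shape: exactly one '@', a dotted domain,
# no whitespace, no shell metacharacters and no '>' (the entry separator).
valid_addr() {
    case "$1" in
        ''|*' '*|*'>'*|*'<'*|*'"'*|*"'"*|*'`'*|*'$'*|*'|'*|*';'*|*'&'*|*'\'*) return 1 ;;
        ?*@?*.?*) ;;
        *) return 1 ;;
    esac
    [ "${1#*@}" = "${1##*@}" ]   # true only when there is a single '@'
}

# Lower-cased domain part of an address.
domain_of() {
    printf '%s\n' "${1##*@}" | tr 'A-Z' 'a-z'
}

# True when $1 appears as a whole line (case-insensitively) in the file $2.
is_local_domain() {
    [ -r "$2" ] || return 1
    grep -qixF -- "$1" "$2"
}

# The "recipient>sender" pair in the format the question gives for
# 'spfbl superwhite add'.
whitelist_entry() {
    printf '%s>%s\n' "$1" "$2"
}

# Decide for one delivery: prints the entry and returns 0 when the sender's
# domain is hosted here, 1 when it is not, 2 when an argument is malformed.
autowh() {
    valid_addr "$1" && valid_addr "$2" || return 2
    is_local_domain "$(domain_of "$2")" "$LOCALDOMAINS" || return 1
    whitelist_entry "$1" "$2"
}

# Entry point when Exim runs the transport (two arguments, message on stdin).
if [ "$#" -eq 2 ]; then
    [ -t 0 ] || cat >/dev/null          # drain the message Exim writes to stdin
    if entry=$(autowh "$1" "$2"); then
        printf 'whitelist %s\n' "$entry" >> "$LOGFILE"
        exec "$SPFBL" superwhite add "$entry"
    else
        # Exit 0 so Exim never defers or bounces this copy; the real delivery
        # is handled by the later routers because the router is 'unseen'.
        printf 'skip rcpt=%s sender=%s rc=%s\n' "$1" "$2" "$?" >> "$LOGFILE"
        exit 0
    fi
fi
```

When trying it from a shell, pass two addresses and redirect stdin from /dev/null; the skip branch exits 0 on purpose, since a failing pipe transport would otherwise be reported as a delivery problem for a message that the `unseen` router has already passed on for normal delivery.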