## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-admin : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-antiharassment : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-books : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-cdvendors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-cloudaccounts : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-community : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-consultants : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-da-manager : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-data-protection : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-diversity : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-events : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-ftp-master : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-ftpmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-hostmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-iana : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-leader : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-keyring-maint : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-mailer-daemon : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-merchandise : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-mirrors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-nagios : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-new-maintainer : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-override-change : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-partners : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-patents : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-preinstallvendors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-press : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-treasurer : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-trademark : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-salsa-admin : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-wat : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-wbadm : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
-webmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain
+admin : bogusmx.rfc-clueless.org/$sender_address_domain
+antiharassment : bogusmx.rfc-clueless.org/$sender_address_domain
+books : bogusmx.rfc-clueless.org/$sender_address_domain
+cdvendors : bogusmx.rfc-clueless.org/$sender_address_domain
+cloudaccounts : bogusmx.rfc-clueless.org/$sender_address_domain
+community : bogusmx.rfc-clueless.org/$sender_address_domain
+consultants : bogusmx.rfc-clueless.org/$sender_address_domain
+da-manager : bogusmx.rfc-clueless.org/$sender_address_domain
+data-protection : bogusmx.rfc-clueless.org/$sender_address_domain
+diversity : bogusmx.rfc-clueless.org/$sender_address_domain
+events : bogusmx.rfc-clueless.org/$sender_address_domain
+ftp-master : bogusmx.rfc-clueless.org/$sender_address_domain
+ftpmaster : bogusmx.rfc-clueless.org/$sender_address_domain
+hostmaster : bogusmx.rfc-clueless.org/$sender_address_domain
+iana : bogusmx.rfc-clueless.org/$sender_address_domain
+leader : bogusmx.rfc-clueless.org/$sender_address_domain
+keyring-maint : bogusmx.rfc-clueless.org/$sender_address_domain
+mailer-daemon : bogusmx.rfc-clueless.org/$sender_address_domain
+merchandise : bogusmx.rfc-clueless.org/$sender_address_domain
+mirrors : bogusmx.rfc-clueless.org/$sender_address_domain
+nagios : bogusmx.rfc-clueless.org/$sender_address_domain
+new-maintainer : bogusmx.rfc-clueless.org/$sender_address_domain
+override-change : bogusmx.rfc-clueless.org/$sender_address_domain
+partners : bogusmx.rfc-clueless.org/$sender_address_domain
+patents : bogusmx.rfc-clueless.org/$sender_address_domain
+preinstallvendors : bogusmx.rfc-clueless.org/$sender_address_domain
+press : bogusmx.rfc-clueless.org/$sender_address_domain
+treasurer : bogusmx.rfc-clueless.org/$sender_address_domain
+trademark : bogusmx.rfc-clueless.org/$sender_address_domain
+salsa-admin : bogusmx.rfc-clueless.org/$sender_address_domain
+wat : bogusmx.rfc-clueless.org/$sender_address_domain
+wbadm : bogusmx.rfc-clueless.org/$sender_address_domain
+webmaster : bogusmx.rfc-clueless.org/$sender_address_domain
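Review bot: Each new entry, `admin` through `webmaster`, depends on the single third-party zone `bogusmx.rfc-clueless.org`, and nothing in the file records what that list asserts or who checks that it is still operated. If this file feeds the `deny ... dnslists = ${if match_domain{$domain}{+virtual_domains}\` statement further down the page (inferred, since the rest of that line is not shown), a zone that is retired or starts answering every query would reject mail to role addresses such as `mailer-daemon`, `antiharassment` and `data-protection`. I would add a header comment such as `## bogusmx: sender domain publishes unusable MX records; third-party zone, confirm it is still served before editing`, and watch the reject count for this list after rollout. The 33 right-hand sides are identical, so a single default entry would be easier to audit if the lookup that reads this file supports one.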
# These are in HELO acl so that they are only run once. They increment a counter,
# so we don't want it to increment per rcpt to.
+ # high trust
warn dnslists = list.dnswl.org&0.0.0.3
log_message = Hit on list.dnswl.org for $sender_host_address
set acl_c_scr = ${eval:$acl_c_scr-30}
+ # >= medium trust
warn dnslists = list.dnswl.org&0.0.0.2
log_message = Hit on list.dnswl.org for $sender_host_address
set acl_c_scr = ${eval:$acl_c_scr-20}
+ # any form of listing
warn dnslists = list.dnswl.org
log_message = Hit on list.dnswl.org for $sender_host_address
set acl_c_scr = ${eval:$acl_c_scr-10}
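Review bot: The three new comments label each `list.dnswl.org` test but not their combined effect. The `warn` statements run one after another, so a host that matches `&0.0.0.3` also matches `&0.0.0.2` and the unmasked lookup, and ends up at -60 rather than -30. I would state that once above the first statement, e.g. `# dnswl adjustments stack: high trust -60, medium -30, any other listing -10`. Anyone tuning one of the values needs the total, since `acl_c_scr` is presumably the score that later checks compare against.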
condition = ${if eq{$host_lookup_failed}{1}}
set acl_c_scr = ${eval:$acl_c_scr+20}
+ # HELO looks like a dynamic address (with RDNS match)
warn !hosts = +debianhosts
condition = ${if eq{$host_lookup_failed}{0}}
condition = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
set acl_c_scr = ${eval:$acl_c_scr+20}
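Review bot: The comment `# HELO looks like a dynamic address (with RDNS match)` sits on a statement that tests `$sender_host_name`, the name obtained from the reverse lookup, not the HELO argument. Only the following statement tests `$sender_helo_name`. I would reword it to `# reverse DNS name looks like a dynamic address (lookup succeeded)`. Both statements add 20 and neither excludes the other, so a host whose PTR name and HELO both match the pattern is scored twice; a short comment saying that this is intended would save the next reader from guessing.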
+ # HELO looks like a dynamic address
warn !hosts = +debianhosts
condition = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
set acl_c_scr = ${eval:$acl_c_scr+20}
+ # mail from a dynamic IP address range
warn !hosts = +debianhosts
dnslists = dul.dnsbl.sorbs.net
set acl_c_scr = ${eval:$acl_c_scr+15}
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+ dnslists = noserver.dnsbl.sorbs.net
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+
<%- end -%>
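Review bot: The added `deny` accepts any answer from `noserver.dnsbl.sorbs.net` as a listing, so a zone that is retired or starts answering every query would reject all mail to `+handled_domains` from hosts outside `+debianhosts`. The `nomail.rhsbl.sorbs.net/$sender_address_domain` statement added further down has the same shape. I would pin the match to the list's documented return value, `dnslists = noserver.dnsbl.sorbs.net=<documented return code>`, and include `$dnslist_value` in the logged text so an unexpected answer is visible. The `dul.dnsbl.sorbs.net` check in the HELO ACL only adds 15 to `acl_c_scr`, so a comment saying why these two lists warrant an outright reject would help. The template block closed by `<%- end -%>` opens outside the hunk.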
deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+ dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+
<%- unless @use_smarthost -%>
deny domains = +handled_domains
local_parts = ${if match_domain{$domain}{+virtual_domains}\