Hostlist Entry Formatting
Added 9 months ago
In MailCleaner, there are several features which allow for policies on a hostname or IP basis. Here we will discuss the acceptable formats for these input boxes and some shorthands that are available to improve functionality beyond a static list.
List of input fields that this applies to¶
- Domains->[domain]->Advanced features->All IP lists
- SMTP->SMTP checks->Don't check these hosts
- SMTP->SMTP checks->Don't check these hosts for SPF or DMARC
- SMTP->Connection control->Allow connection from hosts
- SMTP->Connection control->Allow external relaying for these hosts
- SMTP->Connection control->Reject connection from these hosts
- SMTP->Resources control->No rate limiting for these hosts
- Anti-Spam->Global settings->TrustedSources->Trusted IPs/Networks
- Content protection->HTML controls->Trusted IPs/Networks
- Services->Web interfaces->Allowed IP/ranges
- Services->SNMP monitoring->Allowed IP/ranges
- Services->Database->Allowed IP/ranges
Unless otherwise specified, each of these boxes will accept a plain hostname which will use rDNS when necessary to check if the IP is applicable.
IP addresses and ranges of IPs¶
Each box will allow for either a single IPv4 or IPv6 address, or one of these with a CIDR suffix to indicate a range. Some examples of these include:
- 220.127.116.11 - A single IP
- 192.168.0.0/24 - A block of IPs including anything that starts with '192.168.0.'
- 10.0.0.0/8 - A block of IPs including anything that starts with '10.'
- 0.0.0.0/0 - All possible IPs
Note that the shorthand '*' is also equivalent to '0.0.0.0/0'.
If you want to list a large block of IPs but have one or two in that block which should be treated as exceptions, you can do so with a '!' prefix like:
192.168.0.0/24 !192.168.0.255 !192.168.0.0/30
This will make an exception for the individual IP as well as the block '192.168.0.0/30' (the range 192.168.0.0 - 192.168.0.3).
Not all services used in MailCleaner actually understand this exception syntax natively, so what happens on the back-end is that after all IP ranges are collected, they are simplified, then IP math is done to break or remove any ranges where the exceptions exist. The result is that the equivalent expanded list of all positive matches gets dumped to the config file every time that the service is restarted.
Any textbox which accepts a list of hostnames or IPs will also accept shorthand suffixes which corrosponds to a DNS lookup.
The available shorthands are:
- /a - Resolves the A record for the provided hostname
- /aaaa - Resolves the AAAA record for the provided hostname
- /mx - Resolves the A and AAAA records for all MX entries for that hostname
- /spf - Resolves the A and AAAA for all allowed SPF hosts. Ignores fails and softfails.
Here is an example for each:
- mailcleaner.net/a expands to 18.104.22.168
- mailcleaner.net/aaaa expands to 2001:918:ffd1:0:5054:ff:fef8:e218
- mailcleaner.net/mx expands to 22.214.171.124 126.96.36.199 2001:918:ffd1:0:2000:0:2000:99 188.8.131.52 184.108.40.206 220.127.116.11 2001:918:ffd1:0:2000:0:3000:97
- mailcleaner.net/spf expands to 18.104.22.168/24 22.214.171.124/27 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/26 2001:0918:FFD1::/48 18.104.22.168/29 22.214.171.124/24 126.96.36.199/28 188.8.131.52/29 184.108.40.206/28 220.127.116.11/26 18.104.22.168/28
Every time the relevant configuration file is dumped, it will expand all of these shorthands to a set of IP ranges and will remove any duplicates before writing the configuration file. As a result, if the DNS information changes, it will take until the next service restart for these changes to be noticed. Services are restarted at least once daily during the installation of updates at 22:30 (machine time) every evening.
If you would like to test these shorthands before saving them, there is a script which utilizes the expansion library. You can use it to see what the record you are looking up will expand to, or use it to manually run an SPF test:
Usage: /usr/mailcleaner/bin/dns_lookup.pl [a|aaaa|mx|spf] domain <ip> a query A record aaaa query AAAA record mx query MX record spf query SPF record domain the domain to query ip (optional) check if given IP is in the list of results