Hostlist Entry Formatting
Added 5 months ago
In MailCleaner, there are several features which allow for policies on a hostname or IP basis. Here we will discuss the acceptable formats for these input boxes and some shorthands that are available to improve functionality beyond a static list.
List of input fields that this applies to
- Domains->[domain]->Advanced features->All IP lists
- SMTP->SMTP checks->Don't check these hosts
- SMTP->SMTP checks->Don't check these hosts for SPF or DMARC
- SMTP->Connection control->Allow connection from hosts
- SMTP->Connection control->Allow external relaying for these hosts
- SMTP->Connection control->Reject connection from these hosts
- SMTP->Resources control->No rate limiting for these hosts
- Anti-Spam->Global settings->TrustedSources->Trusted IPs/Networks
- Content protection->HTML controls->Trusted IPs/Networks
- Services->Web interfaces->Allowed IP/ranges
- Services->SNMP monitoring->Allowed IP/ranges
- Services->Database->Allowed IP/ranges
Unless otherwise specified, each of these boxes will accept a plain hostname which will use rDNS when necessary to check if the IP is applicable.
IP addresses and ranges of IPs
Each box will allow for either a single IPv4 or IPv6 address, or one of these with a CIDR suffix to indicate a range. Some examples of these include:
- 184.108.40.206 - A single IP
- 192.168.0.0/24 - A block of IPs including anything that starts with '192.168.0.'
- 10.0.0.0/8 - A block of IPs including anything that starts with '10.'
- 0.0.0.0/0 - All possible IPs
Note that the shorthand '*' is also equivalent to '0.0.0.0/0'.
Any textbox which accepts a list of hostnames or IPs will also accept shorthand suffixes, each of which corresponds to a DNS lookup.
The available shorthands are:
- /a - Resolves the A record for the provided hostname
- /aaaa - Resolves the AAAA record for the provided hostname
- /mx - Resolves the A and AAAA records for all MX entries for that hostname
- /spf - Resolves the A and AAAA for all allowed SPF hosts. Ignores fails and softfails.
Here is an example for each:
- mailcleaner.net/a expands to 220.127.116.11
- mailcleaner.net/aaaa expands to 2001:918:ffd1:0:5054:ff:fef8:e218
- mailcleaner.net/mx expands to 18.104.22.168 22.214.171.124 2001:918:ffd1:0:2000:0:2000:99 126.96.36.199 188.8.131.52 184.108.40.206 2001:918:ffd1:0:2000:0:3000:97
- mailcleaner.net/spf expands to 220.127.116.11/24 18.104.22.168/27 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/26 2001:0918:FFD1::/48 220.127.116.11/29 18.104.22.168/24 22.214.171.124/28 126.96.36.199/29 188.8.131.52/28 184.108.40.206/26 220.127.116.11/28
Every time the relevant configuration file is dumped, all of these shorthands are expanded to a set of IP ranges and any duplicates are removed before the configuration file is written. As a result, if the DNS information changes, the change will not be noticed until the next service restart. Services are restarted at least once daily during the installation of updates at 22:30 (machine time) every evening.
If you would like to test these shorthands before saving them, there is a script which utilizes the expansion library. You can use it to see what the record you are looking up will expand to, or use it to manually run an SPF test:
    Usage: /usr/mailcleaner/bin/dns_lookup.pl [a|aaaa|mx|spf] domain <ip>
        a       query A record
        aaaa    query AAAA record
        mx      query MX record
        spf     query SPF record
        domain  the domain to query
        ip      (optional) check if given IP is in the list of results
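An offline pre-check for entries in the formats described on this page, added here as an example: it is not MailCleaner code and performs no DNS lookups. It separates CIDR suffixes from DNS shorthand suffixes, drops duplicates, and flags entries that match every address or that depend on DNS at dump time. The hostname pattern, case-insensitive suffix matching and the host-bits warning are assumptions, and the sample list is constructed.

```python
import ipaddress
import re

SHORTHANDS = {"a", "aaaa", "mx", "spf"}  # DNS suffixes documented on this page
# Assumption: hostnames are dot-separated letter/digit/hyphen labels, not all-numeric.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(r"(?![\d.]+$)(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*", re.I)

def classify_entry(entry):
    """Return (kind, value, note) for one hostlist entry; note is None if unremarkable."""
    entry = entry.strip()
    if entry == "*":  # per the page, '*' is equivalent to 0.0.0.0/0
        entry = "0.0.0.0/0"
    base, sep, suffix = entry.rpartition("/")
    if sep and suffix.lower() in SHORTHANDS:
        if HOSTNAME.fullmatch(base):
            return "dns", (base.lower(), suffix.lower()), "resolved at config dump; stale until next restart"
        return "invalid", entry, "DNS shorthand needs a hostname before the slash"
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        if HOSTNAME.fullmatch(entry):
            return "hostname", entry.lower(), None
        return "invalid", entry, "not an IP, CIDR range, hostname or known shorthand"
    if net.prefixlen == 0:
        return "network", net, "matches every address of this IP version"
    if sep and ipaddress.ip_address(base) != net.network_address:
        return "network", net, f"host bits set; normalised here to {net}"
    return "network", net, None

def audit(entries):
    """Group a hostlist by kind, dropping duplicates, and collect review findings."""
    out = {"network": [], "dns": [], "hostname": [], "invalid": [], "findings": []}
    for raw in entries:
        kind, value, note = classify_entry(raw)
        if value not in out[kind]:
            out[kind].append(value)
        if note:
            out["findings"].append((raw.strip(), note))
    return out

# Constructed sample list, not taken from a real configuration.
SAMPLE = ["192.168.0.0/24", "192.168.0.0/24", "*", "mailcleaner.net/spf",
          "mailcleaner.net/txt", "mx.example.com", "10.0.0.300", "10.1.2.3/8"]

if __name__ == "__main__":
    for entry, note in audit(SAMPLE)["findings"]:
        print(f"{entry}: {note}")
```

Entries reported as `dns` can then be checked with `dns_lookup.pl` to see what they currently expand to.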