Hostlist Entry Formatting

MailCleaner Support
Added 5 days ago

In MailCleaner, several features allow policies to be applied on a hostname or IP basis. This article describes the formats these input boxes accept and some shorthands that extend them beyond a static list.

List of input fields that this applies to

  • Domains->[domain]->Advanced features->All IP lists
  • SMTP->SMTP checks->Don't check these hosts
  • SMTP->SMTP checks->Don't check these hosts for SPF or DMARC
  • SMTP->Connection control->Allow connection from hosts
  • SMTP->Connection control->Allow external relaying for these hosts
  • SMTP->Connection control->Reject connection from these hosts
  • SMTP->Resources control->No rate limiting for these hosts
  • Anti-Spam->Global settings->TrustedSources->Trusted IPs/Networks
  • Content protection->HTML controls->Trusted IPs/Networks
  • Services->Web interfaces->Allowed IP/ranges
  • Services->SNMP monitoring->Allowed IP/ranges
  • Services->Database->Allowed IP/ranges

Hostnames

Unless otherwise specified, each of these boxes accepts a plain hostname; rDNS is used when necessary to check whether the IP is applicable.

IP addresses and ranges of IPs

Each box will allow for either a single IPv4 or IPv6 address, or one of these with a CIDR suffix to indicate a range. Some examples of these include:

  • 1.1.1.1 - A single IP
  • 192.168.0.0/24 - A block of IPs including anything that starts with '192.168.0.'
  • 10.0.0.0/8 - A block of IPs including anything that starts with '10.'
  • 0.0.0.0/0 - All possible IPs

Note that the shorthand '*' is equivalent to '0.0.0.0/0'.

DNS shorthands

Any textbox which accepts a list of hostnames or IPs will also accept shorthand suffixes, each of which corresponds to a DNS lookup.

The available shorthands are:

  • /a - Resolves the A record for the provided hostname
  • /aaaa - Resolves the AAAA record for the provided hostname
  • /mx - Resolves the A and AAAA records for all MX entries for that hostname
  • /spf - Resolves the A and AAAA records for all allowed SPF hosts. Ignores fails and softfails.

Here is an example for each:

  • mailcleaner.net/a expands to 193.246.63.192
  • mailcleaner.net/aaaa expands to 2001:918:ffd1:0:5054:ff:fef8:e218
  • mailcleaner.net/mx expands to 193.246.63.99 193.246.63.102 2001:918:ffd1:0:2000:0:2000:99 195.176.194.13 195.176.194.32 193.246.63.97 2001:918:ffd1:0:2000:0:3000:97
  • mailcleaner.net/spf expands to 195.176.194.0/24 195.81.131.64/27 193.246.63.0/24 195.65.49.0/24 194.6.183.0/24 194.158.17.0/26 2001:0918:FFD1::/48 62.50.76.40/29 62.133.56.0/24 62.50.76.16/28 194.150.21.200/29 62.50.74.80/28 195.143.101.0/26 62.50.73.144/28

Every time the relevant configuration file is dumped, all of these shorthands are expanded to a set of IP ranges and any duplicates are removed before the configuration file is written. As a result, if the DNS information changes, the change is not noticed until the next service restart. Services are restarted at least once daily during the installation of updates at 22:30 (machine time) every evening.

If you would like to test these shorthands before saving them, there is a script which utilizes the expansion library. You can use it to see what the record you are looking up will expand to, or use it to manually run an SPF test:

Usage: /usr/mailcleaner/bin/dns_lookup.pl [a|aaaa|mx|spf] domain <ip>

    a       query A record
    aaaa    query AAAA record
    mx      query MX record
    spf     query SPF record
    domain  the domain to query
    ip      (optional) check if given IP is in the list of results
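
To review a list offline before pasting it into one of these boxes, the entry formats above can be classified and checked as in the following added example. It is not MailCleaner's expansion library and performs no DNS lookups; the function names, the sample list and the finding messages are assumptions made for illustration.

```python
import ipaddress

DNS_SUFFIXES = {"a", "aaaa", "mx", "spf"}  # shorthands listed in this article

def classify(entry):
    """Return (kind, value) for one hostlist entry."""
    entry = entry.strip()
    if entry == "*":  # documented as equivalent to 0.0.0.0/0
        return ("network", ipaddress.ip_network("0.0.0.0/0"))
    host, sep, suffix = entry.rpartition("/")
    if sep and host and suffix.lower() in DNS_SUFFIXES:
        return ("dns", (host.lower(), suffix.lower()))
    try:
        # strict=False tolerates host bits, e.g. 192.168.0.5/24
        return ("network", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    if not entry or "/" in entry:
        return ("invalid", entry)
    return ("hostname", entry.lower())

def audit(entries):
    """Drop duplicate entries and collect findings worth a second look."""
    seen, kept, findings = set(), [], []
    for raw in entries:
        kind, value = classify(raw)
        if kind == "invalid":
            findings.append((raw, "not an IP, CIDR range, hostname or DNS shorthand"))
            continue
        if (kind, value) in seen:
            continue  # same entry written twice, e.g. '*' and '0.0.0.0/0'
        seen.add((kind, value))
        kept.append((kind, value))
        if kind == "network" and value.prefixlen == 0:
            findings.append((raw, "covers all addresses"))
        elif kind == "dns":
            findings.append((raw, "expanded at config dump; DNS changes apply after the next restart"))
    return kept, findings

# Constructed sample list (not taken from a real configuration)
SAMPLE = ["1.1.1.1", "192.168.0.0/24", "*", "0.0.0.0/0", "mailcleaner.net/spf",
          "MAILCLEANER.NET/SPF", "10.0.0.0/8", "relay.example.com", "bad/entry"]

if __name__ == "__main__":
    kept, findings = audit(SAMPLE)
    for kind, value in kept:
        print(f"{kind:9} {value}")
    for raw, reason in findings:
        print(f"REVIEW    {raw}: {reason}")
```

A "covers all addresses" finding deserves particular attention in the allow-type fields such as "Allow external relaying for these hosts".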