Herron has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/378717 )

Change subject: MX: Add zen.spamhaus.org DNSBL check to MTA rcpt acl
......................................................................

MX: Add zen.spamhaus.org DNSBL check to MTA rcpt acl

Today messages from hosts listed in zen.spamhaus.org are given a spam score
of ~3.5. In some cases this allows messages from known spam sources to
continue onward towards delivery.

This change will warn (for the purposes of testing) if a blacklisted host
connects directly to the wikimedia.org mx systems. Pending successful
testing, a follow-up change will update the acl action from warn to delay
and drop (with a useful 5xx error message).

Bug: T175879
Change-Id: I0ba0441097e69784e582fb98a6d742b984ef348d
---
M modules/role/templates/exim/exim4.conf.mx.erb
1 file changed, 7 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/17/378717/1

diff --git a/modules/role/templates/exim/exim4.conf.mx.erb 
b/modules/role/templates/exim/exim4.conf.mx.erb
index 5ef35c7..7cf76d4 100644
--- a/modules/role/templates/exim/exim4.conf.mx.erb
+++ b/modules/role/templates/exim/exim4.conf.mx.erb
@@ -156,6 +156,13 @@
        # Check whether the sender address domain exists
        require verify = sender
 
+       # Drop connections from IP addresses listed in DNSBL
+       # This is a warn for testing. After testing...
+       #       * Change to delay & drop
+       #       * Change log_message to message
+       warn log_message = $sender_host_address is listed by $dnslist_domain 
($dnslist_value: $dnslist_text)
+               dnslists = zen.spamhaus.org
+
        accept
 
 acl_check_connect:
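
Review bot: The condition "dnslists = zen.spamhaus.org" in the new warn statement matches on any value the list returns, which is harmless while the verb is warn but becomes a rejection criterion once the follow-up switches it to a deny. Since the log_message already records $dnslist_value, it would help to say in the comment that the test phase is also meant to collect which return values actually hit, and to narrow the dnslists condition to the values you intend to reject on before changing the verb, so that an unexpected or error-type answer from the list does not turn into a 5xx. Two smaller points: the first comment line says "Drop connections" while the statement only logs, so something like "Log (later: reject) hosts listed in DNSBL" would match the current behaviour; and because the statement sits directly before the final "accept", it is worth confirming that trusted or relay hosts accepted earlier in this ACL (outside the visible context) never reach it.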

-- 
To view, visit https://gerrit.wikimedia.org/r/378717
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0ba0441097e69784e582fb98a6d742b984ef348d
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <kher...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
