[MediaWiki-commits] [Gerrit] operations/puppet[production]: MX: Add zen.spamhaus.org DNSBL check to MTA rcpt acl

Mon, 18 Sep 2017 07:55:35 -0700 

Herron has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/378717 )

Change subject: MX: Add zen.spamhaus.org DNSBL check to MTA rcpt acl
......................................................................


MX: Add zen.spamhaus.org DNSBL check to MTA rcpt acl

Today messages from hosts listed in zen.spamhaus.org are given a spam score
of ~3.5. In some cases this allows messages from known spam sources to
continue onward towards delivery.

This change will warn (for the purposes of testing) if a blacklisted host
connects directly to the wikimedia.org mx systems. Pending successful
testing, a follow-up change will update the acl action from warn to delay
and drop (with a useful 5xx error message).

Bug: T175879
Change-Id: I0ba0441097e69784e582fb98a6d742b984ef348d
---
M modules/role/templates/exim/exim4.conf.mx.erb
1 file changed, 7 insertions(+), 0 deletions(-)

Approvals:
  Herron: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/role/templates/exim/exim4.conf.mx.erb 
b/modules/role/templates/exim/exim4.conf.mx.erb
index 5ef35c7..7cf76d4 100644
--- a/modules/role/templates/exim/exim4.conf.mx.erb
+++ b/modules/role/templates/exim/exim4.conf.mx.erb
@@ -156,6 +156,13 @@
        # Check whether the sender address domain exists
        require verify = sender
 
+       # Drop connections from IP addresses listed in DNSBL
+       # This is a warn for testing. After testing...
+       #       * Change to delay & drop
+       #       * Change log_message to message
+       warn log_message = $sender_host_address is listed by $dnslist_domain 
($dnslist_value: $dnslist_text)
+               dnslists = zen.spamhaus.org
+
        accept
 
 acl_check_connect:

-- 
To view, visit https://gerrit.wikimedia.org/r/378717
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0ba0441097e69784e582fb98a6d742b984ef348d
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Herron <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to