Dns verify callouts

The  library provides a collection of mapping callouts that can be used to validate and/or resolve domains names or IP addresses via the DNS or local host tables. (Exactly what sources are used, and in what order, is controlled at the operating system level, usually by settings in  .) Three basic types of operations are provided:

 DNS A/AAAA record and host table lookups for domain names. 

 DNS PTR record and host table lookups for IP addresses. 

 TXT record lookups for checking IP addresses against blacklists. 



For example,  can be used to verify that an entry in DNS or host tables exists for the domain used in the SMTP   command, or to  look up an IP address in a blacklist supplied by such services  as MAPS and ORBS. The message can be rejected or accepted based on the presence or absence of a corresponding DNS record.

IMPORTANT NOTE: Performing DNS existence checks may result in the rejection of some valid messages. For instance, this could include mail from legitimate sites that simply have not yet registered their domain name, or during  periods of bad information in DNS.

The  library has several routines that can be called:

 

 (new in 7.0.5.34) 

 

 

 </li>

 (new in 8.0.1.2) </li>

 (new in 8.0.1.2) </li>

 (new in 8.0.2.2) </li>

</ul>

These routines are each described in the sections below.

Note that your mapping tables with   callouts can be tested by  using the   utility.

The routine
The  routine does a name lookup in the local host tables and an A/AAAA lookup in the DNS. One possible use for this is to check to make sure the domain from the SMTP  command actually exists. Any mapping table action can be taken if the lookup succeeds, fails, or returns an error.

The  routine&#x27;s argument is four strings  separated by "&#x7c;", as follows: domainname&#x5b;&#x7c;success&#x5b;&#x7c;failure&#x5b;&#x7c;unknown&#x5d;&#x5d;&#x5d; <dl>

<dt>   </dt>

<dd> The name to look up in the DNS and local host tables. </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the mapping table string to return if      is found. If not specified, the default    is " ". </dd>

<dt> (optional) </dt>

<dd> If specified, it is the mapping table string to return if       is not      found. If not specified, the default is " ". </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the mapping table string to return if there was a    temporary DNS failure during the lookup operation. If not specified, and the      string was specified, that string is used. If neither    are specified, the  default is " ". </dd>

</dl>

Note that in the mapping table any &#x27;s you wish to return need to  be doubled. For example, to specify " ", you need to put in " ".

An alternate separator can be used instead of " ". To specify an alternate separator, insert it as the first character of  the routine&#x27;s argument. For example, to specify " " as the separator, use the following syntax: +domainname+success+failure+unknown The  ,  , and   strings can contain the following format  characters:

The following example shows a simple   mapping  table entry to verify that the sender&#x27;s hostname exists in the DNS or local host tables: SEND_ACCESS &#x2a;tcp_&#x2a;&#x7c;&#x2a;@&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;        \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify,$3&#x7c;$$Y&#x7c;$$NInvalid$ host:$ $$3$-$ %e&#x5d;$E The following example shows a   mapping table  entry that performs a check against a hypothetical DNS blacklist dnsbl.example.net PORT_ACCESS TCP&#x7c;&#x2a;&#x7c;25&#x7c;&#x2a;.&#x2a;.&#x2a;.&#x2a;&#x7c;&#x2a;    \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify,\ $4.$3.$2.$1.dnsbl.example.net&#x7c;$$N500$ IP$ blacklisted&#x7c;$$Y

The routine
The  routine is identical to , except that it restricts its results to IPv4 addresses.

The routine
The  routine is identical to , except that it restricts its results to IPv6 addresses.

The routine
The  routine does an IPv4/IPv6 address lookup in the DNS and/or host tables. Any mapping table action can be taken if the lookup succeeds, fails, or returns an error.

The  routine&#x27;s argument is four strings  separated by " ", as follows: ip-address&#x5b;&#x7c;success&#x5b;&#x7c;failure&#x5b;&#x7c;unknown&#x5d;&#x5d;&#x5d; <dl>

<dt>   </dt>

<dd> The IPv4/IPv6 address to be looked up,    without any enclosing brackets or prefixes. </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the mapping table string to return if      is found. If not specified, the default    is " ". </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the mapping table string to return if       is not      found. If not specified, the default is " ". </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the mapping table string to return if there was a    temporary DNS failure during the lookup operation. If not specified, and the      string was specified, that string is used. If neither    are specified, the  default is " ". </dd>

</dl>

The  routine supports the same alternate delimiter and substitution strings as the   routine described above.

The and    routines
The  and    routines are used to perform queries for DNS entries with well-defined blacklist semantics and return pre-defined success, failure, and  unknown messages. The same operation can be performed using the   routine, but with more complicated setup.

The  routine is designed for use in the    mapping table. The  routine  is used in the  ,   , and similar mapping tables.

The  and    routines perform the same type of  action as the   Dispatcher option. Using the routine allows you more control over which connections trigger the DNS lookups.

The  and    routines&#x27; argument is three strings  separated by " ", as follows: ip-address,domainname&#x5b;,text-string&#x5d; <dl>

<dt>   </dt>

<dd> The IP address that you want to check against the blackhole list </dd>

<dt>   </dt>

<dd> The name of the blackhole list to check against, e.g., </dd>

<dt>   (optional) </dt>

<dd> If specified, it is the text to return if no TXT record is available. If      not specified, the default       is " ". </dd>

</dl>

The  and    routines check the given list for the IP address. For example, if   is , and    is   , either of   or    looks up the following name:. They first look up the TXT record for that name, and if it is not available, they look up the A record.

The following examples illustrate the use of these routines. MAIL_ACCESS TCP&#x7c;&#x2a;&#x7c;25&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;tcp_local&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a; \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify_domain,$1,bl.spamcop.net&#x5d;$E PORT_ACCESS TCP&#x7c;&#x2a;&#x7c;25&#x7c;&#x2a;&#x7c;&#x2a;    \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify_domain_port,$1,bl.spamcop.net&#x5d;$E The approximate equivalent of the previous    example using  the   routine would be something like: MAIL_ACCESS TCP&#x7c;&#x2a;&#x7c;25&#x7c;&#x2a;.&#x2a;.&#x2a;.&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;tcp_local&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;   \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify,+$4.$3.$2.$1.bl.spamcop.net+\ $$N$$X5.7.1&#x7c;Blocked$ -$ see$ http://spamcop.net/bl.shtml?$$1.$$2.$$3.$$4+$$Y&#x5d;$E

The  routine performs the same DNS  lookup as the   and    routines, but instead of rejecting  the message if the DNS entry exists, it adds a new header line to the  message. The  routine can be used in  any of the sender or recipient access mapping tables.

The  routine&#x27;s argument is four  strings separated by " ", as follows: ip-address,domainname&#x5b;,text-string&#x5b;,header&#x5d;&#x5d; The  ,  , and   arguments are the same as for    and.   is optional. If specified, it is a string containing the header name, and other optional text, to include before  the TXT record string or   value. The header name must be one that the MTA recognizes. The default is " ".

The following example shows an    mapping table entry    to query  : ORIG_MAIL_ACCESS TCP&#x7c;&#x2a;&#x7c;25&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a;&#x7c;&#x2a; \ $C$&#x5b;IMTA_LIB:dns_verify,dns_verify_domain_warn,$1,\ bl.spamcop.net,spamcop.net:$ entry$ found$ for$ $$1,\ X-Dispatcher:$ SPAMfilter$ (spamcop.net):$ &#x5d;$E For a source IP address of 127.0.0.2, this example would return $Y$AX-Dispatcher: SPAMfilter (spamcop.net): Blocked - see http://spamcop.net/bl.shtml?127.0.0.2 This is then added as a header to the message. One way to act on this is to create a  system-wide,  channel, or  user   Sieve filter containing a Sieve action along the lines of: if header :contains "X-Dispatcher" "SPAMfilter" { discard; }

New in MS 8.0.2.2. The  routine performs an MX record lookup on the specified domain. Unlike the other DNS routines described in this section, the routine argument consists solely of the domain to look up. The routine succeeds if the lookup is successful and returns the "first" MX record using the same algorithm the MTA uses to determine record order. An empty string is returned if the lookup succeeds but no MX records are found.

The routine fails if the specified domain cannot be found in the DNS. A temporary failure condition is returned if the DNS operation fails with a temporary error.

One possible use of this routine is to determine if a given domain is serviced by a particular collection of servers - which can then be used to implement a limited form of MX rollup. For example, a mapping that will determine if a given domain is handled by Office 365 servers could (at preent) be coded as: OUTLOOK_MX &#x2a;                        $E$&#x5b;IMTA_LIB:dns_verify,dns_get_first_mx,$0&#x5d;$C &#x2a;.protection.outlook.com $Y This mapping could in turn be called from either a rewrite rule or a  to route messages to a special channel configured to deliver to an appropriate set of MXes regardless of destination domain.

See also:
 * Callout routines