Policy Database

Introduction

The syntax of this file is very simple, yet flexible and powerful. The idea is very close to that of the sendmail access database.

Entry syntax is:

Prefix:Key          Value

where,

  • Prefix - the kind of information being looked up
  • Key - the key under which that information is stored
  • Value - the value associated with that Prefix and Key

An example showing some of the kinds of entries already implemented follows:

j-policy.txt

CtrlChan:DEFAULT           REJECT
CtrlChan:127.0.0.1         OK
CtrlChan:194.21.16.16      OK
#
ConnRate:DEFAULT           15
ConnRate:127.0.0.1         1000
ConnRate:LOCAL             500
ConnRate:DOMAIN            300
#
NetClass:199.199.123       DOMAIN
NetClass:192.168           LOCAL
#
BadMX:192.168              ERROR:421:4.5.1:DNS problems... Try later !
BadMX:192.168.128.200      OK
BadMX:saveinternet.net     ERROR:421:4.5.1:Too busy now... Try later !
#

How database is looked up

Basically, a query follows the rule "if the given key exists, its associated value is returned". But if the key is an IP address, a hostname or domain, or an e-mail address, other possible keys are also tried until an existing one is found. j-chkmail applies almost the same logic as sendmail does with its access database.

There are three cases: IP addresses, host names and e-mail addresses.

If the key is an IP address, successive queries are made on the full address and then on every network enclosing that address; the most specific match wins. The same logic applies when the key is a domain or hostname. If the key is an e-mail address, this same logic is applied first to the full address, then to the domain part and finally to the user part.

How it works

if (key is e-mail)
  query full key
  if found return result
end if

extract domain part
if (domain part is IP address)
  query IP address and network addresses
  if found return best matching result
else 
  query domains and sub domains
  if found return best matching result
end if

if (key is e-mail)
  query user part
  if found return result
end if

query default value 
if found return result

Another situation arises when looking for "sets", e.g., when j-chkmail wants to check whether it must do content filtering for a message, it uses the full envelope data:

  • Client IP address - used with Connect prefix
  • Client hostname - used with Connect prefix
  • Envelope From address - used with From prefix
  • Envelope To Address - used with To prefix

When a prefix is used this way (as a triplet), three tags are derived from it: prefixConnect, prefixFrom and prefixTo.

The function that evaluates such a policy takes four parameters: the client IP address, the client hostname, the envelope From address and the envelope To address.

The client hostname is used only when no entry matches the IP address. Since the client hostname comes from a reverse DNS lookup of the connecting address, keying exceptions on IP addresses is more reliable than keying them on hostnames.

The values that may be associated with each entry are YES, NO, YES-QUICK and NO-QUICK.

When YES-QUICK or NO-QUICK is found, evaluation stops immediately and that answer is final; a plain YES or NO may still be overridden by a later From or To entry.

Database entry keys are formed as follows:

prefix + Connect + : + IP           -> GreyCheckConnect:1.2.3           YES 
prefix + Connect + : + Hostname     -> GreyCheckConnect:yahoo.com       NO
prefix + From    + : + From address -> GreyCheckFrom:joe@j-chkmail.org  YES-QUICK
prefix + To      + : + To address   -> GreyCheckTo:joe@                 NO

The evaluation algorithm looks like this:

How it works

result = NO
if queryDatabase(prefix, "Connect", IP, &value)
  result = value
  if result == YES-QUICK  return YES
  if result == NO-QUICK   return NO
else
  if queryDatabase(prefix, "Connect", Hostname, &value)
    result = value
    if result == YES-QUICK  return YES
    if result == NO-QUICK   return NO
  else
    if queryDatabase(prefix, "Connect", "DEFAULT", &value)
      result = value
      if result == YES-QUICK  return YES
      if result == NO-QUICK   return NO
    endif
  endif
endif
      
if queryDatabase(prefix, "From", From, &value)
  result = value
  if result == YES-QUICK  return YES
  if result == NO-QUICK   return NO
else
  if queryDatabase(prefix, "From", "DEFAULT", &value)
    result = value
    if result == YES-QUICK  return YES
    if result == NO-QUICK   return NO
  endif
endif

if queryDatabase(prefix, "To", To, &value)
  result = value
  if result == YES-QUICK  return YES
  if result == NO-QUICK   return NO
else
  if queryDatabase(prefix, "To", "DEFAULT", &value)
    result = value
    if result == YES-QUICK  return YES
    if result == NO-QUICK   return NO
  endif
endif

if result == YES-QUICK  result = YES
if result == NO-QUICK   result =  NO

return result
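As an added worked example (not j-chkmail's own code), the following Python re-implements both the single-key lookup order described under "How database is looked up" and the triplet evaluation just shown, over a constructed j-policy.txt fragment. The names parse_policy, candidate_keys, query, lookup and evaluate belong to this example only; treating keys as case-insensitive, an IP key as a dotted prefix, and a domain key as matching every suffix of the hostname down to the top-level label are assumptions drawn from the examples on this page, not statements of j-chkmail's exact behaviour.

```python
"""Re-implementation of the policy-database lookup described on this page.
This is an added illustration, not j-chkmail's own code.  Assumptions:
keys compare case-insensitively, values are kept verbatim, an IP key
matches on dotted prefixes (10.3 covers 10.3.*.*), and a domain key
matches every suffix of the hostname down to the top-level label."""
import re

# Constructed sample in j-policy.txt syntax (not a real site's policy).
POLICY_TEXT = """\
# greylisting: enabled by default, with exceptions
GreyCheckConnect:DEFAULT               YES
GreyCheckConnect:10.3                  NO-QUICK
GreyCheckConnect:yahoo.com             NO
GreyCheckFrom:john@friend.com          NO-QUICK
GreyCheckFrom:spammer.com              YES-QUICK
GreyCheckTo:postmaster@mydomain.com    NO
# connection rate limits (per 10-minute window)
ConnRate:DEFAULT                       15
ConnRate:10                            500
ConnRate:10.3                          400
"""


def parse_policy(text):
    """Parse 'Prefix:Key   Value' lines into {'prefix:key': 'Value'}."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)          # the value may itself contain spaces
        if len(fields) == 2:
            db[fields[0].lower()] = fields[1].strip()
    return db


def _is_ip(s):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", s) is not None


def candidate_keys(key):
    """Keys to try for one lookup, most specific first (the page's three cases)."""
    user, at, host = key.rpartition("@")
    cands = [key] if at else []               # e-mail: full address first
    labels = host.split(".")
    if _is_ip(host):                          # 1.2.3.4 -> 1.2.3.4, 1.2.3, 1.2, 1
        cands += [".".join(labels[:i]) for i in range(len(labels), 0, -1)]
    else:                                     # a.b.c -> a.b.c, b.c, c
        cands += [".".join(labels[i:]) for i in range(len(labels))]
    if at:                                    # finally the user part, written 'user@'
        cands.append(user + "@")
    return cands


def query(db, prefix, key):
    """Value of the best-matching candidate key, or None if nothing matches."""
    for cand in candidate_keys(key):
        value = db.get(f"{prefix}:{cand}".lower())
        if value is not None:
            return value
    return None


def lookup(db, prefix, key):
    """Single-value lookup: best match, then the prefix's DEFAULT entry."""
    value = query(db, prefix, key)
    return value if value is not None else db.get(f"{prefix}:default".lower())


_QUICK = {"YES-QUICK": "YES", "NO-QUICK": "NO"}


def evaluate(db, prefix, ip, hostname, mail_from, rcpt_to):
    """Triplet evaluation: Connect (IP, then hostname only if the IP has no
    entry), then From, then To, each stage falling back to its own DEFAULT.
    A *-QUICK value ends evaluation at once; plain YES/NO can be overridden
    by a later stage."""
    result = "NO"
    stages = (("Connect", (ip, hostname)), ("From", (mail_from,)), ("To", (rcpt_to,)))
    for tag, keys in stages:
        value = None
        for k in keys:
            value = query(db, prefix + tag, k)
            if value is not None:
                break
        if value is None:
            value = db.get(f"{prefix}{tag}:default".lower())
        if value is None:
            continue
        if value in _QUICK:
            return _QUICK[value]
        result = value
    return result


if __name__ == "__main__":
    db = parse_policy(POLICY_TEXT)
    print(lookup(db, "ConnRate", "10.3.4.5"))           # 400: most specific network wins
    print(evaluate(db, "GreyCheck", "5.6.7.8", "unknown",
                   "x@mail.spammer.com", "postmaster@mydomain.com"))  # YES: From is *-QUICK
```

Run stand-alone it prints 400 for the ConnRate lookup and YES for the greylisting evaluation. Two things are worth noticing: a client in 10.3 is decided on its IP without the hostname ever being consulted, and a YES-QUICK at the From stage wins even though the To stage would have answered NO. Note also that a user-part key such as joe@ matches joe at any domain; it is the broadest of the e-mail candidates and deserves care when used in allow-lists.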

Current data defined at policy database

Defining networks classes

  • NetClass - this prefix lets you assign known IP addresses, IP networks, hostnames or domains to a network class. The syntax is:
NetClass:key      value

Key may be one of:

  • IP address
  • IP network prefix
  • hostname
  • domain name

Value is the class to which the key is assigned. There are three predefined classes: LOCAL, DOMAIN and FRIEND, but you can define other classes if these three aren't enough.

Examples :

j-policy.txt

# predefined classes
NetClass:10               LOCAL 
NetClass:199.201          DOMAIN 
NetClass:1.2.3.4          FRIEND
NetClass:domain.com       DOMAIN
# locally defined classes
NetClass:10.1             DEPMATH
NetClass:10.2             DEPPHYS
NetClass:10.3             DEPCHEM
...
Authenticated SMTP connections fall into a special network class: AUTH. AUTH is considered a dynamic network class, and its members are granted the same rights as the LOCAL network class.

Defining Limits per SMTP client

Rate limits are counted over a ten-minute sliding window:

ConnRate How many SMTP connections may be opened within a 10-minute sliding window
RcptRate How many recipients may be accepted within the same window (used in the example below)
ConnOpen How many SMTP connections may be open simultaneously

j-policy.txt

ConnRate:LOCAL                300
ConnRate:DOMAIN               200
ConnRate:FRIEND               30
ConnRate:DEFAULT              15
ConnRate:10.3                 400
ConnRate:domain.com           2
ConnRate:DEPMATH              400

RcptRate:LOCAL                300
RcptRate:DOMAIN               200
RcptRate:FRIEND               100
RcptRate:DEFAULT              25
RcptRate:10.3                 400
RcptRate:domain.com           2 
RcptRate:DEPMATH              400

ConnOpen:LOCAL                30
ConnOpen:DOMAIN               30
ConnOpen:FRIEND               15
ConnOpen:DEFAULT              10
ConnOpen:10.3                 40
ConnOpen:domain.com           2
ConnOpen:DEPMATH              35

Greylisting

  • GreyCheckConnect, GreyCheckFrom and GreyCheckTo

Default policy: enabled, with exceptions defined in the j-policy database

GreyCheckConnect:default               YES
GreyCheckConnect:MATH                  NO-QUICK
GreyCheckConnect:1.2.3.4               NO-QUICK
GreyCheckFrom:john@friend.com          NO-QUICK
GreyCheckFrom:spammer.com              YES-QUICK
GreyCheckTo:postmaster@mydomain.com    NO

Default policy: disabled, with exceptions defined in the j-policy database

GreyCheckConnect:default               NO
GreyCheckFrom:spammer.com              YES-QUICK
GreyCheckTo:postmaster@mydomain.com    NO
GreyCheckTo:Alice@mydomain.com         YES
GreyCheckTo:Bob@mydomain.com           YES
GreyCheckTo:Charles@mydomain.com       YES

Greylisting is never applied to clients belonging to the predefined network classes.

  • GreyEquivDomain - equivalent domains, i.e. domains whose messages may legitimately be sent from each other's mail servers

Defining rules for message content checking

  • ContentCheckConnect, ContentCheckFrom and ContentCheckTo
  • XFilesCheckConnect, XFilesCheckFrom and XFilesCheckTo
  • VirusCheckConnect, VirusCheckFrom and VirusCheckTo
  • RejectShortMsgsConnect, RejectShortMsgsFrom and RejectShortMsgsTo

Our list server has already done a lot of checking, so don't worry, be happy.

# sympa mailing list server
ContentCheckConnect:X.X.X.115         NO-QUICK
XFilesCheckConnect:X.X.X.115          NO-QUICK
VirusCheckConnect:X.X.X.115           NO-QUICK
RejectShortMsgsTo:joe@example.com     NO

xxxxx

  • Quarantine(Connect|From|To)

xxxxx

  • GreydAccess

xxxxx

  • CtrlChan

xxxxx

  • SpamTrap

BadMX

  • BadMX
doc/reference/policy_database.txt · Last modified: 2009/01/04 21:45 by martins