NDR strategy
Jan-Peter Koopmann
Jan-Peter.Koopmann at SECEIDOS.DE
Tue Feb 3 12:38:40 GMT 2004
Hi Martin,
> JP
> have you got this script and the exim settings? I'd love to
> set this up on our exim system.
sure. On the DC we use the following vbs script:
Const FILENAME = "whitelist-adresses.txt" 'File name for exporting data from AD
Const LDAPQUERY = "LDAP://yourserver/DC=intern,DC=youractivedirectory,DC=de" 'LDAP query to Active Directory, where
Dim con, com, rs, fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(FILENAME, 2, True) ' ForReading = 1, ForWriting = 2, ForAppending = 8
Set con = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
Set com.ActiveConnection = con
' The query string must stay on one line
com.CommandText = "select proxyAddresses from '" & LDAPQUERY & "' where objectClass='user' or objectClass='group' order by sn"
com.Properties("Page Size") = 1000
Set rs = com.Execute
While Not rs.EOF
    TProxyAddresses = rs.Fields("proxyAddresses")
    If Not IsNull(TProxyAddresses) Then
        TProxyAddressesCount = UBound(TProxyAddresses)
        For i = 0 To TProxyAddressesCount
            ' Keep only SMTP addresses; drop the "smtp:" prefix and lowercase the rest
            If LCase(Left(TProxyAddresses(i),4))="smtp" Then
                f.Write LCase(Trim(Mid(TProxyAddresses(i),6))) & vbCrLf ' one address per line
            End If
        Next
    End If
    rs.MoveNext ' advance to the next record
Wend
f.Close
con.Close
This script is running every 30 minutes. You will have to adjust the
LDAPQUERY to suit your DC structure of course. If whitelist-adresses.txt
differs from the old version we scp it to our exim server in the DMZ.
On that server we check for a new version, convert the .txt into a .map
and then convert that to a cdb. The .txt file has the format
Validemail@yourdomain.com
We simply change that to
validemail@yourdomain.com 1
and then convert this to a cdb using this little script (which we use
for all kinds of cdbs...)
#! /usr/bin/perl
while(<>) {
    # skip comments
    next if /^\s*#/;
    # skip empty lines
    next if /^\s*$/;
    # chop off trailing newline
    chomp;
    # delete leading whitespace
    s/^\s+//;
    # retrieve key and value from the input line
    ($key, $value) = split(/:\s*/, $_, 2);
    # emit cdbmake input line
    printf "+%d,%d:%s->%s\n", length($key), length($value), $key, $value;
}
# an empty line terminates the cdbmake input
print "\n";
After this all you need to do is run cdbmake and store the cdb to the
location you want it.
In Exim's configure (the incoming one obviously) we define a domainlist
domainlist check_rcpt_domains = yourdomain1 : yourdomain2
Only mails for domains in this list will be checked against the
whitelist. In the rcpt_acl you need to put
accept domains = +check_rcpt_domains
       message = user unknown
       recipients = cdb;/usr/local/etc/exim/whitelist-rcpt.cdb
And that's it. Moreover we manually maintain a blacklist for the e-mails
that exist in the company but should not be able to receive mails from
the internet.
I hope this gives you a kick start.
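
The rebuild step on the Exim server described above, as an added example that is not part of the original mail: it validates the copied whitelist before anything reaches cdbmake, so a truncated or empty export cannot replace a good database and make every recipient unknown. The function names and MIN_ENTRIES are hypothetical, CRLF line ends in the .txt are an assumption, and the records are written straight from the one-address-per-line .txt with the value fixed at 1.

```shell
#!/bin/sh
# Added example, not from the original mail.
MIN_ENTRIES=${MIN_ENTRIES:-1}   # hypothetical floor; raise it near your real user count

# Print cdbmake records ("+klen,dlen:key->data", data "1") for the addresses in $1.
# All-or-nothing: records are only emitted after every line has validated.
whitelist_to_cdbmake() {
    # LC_ALL=C makes length() count bytes, which is what cdbmake expects
    LC_ALL=C awk -v min="$MIN_ENTRIES" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip CR and padding
        /^$/ || /^#/ { next }
        { key = tolower($0) }
        key !~ /^[^@ \t]+@[^@ \t]+$/ {
            printf "line %d is not an address\n", NR > "/dev/stderr"
            bad = 1; exit
        }
        !(key in seen) { seen[key] = 1; out[++n] = key }
        END {
            if (bad || n + 0 < min + 0) exit 1
            for (i = 1; i <= n; i++) printf "+%d,1:%s->1\n", length(out[i]), out[i]
            print ""                                      # empty line ends cdbmake input
        }' "$1"
}

# $1 = whitelist .txt, $2 = target .cdb. Records go to a temp file first so a
# failed validation never reaches cdbmake; cdbmake itself writes $2.tmp and
# renames it over $2, so Exim never sees a partial database.
build_whitelist_cdb() {
    records=$(mktemp) || return 1
    if whitelist_to_cdbmake "$1" > "$records"; then
        cdbmake "$2" "$2.tmp" < "$records"; rc=$?
    else
        echo "keeping old $2: $1 failed validation" >&2; rc=1
    fi
    rm -f "$records"
    return "$rc"
}

# Constructed sample input: CRLF line ends, mixed case, one duplicate.
sample_whitelist() {
    printf 'Alice@yourdomain1\r\nbob@yourdomain2\r\nalice@yourdomain1\r\n'
}
```

Piping the records directly into cdbmake would hand it empty input whenever validation fails, which is why the temp file sits in between.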