MILTER-REGEX(8)           BSD System Manager's Manual          MILTER-REGEX(8)

NAME

     milter-regex — sendmail milter plugin for regular expression filtering

SYNOPSIS

     milter-regex [-d] [-c config] [-f facility] [-j dirname] [-l loglevel]
                  [-m number] [-p pipe] [-u user] [-G group] [-P mode]
                  [-U user]

DESCRIPTION

     The milter-regex plugin can be used with the milter API of sendmail(8) to
     filter mails using regular expressions matching SMTP envelope parameters
     and mail headers and body.

     The options are as follows:

     -d         Don't detach from the controlling terminal and produce verbose
                debug output on stdout.

     -c config  Use the specified configuration file instead of the default,
                /etc/mail/milter-regex.conf.

     -f facility
                Use the specified syslog facility instead of the default,
                daemon.

     -j dirname
                Change root to the specified directory.

     -l loglevel
                Only log messages up to and including the specified level.
                See syslog(3) for the numerical values, e.g. the default
                LOG_INFO=6.

     -m number  Ignore mail body after the specified number of lines.

     -p pipe    Use the specified pipe to interface with sendmail(8).  The
                default is unix:/var/spool/milter-regex/sock.

     -u user    Run as the specified user instead of the default, mregex.
                When milter-regex is started as root, it calls setuid(2) to
                drop privileges.  The non-privileged user should have read
                access to the configuration file and read-write access to the
                pipe.

     -G group   Set the group ID of the pipe.

     -P mode    Set the permissions of the pipe to the specified mode instead
                of the default, 0600.

     -U user    Set the user ID of the pipe.

SENDMAIL CONFIGURATION

     The plugin needs to be registered in the sendmail(8) configuration, by
     adding the following lines to the .mc file

           INPUT_MAIL_FILTER(`milter-regex',
                   `S=unix:/var/spool/milter-regex/sock, T=S:30s;R:2m')

     rebuilding /etc/mail/sendmail.cf from the .mc file using m4(1), and
     restarting sendmail(8).

PLUGIN CONFIGURATION

     The configuration file consists of rules that, when matched, cause
     sendmail(8) to reject mails.  Empty lines and lines starting with # are
     ignored, as well as leading whitespace (blanks, tabs).  Trailing
     backslashes can be used to wrap long rules into multiple lines.  Each rule
     starts with one of the following commands:

     reject <message>
           Subsequent matching rules cause the mail to be rejected with a
           permanent error consisting of the specified text part.  The SMTP
           reply consists of the three-digit code 554 (RFC 2821 "command
           rejected for policy reasons"), the extended reply code 5.7.1 (RFC
           1893 "Permanent Failure", "Security or Policy Status", "Delivery
           not authorized, message refused") and the text part (which defaults
           to "Command rejected", if not specified).  This is a permanent
           failure, which causes the sender to remove the message from its
           queue without trying to retransmit, commonly generating a bounce
           message to the sender.

     tempfail <message>
           Subsequent matching rules cause the mail to be rejected with a
           temporary error consisting of the specified text part.  The SMTP
           reply consists of the three-digit code 451 (RFC 2821 "Requested
           action aborted: local error in processing"), the extended reply
           code 4.7.1 (RFC 1893 "Persistent Transient Failure", "Security or
           Policy Status", "Delivery not authorized, message refused") and the
           text part (which defaults to "Please try again later", if not
           specified).  This is a temporary failure, which causes the sender
           to keep the message in its queue and try to retransmit it, commonly
           for several days.

     discard
           Subsequent matching rules cause the mail to be accepted but then
           discarded silently.  Note that connect and helo rules should not
           use discard.

     quarantine <message>
           Subsequent matching rules cause the mail to be quarantined in
           sendmail(8).

     accept
           Subsequent matching rules cause the mail to be accepted without
           further rule evaluation.  Can be used for whitelist criteria.
     A command is followed by one or more expressions, each causing the
     previous command to be executed when matched.  The following expressions
     can be used:

     connect <hostname> <address>
           Reject the connection if both the sender's hostname and address
           match the specified regular expressions.  The numerical address is
           either dotted-quad (IPv4) or coloned-hex (IPv6).  The hostname is
           the result of a DNS reverse resolution of the numerical address
           (which sendmail(8) performs independently of the milter plugin).
           When resolution fails, the hostname contains the numerical address
           in square brackets.

     helo <name>
           Reject the connection if the sender-supplied HELO name matches the
           specified regular expression.  Commonly, the sender supplies its
           fully-qualified hostname as HELO name.

     envfrom <address>
           Reject the mail if the sender-supplied envelope MAIL FROM address
           matches the specified regular expression.  Addresses commonly have
           the form <user@host.doma.in>.

     envrcpt <address>
           Reject the mail if the sender-supplied envelope RCPT TO address
           matches the specified regular expression.

     header <name> <value>
           Reject the mail if a header matches the specified name and value.
           For instance, the header "Subject: Test" matches name Subject and
           value Test.

     body <line>
           Reject the mail if a body line matches the specified regular
           expression.

     macro <name> <value>
           Reject the mail if a sendmail macro value matches.

     The plugin regularly checks the configuration file for modification and
     reloads it automatically.  Signals like SIGHUP will terminate the plugin,
     according to the milter signal handler.  The plugin reacts to any kind of
     error, like syntax errors in the configuration file, by failing open,
     accepting all messages.  When the plugin is not running, sendmail(8) will
     accept all messages.

REGULAR EXPRESSIONS

     The regular expressions used in the configuration rules are enclosed in
     arbitrary delimiters; no further escaping is needed.

     The first character of an argument is taken as the delimiter, and all
     subsequent characters up to the next occurrence of the same delimiter are
     taken literally as the regular expression.  Since the delimiter itself
     cannot be part of the regular expression (no escaping is supported), a
     delimiter must be chosen that doesn't occur in the regular expression
     itself.  Each argument can use a different delimiter; all characters
     except spaces and tabs are valid.

     Two immediately adjacent delimiters form an empty regular expression,
     which always matches and requires no regexec(3) call.  This can be used
     in rules requiring multiple arguments, to match only some arguments.

     See re_format(7) for a detailed description of basic and extended regular
     expressions.

     Optionally, the following flags can be used after the closing delimiter:
     e    Extended regular expression.  This sets REG_EXTENDED for regcomp(3).
     i    Ignore upper/lower case.  This sets REG_ICASE.
     n    Not matching.  Reverses the matching result, i.e. the mail is
          rejected if the regular expression does not match.
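
     The argument syntax described above (delimiter, literal regular
     expression, closing delimiter, optional flags e, i and n) as a small C
     sketch.  This is an added example, not code from milter-regex; the
     function name arg_match and its return convention are assumptions made
     here, and it accepts the flags in any order.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not milter-regex source.  Parses one argument of
 * the form <del>regex<del>[flags] and applies it to text.  Returns 1 if
 * the term is true, 0 if false, -1 on a syntax or regcomp(3) error. */
int arg_match(const char *arg, const char *text)
{
    char del = arg[0], re[256];
    const char *start = arg + 1, *end, *f;
    int cflags = REG_NOSUB, negate = 0, hit;
    regex_t preg;

    if (del == '\0' || del == ' ' || del == '\t')
        return -1;              /* spaces and tabs cannot be delimiters */
    end = strchr(start, del);   /* no escaping: next delimiter ends the RE */
    if (end == NULL || (size_t)(end - start) >= sizeof(re))
        return -1;
    for (f = end + 1; *f != '\0'; f++) {
        if (*f == 'e')      cflags |= REG_EXTENDED;
        else if (*f == 'i') cflags |= REG_ICASE;
        else if (*f == 'n') negate = 1;
        else return -1;         /* e.g. leftover RE text after a stray delimiter */
    }
    if (end == start) {
        hit = 1;                /* empty RE always matches, no regexec(3) call */
    } else {
        memcpy(re, start, (size_t)(end - start));
        re[end - start] = '\0';
        if (regcomp(&preg, re, cflags) != 0)
            return -1;
        hit = (regexec(&preg, text, 0, NULL, 0) == 0);
        regfree(&preg);
    }
    return negate ? !hit : hit;
}

int main(void)
{
    /* Constructed inputs; the rules are taken from the EXAMPLES section. */
    printf("%d\n", arg_match("/\\./n", "localhost"));
    printf("%d\n", arg_match(",^text/html,i", "TEXT/HTML"));
    printf("%d\n", arg_match("/^text/html/", "text/html"));
    return 0;
}
```

     The third call shows why the delimiter must not occur in the expression:
     the text after the second / is read as flags and the argument is invalid.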

BOOLEAN EXPRESSIONS

     A rule can consist of either a simple term or more complex expressions.
     A term has the form

     header /From/ /domain/i

     and expressions can be built by combining terms with the operators "and",
     "or", "not" and parentheses, as in

     header /From/ /domain/i and body /money/
     ( not header /From/ /domain/ ) and ( body /sex/ or body /fast/ )

     Operator precedence should not be relied on.  Instead, parentheses should
     be used to resolve any ambiguities (which usually produce syntax errors
     from the parser).

MACROS

     Macros allow terms or expressions to be stored under a name, and $name
     can be used as a term within other rules, expressions or macro
     definitions.  Example:

     friends         = header /^Received$/ /^from [^ ]*(ork.net|home.com)/e
     attachments     = header ,^Content-Type$, ,multipart/mixed, and \
                         body ,^Content-Type: application/,
     executables     = $attachments and body ,name=".*.(pif|exe|scr)"$,e

     reject "executable attachment from non-friends"
     $executables and not $friends

     Macro names must begin with a letter and may contain alphanumeric
     characters and punctuation characters.  Reserved keywords (like "reject"
     or "header") cannot be used as macro names.  Macros must be defined
     before use: the definition must precede the use in the configuration
     file, read from top to bottom.

EVALUATION

     Rules are evaluated in the order specified in the configuration file,
     from top to bottom.  When a rule matches, the corresponding action is
     taken, that is, the last action specified before the matching rule.

     The plugin evaluates the rules every time a line of mail (or envelope) is
     received.  As soon as a rule matches, the action is taken immediately,
     possibly before the entire mail is received, even if further lines might
     make other rules match, too.  This means the first rule matching
     chronologically has precedence.

     If evaluation for a line of mail makes two (or more) rules match, the
     rule that comes first in the configuration file has precedence.

     Boolean expressions are short-circuit evaluated.  That means "a or b"
     becomes true as soon as one of the terms is true and "a and b" becomes
     false as soon as one of the terms is false, even if the other term is not
     known, possibly because the relevant mail line has not been received yet.
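
     The short-circuit behaviour described above, as an added C example that
     is not taken from milter-regex.  A term that has not been decided yet is
     modelled as a third value, TV_UNKNOWN, and rule_state() (a hypothetical
     helper) evaluates the shape of the rule "$executables and not $friends"
     from the MACROS section.

```c
#include <stdio.h>

/* Added illustration, not milter-regex source: three-valued evaluation. */
enum tv { TV_FALSE, TV_TRUE, TV_UNKNOWN };
enum kind { TERM, AND, OR, NOT };

struct node {
    enum kind kind;
    enum tv state;              /* TERM only: UNKNOWN until decided */
    struct node *l, *r;         /* operands; NOT uses l only */
};

enum tv eval(const struct node *n)
{
    enum tv a, b;

    switch (n->kind) {
    case TERM:
        return n->state;
    case NOT:
        a = eval(n->l);
        return a == TV_UNKNOWN ? TV_UNKNOWN : (a == TV_TRUE ? TV_FALSE : TV_TRUE);
    case AND:
        if ((a = eval(n->l)) == TV_FALSE) return TV_FALSE;
        if ((b = eval(n->r)) == TV_FALSE) return TV_FALSE; /* even if a is unknown */
        return (a == TV_TRUE && b == TV_TRUE) ? TV_TRUE : TV_UNKNOWN;
    case OR:
        if ((a = eval(n->l)) == TV_TRUE) return TV_TRUE;
        if ((b = eval(n->r)) == TV_TRUE) return TV_TRUE;   /* even if a is unknown */
        return (a == TV_FALSE && b == TV_FALSE) ? TV_FALSE : TV_UNKNOWN;
    }
    return TV_UNKNOWN;
}

/* Hypothetical helper: state of "executables and not friends". */
enum tv rule_state(enum tv friends, enum tv executables)
{
    struct node f = { TERM, friends, NULL, NULL };
    struct node e = { TERM, executables, NULL, NULL };
    struct node nf = { NOT, TV_UNKNOWN, &f, NULL };
    struct node rule = { AND, TV_UNKNOWN, &e, &nf };
    return eval(&rule);
}

int main(void)
{
    /* Friend header already matched, body not yet received. */
    printf("%d\n", rule_state(TV_TRUE, TV_UNKNOWN));
    return 0;
}
```

     Once the friends term is true the rule is false whatever the body later
     contains; while it is undecided the rule stays undecided even after the
     executables term becomes true.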

EXAMPLES

     # /etc/mail/milter-regex.conf example

     # Accept anything encrypted, just to demonstrate sendmail macros
     accept
     macro /tls_version/ /TLSv/

     tempfail "Sender IP address not resolving"
     connect /\[.*\]/ //

     reject "Malformed HELO (not a domain, no dot)"
     helo /\./n

     reject "Malformed RCPT TO (not an email address, not <.*@.*>)"
     envrcpt /<(.*@.*|Postmaster)>/ein

     reject "HTML mail not accepted"
     # use comma as delimiter here, as / occurs within RE
     header /^Content-type$/i ,^text/html,i
     body ,^Content-type: text/html,i

     # Swen worm
     discard
     header /^(TO|FROM|SUBJECT)$/e //
     header /^Content-type$/i /boundary="Boundary_(ID_/i
     header /^Content-type$/i /boundary="[a-z]*"/
     body ,^Content-type: audio/x-wav; name="[a-z]*\.[a-z]*",i

     # Some nasty spammer
     reject "Business Corp spam, get lost"
     body /^Business Corp. for W.& L. AG/i and \
             ( body /043.*317.*0285/ or body /0041.43.317.02.85/ )

LOGGING

     milter-regex sends log messages to syslogd(8) using facility daemon and,
     with increasing verbosity, level err, notice, info and debug.  The
     following syslog.conf(5) section can be used to log messages to a
     dedicated file:

     !milter-regex
     daemon.err;daemon.notice        /var/log/milter-regex

GRAMMAR

     Syntax for milter-regex in BNF:

     file            = ( rule | macro ) file
     rule            = action expr-list
     action          = "reject" msg | "tempfail" msg | "discard" |
                       "quarantine" msg | "accept"
     msg             = ( '"' | "'" ) string ( '"' | "'" )
     expr-list       = expr [ expr-list ]
     expr            = term | term "and" expr | term "or" expr | "not" term
     term            = '(' expr ')' | "connect" arg arg | "helo" arg |
                       "envfrom" arg | "envrcpt" arg | "header" arg arg |
                       "body" arg | "macro" arg arg | '$' name
     arg             = del regex del flags
     del             = '/' | ',' | '-' | ...
     flags           = [ 'e' ] [ 'i' ] [ 'n' ]
     macro           = name '=' expr

FILES

     /etc/mail/milter-regex.conf

SEE ALSO

     mailstats(1), regex(3), syslog(3), syslog.conf(5), re_format(7),
     sendmail(8), syslogd(8)

     Simple Mail Transfer Protocol, RFC 2821.

     Enhanced Mail System Status Codes, RFC 1893.

HISTORY

     The first version of milter-regex was written in 2003.  Boolean
     expression evaluation was added in 2004.

AUTHORS

     Daniel Hartmeier ⟨daniel@benzedrine.cx⟩

BSD                           September 24, 2003                           BSD