Hardening hMailServer - The ongoing saga!
Re: Hardening hMailServer - The ongoing saga!
Hey palinka,
perhaps you can help me with another question.
Can I exclude IPs from being checked by the script? Like whitelisting or so?
If it's possible, how can I do this?
Thank you!
Re: Hardening hMailServer - The ongoing saga!
Sure. There's a couple of ways.
First, always exclude local mail and backup from tests that should be for incoming mail, or tests for untrusted IPs.
Code: Select all
Sub OnClientConnect(oClient)
    REM - Exclude Backup-MX & local LAN from test
    If (Left(oClient.IPAddress, 12) = "184.105.182.") Then Exit Sub ' junkemailfilter.com backup mx
    If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub ' local LAN
    If oClient.IPAddress = "127.0.0.1" Then Exit Sub ' localhost
    '
    ' Continue processing incoming connections
    '
End Sub
Secondly, I made a whitelisting function to check IPs against WL-RBLs. This requires RvdH's DNS Resolver: https://d-fault.nl/files
Code: Select all
Function IsWhitelisted(strIP) : IsWhitelisted = False
    ' Lookup(strRegEx, strLookup) is a regex-match helper that is not shown in this post
    Dim a : a = Split(strIP, ".")
    Dim strLookup, strRegEx
    Dim IsWLMailSpike, IsWLHostKarma, IsWLNSZones, IsWLSPFBL, IsWLSpamDonkey, IsWLIPSWhitelisted

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".rep.mailspike.net")
    End With
    strRegEx = "^127\.0\.0\.(19|20)$" '18=Good, 19=Very Good, 20=Excellent Reputation
    IsWLMailSpike = Lookup(strRegEx, strLookup)

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".hostkarma.junkemailfilter.com")
    End With
    strRegEx = "^127\.0\.0\.(1|5)$" '1=Good, 5=NoBL
    IsWLHostKarma = Lookup(strRegEx, strLookup)

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".wl.nszones.com")
    End With
    strRegEx = "^127\.0\.0\.5$" '5=whitelisted
    IsWLNSZones = Lookup(strRegEx, strLookup)

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".dnswl.spfbl.net")
    End With
    strRegEx = "^127\.0\.0\.(2|3|4|5)$" '2=excellent rep, 3=indispensable public service, 4=corp email (no marketing), 5=safe bulk mail
    IsWLSPFBL = Lookup(strRegEx, strLookup)

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".dnsbl.spamdonkey.com")
    End With
    strRegEx = "^126\.0\.0\.0$" '126.0.0.0=whitelisted
    IsWLSpamDonkey = Lookup(strRegEx, strLookup)

    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".ips.whitelisted.org")
    End With
    strRegEx = "^127\.0\.0\.2$" '2=whitelisted
    IsWLIPSWhitelisted = Lookup(strRegEx, strLookup)

    If (IsWLMailSpike OR IsWLHostKarma OR IsWLNSZones OR IsWLSPFBL OR IsWLSpamDonkey OR IsWLIPSWhitelisted) Then IsWhitelisted = True
End Function

If NOT(IsWhitelisted(strIP)) Then
    '
    ' do stuff here to non-whitelisted IPs
    '
End If

-- or - like above --

REM - Exclude Backup-MX & local LAN from test
If (Left(oClient.IPAddress, 12) = "184.105.182.") Then Exit Sub ' junkemailfilter.com backup mx
If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub ' local LAN
If oClient.IPAddress = "127.0.0.1" Then Exit Sub ' localhost
If IsWhitelisted(oClient.IPAddress) Then Exit Sub ' inside OnClientConnect the address comes from oClient
Re: Hardening hMailServer - The ongoing saga!
palinka wrote: ↑2022-04-29 21:10
> Secondly, I made a whitelisting function to check IPs against WL-RBLs. This requires RvdH's DNS Resolver: https://d-fault.nl/files
> I use the IsWhitelisted function to exclude from geoip testing with the idea that I can ban many countries with geoip, but still allow whitelisted IPs from banned countries through.
Yeah, this is what I am looking for.
Do I have to put this in "Eventhandler.vbs" or "Handler.vbs"?
And where can I define the whitelisted IPs, for example 94.105.266.80?
Thanks

Re: Hardening hMailServer - The ongoing saga!
udgesbou wrote: ↑2022-04-30 16:11
> Yeah, this is what I am looking for.
> Do I have to put this in "Eventhandler.vbs" or "Handler.vbs"?
> And where can I define the whitelisted IPs, for example 94.105.266.80?
> Thanks
It goes in eventhandlers.vbs.
YOU don't define anything. These are public RBLs doing the checking for you. They define their own whitelists.
Re: Hardening hMailServer - The ongoing saga!
Okay, but I have one IP I want to exclude from checking.
Is this what I have to do?
Code: Select all
Sub OnClientConnect(oClient)
    REM - Exclude Backup-MX & local LAN from test
    If (Left(oClient.IPAddress, 12) = "94.105.266.80") Then Exit Sub ' MY IP THAT I WANT TO EXLUDE
    If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub ' local LAN
    If oClient.IPAddress = "127.0.0.1" Then Exit Sub ' localhost
    '
    ' Continue processing incoming connections
    '
End Sub
Greetings
Re: Hardening hMailServer - The ongoing saga!
udgesbou wrote: ↑2022-04-30 20:37
> Okay, but I have one IP I want to exclude from checking.
> Is this what I have to do?
> Greetings
Yes.
Re: Hardening hMailServer - The ongoing saga!
udgesbou wrote: ↑2022-04-30 20:37
> Is this what I have to do?
> Greetings
For specific IP use
Code: Select all
If oClient.IPAddress = "94.105.266.80" Then Exit Sub ' MY IP THAT I WANT TO EXLUDE
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2607.56 on Windows Server 2016 Core VM.
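The `Left(oClient.IPAddress, 12)` test in the question cannot match because the literal it is compared with has 13 characters, which is why the exact comparison is the right form for a single address. As an added example (not code from any poster or from hMailServer), this stand-alone script takes the prefix length from the entry itself and also accepts CIDR blocks; `IPv4ToNumber`, `IPInCIDR`, `IsExcluded` and the sample list are hypothetical names and constructed values.

```vbscript
Option Explicit

' Added example: exclusion matching for OnClientConnect without hand-counted
' Left() lengths. Run with cscript.exe; the three functions can be pasted into
' EventHandlers.vbs. All names and sample values are constructed.

' Convert dotted IPv4 text to a number (Double). Returns -1 when malformed.
Function IPv4ToNumber(strIP)
    Dim re, matches, m, i, octet, n
    IPv4ToNumber = -1
    Set re = New RegExp
    re.Pattern = "^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$"
    If Not re.Test(strIP) Then Exit Function
    Set matches = re.Execute(strIP)
    Set m = matches(0)
    n = CDbl(0)
    For i = 0 To 3
        octet = CLng(m.SubMatches(i))
        If octet > 255 Then Exit Function      ' e.g. the "266" in the thread's placeholder
        n = n * 256 + octet
    Next
    IPv4ToNumber = n
End Function

' True when strIP lies inside strCIDR ("a.b.c.d/nn"). Malformed input gives False.
Function IPInCIDR(strIP, strCIDR)
    Dim re, matches, m, bits, ipNum, netNum, blockSize
    IPInCIDR = False
    Set re = New RegExp
    re.Pattern = "^([0-9.]+)/(\d{1,2})$"
    If Not re.Test(strCIDR) Then Exit Function
    Set matches = re.Execute(strCIDR)
    Set m = matches(0)
    bits = CLng(m.SubMatches(1))
    If bits > 32 Then Exit Function
    ipNum = IPv4ToNumber(strIP)
    netNum = IPv4ToNumber(m.SubMatches(0))
    If ipNum < 0 Or netNum < 0 Then Exit Function
    ' Two addresses share a block when they agree after dropping the host bits
    blockSize = 2 ^ (32 - bits)
    IPInCIDR = (Int(ipNum / blockSize) = Int(netNum / blockSize))
End Function

' Entry forms: "a.b.c.d" (exact), "a.b.c." (prefix, trailing dot required),
' "a.b.c.d/nn" (CIDR). Anything that is not valid IPv4 is never excluded.
Function IsExcluded(strIP, arrEntries)
    Dim entry
    IsExcluded = False
    If IPv4ToNumber(strIP) < 0 Then Exit Function
    For Each entry In arrEntries
        If InStr(entry, "/") > 0 Then
            If IPInCIDR(strIP, entry) Then IsExcluded = True
        ElseIf Right(entry, 1) = "." Then
            ' Length is derived from the entry, so it cannot drift from the literal
            If Left(strIP, Len(entry)) = entry Then IsExcluded = True
        Else
            If strIP = entry Then IsExcluded = True
        End If
        If IsExcluded Then Exit Function
    Next
End Function

' In EventHandlers.vbs the call would be:
'   If IsExcluded(oClient.IPAddress, exclusions) Then Exit Sub

' ---- constructed demo input ----
Dim exclusions, sample
exclusions = Array("127.0.0.1", "192.168.22.", "184.105.182.0/24", "203.0.113.80")

WScript.Echo "Length of the literal compared with Left(ip, 12): " & Len("94.105.266.80")
For Each sample In Array("192.168.22.7", "192.168.220.7", "184.105.182.16", _
                         "203.0.113.80", "203.0.113.8", "94.105.266.80")
    WScript.Echo sample & " excluded=" & IsExcluded(sample, exclusions)
Next
```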
Re: Hardening hMailServer - The ongoing saga!
Hey,
for two days now I can't connect to my hMailServer via Outlook, Android Mail or so.
I think one reason could be my geoblocking. I only allowed IP addresses from Germany.
But in my "hmailserver_events.log" I only get these results:
Code: Select all
12260 "2022-12-06 11:14:24.036" "- GeoLookup(60.217.75.70) = zz"
4252 "2022-12-06 11:43:14.268" "- GeoLookup(91.15.34.229) = zz"
4252 "2022-12-06 11:43:34.471" "- GeoLookup(80.187.102.198) = zz"
The hmailserver.log looks like this at 11:43:14:
Code: Select all
"DEBUG" 4252 "2022-12-06 11:43:14.236" "Creating session 38"
"TCPIP" 4252 "2022-12-06 11:43:14.252" "TCP - 91.15.34.229 connected to MYIPADDRESS:465."
"DEBUG" 4252 "2022-12-06 11:43:14.252" "Executing event OnClientConnect"
"DEBUG" 4252 "2022-12-06 11:43:14.268" "Event completed"
"DEBUG" 4252 "2022-12-06 11:43:14.268" "Ending session 37"
I only got "zz". I tried it from different IPs from Germany, but I only got "zz" and not "de". It has been like this since 04.12.2022.
Can anyone help me, how I can fix that?
Thanks in advance

Re: Hardening hMailServer - The ongoing saga!
Looks like countries.nerd.dk has some issue, might be temporary or maybe it is permanently gone (don't think it was maintained actively anyway)
; <<>> DiG 9.16.34 <<>> 100.232.204.81.zz.countries.nerd.dk TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47380
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 98c1cb9aed04b11101000000638f23d8396910e6ca9806ce (good)
;; QUESTION SECTION:
;100.232.204.81.zz.countries.nerd.dk. IN TXT
;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:13:28 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 92
Maybe you could substitute it with country.junkemailfilter.com?
; <<>> DiG 9.16.34 <<>> 100.232.204.81.country.junkemailfilter.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16008
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ebb327ea90df677401000000638f2515af071c78656b0bd3 (good)
;; QUESTION SECTION:
;100.232.204.81.country.junkemailfilter.com. IN TXT
;; ANSWER SECTION:
100.232.204.81.country.junkemailfilter.com. 21600 IN TXT "nl"
;; Query time: 1633 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:18:45 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 114
Last edited by RvdH on 2022-12-06 13:19, edited 1 time in total.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
RvdH wrote: ↑2022-12-06 13:15
> Looks like countries.nerd.dk has some issue, might be temporary or maybe it is permanently gone (don't think it was maintained actively anyway)
Oh okay, thanks for your very fast research and reply.
Is there any alternative known which I could possibly use?

EDIT:
RvdH wrote: ↑2022-12-06 13:15
> Maybe you could substitute it with country.junkemailfilter.com?
Oh this could be an option, so I have to change "zz.countries.nerd.dk" to "country.junkemailfilter.com"?
Re: Hardening hMailServer - The ongoing saga!
I think there is a slight difference between them for England, if I remember right it is discovered by countries.nerd.dk as "uk" whereas country.junkemailfilter.com returns "gb" (might be more irregularities)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Yep, that should be enough
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Okay, but I would only allow connections from Germany anyway, so I would only need the return for Germany. Is it possible to research this somewhere? Or is it "de"?
Okay so it should look like this?:
EventHandlers.vbs
Code: Select all
Function GetDatabaseObject()
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Set GetDatabaseObject = oApp.Database
End Function
Function GeoLookup(strIP) : GeoLookup = "zz"
Dim a, element, group, strLookup
a = Split(strIP, ".")
With CreateObject("DNSLibrary.DNSResolver")
strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & "country.junkemailfilter.com")
End With
If Trim(strLookup) = "" Then
EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
Exit Function
End If
group = Split(strLookup, vbCrLf)
If UBound(group) > 0 Then
For Each element In group
If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
Next
Else
GeoLookup = group(0)
End If
End Function
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
'
' Exclude local LAN from test
'
If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
'
' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
' zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
'
If (oClient.Port <> 25) Then
If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
'
' Add unauthorized access to IDS registry
'
Call idsAddIP(oClient.IPAddress, oClient.Port)
Result.Value = 1
Exit Sub
End If
End If
'
' Only test SMTP traffic on defined ports 25, 587 and 465.
' Register IP address in IDS registry.
'
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub
'* Sub OnHELO(oClient)
'* End Sub
This is the actual EventHandlers.vbs:
Code: Select all
Function GetDatabaseObject()
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Set GetDatabaseObject = oApp.Database
End Function
Function GeoLookup(strIP) : GeoLookup = "zz"
Dim a, element, group, strLookup
a = Split(strIP, ".")
With CreateObject("DNSLibrary.DNSResolver")
strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
End With
If Trim(strLookup) = "" Then
EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
Exit Function
End If
group = Split(strLookup, vbCrLf)
If UBound(group) > 0 Then
For Each element In group
If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
Next
Else
GeoLookup = group(0)
End If
End Function
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
'
' Exclude local LAN from test
'
If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
'
' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
' zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
'
If (oClient.Port <> 25) Then
If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
'
' Add unauthorized access to IDS registry
'
Call idsAddIP(oClient.IPAddress, oClient.Port)
Result.Value = 1
Exit Sub
End If
End If
'
' Only test SMTP traffic on defined ports 25, 587 and 465.
' Register IP address in IDS registry.
'
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub
'* Sub OnHELO(oClient)
'* End Sub
Last edited by udgesbou on 2022-12-06 13:37, edited 2 times in total.
Re: Hardening hMailServer - The ongoing saga!
it is "de"
; <<>> DiG 9.16.34 <<>> 229.34.15.91.country.junkemailfilter.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37014
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7129c829559b875901000000638f28e333e400f7fa7c13bd (good)
;; QUESTION SECTION:
;229.34.15.91.country.junkemailfilter.com. IN TXT
;; ANSWER SECTION:
229.34.15.91.country.junkemailfilter.com. 21600 IN TXT "de"
;; Query time: 281 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:34:59 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 112
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
https://wiki.junkemailfilter.com/index. ... _DNS_Lists
Country Code List
Junk Email Filter now provides a country code IP lookup. Just used the standard IP lookup (reversed) and read the TXT record and it returns a 2 character country code.
4.3.2.1.country.junkemailfilter.com TXT
Return code of "zz" means the country is unknown.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Thank you!
I tried this EventHandlers.vbs Config, but the result is still "zz"

Code: Select all
Function GetDatabaseObject()
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Set GetDatabaseObject = oApp.Database
End Function
Function GeoLookup(strIP) : GeoLookup = "zz"
Dim a, element, group, strLookup
a = Split(strIP, ".")
With CreateObject("DNSLibrary.DNSResolver")
strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.country.junkemailfilter.com")
End With
If Trim(strLookup) = "" Then
EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
Exit Function
End If
group = Split(strLookup, vbCrLf)
If UBound(group) > 0 Then
For Each element In group
If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
Next
Else
GeoLookup = group(0)
End If
End Function
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
'
' Exclude local LAN from test
'
If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
'
' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
' zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
'
If (oClient.Port <> 25) Then
If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
'
' Add unauthorized access to IDS registry
'
Call idsAddIP(oClient.IPAddress, oClient.Port)
Result.Value = 1
Exit Sub
End If
End If
'
' Only test SMTP traffic on defined ports 25, 587 and 465.
' Register IP address in IDS registry.
'
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub
'* Sub OnHELO(oClient)
'* End Sub

Or is ".zz.country.junkemailfilter.com" the wrong address?
Re: Hardening hMailServer - The ongoing saga!
Yes, read above
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Code: Select all
With CreateObject("DNSLibrary.DNSResolver")
    strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
End With
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
OMG, now it works, I can connect to my hMailServer
Thank you very very much for your help and your patience.
In hmailserver_events.log I still got the result "zz", but I can connect and receive and send mails. I don't know why I got no "de" as result?
Re: Hardening hMailServer - The ongoing saga!
udgesbou wrote: ↑2022-12-06 14:18
> OMG, now it works, I can connect to my hMailServer
> Thank you very very much for your help and your patience.
> In hmailserver_events.log I still got the result "zz", but I can connect and receive and send mails. I don't know why I got no "de" as result?
That sounds weird, did you reload scripts?
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Ah, I see... EventLog.Write is only called when none or multiple entries are returned.... not for successful lookups
Not even sure if multiple is possible here, the lookup against nerds.dk had the odd behavior to sometimes return multiple results, example: "nl" and "eu"
Last edited by RvdH on 2022-12-06 15:55, edited 1 time in total.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Hardening hMailServer - The ongoing saga!
Yeah, I reload Scripts and restart hmailserver, but still result "zz"

RvdH wrote: ↑2022-12-06 15:53
> Ah, I see... EventLog.Write is only called when none or multiple entries are returned.... not for successful lookups
> Not even sure if multiple is possible here, the lookup against nerds.dk had the odd behavior to sometimes return multiple results, example: "nl" and "eu"
Oh dear, I don't know what that means

Re: Hardening hMailServer - The ongoing saga!
It only logs failures as said before, if you like to log successful lookups change the function like:
Code: Select all
Function GeoLookup(strIP) : GeoLookup = "zz"
    Dim a, element, group, strLookup
    a = Split(strIP, ".")
    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
    End With
    If Trim(strLookup) = "" Then
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
        Exit Function
    End If
    group = Split(strLookup, vbCrLf)
    If UBound(group) > 0 Then
        For Each element In group
            If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
        Next
    Else
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
        GeoLookup = group(0)
    End If
End Function
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
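The lock-out in this thread came from the script treating a dead zone (SERVFAIL, empty TXT) the same as a foreign country, and two of the posted configs had a malformed zone suffix. As an added example (not code from any poster, from RvdH's component or from hMailServer), these helpers build the query name, normalise the answers and return ALLOW, DENY or NODATA so that a resolver outage can be handled separately from a real mismatch. The function names, the `de|gb` allow-list and the sample answers are constructed, and the `.TXT()` result format (empty string on failure, vbCrLf between answers) is assumed from the GeoLookup code above.

```vbscript
Option Explicit

' Added example: pure helpers around the thread's DNS GeoLookup, runnable
' offline with cscript.exe. Function names and sample inputs are constructed.

Const GEO_ZONE = "country.junkemailfilter.com"

' Build "d.c.b.a.<zone>". Returns "" for anything that is not dotted IPv4.
Function BuildGeoQuery(strIP, strZone)
    Dim a, zone
    BuildGeoQuery = ""
    a = Split(Trim(strIP), ".")
    If UBound(a) <> 3 Then Exit Function
    zone = Trim(strZone)
    Do While Left(zone, 1) = "."          ' accept "zone" and ".zone" alike
        zone = Mid(zone, 2)
    Loop
    If zone = "" Then Exit Function
    BuildGeoQuery = a(3) & "." & a(2) & "." & a(1) & "." & a(0) & "." & zone
End Function

' Normalise one TXT answer to a lower-case two-letter code, or "" if it is not one.
Function NormalizeCountry(strAnswer)
    Dim re, code
    NormalizeCountry = ""
    code = LCase(Trim(Replace(strAnswer, """", "")))
    Set re = New RegExp
    re.Pattern = "^[a-z]{2}$"
    If Not re.Test(code) Then Exit Function
    If code = "uk" Then code = "gb"       ' the two zones differ here, per the thread
    NormalizeCountry = code
End Function

' strAllowedList is "|"-separated, e.g. "de" or "de|at|ch".
'   ALLOW  = at least one answer is in the allow-list
'   DENY   = the zone answered, but with no allowed country (includes "zz")
'   NODATA = no usable answer at all (resolver error, SERVFAIL, zone gone)
Function GeoDecision(strAllowedList, strLookup)
    Dim answer, code, sawAnswer
    sawAnswer = False
    GeoDecision = "NODATA"
    For Each answer In Split(strLookup, vbCrLf)
        code = NormalizeCountry(answer)
        If code <> "" Then
            sawAnswer = True
            ' Delimited exact match: a bare InStr(list, code) returns 1 for an empty code
            If InStr("|" & LCase(strAllowedList) & "|", "|" & code & "|") > 0 Then
                GeoDecision = "ALLOW"
                Exit Function
            End If
        End If
    Next
    If sawAnswer Then GeoDecision = "DENY"
End Function

' Sketch of the caller in OnClientConnect, using only calls shown in the thread.
' Rejecting without an IDS entry on NODATA is one possible policy, not the only one.
'   strTXT = CreateObject("DNSLibrary.DNSResolver").TXT(BuildGeoQuery(oClient.IPAddress, GEO_ZONE))
'   Select Case GeoDecision("de", strTXT)
'       Case "DENY"
'           Call idsAddIP(oClient.IPAddress, oClient.Port)
'           Result.Value = 1
'       Case "NODATA"
'           EventLog.Write("- GeoLookup(" & oClient.IPAddress & ") = no answer")
'           Result.Value = 1
'   End Select

' ---- constructed demo input ----
Dim answers, t
WScript.Echo BuildGeoQuery("91.15.34.229", GEO_ZONE)
WScript.Echo BuildGeoQuery("91.15.34.229", "." & GEO_ZONE)
WScript.Echo "[" & BuildGeoQuery("::1", GEO_ZONE) & "]"

answers = Array("de", """DE""", "uk", "nl" & vbCrLf & "eu", "zz", "")
For Each t In answers
    WScript.Echo "[" & Replace(t, vbCrLf, ",") & "] -> " & GeoDecision("de|gb", t)
Next
```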
Re: Hardening hMailServer - The ongoing saga!
RvdH wrote: ↑2022-12-06 15:58
It only logs failures as said before, if you like to log successful lookups change the function like:
Code: Select all
Function GeoLookup(strIP) : GeoLookup = "zz"
    Dim a, element, group, strLookup
    a = Split(strIP, ".")
    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
    End With
    If Trim(strLookup) = "" Then
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
        Exit Function
    End If
    group = Split(strLookup, vbCrLf)
    If UBound(group) > 0 Then
        For Each element In group
            If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
        Next
    Else
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
        GeoLookup = group(0)
    End If
End Function

That works pretty well, thank you very very much my friend


Re: Hardening hMailServer - The ongoing saga!
SorenR wrote: ↑2019-01-28 17:09
ActiveX object DNSLibrary can be obtained from https://d-fault.nl/files/DNSResolverCom ... .3.exe.zip

Link is broken
I see that RvdH has listed newer versions
https://d-fault.nl/files
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Hardening hMailServer - The ongoing saga!
mattg wrote: ↑2022-12-09 02:55
SorenR wrote: ↑2019-01-28 17:09
ActiveX object DNSLibrary can be obtained from https://d-fault.nl/files/DNSResolverCom ... .3.exe.zip
Link is broken
I see that RvdH has listed newer versions
https://d-fault.nl/files

I created a redirect DNSResolverComponent_1.3.exe.zip to DNSResolverComponent_1.3.1.2.exe.zip
DNSResolverComponent_1.3.1.2 uses UDP and requires .NET 3.5 (using HeijdenDNS)
DNSResolverComponent_1.4.1.2 uses TCP and requires .NET 4.5 (using HeijdenDNS)
DNSResolverComponent_1.4.5.0 is a complete rewrite with more options, eg: you can choose between UDP and TCP, TCP fallback, set UDP packet size and requires .NET 4.5 (using DnsClient.NET)
(i think

1.4.5.0
This object has 28 public functions:
-- SetTimeout(<int [1-10]>) * default 1
-- SetRetries(<int [1-10]>) * default 3
-- SetRecursion(<bool>) * default true
-- SetServer(<string IPv4 or IPv6>) * default none
-- SetEdnsPacketSize(<int [512-4096]>) * default 4096
-- SetTcpFallback(<bool>) * default true
-- SetTcpOnly(<bool>) * default false
-- GetTimeout() * returns Timeout value
-- GetRetries() * returns Retries value
-- GetRecursion() * returns Recursion value
-- GetServer() * returns Server value (if any)
-- GetEdnsPacketSize() * returns edns packet size value
-- GetTcpFallback() * returns TCPFallback value
-- GetTcpOnly() * returns TCPOnly value
-- Version() * returns the version number
-- Help() * shows this help
-- IPv4A(<Domain name>) * query IPv4 A-Record(s)
-- A(<Domain name>) * same as IPv4A (deprecated)
-- DNSLookup(<Domain name>) * same as IPv4A (deprecated)
-- IPv6A(<Domain name>) * query IPv6 A-Record(s)
-- AAAA(<Domain name>) * same as IPv6A (deprecated)
-- CAA(<Domain name>) * query CAA-Record
-- CNAME(<Domain name>) * query CNAME-Record(s)
-- MX(<Domain name>) * query MX-Record(s)
-- NS(<Domain name>) * query NS-Record(s)
-- PTR(<IP address>) * query PTR-Record
-- SOA(<Domain name>) * query SOA-Record
-- TXT(<Domain name>) * query TXT-Record(s)
Example:
Code: Select all
Private Const DnsServer = "127.0.0.1"
Private Const DnsExtendedDnsBufferSize = 1232
Private Const DnsTimeOut = 5
Private Const DnsRetries = 2
With CreateObject("DNSLibrary.DNSResolver")
    .SetServer(DnsServer)
    .SetEdnsPacketSize(DnsExtendedDnsBufferSize)
    .SetTimeout(DnsTimeOut)
    .SetRetries(DnsRetries)
    strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
End With
Re: Hardening hMailServer - The ongoing saga!
Too sad about countries.nerd.dk, but there seems to be an alternative for country blocking with country.junkemailfilter.com
Unfortunately, I am not as sophisticated as many here so I have to take little baby steps in how I change my setup. I'm gathering that I cannot simply swap out my country-based DNS blacklists in hmailserver by replacing, say "cn.countries.nerd.dk" by "country.junkemailfilter.com". One is testing for a country and if the result is "yes" then the message is rejected whereas with country.junkemailfilter.com there are no predefined IP blocks so the answer to the query is not "yes" nor "no" but "country".
Hm. So what you are doing now is letting a script do the lifting of getting the country first and then checking the result against white- or black-listed countries in your own config? That would be the way for me, unfortunately I cannot simply allow connections from country but need a few more as well as to not shut out Goggle, Hootmail, etc. Preferably, white-listing should be used and all other countries rejected. However, I have no idea how to use external programs for this, like the "resolver". Could someone give me a pointer where I can read up on this? I'm not running hmailserver on Windows server though, just a workstation.
Re: Hardening hMailServer - The ongoing saga!
The inbuilt DNS blacklist thing is really great, though, as it lets you use fine-grained reactions via scoring. Too bad country.junkemailfilter.com can't be used with that directly!
Edit: Hang on, hang on... I feel a tingle in my toes...
Is this supposed to work?
https://imgur.com/a/siuEk9s
Re: Hardening hMailServer - The ongoing saga!
Jorgo wrote: ↑2022-12-17 23:26
The inbuilt DNS blacklist thing is really great, though, as it lets you use fine-grained reactions via scoring. Too bad country.junkemailfilter.com can't be used with that directly!
Edit: Hang on, hang on... I feel a tingle in my toes...
Is this supposed to work?
https://imgur.com/a/siuEk9s

No, that won't work because the answer will be an IP address like 127.0.0.2. The reply will be NX domain always.
If you can make a query work using nslookup, then it will work as a custom dnsbl like you tried to do with it.
Your best bet is to try to make the script above work, or if you prefer using local query with mysql, then you can check this one out: viewtopic.php?f=9&t=34496
Re: Hardening hMailServer - The ongoing saga!
Thanks, you seem to be on top of it. Although I'm running MySQL in MariaDB flavour, the thread you referenced unfortunately is very long, still seems to be ongoing and I can't make out which post contains the complete final script. Probably should be in .sql format so it could be imported into the database but all that is a bit over my head.
Re: Hardening hMailServer - The ongoing saga!
OK, I've got logging working, same as @udgesbou above. Now I would like to immediately disconnect any country not in my whitelist. In his script I see
Code: Select all
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
    '
    ' Exclude local LAN from test
    '
    If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
    If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
    '
    ' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
    ' zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
    '
    If (oClient.Port <> 25) Then
        If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
            '
            ' Add unauthorized access to IDS registry
            '
            Call idsAddIP(oClient.IPAddress, oClient.Port)
            Result.Value = 1
            Exit Sub
        End If
    End If
that "Only allow Danish Realm" is commented but then it seems to target only "de". I guess I would expand the country list like
Code: Select all
If (InStr("de|us|fr", GeoLookup(oClient.IPAddress)) = 0) Then
Also, for the Call to idsAddIP I guess I have to backtrack to @SorenR 's original concept from 2019 and start experimenting...
Re: Hardening hMailServer - The ongoing saga!
Alright, does anyone spot syntax errors or call nonsense?
Code: Select all
Function GeoLookup(strIP) : GeoLookup = "zz"
    Dim a, element, group, strLookup
    a = Split(strIP, ".")
    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
    End With
    If Trim(strLookup) = "" Then
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
        Exit Function
    End If
    group = Split(strLookup, vbCrLf)
    If UBound(group) > 0 Then
        For Each element In group
            If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
        Next
    Else
        EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
        GeoLookup = group(0)
    End If
End Function
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
    ' Autoban unwanted countries for 1 day
    '
    ' 1. Exclude local LAN from test
    '
    If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
    If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
    If (Left(oClient.IPAddress, 10) = "192.168.1.") Then Exit Sub
    If (Left(oClient.IPAddress, 9) = "127.0.0.1") Then Exit Sub
    '
    ' 2. Only allow non-SMTP connections from some countries (remember where you might be in your holidays + VPN!)
    ' Examples: zz = N/A, de = Germany, us = USA, nl = Holland, be = Belgium, fr = France, at = Austria, ch = Switzerland
    '
    If (oClient.Port <> 25) Then
        If (InStr("de|us|at", GeoLookup(oClient.IPAddress)) = 0) Then
            Result.Value = 1
            EventLog.Write(oClient.IPAddress & vbTab & oClient.Port)
            Call AutoBan(oClient.IPAddress, "InStr" & oClient.Port, 1, "d")
            Exit Sub
        End If
    End If
    '
    ' 3. Only allow SMTP connections from some countries (breaking RFC)
    '
    ' VBScript has no "|" operator, so the ports are compared one by one with Or
    If (oClient.Port = 25 Or oClient.Port = 587 Or oClient.Port = 465) Then
        ' Stray ")" removed from the end of the country list string
        If (InStr("de|us|be|nl|fr|at|ch", GeoLookup(oClient.IPAddress)) = 0) Then
            Result.Value = 1
            EventLog.Write(oClient.IPAddress & vbTab & oClient.Port)
            Call AutoBan(oClient.IPAddress, "InStr" & oClient.Port, 1, "d")
            Exit Sub
        End If
    End If
    '
End Sub
Sub AutoBan(sIPAddress, sReason, iDuration, sType)
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    ' ADMINISTRATOR and MYPASSWORD are placeholders for the admin credentials
    Call oApp.Authenticate(ADMINISTRATOR, MYPASSWORD)
    ' LockFile is not defined in this post; it has to come from the rest of the script
    With LockFile(oApp.Settings.Directories.TempDirectory & "\autoban.lck")
        On Error Resume Next
        oApp.Settings.SecurityRanges.Refresh
        If (oApp.Settings.SecurityRanges.ItemByName("Auto-ban: (" & sReason & ") " & sIPAddress) Is Nothing) Then
            With oApp.Settings.SecurityRanges.Add
                ' Was "& IPAddress", an undefined name; the parameter is sIPAddress
                .Name = "Auto-ban: (" & sReason & ") " & sIPAddress
                .LowerIP = sIPAddress
                .UpperIP = sIPAddress
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
        End If
        On Error Goto 0
        .Close
    End With
End Sub
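Added example, not part of any post in this thread: the allow-list test in the script above relies on InStr, which is a case-sensitive substring search, and GeoLookup indexes a(3) without checking that the address is dotted-quad IPv4. The helpers GeoQueryName and IsCountryAllowed are hypothetical names showing a stricter variant; the sample values are constructed, and the block is written to run under cscript.exe rather than inside hMailServer.

```vbscript
' Hypothetical helper (not from the thread): build the query name GeoLookup uses,
' or return "" when strIP is not a dotted-quad IPv4 address.
Function GeoQueryName(strIP)
    Dim a, i, re
    GeoQueryName = ""
    Set re = New RegExp
    re.Pattern = "^\d{1,3}$"
    a = Split(strIP, ".")
    If UBound(a) <> 3 Then Exit Function
    For i = 0 To 3
        If Not re.Test(a(i)) Then Exit Function
        If CLng(a(i)) > 255 Then Exit Function
    Next
    GeoQueryName = a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com"
End Function

' Hypothetical helper: exact, case-insensitive match against a "|"-separated
' allow-list. Codes that are not exactly two characters never match; the rest
' must equal one list entry.
Function IsCountryAllowed(strCode, strAllowList)
    Dim code, item
    IsCountryAllowed = False
    code = LCase(Trim(strCode))
    If Len(code) <> 2 Then Exit Function
    For Each item In Split(LCase(strAllowList), "|")
        If Trim(item) = code Then
            IsCountryAllowed = True
            Exit Function
        End If
    Next
End Function

' Constructed sample values: compare the InStr test with the exact match.
Dim sample
For Each sample In Array("de", "DE", "", "e|", "zz")
    WScript.Echo "[" & sample & "] InStr=" & (InStr("de|us|at", sample) <> 0) & _
        " exact=" & IsCountryAllowed(sample, "de|us|at")
Next
' Constructed addresses from documentation ranges.
WScript.Echo "[" & GeoQueryName("192.0.2.10") & "]"
WScript.Echo "[" & GeoQueryName("2001:db8::1") & "]"
```

With the exact match, the fallback value "zz" is allowed only if it is listed explicitly, so whether a failed lookup blocks or admits the client becomes a visible choice in the allow-list.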
Re: Hardening hMailServer - The ongoing saga!
my experience, country.junkemailfilter.com is not that accurate, i had several NL based IP's being blocked
https://github.com/RvdHout/GeoLite2SQL (basically the same as https://github.com/palinkas-jo-reggelt/GeoLite2SQL, but with original database format/column names and MySQL.Data.dll embedded)
https://www.hmailserver.com/forum/viewt ... 67#p244167
Re: Hardening hMailServer - The ongoing saga!
I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:
https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210
You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't.

Re: Hardening hMailServer - The ongoing saga!
palinka wrote: ↑2022-12-19 09:49
I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:
https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210
You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't.

Good one, better now?
Re: Hardening hMailServer - The ongoing saga!
RvdH wrote: ↑2022-12-19 10:46
palinka wrote: ↑2022-12-19 09:49
I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:
https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210
You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't.
Good one, better now?

Yeah, looks good. Address resolves properly. Don't forget to update version.txt when you make updates.
I wonder if there's some github api function that can do this automatically.
