1.7b 10/26/03
-------------
1. Fixed a few minor bugs.
2. Added "url" parameter for access control (ACL). This parameter is for "body" rules only and will
be ignored in a header context. This parameter tells sentinel to run ACL rules against URL strings
only in a message body. All URL strings will be decoded before to run ACL's. The sample is below:
--
[body]
body1:body1:bannedURLS:/.*/
...
[actions]
bannedURLs:acl:url:/etc/mail/milter/bannedURLS.lst
--
3. Added new option "d" for regular expressions. If you defined your regex
like "/viagra|valium|xanax/d", then it'll be running against decoded html
content (html content without numeric entities). Therefore, the sequences
"&#nnn;" will be decoded before to run either regex or body ACL's. You can
combine this option with option "s". Of course, it's working for "text/html"
only. This option will be ignored in case of "text/plain" content.
Below is an example how to run ACL against HTML content with stripped tags
and decoded numeric entities:
--
[body]
body1:body1:tabooBody:/.*/ds
...
[actions]
tabooBody:acl:/etc/mail/milter/tabooBody.lst
--
where tabooBody.lst is something like below:
--
viagra
Online Pharmacy
xanox
phentermine
prozac
valium
Vicodin
...
--
1.6.10b 10/19/03
----------------
1. Fixed several bugs in the MIME parser.
2. Access control (ACL) now can accept one more parameter in action definition.
Typically it's back reference to subexpression in regular expression of
event calling this ACL. Like an example below:
--
[headers]
Received: rcvd1:rcvd1:blackRelays:/^from.*\((.+)\s+\[.*\]( \(may be forged\))?\)\s+by\s+mx[1-9]\.mycompany\.com/i
...
[actions]
blackRelays:acl:${1}:/etc/mail/milter/blackRelays.lst
--
If you omit first parameter ("${1}" for example above), ACL will apply to entire header.
Like below:
--
[actions]
blackRelays:acl:/etc/mail/milter/blackRelays.lst
--
Please note, it does not work for body rules. Will implement it in next release.
3. Added one more global parameter max_parse_txt. This parameter tells sentinel not to process
"body" rules for "text/plain" or "text/html" message part if content length for this part
is greater than "max_parse_txt". This parameter must be specified in bytes. The deafult
value is 1M. For example:
--
[global]
max_parse_txt:524288
--
1.6.5b 06/09/03
---------------
1. Did some fixes which eliminate ambiguities with names in Content-Type/Content-Disposition
headers. These fixes apply to "[attachments]" chapter only.
2. Access Control List (acl) actions now will trigger events with the same names
in case of positive result for ACL. It may be helpful for references to ACL's
from another events. Like below:
--
[headers]
Subject: subj1:subj1,whitelist:removetag:/^SPAM: (.*)/
EnvelopeFrom: efrom1:efrom1:whitelist:/.*/
--
3. Added new option "s" for regular expressions. If you defined your regex
like "/viagra|valium|xanax/s", then it'll be running against stripped
html content (html content without html tags). It means all html tags will
be taken out from html content before to run appropriate regular expression.
Of course, it's working for "text/html" only. This option will be ignored in
case of "text/plain" content. Hope it'll be good treatment against such tricks
as "viagra".
Example:
--
[body]
body1:body1:quarantine:/viagra|valium|xanax/is
--
1.6.4b 04/19/03
---------------
1. I've decided do not use native posix regex C-lib calls. I've just tired
to troubleshoot bugs in all these lame native OS regex implementations.
If you expect your sentinel to be stable, please consider to install
and utilize PCRE (Perl-compatible regular expression library) written by
Philip Hazel . It's very stable and fast. Thanks Philip
for his great job! BTW I've got 5 (in certain cases even 10) performance
gain in compare with native solaris regex. But most important thing is
stability. Please read INSTALL for more info how to download PCRE and
compile sentinel. Current makefiles are adapted to utilize PCRE rather
than native regex.
2. Added new "action" "acl" Access Control List. See README for details.
This "action" will allow to define external (outside of sentinel.cf)
lists, which can be utilized either as "white lists" or as "black lists".
It depends of context and final action for "acl". These external lists,
which are regular text files, can consist domains, addresses, banned URL's,
and etc. They can be called either from header or body context.
1.6.3b 02/08/03
---------------
Added new functionality. First of all it's "INCLUDE" directive. See README for
details. Then it's new action "resolv" that's very effective in case of spammer
does not have real name in Inet or tries to fake his host name in smtp "HELO".
For example on your internal layer smtp server, that accepts connections from
external layer relay mx1.mycompany.com, you can define it like below:
--
[headers]
Received:
rcvd2:rcvd2:helo(quarantine):/^from\s+([^ \t]+)\s+\((unknown\s+)?\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+mx[1-3]\.mycompany\.com/i
[actions]
quarantine:quarantine:/var/spool/quarantine/sentinel/%Y%m%d
helo(quarantine):resolv:${1}, ${3}
--
The rules above will quarantine all messages from a host that has IP w/o PTR record
in DNS and faked name in smtp "HELO", i.e. name does not comply with IP.
Currently this feature is restricted to "headers" chapter only, i.e. I don't know
how it could be helpful somewhere else besides "Received" headers. Though I'm
going to add "HELO" handler. Hope in next release. It means this feature will be
available in "helo" chapter and you can use it on external layer relays as well.
1.6.2b 12/08/02
---------------
Fixed the bug that caused ambiguity in case of negative events in event list and
an "accept" action. As a result it might cause "accept" action to be lower priority
than discard/reject. Thanks Ross Bergman for bug report.
1.6.1b 11/23/02
---------------
Further optimization in order to gain better performance.
Especially for heavy loaded "body" rules and massive junk emails.
1.6b 11/02/02
-------------
This release has a new functionality. Now you can define "negative events"
in event lists, like "!some_event". Symbol "!" is a sign of negative event.
For instance the rule below
--
addr2:addr2,!addr1:ordb(rejectordb):/^(\d+)\.(\d+)\.(\d+)\.(\d+)/
--
means "run an action ordb(rejectordb) only if event addr2 is matched and
event addr1 isn't matched". In other words:
--
if (addr2 == true && addr1 == false)
then
run ordb(rejectordb)
endif
--
Multiple negative events are allowed in a list. Like below
--
addr2:addr2,!addr1,!addr3,!addr4:ordb(rejectordb):/^(\d+)\.(\d+)\.(\d+)\.(\d+)/
--
Very simple configuration below is a real sample how "negative events"
could be used to distinguish internal "outbound" and external "inbound"
smtp connections.
--
[global]
tmp:/var/tmp
log:/var/log/sentinel.log
user:smmsp
group:smmsp
max_nofiles:512
max_soconn:30
[hosts]
haddr1:haddr1:null:/^(192\.168\.|172\.16\.|10\.)/
# It does not make any sense to do ordb lookup for internal hosts
haddr2:haddr2,!haddr1:ordb(rejectordb):/^(\d+)\.(\d+)\.(\d+)\.(\d+)/
[actions]
ordb(rejectordb):rbl:${4}.${3}.${2}.${1}.relays.ordb.org.
rejectordb:reject:Rejected according to ORDB Realtime Blackhole List for IP address ${1}.${2}.${3}.${4} (see http://ordb.org/lookup/?host=${1}.${2}.${3}.${4}).
null:null
--
1.5.4b 10/19/02
---------------
Sentinel was fooling by malformed header attributes like below.
--
Content-Type: audio/x-midi;
name=SUNDAY 5TH MAY.doc.scr
--
The problem was with unquoted names that consist whitespaces inside.
It was misleading sentinel to truncate such names to short ones, like "SUNDAY"
for the sample above. Though such headers are against RFC1521, some MUA might
pick the up and run dangerous code. Fixed. Thanks Thomas Sandford for noting
this problem and bringing to my attention.
1.5.3b 10/08/02
---------------
1. Fixed the bug that caused some discard and reject actions to be ignored
for EnvelopeFrom rules in some conditions for alone events.
For example the rule:
EnvelopeFrom: efrom1:efrom1:discard:/opt-in@some\.domain\.com/i
would be ignored at the end of smfi_eoh() call.
Though the rules
EnvelopeFrom: efrom1:efrom1:quarantine(discard):/opt-in@some\.domain\.com/i
or
EnvelopeFrom: efrom1:efrom1,rcvd1:discard:/opt-in@some\.domain\.com/i
were working fine.
1.5.2b 09/20/02
---------------
1. Fixed the bug that caused debug info was writing into syslog instead
of STDOUT in case of sentinel was running without "-d" option and "debug"
parameter was not defined.
2. replaced all strtok() calls to reentrant strtok_r() even for
smfParseConfig().
3. Added explicit message->amask declaration for mlfi_connect().
1.5.1b 07/28/02
---------------
1. This quick release is as my apology for undocumented changes in
"quarantine" action behavior. This version supports formatted
date/time string for directory specification in "quarantine"
action. If you would like to preserve the behavior of 1.5b
version, you'll have to redefine "quarantine" action like below:
quarantine:quarantine:/var/spool/quarantine/%Y%m%d
If you don't, just leave it as it was before.
See more info regarding date/time format in README.
1.5b 07/26/02
-------------
1. Extended debug and log features. Now it's possibly to specify either
file or syslog for both debug and log output. See README for details.
2. Separated debug and log output by new global parameter "debug".
3. Extended "-t" option. New option "-f" allows to specify a file with
a real message inside. Sentinel will simulate all SMFI calls in order
to check/debug your configuration on a real message. See README for
details.
4. Various minor changes for mlfi_connection/mlfi_envfrom/mlfi_envrcpt that
might improve the performance considerably in case of "accept" actions
for connection/envfrom/envrcpt events.
5. Various fixes that make multipart bodies parsing more tolerant to a different
kind of malformed attachments.
6. Added smfi_progress() call for "body" rules. This might be helpful for
a big txt/html messages processing, especially if your "body" set is
big enough. Should help to prevent premature timeouts during long
milter-side operations. See INSTALL for further instructions.
1.4b 07/03/02
-------------
1. Fixed the bug that caused some spam messages with malformed "multipart" bodies
passed through a filter.
2. Fixed the bug in the configuration parser that caused crash in case of
an empty event in first string of header definition.
3. Added more robust debug output for "-v[1-3]" option.
4. Added "-t" option for testing a configuration.
5. Added some perl-like extentions for regular expressions.
See README for details.