Topic: How to White List an email address that is blocked by the country code list

[ghorst352]

I currently use SME Server 7.5.1 for our email server at our company and I want to know if there is a way to white list an email address if that address also originates from a country that is being block via the country code list?  I currently have all countries blocked besides Canada an US since all of our email is pretty much locale however I would like to know if there is a white list or some other mechanism that will get scanned first before the country code list since as I understand it the country code list is one of the first things to be scanned.    PS to anybody who replies with the 'obvious' reply which is the email has a wbl, of course it does but does not apply in reference to the country code list.  I have tried that and it does not work in reference to blocked countries.

Thanks. 

[Jáder]

So maybe you should start to search for a way to change order of evaluation: bring WBL (whitelist) first than country code.
I'm not sure what SME uses (qpsmtpd / spamassassin?) for that but I'm sure it's GPL and source code is inside your server. Maybe just changing order for two lines... and you get it done! Think about it... maybe play with it on a virtual machine.
Looks like a lovely Easter holidays project!

[ghorst352]

I'm not sure what your asking?  I have absolutely no clue on how to switch the country code scan to be second or after the wbl, LOL, thats why I started the thread???  I was hoping somebody from SME could lend a helping hand.   

[Jáder]

Ok... so... let me ask you: You feel intrepid today?

This is JUST A GUESS... you should backup ANY file before change it... and if it works, maybe you need to change templates.

Code: [Select]

cd /etc/qpsmtpd
cp plugins plugins.original
vi plugins

now find the GeoIP plugin line and put after the whitelist plugin line

I'm not sure about their names, but if you send me your plugins file (jader.marasca -- gmail) I'll try to help you.

BTW: This is something to do JUST AFTER BE SURE you have a backup... your e-mail system can be broken! Do not save ANY changes till you're sure what you did!

[janet]

bhay3s
(jader should/would know this)

The better way to experiment when unsure what you are doing, is to setup a test server.
Any old hardware will do, or take your main server offline for a little while, swap the hard disk(s) for a single test drive and then install sme OS as a test sytem.
Experiment to your hearts content, for if you ruin the test server it's OK, it's just a test machine. No interruption to the production system.

You could also install a virtual machine (for test purposes) if you have that knowledge.

When you have sorted out the correct changes to make, then try it on the production system, and ALWAYS make a backup first.
It's a good idea to also prove that your whole backup & restore routine works fully by restoring the backup to another test server.
When you have proven that your backup & restore procedures are good, then you can safely make experimental changes to a production server.

[ghorst352]

I appreciate the help but I am not interested that much in beta testing an option to hack the system.   I would think from a development standpoint that somebody from sme server or the plugins dpt etc would be interested in a real life issue that probably alot of admins such as my self would like to see as an option perhaps in the future.  I am way too busy running my network to sit here and beta test.  Easiest solution for right now is just to have the person in Germany forward the email to a company gmail account that has a forwarding rule -> to the internal email address.  Thanks for the help anyways

[Jáder]

I'm curious...and I have spare time... so could you send me that file ?
I do not have GeoIP enabled... neither how to test if I enable it.

The file is /etc/qpsmtpd/plugins

thank you.

Jáder

[piran]

J.
You need to look for badcountries, GeoIP is the overall name.
The (non) issue is that badcountries comes first (for very good reasons).
Also the WBL comes last (for other reasons not least the simple alphabet).
Putting badcountries last (ie after WBL) makes little sense.
Broad brushing nuking an entire country code and then expecting
an exceptionally delicate discriminator to let through a single email
address somewhat beggars belief. Good luck;-)

[Jáder]

In my believe WHITE should prevails... allways, just because this is where you put exceptions, just like this user would like.
Note I'm saying "WHITE list should prevail"...not WBL... just the WHITE list.

[piran]

I can see this both ways. Make it so J.
Your way might be a lot of work... you wanted an Easter job;-)
Got to go, sorry, my SME is being hassled by droids:-|

[ghorst352]

Actually I think I just came up w/ a solution.  Help me on this.  If I was to re-enable the country code as in this case Germany and then ban all email from Germany w/ the WBL using *.gr for example and then whitelist the client in Germany.  I think this is the ticket.  *pats on back.

[Jáder]

Actually I think I just came up w/ a solution.  Help me on this.  If I was to re-enable the country code as in this case Germany and then ban all email from Germany w/ the WBL using *.gr for example and then whitelist the client in Germany.  I think this is the ticket.  *pats on back.

I think this should work... WHITE prevails over BLACK for same plugin (WBL in this case).
BUT The solutions are not the same ...as far I know blockedcountries (GeoIP) do not watch for domain extension to block.
It does a search in a database and do not just read URL.
I'm in Brazil but I have a domain .net


 

[mmccarn]

I don't think that simply changing the order of plugin invocation will have any effect - qpsmtpd is (as I understand it) designed to run multiple checks simultaneously -- if *any* check returns 'DENY', the message is denied.

To use the geoip plugin and allow whitelisting of senders or recipients, you'll have to customize the plugin included in the rpm - /usr/share/qpsmtpd/plugins/check_badcountries

A couple notes:
1) The wiki page includes instructions for downloading and installing an outdated version of the rpm.
2) The plugin itself says that a potential problem is that *all* email from any country included in BadCountries will be denied without warning.

The wiki gives this instruction for installing smeserver-geoip:
cd
wget http://bugs.contribs.org/attachment.cgi?id=1149 -O smeserver-geoip-1.0.0-b1.noarch.rpm

I decided that this looked more appropriate:
cd
wget http://bugs.contribs.org/attachment.cgi?id=2416 -O smeserver-geoip-1.0.0-04.noarch.rpm

Both attachments are attached to this bug:
http://bugs.contribs.org/show_bug.cgi?id=1866

The bug includes a 'source rpm', so you could update the plugin and add this to smecontribs...

As an example, the 'check_earlytalker' plugin honors whitelist requests using this code:
    return DECLINED if ($self->qp->connection->notes('whitelisthost'));

[piran]

Actually I think I just came up w/ a solution.  Help me on this.  If I was to re-enable the country code as in this case Germany and then ban all email from Germany w/ the WBL using *.gr for example and then whitelist the client in Germany.  I think this is the ticket.  *pats on back.

HEED mary ...TEST!
WBL does not use wild cards.

[kruhm]

The bug includes a 'source rpm', so you could update the plugin and add this to smecontribs...

Thanks for the notes, mmccarn. This situation is exactly why I included the SRPM I created in the bug; so people could adjust it when they needed.

====
-updated wiki to the newest rpm.

Thanks,
kruhm