Win32::Exchange::SMTP::Security - Microsoft Exchange SMTP Virtual Server Access Lists
Win32::Exchange::SMTP::Security - Exchange 2000 SMTP Protocol functions (Relays and IP Blocks)
use Win32::Exchange::SMTP::Security;

#server and domain controller names are placeholders; see Bind() below
$exchange_server = "EXCH2";
$dom_controller  = "DC1";

#no offense to the owner of 123.123.123.0 :) just a sample
@addlist = ('123.123.123.0,255.255.255.0',
            '192.168.1.199'
           );
@dellist = ('123.123.123.0,255.255.255.0',
            '192.168.1.199'
           );
@ovrlist = ('123.123.123.123',
           );

$IpSec = Win32::Exchange::SMTP::Security->new() ||
  die " - error creating new object\n";
#the second parameter is the SMTP virtual server instance (1 = the first one)
$IpSec->Bind($exchange_server,1,$dom_controller) ||
  die " - error binding to new object\n";

$IpSec->GetIpRelayList(\%relay) ||
  die " - error connecting to Relay IP list object\n";
print "access to the Relay mail on the SMTP interface is ".$relay{'defaultaction'}."ed by default\n\n";
#denyed is a typo, but oh well
foreach $ip (@{$relay{'iplist'}}) {
  print " $ip\n";
}
$IpSec->IpListManip("add",\@addlist) &&
  print " - hey look, I just added some IPs to the list (Relay)\n";
$IpSec->IpListManip("delete",\@dellist) &&
  print " - hey look, I just deleted some IPs from the list (Relay)\n";
$IpSec->IpListManip("overwrite",\@ovrlist) &&
  print " - hey look, I just overwrote the current list with a new set of IPs (Relay)\n";
$IpSec->IpListManip("reset",[]) &&
  print " - hey look, I just reset the current domain and IP list with a null set of IPs and Domains (Relay)\n";

$IpSec->GetIpSecurityList(\%security) ||
  die " - error connecting to Security IP list object\n";
print "access to the SMTP interface is ".$security{'defaultaction'}."ed by default\n\n";
#denyed is a typo, but oh well
foreach $ip (@{$security{'iplist'}}) {
  print " $ip\n";
}
$IpSec->IpListManip("add",\@addlist) &&
  print " - hey look, I just added some IPs to the list (Security)\n";
$IpSec->IpListManip("delete",\@dellist) &&
  print " - hey look, I just deleted some IPs from the list (Security)\n";
$IpSec->IpListManip("overwrite",\@ovrlist) &&
  print " - hey look, I just overwrote the current list with a new set of IPs (Security)\n";
$IpSec->IpListManip("reset",[]) &&
  print " - hey look, I just reset the current domain and IP list with a null set of IPs and Domains (Security)\n";
Wow, it was sure nice of Microsoft to expose the interface for this. I now have a new way of blocking SPAM!!!
Well, now that I've blocked ~1000 IPs and a few class A, B and C address spaces, I leave it to you to help
protect your organization from those that would consume your valuable bandwidth and piss off your users in the form of
unsolicited e-mail.
This module uses Win32::OLE exclusively (and technically is just a wrapper for the
underlying OLE calls), so feel free to look at them and make a suggestion or two.
Programmatic access to the Exchange 2000 SMTP protocol access restrictions was provided after Exchange Server SP3 as a hotfix,
and should be rolled into SP4 whenever Microsoft decides to release that service pack.
All methods return 0 (or undef) on failure and 1 for success unless otherwise noted.
- $provider = Win32::Exchange::SMTP::Security->new();

The new() class method starts a new instance of an Exchange SMTP Protocol object.
It returns a reference to this object or undef if the creation fails.

  $IpSec = Win32::Exchange::SMTP::Security->new();
- $IpSec->Bind($exchange_server,$instance,[$dom_controller]);

You must bind to the object after creating a new object. I may do away with this and just make it part of the new()
function.
$instance is added since your Exchange server may have additional SMTP interfaces that you want to bind to; 1 is the first
instance.
If you omit the domain controller as the third parameter, the function searches for a close Domain Controller using WMI
to determine the best possible, most up-to-date and well-connected server; if more than one fits these criteria, the first
available is used. This search is performed with Win32::Exchange::FindCloseDC().

  $IpSec->Bind("EXCH2",1,"DC1");  #first and maybe only instance
  $IpSec->Bind("EXCH2",2,"DC1");  #second smtp server
  $IpSec->Bind("EXCH2",2);        #second smtp server, omitting the DC: the function is forced to find a close server
- $IpSec->SetDefaultAction("grant"|"deny");

After calling GetIpSecurityList or GetIpRelayList,
you can set the default action for that list, depending on which security list you have loaded.
Note: If you change this setting (from "grant" to "deny", or vice versa), you effectively wipe out any block/grant
lists that were previously entered. Please be careful.

  $IpSec->GetIpSecurityList() || die " - error connecting to Security list object\n";
  $IpSec->SetDefaultAction("grant");
  $IpSec->GetIpRelayList() || die " - error connecting to Relay list object\n";
  $IpSec->SetDefaultAction("deny");
- [%listresults] = $IpSec->GetIpSecurityList([\%listresults]);

This function loads the Security (Access) list of mail servers that are allowed to talk to this server on port 25.
It also returns the loaded list into a hash for later consumption (maybe as a backup before
you are about to make a drastic change through this module), either through the optional hash reference parameter or as the return value.
- [%listresults] = $IpSec->GetIpRelayList([\%listresults]);

This function loads the Relay (Access) list of mail servers that are allowed to relay mail off of this server into
the object. Please be incredibly careful with this. You typically don't want to allow relaying, because that helps
the spread of unsolicited email, and may lead to your server being blocked by people who don't like the fact that you allow relaying,
sometimes referred to as an "Open Relay". Again, allowing a relay is usually bad.... very bad.
It also returns the loaded list into a hash for later consumption (maybe as a backup before
you are about to make a drastic change through this module), either through the optional hash reference parameter or as the return value.
Internally (inside your firewall), it might be less offensive, but is still something you don't normally need/want to
do. Use your skills (and this module) wisely and help out the internet community by curbing the tide of "open relays".
- [%list] = $IpSec->RetrieveList([\%list]);

This function gets the loaded list of IPs (Relay or Security) into a hash for later consumption (maybe as a backup before
you are about to make a drastic change through this module). This function is called by default when you load either of
the 2 lists that this module supports (Security or Relay),
and must be called after one of these 2 functions or it will fail.
This function either returns the list as the result, like so...

  %list = $IpSec->RetrieveList() or die " - error retrieving the list object\n";

- or -

  $IpSec->RetrieveList(\%list) || die " - error retrieving the list object\n";

  #when the default action is "grant", the entries are the addresses being blocked, and vice versa
  if ($list{'defaultaction'} eq 'grant') {
    print "SMTP Blocks\n";
  } else {
    print "SMTP Grants\n";
  }
  foreach $key (keys %list) {
    if (ref($list{$key}) eq "ARRAY") {
      foreach $entry (@{$list{$key}}) {
        print " $entry\n";
      }
    } else {
      print "$key - $list{$key}\n";
    }
  }
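The SetDefaultAction note above warns that flipping the default action wipes the existing entries, and the GetIp*List and RetrieveList descriptions suggest taking a backup first. The following is an added example of that backup-before-change pattern; it is not part of this module's documentation. It assumes version 0.003 of Win32::Exchange::SMTP::Security, the placeholder names "EXCH2" and "DC1" from the Bind() examples, that RetrieveList() returns a hash containing a 'defaultaction' string and an 'iplist' array reference as shown in the RetrieveList example, and (for the restore helper) the argument order used in the synopsis, which the method reference lists the other way round, so check your installed version before relying on it.

```perl
#!/usr/bin/perl
# Added example, not the module's own code: snapshot both SMTP access lists
# to a re-loadable file, report their state, and flag a Relay list whose
# default action is "grant" (i.e. anyone not listed may relay: an open relay).
use strict;
use warnings;
use Data::Dumper;
use Win32::Exchange::SMTP::Security;   # assumed: v0.003 as documented here

my $server   = "EXCH2";                 # placeholder host name from the docs
my $instance = 1;                       # first SMTP virtual server
my $dc       = "DC1";                   # placeholder DC name from the docs
my $backup   = "smtp_lists_backup.pl";  # Data::Dumper output, load with do()

my $IpSec = Win32::Exchange::SMTP::Security->new()
    or die " - error creating new object\n";
$IpSec->Bind($server, $instance, $dc)
    or die " - error binding to $server instance $instance\n";

# Load each list in turn and keep a copy of what RetrieveList() hands back.
my %snapshot;
for my $kind (qw(Security Relay)) {
    my $loader = "GetIp${kind}List";            # GetIpSecurityList / GetIpRelayList
    $IpSec->$loader() or die " - error loading the $kind list\n";
    my %list = $IpSec->RetrieveList()           # assumed to return the hash itself
        or die " - error retrieving the $kind list\n";
    $snapshot{$kind} = \%list;
}

# Write the snapshot before anything is changed; do() can read it back later.
$Data::Dumper::Sortkeys = 1;
open my $fh, '>', $backup or die "cannot write $backup: $!\n";
print {$fh} Data::Dumper->Dump([\%snapshot], ['snapshot']);
close $fh or die "cannot close $backup: $!\n";
print "saved current Security and Relay lists to $backup\n";

# Report the state of each list and call out the open-relay configuration.
for my $kind (qw(Security Relay)) {
    my $list = $snapshot{$kind};
    my $n = ref $list->{iplist} eq 'ARRAY' ? scalar @{ $list->{iplist} } : 0;
    printf "%-8s default action=%-5s entries=%d\n", $kind, $list->{defaultaction}, $n;
}
if ($snapshot{Relay}{defaultaction} eq 'grant') {
    print "WARNING: Relay default action is 'grant': every host not in the list\n";
    print "         above may relay through $server (open relay).\n";
}

# Restore a saved list: reload the list of that kind, then overwrite its entries
# with the saved ones. Argument order follows the synopsis (action, then list
# reference); the method reference shows the reverse, so verify before use.
sub restore_list {
    my ($kind, $saved) = @_;
    my $loader = "GetIp${kind}List";
    $IpSec->$loader() or return 0;
    return $IpSec->IpListManip("overwrite", $saved->{iplist});
}

# Example of a later rollback (commented out so the script is read-only):
# my $snapshot; do $backup;
# restore_list('Relay', $snapshot->{Relay}) or die "restore failed\n";

$IpSec->Release();
```

Run it once before touching the lists and keep the backup file with the change record; if a SetDefaultAction call or an overwrite goes wrong, the saved 'iplist' array can be fed back through the overwrite action to put the previous entries back.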
- $IpSec->IPListManip(\@list,'add'|'delete'|'overwrite');

This function takes 2 parameters: the first is the list of IPs that you want to modify the SMTP Virtual server with,
and the second is the action you want it to take. This function performs the action on the currently loaded IP list (Relay or Security),
expecting the list to contain IPs or IP ranges.
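The module does not document what it does with a malformed entry, so it is worth checking a list before handing it to the manipulation call. This added example (not part of the module) validates entries against the two shapes the synopsis uses: a single dotted-quad IPv4 address, or an "address,netmask" pair such as '123.123.123.0,255.255.255.0'. The expected format is an assumption taken from the synopsis; the sample entries are constructed. It needs no Exchange server to run.

```perl
#!/usr/bin/perl
# Added example, not the module's own code: validate SMTP access-list entries
# before passing them to IPListManip. Accepted shapes (assumed from the
# synopsis): "a.b.c.d" or "a.b.c.d,m.m.m.m" with a contiguous netmask.
use strict;
use warnings;

# True when $s is four decimal octets, each 0..255.
sub _valid_octets {
    my ($s) = @_;
    return 0 unless $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    for my $o ($1, $2, $3, $4) {
        return 0 if $o > 255;
    }
    return 1;
}

# True when the (already octet-checked) mask is a run of 1 bits then 0 bits.
sub _contiguous_mask {
    my ($mask) = @_;
    my $bits = unpack('B32', pack('C4', split /\./, $mask));
    return $bits =~ /^1*0*$/ ? 1 : 0;
}

# Returns (\@ok, \@bad): entries safe to send on, and rejected entries with a reason.
sub check_entries {
    my (@entries) = @_;
    my (@ok, @bad);
    for my $e (@entries) {
        my @parts = split /,/, $e, -1;
        my ($ip, $mask) = @parts;
        if (@parts > 2) {
            push @bad, "$e: more than one comma";
        }
        elsif (!defined $ip || !_valid_octets($ip)) {
            push @bad, "$e: not a dotted-quad address";
        }
        elsif (defined $mask && !_valid_octets($mask)) {
            push @bad, "$e: netmask is not a dotted quad";
        }
        elsif (defined $mask && !_contiguous_mask($mask)) {
            push @bad, "$e: netmask is not contiguous";
        }
        else {
            push @ok, $e;
        }
    }
    return (\@ok, \@bad);
}

# Constructed sample input: two good entries (as in the synopsis), two bad ones.
my @sample = (
    '123.123.123.0,255.255.255.0',
    '192.168.1.199',
    '10.0.0.300',             # octet out of range
    '10.0.0.0,255.0.255.0',   # non-contiguous mask
);

my ($ok, $bad) = check_entries(@sample);
print "ok:  $_\n" for @$ok;
print "bad: $_\n" for @$bad;

# Only the validated entries should reach the module, e.g.
#   die "refusing to modify the list\n" if @$bad;
#   $IpSec->IpListManip("add", $ok);
```

Rejecting the whole batch when any entry fails is the safer default for an access list: a partial add leaves the server in a state that does not match the change request, which is hard to spot later.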
- $IpSec->DomainListManip(\@list,'add'|'delete'|'overwrite');

This function takes 2 parameters: the first is the list of domain names that you want to modify the SMTP Virtual server with,
and the second is the action you want it to take. This function performs the action on the currently loaded list (Relay or Security),
expecting the list to contain domain names. Microsoft suggests this is not a recommended option, due to slower response times, because Exchange
will need to perform a DNS lookup every time a connection is established to guarantee that the IP does not belong to a blocked domain name.
Consider yourself warned.
- $IpSec->Release();

This function releases your connection to the SMTP Virtual server for your object. After releasing your connection, you will need to perform
a bind to start using this object again.

Known bugs: none currently.
- I would think this goes without saying, but:
- Test this module in a test environment before touching your production environment.
- You need Administrative rights to do most, if not all, of these tasks on the Exchange and AD servers.
- I am not responsible for mistakes in this module or misuse of this code (though I will take criticism, if you can argue that I have done something bad).
- If you find a mistake or bug, please inform me of the mistake or a possible solution you have found.
- The Exchange 2000 client tools are required in order to use this module.
- Service Pack 3 (or greater, if/when released) for Exchange 2000 is required, as well as the hotfix referenced here.
I hope this module helps someone else out there combat SPAM, or is able to help you in some other way.
Thanks for taking the time to read all of this.
I'd like to extend thanks to the following:
- Dave Roth, in part for advice and comments on my code, and then also for finding this hotfix via Google Groups!
- Andy Webb, for his constructive criticism, for brainstorming new functionality to the module, and bug testing my code "while at lunch".
- Jan Dubois jand@activestate.com and Everyone at Activestate for Win32::OLE, without which this module wouldn't be possible.
- Activestate, for having the mailing list archive chock-full-o' source code and answers to questions asked and answered way too many times!
- Microsoft... for exposing the Exchange 2000 SMTP Access List interface, <sarcasm>and for NOT releasing it until after SP3</sarcasm>
Please send questions, comments or suggestions about this module to Steven Manross <steven@manross.net>.
Version 0.003 May 3, 2003
Microsoft, Active Directory, ADSI, Windows, Windows NT, MSDN, and Exchange are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.