milter-regex 3.X GeoIP | Last updated: 2023/5/7
milter-regex 3.X is the successor to Daniel Hartmeier's milter-regex, with GeoIP functions added.
All GeoIP processing is implemented in the milter-regex source code itself, without MaxMind Inc.'s libraries or any other GeoIP library. There is no dependency on libgeoip.
GeoIP data comes from the RIR (Regional Internet Registry) IP address allocation lists: the country code for an address is found by looking it up in those lists. The lists are converted from ASCII format to binary format by the standalone utility program included in the milter-regex package.
Version 3.0 or later: https://github.com/milter-regex
Up to version 2.7: https://www.benzedrine.ch/milter-regex.html
The license is the BSD license, following the original milter-regex.
Under this license, anyone can use it freely, for personal or commercial use.
GitHub https://github.com/milter-regex/milter-regex/releases/tag/3.1
Get IP address allocation lists from the RIR ( Regional Internet Registry ).
$ ftp
ftp> open ftp.afrinic.net
Name: anonymous
Password:
ftp> cd /pub/stats/afrinic
ftp> get delegated-afrinic-latest
ftp> close
ftp> open ftp.apnic.net
Name: anonymous
Password:
ftp> cd /pub/stats/apnic
ftp> get delegated-apnic-latest
ftp> close
ftp> open ftp.arin.net
Name: anonymous
Password:
ftp> cd /pub/stats/arin
ftp> get delegated-arin-extended-latest
ftp> close
ftp> open ftp.lacnic.net
Name: anonymous
Password:
ftp> cd /pub/stats/lacnic
ftp> get delegated-lacnic-latest
ftp> close
ftp> open ftp.ripe.net
Name: anonymous
Password:
ftp> cd /pub/stats/ripencc
ftp> get delegated-ripencc-latest
ftp> close
ftp> quit
Convert the IP address allocation lists from ASCII format to binary format with the standalone utility included in the milter-regex package.
cat delegated-*-latest | grep '|..|ipv[46]|' | sort -t '|' -k 3,4 | /_path_/milter-regex-ip-prep ipv4.dat ipv6.dat
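The lookup these lists make possible, as an added example (not code from the milter-regex package, and not its binary file format): it applies the same filter as the grep above to constructed delegated-format lines and resolves an address to a country code, which is a quick way to check what the RIR data says about an address before writing a `country` rule. The sample records and the names `build_tables` and `country` are assumptions for illustration.

```python
import bisect
import ipaddress
import re

# Constructed sample in RIR "delegated" statistics format:
#   registry|cc|type|start|value|date|status
# For ipv4 "value" is an address count; for ipv6 it is a prefix length.
SAMPLE = """\
2|apnic|20230507|3|19830613|20230505|+1000
apnic|*|ipv4|*|2|summary
apnic|JP|ipv4|192.0.2.0|128|20100101|allocated
ripencc|DE|ipv4|192.0.2.128|128|20100101|assigned
arin||ipv4|198.51.100.0|256||available
apnic|JP|ipv6|2001:db8::|33|20100101|allocated
lacnic|BR|ipv6|2001:db8:8000::|33|20100101|allocated
"""

# Same filter as the page's grep '|..|ipv[46]|': two-character cc, ipv4/ipv6 only.
RECORD = re.compile(r"\|(..)\|(ipv[46])\|")

def build_tables(text):
    """Return {4: [(first, last, cc)], 6: [...]} sorted by first address."""
    tables = {4: [], 6: []}
    for line in text.splitlines():
        if not RECORD.search(line):
            continue  # header, summary, or unallocated (empty cc) line
        _, cc, kind, start, value = line.split("|")[:5]
        first = int(ipaddress.ip_address(start))
        if kind == "ipv4":
            last = first + int(value) - 1  # count, not always a power of two
            tables[4].append((first, last, cc))
        else:
            last = first + (1 << (128 - int(value))) - 1  # prefix length
            tables[6].append((first, last, cc))
    for t in tables.values():
        t.sort()
    return tables

def country(tables, addr):
    """Return the two-letter code for addr, or None if no range covers it."""
    ip = ipaddress.ip_address(addr)
    table = tables[ip.version]
    i = bisect.bisect_right(table, (int(ip), float("inf"), "")) - 1
    if i >= 0 and table[i][0] <= int(ip) <= table[i][1]:
        return table[i][2]
    return None

if __name__ == "__main__":
    t = build_tables(SAMPLE)
    print(country(t, "192.0.2.200"), country(t, "2001:db8::25"))
```

Addresses that fall in no delegated range return None, so a rule keyed on country codes should be written with that case in mind.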
To use GeoIP, first set the keywords ipv4file, ipv6file, geoipCashMax and geoipCashKeep, then set the allow rules for the local network, and then set the block conditions.
####################################################################################################
#####
#####   00-settings.conf
#####
####################################################################################################

# ipv4file, ipv6file
#
#   Before using the keyword 'country', both of these keywords must be specified.
#
#   Get RIR allocation data
#
#   (1) Download IP address allocation lists from the RIR ( Regional Internet Registry )
#       ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
#       ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
#       ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
#       ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
#       ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
#
#   (2) Convert IP address allocation lists from ASCII format to binary format
#       cat delegated-*-latest | grep '|..|ipv[46]|' | sort -t '|' -k 3,4 | /usr/local/sbin/milter-regex-ip-prep ipv4.dat ipv6.dat
#
#   Maximum path length is 1023 characters.
#
ipv4file "/var/lib/milter-regex/ipv4.dat"
ipv6file "/var/lib/milter-regex/ipv6.dat"

# geoipCashMax
#
#   Default 100K ( Minimum size )
#   Unit    None: Byte | k/K: KByte | m/M: MByte
#
geoipCashMax 2M

# geoipCashKeep
#
#   Default 7D
#   Unit    None: Second | h/H: Hour | d/D: Day
#
geoipCashKeep 10D

####################################################################################################
#####
#####   10-passlist.conf
#####
####################################################################################################

accept

# Loopback and Local network
connect // /^127\./
connect // /^10\./
connect // /^169\.254\./
connect // /^172\.(1[6-9]|2[0-9]|3[0-1])\./e
connect // /^192\.168\./
connect // /^::1$/
connect // /^fd/
connect // /^fe80:/

# Local network ( Global IP address )
connect // /^192\.0\.2\./
connect // /^2001:db8:/

####################################################################################################
#####
#####   21-blocklist.conf ( GeoIP sample rules )
#####
####################################################################################################

reject "Refused connection by site policy."

# Email is not sent from the country
country /(XX|XY|XZ)/e and envfrom /[.@]example\.com>$/
country /JP/n and connect /\.jp$/n // and envfrom /[.@]example\.jp>$/

####################################################################################################
#####
#####   22-blockhelo.conf
#####
####################################################################################################

# Not client host name
reject "Refused connection by site policy. ( Malformed HELO )"
helo /^foobar\.example\.jp$/i and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n
helo /^\[*192\.0\.2\.1\]*$/ and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n
helo /^\[*2001:db8::1\]*$/ and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n
helo /^localhost$/i and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n
helo /^\[*127\.0\.0\.1\]*$/ and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n
helo /^\[*::1\]*$/ and connect // /^127\.0\.0\.1$/n and connect // /^192\.0\.2\.1$/n and connect // /^::1$/n and connect // /^2001:db8::1$/n

# Only dot
reject "Refused connection by site policy. ( Invalid HELO )"
helo /^\.$/

# Nonexistent TLD
reject "Refused connection by site policy. ( Nonexistent TLD )"
helo /\.domain$/
helo /\.local$/
helo /\.localdomain$/

# Reserved domain
reject "Refused connection by site policy. ( Reserved domain )"
helo /^(.+\.)?example\.[^.]+$/ei

# Maybe spam or scan
reject "Refused connection by site policy."
helo /^User$/i
helo /^ylmf-pc$/i
helo /^info-api\.ru$/i
helo /^dc3-dc1$/i
helo /^masscan$/i
helo /^gerg$/i
helo /^admin$/i
helo /^scanner\.sslsonar\.org$/