#!/bin/sh

# Strict mode: stop at the first failing command (-e) and treat any
# reference to an unset variable as an error (-u).
set -eu
#set -o pipefail
#set -o xtrace

#CHANGELOG
#0.10	Initial version
#0.20	cleanups
#0.30	no backups
#0.40	check for BOGON_CUR before compare
#0.50	rewrite for SOE4.2 with IPv6 support

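# Live Postfix CIDR table that is replaced when the generated list differs.
POSTFIX_DIR='/etc/postfix/local'
BOGON_CUR="${POSTFIX_DIR}/mx_access"
# Name of the freshly generated table; it is written relative to the
# temporary download directory the script changes into.
BOGON_NEW='bogon_new'

# http://www.team-cymru.org/bogon-reference-http.html
# Every downloaded line becomes a REJECT rule in the MTA, so the feed is
# fetched over TLS: with plain HTTP anyone on the network path could add or
# remove prefixes and thereby decide which mail this host refuses.
# NOTE(review): confirm wget on this host has a usable CA bundle.
BOGON_BASE_URL='https://www.team-cymru.org/Services/Bogons/'
#BOGON_FILE_IPV4='fullbogons-ipv4.txt'
#BOGON_FILE_IPV6='fullbogons-ipv6.txt'
# File name = BOGON_FILE_BASE + address family digit (4 or 6) + BOGON_FILE_EXT.
BOGON_FILE_BASE='fullbogons-ipv'
BOGON_FILE_EXT='.txt'

# Exclusive upper bound, in seconds, of the random start delay used under cron.
DELAY_RANDOM_MAX=240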

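# delay only when running under CRON (detected by MAILTO being set, even if empty)
if [ -n "${MAILTO+xxx}" ]; then
	# $RANDOM is a bash/ksh extension and is not provided by every /bin/sh;
	# where it is missing the delay is never random, or the expansion fails
	# under nounset. Read two bytes from the kernel RNG instead, which also
	# keeps hosts that start in the same second from picking the same delay.
	DELAY=$(( $(od -An -N2 -tu2 /dev/urandom) % DELAY_RANDOM_MAX ))
	echo "desynchronization adjustment of $DELAY second(s)"
	sleep "$DELAY"
fi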

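# NOTE(review): syscheck is a site-local tool; this presumably takes a lock
# named "bogon-update" with a limit of 300 -- confirm the unit and semantics.
syscheck restrict bogon-update 300

# errexit stops the script at the first failing command (a failed download
# is the likely case), which would skip the cleanup at the end of the file
# and leave both the lock and the scratch directory behind. The EXIT trap
# below tidies up on a non-zero exit only; a successful run is still cleaned
# up by the regular statements at the end of the script.
BOGON_DL_DIR=''
bogon_abort_cleanup() {
	if [ "$1" -ne 0 ]; then
		cd /
		[ -z "$BOGON_DL_DIR" ] || rm --force --recursive -- "$BOGON_DL_DIR"
		# best effort: the lock may already have been released
		syscheck release bogon-update || :
	fi
}
trap 'bogon_abort_cleanup "$?"' EXIT

# obtain bogon text files for both address families
BOGON_DL_DIR=$(mktemp --directory)
cd "$BOGON_DL_DIR"
for AF in 4 6; do
	wget "${BOGON_BASE_URL}${BOGON_FILE_BASE}${AF}${BOGON_FILE_EXT}"
done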

# Start the new table with three comment lines: the source name, the feed
# URL, and a warning naming this script as the owner of the file. This
# truncates any previous content of $BOGON_NEW.
printf '# %s\n' \
	'Team Cymru Bogon Reference' \
	"$BOGON_BASE_URL" \
	"DO NOT MODIFY -- automatically updated via $0" > "$BOGON_NEW"

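# http://www.postfix.org/cidr_table.5.html
# 192.168.0.0/16	REJECT
# 2001:db8::/32		REJECT
#
# The downloaded lists are network input that ends up as MTA access rules,
# so each line is checked before it is written:
#   - blank lines and '#' comments are skipped;
#   - anything containing characters other than hex digits, '.', ':' and '/'
#     (an HTML error page, for example) aborts the run, so the table that is
#     currently installed stays in place;
#   - a list with no entries at all also aborts, because installing it would
#     silently drop the filtering for that address family.
# NOTE(review): this is a character-class check only; it does not bound the
# prefix length, so an over-broad prefix in the feed would still be accepted.
for AF in 4 6; do
	echo "IPv$AF bogon conversion"
	BOGON_COUNT=0
	# -r keeps backslashes literal; the || clause keeps a final line that
	# lacks a trailing newline.
	while read -r IP_BLOCK || [ -n "$IP_BLOCK" ]; do
		case "$IP_BLOCK" in
			'' | '#'*)
				# blank line or source comment
				continue
				;;
			*[!0-9A-Fa-f.:/]*)
				printf 'unexpected IPv%s bogon entry, aborting: %s\n' "$AF" "$IP_BLOCK" >&2
				exit 1
				;;
		esac
		printf '%s\tREJECT domain MX in IPv%s bogon range %s\n' \
			"$IP_BLOCK" "$AF" "$IP_BLOCK" >> "$BOGON_NEW"
		BOGON_COUNT=$(( BOGON_COUNT + 1 ))
	done < "${BOGON_FILE_BASE}${AF}${BOGON_FILE_EXT}"
	if [ "$BOGON_COUNT" -eq 0 ]; then
		printf 'IPv%s bogon list contained no entries, aborting\n' "$AF" >&2
		exit 1
	fi
done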

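# Install the new table only when it differs from the current one (cmp also
# returns non-zero when $BOGON_CUR does not exist yet).
if ! cmp --silent "$BOGON_NEW" "$BOGON_CUR"
then
	# $BOGON_NEW lives in the mktemp directory, which may be on a different
	# filesystem than $POSTFIX_DIR; mv would then copy the data into place
	# and a Postfix process starting meanwhile could read a partial table.
	# Stage the file next to its destination so the final mv is a rename
	# within one directory.
	BOGON_STAGE=$(mktemp "${BOGON_CUR}.XXXXXX")
	if cp "$BOGON_NEW" "$BOGON_STAGE" && chmod 444 "$BOGON_STAGE"; then
		mv --verbose "$BOGON_STAGE" "$BOGON_CUR"
	else
		# do not leave a half-written staging file in the Postfix directory
		rm --force -- "$BOGON_STAGE"
		exit 1
	fi
	postfix reload
fi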

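# Leave the scratch directory before deleting it.
cd /
# Quoted, with '--' and ':?': the recursive delete refuses to run if the
# variable is empty or unset, and the path cannot be split into several
# words or read as an option.
rm --force --recursive -- "${BOGON_DL_DIR:?}"

# NOTE(review): presumably releases the lock taken by "syscheck restrict
# bogon-update" earlier in the script -- confirm against syscheck.
syscheck release bogon-update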

# vim: cindent:shiftwidth=4:tabstop=4:smarttab:textwidth=100
