<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>DNSBL Sendmail milter</title>
</head>
<body>

<center>Introduction</center>
<p>This milter is released under the GPL license version 2 included in
the LICENSE file in the distribution, and also available at
<a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>

<p>Consider the case of a mail server that is acting as secondary MX for
a collection of clients, each of which has a collection of mail domains.
Each client may use their own collection of DNSBLs on their primary mail
server. We present here a mechanism whereby the backup mail server can
use the correct set of DNSBLs for each recipient for each message. As a
side-effect, it gives us the ability to customize the set of DNSBLs on a
per-recipient basis, so that fred@example.com could use SPEWS and the
SBL, where all other users @example.com use only the SBL.

<p>This milter will also decode (base64, mime, html entity) and scan for
HTTP URLs and bare hostnames in the body of the mail. If any of those
host names have A records on the SBL (or a single configurable list),
the mail will be rejected unless previously whitelisted.

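<p>The body decoding and host-name scan described above, as an added example that is not the milter's own code. It assumes the MIME parts are already split out, scans only HTTP URLs (bare host names are not shown), and uses a constructed set of listed names in place of real SBL lookups:

```python
# Added example, not the milter's own code: decodes a mail body the way
# the text describes (base64, then HTML entities), pulls host names out of
# HTTP URLs, and checks at most the first 20 of them against a list.
# The "listed" set stands in for real SBL lookups (constructed data).
import base64
import html
import re

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def decode_body(payload: bytes, base64_encoded: bool) -> str:
    """Undo the transfer encoding, then HTML entity encoding, before scanning.
    Entity-encoded dots such as &#46; would otherwise hide a host name."""
    raw = base64.b64decode(payload) if base64_encoded else payload
    return html.unescape(raw.decode("latin-1"))

def extract_hosts(text: str, limit: int = 20) -> list:
    """First `limit` distinct host names found in HTTP URLs, in order of appearance."""
    hosts = []
    for match in URL_HOST.finditer(text):
        host = match.group(1).lower().strip(".")
        if host and host not in hosts:
            hosts.append(host)
        if len(hosts) == limit:
            break
    return hosts

def scan_body(parts, listed: set):
    """parts: iterable of (payload, is_base64). Returns the first listed host, else None."""
    text = "".join(decode_body(p, b64) for p, b64 in parts)
    for host in extract_hosts(text):
        if host in listed:
            return host
    return None

# Constructed sample: one plain part with entity-encoded dots, one base64 part.
PLAIN = b'<a href="http://www&#46;evil-example&#46;test/buy">click</a>'
B64 = base64.b64encode(b"Visit HTTP://Another.Example.Test/ now")
LISTED = {"www.evil-example.test"}
```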
<p>The DNSBL milter reads a text configuration file (dnsbl.conf) on
startup, and whenever the config file (or any of the referenced include
files) is changed. The entire configuration file is case insensitive.

<hr>
<center>DCC Issues</center>
<p>If you are also using the <a
href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
a few considerations. You may need to whitelist senders from the DCC
bulk detector, or from the DNS based lists. Those are two very
different reasons for whitelisting. The former is done thru the DCC
whiteclnt config file, the latter is done thru the DNSBL milter config
file.

<p>You may want to blacklist some specific senders or sending domains.
This could be done thru the DCC (on a global basis, or for a
specific single recipient). We prefer to do such blacklisting via the
DNSBL milter config, since it can be done for a collection of recipient
mail domains. The DCC approach has the feature that you can capture the
entire message in the DCC log files. The DNSBL milter approach has the
feature that the mail is rejected earlier (at RCPT TO time), and the
sending machine just gets a generic "550 5.7.1 no such user" message.

<p>There is an option to reference the DCC whiteclnt file (via an
include_dcc line) in the DNSBL milter config. This will import the
(env_to, env_from, and substitute mail_host) entries from the DCC config
into the DNSBL config. This allows using the DCC config as the single
point for white/blacklisting. When used in this manner, the whitelist
env_to entries from the DCC config become global whitelist entries in
the DNSBL config.

<p>Consider the case where you have multiple clients, each with their
own mail servers, and each running their own DCC milters. Each client
is using the DCC facilities for envelope from/to white/blacklisting.
Presumably you can use rsync or scp to fetch copies of your clients' DCC
whiteclnt files on a regular basis. Your mail server, acting as a
backup MX for your clients, can use the DNSBL milter, and include those
client DCC config files. The envelope to white/blacklisting will be
global for your system, but the envelope from white/blacklisting will be
appropriately tagged and used only for the domains controlled by each of
those clients.

<hr>
<center>Definitions</center>
<p>DNSBL - a named DNS based blocking list is defined by a dns suffix
(e.g. sbl-xbl.spamhaus.org) and a message string that is used to
generate the "550 5.7.1" smtp error return code. The names of these
DNSBLs will be used to define the DNSBL-LISTs.

<p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
recipients or recipient domains.

<p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs)
from envelope-from values to the WHITE, BLACK, or DEFAULT keywords. The
names of these maps will be used for specific recipients or recipient
domains.

<p>The configuration file maps each recipient (or recipient domain) to
two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP). If the
recipient is not found in the configuration, the named DEFAULT
dnsbl-list and DEFAULT envelope-from-map will be used. When mail is
received for that recipient,

<ol>

<li>If the client has authenticated with sendmail, the mail is accepted
and the dns lists are not checked.

<li>If either one is BLACK, mail to this recipient is rejected with "no
such user", and the dns lists are not checked.

<li>If the envelope-from-map name is WHITE, mail to this recipient is
accepted and the dns lists are not checked.

<li>If the envelope-from-map exists, the map is checked for the presence
of the sender. A WHITE or BLACK answer is definitive and the dns lists
are not checked.

<li>If the dnsbl-list name is WHITE, the dns lists are not checked and
the mail is accepted. Otherwise, the dns lists are checked and the mail
is rejected if any list has an A record for the standard dns based
lookup scheme (reversed octets of the client followed by the dns
suffix).

<li>If the mail has not been accepted or rejected yet, the body content
is scanned for HTTP URLs (after base64, mime and html entity decoding),
and the first 20 host names are checked for their presence on the SBL.
If any host name is on the SBL, the mail is rejected.

</ol>

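<p>The per-recipient decision order above, as an added example that is not the milter's own code. The configuration layout, the DEFAULT pair, and the in-memory resolver set standing in for DNS A-record lookups are assumptions made for the example; the body scan of the last step is left out:

```python
# Added example, not the milter's own code: models the decision order
# listed above for one recipient. DNSBL answers come from a constructed
# "resolver" set of names that would return an A record, instead of DNS.
import ipaddress

ACCEPT, NO_SUCH_USER = "accept", "reject:550 5.7.1 no such user"

def dnsbl_query_name(client_ip: str, suffix: str) -> str:
    """Standard lookup scheme: reversed octets of the client, then the DNSBL suffix."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix

def names_for(config: dict, rcpt: str) -> tuple:
    """(dnsbl-list name, envelope-from-map name) for the recipient, its domain,
    or the DEFAULT pair. The config is case insensitive, hence the lower()."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    return config["recipients"].get(rcpt) or config["recipients"].get(domain) or config["default"]

def decide(config, resolver, rcpt, env_from, client_ip, authenticated=False):
    if authenticated:                               # 1. smtp-auth bypasses all lists
        return ACCEPT
    list_name, map_name = names_for(config, rcpt)
    if "BLACK" in (list_name, map_name):            # 2. either name BLACK
        return NO_SUCH_USER
    if map_name == "WHITE":                         # 3. map name WHITE
        return ACCEPT
    verdict = config["maps"].get(map_name, {}).get(env_from.lower(), "DEFAULT")
    if verdict == "WHITE":                          # 4. sender found in the map
        return ACCEPT
    if verdict == "BLACK":
        return NO_SUCH_USER
    if list_name == "WHITE":                        # 5. list name WHITE
        return ACCEPT
    for dnsbl in config["lists"][list_name]:        # 5. query each DNSBL in the list
        if dnsbl_query_name(client_ip, config["dnsbls"][dnsbl]["suffix"]) in resolver:
            return "reject:" + config["dnsbls"][dnsbl]["message"]
    return ACCEPT                                   # 6. body scan would follow here

# Constructed configuration (names and suffixes are made up, not real DNSBLs).
CONFIG = {
    "dnsbls": {"sbl": {"suffix": "sbl.example.test", "message": "listed on sbl"},
               "spews": {"suffix": "spews.example.test", "message": "listed on spews"}},
    "lists": {"both": ["sbl", "spews"], "sbl_only": ["sbl"]},
    "maps": {"m1": {"friend@partner.example": "WHITE", "spammer@bad.example": "BLACK"}},
    "recipients": {"fred@example.com": ("both", "m1"), "example.com": ("sbl_only", "m1")},
    "default": ("sbl_only", "DEFAULT"),
}
RESOLVER = {"45.4.168.192.spews.example.test"}      # 192.168.4.45 is listed on spews only
```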
<hr>
<center>Sendmail access vs. DNSBL</center>
<p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
suppressed by entries in the /etc/mail/access database. For example,
suppose you control a /18 of address space, and have allocated some /24s
to some clients. You have access entries like

<pre>
192.168.4 OK
192.168.17 OK
</pre>

<p>to allow those clients to smarthost thru your mail server. Now if
one of those clients happens to get infected with a virus that turns a
machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL,
you will still wind up allowing that infected machine to smarthost thru
your mail servers.

<p>With this DNSBL milter, the sendmail access database cannot override
the dnsbl checks, so that machine won't be able to send mail to or thru
your smarthost mail server (unless the virus/proxy can use smtp-auth).

<p>Using the standard sendmail features, you would add access entries to
allow hosts on your local network to relay thru your mail server. Those
OK entries in the sendmail access database will override all the dnsbl
checks. With this DNSBL milter, you will need to have the local users
authenticate with smtp-auth to get the same effect. You might find <a
href="http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssh-how-to.htm">
these directions</a> helpful for setting up smtp-auth if you are on RH
Linux.

<hr>
<center>Installation and configuration</center>
<p>Usage: Note that this has ONLY been tested on Linux, specifically
RedHat Linux. In particular, this milter makes no attempt to understand
IPv6. Your mileage will vary. You will need at a minimum a C++ compiler
with a minimally thread safe STL implementation. The distribution
includes a test.cpp program. If it fails, this milter won't work. If it
passes, this milter might work.

Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
and

<pre>
tar xfvz dnsbl.tar.gz
bash install.bash
</pre>

Read and understand the contents of that install.bash script before you
run it. It may not be suitable for your system. Modify your
sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
line to your sendmail.mc, and rebuild the .cf file

<pre>
INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl.sock, F=T, T=C:30s;S:2m;R:2m;E:5m')
</pre>

Read the sample <a
href="http://www.five-ten-sg.com/dnsbl.conf">var/dnsbl/dnsbl.conf</a>
file and modify it to fit your configuration. You can test your
configuration files, and see a readable internal dump of them on stdout
with

<pre>
cd /var/dnsbl
./dnsbl -c
</pre>

</body>
</html>