Mercurial > dnsbl
annotate xml/dnsbl.in @ 24:2e23b7184d2b
start coding for bad html tag detection
| author | carl |
|---|---|
| date | Wed, 19 May 2004 21:40:50 -0700 |
| parents | b8f5fa3dd5b8 |
| children | 43a4f6b3e668 |
| rev | line source |
|---|---|
| 0 | 1 <html> |
| 2 | |
| 3 <head> | |
| 4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> | |
| 5 <title>DNSBL Sendmail milter</title> | |
| 6 </head> | |
| 7 | |
| 12 | 8 <center>Introduction</center> |
| 0 | 9 <p>This milter is released under the GPL license version 2 included in |
| 10 the LICENSE file in the distribution, and also available at | |
| 11 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a> | |
| 12 | |
| 12 | 13 <p>Consider the case of a mail server that is acting as secondary MX for |
| 14 a collection of clients, each of which has a collection of mail domains. | |
| 15 Each client may use their own collection of DNSBLs on their primary mail | |
| 16 server. We present here a mechanism whereby the backup mail server can | |
| 17 use the correct set of DNSBLs for each recipient for each message. As a | |
| 0 | 18 side-effect, it gives us the ability to customize the set of DNSBLs on a |
| 19 per-recipient basis, so that fred@example.com could use SPEWS and the | |
| 20 SBL, where all other users @example.com use only the SBL. | |
| 21 | |
| 16 | 22 <p>This milter will also decode (base64, mime, html entity) and scan for |
|
19
b8f5fa3dd5b8
fix problems in the state transitions causing impossible states
carl
parents:
16
diff
changeset
|
23 HTTP and HTTPS URLs and bare hostnames in the body of the mail. If any |
|
b8f5fa3dd5b8
fix problems in the state transitions causing impossible states
carl
parents:
16
diff
changeset
|
24 of those host names have A records on the SBL (or a single configurable |
| 24 | 25 list), the mail will be rejected unless previously whitelisted. This |
| 26 milter also counts the number of invalid HTML tags, and can reject mail | |
| 27 if that count exceeds your specified limit. | |
| 11 | 28 |
| 6 | 29 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on |
| 30 startup, and whenever the config file (or any of the referenced include | |
| 31 files) is changed. The entire configuration file is case insensitive. | |
| 0 | 32 |
| 12 | 33 <hr> |
| 34 <center>DCC Issues</center> | |
| 0 | 35 <p>If you are also using the <a |
| 36 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are | |
| 37 a few considerations. You may need to whitelist senders from the DCC | |
| 38 bulk detector, or from the DNS based lists. Those are two very | |
| 39 different reasons for whitelisting. The former is done thru the DCC | |
| 40 whiteclnt config file, the later is done thru the DNSBL milter config | |
| 5 | 41 file. |
| 0 | 42 |
| 43 <p>You may want to blacklist some specific senders or sending domains. | |
| 44 This could be done thru either the DCC (on a global basis, or for a | |
| 45 specific single recipient). We prefer to do such blacklisting via the | |
| 13 | 46 DNSBL milter config, since it can be done for a collection of recipient |
| 47 mail domains. The DCC approach has the feature that you can capture the | |
| 0 | 48 entire message in the DCC log files. The DNSBL milter approach has the |
| 49 feature that the mail is rejected earlier (at RCPT TO time), and the | |
| 50 sending machine just gets a generic "550 5.7.1 no such user" message. | |
| 51 | |
| 5 | 52 <p>There is an option to reference the DCC whiteclnt file (via an |
| 53 include_dcc line) in the DNSBL milter config. This will import the | |
| 54 (env_to, env_from, and substitute mail_host) entries from the DCC config | |
| 55 into the DNSBL config. This allows using the DCC config as the single | |
| 13 | 56 point for white/blacklisting. When used in this manner, the whitelist |
| 57 env_to entries from the DCC config become global whitelist entries in | |
| 58 the DNSBL config. | |
| 5 | 59 |
| 60 <p>Consider the case where you have multiple clients, each with their | |
| 61 own mail servers, and each running their own DCC milters. Each client | |
| 62 is using the DCC facilities for envelope from/to white/blacklisting. | |
| 6 | 63 Presumably you can use rsync or scp to fetch copies of your clients DCC |
| 5 | 64 whiteclnt files on a regular basis. Your mail server, acting as a |
| 65 backup MX for your clients, can use the DNSBL milter, and include those | |
| 66 client DCC config files. The envelope to white/blacklisting will be | |
| 67 global for your system, but the envelope from white/blacklisting will be | |
| 68 appropriately tagged and used only for the domains controlled by each of | |
| 69 those clients. | |
| 70 | |
| 12 | 71 <hr> |
| 72 <center>Definitions</center> | |
| 0 | 73 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix |
| 74 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to | |
| 75 generate the "550 5.7.1" smtp error return code. The names of these | |
| 76 DNSBLs will be used to define the DNSBL-LISTs. | |
| 77 | |
| 78 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
| 79 recipients or recipient domains. | |
| 80 | |
| 81 <p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs) | |
| 82 from envelope-from values to the WHITE, BLACK, or DEFAULT keywords. The | |
| 83 names of these maps will be used for specific recipients or recipient | |
| 84 domains. | |
| 85 | |
| 86 <p>The configuration file maps each recipient (or recipient domain) to | |
| 87 two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP). If the | |
| 88 recipient is not found in the configuration, the named DEFAULT | |
| 89 dnsbl-list and DEFAULT envelope-from-map will be used. When mail is | |
| 90 received for that recipient, | |
| 91 | |
| 92 <ol> | |
| 93 | |
| 94 <li>If the client has authenticated with sendmail, the mail is accepted | |
| 95 and the dns lists are not checked. | |
| 96 | |
| 97 <li>If either one is BLACK, mail to this recipient is rejected with "no | |
| 98 such user", and the dns lists are not checked. | |
| 99 | |
| 100 <li>If the envelope-from-map name is WHITE, mail to this recipient is | |
| 101 accepted and the dns lists are not checked. | |
| 102 | |
| 103 <li>If the envelope-from-map exists, the map is checked for the presence | |
| 104 of the sender. A WHITE or BLACK answer is definitive and the dns lists | |
| 105 are not checked. | |
| 106 | |
| 107 <li>If the dnsbl-list name is WHITE, the dns lists are not checked and | |
| 108 the mail is accepted. Otherwise, the dns lists are checked and the mail | |
| 109 is rejected if any list has an A record for the standard dns based | |
| 110 lookup scheme (reversed octets of the client followed by the dns | |
| 111 suffix). | |
| 112 | |
| 11 | 113 <li>If the mail has not been accepted or rejected yet, the body content |
| 114 is scanned for HTTP URLs (after base64, mime and html entity decoding), | |
| 115 and the first 20 host names are checked for their presence on the SBL. | |
| 116 If any host name is on the SBL, the mail is rejected. | |
| 117 | |
| 0 | 118 </ol> |
| 119 | |
| 12 | 120 <hr> |
| 121 <center>Sendmail access vs. DNSBL</center> | |
| 122 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
| 123 suppressed by entries in the /etc/mail/access database. For example, | |
| 124 suppose you control a /18 of address space, and have allocated some /24s | |
| 125 to some clients. You have access entries like | |
| 0 | 126 |
| 12 | 127 <pre> |
| 128 192.168.4 OK | |
| 129 192.168.17 OK | |
| 130 </pre> | |
| 131 | |
| 132 <p>to allow those clients to smarthost thru your mail server. Now if | |
| 13 | 133 one of those clients happens get infected with a virus that turns a |
| 134 machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, | |
| 135 you will still wind up allowing that infected machine to smarthost thru | |
| 136 your mail servers. | |
| 12 | 137 |
| 138 <p>With this DNSBL milter, the sendmail access database cannot override | |
| 139 the dnsbl checks, so that machine won't be able to send mail to or thru | |
| 15 | 140 your smarthost mail server (unless the virus/proxy can use smtp-auth). |
| 141 | |
| 142 <p>Using the standard sendmail features, you would add access entries to | |
| 143 allow hosts on your local network to relay thru your mail server. Those | |
| 144 OK entries in the sendmail access database will override all the dnsbl | |
| 145 checks. With this DNSBL milter, you will need to have the local users | |
| 146 authenticate with smtp-auth to get the same effect. You might find <a | |
| 147 href="http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssh-how-to.htm"> | |
| 148 these directions</a> helpful for setting up smtp-auth if you are on RH | |
| 149 Linux. | |
| 12 | 150 |
| 13 | 151 <hr> <center>Installation and configuration</center> <p>Usage: Note |
| 152 that this has ONLY been tested on Linux, specifically RedHat Linux. In | |
| 153 particular, this milter makes no attempt to understand IPv6. Your | |
| 154 mileage will vary. You will need at a minimum a C++ compiler with a | |
| 155 minimally thread safe STL implementation. The distribution includes a | |
| 156 test.cpp program. If it fails this milter won't work. If it passes, | |
| 157 this milter might work. | |
| 0 | 158 |
| 159 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> | |
| 160 and | |
| 161 | |
| 162 <pre> | |
| 163 tar xfvz dnsbl.tar.gz | |
| 164 bash install.bash | |
| 165 </pre> | |
| 166 | |
| 167 Read and understand the contents of that install.bash script before you | |
| 168 run it. It may not be suitable for your system. Modify your | |
| 169 sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following | |
| 170 line in your sendmail.mc and rebuild the .cf file | |
| 171 | |
| 172 <pre> | |
| 14 | 173 INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl.sock, F=T, T=C:30s;S:2m;R:2m;E:5m') |
| 0 | 174 </pre> |
| 175 | |
| 176 Read the sample <a | |
| 177 href="http://www.five-ten-sg.com/dnsbl.conf">var/dnsbl/dnsbl.conf</a> | |
| 6 | 178 file and modify it to fit your configuration. You can test your |
| 13 | 179 configuration files, and see a readable internal dump of them on stdout |
| 6 | 180 with |
| 181 | |
| 182 <pre> | |
| 183 cd /var/dnsbl | |
| 184 ./dnsbl -c | |
| 185 </pre> | |
| 186 | |
| 187 <pre> | |
| 0 | 188 |
| 189 | |
| 6 | 190 |
| 2 | 191 $Id$ |
| 4 | 192 </pre> |
| 0 | 193 </body> |
| 194 </html> |