Mercurial > dnsbl
annotate xml/dnsbl.in @ 246:8b0f16abee53 stable-6-0-28
Add prvs decoding to envelope addresses
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Fri, 30 Sep 2011 15:29:07 -0700 |
parents | 5c3e9bf45bb5 |
children | 15bf4f68a0b2 |
rev | line source |
---|---|
108 | 1 <reference> |
2 <title>@PACKAGE@ Sendmail milter - Version @VERSION@</title> | |
3 <partintro> | |
4 <title>Packages</title> | |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
5 |
108 | 6 <para>The various source and binary packages are available at <ulink |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
7 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>. |
108 | 8 The most recent documentation is available at <ulink |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
9 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>. |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
10 </para> |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
11 |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
12 <para>A <ulink |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
13 url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
14 code repository for this project is available at <ulink |
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
15 url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>. |
108 | 16 </para> |
94 | 17 |
108 | 18 </partintro> |
94 | 19 |
108 | 20 <refentry id="@PACKAGE@.1"> |
21 <refentryinfo> | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
22 <date>2009-05-25</date> |
108 | 23 </refentryinfo> |
94 | 24 |
108 | 25 <refmeta> |
26 <refentrytitle>@PACKAGE@</refentrytitle> | |
27 <manvolnum>1</manvolnum> | |
28 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
29 </refmeta> | |
30 | |
31 <refnamediv id='name.1'> | |
32 <refname>@PACKAGE@</refname> | |
33 <refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose> | |
34 </refnamediv> | |
94 | 35 |
108 | 36 <refsynopsisdiv id='synopsis.1'> |
37 <title>Synopsis</title> | |
38 <cmdsynopsis> | |
39 <command>@PACKAGE@</command> | |
40 <arg><option>-c</option></arg> | |
41 <arg><option>-s</option></arg> | |
42 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg> | |
43 <arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg> | |
179 | 44 <arg><option>-b <replaceable class="parameter">local-domain-socket</replaceable></option></arg> |
108 | 45 <arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg> |
46 <arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg> | |
47 <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> | |
48 </cmdsynopsis> | |
49 </refsynopsisdiv> | |
94 | 50 |
108 | 51 <refsect1 id='options.1'> |
52 <title>Options</title> | |
53 <variablelist> | |
54 <varlistentry> | |
55 <term>-c</term> | |
111 | 56 <listitem><para> |
57 Load the configuration file, print a cannonical form | |
58 of the configuration on stdout, and exit. | |
59 </para></listitem> | |
108 | 60 </varlistentry> |
61 <varlistentry> | |
62 <term>-s</term> | |
111 | 63 <listitem><para> |
64 Stress test the configuration loading code by repeating | |
65 the load/free cycle in an infinite loop. | |
66 </para></listitem> | |
108 | 67 </varlistentry> |
68 <varlistentry> | |
69 <term>-d <replaceable class="parameter">n</replaceable></term> | |
111 | 70 <listitem><para> |
71 Set the debug level to <replaceable class="parameter">n</replaceable>. | |
72 </para></listitem> | |
108 | 73 </varlistentry> |
74 <varlistentry> | |
75 <term>-e <replaceable class="parameter">from|to</replaceable></term> | |
111 | 76 <listitem><para> |
77 Print the results of looking up the from and to addresses in the | |
78 current configuration. The | character is used to separate the from and to | |
79 addresses in the argument to the -e switch. | |
80 </para></listitem> | |
108 | 81 </varlistentry> |
82 <varlistentry> | |
179 | 83 <term>-b <replaceable class="parameter">local-domain-socket-file-name</replaceable></term> |
84 <listitem><para> | |
85 Set the local socket used for the connection to the dccifd daemon. | |
86 This is typically /var/dcc/dccifd. | |
87 </para></listitem> | |
88 </varlistentry> | |
89 <varlistentry> | |
90 <term>-r <replaceable class="parameter">local-domain-socket-file-name</replaceable></term> | |
111 | 91 <listitem><para> |
92 Set the local socket used for the connection to our own dns resolver processes. | |
93 </para></listitem> | |
108 | 94 </varlistentry> |
95 <varlistentry> | |
96 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term> | |
111 | 97 <listitem><para> |
98 Set the socket used for the milter connection to sendmail. This is either | |
99 "inet:port@ip-address" or "local:local-domain-socket-file-name". | |
100 </para></listitem> | |
108 | 101 </varlistentry> |
102 <varlistentry> | |
103 <term>-t <replaceable class="parameter">timeout</replaceable></term> | |
111 | 104 <listitem><para> |
105 Set the timeout in seconds used for communication with sendmail. | |
106 </para></listitem> | |
108 | 107 </varlistentry> |
108 </variablelist> | |
109 </refsect1> | |
94 | 110 |
111 | 111 <refsect1 id='usage.1'> |
108 | 112 <title>Usage</title> |
113 <para><command>@PACKAGE@</command> -c</para> | |
114 <para><command>@PACKAGE@</command> -s</para> | |
111 | 115 <para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para> |
116 <para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para> | |
117 </refsect1> | |
118 | |
119 <refsect1 id='installation.1'> | |
120 <title>Installation</title> | |
121 <para> | |
122 This is now a standard GNU autoconf/automake installation, so the normal | |
123 "./configure; make; su; make install" works. "make chkconfig" will | |
124 setup the init.d runlevel scripts. Alternatively, you can use the | |
125 source or binary RPMs at <ulink | |
126 url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>. | |
127 </para> | |
128 <para> | |
129 Note that this has ONLY been tested on Linux, specifically RedHat Linux. | |
130 In particular, this milter makes no attempt to understand IPv6. Your | |
131 mileage will vary. You will need at a minimum a C++ compiler with a | |
132 minimally thread safe STL implementation. The distribution includes a | |
133 test.cpp program. If it fails this milter won't work. If it passes, | |
134 this milter might work. | |
135 </para> | |
136 <para> | |
137 Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add | |
138 the following line in your sendmail.mc and rebuild the .cf file | |
139 </para> | |
140 <para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para> | |
141 <para> | |
142 Modify the default <citerefentry> | |
143 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
144 </citerefentry> configuration. | |
145 </para> | |
146 </refsect1> | |
147 | |
148 <refsect1 id='configuration.1'> | |
149 <title>Configuration</title> | |
150 <para> | |
151 The configuration file is documented in <citerefentry> | |
152 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
153 </citerefentry>. Any change to the config file, or any file included | |
154 from that config file, will cause it to be reloaded within three | |
155 minutes. | |
156 </para> | |
108 | 157 </refsect1> |
94 | 158 |
108 | 159 <refsect1 id='introduction.1'> |
160 <title>Introduction</title> | |
161 <para> | |
162 Consider the case of a mail server that is acting as secondary MX for a | |
163 collection of clients, each of which has a collection of mail domains. | |
164 Each client may use their own collection of DNSBLs on their primary mail | |
165 server. We present here a mechanism whereby the backup mail server can | |
166 use the correct set of DNSBLs for each recipient for each message. As a | |
167 side-effect, it gives us the ability to customize the set of DNSBLs on a | |
183 | 168 per-recipient basis, so that fred@example.com could use LOCAL and the |
108 | 169 SBL, where all other users @example.com use only the SBL. |
170 </para> | |
171 <para> | |
172 This milter can also verify the envelope from/recipient pairs with the | |
173 primary MX server. This allows the backup mail servers to properly | |
174 reject mail sent to invalid addresses. Otherwise, the backup mail | |
175 servers will accept that mail, and then generate a bounce message when | |
176 the message is forwarded to the primary server (and rejected there with | |
127 | 177 no such user). These rejections are the primary cause of such backscatter. |
108 | 178 </para> |
179 <para> | |
180 This milter will also decode (uuencode, base64, mime, html entity, url | |
181 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the | |
182 body of the mail. If any of those host names have A or NS records on | |
183 the SBL (or a single configurable DNSBL), the mail will be rejected | |
184 unless previously whitelisted. This milter also counts the number of | |
185 invalid HTML tags, and can reject mail if that count exceeds your | |
186 specified limit. | |
187 </para> | |
188 <para> | |
136 | 189 This milter can also impose hourly rate limits on the number of |
190 recipients accepted from SMTP AUTH connections, that would otherwise be | |
191 allowed to relay thru this mail server with no spam filtering. | |
192 </para> | |
193 <para> | |
162 | 194 Consider the case of a message from A to B passing thru this milter. If |
195 that message is not blocked, then we might eventually see a reply | |
156 | 196 message from B to A. If the filtering context for A includes an |
162 | 197 autowhite entry, and that context does <emphasis>not</emphasis> cover B |
198 as a recipient, then this milter will add an entry in that file to | |
199 whitelist such replies for a configurable time period. Suppose A and B | |
200 are in the same domain, or at least use the same filtering context. In | |
201 that case we don't want to add a whitelist entry for B, since that would | |
202 then allow spammers to send mail from B (forged) to B. Such autowhite | |
160 | 203 files need to be writeable by the dnsbl user, where all the other dnsbl |
204 configuration files only need to be readable by the dnsbl user. | |
156 | 205 </para> |
206 <para> | |
176
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
207 You can manually add such an autowhite entry, by appending a single |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
208 text line to the autowhitelist file, using something like |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
209 <command>echo "$mail 0" >>$autowhitefile</command>. |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
210 You can manually remove such an autowhite entry, by appending a single |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
211 text line to the autowhitelist file, using something like |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
212 <command>echo "$mail 1" >>$autowhitefile</command>. |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
213 </para> |
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
214 <para> |
108 | 215 The DNSBL milter reads a text configuration file (dnsbl.conf) on |
216 startup, and whenever the config file (or any of the referenced include | |
217 files) is changed. The entire configuration file is case insensitive. | |
218 If the configuration cannot be loaded due to a syntax error, the milter | |
219 will log the error and quit. If the configuration cannot be reloaded | |
220 after being modified, the milter will log the error and send an email to | |
152 | 221 root from dnsbl@$hostname. You probably want to add dnsbl@$hostname |
108 | 222 to your /etc/mail/virtusertable since otherwise sendmail will reject |
223 that message. | |
224 </para> | |
225 </refsect1> | |
94 | 226 |
111 | 227 <refsect1 id='dcc.1'> |
108 | 228 <title>DCC Issues</title> |
229 <para> | |
230 If you are also using the <ulink | |
231 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there | |
232 are a few considerations. You may need to whitelist senders from the | |
233 DCC bulk detector, or from the DNS based lists. Those are two very | |
234 different reasons for whitelisting. The former is done thru the DCC | |
235 whiteclnt config file, the later is done thru the DNSBL milter config | |
236 file. | |
237 </para> | |
238 <para> | |
239 You may want to blacklist some specific senders or sending domains. | |
240 This could be done thru either the DCC (on a global basis, or for a | |
241 specific single recipient). We prefer to do such blacklisting via the | |
242 DNSBL milter config, since it can be done for a collection of recipient | |
243 mail domains. The DCC approach has the feature that you can capture the | |
244 entire message in the DCC log files. The DNSBL milter approach has the | |
245 feature that the mail is rejected earlier (at RCPT TO time), and the | |
246 sending machine just gets a generic "550 5.7.1 no such user" message. | |
247 </para> | |
248 <para> | |
249 The DCC whiteclnt file can be included in the DNSBL milter config by the | |
250 dcc_to and dcc_from statements. This will import the (env_to, env_from, | |
251 and substitute mail_host) entries from the DCC config into the DNSBL | |
252 config. This allows using the DCC config as the single point for | |
253 white/blacklisting. | |
254 </para> | |
255 <para> | |
256 Consider the case where you have multiple clients, each with their own | |
257 mail servers, and each running their own DCC milters. Each client is | |
258 using the DCC facilities for envelope from/to white/blacklisting. | |
259 Presumably you can use rsync or scp to fetch copies of your clients DCC | |
260 whiteclnt files on a regular basis. Your mail server, acting as a | |
261 backup MX for your clients, can use the DNSBL milter, and include those | |
262 client DCC config files. The envelope from/to white/blacklisting will | |
263 be appropriately tagged and used only for the domains controlled by each | |
264 of those clients. | |
265 </para> | |
179 | 266 <para> |
267 You can now use (via dccifd) different dcc filtering parameters on a per | |
268 context basis. See the dcc_greylist and dcc_bulk_threshold statements | |
269 in the <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
270 <manvolnum>5</manvolnum> </citerefentry> configuration. Those | |
271 statements are only active if you supply the <option>-b</option> option | |
272 on the dnsbl command line. If you use the dcc via the standard dcc | |
273 milter (dccm), then connections from clients that use SMTP AUTH are | |
274 still subject to greylisting. If you use the dcc via dccifd and this | |
275 milter, then connections from clients that use SMTP AUTH are never | |
180 | 276 subject to greylisting. As part of this per-user greylisting, you need |
277 to move the dnsblnogrey file from the config directory to something | |
278 like /var/dcc/userdirs/local/dnsblnogrey/whiteclnt so the dccifd will | |
279 properly ignore greylisting for those recipients that don't want it. | |
179 | 280 </para> |
108 | 281 </refsect1> |
94 | 282 |
111 | 283 <refsect1 id='definitions.1'> |
108 | 284 <title>Definitions</title> |
285 <para> | |
286 CONTEXT - a collection of parameters that defines the filtering context | |
287 to be used for a collection of envelope recipient addresses. The | |
288 context includes such things as the list of DNSBLs to be used, and the | |
289 various content filtering parameters. | |
290 </para> | |
291 <para> | |
292 DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g. | |
293 sbl-xbl.spamhaus.org) and a message string that is used to generate the | |
294 "550 5.7.1" smtp error return code. The names of these DNSBLs will be | |
295 used to define the DNSBL-LISTs. | |
296 </para> | |
297 <para> | |
298 DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
299 recipients or recipient domains. | |
300 </para> | |
301 </refsect1> | |
94 | 302 |
111 | 303 <refsect1 id='filtering.1'> |
108 | 304 <title>Filtering Procedure</title> |
305 <para> | |
152 | 306 The SMTP envelope 'from' and 'to' values are used in various checks. |
307 The first check is to see if a reply message (swapping the env_from and | |
160 | 308 env_to values) would be unconditionally blocked (just based on the |
309 envelope from address). That check is similar to the main check | |
310 described below, but there is no body content to be scanned, and there | |
311 is no client connection ip address to be checked against DNSBLs. If | |
312 such a reply message would be blocked, we also block the original | |
313 outgoing message. This prevents folks from sending mail to recipients | |
314 that are unable to reply. | |
152 | 315 </para> |
316 <para> | |
136 | 317 If the client has authenticated with sendmail, the rate limits are |
318 checked. If the authenticated user has not exceeded the hourly rate | |
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
319 limit, then the mail is accepted, the filtering contexts are not used, |
136 | 320 the dns lists are not checked, and the body content is not scanned. If |
321 the client has not authenticated with sendmail, we follow these steps | |
322 for each recipient. | |
108 | 323 </para> |
324 <orderedlist> | |
111 | 325 <listitem><para> |
108 | 326 The envelope to email address is used to find an initial filtering |
327 context. We first look for a context that specified the full email | |
328 address in the env_to statement. If that is not found, we look for a | |
329 context that specified the entire domain name of the envelope recipient | |
330 in the env_to statement. If that is not found, we look for a context | |
331 that specified the user@ part of the envelope recipient in the env_to | |
332 statement. If that is not found, we use the first top level context | |
333 defined in the config file. | |
111 | 334 </para></listitem> |
335 <listitem><para> | |
108 | 336 The initial filtering context may redirect to a child context based on |
337 the values in the initial context's env_from statement. We look for [1) | |
338 the full envelope from email address, 2) the domain name part of the | |
339 envelope from address, 3) the user@ part of the envelope from address] | |
340 in that context's env_from statement, with values that point to a child | |
341 context. If such an entry is found, we switch to that child filtering | |
342 context. | |
111 | 343 </para></listitem> |
344 <listitem><para> | |
108 | 345 We lookup [1) the full envelope from email address, 2) the domain name |
346 part of the envelope from address, 3) the user@ part of the envelope | |
347 from address] in the filtering context env_from statement. That results | |
348 in one of (white, black, unknown, inherit). | |
111 | 349 </para></listitem> |
350 <listitem><para> | |
108 | 351 If the answer is black, mail to this recipient is rejected with "no such |
352 user", and the dns lists are not checked. | |
111 | 353 </para></listitem> |
354 <listitem><para> | |
108 | 355 If the answer is white, mail to this recipient is accepted and the dns |
356 lists are not checked. | |
111 | 357 </para></listitem> |
358 <listitem><para> | |
108 | 359 If the answer is unknown, we don't reject yet, but the dns lists will be |
360 checked, and the content may be scanned. | |
111 | 361 </para></listitem> |
362 <listitem><para> | |
108 | 363 If the answer is inherit, we repeat the envelope from search in the |
364 parent context. | |
111 | 365 </para></listitem> |
366 <listitem><para> | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
367 If the mail has not been accepted or rejected yet, and the filtering |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
368 context (or any ancestor context) specifies a non-empty whitelist regular |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
369 expression, then we check the envelope from value against that regex. |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
370 The mail is accepted if the envelope from value matches the specified regular |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
371 expression. |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
372 </para></listitem> |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
373 <listitem><para> |
168 | 374 If the mail has not been accepted or rejected yet, the dns lists |
375 specified in the filtering context are checked and the mail is rejected | |
376 if any list has an A record for the standard dns based lookup scheme | |
377 (reversed octets of the client followed by the dns suffix). | |
378 </para></listitem> | |
379 <listitem><para> | |
380 If the mail has not been accepted or rejected yet, and the filtering | |
170 | 381 context (or any ancestor context) specifies a non-empty generic regular |
382 expression, then we check the fully qualified client name (obtained via | |
383 the sendmail macro "_"). The mail is rejected if the client name | |
384 matches the specified regular expression. | |
111 | 385 </para></listitem> |
386 <listitem><para> | |
108 | 387 If the mail has not been accepted or rejected yet, we look for a |
388 verification context, which is the closest ancestor of the filtering | |
389 context that both specifies a verification host, and which covers the | |
390 envelope to address. If we find such a verification context, and the | |
391 verification host is not our own hostname, we open an smtp conversation | |
392 with that verification host. The current envelope from and recipient to | |
393 values are passed to that verification host. If we receive a 5xy | |
394 response those commands, we reject the current recipient with "no such | |
395 user". | |
111 | 396 </para></listitem> |
397 <listitem><para> | |
108 | 398 If the mail has not been accepted or rejected yet, and the filtering |
399 context enables content filtering, and this is the first such recipient | |
400 in this smtp transaction, we set the content filtering parameters from | |
401 this context, and enable content filtering for the body of this message. | |
111 | 402 </para></listitem> |
108 | 403 </orderedlist> |
404 <para> | |
160 | 405 For each recipient that was accepted, we search for an autowhite entry |
406 starting in the reply filtering context. If an autowhite entry is found, | |
407 we add the recipient to that auto whitelist file. This will prevent reply | |
408 messages from being blocked by the dnsbl or content filtering. | |
409 </para> | |
410 <para> | |
108 | 411 If content filtering is enabled for this body, the mail text is decoded |
119 | 412 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP |
413 and HTTPS URLs or bare host names. Hostnames must be either ip address | |
414 literals, or must end in a string defined by the TLD list. The first | |
415 <configurable> host names are checked as follows. | |
416 </para> | |
417 <para> | |
418 The only known list that is suitable for the content filter DNSBL is the | |
419 SBL. If the content filter DNSBL is defined, and any of those host | |
420 names resolve to ip addresses that are on that DNSBL (or have | |
421 nameservers that are on that list), and the host name is not on the | |
422 <configurable> ignore list, the mail is rejected. | |
423 </para> | |
424 <para> | |
425 If the content uribl DNSBL is defined, and any of those host names are | |
426 on that DNSBL, and the host name is not on the <configurable> | |
427 ignore list, the mail is rejected. | |
428 </para> | |
429 <para> | |
167
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
430 If any non-whitelisted recipient has a filtering context with a non-zero |
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
431 spamassassin limit, then the message is passed thru spamassassin (via |
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
432 spamc), and the message is rejected for those recipients with spamassassin |
203
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
433 limits less than the resulting spamassassin score. For example, a |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
434 spamassassin limit of three will reject messages with spamassassin scores |
246
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
435 of four or greater. If the filtering context has a spamassassin limit of |
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
436 zero, then spamassassin is not called (or if called the results are not used) |
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
437 for this recipient. |
203
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
438 </para> |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
439 <para> |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
440 If any non-whitelisted recipient has a filtering context that specifies |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
441 DCC greylisting, then the message is passed thru the DCC bulk detector, |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
442 and the message is greylisted (for all recipients) if the DCC says this |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
443 message should be delayed. |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
444 </para> |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
445 <para> |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
446 If any non-whitelisted recipient has a filtering context with a non-zero |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
447 DCC bulk threshold, then the message is passed thru the DCC bulk detector, |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
448 and the message is rejected for those recipients with DCC thresholds less |
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
449 than or equal to the DCC bulk score. |
163 | 450 </para> |
451 <para> | |
119 | 452 We also scan for excessive bad html tags, and if a <configurable> |
453 limit is exceeded, the mail is rejected. | |
108 | 454 </para> |
455 </refsect1> | |
94 | 456 |
111 | 457 <refsect1 id='access.1'> |
108 | 458 <title>Sendmail access vs. DNSBL</title> |
459 <para> | |
460 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
461 suppressed by entries in the /etc/mail/access database. For example, | |
462 suppose you control a /18 of address space, and have allocated some /24s | |
463 to some clients. You have access entries like | |
111 | 464 <literallayout class="monospaced"><![CDATA[ |
465 192.168.4 OK | |
466 192.168.17 OK]]></literallayout> | |
108 | 467 </para> |
468 <para> | |
469 to allow those clients to smarthost thru your mail server. Now if one | |
470 of those clients happens get infected with a virus that turns a machine | |
471 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you | |
472 will still wind up allowing that infected machine to smarthost thru your | |
473 mail servers. | |
474 </para> | |
475 <para> | |
476 With this DNSBL milter, the sendmail access database cannot override the | |
477 dnsbl checks, so that machine won't be able to send mail to or thru your | |
478 smarthost mail server (unless the virus/proxy can use smtp-auth). | |
479 </para> | |
480 <para> | |
481 Using the standard sendmail features, you would add access entries to | |
482 allow hosts on your local network to relay thru your mail server. Those | |
483 OK entries in the sendmail access database will override all the dnsbl | |
484 checks. With this DNSBL milter, you will need to have the local users | |
485 authenticate with smtp-auth to get the same effect. You might find | |
486 <ulink | |
487 url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php"> | |
488 these directions</ulink> helpful for setting up smtp-auth if you are on | |
489 RH Linux. | |
490 </para> | |
491 </refsect1> | |
94 | 492 |
111 | 493 <refsect1 id='performance.1'> |
108 | 494 <title>Performance Issues</title> |
495 <para> | |
496 Consider a high volume high performance machine running sendmail. Each | |
497 sendmail process can do its own dns resolution. Typically, such dns | |
498 resolver libraries are not thread safe, and so must be protected by some | |
499 sort of mutex in a threaded environment. When we add a milter to | |
500 sendmail, we now have a collection of sendmail processes, and a | |
501 collection of milter threads. | |
502 </para> | |
503 <para> | |
504 We will be doing a lot of dns lookups per mail message, and at least | |
505 some of those will take many tens of seconds. If all this dns work is | |
506 serialized inside the milter, we have an upper limit of about 25K mail | |
507 messages per day. That is clearly not sufficient for many sites. | |
508 </para> | |
509 <para> | |
510 Since we want to do parallel dns resolution across those milter threads, | |
511 we add another collection of dns resolver processes. Each sendmail | |
512 process is talking to a milter thread over a socket, and each milter | |
513 thread is talking to a dns resolver process over another socket. | |
514 </para> | |
515 <para> | |
516 Suppose we are processing 20 messages per second, and each message | |
517 requires 20 seconds of dns work. Then we will have 400 sendmail | |
518 processes, 400 milter threads, and 400 dns resolver processes. Of | |
519 course that steady state is very unlikely to happen. | |
520 </para> | |
521 </refsect1> | |
94 | 522 |
523 | |
111 | 524 <refsect1 id='rejected.1'> |
108 | 525 <title>Rejected Ideas</title> |
526 <para> | |
527 The following ideas have been considered and rejected. | |
528 </para> | |
529 <para> | |
111 | 530 Add max_recipients setting to the context configuration. Recipients in |
531 excess of that limit will be rejected, and all the non-whitelisted | |
532 recipients will be removed. Current spammers *very* rarely send more | |
533 than ten recipients in a single smtp transaction, so this won't stop any | |
108 | 534 significant amount of spam. |
535 </para> | |
536 <para> | |
537 Add poison addresses to the configuration. If any recipient is | |
538 poison, all recipients are rejected even if they would be whitelisted, | |
539 and the data is rejected if sent. I have a collection of spam trap | |
540 addresses that would be suitable for such use. Based on my log files, | |
541 any mail to those spam trap addresses is rejected based on either dnsbl | |
542 lookups or the DCC. So this won't result in blocking any additional | |
543 spam. | |
544 </para> | |
545 <para> | |
546 Add an option to only allow one recipient if the return path is | |
547 empty. Based on my log files, there is no mail that violates this | |
548 check. | |
549 </para> | |
550 <para> | |
551 Reject the mail if the envelope from domain name contains any MX | |
552 records pointing to 127.0.0.0/8. I don't see any significant amount of | |
553 spam sent with such domain names. | |
554 </para> | |
555 </refsect1> | |
94 | 556 |
108 | 557 <refsect1 id='todo.1'> |
558 <title>TODO</title> | |
559 <para> | |
560 The following ideas are under consideration. | |
561 </para> | |
562 <para> | |
115 | 563 Look for href="hostname/path" strings that are missing the required |
564 http:// protocol header. Such references are still clickable in common | |
565 mail software. | |
566 </para> | |
108 | 567 </refsect1> |
94 | 568 |
111 | 569 <refsect1 id='copyright.1'> |
108 | 570 <title>Copyright</title> |
571 <para> | |
163 | 572 Copyright (C) 2007 by 510 Software Group <carl@five-ten-sg.com> |
108 | 573 </para> |
574 <para> | |
575 This program is free software; you can redistribute it and/or modify it | |
576 under the terms of the GNU General Public License as published by the | |
160 | 577 Free Software Foundation; either version 3, or (at your option) any |
108 | 578 later version. |
579 </para> | |
580 <para> | |
581 You should have received a copy of the GNU General Public License along | |
582 with this program; see the file COPYING. If not, please write to the | |
583 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. | |
584 </para> | |
585 </refsect1> | |
94 | 586 |
111 | 587 <refsect1 id='version.1'> |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
588 <title>Version</title> |
108 | 589 <para> |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
590 @VERSION@ |
108 | 591 </para> |
592 </refsect1> | |
593 </refentry> | |
594 | |
595 | |
596 <refentry id="@PACKAGE@.conf.5"> | |
597 <refentryinfo> | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
598 <date>2009-05-25</date> |
108 | 599 </refentryinfo> |
94 | 600 |
108 | 601 <refmeta> |
602 <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
603 <manvolnum>5</manvolnum> | |
604 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
605 </refmeta> | |
94 | 606 |
108 | 607 <refnamediv id='name.5'> |
608 <refname>@PACKAGE@.conf</refname> | |
111 | 609 <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose> |
108 | 610 </refnamediv> |
611 | |
612 <refsynopsisdiv id='synopsis.5'> | |
613 <title>Synopsis</title> | |
614 <cmdsynopsis> | |
615 <command>@PACKAGE@.conf</command> | |
616 </cmdsynopsis> | |
617 </refsynopsisdiv> | |
94 | 618 |
108 | 619 <refsect1 id='description.5'> |
620 <title>Description</title> | |
621 <para>The <command>@PACKAGE@.conf</command> configuration file is | |
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
622 specified by this partial bnf description. Comments start with // |
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
623 or # and extend to the end of the line. To include the contents |
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
624 of some file verbatim in the dnsbl.conf file, use |
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
625 <literallayout class="monospaced"><![CDATA[include "<file>";]]></literallayout> |
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
626 </para> |
108 | 627 |
628 <literallayout class="monospaced"><![CDATA[ | |
629 CONFIG = {CONTEXT ";"}+ | |
630 CONTEXT = "context" NAME "{" {STATEMENT}+ "}" | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
631 STATEMENT = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY | GENERIC |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
632 | W_REGEX | AUTOWHITE | CONTEXT | ENV-FROM | RATE-LIMIT) ";" |
108 | 633 |
124 | 634 DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1 |
108 | 635 |
636 DNSBLLIST = "dnsbl_list" {NAME}+ | |
94 | 637 |
108 | 638 CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}" |
178 | 639 CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | CCTLD | HTML-TAGS | |
640 HTML-LIMIT | HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | | |
641 DCCBULK) ";" | |
124 | 642 FILTER = "filter" DNSPREFIX ERROR-MSG2 |
643 URIBL = "uribl" DNSPREFIX ERROR-MSG3 | |
108 | 644 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}" |
645 TLD = "tld" "{" {TLD [";"]}+ "}" | |
119 | 646 CCTLD = "cctld" "{" {TLD [";"]}+ "}" |
108 | 647 HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}" |
124 | 648 ERROR-MSG1 = string containing exactly two %s replacement tokens |
649 both are replaced with the client ip address | |
650 ERROR-MSG2 = string containing exactly two %s replacement tokens | |
651 the first is replaced with the hostname, and the second | |
652 is replaced with the ip address | |
653 ERROR-MSG3 = string containing exactly two %s replacement tokens | |
654 both are replaced with the hostname | |
108 | 655 |
656 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off") | |
657 | |
111 | 658 HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | |
659 "soft" INTEGER) | |
178 | 660 SPAMASS = "spamassassin" INTEGER |
661 REQUIRE = "require_match" ("yes" | "no") | |
662 DCCGREY = "dcc_greylist" ("yes" | "no") | |
663 DCCBULK = "dcc_bulk_threshold" (INTEGER | "many" | "off") | |
94 | 664 |
108 | 665 ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}" |
666 TO-ADDR = ADDRESS [";"] | |
667 DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";" | |
668 | |
669 VERIFY = "verify" HOSTNAME ";" | |
168 | 670 GENERIC = "generic" REGULAREXPRESSION ERROR-MSG4 ";" |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
671 W-REGEX = "white_regex" REGULAREXPRESSION ";" |
168 | 672 ERROR-MSG4 = string containing exactly one %s replacement token |
673 which is replaced with the client name | |
153 | 674 AUTOWHITE = "autowhite" DAYS FILENAME ";" |
108 | 675 |
676 ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}" | |
677 FROM-ADDR = ADDRESS VALUE [";"] | |
678 DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";" | |
136 | 679 |
140 | 680 RATE-LIMIT = "rate_limit" [DEFAULTLIMIT] "{" (RATE)+ "}" |
136 | 681 RATE = USER LIMIT [";"] |
682 | |
108 | 683 DEFAULT = ("white" | "black" | "unknown" | "inherit" | "") |
684 ADDRESS = (USER@ | DOMAIN | USER@DOMAIN) | |
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
685 VALUE = ("white" | "black" | "unknown" | "inherit" | CHILD-CONTEXT-NAME)]]></literallayout> |
108 | 686 </refsect1> |
94 | 687 |
108 | 688 <refsect1 id='sample.5'> |
689 <title>Sample</title> | |
690 <literallayout class="monospaced"><![CDATA[ | |
127 | 691 context main-default { |
692 // outbound dnsbl filtering to catch our own customers that end up on the sbl | |
693 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
174 | 694 dnsbl_list sbl; |
127 | 695 |
696 // outbound content filtering to prevent our own customers from sending spam | |
697 content on { | |
698 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
699 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; | |
700 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; | |
701 ignore { include "hosts-ignore.conf"; }; | |
702 tld { include "tld.conf"; }; | |
703 cctld { include "cctld.conf"; }; | |
704 html_tags { include "html-tags.conf"; }; | |
705 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
706 html_limit off; | |
707 host_limit on 20 "Mail containing excessive host names rejected"; | |
708 host_limit soft 20; | |
178 | 709 spamassassin 4; |
710 require_match yes; | |
711 dcc_greylist yes; | |
712 dcc_bulk_threshold 50; | |
127 | 713 }; |
714 | |
715 // backscatter prevention - don't send bounces for mail that we accepted but could not forward | |
716 // we only send bounces to our own customers | |
717 env_from unknown { | |
718 "<>" black; | |
719 }; | |
136 | 720 |
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
721 // hourly recipient rate limit by smtp auth client id |
140 | 722 rate_limit 30 { // default |
171 | 723 #fred 100; // override default limits |
724 #joe 10; // "" | |
136 | 725 }; |
127 | 726 }; |
727 | |
171 | 728 context main { |
729 dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; | |
108 | 730 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; |
174 | 731 dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; |
108 | 732 dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; |
171 | 733 dnsbl_list local sbl; |
94 | 734 |
108 | 735 content on { |
736 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
122 | 737 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; |
119 | 738 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; |
108 | 739 ignore { include "hosts-ignore.conf"; }; |
740 tld { include "tld.conf"; }; | |
119 | 741 cctld { include "cctld.conf"; }; |
108 | 742 html_tags { include "html-tags.conf"; }; |
743 html_limit off; | |
744 host_limit soft 20; | |
178 | 745 spamassassin 5; |
746 require_match yes; | |
747 dcc_greylist yes; | |
748 dcc_bulk_threshold 20; | |
108 | 749 }; |
94 | 750 |
216
784030ac71f1
Never whitelist self addressed mail. Changes for Fedora 10 and const correctness.
Carl Byington <carl@five-ten-sg.com>
parents:
214
diff
changeset
|
751 generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}" |
171 | 752 "your mail server %s seems to have a generic name"; |
753 | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
754 white_regex ".*=example.com=user@yourhostingaccount.com"; |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
755 |
108 | 756 env_to { |
171 | 757 # !! replace this with your domain names |
108 | 758 # child contexts are not allowed to specify recipient addresses outside these domains |
179 | 759 # if this is a backup-mx, you need to include here domains for which you relay to the primary mx |
174 | 760 include "/etc/mail/local-host-names"; |
108 | 761 }; |
94 | 762 |
108 | 763 context whitelist { |
764 content off {}; | |
765 env_to { | |
171 | 766 # dcc_to ok { include "/var/dcc/whitecommon"; }; |
108 | 767 }; |
768 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted | |
769 # so all mail TO these env_to addresses is accepted | |
770 }; | |
94 | 771 |
171 | 772 context abuse { |
773 dnsbl_list xbl; | |
774 content off {}; | |
174 | 775 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
171 | 776 env_to { |
777 abuse@ # no content filtering on abuse reports | |
778 postmaster@ # "" | |
779 }; | |
780 env_from unknown {}; # ignore all parent white/black listing | |
781 }; | |
782 | |
108 | 783 context minimal { |
171 | 784 dnsbl_list sbl; |
178 | 785 content on { |
786 spamassassin 10; | |
787 dcc_bulk_threshold many; | |
788 }; | |
171 | 789 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
108 | 790 env_to { |
791 }; | |
792 }; | |
94 | 793 |
108 | 794 context blacklist { |
795 env_to { | |
171 | 796 # dcc_to many { include "/var/dcc/whitecommon"; }; |
108 | 797 }; |
798 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted | |
799 # so all mail TO these env_to addresses is rejected | |
800 }; | |
94 | 801 |
171 | 802 env_from unknown { |
803 abuse@ abuse; # replies to abuse reports use the abuse context | |
804 # dcc_from { include "/var/dcc/whitecommon"; }; | |
108 | 805 }; |
806 | |
171 | 807 autowhite 90 "autowhite/my-auto-whitelist"; |
808 # install should create /etc/dnsbl/autowhite writable by userid dnsbl | |
108 | 809 };]]></literallayout> |
810 </refsect1> | |
94 | 811 |
111 | 812 <refsect1 id='version.5'> |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
813 <title>Version</title> |
108 | 814 <para> |
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
815 @VERSION@ |
108 | 816 </para> |
817 </refsect1> | |
818 | |
819 </refentry> | |
820 </reference> |