dnsbl: xml/dnsbl.in annotate

annotate xml/dnsbl.in @ 98:91c27c00048f

tokenizer errors now go thru syslog to be visible during config file reloads in normal operation

author	carl
date	Thu, 22 Sep 2005 21:57:08 -0700
parents	53a2fbe3f761
children	f8963ddf7143

rev	line source
94 e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	1 <html>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	2
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	3 <head>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
98 91c27c00048f tokenizer errors now go thru syslog to be visible during config file reloads in normal operation carl parents: 95 diff changeset	5 <title>DNSBL Sendmail milter - Version 5.6</title>
94 e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	6 </head>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	7
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	8 <center>Introduction</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	9 <p>This milter is released under the GPL license version 2 included in
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	10 the LICENSE file in the distribution, and also available at
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	11 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	12
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	13 <p>Consider the case of a mail server that is acting as secondary MX for
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	14 a collection of clients, each of which has a collection of mail domains.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	15 Each client may use their own collection of DNSBLs on their primary mail
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	16 server. We present here a mechanism whereby the backup mail server can
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	17 use the correct set of DNSBLs for each recipient for each message. As a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	18 side-effect, it gives us the ability to customize the set of DNSBLs on a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	19 per-recipient basis, so that fred@example.com could use SPEWS and the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	20 SBL, where all other users @example.com use only the SBL.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	21
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	22 <p>This milter can also verify the envelope from/recipient pairs with
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	23 the primary MX server. This allows the backup mail servers to properly
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	24 reject mail sent to invalid addresses. Otherwise, the backup mail
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	25 servers will accept that mail, and then generate a bounce message when
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	26 the message is forwarded to the primary server (and rejected there with
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	27 no such user).
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	28
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	29 <p>This milter will also decode (uuencode, base64, mime, html entity,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	30 url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	31 the body of the mail. If any of those host names have A or NS records
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	32 on the SBL (or a single configurable DNSBL), the mail will be rejected
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	33 unless previously whitelisted. This milter also counts the number of
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	34 invalid HTML tags, and can reject mail if that count exceeds your
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	35 specified limit.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	36
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	37 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	38 startup, and whenever the config file (or any of the referenced include
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	39 files) is changed. The entire configuration file is case insensitive.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	40 If the configuration cannot be loaded due to a syntax error, the milter
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	41 will log the error and quit. If the configuration cannot be reloaded
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	42 after being modified, the milter will log the error and send an email to
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	43 root from dnsbl@$hostname. You probably want to added dnsbl@$hostname
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	44 to your /etc/mail/virtusertable since otherwise sendmail will reject
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	45 that message.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	46
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	47 <hr> <center>DCC Issues</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	48 <p>If you are also using the <a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	49 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	50 a few considerations. You may need to whitelist senders from the DCC
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	51 bulk detector, or from the DNS based lists. Those are two very
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	52 different reasons for whitelisting. The former is done thru the DCC
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	53 whiteclnt config file, the later is done thru the DNSBL milter config
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	54 file.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	55
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	56 <p>You may want to blacklist some specific senders or sending domains.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	57 This could be done thru either the DCC (on a global basis, or for a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	58 specific single recipient). We prefer to do such blacklisting via the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	59 DNSBL milter config, since it can be done for a collection of recipient
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	60 mail domains. The DCC approach has the feature that you can capture the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	61 entire message in the DCC log files. The DNSBL milter approach has the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	62 feature that the mail is rejected earlier (at RCPT TO time), and the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	63 sending machine just gets a generic "550 5.7.1 no such user" message.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	64
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	65 <p>The DCC whiteclnt file can be included in the DNSBL milter config by
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	66 the dcc_to and dcc_from statements. This will import the (env_to,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	67 env_from, and substitute mail_host) entries from the DCC config into the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	68 DNSBL config. This allows using the DCC config as the single point for
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	69 white/blacklisting.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	70
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	71 <p>Consider the case where you have multiple clients, each with their
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	72 own mail servers, and each running their own DCC milters. Each client
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	73 is using the DCC facilities for envelope from/to white/blacklisting.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	74 Presumably you can use rsync or scp to fetch copies of your clients DCC
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	75 whiteclnt files on a regular basis. Your mail server, acting as a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	76 backup MX for your clients, can use the DNSBL milter, and include those
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	77 client DCC config files. The envelope from/to white/blacklisting will
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	78 be appropriately tagged and used only for the domains controlled by each
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	79 of those clients.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	80
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	81 <hr> <center>Definitions</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	82
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	83 <p>CONTEXT - a collection of parameters that defines the filtering
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	84 context to be used for a collection of envelope recipient addresses.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	85 The context includes such things as the list of DNSBLs to be used, and
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	86 the various content filtering parameters.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	87
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	88 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	89 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	90 generate the "550 5.7.1" smtp error return code. The names of these
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	91 DNSBLs will be used to define the DNSBL-LISTs.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	92
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	93 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	94 recipients or recipient domains.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	95
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	96 <hr> <center>Filtering Procedure</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	97
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	98 <p>If the client has authenticated with sendmail, the mail is accepted,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	99 the filtering contexts are not used, the dns lists are not checked, and
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	100 the body content is not scanned. Otherwise, we follow these steps for
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	101 each recipient.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	102
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	103 <ol>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	104
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	105 <li>The envelope to email address is used to find an initial filtering
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	106 context. We first look for a context that specified the full email
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	107 address in the env_to statement. If that is not found, we look for a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	108 context that specified the entire domain name of the envelope recipient
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	109 in the env_to statement. If that is not found, we look for a context
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	110 that specified the user@ part of the envelope recipient in the env_to
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	111 statement. If that is not found, we use the first top level context
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	112 defined in the config file.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	113
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	114 <br><br><li>The initial filtering context may redirect to a child
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	115 context based on the values in the initial context's env_from statement.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	116 We look for [1) the full envelope from email address, 2) the domain name
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	117 part of the envelope from address, 3) the user@ part of the envelope
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	118 from address] in that context's env_from statement, with values that
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	119 point to a child context. If such an entry is found, we switch to that
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	120 child filtering context.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	121
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	122 <br><br><li>We lookup [1) the full envelope from email address, 2) the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	123 domain name part of the envelope from address, 3) the user@ part of the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	124 envelope from address] in the filtering context env_from statement.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	125 That results in one of (white, black, unknown, inherit).
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	126
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	127 <br><br><li>If the answer is black, mail to this recipient is rejected
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	128 with "no such user", and the dns lists are not checked.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	129
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	130 <br><br><li>If the answer is white, mail to this recipient is accepted
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	131 and the dns lists are not checked.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	132
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	133 <br><br><li>If the answer is unknown, we don't reject yet, but the dns
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	134 lists will be checked, and the content may be scanned.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	135
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	136 <br><br><li>If the answer is inherit, we repeat the envelope from search
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	137 in the parent context.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	138
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	139 <br><br><li>The dns lists specified in the filtering context are checked
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	140 and the mail is rejected if any list has an A record for the standard
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	141 dns based lookup scheme (reversed octets of the client followed by the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	142 dns suffix).
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	143
95 53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	144 <br><br><li>If the mail has not been accepted or rejected yet, we look
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	145 for a verification context, which is the closest ancestor of the
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	146 filtering context that both specifies a verification host, and which
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	147 covers the envelope to address. If we find such a verification context,
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	148 and the verification host is not our own hostname, we open an smtp
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	149 conversation with that verification host. The current envelope from and
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	150 recipient to values are passed to that verification host. If we receive
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	151 a 5xy response those commands, we reject the current recipient with "no
53a2fbe3f761 cleanup documentation carl parents: 94 diff changeset	152 such user".
94 e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	153
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	154 <br><br><li>If the mail has not been accepted or rejected yet, and the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	155 filtering context enables content filtering, and this is the first such
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	156 recipient in this smtp transaction, we set the content filtering
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	157 parameters from this context, and enable content filtering for the body
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	158 of this message.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	159
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	160 </ol>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	161
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	162 <p>If content filtering is enabled for this body, the mail text is
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	163 decoded (uuencode, base64, mime, html entity, url encodings), scanned
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	164 for HTTP and HTTPS URLs, and the first <configurable> host names
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	165 are checked for their presence on the single <configurable> DNSBL.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	166 The only known list that is suitable for this purpose is the SBL. If
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	167 any of those host names are on that DNSBL (or have nameservers that are
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	168 on that list), and it is not on the <configurable> ignore list,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	169 the mail is rejected. We also scan for excessive bad html tags, and if
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	170 a <configurable> limit is exceeded, the mail is rejected.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	171
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	172 <hr> <center>Sendmail access vs. DNSBL</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	173 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	174 suppressed by entries in the /etc/mail/access database. For example,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	175 suppose you control a /18 of address space, and have allocated some /24s
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	176 to some clients. You have access entries like
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	177
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	178 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	179 192.168.4 OK
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	180 192.168.17 OK
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	181 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	182
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	183 <p>to allow those clients to smarthost thru your mail server. Now if
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	184 one of those clients happens get infected with a virus that turns a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	185 machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	186 you will still wind up allowing that infected machine to smarthost thru
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	187 your mail servers.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	188
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	189 <p>With this DNSBL milter, the sendmail access database cannot override
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	190 the dnsbl checks, so that machine won't be able to send mail to or thru
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	191 your smarthost mail server (unless the virus/proxy can use smtp-auth).
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	192
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	193 <p>Using the standard sendmail features, you would add access entries to
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	194 allow hosts on your local network to relay thru your mail server. Those
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	195 OK entries in the sendmail access database will override all the dnsbl
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	196 checks. With this DNSBL milter, you will need to have the local users
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	197 authenticate with smtp-auth to get the same effect. You might find <a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	198 href="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	199 these directions</a> helpful for setting up smtp-auth if you are on RH
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	200 Linux.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	201
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	202 <hr> <center>Installation and configuration</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	203 <p>Usage: Note that this has ONLY been tested on Linux, specifically
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	204 RedHat Linux. In particular, this milter makes no attempt to understand
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	205 IPv6. Your mileage will vary. You will need at a minimum a C++
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	206 compiler with a minimally thread safe STL implementation. The
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	207 distribution includes a test.cpp program. If it fails this milter won't
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	208 work. If it passes, this milter might work.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	209
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	210 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	211 and
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	212
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	213 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	214 tar xfvz dnsbl.tar.gz
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	215 bash install.bash
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	216 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	217
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	218 Read and understand the contents of that install.bash script before you
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	219 run it. It may not be suitable for your system. Modify your
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	220 sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	221 line in your sendmail.mc and rebuild the .cf file
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	222
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	223 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	224 INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	225 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	226
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	227 Read the sample <a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	228 href="http://www.five-ten-sg.com/dnsbl.conf">/etc/dnsbl/dnsbl.conf</a>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	229 file and modify it to fit your configuration. You can test your
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	230 configuration files, and see a readable internal dump of them on stdout
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	231 with
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	232
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	233 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	234 cd /etc/dnsbl
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	235 /usr/sbin/dnsbl -c
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	236 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	237
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	238 You can check a specific envelope from/to pair with
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	239
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	240 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	241 cd /etc/dnsbl
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	242 from="$1" # or your from address
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	243 to="$2" # or your to address
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	244 /usr/sbin/dnsbl -e "$from"'\|'"$to"
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	245 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	246
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	247 <hr> <center>Performance issues</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	248
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	249 <p>Consider a high volume high performance machine running sendmail.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	250 Each sendmail process can do its own dns resolution. Typically, such
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	251 dns resolver libraries are not thread safe, and so must be protected by
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	252 some sort of mutex in a threaded environment. When we add a milter to
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	253 sendmail, we now have a collection of sendmail processes, and a
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	254 collection of milter threads.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	255
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	256 <p>We will be doing a lot of dns lookups per mail message, and at least
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	257 some of those will take many tens of seconds. If all this dns work is
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	258 serialized inside the milter, we have an upper limit of about 25K mail
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	259 messages per day. That is clearly not sufficient for many sites.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	260
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	261 <p>Since we want to do parallel dns resolution across those milter
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	262 threads, we add another collection of dns resolver processes. Each
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	263 sendmail process is talking to a milter thread over a socket, and each
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	264 milter thread is talking to a dns resolver process over another socket.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	265
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	266 <p>Suppose we are processing 20 messages per second, and each message
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	267 requires 20 seconds of dns work. Then we will have 400 sendmail
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	268 processes, 400 milter threads, and 400 dns resolver processes. Of
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	269 course that steady state is very unlikely to happen.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	270
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	271 <hr> <center>Rejected Ideas</center>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	272
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	273 <p>The following ideas have been considered and rejected.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	274
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	275 <p>Add max_recipients for each mail domain to the configuration.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	276 Recipients in excess of that limit will be rejected, and all the
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	277 recipients in that domain will be removed if there are some other
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	278 whitelisted recipients. Current spammers very rarely send more than
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	279 ten recipients in a single smtp transaction, so this won't stop
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	280 any significant amount of spam.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	281
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	282 <p>Add poison addresses to the configuration. If any recipient is
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	283 poison, all recipients are rejected even if they would be whitelisted,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	284 and the data is rejected if sent. I have a collection of spam trap
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	285 addresses that would be suitable for such use. Based on my log files,
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	286 any mail to those spam trap addresses is rejected based on either dnsbl
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	287 lookups or the DCC. So this won't result in blocking any additional
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	288 spam.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	289
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	290 <p>Add an option to only allow one recipient if the return path is
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	291 empty. Based on my log files, there is no mail that violates this
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	292 check.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	293
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	294 <p>Reject the mail if the envelope from domain name contains any MX
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	295 records pointing to 127.0.0.0/8. I don't see any significant amount of spam
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	296 sent with such domain names.
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	297
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	298
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	299 <pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	300 $Id$
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	301 </pre>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	302 </body>
e107ade3b1c0 fix dos line terminators carl parents: 92 diff changeset	303 </html>

Mercurial > dnsbl

annotate xml/dnsbl.in @ 98:91c27c00048f