Mercurial > dnsbl
annotate xml/dnsbl.in @ 149:9581f6e62574
switch to second context wins in all cases
| author | carl |
|---|---|
| date | Mon, 19 Feb 2007 15:57:24 -0800 |
| parents | 9330b8d6a56b |
| children | c7fc218686f5 |
| rev | line source |
|---|---|
| 108 | 1 <reference> |
| 2 <title>@PACKAGE@ Sendmail milter - Version @VERSION@</title> | |
| 3 <partintro> | |
| 4 <title>Packages</title> | |
| 5 <para>The various source and binary packages are available at <ulink | |
|
114
f4f5fb263072
cleanup list of tlds, add trailing / on http package directory reference
carl
parents:
111
diff
changeset
|
6 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink> |
| 108 | 7 The most recent documentation is available at <ulink |
| 8 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink> | |
| 9 </para> | |
| 94 | 10 |
| 108 | 11 </partintro> |
| 94 | 12 |
| 108 | 13 <refentry id="@PACKAGE@.1"> |
| 14 <refentryinfo> | |
| 115 | 15 <date>2006-01-08</date> |
| 108 | 16 </refentryinfo> |
| 94 | 17 |
| 108 | 18 <refmeta> |
| 19 <refentrytitle>@PACKAGE@</refentrytitle> | |
| 20 <manvolnum>1</manvolnum> | |
| 21 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
| 22 </refmeta> | |
| 23 | |
| 24 <refnamediv id='name.1'> | |
| 25 <refname>@PACKAGE@</refname> | |
| 26 <refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose> | |
| 27 </refnamediv> | |
| 94 | 28 |
| 108 | 29 <refsynopsisdiv id='synopsis.1'> |
| 30 <title>Synopsis</title> | |
| 31 <cmdsynopsis> | |
| 32 <command>@PACKAGE@</command> | |
| 33 <arg><option>-c</option></arg> | |
| 34 <arg><option>-s</option></arg> | |
| 35 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg> | |
| 36 <arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg> | |
| 37 <arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg> | |
| 38 <arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg> | |
| 39 <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> | |
| 40 </cmdsynopsis> | |
| 41 </refsynopsisdiv> | |
| 94 | 42 |
| 108 | 43 <refsect1 id='options.1'> |
| 44 <title>Options</title> | |
| 45 <variablelist> | |
| 46 <varlistentry> | |
| 47 <term>-c</term> | |
| 111 | 48 <listitem><para> |
| 49 Load the configuration file, print a cannonical form | |
| 50 of the configuration on stdout, and exit. | |
| 51 </para></listitem> | |
| 108 | 52 </varlistentry> |
| 53 <varlistentry> | |
| 54 <term>-s</term> | |
| 111 | 55 <listitem><para> |
| 56 Stress test the configuration loading code by repeating | |
| 57 the load/free cycle in an infinite loop. | |
| 58 </para></listitem> | |
| 108 | 59 </varlistentry> |
| 60 <varlistentry> | |
| 61 <term>-d <replaceable class="parameter">n</replaceable></term> | |
| 111 | 62 <listitem><para> |
| 63 Set the debug level to <replaceable class="parameter">n</replaceable>. | |
| 64 </para></listitem> | |
| 108 | 65 </varlistentry> |
| 66 <varlistentry> | |
| 67 <term>-e <replaceable class="parameter">from|to</replaceable></term> | |
| 111 | 68 <listitem><para> |
| 69 Print the results of looking up the from and to addresses in the | |
| 70 current configuration. The | character is used to separate the from and to | |
| 71 addresses in the argument to the -e switch. | |
| 72 </para></listitem> | |
| 108 | 73 </varlistentry> |
| 74 <varlistentry> | |
| 75 <term>-r <replaceable class="parameter">local-domain-socket</replaceable></term> | |
| 111 | 76 <listitem><para> |
| 77 Set the local socket used for the connection to our own dns resolver processes. | |
| 78 </para></listitem> | |
| 108 | 79 </varlistentry> |
| 80 <varlistentry> | |
| 81 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term> | |
| 111 | 82 <listitem><para> |
| 83 Set the socket used for the milter connection to sendmail. This is either | |
| 84 "inet:port@ip-address" or "local:local-domain-socket-file-name". | |
| 85 </para></listitem> | |
| 108 | 86 </varlistentry> |
| 87 <varlistentry> | |
| 88 <term>-t <replaceable class="parameter">timeout</replaceable></term> | |
| 111 | 89 <listitem><para> |
| 90 Set the timeout in seconds used for communication with sendmail. | |
| 91 </para></listitem> | |
| 108 | 92 </varlistentry> |
| 93 </variablelist> | |
| 94 </refsect1> | |
| 94 | 95 |
| 111 | 96 <refsect1 id='usage.1'> |
| 108 | 97 <title>Usage</title> |
| 98 <para><command>@PACKAGE@</command> -c</para> | |
| 99 <para><command>@PACKAGE@</command> -s</para> | |
| 111 | 100 <para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para> |
| 101 <para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para> | |
| 102 </refsect1> | |
| 103 | |
| 104 <refsect1 id='installation.1'> | |
| 105 <title>Installation</title> | |
| 106 <para> | |
| 107 This is now a standard GNU autoconf/automake installation, so the normal | |
| 108 "./configure; make; su; make install" works. "make chkconfig" will | |
| 109 setup the init.d runlevel scripts. Alternatively, you can use the | |
| 110 source or binary RPMs at <ulink | |
| 111 url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>. | |
| 112 </para> | |
| 113 <para> | |
| 114 Note that this has ONLY been tested on Linux, specifically RedHat Linux. | |
| 115 In particular, this milter makes no attempt to understand IPv6. Your | |
| 116 mileage will vary. You will need at a minimum a C++ compiler with a | |
| 117 minimally thread safe STL implementation. The distribution includes a | |
| 118 test.cpp program. If it fails this milter won't work. If it passes, | |
| 119 this milter might work. | |
| 120 </para> | |
| 121 <para> | |
| 122 Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add | |
| 123 the following line in your sendmail.mc and rebuild the .cf file | |
| 124 </para> | |
| 125 <para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para> | |
| 126 <para> | |
| 127 Modify the default <citerefentry> | |
| 128 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
| 129 </citerefentry> configuration. | |
| 130 </para> | |
| 131 </refsect1> | |
| 132 | |
| 133 <refsect1 id='configuration.1'> | |
| 134 <title>Configuration</title> | |
| 135 <para> | |
| 136 The configuration file is documented in <citerefentry> | |
| 137 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
| 138 </citerefentry>. Any change to the config file, or any file included | |
| 139 from that config file, will cause it to be reloaded within three | |
| 140 minutes. | |
| 141 </para> | |
| 108 | 142 </refsect1> |
| 94 | 143 |
| 108 | 144 <refsect1 id='introduction.1'> |
| 145 <title>Introduction</title> | |
| 146 <para> | |
| 147 Consider the case of a mail server that is acting as secondary MX for a | |
| 148 collection of clients, each of which has a collection of mail domains. | |
| 149 Each client may use their own collection of DNSBLs on their primary mail | |
| 150 server. We present here a mechanism whereby the backup mail server can | |
| 151 use the correct set of DNSBLs for each recipient for each message. As a | |
| 152 side-effect, it gives us the ability to customize the set of DNSBLs on a | |
| 153 per-recipient basis, so that fred@example.com could use SPEWS and the | |
| 154 SBL, where all other users @example.com use only the SBL. | |
| 155 </para> | |
| 156 <para> | |
| 157 This milter can also verify the envelope from/recipient pairs with the | |
| 158 primary MX server. This allows the backup mail servers to properly | |
| 159 reject mail sent to invalid addresses. Otherwise, the backup mail | |
| 160 servers will accept that mail, and then generate a bounce message when | |
| 161 the message is forwarded to the primary server (and rejected there with | |
| 127 | 162 no such user). These rejections are the primary cause of such backscatter. |
| 108 | 163 </para> |
| 164 <para> | |
| 165 This milter will also decode (uuencode, base64, mime, html entity, url | |
| 166 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the | |
| 167 body of the mail. If any of those host names have A or NS records on | |
| 168 the SBL (or a single configurable DNSBL), the mail will be rejected | |
| 169 unless previously whitelisted. This milter also counts the number of | |
| 170 invalid HTML tags, and can reject mail if that count exceeds your | |
| 171 specified limit. | |
| 172 </para> | |
| 173 <para> | |
| 136 | 174 This milter can also impose hourly rate limits on the number of |
| 175 recipients accepted from SMTP AUTH connections, that would otherwise be | |
| 176 allowed to relay thru this mail server with no spam filtering. | |
| 177 </para> | |
| 178 <para> | |
| 108 | 179 The DNSBL milter reads a text configuration file (dnsbl.conf) on |
| 180 startup, and whenever the config file (or any of the referenced include | |
| 181 files) is changed. The entire configuration file is case insensitive. | |
| 182 If the configuration cannot be loaded due to a syntax error, the milter | |
| 183 will log the error and quit. If the configuration cannot be reloaded | |
| 184 after being modified, the milter will log the error and send an email to | |
| 185 root from dnsbl@$hostname. You probably want to added dnsbl@$hostname | |
| 186 to your /etc/mail/virtusertable since otherwise sendmail will reject | |
| 187 that message. | |
| 188 </para> | |
| 189 </refsect1> | |
| 94 | 190 |
| 111 | 191 <refsect1 id='dcc.1'> |
| 108 | 192 <title>DCC Issues</title> |
| 193 <para> | |
| 194 If you are also using the <ulink | |
| 195 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there | |
| 196 are a few considerations. You may need to whitelist senders from the | |
| 197 DCC bulk detector, or from the DNS based lists. Those are two very | |
| 198 different reasons for whitelisting. The former is done thru the DCC | |
| 199 whiteclnt config file, the later is done thru the DNSBL milter config | |
| 200 file. | |
| 201 </para> | |
| 202 <para> | |
| 203 You may want to blacklist some specific senders or sending domains. | |
| 204 This could be done thru either the DCC (on a global basis, or for a | |
| 205 specific single recipient). We prefer to do such blacklisting via the | |
| 206 DNSBL milter config, since it can be done for a collection of recipient | |
| 207 mail domains. The DCC approach has the feature that you can capture the | |
| 208 entire message in the DCC log files. The DNSBL milter approach has the | |
| 209 feature that the mail is rejected earlier (at RCPT TO time), and the | |
| 210 sending machine just gets a generic "550 5.7.1 no such user" message. | |
| 211 </para> | |
| 212 <para> | |
| 213 The DCC whiteclnt file can be included in the DNSBL milter config by the | |
| 214 dcc_to and dcc_from statements. This will import the (env_to, env_from, | |
| 215 and substitute mail_host) entries from the DCC config into the DNSBL | |
| 216 config. This allows using the DCC config as the single point for | |
| 217 white/blacklisting. | |
| 218 </para> | |
| 219 <para> | |
| 220 Consider the case where you have multiple clients, each with their own | |
| 221 mail servers, and each running their own DCC milters. Each client is | |
| 222 using the DCC facilities for envelope from/to white/blacklisting. | |
| 223 Presumably you can use rsync or scp to fetch copies of your clients DCC | |
| 224 whiteclnt files on a regular basis. Your mail server, acting as a | |
| 225 backup MX for your clients, can use the DNSBL milter, and include those | |
| 226 client DCC config files. The envelope from/to white/blacklisting will | |
| 227 be appropriately tagged and used only for the domains controlled by each | |
| 228 of those clients. | |
| 229 </para> | |
| 230 </refsect1> | |
| 94 | 231 |
| 111 | 232 <refsect1 id='definitions.1'> |
| 108 | 233 <title>Definitions</title> |
| 234 <para> | |
| 235 CONTEXT - a collection of parameters that defines the filtering context | |
| 236 to be used for a collection of envelope recipient addresses. The | |
| 237 context includes such things as the list of DNSBLs to be used, and the | |
| 238 various content filtering parameters. | |
| 239 </para> | |
| 240 <para> | |
| 241 DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g. | |
| 242 sbl-xbl.spamhaus.org) and a message string that is used to generate the | |
| 243 "550 5.7.1" smtp error return code. The names of these DNSBLs will be | |
| 244 used to define the DNSBL-LISTs. | |
| 245 </para> | |
| 246 <para> | |
| 247 DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
| 248 recipients or recipient domains. | |
| 249 </para> | |
| 250 </refsect1> | |
| 94 | 251 |
| 111 | 252 <refsect1 id='filtering.1'> |
| 108 | 253 <title>Filtering Procedure</title> |
| 254 <para> | |
| 136 | 255 If the client has authenticated with sendmail, the rate limits are |
| 256 checked. If the authenticated user has not exceeded the hourly rate | |
|
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
257 limit, then the mail is accepted, the filtering contexts are not used, |
| 136 | 258 the dns lists are not checked, and the body content is not scanned. If |
| 259 the client has not authenticated with sendmail, we follow these steps | |
| 260 for each recipient. | |
| 108 | 261 </para> |
| 262 <orderedlist> | |
| 111 | 263 <listitem><para> |
| 108 | 264 The envelope to email address is used to find an initial filtering |
| 265 context. We first look for a context that specified the full email | |
| 266 address in the env_to statement. If that is not found, we look for a | |
| 267 context that specified the entire domain name of the envelope recipient | |
| 268 in the env_to statement. If that is not found, we look for a context | |
| 269 that specified the user@ part of the envelope recipient in the env_to | |
| 270 statement. If that is not found, we use the first top level context | |
| 271 defined in the config file. | |
| 111 | 272 </para></listitem> |
| 273 <listitem><para> | |
| 108 | 274 The initial filtering context may redirect to a child context based on |
| 275 the values in the initial context's env_from statement. We look for [1) | |
| 276 the full envelope from email address, 2) the domain name part of the | |
| 277 envelope from address, 3) the user@ part of the envelope from address] | |
| 278 in that context's env_from statement, with values that point to a child | |
| 279 context. If such an entry is found, we switch to that child filtering | |
| 280 context. | |
| 111 | 281 </para></listitem> |
| 282 <listitem><para> | |
| 108 | 283 We lookup [1) the full envelope from email address, 2) the domain name |
| 284 part of the envelope from address, 3) the user@ part of the envelope | |
| 285 from address] in the filtering context env_from statement. That results | |
| 286 in one of (white, black, unknown, inherit). | |
| 111 | 287 </para></listitem> |
| 288 <listitem><para> | |
| 108 | 289 If the answer is black, mail to this recipient is rejected with "no such |
| 290 user", and the dns lists are not checked. | |
| 111 | 291 </para></listitem> |
| 292 <listitem><para> | |
| 108 | 293 If the answer is white, mail to this recipient is accepted and the dns |
| 294 lists are not checked. | |
| 111 | 295 </para></listitem> |
| 296 <listitem><para> | |
| 108 | 297 If the answer is unknown, we don't reject yet, but the dns lists will be |
| 298 checked, and the content may be scanned. | |
| 111 | 299 </para></listitem> |
| 300 <listitem><para> | |
| 108 | 301 If the answer is inherit, we repeat the envelope from search in the |
| 302 parent context. | |
| 111 | 303 </para></listitem> |
| 304 <listitem><para> | |
| 108 | 305 The dns lists specified in the filtering context are checked and the |
| 306 mail is rejected if any list has an A record for the standard dns based | |
| 307 lookup scheme (reversed octets of the client followed by the dns | |
| 308 suffix). | |
| 111 | 309 </para></listitem> |
| 310 <listitem><para> | |
| 108 | 311 If the mail has not been accepted or rejected yet, we look for a |
| 312 verification context, which is the closest ancestor of the filtering | |
| 313 context that both specifies a verification host, and which covers the | |
| 314 envelope to address. If we find such a verification context, and the | |
| 315 verification host is not our own hostname, we open an smtp conversation | |
| 316 with that verification host. The current envelope from and recipient to | |
| 317 values are passed to that verification host. If we receive a 5xy | |
| 318 response those commands, we reject the current recipient with "no such | |
| 319 user". | |
| 111 | 320 </para></listitem> |
| 321 <listitem><para> | |
| 108 | 322 If the mail has not been accepted or rejected yet, and the filtering |
| 323 context enables content filtering, and this is the first such recipient | |
| 324 in this smtp transaction, we set the content filtering parameters from | |
| 325 this context, and enable content filtering for the body of this message. | |
| 111 | 326 </para></listitem> |
| 108 | 327 </orderedlist> |
| 328 <para> | |
| 329 If content filtering is enabled for this body, the mail text is decoded | |
| 119 | 330 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP |
| 331 and HTTPS URLs or bare host names. Hostnames must be either ip address | |
| 332 literals, or must end in a string defined by the TLD list. The first | |
| 333 <configurable> host names are checked as follows. | |
| 334 </para> | |
| 335 <para> | |
| 336 The only known list that is suitable for the content filter DNSBL is the | |
| 337 SBL. If the content filter DNSBL is defined, and any of those host | |
| 338 names resolve to ip addresses that are on that DNSBL (or have | |
| 339 nameservers that are on that list), and the host name is not on the | |
| 340 <configurable> ignore list, the mail is rejected. | |
| 341 </para> | |
| 342 <para> | |
| 343 If the content uribl DNSBL is defined, and any of those host names are | |
| 344 on that DNSBL, and the host name is not on the <configurable> | |
| 345 ignore list, the mail is rejected. | |
| 346 </para> | |
| 347 <para> | |
| 348 We also scan for excessive bad html tags, and if a <configurable> | |
| 349 limit is exceeded, the mail is rejected. | |
| 108 | 350 </para> |
| 351 </refsect1> | |
| 94 | 352 |
| 111 | 353 <refsect1 id='access.1'> |
| 108 | 354 <title>Sendmail access vs. DNSBL</title> |
| 355 <para> | |
| 356 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
| 357 suppressed by entries in the /etc/mail/access database. For example, | |
| 358 suppose you control a /18 of address space, and have allocated some /24s | |
| 359 to some clients. You have access entries like | |
| 111 | 360 <literallayout class="monospaced"><![CDATA[ |
| 361 192.168.4 OK | |
| 362 192.168.17 OK]]></literallayout> | |
| 108 | 363 </para> |
| 364 <para> | |
| 365 to allow those clients to smarthost thru your mail server. Now if one | |
| 366 of those clients happens get infected with a virus that turns a machine | |
| 367 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you | |
| 368 will still wind up allowing that infected machine to smarthost thru your | |
| 369 mail servers. | |
| 370 </para> | |
| 371 <para> | |
| 372 With this DNSBL milter, the sendmail access database cannot override the | |
| 373 dnsbl checks, so that machine won't be able to send mail to or thru your | |
| 374 smarthost mail server (unless the virus/proxy can use smtp-auth). | |
| 375 </para> | |
| 376 <para> | |
| 377 Using the standard sendmail features, you would add access entries to | |
| 378 allow hosts on your local network to relay thru your mail server. Those | |
| 379 OK entries in the sendmail access database will override all the dnsbl | |
| 380 checks. With this DNSBL milter, you will need to have the local users | |
| 381 authenticate with smtp-auth to get the same effect. You might find | |
| 382 <ulink | |
| 383 url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php"> | |
| 384 these directions</ulink> helpful for setting up smtp-auth if you are on | |
| 385 RH Linux. | |
| 386 </para> | |
| 387 </refsect1> | |
| 94 | 388 |
| 111 | 389 <refsect1 id='performance.1'> |
| 108 | 390 <title>Performance Issues</title> |
| 391 <para> | |
| 392 Consider a high volume high performance machine running sendmail. Each | |
| 393 sendmail process can do its own dns resolution. Typically, such dns | |
| 394 resolver libraries are not thread safe, and so must be protected by some | |
| 395 sort of mutex in a threaded environment. When we add a milter to | |
| 396 sendmail, we now have a collection of sendmail processes, and a | |
| 397 collection of milter threads. | |
| 398 </para> | |
| 399 <para> | |
| 400 We will be doing a lot of dns lookups per mail message, and at least | |
| 401 some of those will take many tens of seconds. If all this dns work is | |
| 402 serialized inside the milter, we have an upper limit of about 25K mail | |
| 403 messages per day. That is clearly not sufficient for many sites. | |
| 404 </para> | |
| 405 <para> | |
| 406 Since we want to do parallel dns resolution across those milter threads, | |
| 407 we add another collection of dns resolver processes. Each sendmail | |
| 408 process is talking to a milter thread over a socket, and each milter | |
| 409 thread is talking to a dns resolver process over another socket. | |
| 410 </para> | |
| 411 <para> | |
| 412 Suppose we are processing 20 messages per second, and each message | |
| 413 requires 20 seconds of dns work. Then we will have 400 sendmail | |
| 414 processes, 400 milter threads, and 400 dns resolver processes. Of | |
| 415 course that steady state is very unlikely to happen. | |
| 416 </para> | |
| 417 </refsect1> | |
| 94 | 418 |
| 419 | |
| 111 | 420 <refsect1 id='rejected.1'> |
| 108 | 421 <title>Rejected Ideas</title> |
| 422 <para> | |
| 423 The following ideas have been considered and rejected. | |
| 424 </para> | |
| 425 <para> | |
| 111 | 426 Add max_recipients setting to the context configuration. Recipients in |
| 427 excess of that limit will be rejected, and all the non-whitelisted | |
| 428 recipients will be removed. Current spammers *very* rarely send more | |
| 429 than ten recipients in a single smtp transaction, so this won't stop any | |
| 108 | 430 significant amount of spam. |
| 431 </para> | |
| 432 <para> | |
| 433 Add poison addresses to the configuration. If any recipient is | |
| 434 poison, all recipients are rejected even if they would be whitelisted, | |
| 435 and the data is rejected if sent. I have a collection of spam trap | |
| 436 addresses that would be suitable for such use. Based on my log files, | |
| 437 any mail to those spam trap addresses is rejected based on either dnsbl | |
| 438 lookups or the DCC. So this won't result in blocking any additional | |
| 439 spam. | |
| 440 </para> | |
| 441 <para> | |
| 442 Add an option to only allow one recipient if the return path is | |
| 443 empty. Based on my log files, there is no mail that violates this | |
| 444 check. | |
| 445 </para> | |
| 446 <para> | |
| 447 Reject the mail if the envelope from domain name contains any MX | |
| 448 records pointing to 127.0.0.0/8. I don't see any significant amount of | |
| 449 spam sent with such domain names. | |
| 450 </para> | |
| 451 </refsect1> | |
| 94 | 452 |
| 108 | 453 <refsect1 id='todo.1'> |
| 454 <title>TODO</title> | |
| 455 <para> | |
| 456 The following ideas are under consideration. | |
| 457 </para> | |
| 458 <para> | |
| 459 Add a per-context option to reject mail if the number of digits in | |
| 460 the reverse dns client name exceeds some threshold. | |
| 461 </para> | |
| 115 | 462 <para> |
| 463 Look for href="hostname/path" strings that are missing the required | |
| 464 http:// protocol header. Such references are still clickable in common | |
| 465 mail software. | |
| 466 </para> | |
| 108 | 467 </refsect1> |
| 94 | 468 |
| 111 | 469 <refsect1 id='copyright.1'> |
| 108 | 470 <title>Copyright</title> |
| 471 <para> | |
| 472 Copyright (C) 2005 by 510 Software Group <carl@five-ten-sg.com> | |
| 473 </para> | |
| 474 <para> | |
| 475 This program is free software; you can redistribute it and/or modify it | |
| 476 under the terms of the GNU General Public License as published by the | |
| 477 Free Software Foundation; either version 2, or (at your option) any | |
| 478 later version. | |
| 479 </para> | |
| 480 <para> | |
| 481 You should have received a copy of the GNU General Public License along | |
| 482 with this program; see the file COPYING. If not, please write to the | |
| 483 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. | |
| 484 </para> | |
| 485 </refsect1> | |
| 94 | 486 |
| 111 | 487 <refsect1 id='version.1'> |
| 488 <title>CVS Version</title> | |
| 108 | 489 <para> |
| 490 $Id$ | |
| 491 </para> | |
| 492 </refsect1> | |
| 493 </refentry> | |
| 494 | |
| 495 | |
| 496 <refentry id="@PACKAGE@.conf.5"> | |
| 497 <refentryinfo> | |
| 115 | 498 <date>2006-01-08</date> |
| 108 | 499 </refentryinfo> |
| 94 | 500 |
| 108 | 501 <refmeta> |
| 502 <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
| 503 <manvolnum>5</manvolnum> | |
| 504 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
| 505 </refmeta> | |
| 94 | 506 |
| 108 | 507 <refnamediv id='name.5'> |
| 508 <refname>@PACKAGE@.conf</refname> | |
| 111 | 509 <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose> |
| 108 | 510 </refnamediv> |
| 511 | |
| 512 <refsynopsisdiv id='synopsis.5'> | |
| 513 <title>Synopsis</title> | |
| 514 <cmdsynopsis> | |
| 515 <command>@PACKAGE@.conf</command> | |
| 516 </cmdsynopsis> | |
| 517 </refsynopsisdiv> | |
| 94 | 518 |
| 108 | 519 <refsect1 id='description.5'> |
| 520 <title>Description</title> | |
| 521 <para>The <command>@PACKAGE@.conf</command> configuration file is | |
|
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
522 specified by this partial bnf description. Comments start with // |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
523 or # and extend to the end of the line. To include the contents |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
524 of some file verbatim in the dnsbl.conf file, use |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
525 <literallayout class="monospaced"><![CDATA[include "<file>";]]></literallayout> |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
526 </para> |
| 108 | 527 |
| 528 <literallayout class="monospaced"><![CDATA[ | |
| 529 CONFIG = {CONTEXT ";"}+ | |
| 530 CONTEXT = "context" NAME "{" {STATEMENT}+ "}" | |
| 111 | 531 STATEMENT = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY | |
| 136 | 532 CONTEXT | ENV-FROM | RATE-LIMIT) ";" |
| 108 | 533 |
| 124 | 534 DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1 |
| 108 | 535 |
| 536 DNSBLLIST = "dnsbl_list" {NAME}+ | |
| 94 | 537 |
| 108 | 538 CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}" |
| 119 | 539 CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | CCTLD | HTML-TAGS | |
| 540 HTML-LIMIT | HOST-LIMIT) ";" | |
| 124 | 541 FILTER = "filter" DNSPREFIX ERROR-MSG2 |
| 542 URIBL = "uribl" DNSPREFIX ERROR-MSG3 | |
| 108 | 543 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}" |
| 544 TLD = "tld" "{" {TLD [";"]}+ "}" | |
| 119 | 545 CCTLD = "cctld" "{" {TLD [";"]}+ "}" |
| 108 | 546 HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}" |
| 124 | 547 ERROR-MSG1 = string containing exactly two %s replacement tokens |
| 548 both are replaced with the client ip address | |
| 549 ERROR-MSG2 = string containing exactly two %s replacement tokens | |
| 550 the first is replaced with the hostname, and the second | |
| 551 is replaced with the ip address | |
| 552 ERROR-MSG3 = string containing exactly two %s replacement tokens | |
| 553 both are replaced with the hostname | |
| 108 | 554 |
| 555 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off") | |
| 556 | |
| 111 | 557 HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | |
| 558 "soft" INTEGER) | |
| 94 | 559 |
| 108 | 560 ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}" |
| 561 TO-ADDR = ADDRESS [";"] | |
| 562 DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";" | |
| 563 | |
| 564 VERIFY = "verify" HOSTNAME ";" | |
| 565 | |
| 566 ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}" | |
| 567 FROM-ADDR = ADDRESS VALUE [";"] | |
| 568 DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";" | |
| 136 | 569 |
| 140 | 570 RATE-LIMIT = "rate_limit" [DEFAULTLIMIT] "{" (RATE)+ "}" |
| 136 | 571 RATE = USER LIMIT [";"] |
| 572 | |
| 108 | 573 DEFAULT = ("white" | "black" | "unknown" | "inherit" | "") |
| 574 ADDRESS = (USER@ | DOMAIN | USER@DOMAIN) | |
|
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
575 VALUE = ("white" | "black" | "unknown" | "inherit" | CHILD-CONTEXT-NAME)]]></literallayout> |
| 108 | 576 </refsect1> |
| 94 | 577 |
| 108 | 578 <refsect1 id='sample.5'> |
| 579 <title>Sample</title> | |
| 580 <literallayout class="monospaced"><![CDATA[ | |
| 127 | 581 context main-default { |
| 582 // outbound dnsbl filtering to catch our own customers that end up on the sbl | |
|
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
583 dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; |
| 127 | 584 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; |
| 585 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 586 dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s"; | |
| 587 dnsbl_list local sbl dul; | |
| 588 | |
| 589 // outbound content filtering to prevent our own customers from sending spam | |
| 590 content on { | |
| 591 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 592 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; | |
| 593 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; | |
| 594 ignore { include "hosts-ignore.conf"; }; | |
| 595 tld { include "tld.conf"; }; | |
| 596 cctld { include "cctld.conf"; }; | |
| 597 html_tags { include "html-tags.conf"; }; | |
| 598 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
| 599 html_limit off; | |
| 600 host_limit on 20 "Mail containing excessive host names rejected"; | |
| 601 host_limit soft 20; | |
| 602 }; | |
| 603 | |
| 604 // backscatter prevention - don't send bounces for mail that we accepted but could not forward | |
| 605 // we only send bounces to our own customers | |
| 606 env_from unknown { | |
| 607 "<>" black; | |
| 608 }; | |
| 136 | 609 |
|
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
610 // hourly recipient rate limit by smtp auth client id |
| 140 | 611 rate_limit 30 { // default |
| 136 | 612 fred 100; // override default limits |
| 140 | 613 joe 10; // "" |
| 136 | 614 }; |
| 127 | 615 }; |
| 616 | |
| 108 | 617 context sample { |
| 618 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; | |
| 619 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 620 dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 621 dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s"; | |
| 622 dnsbl_list local sbl dul; | |
| 94 | 623 |
| 108 | 624 content on { |
| 625 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 122 | 626 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; |
| 119 | 627 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; |
| 108 | 628 ignore { include "hosts-ignore.conf"; }; |
| 629 tld { include "tld.conf"; }; | |
| 119 | 630 cctld { include "cctld.conf"; }; |
| 108 | 631 html_tags { include "html-tags.conf"; }; |
| 632 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
| 633 html_limit off; | |
| 634 host_limit on 20 "Mail containing excessive host names rejected"; | |
| 635 host_limit soft 20; | |
| 636 }; | |
| 94 | 637 |
| 108 | 638 env_to { |
| 639 # child contexts are not allowed to specify recipient addresses outside these domains | |
| 640 # leave this outer global context env_to empty to allow arbitrary recipients in child contexts | |
| 641 mydomain.com; | |
| 642 customer1.com; | |
| 643 customer1a.com; | |
| 644 customer1b.com; | |
| 645 customer2.com; | |
| 646 customer2a.com; | |
| 647 customer2b.com; | |
| 648 }; | |
| 94 | 649 |
| 108 | 650 context whitelist { |
| 651 content off {}; | |
| 652 env_to { | |
| 653 # dcc_to ok { include "/var/dcc/whitecommon"; }; # copy the dcc OK values (env_to) into this context | |
| 654 }; | |
| 655 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted | |
| 656 # so all mail TO these env_to addresses is accepted | |
| 657 }; | |
| 94 | 658 |
| 108 | 659 context minimal { |
| 660 dnsbl_list sbl dul; | |
| 661 content on {}; | |
| 662 env_to { | |
| 663 sales@mydomain.com; | |
| 664 }; | |
| 665 }; | |
| 94 | 666 |
| 108 | 667 context blacklist { |
| 668 env_to { | |
| 669 dcc_to many { include "/var/dcc/whitecommon"; }; # copy the dcc MANY values (env_to) into this context | |
| 670 old-employee@mydomain.com; | |
| 671 }; | |
| 672 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted | |
| 673 # so all mail TO these env_to addresses is rejected | |
| 674 }; | |
| 94 | 675 |
| 108 | 676 context vp { # special context for the vp |
| 677 env_to { | |
| 678 vp@mydomain.com; | |
| 679 }; | |
| 680 env_from inherit { | |
| 681 nai.com black; # the vp does not like nai | |
| 682 yahoo.com unknown; # override parent context blacklisting | |
| 683 mother@spammyisp.com white; # suppress dnsbl checking | |
| 684 }; | |
| 685 }; | |
| 686 | |
| 687 context customer1 { | |
| 688 dnsbl_list sbl dul; | |
| 689 env_to { | |
| 690 customer1.com; | |
| 691 customer1a.com; | |
| 692 customer1b.com; | |
| 693 }; | |
| 94 | 694 |
| 108 | 695 verify mail.customer1.com; |
| 94 | 696 |
| 108 | 697 context customer1a { |
| 698 env_to { | |
| 699 customer1a.com; | |
|
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
700 }; |
| 108 | 701 env_from black { # blacklist everything |
| 702 first@acceptable.com unknown; # except these specific envelope senders | |
| 703 second@another.com unknown; | |
| 704 yahoo.com inherit; # delegate to the parent | |
| 705 }; | |
| 706 }; | |
| 707 | |
| 708 env_from { # default value of the default is inherit | |
| 709 yahoo.com black; # no mail from yahoo | |
| 710 first@yahoo.com unknown; # except this one | |
| 711 }; | |
| 712 }; | |
| 94 | 713 |
| 108 | 714 context customer2 { |
| 715 dnsbl_list sbl; | |
| 716 env_to { | |
| 717 customer2.com; | |
| 718 customer2a.com; | |
| 719 customer2b.com; | |
| 720 }; | |
| 721 }; | |
| 104 | 722 |
| 149 | 723 # this is at the end, so that these abuse@ and postmaster@ entries will |
| 724 # override any conflicting entries inside the customer contexts. | |
| 725 context abuse { | |
| 726 dnsbl_list xbl; | |
| 727 content off {}; | |
| 728 env_to { | |
| 729 abuse@; # no content filtering on abuse reports | |
| 730 postmaster@; # "" | |
| 731 }; | |
| 732 env_from unknown {}; # ignore all parent white/black listing | |
| 733 }; | |
| 734 | |
| 108 | 735 env_from unknown { |
| 736 dcc_from { include "/var/dcc/whitecommon"; }; # copy the dcc OK/MANY values (env_from, substitute mail_host) into this context | |
| 737 abuse@ abuse; # replies to abuse reports use the abuse context | |
| 738 yahoo.com black; # don't take mail from yahoo | |
| 739 spammer@example.com black; | |
| 740 }; | |
| 741 };]]></literallayout> | |
| 742 </refsect1> | |
| 94 | 743 |
| 111 | 744 <refsect1 id='version.5'> |
| 745 <title>CVS Version</title> | |
| 108 | 746 <para> |
| 747 $Id$ | |
| 748 </para> | |
| 749 </refsect1> | |
| 750 | |
| 751 </refentry> | |
| 752 </reference> |