Mercurial > dnsbl

annotate xml/dnsbl.in @ 90:962a1f8f1d9f stable-5-4

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
add verify statement to verify addresses with better mx host
author carl
date Sun, 18 Sep 2005 10:19:58 -0700
parents 946fc1bcfb2c
children 505e77188317
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
1 <html>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
2
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
3 <head>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
90
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
5 <title>DNSBL Sendmail milter - Version 5.4</title>
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
6 </head>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
7
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
8 <center>Introduction</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
9 <p>This milter is released under the GPL license version 2 included in
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
10 the LICENSE file in the distribution, and also available at
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
11 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
12
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
13 <p>Consider the case of a mail server that is acting as secondary MX for
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
14 a collection of clients, each of which has a collection of mail domains.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
15 Each client may use their own collection of DNSBLs on their primary mail
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
16 server. We present here a mechanism whereby the backup mail server can
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
17 use the correct set of DNSBLs for each recipient for each message. As a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
18 side-effect, it gives us the ability to customize the set of DNSBLs on a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
19 per-recipient basis, so that fred@example.com could use SPEWS and the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
20 SBL, where all other users @example.com use only the SBL.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
21
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
22 <p>This milter will also decode (uuencode, base64, mime, html entity,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
23 url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
24 the body of the mail. If any of those host names have A or NS records
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
25 on the SBL (or a single configurable DNSBL), the mail will be rejected
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
26 unless previously whitelisted. This milter also counts the number of
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
27 invalid HTML tags, and can reject mail if that count exceeds your
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
28 specified limit.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
29
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
30 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
31 startup, and whenever the config file (or any of the referenced include
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
32 files) is changed. The entire configuration file is case insensitive.
89
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
33 If the configuration cannot be loaded due to a syntax error, the milter
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
34 will log the error and quit. If the configuration cannot be reloaded
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
35 after being modified, the milter will log the error and send an email to
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
36 root from dnsbl@$hostname. You probably want to added dnsbl@$hostname
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
37 to your /etc/mail/virtusertable since otherwise sendmail will reject
946fc1bcfb2c don't load null config pointer, keep the old one
carl
parents: 88
diff changeset
38 that message.
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
39
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
40 <hr> <center>DCC Issues</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
41 <p>If you are also using the <a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
42 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
43 a few considerations. You may need to whitelist senders from the DCC
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
44 bulk detector, or from the DNS based lists. Those are two very
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
45 different reasons for whitelisting. The former is done thru the DCC
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
46 whiteclnt config file, the later is done thru the DNSBL milter config
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
47 file.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
48
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
49 <p>You may want to blacklist some specific senders or sending domains.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
50 This could be done thru either the DCC (on a global basis, or for a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
51 specific single recipient). We prefer to do such blacklisting via the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
52 DNSBL milter config, since it can be done for a collection of recipient
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
53 mail domains. The DCC approach has the feature that you can capture the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
54 entire message in the DCC log files. The DNSBL milter approach has the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
55 feature that the mail is rejected earlier (at RCPT TO time), and the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
56 sending machine just gets a generic "550 5.7.1 no such user" message.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
57
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
58 <p>The DCC whiteclnt file can be included in the DNSBL milter config by
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
59 the dcc_to and dcc_from statements. This will import the (env_to,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
60 env_from, and substitute mail_host) entries from the DCC config into the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
61 DNSBL config. This allows using the DCC config as the single point for
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
62 white/blacklisting.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
63
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
64 <p>Consider the case where you have multiple clients, each with their
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
65 own mail servers, and each running their own DCC milters. Each client
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
66 is using the DCC facilities for envelope from/to white/blacklisting.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
67 Presumably you can use rsync or scp to fetch copies of your clients DCC
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
68 whiteclnt files on a regular basis. Your mail server, acting as a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
69 backup MX for your clients, can use the DNSBL milter, and include those
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
70 client DCC config files. The envelope from/to white/blacklisting will
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
71 be appropriately tagged and used only for the domains controlled by each
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
72 of those clients.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
73
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
74 <hr> <center>Definitions</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
75
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
76 <p>CONTEXT - a collection of parameters that defines the filtering
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
77 context to be used for a collection of envelope recipient addresses.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
78 The context includes such things as the list of DNSBLs to be used, and
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
79 the various content filtering parameters.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
80
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
81 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
82 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
83 generate the "550 5.7.1" smtp error return code. The names of these
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
84 DNSBLs will be used to define the DNSBL-LISTs.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
85
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
86 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
87 recipients or recipient domains.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
89 <hr> <center>Filtering Procedure</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
90
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
91 <p>If the client has authenticated with sendmail, the mail is accepted,
90
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
92 the filtering contexts are not used, the dns lists are not checked, and
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
93 the body content is not scanned. Otherwise, we follow these steps for
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
94 each recipient.
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
95
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
96 <ol>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
97
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
98 <li>The envelope to email address is used to find an initial filtering
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
99 context. We first look for a context that specified the full email
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
100 address in the env_to statement. If that is not found, we look for a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
101 context that specified the entire domain name of the envelope recipient
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
102 in the env_to statement. If that is not found, we look for a context
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
103 that specified the user@ part of the envelope recipient in the env_to
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
104 statement. If that is not found, we use the first top level context
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
105 defined in the config file.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
106
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
107 <br><br><li>The initial filtering context may redirect to a child
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
108 context based on the values in the initial context's env_from statement.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
109 We look for [1) the full envelope from email address, 2) the domain name
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
110 part of the envelope from address, 3) the user@ part of the envelope
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
111 from address] in that context's env_from statement, with values that
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
112 point to a child context. If such an entry is found, we switch to that
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
113 child filtering context.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
114
90
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
115 <br><br><li>If the filtering context specifies a verification host, and
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
116 the envelope to email address is covered by this filtering context, and
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
117 the verification host is not our own hostname, we open an smtp
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
118 conversation with that verification host. The current envelope from and
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
119 recipient to values are passed to that verification host. If we receive
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
120 anything other than a 250 response those commands, we reject the current
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
121 recipient with "no such user".
962a1f8f1d9f add verify statement to verify addresses with better mx host
carl
parents: 89
diff changeset
122
88
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
123 <br><br><li>We lookup [1) the full envelope from email address, 2) the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
124 domain name part of the envelope from address, 3) the user@ part of the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
125 envelope from address] in the filtering context env_from statement.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
126 That results in one of (white, black, unknown, inherit).
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
127
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
128 <br><br><li>If the answer is black, mail to this recipient is rejected
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
129 with "no such user", and the dns lists are not checked.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
130
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
131 <br><br><li>If the answer is white, mail to this recipient is accepted
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
132 and the dns lists are not checked.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
133
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
134 <br><br><li>If the answer is unknown, we don't reject yet, but the dns
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
135 lists will be checked, and the content may be scanned.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
136
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
137 <br><br><li>If the answer is inherit, we repeat the envelope from search
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
138 in the parent context.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
139
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
140 <br><br><li>The dns lists specified in the filtering context are checked
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
141 and the mail is rejected if any list has an A record for the standard
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
142 dns based lookup scheme (reversed octets of the client followed by the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
143 dns suffix).
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
144
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
145 <br><br><li>If the mail has not been accepted or rejected yet, and the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
146 filtering context enables content filtering, and this is the first such
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
147 recipient in this smtp transaction, we set the content filtering parameters
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
148 from this context, and enable content filtering for this body.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
149
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
150 </ol>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
151
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
152 <p>If content filtering is enabled for this body, the mail text is
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
153 decoded (uuencode, base64, mime, html entity, url encodings), scanned
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
154 for HTTP and HTTPS URLs, and the first &lt;configurable&gt; host names
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
155 are checked for their presence on the single &lt;configurable&gt; DNSBL.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
156 The only known list that is suitable for this purpose is the SBL. If
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
157 any of those host names are on that DNSBL (or have nameservers that are
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
158 on that list), and it is not on the &lt;configurable&gt; ignore list,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
159 the mail is rejected. We also scan for excessive bad html tags, and if
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
160 a &lt;configurable&gt; limit is exceeded, the mail is rejected.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
161
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
162 <hr> <center>Sendmail access vs. DNSBL</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
163 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
164 suppressed by entries in the /etc/mail/access database. For example,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
165 suppose you control a /18 of address space, and have allocated some /24s
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
166 to some clients. You have access entries like
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
167
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
168 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
169 192.168.4 OK
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
170 192.168.17 OK
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
171 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
172
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
173 <p>to allow those clients to smarthost thru your mail server. Now if
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
174 one of those clients happens get infected with a virus that turns a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
175 machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
176 you will still wind up allowing that infected machine to smarthost thru
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
177 your mail servers.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
178
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
179 <p>With this DNSBL milter, the sendmail access database cannot override
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
180 the dnsbl checks, so that machine won't be able to send mail to or thru
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
181 your smarthost mail server (unless the virus/proxy can use smtp-auth).
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
182
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
183 <p>Using the standard sendmail features, you would add access entries to
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
184 allow hosts on your local network to relay thru your mail server. Those
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
185 OK entries in the sendmail access database will override all the dnsbl
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
186 checks. With this DNSBL milter, you will need to have the local users
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
187 authenticate with smtp-auth to get the same effect. You might find <a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
188 href="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
189 these directions</a> helpful for setting up smtp-auth if you are on RH
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
190 Linux.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
191
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
192 <hr> <center>Installation and configuration</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
193 <p>Usage: Note that this has ONLY been tested on Linux, specifically
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
194 RedHat Linux. In particular, this milter makes no attempt to understand
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
195 IPv6. Your mileage will vary. You will need at a minimum a C++
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
196 compiler with a minimally thread safe STL implementation. The
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
197 distribution includes a test.cpp program. If it fails this milter won't
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
198 work. If it passes, this milter might work.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
199
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
200 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
201 and
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
202
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
203 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
204 tar xfvz dnsbl.tar.gz
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
205 bash install.bash
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
206 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
207
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
208 Read and understand the contents of that install.bash script before you
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
209 run it. It may not be suitable for your system. Modify your
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
210 sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
211 line in your sendmail.mc and rebuild the .cf file
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
212
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
213 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
214 INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
215 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
216
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
217 Read the sample <a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
218 href="http://www.five-ten-sg.com/dnsbl.conf">/etc/dnsbl/dnsbl.conf</a>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
219 file and modify it to fit your configuration. You can test your
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
220 configuration files, and see a readable internal dump of them on stdout
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
221 with
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
222
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
223 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
224 cd /etc/dnsbl
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
225 /usr/sbin/dnsbl -c
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
226 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
227
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
228 You can check a specific envelope from/to pair with
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
229
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
230 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
231 cd /etc/dnsbl
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
232 from="$1" # or your from address
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
233 to="$2" # or your to address
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
234 /usr/sbin/dnsbl -e "$from"'|'"$to"
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
235 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
236
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
237 <hr> <center>Performance issues</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
238
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
239 <p>Consider a high volume high performance machine running sendmail.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
240 Each sendmail process can do its own dns resolution. Typically, such
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
241 dns resolver libraries are not thread safe, and so must be protected by
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
242 some sort of mutex in a threaded environment. When we add a milter to
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
243 sendmail, we now have a collection of sendmail processes, and a
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
244 collection of milter threads.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
245
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
246 <p>We will be doing a lot of dns lookups per mail message, and at least
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
247 some of those will take many tens of seconds. If all this dns work is
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
248 serialized inside the milter, we have an upper limit of about 25K mail
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
249 messages per day. That is clearly not sufficient for many sites.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
250
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
251 <p>Since we want to do parallel dns resolution across those milter
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
252 threads, we add another collection of dns resolver processes. Each
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
253 sendmail process is talking to a milter thread over a socket, and each
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
254 milter thread is talking to a dns resolver process over another socket.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
255
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
256 <p>Suppose we are processing 20 messages per second, and each message
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
257 requires 20 seconds of dns work. Then we will have 400 sendmail
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
258 processes, 400 milter threads, and 400 dns resolver processes. Of
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
259 course that steady state is very unlikely to happen.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
260
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
261 <hr> <center>Rejected Ideas</center>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
262
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
263 <p>The following ideas have been considered and rejected.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
264
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
265 <p>Add max_recipients for each mail domain to the configuration.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
266 Recipients in excess of that limit will be rejected, and all the
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
267 recipients in that domain will be removed if there are some other
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
268 whitelisted recipients. Current spammers *very* rarely send more than
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
269 ten recipients in a single smtp transaction, so this won't stop
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
270 any significant amount of spam.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
271
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
272 <p>Add poison addresses to the configuration. If any recipient is
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
273 poison, all recipients are rejected even if they would be whitelisted,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
274 and the data is rejected if sent. I have a collection of spam trap
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
275 addresses that would be suitable for such use. Based on my log files,
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
276 any mail to those spam trap addresses is rejected based on either dnsbl
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
277 lookups or the DCC. So this won't result in blocking any additional
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
278 spam.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
279
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
280 <p>Add an option to only allow one recipient if the return path is
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
281 empty. Based on my log files, there is no mail that violates this
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
282 check.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
283
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
284 <p>Reject the mail if the envelope from domain name contains any MX
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
285 records pointing to 127.0.0.0/8. I don't see any significant amount of spam
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
286 sent with such domain names.
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
287
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
288
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
289 <pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
290 $Id$
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
291 </pre>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
292 </body>
7245c45cef7a fix for missing default return value in CONTEXT::acceptable_content()
carl
parents: 87
diff changeset
293 </html>