annotate xml/dnsbl.in @ 81:db85c53e3d90

start coding on new config syntax
author carl
date Sun, 17 Jul 2005 07:34:28 -0700
parents 81f1e400e8ab
children 7a432c2b473f
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>DNSBL Sendmail milter - Version 5.0</title>
</head>

<body>
<center>Introduction</center>
<p>This milter is released under the GPL license version 2 included in
the LICENSE file in the distribution, and also available at
<a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>

<p>Consider the case of a mail server that is acting as secondary MX for
a collection of clients, each of which has a collection of mail domains.
Each client may use their own collection of DNSBLs on their primary mail
server. We present here a mechanism whereby the backup mail server can
use the correct set of DNSBLs for each recipient for each message. As a
side-effect, it gives us the ability to customize the set of DNSBLs on a
per-recipient basis, so that fred@example.com could use SPEWS and the
SBL, while all other users @example.com use only the SBL.

<p>This milter will also decode (uuencode, base64, mime, html entity,
url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in
the body of the mail. If any of those host names have A or NS records
on the SBL (or a single configurable DNSBL), the mail will be rejected
unless previously whitelisted. This milter also counts the number of
invalid HTML tags, and can reject mail if that count exceeds your
specified limit.

<p>The DNSBL milter reads a text configuration file (dnsbl.conf) on
startup, and whenever the config file (or any of the referenced include
files) is changed. The entire configuration file is case insensitive.

<hr> <center>DCC Issues</center>
<p>If you are also using the <a
href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
a few considerations. You may need to whitelist senders from the DCC
bulk detector, or from the DNS based lists. Those are two very
different reasons for whitelisting. The former is done thru the DCC
whiteclnt config file, the latter is done thru the DNSBL milter config
file.

<p>You may want to blacklist some specific senders or sending domains.
This could be done thru the DCC (either on a global basis or for a
specific single recipient). We prefer to do such blacklisting via the
DNSBL milter config, since it can be done for a collection of recipient
mail domains. The DCC approach has the feature that you can capture the
entire message in the DCC log files. The DNSBL milter approach has the
feature that the mail is rejected earlier (at RCPT TO time), and the
sending machine just gets a generic "550 5.7.1 no such user" message.

<p>The DCC whiteclnt file can be included in the DNSBL milter config by
the dcc_to and dcc_from statements. This will import the (env_to,
env_from, and substitute mail_host) entries from the DCC config into the
DNSBL config. This allows using the DCC config as the single point for
white/blacklisting.

<p>Consider the case where you have multiple clients, each with their
own mail servers, and each running their own DCC milters. Each client
is using the DCC facilities for envelope from/to white/blacklisting.
Presumably you can use rsync or scp to fetch copies of your clients' DCC
whiteclnt files on a regular basis. Your mail server, acting as a
backup MX for your clients, can use the DNSBL milter, and include those
client DCC config files. The envelope from/to white/blacklisting will
be appropriately tagged and used only for the domains controlled by each
of those clients.

<hr> <center>Definitions</center>

<p>CONTEXT - a collection of parameters that defines the filtering
context to be used for a collection of envelope recipient addresses.
The context includes such things as the list of DNSBLs to be used, and
the various content filtering parameters.

<p>DNSBL - a named DNS based blocking list is defined by a dns suffix
(e.g. sbl-xbl.spamhaus.org) and a message string that is used to
generate the "550 5.7.1" smtp error return code. The names of these
DNSBLs will be used to define the DNSBL-LISTs.

<p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
recipients or recipient domains.

<hr> <center>Filtering Procedure</center>

<p>If the client has authenticated with sendmail, the mail is accepted,
the dns lists are not checked, and the body content is not scanned.
Otherwise, we follow these steps for each recipient.

<ol>

<li>The envelope to email address is used to find an initial filtering
context. We first look for a context that specified the full email
address in the env_to statement. If that is not found, we look for a
context that specified the entire domain name of the envelope recipient
in the env_to statement. If that is not found, we look for a context
that specified the user@ part of the envelope recipient in the env_to
statement. If that is not found, we use the first top level context
defined in the config file.

<br><br><li>The initial filtering context may redirect to a child
context based on the values in the initial context's env_from statement.
We look for [1) the full envelope from email address, 2) the domain name
part of the envelope from address, 3) the user@ part of the envelope
from address] in that context's env_from statement, with values that
point to a child context. If such an entry is found, we switch to that
child filtering context.

<br><br><li>We look up [1) the full envelope from email address, 2) the
domain name part of the envelope from address, 3) the user@ part of the
envelope from address] in the filtering context env_from statement.
That results in one of (white, black, unknown, inherit).

<br><br><li>If the answer is black, mail to this recipient is rejected
with "no such user", and the dns lists are not checked.

<br><br><li>If the answer is white, mail to this recipient is accepted
and the dns lists are not checked.

<br><br><li>If the answer is unknown, we don't reject yet, but the dns
lists will be checked, and the content may be scanned.

<br><br><li>If the answer is inherit, we repeat the envelope from search
in the parent context.

<br><br><li>The dns lists specified in the filtering context are checked
and the mail is rejected if any list has an A record for the standard
dns based lookup scheme (reversed octets of the client followed by the
dns suffix).

<br><br><li>If the mail has not been accepted or rejected yet, and the
filtering context enables content filtering, and this is the first such
recipient in this smtp transaction, we set the content filtering parameters
from this context, and enable content filtering for this body.

</ol>
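
<p>The procedure above as an added C++ example, not code from the milter
itself: the three search keys (full address, domain, user@), the env_to
selection with its top level fallback, the env_from child redirect, the
white/black/unknown/inherit walk up to the parent context, and the
reversed-octet query name of step 8. The context names and addresses in
the sample configuration are made up, and treating a sender with no
env_from entry at all as unknown is an assumption the page does not state.

```cpp
// Added example, not the dnsbl milter's own code: the per-recipient context
// selection and sender lookup from the Filtering Procedure above.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

enum class Verdict { White, Black, Unknown, Inherit };

struct Context {
    std::string name;
    Context* parent = nullptr;                // nullptr marks a top level context
    std::vector<std::string> env_to;          // full address, domain, or "user@"
    std::map<std::string, Verdict> env_from;  // sender key -> verdict
    std::map<std::string, Context*> children; // sender key -> child context redirect
};

// Search keys in the order tried: full address, domain part, "user@" part,
// all lower-cased because the configuration is case insensitive.
static std::vector<std::string> search_keys(std::string a) {
    for (char& c : a) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    std::vector<std::string> keys{a};
    std::string::size_type at = a.find('@');
    if (at != std::string::npos) {
        keys.push_back(a.substr(at + 1));    // domain name part
        keys.push_back(a.substr(0, at + 1)); // user@ part
    }
    return keys;
}

// Step 1: initial context from the envelope recipient, searched in config
// order, falling back to the first top level context.
Context* initial_context(const std::vector<Context*>& all, const std::string& env_to) {
    for (const std::string& key : search_keys(env_to))
        for (Context* c : all)
            if (std::find(c->env_to.begin(), c->env_to.end(), key) != c->env_to.end())
                return c;
    for (Context* c : all)
        if (c->parent == nullptr) return c;
    return nullptr;
}

// Step 2: an env_from entry of the initial context may name a child context.
Context* redirect(Context* ctx, const std::string& env_from) {
    for (const std::string& key : search_keys(env_from)) {
        auto it = ctx->children.find(key);
        if (it != ctx->children.end()) return it->second;
    }
    return ctx;
}

// Steps 3 to 7: sender lookup; "inherit" repeats the search in the parent.
// Assumption (the page does not say): a sender with no entry at all is unknown.
Verdict sender_verdict(const Context* ctx, const std::string& env_from) {
    for (const Context* c = ctx; c != nullptr; c = c->parent) {
        Verdict v = Verdict::Unknown;
        for (const std::string& key : search_keys(env_from)) {
            auto it = c->env_from.find(key);
            if (it != c->env_from.end()) { v = it->second; break; }
        }
        if (v != Verdict::Inherit) return v;
    }
    return Verdict::Unknown;
}

// Step 8: the standard lookup name, reversed client octets followed by the dns
// suffix. Dotted quads only ("" otherwise); the milter does not handle IPv6.
std::string dnsbl_query_name(const std::string& ipv4, const std::string& suffix) {
    std::string name, octet;
    for (std::string::size_type i = 0; i <= ipv4.size(); ++i) {
        bool digit = i < ipv4.size() && std::isdigit(static_cast<unsigned char>(ipv4[i]));
        if (digit) { octet += ipv4[i]; continue; }
        if ((i < ipv4.size() && ipv4[i] != '.') || octet.empty() || octet.size() > 3 ||
            std::stoi(octet) > 255) return "";
        name = octet + "." + name;  // prepending reverses the octet order
        octet.clear();
    }
    return std::count(name.begin(), name.end(), '.') == 4 ? name + suffix : "";
}

// Constructed sample configuration (hypothetical names): a default top level
// context, a client context for example.com, and a child of it for partner mail.
struct SampleConfig {
    Context def, client, partners;
    std::vector<Context*> all{&def, &client, &partners};
    SampleConfig() {
        def.name = "default";
        def.env_from["spammer.example.org"] = Verdict::Black;
        client.name = "example.com";
        client.env_to = {"example.com", "fred@example.com"};
        client.env_from["partner.example.net"] = Verdict::White;
        client.children["partner.example.net"] = &partners;
        partners.name = "example.com-partners";
        partners.parent = &client;
        partners.env_from["partner.example.net"] = Verdict::Inherit;
        partners.env_from["bad@partner.example.net"] = Verdict::Black;
    }
};
SampleConfig& sample() { static SampleConfig cfg; return cfg; }
```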

<p>If content filtering is enabled for this body, the mail text is
decoded (uuencode, base64, mime, html entity, url encodings), scanned
for HTTP and HTTPS URLs, and the first &lt;configurable&gt; host names
are checked for their presence on the single &lt;configurable&gt; DNSBL.
The only known list that is suitable for this purpose is the SBL. If
any of those host names are on that DNSBL (or have nameservers that are
on that list), and are not on the &lt;configurable&gt; ignore list,
the mail is rejected. We also scan for excessive bad html tags, and if
a &lt;configurable&gt; limit is exceeded, the mail is rejected.
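
<p>An added C++ example (not the milter's code) of the body scanning stage
just described: host extraction from HTTP and HTTPS URLs with the ignore
list and the host limit applied, a bad tag counter, and the final decision.
It assumes the text has already been decoded, takes the set of valid tag
names from the caller, and takes the DNSBL answer as an input rather than
resolving it, since the real check needs DNS.

```cpp
// Added example, not the dnsbl milter's own code: the body scanning stage
// described above, applied to text that has already been decoded.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <set>
#include <string>
#include <vector>

static bool host_char(unsigned char c) { return std::isalnum(c) || c == '.' || c == '-'; }

// Hosts of the http:// and https:// URLs in `body`, lower-cased, in order of
// first appearance, without duplicates, without hosts on the ignore list, and
// cut off after the first `limit` distinct hosts. Assumption (the page does
// not say): ignored and duplicate hosts do not count toward the limit.
std::vector<std::string> scan_hosts(std::string body, std::size_t limit,
                                    const std::set<std::string>& ignore) {
    for (char& c : body) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    std::vector<std::string> hosts;
    std::string::size_type pos = 0;
    while (hosts.size() < limit) {
        std::string::size_type p = body.find("http", pos);
        if (p == std::string::npos) break;
        std::string::size_type start = p + 4;
        if (body.compare(start, 1, "s") == 0) ++start;
        if (body.compare(start, 3, "://") != 0) { pos = start; continue; }
        start += 3;
        // the authority runs to the first path, query, fragment, quote or space
        std::string::size_type end = body.find_first_of("/?#\"'<> \t\r\n", start);
        if (end == std::string::npos) end = body.size();
        std::string host = body.substr(start, end - start);
        pos = end;
        std::string::size_type at = host.rfind('@');   // drop any userinfo
        if (at != std::string::npos) host.erase(0, at + 1);
        std::string::size_type colon = host.find(':'); // drop any port
        if (colon != std::string::npos) host.erase(colon);
        while (!host.empty() && (host.back() == '.' ||
                                 !host_char(static_cast<unsigned char>(host.back()))))
            host.pop_back();                           // trailing "." "," ")" and so on
        if (host.empty() || ignore.count(host) ||
            std::find(hosts.begin(), hosts.end(), host) != hosts.end()) continue;
        hosts.push_back(host);
    }
    return hosts;
}

// Count tags whose name is not in `known`. Assumption: the page does not define
// "invalid html tag"; here it means a tag name outside the caller's set.
std::size_t count_bad_tags(const std::string& body, const std::set<std::string>& known) {
    std::size_t bad = 0;
    std::string::size_type pos = 0;
    while ((pos = body.find('<', pos)) != std::string::npos) {
        std::string::size_type i = pos + 1;
        if (i < body.size() && body[i] == '/') ++i;    // closing tag
        std::string name;
        while (i < body.size() && std::isalnum(static_cast<unsigned char>(body[i])))
            name += static_cast<char>(std::tolower(static_cast<unsigned char>(body[i++])));
        if (!name.empty() && !known.count(name)) ++bad; // a bare "<" in text has no name
        pos = i;
    }
    return bad;
}

// Final content decision: reject when any scanned host is on the DNSBL
// (`listed` stands in for the resolver's answer, which in the milter also
// covers hosts whose nameservers are listed), or when the bad tag count
// exceeds the configured limit.
bool reject_body(const std::vector<std::string>& hosts, const std::set<std::string>& listed,
                 std::size_t bad_tags, std::size_t tag_limit) {
    for (const std::string& h : hosts)
        if (listed.count(h)) return true;
    return bad_tags > tag_limit;
}

// Constructed sample body (already decoded): one host repeated with a port, a
// userinfo-style URL, an ignorable host, a trailing dot and unknown tags.
const std::string kSampleBody =
    "<html><body><p>Visit HTTP://Promo.Example.NET/offer now!</p>\n"
    "<fake>also http://promo.example.net:8080/again\n"
    "and https://user@cdn.example.org/x.png, and http://www.example.com/\n"
    "<bogus><x>trailing http://last.example.test.</x></body></html>\n";
```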

<hr> <center>Sendmail access vs. DNSBL</center>
<p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
suppressed by entries in the /etc/mail/access database. For example,
suppose you control a /18 of address space, and have allocated some /24s
to some clients. You have access entries like

<pre>
192.168.4 OK
192.168.17 OK
</pre>

<p>to allow those clients to smarthost thru your mail server. Now if
one of those clients happens to get infected with a virus that turns a
machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL,
you will still wind up allowing that infected machine to smarthost thru
your mail servers.

<p>With this DNSBL milter, the sendmail access database cannot override
the dnsbl checks, so that machine won't be able to send mail to or thru
your smarthost mail server (unless the virus/proxy can use smtp-auth).

<p>Using the standard sendmail features, you would add access entries to
allow hosts on your local network to relay thru your mail server. Those
OK entries in the sendmail access database will override all the dnsbl
checks. With this DNSBL milter, you will need to have the local users
authenticate with smtp-auth to get the same effect. You might find <a
href="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
these directions</a> helpful for setting up smtp-auth if you are on RH
Linux.

<hr> <center>Installation and configuration</center>
<p>Usage: Note that this has ONLY been tested on Linux, specifically
RedHat Linux. In particular, this milter makes no attempt to understand
IPv6. Your mileage will vary. You will need at a minimum a C++
compiler with a minimally thread safe STL implementation. The
distribution includes a test.cpp program. If it fails, this milter won't
work. If it passes, this milter might work.

Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
and

<pre>
tar xfvz dnsbl.tar.gz
bash install.bash
</pre>

Read and understand the contents of that install.bash script before you
run it. It may not be suitable for your system. Modify your
sendmail.mc by removing all the "FEATURE(dnsbl" lines, adding the following
line, and rebuilding the .cf file

<pre>
INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
</pre>

Read the sample <a
href="http://www.five-ten-sg.com/dnsbl.conf">/etc/dnsbl/dnsbl.conf</a>
file and modify it to fit your configuration. You can test your
configuration files, and see a readable internal dump of them on stdout
with

<pre>
cd /etc/dnsbl
/usr/sbin/dnsbl -c
</pre>

You can check a specific envelope from/to pair with

<pre>
cd /etc/dnsbl
from="$1" # or your from address
to="$2" # or your to address
/usr/sbin/dnsbl -e "$from"'|'"$to"
</pre>

<hr> <center>Performance issues</center>

<p>Consider a high-volume, high-performance machine running sendmail.
Each sendmail process can do its own dns resolution. Typically, such
dns resolver libraries are not thread safe, and so must be protected by
some sort of mutex in a threaded environment. When we add a milter to
sendmail, we now have a collection of sendmail processes, and a
collection of milter threads.

<p>We will be doing a lot of dns lookups per mail message, and at least
some of those will take many tens of seconds. If all this dns work is
serialized inside the milter, we have an upper limit of about 25K mail
messages per day. That is clearly not sufficient for many sites.

<p>Since we want to do parallel dns resolution across those milter
threads, we add another collection of dns resolver processes. Each
sendmail process is talking to a milter thread over a socket, and each
milter thread is talking to a dns resolver process over another socket.

<p>Suppose we are processing 20 messages per second, and each message
requires 20 seconds of dns work. Then we will have 400 sendmail
processes, 400 milter threads, and 400 dns resolver processes. Of
course that steady state is very unlikely to happen.

<hr> <center>Rejected Ideas</center>

<p>The following ideas have been considered and rejected.

<p>Add max_recipients for each mail domain to the configuration.
Recipients in excess of that limit will be rejected, and all the
recipients in that domain will be removed if there are some other
whitelisted recipients. Current spammers *very* rarely send more than
ten recipients in a single smtp transaction, so this won't stop
any significant amount of spam.

<p>Add poison addresses to the configuration. If any recipient is
poison, all recipients are rejected even if they would be whitelisted,
and the data is rejected if sent. I have a collection of spam trap
addresses that would be suitable for such use. Based on my log files,
any mail to those spam trap addresses is rejected based on either dnsbl
lookups or the DCC. So this won't result in blocking any additional
spam.

<p>Add an option to only allow one recipient if the return path is
empty. Based on my log files, there is no mail that violates this
check.

<p>Reject the mail if the envelope from domain name contains any MX
records pointing to 127.0.0.0/8. I don't see any significant amount of spam
sent with such domain names.

<pre>
$Id$
</pre>
</body>
</html>