Mercurial > dnsbl
annotate xml/dnsbl.in @ 81:db85c53e3d90
start coding on new config syntax
| author | carl |
|---|---|
| date | Sun, 17 Jul 2005 07:34:28 -0700 |
| parents | 81f1e400e8ab |
| children | 7a432c2b473f |
| rev | line source |
|---|---|
| 0 | 1 <html> |
| 2 | |
| 3 <head> | |
| 4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> | |
| 75 | 5 <title>DNSBL Sendmail milter - Version 5.0</title> |
| 0 | 6 </head> |
| 7 | |
| 12 | 8 <center>Introduction</center> |
| 0 | 9 <p>This milter is released under the GPL license version 2 included in |
| 10 the LICENSE file in the distribution, and also available at | |
| 11 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a> | |
| 12 | |
| 12 | 13 <p>Consider the case of a mail server that is acting as secondary MX for |
| 14 a collection of clients, each of which has a collection of mail domains. | |
| 15 Each client may use their own collection of DNSBLs on their primary mail | |
| 16 server. We present here a mechanism whereby the backup mail server can | |
| 17 use the correct set of DNSBLs for each recipient for each message. As a | |
| 0 | 18 side-effect, it gives us the ability to customize the set of DNSBLs on a |
| 19 per-recipient basis, so that fred@example.com could use SPEWS and the | |
| 20 SBL, where all other users @example.com use only the SBL. | |
| 21 | |
| 68 | 22 <p>This milter will also decode (uuencode, base64, mime, html entity, |
| 23 url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in | |
| 24 the body of the mail. If any of those host names have A or NS records | |
| 25 on the SBL (or a single configurable DNSBL), the mail will be rejected | |
| 34 | 26 unless previously whitelisted. This milter also counts the number of |
| 27 invalid HTML tags, and can reject mail if that count exceeds your | |
| 28 specified limit. | |
| 11 | 29 |
| 6 | 30 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on |
| 31 startup, and whenever the config file (or any of the referenced include | |
| 32 files) is changed. The entire configuration file is case insensitive. | |
| 0 | 33 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
34 <hr> <center>DCC Issues</center> |
| 0 | 35 <p>If you are also using the <a |
| 36 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are | |
| 37 a few considerations. You may need to whitelist senders from the DCC | |
| 38 bulk detector, or from the DNS based lists. Those are two very | |
| 39 different reasons for whitelisting. The former is done thru the DCC | |
| 40 whiteclnt config file, the later is done thru the DNSBL milter config | |
| 5 | 41 file. |
| 0 | 42 |
| 43 <p>You may want to blacklist some specific senders or sending domains. | |
| 44 This could be done thru either the DCC (on a global basis, or for a | |
| 45 specific single recipient). We prefer to do such blacklisting via the | |
| 13 | 46 DNSBL milter config, since it can be done for a collection of recipient |
| 47 mail domains. The DCC approach has the feature that you can capture the | |
| 0 | 48 entire message in the DCC log files. The DNSBL milter approach has the |
| 49 feature that the mail is rejected earlier (at RCPT TO time), and the | |
| 50 sending machine just gets a generic "550 5.7.1 no such user" message. | |
| 51 | |
| 75 | 52 <p>The DCC whiteclnt file can be included in the DNSBL milter config by |
| 53 the dcc_to and dcc_from statements. This will import the (env_to, | |
| 54 env_from, and substitute mail_host) entries from the DCC config into the | |
| 55 DNSBL config. This allows using the DCC config as the single point for | |
| 56 white/blacklisting. | |
| 5 | 57 |
| 58 <p>Consider the case where you have multiple clients, each with their | |
| 59 own mail servers, and each running their own DCC milters. Each client | |
| 60 is using the DCC facilities for envelope from/to white/blacklisting. | |
| 6 | 61 Presumably you can use rsync or scp to fetch copies of your clients DCC |
| 5 | 62 whiteclnt files on a regular basis. Your mail server, acting as a |
| 63 backup MX for your clients, can use the DNSBL milter, and include those | |
| 75 | 64 client DCC config files. The envelope from/to white/blacklisting will |
| 65 be appropriately tagged and used only for the domains controlled by each | |
| 66 of those clients. | |
| 5 | 67 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
68 <hr> <center>Definitions</center> |
| 75 | 69 |
| 70 <p>CONTEXT - a collection of parameters that defines the filtering | |
| 71 context to be used for a collection of envelope recipient addresses. | |
| 72 The context includes such things as the list of DNSBLs to be used, and | |
| 73 the various content filtering parameters. | |
| 74 | |
| 0 | 75 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix |
| 76 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to | |
| 77 generate the "550 5.7.1" smtp error return code. The names of these | |
| 78 DNSBLs will be used to define the DNSBL-LISTs. | |
| 79 | |
| 80 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
| 81 recipients or recipient domains. | |
| 82 | |
| 76 | 83 <hr> <center>Filtering Procedure</center> |
| 84 | |
| 85 <p>If the client has authenticated with sendmail, the mail is accepted, | |
| 86 the dns lists are not checked, and the body content is not scanned. | |
| 87 Otherwise, we follow these steps for each recipient. | |
| 0 | 88 |
| 89 <ol> | |
| 90 | |
| 75 | 91 <li>The envelope to email address is used to find an initial filtering |
| 76 | 92 context. We first look for a context that specified the full email |
| 93 address in the env_to statement. If that is not found, we look for a | |
| 94 context that specified the entire domain name of the envelope recipient | |
| 95 in the env_to statement. If that is not found, we look for a context | |
| 96 that specified the user@ part of the envelope recipient in the env_to | |
| 97 statement. If that is not found, we use the first top level context | |
| 98 defined in the config file. | |
| 0 | 99 |
| 76 | 100 <br><br><li>The initial filtering context may redirect to a child |
| 101 context based on the values in the initial context's env_from statement. | |
| 102 We look for [1) the full envelope from email address, 2) the domain name | |
| 103 part of the envelope from address, 3) the user@ part of the envelope | |
| 104 from address] in that context's env_from statement, with values that | |
| 105 point to a child context. If such an entry is found, we switch to that | |
| 106 child filtering context. | |
| 75 | 107 |
| 76 | 108 <br><br><li>We lookup [1) the full envelope from email address, 2) the |
| 109 domain name part of the envelope from address, 3) the user@ part of the | |
| 75 | 110 envelope from address] in the filtering context env_from statement. |
| 111 That results in one of (white, black, unknown, inherit). | |
| 112 | |
| 76 | 113 <br><br><li>If the answer is black, mail to this recipient is rejected |
| 114 with "no such user", and the dns lists are not checked. | |
| 75 | 115 |
| 76 | 116 <br><br><li>If the answer is white, mail to this recipient is accepted |
| 117 and the dns lists are not checked. | |
| 0 | 118 |
| 76 | 119 <br><br><li>If the answer is unknown, we don't reject yet, but the dns |
| 120 lists will be checked, and the content may be scanned. | |
| 0 | 121 |
| 76 | 122 <br><br><li>If the answer is inherit, we repeat the envelope from search |
| 123 in the parent context. | |
| 0 | 124 |
| 76 | 125 <br><br><li>The dns lists specified in the filtering context are checked |
| 126 and the mail is rejected if any list has an A record for the standard | |
| 127 dns based lookup scheme (reversed octets of the client followed by the | |
| 128 dns suffix). | |
| 129 | |
| 130 <br><br><li>If the mail has not been accepted or rejected yet, and the | |
| 131 filtering context enables content filtering, and this is the first such | |
| 132 recipient in this smtp transaction, we set the content filtering parameters | |
| 133 from this context, and enable content filtering for this body. | |
| 11 | 134 |
| 0 | 135 </ol> |
| 136 | |
| 76 | 137 <p>If content filtering is enabled for this body, the mail text is |
| 138 decoded (uuencode, base64, mime, html entity, url encodings), scanned | |
| 139 for HTTP and HTTPS URLs, and the first <configurable> host names | |
| 140 are checked for their presence on the single <configurable> DNSBL. | |
| 141 The only known list that is suitable for this purpose is the SBL. If | |
| 142 any of those host names are on that DNSBL (or have nameservers that are | |
| 143 on that list), and it is not on the <configurable> ignore list, | |
| 144 the mail is rejected. We also scan for excessive bad html tags, and if | |
| 145 a <configurable> limit is exceeded, the mail is rejected. | |
| 146 | |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
147 <hr> <center>Sendmail access vs. DNSBL</center> |
| 12 | 148 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be |
| 149 suppressed by entries in the /etc/mail/access database. For example, | |
| 150 suppose you control a /18 of address space, and have allocated some /24s | |
| 151 to some clients. You have access entries like | |
| 0 | 152 |
| 12 | 153 <pre> |
| 154 192.168.4 OK | |
| 155 192.168.17 OK | |
| 156 </pre> | |
| 157 | |
| 158 <p>to allow those clients to smarthost thru your mail server. Now if | |
| 13 | 159 one of those clients happens get infected with a virus that turns a |
| 160 machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, | |
| 161 you will still wind up allowing that infected machine to smarthost thru | |
| 162 your mail servers. | |
| 12 | 163 |
| 164 <p>With this DNSBL milter, the sendmail access database cannot override | |
| 165 the dnsbl checks, so that machine won't be able to send mail to or thru | |
| 15 | 166 your smarthost mail server (unless the virus/proxy can use smtp-auth). |
| 167 | |
| 168 <p>Using the standard sendmail features, you would add access entries to | |
| 169 allow hosts on your local network to relay thru your mail server. Those | |
| 170 OK entries in the sendmail access database will override all the dnsbl | |
| 171 checks. With this DNSBL milter, you will need to have the local users | |
| 172 authenticate with smtp-auth to get the same effect. You might find <a | |
| 81 | 173 href="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php"> |
| 15 | 174 these directions</a> helpful for setting up smtp-auth if you are on RH |
| 175 Linux. | |
| 12 | 176 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
177 <hr> <center>Installation and configuration</center> |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
178 <p>Usage: Note that this has ONLY been tested on Linux, specifically |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
179 RedHat Linux. In particular, this milter makes no attempt to understand |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
180 IPv6. Your mileage will vary. You will need at a minimum a C++ |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
181 compiler with a minimally thread safe STL implementation. The |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
182 distribution includes a test.cpp program. If it fails this milter won't |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
183 work. If it passes, this milter might work. |
| 0 | 184 |
| 185 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> | |
| 186 and | |
| 187 | |
| 188 <pre> | |
| 189 tar xfvz dnsbl.tar.gz | |
| 190 bash install.bash | |
| 191 </pre> | |
| 192 | |
| 193 Read and understand the contents of that install.bash script before you | |
| 194 run it. It may not be suitable for your system. Modify your | |
| 195 sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following | |
| 196 line in your sendmail.mc and rebuild the .cf file | |
| 197 | |
| 198 <pre> | |
| 50 | 199 INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m') |
| 0 | 200 </pre> |
| 201 | |
| 202 Read the sample <a | |
| 44 | 203 href="http://www.five-ten-sg.com/dnsbl.conf">/etc/dnsbl/dnsbl.conf</a> |
| 6 | 204 file and modify it to fit your configuration. You can test your |
| 13 | 205 configuration files, and see a readable internal dump of them on stdout |
| 6 | 206 with |
| 207 | |
| 208 <pre> | |
| 44 | 209 cd /etc/dnsbl |
| 210 /usr/sbin/dnsbl -c | |
| 6 | 211 </pre> |
| 212 | |
| 75 | 213 You can check a specific envelope from/to pair with |
| 214 | |
| 215 <pre> | |
| 216 cd /etc/dnsbl | |
| 217 from="$1" # or your from address | |
| 218 to="$2" # or your to address | |
| 219 /usr/sbin/dnsbl -e "$from"'|'"$to" | |
| 220 </pre> | |
| 221 | |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
222 <hr> <center>Performance issues</center> |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
223 |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
224 <p>Consider a high volume high performance machine running sendmail. |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
225 Each sendmail process can do its own dns resolution. Typically, such |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
226 dns resolver libraries are not thread safe, and so must be protected by |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
227 some sort of mutex in a threaded environment. When we add a milter to |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
228 sendmail, we now have a collection of sendmail processes, and a |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
229 collection of milter threads. |
| 0 | 230 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
231 <p>We will be doing a lot of dns lookups per mail message, and at least |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
232 some of those will take many tens of seconds. If all this dns work is |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
233 serialized inside the milter, we have an upper limit of about 25K mail |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
234 messages per day. That is clearly not sufficient for many sites. |
| 0 | 235 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
236 <p>Since we want to do parallel dns resolution across those milter |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
237 threads, we add another collection of dns resolver processes. Each |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
238 sendmail process is talking to a milter thread over a socket, and each |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
239 milter thread is talking to a dns resolver process over another socket. |
| 6 | 240 |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
241 <p>Suppose we are processing 20 messages per second, and each message |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
242 requires 20 seconds of dns work. Then we will have 400 sendmail |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
243 processes, 400 milter threads, and 400 dns resolver processes. Of |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
244 course that steady state is very unlikely to happen. |
|
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
245 |
| 76 | 246 <hr> <center>Rejected Ideas</center> |
| 247 | |
| 248 <p>The following ideas have been considered and rejected. | |
| 249 | |
| 250 <p>Add max_recipients for each mail domain to the configuration. | |
| 251 Recipients in excess of that limit will be rejected, and all the | |
| 252 recipients in that domain will be removed if there are some other | |
| 253 whitelisted recipients. Current spammers *very* rarely send more than | |
| 254 ten recipients in a single smtp transaction, so this won't stop | |
| 255 any significant amount of spam. | |
| 256 | |
| 257 <p>Add poison addresses to the configuration. If any recipient is | |
| 258 poison, all recipients are rejected even if they would be whitelisted, | |
| 259 and the data is rejected if sent. I have a collection of spam trap | |
| 260 addresses that would be suitable for such use. Based on my log files, | |
| 261 any mail to those spam trap addresses is rejected based on either dnsbl | |
| 262 lookups or the DCC. So this won't result in blocking any additional | |
| 263 spam. | |
| 264 | |
| 265 <p>Add an option to only allow one recipient if the return path is | |
| 266 empty. Based on my log files, there is no mail that violates this | |
| 267 check. | |
| 268 | |
| 269 <p>Reject the mail if the envelope from domain name contains any MX | |
| 270 records pointing to 127.0.0.0/8. I don't see any significant amount of spam | |
| 271 sent with such domain names. | |
| 272 | |
| 273 | |
|
59
510a511ad554
Add resolver processes to allow better performance on busy machines
carl
parents:
57
diff
changeset
|
274 <pre> |
| 2 | 275 $Id$ |
| 4 | 276 </pre> |
| 0 | 277 </body> |
| 278 </html> |