Mercurial > dnsbl
annotate xml/dnsbl.in @ 263:e118fd2c6af0
fix unauthenticated rate limit bug for empty mail from; move unauthenticate rate limit checks after spam filtering
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Sat, 21 Jul 2012 12:35:19 -0700 |
| parents | 92a98e661a0b |
| children | f941563c2a95 |
| rev | line source |
|---|---|
| 108 | 1 <reference> |
| 2 <title>@PACKAGE@ Sendmail milter - Version @VERSION@</title> | |
| 3 <partintro> | |
| 4 <title>Packages</title> | |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
5 |
| 108 | 6 <para>The various source and binary packages are available at <ulink |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
7 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>. |
| 108 | 8 The most recent documentation is available at <ulink |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
9 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>. |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
10 </para> |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
11 |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
12 <para>A <ulink |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
13 url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
14 code repository for this project is available at <ulink |
|
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
15 url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>. |
| 108 | 16 </para> |
| 94 | 17 |
| 108 | 18 </partintro> |
| 94 | 19 |
| 108 | 20 <refentry id="@PACKAGE@.1"> |
| 21 <refentryinfo> | |
|
261
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
22 <date>2012-07-21</date> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
23 <author> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
24 <firstname>Carl</firstname> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
25 <surname>Byington</surname> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
26 <affiliation><orgname>510 Software Group</orgname></affiliation> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
27 </author> |
| 108 | 28 </refentryinfo> |
| 94 | 29 |
| 108 | 30 <refmeta> |
| 31 <refentrytitle>@PACKAGE@</refentrytitle> | |
| 32 <manvolnum>1</manvolnum> | |
| 33 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
| 34 </refmeta> | |
| 35 | |
| 36 <refnamediv id='name.1'> | |
| 37 <refname>@PACKAGE@</refname> | |
| 38 <refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose> | |
| 39 </refnamediv> | |
| 94 | 40 |
| 108 | 41 <refsynopsisdiv id='synopsis.1'> |
| 42 <title>Synopsis</title> | |
| 43 <cmdsynopsis> | |
| 44 <command>@PACKAGE@</command> | |
| 45 <arg><option>-c</option></arg> | |
| 46 <arg><option>-s</option></arg> | |
| 47 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg> | |
| 48 <arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg> | |
| 179 | 49 <arg><option>-b <replaceable class="parameter">local-domain-socket</replaceable></option></arg> |
| 108 | 50 <arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg> |
| 51 <arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg> | |
| 52 <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> | |
| 53 </cmdsynopsis> | |
| 54 </refsynopsisdiv> | |
| 94 | 55 |
| 108 | 56 <refsect1 id='options.1'> |
| 57 <title>Options</title> | |
| 58 <variablelist> | |
| 59 <varlistentry> | |
| 60 <term>-c</term> | |
| 111 | 61 <listitem><para> |
| 62 Load the configuration file, print a cannonical form | |
| 63 of the configuration on stdout, and exit. | |
| 64 </para></listitem> | |
| 108 | 65 </varlistentry> |
| 66 <varlistentry> | |
| 67 <term>-s</term> | |
| 111 | 68 <listitem><para> |
| 69 Stress test the configuration loading code by repeating | |
| 70 the load/free cycle in an infinite loop. | |
| 71 </para></listitem> | |
| 108 | 72 </varlistentry> |
| 73 <varlistentry> | |
| 74 <term>-d <replaceable class="parameter">n</replaceable></term> | |
| 111 | 75 <listitem><para> |
| 76 Set the debug level to <replaceable class="parameter">n</replaceable>. | |
| 77 </para></listitem> | |
| 108 | 78 </varlistentry> |
| 79 <varlistentry> | |
| 80 <term>-e <replaceable class="parameter">from|to</replaceable></term> | |
| 111 | 81 <listitem><para> |
| 82 Print the results of looking up the from and to addresses in the | |
| 83 current configuration. The | character is used to separate the from and to | |
| 84 addresses in the argument to the -e switch. | |
| 85 </para></listitem> | |
| 108 | 86 </varlistentry> |
| 87 <varlistentry> | |
| 179 | 88 <term>-b <replaceable class="parameter">local-domain-socket-file-name</replaceable></term> |
| 89 <listitem><para> | |
| 90 Set the local socket used for the connection to the dccifd daemon. | |
| 91 This is typically /var/dcc/dccifd. | |
| 92 </para></listitem> | |
| 93 </varlistentry> | |
| 94 <varlistentry> | |
| 95 <term>-r <replaceable class="parameter">local-domain-socket-file-name</replaceable></term> | |
| 111 | 96 <listitem><para> |
| 97 Set the local socket used for the connection to our own dns resolver processes. | |
| 98 </para></listitem> | |
| 108 | 99 </varlistentry> |
| 100 <varlistentry> | |
| 101 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term> | |
| 111 | 102 <listitem><para> |
| 103 Set the socket used for the milter connection to sendmail. This is either | |
| 104 "inet:port@ip-address" or "local:local-domain-socket-file-name". | |
| 105 </para></listitem> | |
| 108 | 106 </varlistentry> |
| 107 <varlistentry> | |
| 108 <term>-t <replaceable class="parameter">timeout</replaceable></term> | |
| 111 | 109 <listitem><para> |
| 110 Set the timeout in seconds used for communication with sendmail. | |
| 111 </para></listitem> | |
| 108 | 112 </varlistentry> |
| 113 </variablelist> | |
| 114 </refsect1> | |
| 94 | 115 |
| 111 | 116 <refsect1 id='usage.1'> |
| 108 | 117 <title>Usage</title> |
| 118 <para><command>@PACKAGE@</command> -c</para> | |
| 119 <para><command>@PACKAGE@</command> -s</para> | |
| 111 | 120 <para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para> |
| 121 <para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para> | |
| 122 </refsect1> | |
| 123 | |
| 124 <refsect1 id='installation.1'> | |
| 125 <title>Installation</title> | |
| 126 <para> | |
| 127 This is now a standard GNU autoconf/automake installation, so the normal | |
| 128 "./configure; make; su; make install" works. "make chkconfig" will | |
| 129 setup the init.d runlevel scripts. Alternatively, you can use the | |
| 130 source or binary RPMs at <ulink | |
| 131 url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>. | |
| 132 </para> | |
| 133 <para> | |
| 134 Note that this has ONLY been tested on Linux, specifically RedHat Linux. | |
| 135 In particular, this milter makes no attempt to understand IPv6. Your | |
| 136 mileage will vary. You will need at a minimum a C++ compiler with a | |
| 137 minimally thread safe STL implementation. The distribution includes a | |
| 138 test.cpp program. If it fails this milter won't work. If it passes, | |
| 139 this milter might work. | |
| 140 </para> | |
| 141 <para> | |
| 142 Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add | |
| 143 the following line in your sendmail.mc and rebuild the .cf file | |
| 144 </para> | |
| 145 <para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para> | |
| 146 <para> | |
| 147 Modify the default <citerefentry> | |
| 148 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
| 149 </citerefentry> configuration. | |
| 150 </para> | |
| 151 </refsect1> | |
| 152 | |
| 153 <refsect1 id='configuration.1'> | |
| 154 <title>Configuration</title> | |
| 155 <para> | |
| 156 The configuration file is documented in <citerefentry> | |
| 157 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
| 158 </citerefentry>. Any change to the config file, or any file included | |
| 159 from that config file, will cause it to be reloaded within three | |
| 160 minutes. | |
| 161 </para> | |
| 108 | 162 </refsect1> |
| 94 | 163 |
| 108 | 164 <refsect1 id='introduction.1'> |
| 165 <title>Introduction</title> | |
| 166 <para> | |
| 167 Consider the case of a mail server that is acting as secondary MX for a | |
| 168 collection of clients, each of which has a collection of mail domains. | |
| 169 Each client may use their own collection of DNSBLs on their primary mail | |
| 170 server. We present here a mechanism whereby the backup mail server can | |
| 171 use the correct set of DNSBLs for each recipient for each message. As a | |
| 172 side-effect, it gives us the ability to customize the set of DNSBLs on a | |
| 183 | 173 per-recipient basis, so that fred@example.com could use LOCAL and the |
| 108 | 174 SBL, where all other users @example.com use only the SBL. |
| 175 </para> | |
| 176 <para> | |
| 177 This milter can also verify the envelope from/recipient pairs with the | |
| 178 primary MX server. This allows the backup mail servers to properly | |
| 179 reject mail sent to invalid addresses. Otherwise, the backup mail | |
| 180 servers will accept that mail, and then generate a bounce message when | |
| 181 the message is forwarded to the primary server (and rejected there with | |
| 127 | 182 no such user). These rejections are the primary cause of such backscatter. |
| 108 | 183 </para> |
| 184 <para> | |
| 185 This milter will also decode (uuencode, base64, mime, html entity, url | |
| 186 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the | |
| 187 body of the mail. If any of those host names have A or NS records on | |
| 188 the SBL (or a single configurable DNSBL), the mail will be rejected | |
| 189 unless previously whitelisted. This milter also counts the number of | |
| 190 invalid HTML tags, and can reject mail if that count exceeds your | |
| 191 specified limit. | |
| 192 </para> | |
| 193 <para> | |
|
259
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
194 This milter can also impose hourly and daily rate |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
195 limits on the number of recipients accepted from SMTP |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
196 AUTH connections, that would otherwise be allowed to |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
197 relay thru this mail server with no spam filtering. If |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
198 the connection does not use SMTP AUTH, the rate limits |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
199 may be specified by the mail from email address or |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
200 domain. |
| 136 | 201 </para> |
| 202 <para> | |
| 162 | 203 Consider the case of a message from A to B passing thru this milter. If |
| 204 that message is not blocked, then we might eventually see a reply | |
| 156 | 205 message from B to A. If the filtering context for A includes an |
| 162 | 206 autowhite entry, and that context does <emphasis>not</emphasis> cover B |
| 207 as a recipient, then this milter will add an entry in that file to | |
| 208 whitelist such replies for a configurable time period. Suppose A and B | |
| 209 are in the same domain, or at least use the same filtering context. In | |
| 210 that case we don't want to add a whitelist entry for B, since that would | |
| 211 then allow spammers to send mail from B (forged) to B. Such autowhite | |
| 160 | 212 files need to be writeable by the dnsbl user, where all the other dnsbl |
| 213 configuration files only need to be readable by the dnsbl user. | |
| 156 | 214 </para> |
| 215 <para> | |
|
176
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
216 You can manually add such an autowhite entry, by appending a single |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
217 text line to the autowhitelist file, using something like |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
218 <command>echo "$mail 0" >>$autowhitefile</command>. |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
219 You can manually remove such an autowhite entry, by appending a single |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
220 text line to the autowhitelist file, using something like |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
221 <command>echo "$mail 1" >>$autowhitefile</command>. |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
222 </para> |
|
4ec928b24bab
allow manual whitelisting with stamp 1 to remove a whitelist entry
carl
parents:
175
diff
changeset
|
223 <para> |
| 108 | 224 The DNSBL milter reads a text configuration file (dnsbl.conf) on |
| 225 startup, and whenever the config file (or any of the referenced include | |
| 226 files) is changed. The entire configuration file is case insensitive. | |
| 227 If the configuration cannot be loaded due to a syntax error, the milter | |
| 228 will log the error and quit. If the configuration cannot be reloaded | |
| 229 after being modified, the milter will log the error and send an email to | |
| 152 | 230 root from dnsbl@$hostname. You probably want to add dnsbl@$hostname |
| 108 | 231 to your /etc/mail/virtusertable since otherwise sendmail will reject |
| 232 that message. | |
| 233 </para> | |
| 234 </refsect1> | |
| 94 | 235 |
| 111 | 236 <refsect1 id='dcc.1'> |
| 108 | 237 <title>DCC Issues</title> |
| 238 <para> | |
| 239 If you are also using the <ulink | |
| 240 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there | |
| 241 are a few considerations. You may need to whitelist senders from the | |
| 242 DCC bulk detector, or from the DNS based lists. Those are two very | |
| 243 different reasons for whitelisting. The former is done thru the DCC | |
| 244 whiteclnt config file, the later is done thru the DNSBL milter config | |
| 245 file. | |
| 246 </para> | |
| 247 <para> | |
| 248 You may want to blacklist some specific senders or sending domains. | |
| 249 This could be done thru either the DCC (on a global basis, or for a | |
| 250 specific single recipient). We prefer to do such blacklisting via the | |
| 251 DNSBL milter config, since it can be done for a collection of recipient | |
| 252 mail domains. The DCC approach has the feature that you can capture the | |
| 253 entire message in the DCC log files. The DNSBL milter approach has the | |
| 254 feature that the mail is rejected earlier (at RCPT TO time), and the | |
| 255 sending machine just gets a generic "550 5.7.1 no such user" message. | |
| 256 </para> | |
| 257 <para> | |
| 258 The DCC whiteclnt file can be included in the DNSBL milter config by the | |
| 259 dcc_to and dcc_from statements. This will import the (env_to, env_from, | |
| 260 and substitute mail_host) entries from the DCC config into the DNSBL | |
| 261 config. This allows using the DCC config as the single point for | |
| 262 white/blacklisting. | |
| 263 </para> | |
| 264 <para> | |
| 265 Consider the case where you have multiple clients, each with their own | |
| 266 mail servers, and each running their own DCC milters. Each client is | |
| 267 using the DCC facilities for envelope from/to white/blacklisting. | |
| 268 Presumably you can use rsync or scp to fetch copies of your clients DCC | |
| 269 whiteclnt files on a regular basis. Your mail server, acting as a | |
| 270 backup MX for your clients, can use the DNSBL milter, and include those | |
| 271 client DCC config files. The envelope from/to white/blacklisting will | |
| 272 be appropriately tagged and used only for the domains controlled by each | |
| 273 of those clients. | |
| 274 </para> | |
| 179 | 275 <para> |
| 276 You can now use (via dccifd) different dcc filtering parameters on a per | |
| 277 context basis. See the dcc_greylist and dcc_bulk_threshold statements | |
| 278 in the <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
| 279 <manvolnum>5</manvolnum> </citerefentry> configuration. Those | |
| 280 statements are only active if you supply the <option>-b</option> option | |
| 281 on the dnsbl command line. If you use the dcc via the standard dcc | |
| 282 milter (dccm), then connections from clients that use SMTP AUTH are | |
| 283 still subject to greylisting. If you use the dcc via dccifd and this | |
| 284 milter, then connections from clients that use SMTP AUTH are never | |
| 180 | 285 subject to greylisting. As part of this per-user greylisting, you need |
| 286 to move the dnsblnogrey file from the config directory to something | |
| 287 like /var/dcc/userdirs/local/dnsblnogrey/whiteclnt so the dccifd will | |
| 288 properly ignore greylisting for those recipients that don't want it. | |
| 179 | 289 </para> |
| 108 | 290 </refsect1> |
| 94 | 291 |
| 111 | 292 <refsect1 id='definitions.1'> |
| 108 | 293 <title>Definitions</title> |
| 294 <para> | |
| 295 CONTEXT - a collection of parameters that defines the filtering context | |
| 296 to be used for a collection of envelope recipient addresses. The | |
| 297 context includes such things as the list of DNSBLs to be used, and the | |
| 298 various content filtering parameters. | |
| 299 </para> | |
| 300 <para> | |
| 301 DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g. | |
| 302 sbl-xbl.spamhaus.org) and a message string that is used to generate the | |
| 303 "550 5.7.1" smtp error return code. The names of these DNSBLs will be | |
| 304 used to define the DNSBL-LISTs. | |
| 305 </para> | |
| 306 <para> | |
| 307 DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
| 308 recipients or recipient domains. | |
| 309 </para> | |
| 249 | 310 <para> |
| 311 DNSWL - a named DNS based white list is defined by a dns suffix (e.g. | |
| 312 list.dnswl.org) and an integer level. If the level is greater than or | |
| 313 equal to x in the 127.0.z.x return code from the white list, then the | |
| 314 ip address is considered to match, and the message will be whitelisted. | |
| 315 The names of these DNSWLs will be used to define the DNSWL-LISTs. | |
| 316 </para> | |
| 317 <para> | |
| 318 DNSWL-LIST - a named list of DNSWLs that will be used for specific | |
| 319 recipients or recipient domains. | |
| 320 </para> | |
| 108 | 321 </refsect1> |
| 94 | 322 |
| 111 | 323 <refsect1 id='filtering.1'> |
| 108 | 324 <title>Filtering Procedure</title> |
| 325 <para> | |
| 152 | 326 The SMTP envelope 'from' and 'to' values are used in various checks. |
| 327 The first check is to see if a reply message (swapping the env_from and | |
| 160 | 328 env_to values) would be unconditionally blocked (just based on the |
| 329 envelope from address). That check is similar to the main check | |
| 330 described below, but there is no body content to be scanned, and there | |
| 331 is no client connection ip address to be checked against DNSBLs. If | |
| 332 such a reply message would be blocked, we also block the original | |
| 333 outgoing message. This prevents folks from sending mail to recipients | |
| 334 that are unable to reply. | |
| 152 | 335 </para> |
| 336 <para> | |
| 136 | 337 If the client has authenticated with sendmail, the rate limits are |
| 338 checked. If the authenticated user has not exceeded the hourly rate | |
|
144
31ff00ea6bfb
allow parent/child to share a fully qualified env_to address
carl
parents:
140
diff
changeset
|
339 limit, then the mail is accepted, the filtering contexts are not used, |
| 136 | 340 the dns lists are not checked, and the body content is not scanned. If |
| 341 the client has not authenticated with sendmail, we follow these steps | |
| 342 for each recipient. | |
| 108 | 343 </para> |
| 344 <orderedlist> | |
| 111 | 345 <listitem><para> |
| 108 | 346 The envelope to email address is used to find an initial filtering |
| 347 context. We first look for a context that specified the full email | |
| 348 address in the env_to statement. If that is not found, we look for a | |
| 349 context that specified the entire domain name of the envelope recipient | |
| 350 in the env_to statement. If that is not found, we look for a context | |
| 351 that specified the user@ part of the envelope recipient in the env_to | |
| 352 statement. If that is not found, we use the first top level context | |
| 353 defined in the config file. | |
| 111 | 354 </para></listitem> |
| 355 <listitem><para> | |
| 108 | 356 The initial filtering context may redirect to a child context based on |
| 357 the values in the initial context's env_from statement. We look for [1) | |
| 358 the full envelope from email address, 2) the domain name part of the | |
| 359 envelope from address, 3) the user@ part of the envelope from address] | |
| 360 in that context's env_from statement, with values that point to a child | |
| 361 context. If such an entry is found, we switch to that child filtering | |
| 362 context. | |
| 111 | 363 </para></listitem> |
| 364 <listitem><para> | |
| 108 | 365 We lookup [1) the full envelope from email address, 2) the domain name |
| 366 part of the envelope from address, 3) the user@ part of the envelope | |
| 367 from address] in the filtering context env_from statement. That results | |
| 368 in one of (white, black, unknown, inherit). | |
| 111 | 369 </para></listitem> |
| 370 <listitem><para> | |
| 108 | 371 If the answer is black, mail to this recipient is rejected with "no such |
| 372 user", and the dns lists are not checked. | |
| 111 | 373 </para></listitem> |
| 374 <listitem><para> | |
| 108 | 375 If the answer is white, mail to this recipient is accepted and the dns |
| 376 lists are not checked. | |
| 111 | 377 </para></listitem> |
| 378 <listitem><para> | |
| 108 | 379 If the answer is unknown, we don't reject yet, but the dns lists will be |
| 380 checked, and the content may be scanned. | |
| 111 | 381 </para></listitem> |
| 382 <listitem><para> | |
| 108 | 383 If the answer is inherit, we repeat the envelope from search in the |
| 384 parent context. | |
| 111 | 385 </para></listitem> |
| 386 <listitem><para> | |
|
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
387 If the mail has not been accepted or rejected yet, and the filtering |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
388 context (or any ancestor context) specifies a non-empty whitelist regular |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
389 expression, then we check the envelope from value against that regex. |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
390 The mail is accepted if the envelope from value matches the specified regular |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
391 expression. |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
392 </para></listitem> |
|
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
393 <listitem><para> |
| 249 | 394 If the mail has not been accepted or rejected yet, the dns white lists |
| 395 specified in the filtering context are checked and the mail is accepted | |
| 396 if any list has an A record for the standard dns based lookup scheme | |
| 397 (reversed octets of the client followed by the dns suffix) with a final | |
| 398 octet greater than or equal to the level specified for that dnswl. | |
| 399 </para></listitem> | |
| 400 <listitem><para> | |
| 401 If the mail has not been accepted or rejected yet, the dns black lists | |
| 168 | 402 specified in the filtering context are checked and the mail is rejected |
| 403 if any list has an A record for the standard dns based lookup scheme | |
| 404 (reversed octets of the client followed by the dns suffix). | |
| 405 </para></listitem> | |
| 406 <listitem><para> | |
| 407 If the mail has not been accepted or rejected yet, and the filtering | |
| 170 | 408 context (or any ancestor context) specifies a non-empty generic regular |
| 409 expression, then we check the fully qualified client name (obtained via | |
| 410 the sendmail macro "_"). The mail is rejected if the client name | |
| 411 matches the specified regular expression. | |
| 111 | 412 </para></listitem> |
| 413 <listitem><para> | |
| 108 | 414 If the mail has not been accepted or rejected yet, we look for a |
| 415 verification context, which is the closest ancestor of the filtering | |
| 416 context that both specifies a verification host, and which covers the | |
| 417 envelope to address. If we find such a verification context, and the | |
| 418 verification host is not our own hostname, we open an smtp conversation | |
| 419 with that verification host. The current envelope from and recipient to | |
| 420 values are passed to that verification host. If we receive a 5xy | |
| 421 response those commands, we reject the current recipient with "no such | |
| 422 user". | |
| 111 | 423 </para></listitem> |
| 424 <listitem><para> | |
| 108 | 425 If the mail has not been accepted or rejected yet, and the filtering |
| 426 context enables content filtering, and this is the first such recipient | |
| 427 in this smtp transaction, we set the content filtering parameters from | |
| 428 this context, and enable content filtering for the body of this message. | |
| 111 | 429 </para></listitem> |
| 108 | 430 </orderedlist> |
| 431 <para> | |
| 160 | 432 For each recipient that was accepted, we search for an autowhite entry |
| 433 starting in the reply filtering context. If an autowhite entry is found, | |
| 434 we add the recipient to that auto whitelist file. This will prevent reply | |
| 435 messages from being blocked by the dnsbl or content filtering. | |
| 436 </para> | |
| 437 <para> | |
| 108 | 438 If content filtering is enabled for this body, the mail text is decoded |
| 119 | 439 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP |
| 440 and HTTPS URLs or bare host names. Hostnames must be either ip address | |
| 441 literals, or must end in a string defined by the TLD list. The first | |
| 442 <configurable> host names are checked as follows. | |
| 443 </para> | |
| 444 <para> | |
| 445 The only known list that is suitable for the content filter DNSBL is the | |
| 446 SBL. If the content filter DNSBL is defined, and any of those host | |
| 447 names resolve to ip addresses that are on that DNSBL (or have | |
| 448 nameservers that are on that list), and the host name is not on the | |
| 449 <configurable> ignore list, the mail is rejected. | |
| 450 </para> | |
| 451 <para> | |
| 452 If the content uribl DNSBL is defined, and any of those host names are | |
| 453 on that DNSBL, and the host name is not on the <configurable> | |
| 249 | 454 ignore list, the mail is rejected. Note that the Spamhaus DBL is not (yet) |
| 455 suitable here, since we currently pass ip addresses to the uribl checker, | |
| 456 and the DBL lists all such bare ip addresses. | |
| 119 | 457 </para> |
| 458 <para> | |
|
167
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
459 If any non-whitelisted recipient has a filtering context with a non-zero |
|
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
460 spamassassin limit, then the message is passed thru spamassassin (via |
|
9b129ed78d7d
actually use spamassassin result, allow build without spam assassin, only call it if some recipient needs it.
carl
parents:
164
diff
changeset
|
461 spamc), and the message is rejected for those recipients with spamassassin |
|
203
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
462 limits less than the resulting spamassassin score. For example, a |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
463 spamassassin limit of three will reject messages with spamassassin scores |
|
246
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
464 of four or greater. If the filtering context has a spamassassin limit of |
|
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
465 zero, then spamassassin is not called (or if called the results are not used) |
|
8b0f16abee53
Add prvs decoding to envelope addresses
Carl Byington <carl@five-ten-sg.com>
parents:
233
diff
changeset
|
466 for this recipient. |
|
203
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
467 </para> |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
468 <para> |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
469 If any non-whitelisted recipient has a filtering context that specifies |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
470 DCC greylisting, then the message is passed thru the DCC bulk detector, |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
471 and the message is greylisted (for all recipients) if the DCC says this |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
472 message should be delayed. |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
473 </para> |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
474 <para> |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
475 If any non-whitelisted recipient has a filtering context with a non-zero |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
476 DCC bulk threshold, then the message is passed thru the DCC bulk detector, |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
477 and the message is rejected for those recipients with DCC thresholds less |
|
92a5c866bdfa
Verify from/to pairs even if they might be explicitly whitelisted.
Carl Byington <carl@five-ten-sg.com>
parents:
201
diff
changeset
|
478 than or equal to the DCC bulk score. |
| 163 | 479 </para> |
| 480 <para> | |
| 119 | 481 We also scan for excessive bad html tags, and if a <configurable> |
| 482 limit is exceeded, the mail is rejected. | |
| 108 | 483 </para> |
| 484 </refsect1> | |
| 94 | 485 |
| 111 | 486 <refsect1 id='access.1'> |
| 108 | 487 <title>Sendmail access vs. DNSBL</title> |
| 488 <para> | |
| 489 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
| 490 suppressed by entries in the /etc/mail/access database. For example, | |
| 491 suppose you control a /18 of address space, and have allocated some /24s | |
| 492 to some clients. You have access entries like | |
| 111 | 493 <literallayout class="monospaced"><![CDATA[ |
| 494 192.168.4 OK | |
| 495 192.168.17 OK]]></literallayout> | |
| 108 | 496 </para> |
| 497 <para> | |
| 498 to allow those clients to smarthost thru your mail server. Now if one | |
| 499 of those clients happens get infected with a virus that turns a machine | |
| 500 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you | |
| 501 will still wind up allowing that infected machine to smarthost thru your | |
| 502 mail servers. | |
| 503 </para> | |
| 504 <para> | |
| 505 With this DNSBL milter, the sendmail access database cannot override the | |
| 506 dnsbl checks, so that machine won't be able to send mail to or thru your | |
| 507 smarthost mail server (unless the virus/proxy can use smtp-auth). | |
| 508 </para> | |
| 509 <para> | |
| 510 Using the standard sendmail features, you would add access entries to | |
| 511 allow hosts on your local network to relay thru your mail server. Those | |
| 512 OK entries in the sendmail access database will override all the dnsbl | |
| 513 checks. With this DNSBL milter, you will need to have the local users | |
| 514 authenticate with smtp-auth to get the same effect. You might find | |
| 515 <ulink | |
| 516 url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php"> | |
| 517 these directions</ulink> helpful for setting up smtp-auth if you are on | |
| 518 RH Linux. | |
| 519 </para> | |
| 520 </refsect1> | |
| 94 | 521 |
| 111 | 522 <refsect1 id='performance.1'> |
| 108 | 523 <title>Performance Issues</title> |
| 524 <para> | |
| 525 Consider a high volume high performance machine running sendmail. Each | |
| 526 sendmail process can do its own dns resolution. Typically, such dns | |
| 527 resolver libraries are not thread safe, and so must be protected by some | |
| 528 sort of mutex in a threaded environment. When we add a milter to | |
| 529 sendmail, we now have a collection of sendmail processes, and a | |
| 530 collection of milter threads. | |
| 531 </para> | |
| 532 <para> | |
| 533 We will be doing a lot of dns lookups per mail message, and at least | |
| 534 some of those will take many tens of seconds. If all this dns work is | |
| 535 serialized inside the milter, we have an upper limit of about 25K mail | |
| 536 messages per day. That is clearly not sufficient for many sites. | |
| 537 </para> | |
| 538 <para> | |
| 539 Since we want to do parallel dns resolution across those milter threads, | |
| 540 we add another collection of dns resolver processes. Each sendmail | |
| 541 process is talking to a milter thread over a socket, and each milter | |
| 542 thread is talking to a dns resolver process over another socket. | |
| 543 </para> | |
| 544 <para> | |
| 545 Suppose we are processing 20 messages per second, and each message | |
| 546 requires 20 seconds of dns work. Then we will have 400 sendmail | |
| 547 processes, 400 milter threads, and 400 dns resolver processes. Of | |
| 548 course that steady state is very unlikely to happen. | |
| 549 </para> | |
| 550 </refsect1> | |
| 94 | 551 |
| 552 | |
| 111 | 553 <refsect1 id='rejected.1'> |
| 108 | 554 <title>Rejected Ideas</title> |
| 555 <para> | |
| 556 The following ideas have been considered and rejected. | |
| 557 </para> | |
| 558 <para> | |
| 111 | 559 Add max_recipients setting to the context configuration. Recipients in |
| 560 excess of that limit will be rejected, and all the non-whitelisted | |
| 561 recipients will be removed. Current spammers *very* rarely send more | |
| 562 than ten recipients in a single smtp transaction, so this won't stop any | |
| 108 | 563 significant amount of spam. |
| 564 </para> | |
| 565 <para> | |
| 566 Add poison addresses to the configuration. If any recipient is | |
| 567 poison, all recipients are rejected even if they would be whitelisted, | |
| 568 and the data is rejected if sent. I have a collection of spam trap | |
| 569 addresses that would be suitable for such use. Based on my log files, | |
| 570 any mail to those spam trap addresses is rejected based on either dnsbl | |
| 571 lookups or the DCC. So this won't result in blocking any additional | |
| 572 spam. | |
| 573 </para> | |
| 574 <para> | |
| 575 Add an option to only allow one recipient if the return path is | |
| 576 empty. Based on my log files, there is no mail that violates this | |
| 577 check. | |
| 578 </para> | |
| 579 <para> | |
| 580 Reject the mail if the envelope from domain name contains any MX | |
| 581 records pointing to 127.0.0.0/8. I don't see any significant amount of | |
| 582 spam sent with such domain names. | |
| 583 </para> | |
| 584 </refsect1> | |
| 94 | 585 |
| 108 | 586 <refsect1 id='todo.1'> |
| 587 <title>TODO</title> | |
| 588 <para> | |
| 589 The following ideas are under consideration. | |
| 590 </para> | |
| 591 <para> | |
| 115 | 592 Look for href="hostname/path" strings that are missing the required |
| 593 http:// protocol header. Such references are still clickable in common | |
| 594 mail software. | |
| 595 </para> | |
| 249 | 596 <para> |
| 597 Add the ability to use the DBL for content filtering. We need to avoid | |
| 598 checking bare ip addresses against that list. | |
| 599 </para> | |
| 600 <para> | |
| 601 Add daily recipient limits based on some fixed multiple (perhaps 3?) | |
| 602 of the hourly limit. | |
| 603 </para> | |
| 108 | 604 </refsect1> |
| 94 | 605 |
| 111 | 606 <refsect1 id='copyright.1'> |
| 108 | 607 <title>Copyright</title> |
| 608 <para> | |
|
261
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
609 Copyright (C) 2012 by 510 Software Group <carl@five-ten-sg.com> |
| 108 | 610 </para> |
| 611 <para> | |
| 612 This program is free software; you can redistribute it and/or modify it | |
| 613 under the terms of the GNU General Public License as published by the | |
| 160 | 614 Free Software Foundation; either version 3, or (at your option) any |
| 108 | 615 later version. |
| 616 </para> | |
| 617 <para> | |
| 618 You should have received a copy of the GNU General Public License along | |
| 619 with this program; see the file COPYING. If not, please write to the | |
| 620 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. | |
| 621 </para> | |
| 622 </refsect1> | |
| 94 | 623 |
| 111 | 624 <refsect1 id='version.1'> |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
625 <title>Version</title> |
| 108 | 626 <para> |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
627 @VERSION@ |
| 108 | 628 </para> |
| 629 </refsect1> | |
| 630 </refentry> | |
| 631 | |
| 632 | |
| 633 <refentry id="@PACKAGE@.conf.5"> | |
| 634 <refentryinfo> | |
|
261
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
635 <date>2012-07-21</date> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
636 <author> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
637 <firstname>Carl</firstname> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
638 <surname>Byington</surname> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
639 <affiliation><orgname>510 Software Group</orgname></affiliation> |
|
92a98e661a0b
update documentation for newer xml dtd
Carl Byington <carl@five-ten-sg.com>
parents:
259
diff
changeset
|
640 </author> |
| 108 | 641 </refentryinfo> |
| 94 | 642 |
| 108 | 643 <refmeta> |
| 644 <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
| 645 <manvolnum>5</manvolnum> | |
| 646 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
| 647 </refmeta> | |
| 94 | 648 |
| 108 | 649 <refnamediv id='name.5'> |
| 650 <refname>@PACKAGE@.conf</refname> | |
| 111 | 651 <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose> |
| 108 | 652 </refnamediv> |
| 653 | |
| 654 <refsynopsisdiv id='synopsis.5'> | |
| 655 <title>Synopsis</title> | |
| 656 <cmdsynopsis> | |
| 657 <command>@PACKAGE@.conf</command> | |
| 658 </cmdsynopsis> | |
| 659 </refsynopsisdiv> | |
| 94 | 660 |
| 108 | 661 <refsect1 id='description.5'> |
| 662 <title>Description</title> | |
| 663 <para>The <command>@PACKAGE@.conf</command> configuration file is | |
|
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
664 specified by this partial bnf description. Comments start with // |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
665 or # and extend to the end of the line. To include the contents |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
666 of some file verbatim in the dnsbl.conf file, use |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
667 <literallayout class="monospaced"><![CDATA[include "<file>";]]></literallayout> |
|
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
668 </para> |
| 108 | 669 |
| 670 <literallayout class="monospaced"><![CDATA[ | |
| 671 CONFIG = {CONTEXT ";"}+ | |
| 672 CONTEXT = "context" NAME "{" {STATEMENT}+ "}" | |
| 249 | 673 STATEMENT = (DNSBL | DNSBLLIST | DNSWL | DNSWLLIST | CONTENT | ENV-TO |
| 674 | VERIFY | GENERIC | W_REGEX | AUTOWHITE | CONTEXT | ENV-FROM | |
| 675 | RATE-LIMIT) ";" | |
| 108 | 676 |
| 124 | 677 DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1 |
|
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
678 DNSBLLIST = "dnsbl_list" {NAME}* |
| 108 | 679 |
|
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
680 DNSWL = "dnswl" NAME DNSPREFIX LEVEL |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
681 DNSWLLIST = "dnswl_list" {NAME}* |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
682 LEVEL = INTEGER |
| 94 | 683 |
| 108 | 684 CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}" |
| 178 | 685 CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | CCTLD | HTML-TAGS | |
| 686 HTML-LIMIT | HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | | |
| 687 DCCBULK) ";" | |
| 124 | 688 FILTER = "filter" DNSPREFIX ERROR-MSG2 |
| 689 URIBL = "uribl" DNSPREFIX ERROR-MSG3 | |
| 108 | 690 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}" |
| 691 TLD = "tld" "{" {TLD [";"]}+ "}" | |
| 119 | 692 CCTLD = "cctld" "{" {TLD [";"]}+ "}" |
| 108 | 693 HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}" |
| 124 | 694 ERROR-MSG1 = string containing exactly two %s replacement tokens |
| 695 both are replaced with the client ip address | |
| 696 ERROR-MSG2 = string containing exactly two %s replacement tokens | |
| 697 the first is replaced with the hostname, and the second | |
| 698 is replaced with the ip address | |
| 699 ERROR-MSG3 = string containing exactly two %s replacement tokens | |
| 700 both are replaced with the hostname | |
| 108 | 701 |
| 702 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off") | |
| 703 | |
| 111 | 704 HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | |
| 705 "soft" INTEGER) | |
| 178 | 706 SPAMASS = "spamassassin" INTEGER |
| 707 REQUIRE = "require_match" ("yes" | "no") | |
| 708 DCCGREY = "dcc_greylist" ("yes" | "no") | |
| 709 DCCBULK = "dcc_bulk_threshold" (INTEGER | "many" | "off") | |
| 94 | 710 |
| 108 | 711 ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}" |
| 712 TO-ADDR = ADDRESS [";"] | |
| 713 DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";" | |
| 714 | |
| 715 VERIFY = "verify" HOSTNAME ";" | |
| 168 | 716 GENERIC = "generic" REGULAREXPRESSION ERROR-MSG4 ";" |
|
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
717 W-REGEX = "white_regex" REGULAREXPRESSION ";" |
| 168 | 718 ERROR-MSG4 = string containing exactly one %s replacement token |
| 719 which is replaced with the client name | |
| 153 | 720 AUTOWHITE = "autowhite" DAYS FILENAME ";" |
| 108 | 721 |
| 722 ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}" | |
| 723 FROM-ADDR = ADDRESS VALUE [";"] | |
| 724 DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";" | |
| 136 | 725 |
|
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
726 RATE-LIMIT = "rate_limit" [DEFAULT_LIMIT [DAILY_MULTIPLE]] "{" (RATE)+ "}" |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
727 RATE = USER LIMIT [";"] |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
728 LIMIT = INTEGER |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
729 DEFAULT_LIMIT = INTEGER |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
730 DAILY_MULTIPLE = INTEGER |
| 136 | 731 |
| 108 | 732 DEFAULT = ("white" | "black" | "unknown" | "inherit" | "") |
| 733 ADDRESS = (USER@ | DOMAIN | USER@DOMAIN) | |
|
148
9330b8d6a56b
add documentation fixes, allow env_from target of inherit
carl
parents:
144
diff
changeset
|
734 VALUE = ("white" | "black" | "unknown" | "inherit" | CHILD-CONTEXT-NAME)]]></literallayout> |
| 108 | 735 </refsect1> |
| 94 | 736 |
| 108 | 737 <refsect1 id='sample.5'> |
| 738 <title>Sample</title> | |
| 739 <literallayout class="monospaced"><![CDATA[ | |
| 127 | 740 context main-default { |
| 741 // outbound dnsbl filtering to catch our own customers that end up on the sbl | |
| 742 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 174 | 743 dnsbl_list sbl; |
| 127 | 744 |
| 745 // outbound content filtering to prevent our own customers from sending spam | |
| 746 content on { | |
| 747 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 748 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; | |
|
259
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
749 #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; |
| 127 | 750 ignore { include "hosts-ignore.conf"; }; |
| 751 tld { include "tld.conf"; }; | |
| 752 cctld { include "cctld.conf"; }; | |
| 753 html_tags { include "html-tags.conf"; }; | |
| 754 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
| 755 html_limit off; | |
| 756 host_limit on 20 "Mail containing excessive host names rejected"; | |
| 757 host_limit soft 20; | |
| 178 | 758 spamassassin 4; |
| 759 require_match yes; | |
| 760 dcc_greylist yes; | |
| 761 dcc_bulk_threshold 50; | |
| 127 | 762 }; |
| 763 | |
| 764 // backscatter prevention - don't send bounces for mail that we accepted but could not forward | |
| 765 // we only send bounces to our own customers | |
| 766 env_from unknown { | |
| 767 "<>" black; | |
| 768 }; | |
| 136 | 769 |
|
259
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
770 // hourly recipient rate limit by smtp auth client id, |
|
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
771 // or unauthenticated mail from address |
|
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
772 // default hourly limit is 30 |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
773 // daily limits are 4 times the hourly limit |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
774 rate_limit 30 4 { // default |
| 171 | 775 #fred 100; // override default limits |
| 776 #joe 10; // "" | |
|
263
e118fd2c6af0
fix unauthenticated rate limit bug for empty mail from; move unauthenticate rate limit checks after spam filtering
Carl Byington <carl@five-ten-sg.com>
parents:
261
diff
changeset
|
777 #"sam@somedomain.tld" 500; |
|
e118fd2c6af0
fix unauthenticated rate limit bug for empty mail from; move unauthenticate rate limit checks after spam filtering
Carl Byington <carl@five-ten-sg.com>
parents:
261
diff
changeset
|
778 #"@otherdomain.tld" 100; |
| 136 | 779 }; |
| 127 | 780 }; |
| 781 | |
| 171 | 782 context main { |
| 783 dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; | |
| 108 | 784 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; |
| 174 | 785 dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; |
| 108 | 786 dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; |
| 249 | 787 dnswl dnswl.org list.dnswl.org 2; |
| 171 | 788 dnsbl_list local sbl; |
| 249 | 789 dnswl_list dnswl.org; |
| 94 | 790 |
| 108 | 791 content on { |
| 792 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
| 122 | 793 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; |
|
259
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
794 #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; |
| 108 | 795 ignore { include "hosts-ignore.conf"; }; |
| 796 tld { include "tld.conf"; }; | |
| 119 | 797 cctld { include "cctld.conf"; }; |
| 108 | 798 html_tags { include "html-tags.conf"; }; |
| 799 html_limit off; | |
| 800 host_limit soft 20; | |
| 178 | 801 spamassassin 5; |
| 802 require_match yes; | |
| 803 dcc_greylist yes; | |
| 804 dcc_bulk_threshold 20; | |
| 108 | 805 }; |
| 94 | 806 |
|
216
784030ac71f1
Never whitelist self addressed mail. Changes for Fedora 10 and const correctness.
Carl Byington <carl@five-ten-sg.com>
parents:
214
diff
changeset
|
807 generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}" |
| 171 | 808 "your mail server %s seems to have a generic name"; |
| 809 | |
|
259
be939802c64e
add recipient rate limits by email from address or domain
Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
810 white_regex "=example.com=user@yourhostingaccount.com$"; |
|
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
811 |
| 108 | 812 env_to { |
| 171 | 813 # !! replace this with your domain names |
| 108 | 814 # child contexts are not allowed to specify recipient addresses outside these domains |
| 179 | 815 # if this is a backup-mx, you need to include here domains for which you relay to the primary mx |
| 174 | 816 include "/etc/mail/local-host-names"; |
| 108 | 817 }; |
| 94 | 818 |
| 108 | 819 context whitelist { |
| 820 content off {}; | |
| 821 env_to { | |
| 171 | 822 # dcc_to ok { include "/var/dcc/whitecommon"; }; |
| 108 | 823 }; |
| 824 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted | |
| 825 # so all mail TO these env_to addresses is accepted | |
| 826 }; | |
| 94 | 827 |
| 171 | 828 context abuse { |
| 829 dnsbl_list xbl; | |
| 830 content off {}; | |
| 174 | 831 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
| 171 | 832 env_to { |
| 833 abuse@ # no content filtering on abuse reports | |
| 834 postmaster@ # "" | |
| 835 }; | |
| 836 env_from unknown {}; # ignore all parent white/black listing | |
| 837 }; | |
| 838 | |
| 108 | 839 context minimal { |
| 171 | 840 dnsbl_list sbl; |
| 178 | 841 content on { |
| 842 spamassassin 10; | |
| 843 dcc_bulk_threshold many; | |
| 844 }; | |
| 171 | 845 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
| 108 | 846 env_to { |
| 847 }; | |
| 848 }; | |
| 94 | 849 |
| 108 | 850 context blacklist { |
|
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
851 dnsbl_list ; |
|
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
852 dnswl_list ; |
| 108 | 853 env_to { |
| 171 | 854 # dcc_to many { include "/var/dcc/whitecommon"; }; |
| 108 | 855 }; |
| 856 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted | |
| 857 # so all mail TO these env_to addresses is rejected | |
| 858 }; | |
| 94 | 859 |
| 171 | 860 env_from unknown { |
| 861 abuse@ abuse; # replies to abuse reports use the abuse context | |
| 862 # dcc_from { include "/var/dcc/whitecommon"; }; | |
| 108 | 863 }; |
| 864 | |
| 171 | 865 autowhite 90 "autowhite/my-auto-whitelist"; |
| 866 # install should create /etc/dnsbl/autowhite writable by userid dnsbl | |
| 108 | 867 };]]></literallayout> |
| 868 </refsect1> | |
| 94 | 869 |
| 111 | 870 <refsect1 id='version.5'> |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
871 <title>Version</title> |
| 108 | 872 <para> |
|
201
752d4315675c
add reference to mercurial repository in the documentation
Carl Byington <carl@five-ten-sg.com>
parents:
187
diff
changeset
|
873 @VERSION@ |
| 108 | 874 </para> |
| 875 </refsect1> | |
| 876 | |
| 877 </refentry> | |
| 878 </reference> |