annotate xml/dnsbl.in @ 476:fcf66a7aead5 stable-6-0-78

fix dkim regex
author Carl Byington <carl@five-ten-sg.com>
date Sat, 20 Feb 2021 10:24:12 -0800
parents f3f1ece619ba
children
1 <reference>
2 <title>@PACKAGE@ Sendmail milter - Version @VERSION@</title>
3 <partintro>
4 <title>Packages</title>
5
6 <para>
7 The various source and binary packages are available at <ulink
8 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>.
9 The most recent documentation is available at <ulink
10 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>.
11 </para>
12
13 <para>
14 A <ulink
15 url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
16 code repository for this project is available at <ulink
17 url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
18 </para>
19
20 <para>
21 Bitcoin donations for this project may be sent to
22 <ulink url="bitcoin:17n5xJZ9a8csJW2uLeZn7i6jegNKGdLUPJ">bitcoin:17n5xJZ9a8csJW2uLeZn7i6jegNKGdLUPJ</ulink>
23 </para>
24 </partintro>
25
26 <refentry id="@PACKAGE@.1">
27 <refentryinfo>
28 <date>2019-03-09</date>
29 <author>
30 <firstname>Carl</firstname>
31 <surname>Byington</surname>
32 <affiliation><orgname>510 Software Group</orgname></affiliation>
33 <personblurb><para></para></personblurb>
34 </author>
35 </refentryinfo>
36
37 <refmeta>
38 <refentrytitle>@PACKAGE@</refentrytitle>
39 <manvolnum>1</manvolnum>
40 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
41 </refmeta>
42
43 <refnamediv id='name.1'>
44 <refname>@PACKAGE@</refname>
45 <refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose>
46 </refnamediv>
47
48 <refsynopsisdiv id='synopsis.1'>
49 <title>Synopsis</title>
50 <cmdsynopsis>
51 <command>@PACKAGE@</command>
52 <arg><option>-c</option></arg>
53 <arg><option>-s</option></arg>
54 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
55 <arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg>
56 <arg><option>-b <replaceable class="parameter">local-domain-socket</replaceable></option></arg>
57 <arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg>
58 <arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg>
59 <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
60 </cmdsynopsis>
61 </refsynopsisdiv>
62
63 <refsect1 id='options.1'>
64 <title>Options</title>
65 <variablelist>
66 <varlistentry>
67 <term>-c</term>
68 <listitem><para>
69 Load the configuration file, print a canonical form
70 of the configuration on stdout, and exit.
71 </para></listitem>
72 </varlistentry>
73 <varlistentry>
74 <term>-s</term>
75 <listitem><para>
76 Stress test the configuration loading code by repeating
77 the load/free cycle in an infinite loop.
78 </para></listitem>
79 </varlistentry>
80 <varlistentry>
81 <term>-d <replaceable class="parameter">n</replaceable></term>
82 <listitem><para>
83 Set the debug level to <replaceable class="parameter">n</replaceable>.
84 </para></listitem>
85 </varlistentry>
86 <varlistentry>
87 <term>-e <replaceable class="parameter">from|to</replaceable></term>
88 <listitem><para>
89 Print the results of looking up the from and to addresses in the
90 current configuration. The | character is used to separate the from and to
91 addresses in the argument to the -e switch.
92 </para></listitem>
93 </varlistentry>
94 <varlistentry>
95 <term>-b <replaceable class="parameter">local-domain-socket-file-name</replaceable></term>
96 <listitem><para>
97 Set the local socket used for the connection to the dccifd daemon.
98 This is typically /var/dcc/dccifd.
99 </para></listitem>
100 </varlistentry>
101 <varlistentry>
102 <term>-r <replaceable class="parameter">local-domain-socket-file-name</replaceable></term>
103 <listitem><para>
104 Set the local socket used for the connection to our own dns resolver processes.
105 </para></listitem>
106 </varlistentry>
107 <varlistentry>
108 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term>
109 <listitem><para>
110 Set the socket used for the milter connection to sendmail. This is either
111 "inet:port@ip-address" or "local:local-domain-socket-file-name". If you use an
inet socket, bind it to an address that untrusted hosts cannot reach (for example a
loopback address), since the milter connection itself is not authenticated; a local
socket is the simplest choice when sendmail runs on the same host.
112 </para></listitem>
113 </varlistentry>
114 <varlistentry>
115 <term>-t <replaceable class="parameter">timeout</replaceable></term>
116 <listitem><para>
117 Set the timeout in seconds used for communication with sendmail.
118 </para></listitem>
119 </varlistentry>
120 </variablelist>
121 </refsect1>
122
123 <refsect1 id='usage.1'>
124 <title>Usage</title>
125 <para><command>@PACKAGE@</command> -c</para>
126 <para><command>@PACKAGE@</command> -s</para>
127 <para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para>
128 <para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para>
129 </refsect1>
130
131 <refsect1 id='installation.1'>
132 <title>Installation</title>
133 <para>
134 This is now a standard GNU autoconf/automake installation, so the normal
135 "./configure; make; su; make install" works. "make chkconfig" will
136 setup the init.d runlevel scripts. Alternatively, you can use the
137 source or binary RPMs at <ulink
138 url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>.
139 </para>
140 <para>
141 Note that this has ONLY been tested on Linux, specifically RedHat Linux.
142 In particular, this milter makes no attempt to understand IPv6. Your
143 mileage will vary. You will need at a minimum a C++ compiler with a
144 minimally thread safe STL implementation. The distribution includes a
145 test.cpp program. If it fails this milter won't work. If it passes,
146 this milter might work.
147 </para>
148 <para>
149 Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add
150 the following line in your sendmail.mc and rebuild the .cf file
151 </para>
152 <para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para>
<para>
The F=T flag makes sendmail return a temporary (4xx) failure when it cannot reach
the milter, so mail is deferred rather than accepted unfiltered; the T= values are
the connect, send, receive and end-of-message timeouts for the milter connection.
</para>
153 <para>
154 Modify the default <citerefentry>
155 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
156 </citerefentry> configuration.
157 </para>
158 </refsect1>
159
160 <refsect1 id='configuration.1'>
161 <title>Configuration</title>
162 <para>
163 The configuration file is documented in <citerefentry>
164 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
165 </citerefentry>. Any change to the config file, or any file included
166 from that config file, will cause it to be reloaded within three
167 minutes.
168 </para>
169 </refsect1>
170
171 <refsect1 id='introduction.1'>
172 <title>Introduction</title>
173 <para>
174 Consider the case of a mail server that is acting as secondary MX for a
175 collection of clients, each of which has a collection of mail domains.
176 Each client may use their own collection of DNSBLs on their primary mail
177 server. We present here a mechanism whereby the backup mail server can
178 use the correct set of DNSBLs for each recipient for each message. As a
179 side-effect, it gives us the ability to customize the set of DNSBLs on a
180 per-recipient basis, so that fred@example.com could use LOCAL and the
181 SBL, where all other users @example.com use only the SBL.
182 </para>
183 <para>
184 This milter can also verify the envelope from/recipient pairs with the
185 primary MX server. This allows the backup mail servers to properly
186 reject mail sent to invalid addresses. Otherwise, the backup mail
187 servers will accept that mail, and then generate a bounce message when
188 the message is forwarded to the primary server (and rejected there with
189 no such user). Because the envelope sender of spam is usually forged, those bounces go to uninvolved third parties; this is the primary cause of backscatter.
190 </para>
191 <para>
192 This milter will also decode (uuencode, base64, mime, html entity, url
193 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the
194 body of the mail. If any of those host names have A or NS records on
195 the SBL (or a single configurable DNSBL), the mail will be rejected
196 unless previously whitelisted. This milter also counts the number of
197 invalid HTML tags, and can reject mail if that count exceeds your
198 specified limit.
199 </para>
200 <para>
201 This milter can also impose hourly and daily rate
202 limits on the number of recipients accepted from SMTP
203 AUTH connections, that would otherwise be allowed to
204 relay thru this mail server with no spam filtering. If
205 the connection does not use SMTP AUTH, the rate limits
206 may be specified by the mail from email address or
207 domain.
208 </para>
209 <para>
210 This milter can also impose hourly and daily limits on the number of
211 different ip addresses used for SMTP AUTH connections. If a single
212 user is connecting from too many different ip addresses, we presume that
213 their authentication credentials have been compromised, and block their
214 outgoing mail.
215 </para>
216 <para>
217 Consider the case of a message from A to B passing thru this milter. If
218 that message is not blocked, then we might eventually see a reply
219 message from B to A. If the filtering context for A includes an
220 autowhite entry, and that context does <emphasis>not</emphasis> cover B
221 as a recipient, then this milter will add an entry in that file to
222 whitelist such replies for a configurable time period. Suppose A and B
223 are in the same domain, or at least use the same filtering context. In
224 that case we don't want to add a whitelist entry for B, since that would
225 then allow spammers to send mail from B (forged) to B. Such autowhite
226 files need to be writable by the dnsbl user, whereas all the other dnsbl
227 configuration files only need to be readable by the dnsbl user, and should not
be writable by it: the milter reloads them automatically whenever they change, so
write access to any of them amounts to control over the filter.
228 </para>
229 <para>
230 You can manually add such an autowhite entry, by appending a single
231 text line to the autowhitelist file, using something like
232 <command>echo "$mail 0" >>"$autowhitefile"</command>.
233 You can manually remove such an autowhite entry, by appending a single
234 text line to the autowhitelist file, using something like
235 <command>echo "$mail 1" >>"$autowhitefile"</command>.
236 </para>
237 <para>
238 The DNSBL milter reads a text configuration file (dnsbl.conf) on
239 startup, and whenever the config file (or any of the referenced include
240 files) is changed. The entire configuration file is case insensitive.
241 If the configuration cannot be loaded due to a syntax error, the milter
242 will log the error and quit. If the configuration cannot be reloaded
243 after being modified, the milter will log the error and send an email to
244 root from dnsbl@$hostname. You probably want to add dnsbl@$hostname
245 to your /etc/mail/virtusertable since otherwise sendmail will reject
246 that message.
247 </para>
248 </refsect1>
249
250 <refsect1 id='dcc.1'>
251 <title>DCC Issues</title>
252 <para>
253 If you are also using the <ulink
254 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there
255 are a few considerations. You may need to whitelist senders from the
256 DCC bulk detector, or from the DNS based lists. Those are two very
257 different reasons for whitelisting. The former is done through the DCC
258 whiteclnt config file, the latter is done through the DNSBL milter config
259 file.
260 </para>
261 <para>
262 You may want to blacklist some specific senders or sending domains.
263 This could be done through the DCC (on a global basis, or for a
264 specific single recipient). We prefer to do such blacklisting via the
265 DNSBL milter config, since it can be done for a collection of recipient
266 mail domains. The DCC approach has the feature that you can capture the
267 entire message in the DCC log files. The DNSBL milter approach has the
268 feature that the mail is rejected earlier (at RCPT TO time), and the
269 sending machine just gets a generic "550 5.7.1 no such user" message, which does not reveal that the sender was blacklisted.
270 </para>
271 <para>
272 The DCC whiteclnt file can be included in the DNSBL milter config by the
273 dcc_to and dcc_from statements. This will import the (env_to, env_from,
274 and substitute mail_host) entries from the DCC config into the DNSBL
275 config. This allows using the DCC config as the single point for
276 white/blacklisting.
277 </para>
278 <para>
279 Consider the case where you have multiple clients, each with their own
280 mail servers, and each running their own DCC milters. Each client is
281 using the DCC facilities for envelope from/to white/blacklisting.
282 Presumably you can use rsync or scp to fetch copies of your clients' DCC
283 whiteclnt files on a regular basis; since those files control white/blacklisting on your server, fetch them over an authenticated channel such as ssh. Your mail server, acting as a
284 backup MX for your clients, can use the DNSBL milter, and include those
285 client DCC config files. The envelope from/to white/blacklisting will
286 be appropriately tagged and used only for the domains controlled by each
287 of those clients.
288 </para>
289 <para>
290 You can now use (via dccifd) different dcc filtering parameters on a per
291 context basis. See the dcc_greylist and dcc_bulk_threshold statements
292 in the <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
293 <manvolnum>5</manvolnum> </citerefentry> configuration. Those
294 statements are only active if you supply the <option>-b</option> option
295 on the dnsbl command line. If you use the dcc via the standard dcc
296 milter (dccm), then connections from clients that use SMTP AUTH are
297 still subject to greylisting. If you use the dcc via dccifd and this
298 milter, then connections from clients that use SMTP AUTH are never
299 subject to greylisting. As part of this per-user greylisting, you need
300 to move the dnsblnogrey file from the config directory to something
301 like /var/dcc/userdirs/dnsblnogrey/whiteclnt so the dccifd will
302 properly ignore greylisting for those recipients that don't want it.
303 </para>
304 </refsect1>
305
306 <refsect1 id='definitions.1'>
307 <title>Definitions</title>
308 <para>
309 CONTEXT - a collection of parameters that defines the filtering context
310 to be used for a collection of envelope recipient addresses. The
311 context includes such things as the list of DNSBLs to be used, and the
312 various content filtering parameters.
313 </para>
314 <para>
315 DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g.
316 sbl-xbl.spamhaus.org) and a message string that is used to generate the
317 "550 5.7.1" smtp error return code. The names of these DNSBLs will be
318 used to define the DNSBL-LISTs.
319 </para>
320 <para>
321 DNSBL-LIST - a named list of DNSBLs that will be used for specific
322 recipients or recipient domains.
323 </para>
324 <para>
325 DNSWL - a named DNS based white list is defined by a dns suffix (e.g.
326 list.dnswl.org) and an integer level. If x in the 127.0.z.x return code
327 from the white list is greater than or equal to the configured level, then the
328 ip address is considered to match, and the message will be whitelisted.
329 The names of these DNSWLs will be used to define the DNSWL-LISTs.
330 </para>
331 <para>
332 DNSWL-LIST - a named list of DNSWLs that will be used for specific
333 recipients or recipient domains.
334 </para>
335 </refsect1>
336
337 <refsect1 id='filtering.1'>
338 <title>Filtering Procedure</title>
339 <para>
340 The SMTP envelope 'from' and 'to' values are used in various checks.
341 The first check is to see if a reply message (swapping the env_from and
342 env_to values) would be unconditionally blocked (just based on the
343 envelope from address). That check is similar to the main check
344 described below, but there is no body content to be scanned, and there
345 is no client connection ip address to be checked against DNSBLs. If
346 such a reply message would be blocked, we also block the original
347 outgoing message. This prevents folks from sending mail to recipients
348 that are unable to reply.
349 </para>
350 <para>
351 If the client has authenticated with sendmail, the recipient rate limits
352 and connection ip address limits are
353 checked. If the authenticated user has not exceeded the hourly or daily rate
354 limits, then the mail is accepted, the filtering contexts are not used,
355 the dns lists are not checked, and the body content is not scanned. These
356 rate limits can also be applied to unauthenticated connections, in which case
357 the envelope from value is used as the authentication id for lookup purposes (that value is chosen by the remote client, so these limits bound volume per claimed sender address rather than per client).
358 If
359 the client has not authenticated with sendmail, we follow these steps
360 for each recipient.
361 </para>
362 <orderedlist>
363 <listitem><para>
364 The envelope to email address is used to find an initial filtering
365 context. We first look for a context that specified the full email
366 address in the env_to statement. If that is not found, we look for a
367 context that specified the entire domain name of the envelope recipient
368 in the env_to statement. If that is not found, we look for a context
369 that specified the user@ part of the envelope recipient in the env_to
370 statement. If that is not found, we use the first top level context
371 defined in the config file.
372 </para></listitem>
373 <listitem><para>
374 The initial filtering context may redirect to a child context based on
375 the values in the initial context's env_from statement. We look for [1)
376 the full envelope from email address, 2) the domain name part of the
377 envelope from address, 3) the user@ part of the envelope from address]
378 in that context's env_from statement, with values that point to a child
379 context. If such an entry is found, we switch to that child filtering
380 context.
381 </para></listitem>
382 <listitem><para>
383 We lookup [1) the full envelope from email address, 2) the domain name
384 part of the envelope from address, 3) the user@ part of the envelope
385 from address] in the filtering context env_from statement. That results
386 in one of (white, black, unknown, inherit).
387 </para></listitem>
388 <listitem><para>
389 If the answer is black, mail to this recipient is rejected with "no such
390 user", and the dns lists are not checked.
391 </para></listitem>
392 <listitem><para>
393 If the answer is white, the mail is not from localhost,
394 and the envelope from domain name is listed in the current (or any parent)
395 filtering context's dkim_from with "required_signed" or "unsigned_black",
396 we downgrade this white answer to unknown. If the answer is still white,
397 mail to this recipient is accepted and the dns lists are not checked.
398 </para></listitem>
399 <listitem><para>
400 If the answer is unknown, we don't reject yet, but the dns lists will be
401 checked, and the content may be scanned.
402 </para></listitem>
403 <listitem><para>
404 If the answer is inherit, we repeat the envelope from search in the
405 parent context.
406 </para></listitem>
407 <listitem><para>
408 If the mail has not been accepted or rejected yet, and the filtering
409 context (or any ancestor context) specifies a non-empty whitelist regular
410 expression, then we check the envelope from value against that regex.
411 The mail is accepted if the envelope from value matches the specified regular
412 expression.
413 </para></listitem>
414 <listitem><para>
415 If the mail has not been accepted or rejected yet, and the envelope from
416 email address is not empty, the dns white lists
417 specified in the filtering context are checked and the mail is accepted
418 if any list has an A record for the standard dns based lookup scheme
419 (reversed octets of the client followed by the dns suffix) with a final
420 octet greater than or equal to the level specified for that dnswl.
421 </para></listitem>
422 <listitem><para>
423 If the mail has not been accepted or rejected yet, the dns black lists
424 specified in the filtering context are checked and the mail is rejected
425 if any list has an A record for the standard dns based lookup scheme
426 (reversed octets of the client followed by the dns suffix).
427 </para></listitem>
428 <listitem><para>
429 If the mail has not been accepted or rejected yet, and the filtering
430 context (or any ancestor context) requires matching reverse dns client
431 name, the mail is rejected if the client name is empty or forged.
432 </para></listitem>
433 <listitem><para>
434 If the mail has not been accepted or rejected yet, and the filtering
435 context (or any ancestor context) specifies a non-empty generic regular
436 expression, then we check the fully qualified client name (obtained via
437 the sendmail macro "_"). The mail is rejected if the client name
438 matches the specified regular expression.
439 </para></listitem>
440 <listitem><para>
441 If the mail has not been accepted or rejected yet, we look for a
442 verification context, which is the closest ancestor of the filtering
443 context that both specifies a verification host, and which covers the
444 envelope to address. If we find such a verification context, and the
445 verification host is not our own hostname, we open an smtp conversation
446 with that verification host. The current envelope from and recipient to
447 values are passed to that verification host. If we receive a 5xy
448 response to either of those commands, we reject the current recipient with "no such
449 user".
450 </para></listitem>
451 <listitem><para>
452 If the mail has not been accepted or rejected yet, and the filtering
453 context enables content filtering, and this is the first such recipient
454 in this smtp transaction, we set the content filtering parameters from
455 this context, and enable content filtering for the body of this message.
456 </para></listitem>
457 </orderedlist>
458 <para>
459 For each recipient that was accepted, we search for an autowhite entry
460 starting in the reply filtering context. If an autowhite entry is found,
461 and the local part of the recipient address is shorter than 35 characters,
462 we add the recipient to that auto whitelist file. This will prevent reply
463 messages from being blocked by the dnsbl or content filtering.
464 </para>
465 <para>
466 If the mail is from localhost we skip the following dkim checks, since
467 such mail will never be dkim signed. This is typically mail that is generated by
468 apache forms. Note that this exemption applies to any mail submitted from the local host, not only to web forms.
469 </para>
470 <para>
471 If content filtering is enabled for this body, we look for dkim_signer
472 and dkim_from sections in the current context and parents. We collect the
473 signers of this message from the header added by the dkim-milter. If any
474 of the message signers are whitelisted, the message is accepted.
475 </para>
476 <para>
477 If the header from domain maps to required_signed then:
478 If any of the message signers are in that list, or if
479 the source ip address passes a strong spf check for the header from
480 domain, the message is accepted. Otherwise, the message is rejected.
481 </para>
482 <para>
483 If the header from domain maps to signed_white then:
484 If any of the message signers are in that list, or if
485 the source ip address passes a strong spf check for the header from
486 domain, the message is accepted. Otherwise, processing continues.
487 </para>
488 <para>
489 If the header from domain maps to signed_black then:
490 If any of the message signers are in that list, the message is rejected.
491 Otherwise, processing continues.
492 </para>
493 <para>
494 If the header from domain maps to unsigned_black then:
495 If any of the message signers are in that list, or if
496 the source ip address passes a strong spf check for the header from
497 domain, processing continues. Otherwise, the message is rejected.
498 This is very close to enforcing DMARC for the header from domain.
499 </para>
500 <para>
501 If any of the message signers are blacklisted, the message is rejected.
502 </para>
503 <para>
504 If content filtering is enabled for this body, the mail text is decoded
505 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP
506 and HTTPS URLs or bare host names. Hostnames must be either ip address
507 literals, or must end in a string defined by the TLD list. The first
508 &lt;configurable&gt; host names are checked as follows.
509 </para>
510 <para>
511 The only known list that is suitable for the content filter DNSBL is the
512 SBL. If the content filter DNSBL is defined, and any of those host
513 names resolve to ip addresses that are on that DNSBL (or have
514 nameservers that are on that list), and the host name is not on the
515 &lt;configurable&gt; ignore list, the mail is rejected.
516 </para>
517 <para>
518 If the content uribl DNSBL is defined, and any of those host names are
519 on that DNSBL, and the host name is not on the &lt;configurable&gt;
520 ignore list, the mail is rejected. There are three lists that are suitable
521 here, URIBL, SURBL, and DBL.
522 </para>
523 <para>
524 If any non-whitelisted recipient has a filtering context with a non-zero
525 spamassassin limit, then the message is passed thru spamassassin (via
526 spamc), and the message is rejected for those recipients with spamassassin
527 limits less than the resulting spamassassin score. For example, a
528 spamassassin limit of three will reject messages with spamassassin scores
529 of four or greater. If the filtering context has a spamassassin limit of
530 zero, then spamassassin is not called (or if called the results are not used)
531 for this recipient.
532 </para>
533 <para>
534 If any non-whitelisted recipient has a filtering context that specifies
535 DCC greylisting, then the message is passed thru the DCC bulk detector,
536 and the message is greylisted (for all recipients) if the DCC says this
537 message should be delayed.
538 </para>
539 <para>
540 If any non-whitelisted recipient has a filtering context with a non-zero
541 DCC bulk threshold, then the message is passed thru the DCC bulk detector,
542 and the message is rejected for those recipients with DCC thresholds less
543 than or equal to the DCC bulk score.
544 </para>
545 <para>
546 We also scan for excessive bad html tags, and if a &lt;configurable&gt;
547 limit is exceeded, the mail is rejected.
548 </para>
549 </refsect1>
550
551 <refsect1 id='dmarc.1'>
552 <title>DMARC vs dkim_from require_signed</title>
553 <para>
554 Note that DNSBL does not implement rfc7489 DMARC. We do not look for
555 _dmarc.$DOMAIN txt records.
556 </para>
557 <para>
558 The restrictions imposed by require_signed are similar but not
559 identical to a DMARC reject policy with strict identifier alignment.
560 When doing SPF fallback, DMARC checks SPF based on the rfc5321
561 envelope from domain. DNSBL checks SPF based on the rfc5322 header
562 from domain.
563 DMARC does not allow mail from good.example.com to be
564 signed by trusted.example.net - which is a common case. Both Microsoft
565 Office365 and Google run mail for customer domains, but use DKIM
566 signing domains in onmicrosoft.com and gappssmtp.com, which are
567 unrelated to the customer domain. DMARC in the default relaxed
568 alignment mode allows evil.example.com to sign mail from
569 good.example.com. DNSBL specifies the exact list of acceptable signing
570 domains, rather than inferring it from child/parent relationships, or
571 using public
572 suffix lists to find the organizational domain. We can block mail
573 from marketing.example.com while accepting mail from
574 billing.example.com, even if both are DKIM signed by example.com.
575 </para>
576 <para>
577 Suppose we have:
578 <literallayout class="monospaced"><![CDATA[
579 rfc5321 envelope from = one@evil.example.com
580 rfc5322 header from = two@good.example.com
581 authentication results = dkim pass header.d=other.example.com
582 _dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim=s; aspf=s"
583 dkim_from {good.example.com require_signed other.example.com;}
584 ]]></literallayout>
585 DMARC would fail the strict identifier alignment. DNSBL allows
586 us to require DKIM signatures that are unrelated
587 to the rfc5322 header from, so we accept this message.
588 </para>
589 <para>
590 Suppose we have:
591 <literallayout class="monospaced"><![CDATA[
592 rfc5321 envelope from = one@evil.example.com
593 rfc5322 header from = two@good.example.com
594 authentication results = dkim pass header.d=other.example.net
595 _dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim=r; aspf=r"
596 dkim_from {good.example.com require_signed other.example.net;}
597 ]]></literallayout>
598 DMARC would pass the relaxed spf identifier alignments,
599 and would check the evil.example.com spf record. If that
600 allowed the source ip, DMARC would accept the message.
601 DMARC would not check DKIM since example.com and example.net
602 do not pass even the relaxed identifier alignment requirement.
603 DNSBL allows us to require DKIM signatures that are not
604 related to the rfc5322 header from domain, so we accept
605 the message based on the DKIM signature and don't need to
606 fall back to SPF.
607 </para>
608 <para>
609 Suppose we have:
610 <literallayout class="monospaced"><![CDATA[
611 rfc5321 envelope from = one@evil.example.com
612 rfc5322 header from = two@good.example.com
613 authentication results = dkim fail header.d=other.example.net
614 _dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim=r; aspf=r"
615 evil.example.com txt = "v=spf1 ... including the source ip
616 good.example.com txt = "v=spf1 ... not including the source ip
617 dkim_from {good.example.com require_signed other.example.net;}
618 ]]></literallayout>
619 DNSBL allows us to require DKIM signatures that are not
620 related to the rfc5322 header from domain. In this case
621 the signature fails, so we fall back to an SPF check.
622 We check SPF based on the rfc5322 header from, and
623 good.example.com does not allow the source ip, so we reject
624 this message.
625 DMARC would accept that message based on the SPF check
626 for evil.example.com.
627 </para>
628 </refsect1>
629
630 <refsect1 id='access.1'>
631 <title>Sendmail access vs. DNSBL</title>
632 <para>
633 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
634 suppressed by entries in the /etc/mail/access database. For example,
635 suppose you control a /18 of address space, and have allocated some /24s
636 to some clients. You have access entries like
637 <literallayout class="monospaced"><![CDATA[
638 192.168.4 OK
639 192.168.17 OK]]></literallayout>
640 </para>
641 <para>
642 to allow those clients to smarthost thru your mail server. Now if one
643 of those clients happens to get infected with a virus that turns a machine
644 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you
645 will still wind up allowing that infected machine to smarthost thru your
646 mail servers.
647 </para>
648 <para>
649 With this DNSBL milter, the sendmail access database cannot override the
650 dnsbl checks, so that machine won't be able to send mail to or thru your
651 smarthost mail server (unless the virus/proxy can authenticate via smtp-auth; an authenticated connection is fully whitelisted and bypasses these checks).
652 </para>
653 <para>
654 Using the standard sendmail features, you would add access entries to
655 allow hosts on your local network to relay thru your mail server. Those
656 OK entries in the sendmail access database will override all the dnsbl
657 checks. With this DNSBL milter, you will need to have the local users
658 authenticate with smtp-auth to get the same effect. Since an authenticated connection bypasses all the dnsbl checks, offer AUTH only over TLS and guard those credentials. You might find
659 <ulink
660 url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
661 these directions</ulink> helpful for setting up smtp-auth if you are on
662 Red Hat Linux.
663 </para>
664 </refsect1>
665
666 <refsect1 id='performance.1'>
667 <title>Performance Issues</title>
668 <para>
669 Consider a high volume high performance machine running sendmail. Each
670 sendmail process can do its own dns resolution. Typically, such dns
671 resolver libraries are not thread safe, and so must be protected by some
672 sort of mutex in a threaded environment. When we add a milter to
673 sendmail, we now have a collection of sendmail processes, and a
674 collection of milter threads.
675 </para>
676 <para>
677 We will be doing a lot of dns lookups per mail message, and at least
678 some of those will take many tens of seconds. If all this dns work is
679 serialized inside the milter, we have an upper limit of about 25K mail
680 messages per day. That is clearly not sufficient for many sites.
681 </para>
682 <para>
683 Since we want to do parallel dns resolution across those milter threads,
684 we add another collection of dns resolver processes. Each sendmail
685 process is talking to a milter thread over a socket, and each milter
686 thread is talking to a dns resolver process over another socket.
687 </para>
688 <para>
689 Suppose we are processing 20 messages per second, and each message
690 requires 20 seconds of dns work. Then we will have 400 sendmail
691 processes, 400 milter threads, and 400 dns resolver processes. Of
692 course that steady state is very unlikely to happen.
693 </para>
694 </refsect1>
695
696
697 <refsect1 id='rejected.1'>
698 <title>Rejected Ideas</title>
699 <para>
700 The following ideas have been considered and rejected.
701 </para>
702 <para>
703 Add max_recipients setting to the context configuration. Recipients in
704 excess of that limit will be rejected, and all the non-whitelisted
705 recipients will be removed. Current spammers *very* rarely send more
706 than ten recipients in a single smtp transaction, so this won't stop any
707 significant amount of spam.
708 </para>
709 <para>
710 Add poison addresses to the configuration. If any recipient is
711 poison, all recipients are rejected even if they would be whitelisted,
712 and the data is rejected if sent. I have a collection of spam trap
713 addresses that would be suitable for such use. Based on my log files,
714 any mail to those spam trap addresses is rejected based on either dnsbl
715 lookups or the DCC. So this won't result in blocking any additional
716 spam.
717 </para>
718 <para>
719 Add an option to only allow one recipient if the return path is
720 empty. Based on my log files, there is no mail that violates this
721 check.
722 </para>
723 <para>
724 Reject the mail if the envelope from domain name contains any MX
725 records pointing to 127.0.0.0/8. I don't see any significant amount of
726 spam sent with such domain names.
727 </para>
728 </refsect1>
729
730 <refsect1 id='todo.1'>
731 <title>TODO</title>
732 <para>
733 The following ideas are under consideration.
734 </para>
735 <para>
736 More complete SPF check.
737 </para>
738 <para>
739 Add config switch to require the HELO argument to resolve to an ip address.
740 </para>
741 <para>
742 Add white/unknown to config for smtp authenticated connections. Currently
743 any authenticated connection is fully whitelisted. The only spam control
744 on those connections is rate limiting, so a compromised account is limited only by its rate_limit entry. This feature would allow content based
745 spam controls to be applied even to authenticated connections. Add
746 context/authenticated_dnsbl_list and context/content/authenticated.
747 </para>
748 <para>
749 Add an optional list of domains to be enforced on the env_from value for
750 authenticated connections. User abc could be restricted to envelope from
751 values of a.com and b.com, user def could be restricted to envelope from
752 values of dd.com and ee.com. This would stop an authenticated (possibly compromised) account from forging envelope senders in domains it is not allowed to use.
753 </para>
754 <para>
755 Look for href="hostname/path" strings that are missing the required
756 http:// protocol header. Such references are still clickable in common
757 mail software.
758 </para>
759 </refsect1>
760
761 <refsect1 id='copyright.1'>
762 <title>Copyright</title>
763 <para>
764 Copyright (C) 2012 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
765 </para>
766 <para>
767 This program is free software; you can redistribute it and/or modify it
768 under the terms of the GNU General Public License as published by the
769 Free Software Foundation; either version 3, or (at your option) any
770 later version.
771 </para>
772 <para>
773 You should have received a copy of the GNU General Public License along
774 with this program; see the file COPYING. If not, please write to the
775 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
776 </para>
777 </refsect1>
778
779 <refsect1 id='version.1'>
780 <title>Version</title>
781 <para>
782 @VERSION@
783 </para>
784 </refsect1>
785 </refentry>
786
787
788 <refentry id="@PACKAGE@.conf.5">
789 <refentryinfo>
790 <date>2019-03-09</date>
791 <author>
792 <firstname>Carl</firstname>
793 <surname>Byington</surname>
794 <affiliation><orgname>510 Software Group</orgname></affiliation>
795 <personblurb><para></para></personblurb>
796 </author>
797 </refentryinfo>
798
799 <refmeta>
800 <refentrytitle>@PACKAGE@.conf</refentrytitle>
801 <manvolnum>5</manvolnum>
802 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
803 </refmeta>
804
805 <refnamediv id='name.5'>
806 <refname>@PACKAGE@.conf</refname>
807 <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose>
808 </refnamediv>
809
810 <refsynopsisdiv id='synopsis.5'>
811 <title>Synopsis</title>
812 <cmdsynopsis>
813 <command>@PACKAGE@.conf</command>
814 </cmdsynopsis>
815 </refsynopsisdiv>
816
817 <refsect1 id='description.5'>
818 <title>Description</title>
819 <para>The <command>@PACKAGE@.conf</command> configuration file is
820 specified by this partial bnf description. Comments start with //
821 or # and extend to the end of the line. To include the contents
822 of some file verbatim in the dnsbl.conf file (the included file is read with the same trust as the main configuration, so protect it with the same file permissions), use
823 <literallayout class="monospaced"><![CDATA[include "<file>";]]></literallayout>
824 </para>
825
826 <literallayout class="monospaced"><![CDATA[
827 CONFIG = {CONTEXT ";"}+
828 CONTEXT = "context" NAME "{" {STATEMENT}+ "}"
829 STATEMENT = ( DNSBL | DNSBLLIST | DNSWL | DNSWLLIST | CONTENT | ENV-TO
830 | VERIFY | GENERIC | W-REGEX | AUTOWHITE | CONTEXT | ENV-FROM
831 | RATE-LIMIT | REQUIRERDNS) ";"
832
833 DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1
834 DNSBLLIST = "dnsbl_list" {NAME}*
835
836 DNSWL = "dnswl" NAME DNSPREFIX LEVEL
837 DNSWLLIST = "dnswl_list" {NAME}*
838 LEVEL = INTEGER
839
840 REQUIRERDNS = "require_rdns" ("yes" | "no")
841
842 CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}"
843 CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | HTML-TAGS | HTML-LIMIT |
844 HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | DCCBULK | DKIMSIGNER |
845 DKIMFROM) ";"
846 FILTER = "filter" DNSPREFIX ERROR-MSG2
847 URIBL = "uribl" DNSPREFIX ERROR-MSG3
848 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}"
849 TLD = "tld" "{" {TLD [";"]}+ "}"
850 HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}"
851 ERROR-MSG1 = string containing exactly two %s replacement tokens
852 both are replaced with the client ip address
853 ERROR-MSG2 = string containing exactly two %s replacement tokens
854 the first is replaced with the hostname, and the second
855 is replaced with the ip address
856 ERROR-MSG3 = string containing exactly two %s replacement tokens
857 both are replaced with the hostname
858
859 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off")
860
861 HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" |
862 "soft" INTEGER)
863 SPAMASS = "spamassassin" INTEGER
864 REQUIRE = "require_match" ("yes" | "no")
865 DCCGREY = "dcc_greylist" ("yes" | "no")
866 DCCBULK = "dcc_bulk_threshold" (INTEGER | "many" | "off")
867
868 DKIMSIGNER = "dkim_signer" "{" {SIGNING_DOMAIN DEF [";"]}+ "}"
869 DKIMFROM = "dkim_from" "{" {HEADER_FROM_DOMAIN DKIMVALUE SIGNERS [";"]}+ "}"
870 DKIMVALUE = "signed_white" | "signed_black" | "require_signed" | "unsigned_black"
871 SIGNERS = '"' SIGNING_DOMAINS[;EXTRA_SPF_DATA] '"'
872 SIGNING_DOMAINS = SIGNING_DOMAIN[,SIGNING_DOMAINS]
873
874 ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}"
875 TO-ADDR = ADDRESS [";"]
876 DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"
877
878 VERIFY = "verify" HOSTNAME ";"
879 GENERIC = "generic" REGULAREXPRESSION ERROR-MSG4 ";"
880 W-REGEX = "white_regex" REGULAREXPRESSION ";"
881 ERROR-MSG4 = string containing exactly one %s replacement token
882 which is replaced with the client name
883 AUTOWHITE = "autowhite" DAYS FILENAME ";"
884
885 ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}"
886 FROM-ADDR = ADDRESS VALUE [";"]
887 DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";"
888
889 RATE-LIMIT = "rate_limit" DEFAULT_RCPT_LIMIT DAILY_MULTIPLE_RCPT
890 DEFAULT_IP_LIMIT DAILY_MULTIPLE_IP "{" (RATE)+ "}"
891 RATE = USER RCPTLIMIT IPLIMIT ";"
892 RCPTLIMIT = INTEGER
893 DEFAULT_RCPT_LIMIT = INTEGER
894 DAILY_MULTIPLE_RCPT = INTEGER
895 DEFAULT_IP_LIMIT = INTEGER
896 DAILY_MULTIPLE_IP = INTEGER
897
898 DEF = ("white" | "black" | "unknown")
899 DEFAULT = (DEF | "inherit" | "")
900 ADDRESS = (USER@ | DOMAIN | USER@DOMAIN)
901 VALUE = (DEF | "inherit" | CHILD-CONTEXT-NAME)]]></literallayout>
902 </refsect1>
903
904 <refsect1 id='sample.5'>
905 <title>Sample</title>
906 <literallayout class="monospaced"><![CDATA[
907 context main-default {
908 // outbound dnsbl filtering to catch our own customers that end up on the sbl
909 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
910 dnsbl_list sbl;
911
912 // outbound content filtering to prevent our own customers from sending spam
913 content on {
914 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
915 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
916 #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
917 #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
918 ignore { include "hosts-ignore.conf"; };
919 tld { include "tld.conf"; };
920 html_tags { include "html-tags.conf"; };
921 html_limit on 20 "Mail containing excessive bad html tags rejected";
922 html_limit off;
923 host_limit on 20 "Mail containing excessive host names rejected";
924 host_limit soft 20;
925 spamassassin 4;
926 require_match yes;
927 dcc_greylist yes;
928 dcc_bulk_threshold 50;
929 };
930
931 // backscatter prevention - do not send bounces for mail that we accepted but could not forward
932 // we only send bounces to our own customers
933 env_from unknown {
934 "<>" black;
935 };
936
937 // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address
938 // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address
939 // default hourly recipient rate limit is 30
940 // daily recipient rate limits are 4 times the hourly limit
941 // default hourly unique ip addresses is 5
942 // daily unique ip addresses are 4 times the hourly limit
943 rate_limit 30 4 5 4 { // default
944 fred 100 10; // override default limits
945 joe 10 2; // ""
946 "sam@somedomain.tld" 500 2;
947 "@otherdomain.tld" 100 2;
948 };
949 };
950
951 context main {
952 dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
953 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
954 dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
955 dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
956 dnswl dnswl.org list.dnswl.org 2;
957 dnsbl_list local sbl;
958 dnswl_list dnswl.org;
959 require_rdns yes;
960
961 content on {
962 dkim_signer {
963 #
964 # anything signed by this is accepted.
965 accounts.google.com white;
966 };
967 dkim_from {
968 #
969 # dmarc enforcement
970 aim.com unsigned_black "aim.com,mx.aim.com";
971 aol.com unsigned_black "aol.com,mx.aol.com";
972 yahoo.co.uk unsigned_black yahoo.co.uk;
973 yahoo.com unsigned_black yahoo.com;
974 yahoo.in unsigned_black yahoo.in;
975 #
976 # white/blacklisting based on presence of valid signatures
977 credit.paypal.com require_signed credit.paypal.com;
978 paypal.com require_signed paypal.com;
979 dhl.com require_signed dhl.com;
980 adp.com require_signed "adp.com,bmi.adp.com";
981 #
982 # blacklisting based on header from value - requiring signatures
983 # from an impossible signer.
984 spammer.domain require_signed .;
985 #
986 # whitelisting based on strong spf pass - whitelisted if signed by
987 # an impossible signer (which will never happen) or strong spf pass.
988 some.domain signed_white .;
989 #
990 # whitelisting based on strong spf pass - whitelisted if signed by
991 # an impossible signer (which will never happen) or strong spf pass
992 # with some extra spf data added to their record. This whitelists their
993 # email that arrives via 10.0.0.0/16 (or via anything listed in their
994 # actual spf record).
995 some.other.domain signed_white ".;ip4:10.0.0.0/16";
996 #
997 # whitelisting based on valid signature or strong spf pass.
998 # some paychex mail is signed, some is unsigned but passes strong spf.
999 paychex.com require_signed paychex.com;
1000 #
1001 # whitelisting from mailchimp which needs wildcards
1002 princetheater.org require_signed "mandrillapp.com,*.mcsignup.com,*.mcsv.net,*.rsgsv.net,*.mcdlv.net";
1003 #
1004 };
1005 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
1006 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
1007 #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
1008 #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
1009 ignore { include "hosts-ignore.conf"; };
1010 tld { include "tld.conf"; };
1011 html_tags { include "html-tags.conf"; };
1012 html_limit off;
1013 host_limit soft 20;
1014 spamassassin 5;
1015 require_match yes;
1016 dcc_greylist yes;
1017 dcc_bulk_threshold 20;
1018 };
1019
1020 generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}"
1021 "your mail server %s seems to have a generic name";
1022
1023 white_regex "=example.com=user@yourhostingaccount.com$";
1024
1025 env_to {
1026 # !! replace this with your domain names
1027 # child contexts are not allowed to specify recipient addresses outside these domains
1028 # if this is a backup-mx, you need to include here the domains for which you relay to the primary mx
1029 include "/etc/mail/local-host-names";
1030 };
1031
1032 context whitelist {
1033 content off {};
1034 env_to {
1035 # dcc_to ok { include "/var/dcc/whitecommon"; };
1036 };
1037 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted
1038 # so all mail TO these env_to addresses is accepted
1039 };
1040
1041 context abuse {
1042 dnsbl_list xbl;
1043 content off {};
1044 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects
1045 env_to {
1046 abuse@ # no content filtering on abuse reports
1047 postmaster@ # ""
1048 };
1049 env_from unknown {}; # ignore all parent white/black listing
1050 };
1051
1052 context minimal {
1053 dnsbl_list sbl;
1054 content on {
1055 spamassassin 10;
1056 dcc_bulk_threshold many;
1057 };
1058 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects
1059 env_to {
1060 };
1061 };
1062
1063 context blacklist {
1064 dnsbl_list ;
1065 dnswl_list ;
1066 env_to {
1067 # dcc_to many { include "/var/dcc/whitecommon"; };
1068 };
1069 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted
1070 # so all mail TO these env_to addresses is rejected
1071 };
1072
1073 env_from unknown {
1074 abuse@ abuse; # replies to abuse reports use the abuse context
1075 # dcc_from { include "/var/dcc/whitecommon"; };
1076 };
1077
1078 autowhite 90 "autowhite/my-auto-whitelist";
1079 # install should create /etc/dnsbl/autowhite writable by userid dnsbl
1080 };]]></literallayout>
1081 </refsect1>
1082
1083 <refsect1 id='version.5'>
1084 <title>Version</title>
1085 <para>
1086 @VERSION@
1087 </para>
1088 </refsect1>
1089
1090 </refentry>
1091 </reference>