dnsbl repository: annotate xml/dnsbl.in @ 471:419564449cea stable-6-0-77
change paths from /var/run/dnsbl to /run/dnsbl
author: Carl Byington <carl@five-ten-sg.com>
date: Wed, 16 Dec 2020 13:34:55 -0800
parents: f3f1ece619ba

<reference>
<title>@PACKAGE@ Sendmail milter - Version @VERSION@</title>
<partintro>
<title>Packages</title>

<para>
The various source and binary packages are available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>.
The most recent documentation is available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

<para>
A <ulink
url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
code repository for this project is available at <ulink
url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

<para>
Bitcoin donations for this project may be sent to
<ulink url="bitcoin:17n5xJZ9a8csJW2uLeZn7i6jegNKGdLUPJ">bitcoin:17n5xJZ9a8csJW2uLeZn7i6jegNKGdLUPJ</ulink>
</para>
</partintro>

<refentry id="@PACKAGE@.1">
<refentryinfo>
<date>2019-03-09</date>
<author>
<firstname>Carl</firstname>
<surname>Byington</surname>
<affiliation><orgname>510 Software Group</orgname></affiliation>
<personblurb><para></para></personblurb>
</author>
</refentryinfo>

<refmeta>
<refentrytitle>@PACKAGE@</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.1'>
<refname>@PACKAGE@</refname>
<refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.1'>
<title>Synopsis</title>
<cmdsynopsis>
<command>@PACKAGE@</command>
<arg><option>-c</option></arg>
<arg><option>-s</option></arg>
<arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">local-domain-socket</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='options.1'>
<title>Options</title>
<variablelist>
<varlistentry>
<term>-c</term>
<listitem><para>
Load the configuration file, print a canonical form
of the configuration on stdout, and exit.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem><para>
Stress test the configuration loading code by repeating
the load/free cycle in an infinite loop.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">n</replaceable></term>
<listitem><para>
Set the debug level to <replaceable class="parameter">n</replaceable>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">from|to</replaceable></term>
<listitem><para>
Print the results of looking up the from and to addresses in the
current configuration. The | character is used to separate the from and to
addresses in the argument to the -e switch.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">local-domain-socket-file-name</replaceable></term>
<listitem><para>
Set the local socket used for the connection to the dccifd daemon.
This is typically /var/dcc/dccifd.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">local-domain-socket-file-name</replaceable></term>
<listitem><para>
Set the local socket used for the connection to our own dns resolver processes.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">sendmail-socket</replaceable></term>
<listitem><para>
Set the socket used for the milter connection to sendmail. This is either
"inet:port@ip-address" or "local:local-domain-socket-file-name".
</para></listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">timeout</replaceable></term>
<listitem><para>
Set the timeout in seconds used for communication with sendmail.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1 id='usage.1'>
<title>Usage</title>
<para><command>@PACKAGE@</command> -c</para>
<para><command>@PACKAGE@</command> -s</para>
<para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para>
<para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para>
</refsect1>

<refsect1 id='installation.1'>
<title>Installation</title>
<para>
This is now a standard GNU autoconf/automake installation, so the normal
"./configure; make; su; make install" works. "make chkconfig" will
set up the init.d runlevel scripts. Alternatively, you can use the
source or binary RPMs at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>.
</para>
<para>
Note that this has ONLY been tested on Linux, specifically RedHat Linux.
In particular, this milter makes no attempt to understand IPv6. Your
mileage will vary. You will need at a minimum a C++ compiler with a
minimally thread safe STL implementation. The distribution includes a
test.cpp program. If it fails, this milter won't work. If it passes,
this milter might work.
</para>
<para>
Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines,
adding the following line, and rebuilding the .cf file:
</para>
<para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para>
<para>
Modify the default <citerefentry>
<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
</citerefentry> configuration.
</para>
</refsect1>

<refsect1 id='configuration.1'>
<title>Configuration</title>
<para>
The configuration file is documented in <citerefentry>
<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
</citerefentry>. Any change to the config file, or any file included
from that config file, will cause it to be reloaded within three
minutes.
</para>
</refsect1>

<refsect1 id='introduction.1'>
<title>Introduction</title>
<para>
Consider the case of a mail server that is acting as secondary MX for a
collection of clients, each of which has a collection of mail domains.
Each client may use their own collection of DNSBLs on their primary mail
server. We present here a mechanism whereby the backup mail server can
use the correct set of DNSBLs for each recipient for each message. As a
side-effect, it gives us the ability to customize the set of DNSBLs on a
per-recipient basis, so that fred@example.com could use LOCAL and the
SBL, where all other users @example.com use only the SBL.
</para>
<para>
This milter can also verify the envelope from/recipient pairs with the
primary MX server. This allows the backup mail servers to properly
reject mail sent to invalid addresses. Otherwise, the backup mail
servers will accept that mail, and then generate a bounce message when
the message is forwarded to the primary server (and rejected there with
no such user). These rejections are the primary cause of such backscatter.
</para>
<para>
This milter will also decode (uuencode, base64, mime, html entity, url
encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the
body of the mail. If any of those host names have A or NS records on
the SBL (or a single configurable DNSBL), the mail will be rejected
unless previously whitelisted. This milter also counts the number of
invalid HTML tags, and can reject mail if that count exceeds your
specified limit.
</para>
<para>
This milter can also impose hourly and daily rate limits on the number
of recipients accepted from SMTP AUTH connections that would otherwise
be allowed to relay thru this mail server with no spam filtering. If
the connection does not use SMTP AUTH, the rate limits may be specified
by the mail from email address or domain.
</para>
<para>
This milter can also impose hourly and daily limits on the number of
different ip addresses used for SMTP AUTH connections. If a single
user is connecting from too many different ip addresses, we presume that
their authentication credentials have been discovered, and block their
outgoing mail.
</para>
<para>
Consider the case of a message from A to B passing thru this milter. If
that message is not blocked, then we might eventually see a reply
message from B to A. If the filtering context for A includes an
autowhite entry, and that context does <emphasis>not</emphasis> cover B
as a recipient, then this milter will add an entry in that file to
whitelist such replies for a configurable time period. Suppose A and B
are in the same domain, or at least use the same filtering context. In
that case we don't want to add a whitelist entry for B, since that would
then allow spammers to send mail from B (forged) to B. Such autowhite
files need to be writeable by the dnsbl user, where all the other dnsbl
configuration files only need to be readable by the dnsbl user.
</para>
<para>
You can manually add such an autowhite entry by appending a single
text line to the autowhitelist file, using something like
<command>echo "$mail 0" >>$autowhitefile</command>.
You can manually remove such an autowhite entry by appending a single
text line to the autowhitelist file, using something like
<command>echo "$mail 1" >>$autowhitefile</command>.
</para>
<para>
The DNSBL milter reads a text configuration file (dnsbl.conf) on
startup, and whenever the config file (or any of the referenced include
files) is changed. The entire configuration file is case insensitive.
If the configuration cannot be loaded due to a syntax error, the milter
will log the error and quit. If the configuration cannot be reloaded
after being modified, the milter will log the error and send an email to
root from dnsbl@$hostname. You probably want to add dnsbl@$hostname
to your /etc/mail/virtusertable since otherwise sendmail will reject
that message.
</para>
</refsect1>

<refsect1 id='dcc.1'>
<title>DCC Issues</title>
<para>
If you are also using the <ulink
url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there
are a few considerations. You may need to whitelist senders from the
DCC bulk detector, or from the DNS based lists. Those are two very
different reasons for whitelisting. The former is done thru the DCC
whiteclnt config file, the latter is done thru the DNSBL milter config
file.
</para>
<para>
You may want to blacklist some specific senders or sending domains.
This could be done thru the DCC (on a global basis, or for a
specific single recipient). We prefer to do such blacklisting via the
DNSBL milter config, since it can be done for a collection of recipient
mail domains. The DCC approach has the feature that you can capture the
entire message in the DCC log files. The DNSBL milter approach has the
feature that the mail is rejected earlier (at RCPT TO time), and the
sending machine just gets a generic "550 5.7.1 no such user" message.
</para>
<para>
The DCC whiteclnt file can be included in the DNSBL milter config by the
dcc_to and dcc_from statements. This will import the (env_to, env_from,
and substitute mail_host) entries from the DCC config into the DNSBL
config. This allows using the DCC config as the single point for
white/blacklisting.
</para>
<para>
Consider the case where you have multiple clients, each with their own
mail servers, and each running their own DCC milters. Each client is
using the DCC facilities for envelope from/to white/blacklisting.
Presumably you can use rsync or scp to fetch copies of your clients' DCC
whiteclnt files on a regular basis. Your mail server, acting as a
backup MX for your clients, can use the DNSBL milter, and include those
client DCC config files. The envelope from/to white/blacklisting will
be appropriately tagged and used only for the domains controlled by each
of those clients.
</para>
<para>
You can now use (via dccifd) different dcc filtering parameters on a per
context basis. See the dcc_greylist and dcc_bulk_threshold statements
in the <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
<manvolnum>5</manvolnum> </citerefentry> configuration. Those
statements are only active if you supply the <option>-b</option> option
on the dnsbl command line. If you use the dcc via the standard dcc
milter (dccm), then connections from clients that use SMTP AUTH are
still subject to greylisting. If you use the dcc via dccifd and this
milter, then connections from clients that use SMTP AUTH are never
subject to greylisting. As part of this per-user greylisting, you need
to move the dnsblnogrey file from the config directory to something
like /var/dcc/userdirs/dnsblnogrey/whiteclnt so the dccifd will
properly ignore greylisting for those recipients that don't want it.
</para>
</refsect1>

<refsect1 id='definitions.1'>
<title>Definitions</title>
<para>
CONTEXT - a collection of parameters that defines the filtering context
to be used for a collection of envelope recipient addresses. The
context includes such things as the list of DNSBLs to be used, and the
various content filtering parameters.
</para>
<para>
DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g.
sbl-xbl.spamhaus.org) and a message string that is used to generate the
"550 5.7.1" smtp error return code. The names of these DNSBLs will be
used to define the DNSBL-LISTs.
</para>
<para>
DNSBL-LIST - a named list of DNSBLs that will be used for specific
recipients or recipient domains.
</para>
<para>
DNSWL - a named DNS based white list is defined by a dns suffix (e.g.
list.dnswl.org) and an integer level. If the level is greater than or
equal to x in the 127.0.z.x return code from the white list, then the
ip address is considered to match, and the message will be whitelisted.
The names of these DNSWLs will be used to define the DNSWL-LISTs.
</para>
<para>
DNSWL-LIST - a named list of DNSWLs that will be used for specific
recipients or recipient domains.
</para>
</refsect1>

<refsect1 id='filtering.1'>
<title>Filtering Procedure</title>
<para>
The SMTP envelope 'from' and 'to' values are used in various checks.
The first check is to see if a reply message (swapping the env_from and
env_to values) would be unconditionally blocked (just based on the
envelope from address). That check is similar to the main check
described below, but there is no body content to be scanned, and there
is no client connection ip address to be checked against DNSBLs. If
such a reply message would be blocked, we also block the original
outgoing message. This prevents folks from sending mail to recipients
that are unable to reply.
</para>
<para>
If the client has authenticated with sendmail, the recipient rate limits
and connection ip address limits are checked. If the authenticated user
has not exceeded the hourly or daily rate limits, then the mail is
accepted, the filtering contexts are not used, the dns lists are not
checked, and the body content is not scanned. These rate limits can also
be applied to unauthenticated connections, in which case the envelope
from value is used as the authentication id for lookup purposes. If
the client has not authenticated with sendmail, we follow these steps
for each recipient.
</para>
362 <orderedlist> | |
111 | 363 <listitem><para> |
108 | 364 The envelope to email address is used to find an initial filtering |
365 context. We first look for a context that specified the full email | |
366 address in the env_to statement. If that is not found, we look for a | |
367 context that specified the entire domain name of the envelope recipient | |
368 in the env_to statement. If that is not found, we look for a context | |
369 that specified the user@ part of the envelope recipient in the env_to | |
370 statement. If that is not found, we use the first top level context | |
371 defined in the config file. | |
111 | 372 </para></listitem> |
373 <listitem><para> | |
108 | 374 The initial filtering context may redirect to a child context based on |
375 the values in the initial context's env_from statement. We look for [1) | |
376 the full envelope from email address, 2) the domain name part of the | |
377 envelope from address, 3) the user@ part of the envelope from address] | |
378 in that context's env_from statement, with values that point to a child | |
379 context. If such an entry is found, we switch to that child filtering | |
380 context. | |
111 | 381 </para></listitem> |
382 <listitem><para> | |
108 | 383 We lookup [1) the full envelope from email address, 2) the domain name |
384 part of the envelope from address, 3) the user@ part of the envelope | |
385 from address] in the filtering context env_from statement. That results | |
386 in one of (white, black, unknown, inherit). | |
111 | 387 </para></listitem> |
388 <listitem><para> | |
108 | 389 If the answer is black, mail to this recipient is rejected with "no such |
390 user", and the dns lists are not checked. | |
111 | 391 </para></listitem> |
392 <listitem><para> | |
436
7b072e16bd69
fix syslog for long messages, supress dkim checks for mail from localhost
Carl Byington <carl@five-ten-sg.com>
parents:
426
diff
changeset
|
393 If the answer is white, the mail is not from localhost, |
458
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
394 and the envelope from domain name is listed in the current (or parents) |
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
395 filtering contexts dkim_from with "required_signed" or "unsigned_black", |
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
396 we downgrade this white answer to unknown. If the answer is still white, |
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
397 mail to this recipient is accepted and the dns lists are not checked. |
111 | 398 </para></listitem> |
399 <listitem><para> | |
108 | 400 If the answer is unknown, we don't reject yet, but the dns lists will be |
401 checked, and the content may be scanned. | |
111 | 402 </para></listitem> |
403 <listitem><para> | |
108 | 404 If the answer is inherit, we repeat the envelope from search in the |
405 parent context. | |
111 | 406 </para></listitem> |
407 <listitem><para> | |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
408 If the mail has not been accepted or rejected yet, and the filtering |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
409 context (or any ancestor context) specifies a non-empty whitelist regular |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
410 expression, then we check the envelope from value against that regex. |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
411 The mail is accepted if the envelope from value matches the specified regular |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
412 expression. |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
413 </para></listitem> |
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
414 <listitem><para> |
458
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
415 If the mail has not been accepted or rejected yet, and the envelope from |
6c1c2bd9fb54
ignore dnswl entries if the sender is <>
Carl Byington <carl@five-ten-sg.com>
parents:
451
diff
changeset
|
email address is not empty, the dns white lists
specified in the filtering context are checked and the mail is accepted
if any list has an A record for the standard dns based lookup scheme
(reversed octets of the client followed by the dns suffix) with a final
octet greater than or equal to the level specified for that dnswl.
</para></listitem>
<listitem><para>
If the mail has not been accepted or rejected yet, the dns black lists
specified in the filtering context are checked and the mail is rejected
if any list has an A record for the standard dns based lookup scheme
(reversed octets of the client followed by the dns suffix).
</para></listitem>
<listitem><para>
If the mail has not been accepted or rejected yet, and the filtering
context (or any ancestor context) requires a matching reverse dns client
name, the mail is rejected if the client name is empty or forged.
</para></listitem>
<listitem><para>
If the mail has not been accepted or rejected yet, and the filtering
context (or any ancestor context) specifies a non-empty generic regular
expression, then we check the fully qualified client name (obtained via
the sendmail macro "_"). The mail is rejected if the client name
matches the specified regular expression.
</para></listitem>
<listitem><para>
If the mail has not been accepted or rejected yet, we look for a
verification context, which is the closest ancestor of the filtering
context that both specifies a verification host and covers the
envelope to address. If we find such a verification context, and the
verification host is not our own hostname, we open an smtp conversation
with that verification host. The current envelope from and recipient to
values are passed to that verification host. If we receive a 5xy
response to those commands, we reject the current recipient with "no such
user".
</para></listitem>
<listitem><para>
If the mail has not been accepted or rejected yet, and the filtering
context enables content filtering, and this is the first such recipient
in this smtp transaction, we set the content filtering parameters from
this context, and enable content filtering for the body of this message.
</para></listitem>
</orderedlist>
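The dnswl and dnsbl steps above, as an added example that is not part of the milter's own code: it builds the reversed-octet query name and applies the whitelist "final octet >= level" test and the blacklist "any A record" test. The list suffixes, the in-memory answer table standing in for real DNS, and the use of an empty string or "<>" for the null sender are constructed assumptions.

```python
# Added example (not code from the dnsbl milter): the standard reversed-octet
# DNS list lookup and the dnswl/dnsbl decision rules described in the list above.
# The resolver is a constructed in-memory table so the example runs offline.
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample zone data: query name -> A record returned by the list.
# A missing key stands for NXDOMAIN (the client is not listed).
ANSWERS: Dict[str, str] = {
    "45.4.168.192.dnsbl.example.test": "127.0.0.2",   # listed on the blacklist
    "10.0.0.10.dnswl.example.test": "127.0.10.3",     # whitelisted, trust level 3
    "20.0.0.10.dnswl.example.test": "127.0.5.1",      # whitelisted, trust level 1
}


def query_name(client_ip: str, suffix: str) -> str:
    """Reverse the client's octets and append the list's dns suffix."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix


def lookup_a(name: str) -> Optional[str]:
    """Stand-in for a real A record lookup; reads the constructed table."""
    return ANSWERS.get(name)


def dnswl_accepts(client_ip: str, envelope_from: str,
                  whitelists: Iterable[Tuple[str, int]]) -> bool:
    """Accept if any dnswl has an A record whose final octet >= its level.

    The whitelists are skipped entirely for an empty (null) sender, which is
    the 'email address is not empty' condition above; "" and "<>" are the
    constructed representations of the null sender here."""
    if envelope_from in ("", "<>"):
        return False
    for suffix, level in whitelists:
        answer = lookup_a(query_name(client_ip, suffix))
        if answer is not None:
            final_octet = int(answer.split(".")[-1])
            if final_octet >= level:
                return True
    return False


def dnsbl_rejects(client_ip: str, blacklists: Iterable[str]) -> bool:
    """Reject if any dnsbl returns an A record at all for the client."""
    return any(lookup_a(query_name(client_ip, s)) is not None for s in blacklists)


def client_decision(client_ip: str, envelope_from: str,
                    whitelists: Iterable[Tuple[str, int]],
                    blacklists: Iterable[str]) -> str:
    """Whitelist step first, then blacklist step, else fall through."""
    if dnswl_accepts(client_ip, envelope_from, list(whitelists)):
        return "accept"
    if dnsbl_rejects(client_ip, list(blacklists)):
        return "reject"
    return "continue"


if __name__ == "__main__":
    wl = [("dnswl.example.test", 2)]
    bl = ["dnsbl.example.test"]
    print(query_name("192.168.4.45", "dnsbl.example.test"))
    print(client_decision("192.168.4.45", "a@b.example", wl, bl))  # reject
    print(client_decision("10.0.0.10", "a@b.example", wl, bl))     # accept
    print(client_decision("10.0.0.20", "a@b.example", wl, bl))     # continue (level 1 < 2)
    print(client_decision("10.0.0.10", "<>", wl, bl))              # continue (dnswl skipped)
```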
<para>
For each recipient that was accepted, we search for an autowhite entry
starting in the reply filtering context. If an autowhite entry is found,
and the local part of the recipient address is shorter than 35 characters,
we add the recipient to that auto whitelist file. This will prevent reply
messages from being blocked by the dnsbl or content filtering.
</para>
<para>
If the mail is from localhost we skip the following dkim checks, since
such mail will never be dkim signed. This is typically mail that is generated by
apache forms.
</para>
<para>
If content filtering is enabled for this body, we look for dkim_signer
and dkim_from sections in the current context and parents. We collect the
signers of this message from the header added by the dkim-milter. If any
of the message signers are whitelisted, the message is accepted.
</para>
<para>
If the header from domain maps to require_signed then:
if any of the message signers are in that list, or if
the source ip address passes a strong spf check for the header from
domain, the message is accepted. Otherwise, the message is rejected.
</para>
<para>
If the header from domain maps to signed_white then:
if any of the message signers are in that list, or if
the source ip address passes a strong spf check for the header from
domain, the message is accepted. Otherwise, processing continues.
</para>
<para>
If the header from domain maps to signed_black then:
if any of the message signers are in that list, the message is rejected.
Otherwise, processing continues.
</para>
<para>
If the header from domain maps to unsigned_black then:
if any of the message signers are in that list, or if
the source ip address passes a strong spf check for the header from
domain, processing continues. Otherwise, the message is rejected.
This is very close to enforcing DMARC for the header from domain.
</para>
<para>
If any of the message signers are blacklisted, the message is rejected.
</para>
<para>
If content filtering is enabled for this body, the mail text is decoded
(uuencode, base64, mime, html entity, url encodings), and scanned for HTTP
and HTTPS URLs or bare host names. Hostnames must be either ip address
literals, or must end in a string defined by the TLD list. The first
&lt;configurable&gt; host names are checked as follows.
</para>
<para>
The only known list that is suitable for the content filter DNSBL is the
SBL. If the content filter DNSBL is defined, and any of those host
names resolve to ip addresses that are on that DNSBL (or have
nameservers that are on that list), and the host name is not on the
&lt;configurable&gt; ignore list, the mail is rejected.
</para>
<para>
If the content uribl DNSBL is defined, and any of those host names are
on that DNSBL, and the host name is not on the &lt;configurable&gt;
ignore list, the mail is rejected. There are three lists that are suitable
here, URIBL, SURBL, and DBL.
</para>
<para>
If any non-whitelisted recipient has a filtering context with a non-zero
spamassassin limit, then the message is passed thru spamassassin (via
spamc), and the message is rejected for those recipients with spamassassin
limits less than the resulting spamassassin score. For example, a
spamassassin limit of three will reject messages with spamassassin scores
of four or greater. If the filtering context has a spamassassin limit of
zero, then spamassassin is not called (or if called the results are not used)
for this recipient.
</para>
<para>
If any non-whitelisted recipient has a filtering context that specifies
DCC greylisting, then the message is passed thru the DCC bulk detector,
and the message is greylisted (for all recipients) if the DCC says this
message should be delayed.
</para>
<para>
If any non-whitelisted recipient has a filtering context with a non-zero
DCC bulk threshold, then the message is passed thru the DCC bulk detector,
and the message is rejected for those recipients with DCC thresholds less
than or equal to the DCC bulk score.
</para>
<para>
We also scan for excessive bad html tags, and if a &lt;configurable&gt;
limit is exceeded, the mail is rejected.
</para>
</refsect1>

<refsect1 id='dmarc.1'>
<title>DMARC vs dkim_from require_signed</title>
<para>
Note that DNSBL does not implement rfc7489 DMARC. We do not look for
_dmarc.$DOMAIN txt records.
</para>
<para>
The restrictions imposed by require_signed are similar but not
identical to a DMARC reject policy with strict identifier alignment.
When doing SPF fallback, DMARC checks SPF based on the rfc5321
envelope from domain. DNSBL checks SPF based on the rfc5322 header
from domain.
DMARC does not allow mail from good.example.com to be
signed by trusted.example.net - which is a common case. Both Microsoft
Office365 and Google run mail for customer domains, but use DKIM
signing domains in onmicrosoft.com and gappssmtp.com, which are
unrelated to the customer domain. DMARC in the default relaxed
alignment mode allows evil.example.com to sign mail from
good.example.com. DNSBL specifies the exact list of acceptable signing
domains, rather than inferring it from child/parent relationships, or
using public suffix lists to find the organizational domain. We can block mail
from marketing.example.com while accepting mail from
billing.example.com, even if both are DKIM signed by example.com.
</para>
<para>
Suppose we have:
<literallayout class="monospaced"><![CDATA[
rfc5321 envelope from = one@evil.example.com
rfc5322 header from = two@good.example.com
authentication results = dkim pass header.d=other.example.com
_dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim:s aspf:s"
dkim_from {good.example.com require_signed other.example.com;}
]]></literallayout>
DMARC would fail the strict identifier alignment. DNSBL allows
us to require DKIM signatures that are unrelated
to the rfc5322 header from, so we accept this message.
</para>
<para>
Suppose we have:
<literallayout class="monospaced"><![CDATA[
rfc5321 envelope from = one@evil.example.com
rfc5322 header from = two@good.example.com
authentication results = dkim pass header.d=other.example.net
_dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim:r aspf:r"
dkim_from {good.example.com require_signed other.example.net;}
]]></literallayout>
DMARC would pass the relaxed spf identifier alignments,
and would check the evil.example.com spf record. If that
allowed the source ip, DMARC would accept the message.
DMARC would not check DKIM since example.com and example.net
do not pass even the relaxed identifier alignment requirement.
DNSBL allows us to require DKIM signatures that are not
related to the rfc5322 header from domain, so we accept
the message based on the DKIM signature and don't need to
fall back to SPF.
</para>
<para>
Suppose we have:
<literallayout class="monospaced"><![CDATA[
rfc5321 envelope from = one@evil.example.com
rfc5322 header from = two@good.example.com
authentication results = dkim fail header.d=other.example.net
_dmarc.good.example.com txt = "v=DMARC1; p=reject; adkim:r aspf:r"
evil.example.com txt = "v=spf1 ... including the source ip
good.example.com txt = "v=spf1 ... not including the source ip
dkim_from {good.example.com require_signed other.example.net;}
]]></literallayout>
DNSBL allows us to require DKIM signatures that are not
related to the rfc5322 header from domain. In this case
the signature fails, so we fall back to an SPF check.
We check SPF based on the rfc5322 header from, and
good.example.com does not allow the source ip, so we reject
this message.
DMARC would accept that message based on the SPF check
for evil.example.com.
</para>
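The dkim_from decision table from the previous section and the three scenarios just above, as an added example that is not the milter's own code: the set of verified signers stands in for the header added by the dkim-milter, and the SPF result for the header-from domain is supplied as a constructed input rather than looked up. The policy keywords are the page's; the function names and sample data are mine.

```python
# Added example (not code from the dnsbl milter): the dkim_signer / dkim_from
# decision table, then the three "Suppose we have" scenarios run through it.
from typing import Dict, FrozenSet, Set, Tuple

# dkim_from maps a header-from domain to (policy keyword, acceptable signers).
DkimFrom = Dict[str, Tuple[str, Set[str]]]


def evaluate(header_from_domain: str,
             passing_signers: Set[str],
             spf_pass_domains: Set[str],
             dkim_from: DkimFrom,
             signer_white: FrozenSet[str] = frozenset(),
             signer_black: FrozenSet[str] = frozenset()) -> str:
    """Return 'accept', 'reject' or 'continue' for the dkim/spf stage.

    passing_signers: d= domains whose DKIM signature verified (dkim pass).
    spf_pass_domains: domains for which the source ip passes a strong SPF
    check; the milter consults this for the rfc5322 header-from domain only.
    """
    # Globally whitelisted signers (dkim_signer white) accept immediately.
    if passing_signers & signer_white:
        return "accept"

    spf_ok = header_from_domain in spf_pass_domains
    policy, listed = dkim_from.get(header_from_domain, ("", set()))
    signed_by_listed = bool(passing_signers & listed)

    if policy == "require_signed":
        # Listed signer or SPF pass accepts; anything else is rejected.
        return "accept" if (signed_by_listed or spf_ok) else "reject"
    if policy == "signed_white":
        if signed_by_listed or spf_ok:
            return "accept"
    elif policy == "signed_black":
        if signed_by_listed:
            return "reject"
    elif policy == "unsigned_black":
        # Listed signer or SPF pass lets processing continue; else reject.
        if not (signed_by_listed or spf_ok):
            return "reject"

    # Finally, any blacklisted signer (dkim_signer black) rejects.
    if passing_signers & signer_black:
        return "reject"
    return "continue"


# The three scenarios above, as constructed data.
DKIM_FROM_1: DkimFrom = {"good.example.com": ("require_signed", {"other.example.com"})}
DKIM_FROM_2: DkimFrom = {"good.example.com": ("require_signed", {"other.example.net"})}


def scenario_1() -> str:
    # dkim pass header.d=other.example.com: listed signer, accepted.
    return evaluate("good.example.com", {"other.example.com"}, set(), DKIM_FROM_1)


def scenario_2() -> str:
    # dkim pass header.d=other.example.net: accepted on the signature alone,
    # so SPF is never consulted (spf_pass_domains left empty).
    return evaluate("good.example.com", {"other.example.net"}, set(), DKIM_FROM_2)


def scenario_3() -> str:
    # dkim fail: no passing signer, so fall back to SPF for the header-from
    # domain. Only evil.example.com (the envelope-from) allows the source ip;
    # good.example.com does not, so the milter rejects.
    return evaluate("good.example.com", set(), {"evil.example.com"}, DKIM_FROM_2)


if __name__ == "__main__":
    for name, fn in (("1", scenario_1), ("2", scenario_2), ("3", scenario_3)):
        print(f"scenario {name}: {fn()}")
```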
</refsect1>

<refsect1 id='access.1'>
<title>Sendmail access vs. DNSBL</title>
<para>
With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
suppressed by entries in the /etc/mail/access database. For example,
suppose you control a /18 of address space, and have allocated some /24s
to some clients. You have access entries like
<literallayout class="monospaced"><![CDATA[
192.168.4 OK
192.168.17 OK]]></literallayout>
</para>
<para>
to allow those clients to smarthost thru your mail server. Now if one
of those clients happens to get infected with a virus that turns a machine
into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you
will still wind up allowing that infected machine to smarthost thru your
mail servers.
</para>
<para>
With this DNSBL milter, the sendmail access database cannot override the
dnsbl checks, so that machine won't be able to send mail to or thru your
smarthost mail server (unless the virus/proxy can use smtp-auth).
</para>
<para>
Using the standard sendmail features, you would add access entries to
allow hosts on your local network to relay thru your mail server. Those
OK entries in the sendmail access database will override all the dnsbl
checks. With this DNSBL milter, you will need to have the local users
authenticate with smtp-auth to get the same effect. You might find
<ulink
url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
these directions</ulink> helpful for setting up smtp-auth if you are on
RH Linux.
</para>
</refsect1>
94 | 665 |
<refsect1 id='performance.1'>
  <title>Performance Issues</title>
  <para>
    Consider a high volume, high performance machine running sendmail. Each
    sendmail process can do its own dns resolution. Typically, such dns
    resolver libraries are not thread safe, and so must be protected by some
    sort of mutex in a threaded environment. When we add a milter to
    sendmail, we now have a collection of sendmail processes, and a
    collection of milter threads.
  </para>
  <para>
    We will be doing a lot of dns lookups per mail message, and at least
    some of those will take many tens of seconds. If all this dns work is
    serialized inside the milter, we have an upper limit of about 25K mail
    messages per day. That is clearly not sufficient for many sites.
  </para>
  <para>
    Since we want to do parallel dns resolution across those milter threads,
    we add another collection of dns resolver processes. Each sendmail
    process is talking to a milter thread over a socket, and each milter
    thread is talking to a dns resolver process over another socket.
  </para>
  <para>
    Suppose we are processing 20 messages per second, and each message
    requires 20 seconds of dns work. Then we will have 400 sendmail
    processes, 400 milter threads, and 400 dns resolver processes. Of
    course that steady state is very unlikely to happen.
  </para>
</refsect1>

<refsect1 id='rejected.1'>
  <title>Rejected Ideas</title>
  <para>
    The following ideas have been considered and rejected.
  </para>
  <para>
    Add max_recipients setting to the context configuration. Recipients in
    excess of that limit will be rejected, and all the non-whitelisted
    recipients will be removed. Current spammers *very* rarely send more
    than ten recipients in a single smtp transaction, so this won't stop any
    significant amount of spam.
  </para>
  <para>
    Add poison addresses to the configuration. If any recipient is
    poison, all recipients are rejected even if they would be whitelisted,
    and the data is rejected if sent. I have a collection of spam trap
    addresses that would be suitable for such use. Based on my log files,
    any mail to those spam trap addresses is rejected based on either dnsbl
    lookups or the DCC. So this won't result in blocking any additional
    spam.
  </para>
  <para>
    Add an option to only allow one recipient if the return path is
    empty. Based on my log files, there is no mail that violates this
    check.
  </para>
  <para>
    Reject the mail if the envelope from domain name contains any MX
    records pointing to 127.0.0.0/8. I don't see any significant amount of
    spam sent with such domain names.
  </para>
</refsect1>

<refsect1 id='todo.1'>
  <title>TODO</title>
  <para>
    The following ideas are under consideration.
  </para>
  <para>
    More complete SPF check.
  </para>
  <para>
    Add config switch to require the HELO argument to resolve to an ip address.
  </para>
  <para>
    Add white/unknown to config for smtp authenticated connections. Currently
    any authenticated connection is fully whitelisted. The only spam control
    on those connections is rate limiting. This feature would allow content based
    spam controls to be applied even to authenticated connections. Add
    context/authenticated_dnsbl_list and context/content/authenticated.
  </para>
  <para>
    Add an optional list of domains to be enforced on the env_from value for
    authenticated connections. User abc could be restricted to envelope from
    values of a.com and b.com, user def could be restricted to envelope from
    values of dd.com and ee.com.
  </para>
  <para>
    Look for href="hostname/path" strings that are missing the required
    http:// scheme. Such references are still clickable in common
    mail software.
  </para>
</refsect1>

<refsect1 id='copyright.1'>
  <title>Copyright</title>
  <para>
    Copyright (C) 2012 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
  </para>
  <para>
    This program is free software; you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by the
    Free Software Foundation; either version 3, or (at your option) any
    later version.
  </para>
  <para>
    You should have received a copy of the GNU General Public License along
    with this program; see the file COPYING. If not, please write to the
    Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
  </para>
</refsect1>

<refsect1 id='version.1'>
  <title>Version</title>
  <para>
    @VERSION@
  </para>
</refsect1>
</refentry>


<refentry id="@PACKAGE@.conf.5">
<refentryinfo>
  <date>2019-03-09</date>
  <author>
    <firstname>Carl</firstname>
    <surname>Byington</surname>
    <affiliation><orgname>510 Software Group</orgname></affiliation>
    <personblurb><para></para></personblurb>
  </author>
</refentryinfo>

<refmeta>
  <refentrytitle>@PACKAGE@.conf</refentrytitle>
  <manvolnum>5</manvolnum>
  <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.5'>
  <refname>@PACKAGE@.conf</refname>
  <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.5'>
  <title>Synopsis</title>
  <cmdsynopsis>
    <command>@PACKAGE@.conf</command>
  </cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description.5'>
  <title>Description</title>
  <para>The <command>@PACKAGE@.conf</command> configuration file is
    specified by this partial BNF description. Comments start with //
    or # and extend to the end of the line. To include the contents
    of some file verbatim in the dnsbl.conf file, use
    <literallayout class="monospaced"><![CDATA[include "<file>";]]></literallayout>
  </para>

  <literallayout class="monospaced"><![CDATA[
CONFIG      = {CONTEXT ";"}+
CONTEXT     = "context" NAME "{" {STATEMENT}+ "}"
STATEMENT   = ( DNSBL | DNSBLLIST | DNSWL | DNSWLLIST | CONTENT | ENV-TO
              | VERIFY | GENERIC | W-REGEX | AUTOWHITE | CONTEXT | ENV-FROM
              | RATE-LIMIT | REQUIRERDNS) ";"

DNSBL       = "dnsbl" NAME DNSPREFIX ERROR-MSG1
DNSBLLIST   = "dnsbl_list" {NAME}*

DNSWL       = "dnswl" NAME DNSPREFIX LEVEL
DNSWLLIST   = "dnswl_list" {NAME}*
LEVEL       = INTEGER

REQUIRERDNS = "require_rdns" ("yes" | "no")

CONTENT     = "content" ("on" | "off") "{" {CONTENT-ST}+ "}"
CONTENT-ST  = (FILTER | URIBL | IGNORE | TLD | HTML-TAGS | HTML-LIMIT |
               HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | DCCBULK | DKIM-SIGNER |
               DKIM-FROM) ";"
FILTER      = "filter" DNSPREFIX ERROR-MSG2
URIBL       = "uribl" DNSPREFIX ERROR-MSG3
IGNORE      = "ignore" "{" {HOSTNAME [";"]}+ "}"
TLD         = "tld" "{" {TLD [";"]}+ "}"
HTML-TAGS   = "html_tags" "{" {HTMLTAG [";"]}+ "}"
ERROR-MSG1  = string containing exactly two %s replacement tokens
              both are replaced with the client ip address
ERROR-MSG2  = string containing exactly two %s replacement tokens
              the first is replaced with the hostname, and the second
              is replaced with the ip address
ERROR-MSG3  = string containing exactly two %s replacement tokens
              both are replaced with the hostname
ERROR-MSG   = string

HTML-LIMIT  = "html_limit" ("on" INTEGER ERROR-MSG | "off")

HOST-LIMIT  = "host_limit" ("on" INTEGER ERROR-MSG | "off" |
              "soft" INTEGER)
SPAMASS     = "spamassassin" INTEGER
REQUIRE     = "require_match" ("yes" | "no")
DCCGREY     = "dcc_greylist" ("yes" | "no")
DCCBULK     = "dcc_bulk_threshold" (INTEGER | "many" | "off")

DKIM-SIGNER = "dkim_signer" "{" {SIGNING_DOMAIN DEF [";"]}+ "}"
DKIM-FROM   = "dkim_from" "{" {HEADER_FROM_DOMAIN DKIMVALUE SIGNERS [";"]}+ "}"
DKIMVALUE   = "signed_white" | "signed_black" | "require_signed" | "unsigned_black"
SIGNERS     = SIGNING_DOMAIN | '"' SIGNING_DOMAINS [";" EXTRA_SPF_DATA] '"'
SIGNING_DOMAINS = SIGNING_DOMAIN ["," SIGNING_DOMAINS]

ENV-TO      = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}"
TO-ADDR     = ADDRESS [";"]
DCC-TO      = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"

VERIFY      = "verify" HOSTNAME ";"
GENERIC     = "generic" REGULAREXPRESSION ERROR-MSG4 ";"
W-REGEX     = "white_regex" REGULAREXPRESSION ";"
ERROR-MSG4  = string containing exactly one %s replacement token
              which is replaced with the client name
AUTOWHITE   = "autowhite" DAYS FILENAME ";"

ENV-FROM    = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}"
FROM-ADDR   = ADDRESS VALUE [";"]
DCC-FROM    = "dcc_from" "{" DCCINCLUDEFILE "}" ";"

RATE-LIMIT  = "rate_limit" DEFAULT_RCPT_LIMIT DAILY_MULTIPLE_RCPT
              DEFAULT_IP_LIMIT DAILY_MULTIPLE_IP "{" (RATE)+ "}"
RATE        = USER RCPTLIMIT IPLIMIT ";"
RCPTLIMIT   = INTEGER
IPLIMIT     = INTEGER
DEFAULT_RCPT_LIMIT  = INTEGER
DAILY_MULTIPLE_RCPT = INTEGER
DEFAULT_IP_LIMIT    = INTEGER
DAILY_MULTIPLE_IP   = INTEGER

DEF         = ("white" | "black" | "unknown")
DEFAULT     = (DEF | "inherit" | "")
ADDRESS     = (USER@ | DOMAIN | USER@DOMAIN)
VALUE       = (DEF | "inherit" | CHILD-CONTEXT-NAME)]]></literallayout>
</refsect1>
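The grammar above has one statement shape throughout (arguments, an optional brace block, a terminating semicolon) and two constraints that a hand-edited file most often breaks: ERROR-MSG1, ERROR-MSG2 and ERROR-MSG3 must carry exactly two %s replacement tokens (ERROR-MSG4 exactly one), and each dkim_from entry needs one of the four DKIMVALUE keywords plus a signer list that may end in ";extra spf data". The following Python is an added example, not the milter's own (C++) parser: it tokenises the text, drops // and # comments, splices in include files, builds the nested statement tree, and reports violations of those two constraints. The sample configuration and the stand-in include file are constructed for the example, and the files dict replaces the filesystem so that it runs offline.

```python
import re

# token pattern: whitespace, // or # comment, "quoted string", punctuation, bare word
_TOKEN = re.compile(r'\s+|//[^\n]*|#[^\n]*|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+)')
DKIM_VALUES = {"signed_white", "signed_black", "require_signed", "unsigned_black"}
# keyword -> (index of its error-message argument, %s tokens the grammar requires there)
MSG_ARGS = {"dnsbl": (3, 2), "filter": (2, 2), "uribl": (2, 2), "generic": (2, 1)}


def tokenize(text, files=None):
    """Return ("str"|"punct"|"word", value) tokens; comments are dropped and
    `include "<file>";` is spliced in verbatim from `files` (a stand-in for the filesystem)."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("unexpected character at offset %d" % pos)
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2):
            tokens.append(("punct", m.group(2)))
        elif m.group(3):
            tokens.append(("word", m.group(3)))
        if (len(tokens) >= 3 and tokens[-3] == ("word", "include")
                and tokens[-2][0] == "str" and tokens[-1] == ("punct", ";")):
            name = tokens[-2][1]
            if name not in (files or {}):
                raise ValueError("include file not available: %s" % name)
            del tokens[-3:]
            tokens.extend(tokenize(files[name], files))
    return tokens


def parse_block(tokens, i=0, depth=0):
    """Parse `ARGS ["{" BLOCK "}"] ";"` statements up to the matching "}"; returns
    (statements, next_index) where a statement is (args, block_or_None).
    The last entry inside braces may omit its ";", as in `ignore { ... }`."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == ("punct", "}"):
            if depth == 0:
                raise ValueError("unexpected '}'")
            return stmts, i + 1
        args, block = [], None
        while i < len(tokens) and tokens[i] != ("punct", "}"):
            kind, val = tokens[i]
            i += 1
            if (kind, val) == ("punct", ";"):
                break
            if (kind, val) == ("punct", "{"):
                block, i = parse_block(tokens, i, depth + 1)
            else:
                args.append(val)
        if args or block is not None:
            stmts.append((args, block))
    if depth:
        raise ValueError("missing '}'")
    return stmts, i


def parse_signers(spec):
    """'signer1,signer2;extra spf data' -> (["signer1", "signer2"], "extra spf data" or None)."""
    domains, _, spf = spec.partition(";")
    return [d.strip() for d in domains.split(",") if d.strip()], (spf.strip() or None)


def check(stmts, problems, where="top"):
    """Enforce the %s token counts and the dkim_from entry shape required by the grammar."""
    for args, block in stmts:
        kw = args[0] if args else ""
        if kw in MSG_ARGS:
            idx, want = MSG_ARGS[kw]
            msg = args[idx] if len(args) > idx else ""
            # every % conversion in the message must be one of exactly `want` %s tokens
            if re.findall(r"%.", msg.replace("%%", "")) != ["%s"] * want:
                problems.append("%s: %s message needs exactly %d %%s tokens: %r" % (where, kw, want, msg))
        elif kw == "dkim_from":
            for entry, _ in block or []:
                if len(entry) != 3 or entry[1] not in DKIM_VALUES or not parse_signers(entry[2])[0]:
                    problems.append("%s: bad dkim_from entry %r" % (where, entry))
        elif block is not None:
            check(block, problems, where + "/" + " ".join(args))


def parse_config(text, files=None):
    """Return (top-level statements, problems) for dnsbl.conf-style text."""
    stmts, _ = parse_block(tokenize(text, files))
    problems = []
    check(stmts, problems)
    return stmts, problems


# Constructed sample: one dnsbl message has one %s too few, and one dkim_from
# entry uses a value the grammar does not define.
SAMPLE_FILES = {"hosts-ignore.conf": "example.com; example.net;\n"}
SAMPLE = '''
context main {
    dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl";   // one %s too few
    content on {
        ignore { include "hosts-ignore.conf"; };
        dkim_from {
            # an spf extension and a value the grammar does not know
            some.other.domain signed_white ".;ip4:10.0.0.0/16";
            broken.domain signed_maybe broken.domain;
        };
    };
};
'''
```

parse_config(SAMPLE, SAMPLE_FILES) returns the statement tree plus two problem strings, one for the short dnsbl message and one for the broken dkim_from entry; a clean file yields an empty problem list. The token-count check rejects any other % conversion as well, since the grammar only defines %s substitution.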
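The rate_limit statement above is the only control the milter applies to authenticated connections (see the TODO section of the dnsbl(1) page). The following Python is an added example, not the milter's own implementation, of a limiter with that statement's shape: hourly recipient and unique-client-IP limits per SMTP AUTH id (or per envelope sender when the connection is unauthenticated), with daily limits as a multiple of the hourly ones, as the Sample section below documents. The fixed hour and day buckets, the lookup precedence (exact user or address entry, then an @domain entry, then the defaults), case folding of the sender address, and the choice not to charge rejected messages to the windows are assumptions of the example; the override table is constructed.

```python
import time
from collections import defaultdict

HOUR, DAY = 3600, 86400


class RateLimiter:
    """rate_limit DEFAULT_RCPT_LIMIT DAILY_MULTIPLE_RCPT DEFAULT_IP_LIMIT DAILY_MULTIPLE_IP
    { USER RCPTLIMIT IPLIMIT; ... }: hourly limits per key, daily limits as the hourly
    limit times the daily multiple. Fixed hour/day buckets are an assumption."""

    def __init__(self, rcpt_hourly, rcpt_daily_mult, ip_hourly, ip_daily_mult, overrides=None):
        self.default = (rcpt_hourly, ip_hourly)
        self.daily_mult = (rcpt_daily_mult, ip_daily_mult)
        self.overrides = dict(overrides or {})   # key -> (recipients per hour, ips per hour)
        self.rcpts = defaultdict(int)            # bucket -> recipients accepted
        self.ips = defaultdict(set)              # bucket -> client IPs seen

    @staticmethod
    def key_for(auth_id, mail_from):
        """Authenticated sessions are keyed by the SMTP AUTH id, unauthenticated
        ones by the envelope sender (lower-casing it is an assumption)."""
        return auth_id if auth_id else (mail_from or "").lower()

    def limits_for(self, key):
        """Exact user/address entry, then "@domain" entry, then the statement
        defaults (this lookup order is an assumption)."""
        if key in self.overrides:
            return self.overrides[key]
        if "@" in key:
            domain_entry = "@" + key.rsplit("@", 1)[1]
            if domain_entry in self.overrides:
                return self.overrides[domain_entry]
        return self.default

    def check(self, auth_id, mail_from, client_ip, rcpt_count, now=None):
        """Return "ok" and charge the message to its windows, or the name of the
        first limit it would exceed (rejected messages are not charged)."""
        now = time.time() if now is None else now
        key = self.key_for(auth_id, mail_from)
        rcpt_hourly, ip_hourly = self.limits_for(key)
        limits = {
            "hourly": ((key, "h", int(now // HOUR)), rcpt_hourly, ip_hourly),
            "daily": ((key, "d", int(now // DAY)),
                      rcpt_hourly * self.daily_mult[0], ip_hourly * self.daily_mult[1]),
        }
        for name, (bucket, rcpt_limit, ip_limit) in limits.items():
            if self.rcpts[bucket] + rcpt_count > rcpt_limit:
                return "%s recipient limit" % name
            if len(self.ips[bucket] | {client_ip}) > ip_limit:
                return "%s ip limit" % name
        for bucket, _, _ in limits.values():
            self.rcpts[bucket] += rcpt_count
            self.ips[bucket].add(client_ip)
        return "ok"


# Constructed overrides in the shape of the sample's `rate_limit 30 4 5 4 { ... }`.
SAMPLE_LIMITER = RateLimiter(30, 4, 5, 4, {
    "fred": (100, 10), "joe": (10, 2),
    "sam@somedomain.tld": (500, 2), "@otherdomain.tld": (100, 2)})
```

With the sample table, user joe is allowed 10 recipients and 2 distinct client addresses per hour, 40 and 8 per day; a compromised account that suddenly relays through many addresses trips the ip limit before the recipient limit does, which is the point of keeping both.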
<refsect1 id='sample.5'>
  <title>Sample</title>
  <literallayout class="monospaced"><![CDATA[
context main-default {
    // outbound dnsbl filtering to catch our own customers that end up on the sbl
    dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl_list sbl;

    // outbound content filtering to prevent our own customers from sending spam
    content on {
        filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore { include "hosts-ignore.conf"; };
        tld { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit on 20 "Mail containing excessive bad html tags rejected";
        html_limit off;
        host_limit on 20 "Mail containing excessive host names rejected";
        host_limit soft 20;
        spamassassin 4;
        require_match yes;
        dcc_greylist yes;
        dcc_bulk_threshold 50;
    };

    // backscatter prevention - do not send bounces for mail that we accepted but could not forward
    // we only send bounces to our own customers
    env_from unknown {
        "<>" black;
    };

    // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address
    // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address
    // default hourly recipient rate limit is 30
    // daily recipient rate limits are 4 times the hourly limit
    // default hourly unique ip addresses is 5
    // daily unique ip addresses are 4 times the hourly limit
    rate_limit 30 4 5 4 {           // default
        fred 100 10;                // override default limits
        joe 10 2;                   // ""
        "sam@somedomain.tld" 500 2;
        "@otherdomain.tld" 100 2;
    };
};

context main {
    dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnswl dnswl.org list.dnswl.org 2;
    dnsbl_list local sbl;
    dnswl_list dnswl.org;
    require_rdns yes;

    content on {
        dkim_signer {
            #
            # anything signed by this is accepted.
            accounts.google.com white;
        };
        dkim_from {
            #
            # dmarc enforcement
            aim.com unsigned_black "aim.com,mx.aim.com";
            aol.com unsigned_black "aol.com,mx.aol.com";
            yahoo.co.uk unsigned_black yahoo.co.uk;
            yahoo.com unsigned_black yahoo.com;
            yahoo.in unsigned_black yahoo.in;
            #
            # white/blacklisting based on presence of valid signatures
            credit.paypal.com require_signed credit.paypal.com;
            paypal.com require_signed paypal.com;
            dhl.com require_signed dhl.com;
            adp.com require_signed "adp.com,bmi.adp.com";
            #
            # blacklisting based on header from value - requiring signatures
            # from an impossible signer.
            spammer.domain require_signed .;
            #
            # whitelisting based on strong spf pass - whitelisted if signed by
            # an impossible signer (which will never happen) or strong spf pass.
            some.domain signed_white .;
            #
            # whitelisting based on strong spf pass - whitelisted if signed by
            # an impossible signer (which will never happen) or strong spf pass
            # adding some extra spf data to their record. This whitelists their
            # email that arrives via 10.0.0.0/16 (or via anything listed in their
            # actual spf record).
            some.other.domain signed_white ".;ip4:10.0.0.0/16";
            #
            # whitelisting based on valid signature or strong spf pass.
            # some paychex mail is signed, some is unsigned but passes strong spf.
            paychex.com require_signed paychex.com;
            #
            # whitelisting from mailchimp which needs wildcards
            princetheater.org require_signed "mandrillapp.com,*.mcsignup.com,*.mcsv.net,*.rsgsv.net,*.mcdlv.net";
            #
        };
        filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore { include "hosts-ignore.conf"; };
        tld { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit off;
        host_limit soft 20;
        spamassassin 5;
        require_match yes;
        dcc_greylist yes;
        dcc_bulk_threshold 20;
    };

    generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}"
            "your mail server %s seems to have a generic name";

Carl Byington <carl@five-ten-sg.com>
parents:
255
diff
changeset
|
1023 white_regex "=example.com=user@yourhostingaccount.com$"; |
233
5c3e9bf45bb5
Add whitelisting by regex expression filtering.
Carl Byington <carl@five-ten-sg.com>
parents:
216
diff
changeset
|
1024 |
108 | 1025 env_to { |
171 | 1026 # !! replace this with your domain names |
108 | 1027 # child contexts are not allowed to specify recipient addresses outside these domains |
179 | 1028 # if this is a backup-mx, you need to include here domains for which you relay to the primary mx |
174 | 1029 include "/etc/mail/local-host-names"; |
108 | 1030 }; |
94 | 1031 |
108 | 1032 context whitelist { |
1033 content off {}; | |
1034 env_to { | |
171 | 1035 # dcc_to ok { include "/var/dcc/whitecommon"; }; |
108 | 1036 }; |
1037 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted | |
1038 # so all mail TO these env_to addresses is accepted | |
1039 }; | |
94 | 1040 |
171 | 1041 context abuse { |
1042 dnsbl_list xbl; | |
1043 content off {}; | |
174 | 1044 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
171 | 1045 env_to { |
1046 abuse@ # no content filtering on abuse reports | |
1047 postmaster@ # "" | |
1048 }; | |
1049 env_from unknown {}; # ignore all parent white/black listing | |
1050 }; | |
1051 | |
108 | 1052 context minimal { |
171 | 1053 dnsbl_list sbl; |
178 | 1054 content on { |
1055 spamassassin 10; | |
1056 dcc_bulk_threshold many; | |
1057 }; | |
171 | 1058 generic "^$ " " "; # regex cannot match, to disable generic rdns rejects |
108 | 1059 env_to { |
1060 }; | |
1061 }; | |
94 | 1062 |
108 | 1063 context blacklist { |
255
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
1064 dnsbl_list ; |
d6d5c50b9278
Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts. Add daily recipient limits as a multiple of the hourly limits.
Carl Byington <carl@five-ten-sg.com>
parents:
253
diff
changeset
|
1065 dnswl_list ; |
108 | 1066 env_to { |
171 | 1067 # dcc_to many { include "/var/dcc/whitecommon"; }; |
108 | 1068 }; |
1069 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted | |
1070 # so all mail TO these env_to addresses is rejected | |
1071 }; | |
94 | 1072 |
171 | 1073 env_from unknown { |
1074 abuse@ abuse; # replies to abuse reports use the abuse context | |
1075 # dcc_from { include "/var/dcc/whitecommon"; }; | |
108 | 1076 }; |
1077 | |
171 | 1078 autowhite 90 "autowhite/my-auto-whitelist"; |
1079 # install should create /etc/dnsbl/autowhite writable by userid dnsbl | |
108 | 1080 };]]></literallayout> |
1081 </refsect1> | |
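The sample configuration above rejects mail from clients whose reverse-DNS name matches the `generic` regex, and the abuse and minimal contexts switch that check off with a pattern that can never match. The following is an added example, not code from the dnsbl project: it runs the two patterns exactly as they appear in the sample over a handful of constructed reverse-DNS names, so you can see which naming styles the pattern catches before deploying it. It assumes Python's `re` dialect agrees with the milter's own regex library on the constructs used (alternation, bracket classes, bounded repetition); the milter's matching flags are not shown on this page, so case handling here is Python's default and the hostnames and addresses are made up (RFC 5737 documentation space).

```python
import re

# The generic-rDNS pattern, copied verbatim from the sample dnsbl.conf above.
# Alternative 1 is a literal exception for one DSL pool; alternative 2 looks
# for four runs of 1-3 digits, each followed by a separator ('x', '.' or '-'),
# optionally prefixed by ppp/h/host and with Red-/dynamic- infixes allowed.
GENERIC_RDNS = re.compile(
    r"^dsl.static.*ttnet.net.tr$"
    r"|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}"
)

# The pattern the abuse and minimal contexts use to switch the check off.
# "^$ " requires end-of-string followed by a literal space, which no string
# can satisfy, so generic-name rejects are disabled in those contexts.
DISABLED = re.compile(r"^$ ")


def is_generic(rdns: str, pattern=GENERIC_RDNS) -> bool:
    """True when the reverse-DNS name of the connecting client looks generic."""
    return pattern.search(rdns) is not None


def classify(names, pattern=GENERIC_RDNS) -> dict:
    """Map each candidate rDNS name to the verdict the given pattern yields."""
    return {name: is_generic(name, pattern) for name in names}


# Constructed sample rDNS names (not real hosts); addresses are taken from
# RFC 5737 documentation ranges.
SAMPLE_RDNS = [
    "host-203-0-113-7.example.net",   # ISP pool naming: host-a-b-c-d
    "ppp198.51.100.23.example.org",   # ppp prefix followed by a dotted quad
    "dsl.static.37.ttnet.net.tr",     # caught by the literal first alternative
    "mail.example.com",               # no digit runs at all
    "mx1.example.org",                # one digit run is not four
]

if __name__ == "__main__":
    for name, generic in classify(SAMPLE_RDNS).items():
        print(f"{name:36s} {'generic' if generic else 'ok'}")
    # With the disabling pattern nothing is flagged, as in context abuse/minimal.
    assert not any(classify(SAMPLE_RDNS, DISABLED).values())
```

Run it as a script to print the verdict for each sample; the last assertion demonstrates that `"^$ "` flags nothing. Note that the second alternative only needs four digit-plus-separator runs after a start-of-string or separator, so a name such as `relay-1.2.3.4.example.com` is also treated as generic; legitimate senders with such names are the reason the sample config disables the check for abuse and postmaster mail.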

<refsect1 id='version.5'>
    <title>Version</title>
    <para>
        @VERSION@
    </para>
</refsect1>

</refentry>
</reference>