comparison xml/dnsbl.in @ 75:1142e46be550

start coding on new config syntax
author carl
date Wed, 13 Jul 2005 23:04:14 -0700
parents fb8afa205293
children 81f1e400e8ab
74:b7449114ebb0 75:1142e46be550
1 <html> 1 <html>
2 2
3 <head> 3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> 4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
5 <title>DNSBL Sendmail milter - Version 4.6</title> 5 <title>DNSBL Sendmail milter - Version 5.0</title>
6 </head> 6 </head>
7 7
8 <center>Introduction</center> 8 <center>Introduction</center>
9 <p>This milter is released under the GPL license version 2 included in 9 <p>This milter is released under the GPL license version 2 included in
10 the LICENSE file in the distribution, and also available at 10 the LICENSE file in the distribution, and also available at
47 mail domains. The DCC approach has the feature that you can capture the 47 mail domains. The DCC approach has the feature that you can capture the
48 entire message in the DCC log files. The DNSBL milter approach has the 48 entire message in the DCC log files. The DNSBL milter approach has the
49 feature that the mail is rejected earlier (at RCPT TO time), and the 49 feature that the mail is rejected earlier (at RCPT TO time), and the
50 sending machine just gets a generic "550 5.7.1 no such user" message. 50 sending machine just gets a generic "550 5.7.1 no such user" message.
51 51
52 <p>There is an option to reference the DCC whiteclnt file (via an 52 <p>The DCC whiteclnt file can be included in the DNSBL milter config by
53 include_dcc line) in the DNSBL milter config. This will import the 53 the dcc_to and dcc_from statements. This will import the (env_to,
54 (env_to, env_from, and substitute mail_host) entries from the DCC config 54 env_from, and substitute mail_host) entries from the DCC config into the
55 into the DNSBL config. This allows using the DCC config as the single 55 DNSBL config. This allows using the DCC config as the single point for
56 point for white/blacklisting. When used in this manner, the whitelist 56 white/blacklisting.
57 env_to entries from the DCC config become global whitelist entries in
58 the DNSBL config.
59 57
60 <p>Consider the case where you have multiple clients, each with their 58 <p>Consider the case where you have multiple clients, each with their
61 own mail servers, and each running their own DCC milters. Each client 59 own mail servers, and each running their own DCC milters. Each client
62 is using the DCC facilities for envelope from/to white/blacklisting. 60 is using the DCC facilities for envelope from/to white/blacklisting.
63 Presumably you can use rsync or scp to fetch copies of your clients DCC 61 Presumably you can use rsync or scp to fetch copies of your clients DCC
64 whiteclnt files on a regular basis. Your mail server, acting as a 62 whiteclnt files on a regular basis. Your mail server, acting as a
65 backup MX for your clients, can use the DNSBL milter, and include those 63 backup MX for your clients, can use the DNSBL milter, and include those
66 client DCC config files. The envelope to white/blacklisting will be 64 client DCC config files. The envelope from/to white/blacklisting will
67 global for your system, but the envelope from white/blacklisting will be 65 be appropriately tagged and used only for the domains controlled by each
68 appropriately tagged and used only for the domains controlled by each of 66 of those clients.
69 those clients.
70 67
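Review bot: the new text at lines 52-55 names two statements, dcc_to and dcc_from, but still describes a single combined import of the "(env_to, env_from, and substitute mail_host)" entries, so a reader cannot tell which statement pulls in which DCC entries; say explicitly what dcc_to imports and what dcc_from imports. Since the include_dcc wording is deleted and the title now reads 5.0, also state whether an include_dcc line in an existing config is still accepted or is now a parse error, so admins upgrading do not silently lose their DCC whitelist. Minor: "your clients DCC whiteclnt files" (line 61) wants the possessive "clients'".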
71 <hr> <center>Definitions</center> 68 <hr> <center>Definitions</center>
69
70 <p>CONTEXT - a collection of parameters that defines the filtering
71 context to be used for a collection of envelope recipient addresses.
72 The context includes such things as the list of DNSBLs to be used, and
73 the various content filtering parameters.
74
72 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix 75 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix
73 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to 76 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to
74 generate the "550 5.7.1" smtp error return code. The names of these 77 generate the "550 5.7.1" smtp error return code. The names of these
75 DNSBLs will be used to define the DNSBL-LISTs. 78 DNSBLs will be used to define the DNSBL-LISTs.
76 79
77 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific 80 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
78 recipients or recipient domains. 81 recipients or recipient domains.
79 82
80 <p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs) 83 <p>The envelope to email address is used to find an initial filtering context.
81 from envelope-from values to the WHITE, BLACK, or DEFAULT keywords. The 84 That context then uses the envelope from email address to find the final
82 names of these maps will be used for specific recipients or recipient 85 filtering context. The envelope from email address is checked in that context
83 domains. 86 to see if we should whitelist or blacklist the message
84
85 <p>The configuration file maps each recipient (or recipient domain) to
86 two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP). If the 87 two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP). If the
87 recipient is not found in the configuration, the named DEFAULT 88 recipient is not found in the configuration, the named DEFAULT
88 dnsbl-list and DEFAULT envelope-from-map will be used. When mail is 89 dnsbl-list and DEFAULT envelope-from-map will be used. When mail is
89 received for that recipient, 90 received for that recipient,
90 91
91 <ol> 92 <ol>
92 93
93 <li>If the client has authenticated with sendmail, the mail is accepted 94 <li>If the client has authenticated with sendmail, the mail is accepted,
94 and the dns lists are not checked. 95 the dns lists are not checked, and the body content is not scanned.
95 96
96 <li>If either one is BLACK, mail to this recipient is rejected with "no 97 <li>The envelope to email address is used to find an initial filtering
98 context. We first look for a context that specified the full email address
99 in the env_to statement. If that is not found, we look for a context that
100 specified the entire domain name of the envelope recipient in the env_to
101 statement. If that is not found, we look for a context that specified the
102 user@ part of the envelope recipient in the env_to statement. If that is not
103 found, we use the first top level context defined in the config file.
104
105 <li>The initial filtering context may redirect to a child context based
106 on the values in the initial context's env_from statement. We look for
107 [1) the full envelope from email address, 2) the domain name part of the
108 envelope from address, 3) the user@ part of the envelope from address]
109 in that context's env_from statement, with values that point to a child
110 context. If such an entry is found, we switch to that filtering
111 context.
112
113 <li>We lookup [1) the full envelope from email address, 2) the domain
114 name part of the envelope from address, 3) the user@ part of the
115 envelope from address] in the filtering context env_from statement.
116 That results in one of (white, black, unknown, inherit).
117
118 <li>If the answer is black, mail to this recipient is rejected with "no
97 such user", and the dns lists are not checked. 119 such user", and the dns lists are not checked.
98 120
99 <li>If the envelope-from-map name is WHITE, mail to this recipient is 121 <li>If the answer is white, mail to this recipient is accepted and the
100 accepted and the dns lists are not checked. 122 dns lists are not checked.
101 123
102 <li>If the envelope-from-map exists, the map is checked for the presence 124 <li>If the answer is unknown, we don't reject yet, but the dns lists
103 of the sender. A WHITE or BLACK answer is definitive and the dns lists 125 will be checked, and the content may be scanned.
104 are not checked. 126
105 127 <li>If the answer is inherit, we repeat the envelope from search in the
106 <li>If the dnsbl-list name is WHITE, the dns lists are not checked and 128 parent context.
107 the mail is accepted. Otherwise, the dns lists are checked and the mail 129
108 is rejected if any list has an A record for the standard dns based 130 <li>The dns lists specified in the filtering context are checked and the
131 mail is rejected if any list has an A record for the standard dns based
109 lookup scheme (reversed octets of the client followed by the dns 132 lookup scheme (reversed octets of the client followed by the dns
110 suffix). 133 suffix).
111 134
112 <li>If the mail has not been accepted or rejected yet, the body content 135 <li>If the mail has not been accepted or rejected yet, the body content
113 is optionally scanned for HTTP URLs (after base64, mime and html entity 136 is optionally scanned for HTTP URLs (after base64, mime and html entity
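Review bot: deleting old line 85 ("The configuration file maps each recipient (or recipient domain) to") leaves new lines 86-90 reading "...whitelist or blacklist the message two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP)..." with no sentence start, and that remnant still describes the old DNSBL-LIST / ENVELOPE-FROM-MAP / DEFAULT scheme even though the ENVELOPE-FROM-MAP definition is removed and the new step at 97-103 says the fallback is "the first top level context defined in the config file". Either drop lines 87-90 or rewrite them in terms of CONTEXT, and end line 86 with a period. For the same reason, check whether the DNSBL-LIST definition at 80-81 still describes a config object, given that the new CONTEXT definition at 70-73 says the context itself carries the list of DNSBLs. Two gaps in the new step list: the inherit step (127-128) repeats the search in the parent context but does not say what happens when the top-level context itself answers inherit; and step 105-111 switches to a child context keyed on the envelope from value, which is sender supplied, so the text should say whether a child context reached that way can turn off the dns list checks at 130-133 entirely or only change which lists are consulted.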
143 <p>Using the standard sendmail features, you would add access entries to 166 <p>Using the standard sendmail features, you would add access entries to
144 allow hosts on your local network to relay thru your mail server. Those 167 allow hosts on your local network to relay thru your mail server. Those
145 OK entries in the sendmail access database will override all the dnsbl 168 OK entries in the sendmail access database will override all the dnsbl
146 checks. With this DNSBL milter, you will need to have the local users 169 checks. With this DNSBL milter, you will need to have the local users
147 authenticate with smtp-auth to get the same effect. You might find <a 170 authenticate with smtp-auth to get the same effect. You might find <a
148 href="http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssh-how-to.htm"> 171 href="http://www.lists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssl-how-to.htm">
149 these directions</a> helpful for setting up smtp-auth if you are on RH 172 these directions</a> helpful for setting up smtp-auth if you are on RH
150 Linux. 173 Linux.
151 174
152 <hr> <center>Installation and configuration</center> 175 <hr> <center>Installation and configuration</center>
153 <p>Usage: Note that this has ONLY been tested on Linux, specifically 176 <p>Usage: Note that this has ONLY been tested on Linux, specifically
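Review bot: the link at 171 changes both the host (www.ists.dartmouth.edu to www.lists.dartmouth.edu) and the file name (sendmail-ssh-how-to.htm to sendmail-ssl-how-to.htm). The ssl file name fits the smtp-auth setup the sentence describes, but the host edit may be a correction in the wrong direction, since "ists" reads as an institute abbreviation rather than a typo for "lists"; confirm the new URL actually resolves before committing it, because a dead link here leaves readers without the smtp-auth instructions that lines 168-170 say are needed to get the equivalent of the sendmail access OK entries.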
183 <pre> 206 <pre>
184 cd /etc/dnsbl 207 cd /etc/dnsbl
185 /usr/sbin/dnsbl -c 208 /usr/sbin/dnsbl -c
186 </pre> 209 </pre>
187 210
211 You can check a specific envelope from/to pair with
212
213 <pre>
214 cd /etc/dnsbl
215 from="$1" # or your from address
216 to="$2" # or your to address
217 /usr/sbin/dnsbl -e "$from"'|'"$to"
218 </pre>
219
188 <hr> <center>Performance issues</center> 220 <hr> <center>Performance issues</center>
189 221
190 <p>Consider a high volume high performance machine running sendmail. 222 <p>Consider a high volume high performance machine running sendmail.
191 Each sendmail process can do its own dns resolution. Typically, such 223 Each sendmail process can do its own dns resolution. Typically, such
192 dns resolver libraries are not thread safe, and so must be protected by 224 dns resolver libraries are not thread safe, and so must be protected by
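Review bot: the new -e example at 213-218 does not say what the command reports or which part of the pipeline it exercises. The steps at 130-133 reject on the connecting client's address (reversed octets), and -e takes only an envelope from/to pair, so state whether -e resolves just the env_to/env_from context (white, black, unknown, inherit) or also runs the dns lookups, and show one line of sample output so an admin can tell a whitelist hit from a config error. Also worth a sentence: the argument is a single string with '|' as the separator, so an address containing '|' cannot be checked this way, and from="$1" / to="$2" only work when the snippet runs as a script with arguments; in an interactive shell $1 and $2 are empty.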