dnsbl: xml/sample.conf comparison

comparison xml/sample.conf @ 75:1142e46be550

start coding on new config syntax

author	carl
date	Wed, 13 Jul 2005 23:04:14 -0700
parents	419e00901570
children	81f1e400e8ab

comparison

equal deleted inserted replaced

-:b7449114ebb0
+:1142e46be550
 # $Id$
 #
-# lines start with a command token, following by argument tokens
-# tokens are separated by spaces or tabs
+# partial bnf description of this configuration language
 #
-#
+# CONFIG            = {CONTEXT ";"}+
-# tld:
+# CONTEXT           = "context" NAME "{" {STATEMENT}+ "}"
-#   second token is the tld suffix - com, net, org, etc
+# STATEMENT         = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | CONTEXT | ENV-FROM) ";"
-#
-#
+# DNSBL             = "dnsbl" NAME DNSPREFIX ERROR-MSG
-# content:
-#   second token is the dns suffix used for the actual lookups
+# DNSBLLIST         = "dnsbl_list" {NAME}+
-#   third  token? is a string enclosed in single quotes, so it
-#       is not really a token. This is the error message, with
+# CONTENT           = "content" ("on" | "off") "{" {CONTENT-STATEMENT}+ "}"
-#       up to two %s parameters for the offending host name and
+# CONTENT-STATEMENT = (FILTER | IGNORE | TLD | HTML-TAGS | HTML-LIMIT | HOST-LIMIT) ";"
-#       client ip address respectively.
+# FILTER            = "filter" DNSPREFIX ERROR-MSG
-#
+# IGNORE            = "ignore"     "{" {HOSTNAME [";"]}+ "}"
-#   If this command is not present, there is no body scanning
+# TLD               = "tld"        "{" {TLD      [";"]}+ "}"
-#   for host names or bad html tags.
+# HTML-TAGS         = "html_tags"  "{" {HTMLTAG  [";"]}+ "}"
-#
+# ERROR-MSG         = string containing exactly two %s replacement tokens for the client ip address
-#
-# ignore:
+# HTML-LIMIT        = "html_limit" ("on" INTEGER ERROR-MSG | "off")
-#   second token is a host name that is allowed in the body even
-#   if it would otherwise be rejected by the content scanning
+# HOST-LIMIT        = "host_limit" ("on" INTEGER ERROR-MSG | "off" | "soft" INTEGER)
-#   above.
-#
+# ENV-TO            = "env_to"     "{" {(TO-ADDR | DCC-TO)}+ "}"
-#
+# TO-ADDR           = ADDRESS [";"]
-# host_limit:
+# DCC-TO            = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"
-#   second token is the integer count of the number of host names
-#       or urls that are allowed in any one mail body. Zero is
+# ENV_FROM          = "env_from" DEFAULT "{" {(FROM-ADDR | DCC-FROM)}+ "}"
-#       unlimited. If the actual number of host names in the message
+# FROM-ADDR         = ADDRESS VALUE [";"]
-#       is larger than this limit, the message is rejected.
+# DCC-FROM          = "dcc_from" "{" DCCINCLUDEFILE "}" ";"
-#   third  token? is a string enclosed in single quotes, so it
+# DEFAULT           = ("white" | "black" | "unknown" | "inherit" | "")
-#       is not really a token. This is the error message supplied
+# ADDRESS           = (USER@ | DOMAIN | USER@DOMAIN)
-#       to the smtp client.
+# VALUE             = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME
-#
-#
-# host_soft_limit:
-#   second token is the integer count of the number of host names
-#       or urls that are checked in any one mail body. Zero is
-#       unlimited. If the actual number of host names in the message
-#       is larger than this limit, only a random selection of them
-#       are checked against the dnsbl.
-#
-#
-# html_limit:
-#   second token is the integer count of the number of bad html tags
-#       that are allowed in any one mail body. Zero is unlimited.
-#   third  token? is a string enclosed in single quotes, so it
-#       is not really a token. This is the error message supplied
-#       to the smtp client.
-#
-#
-# html_tag:
-#   second token is a valid html tag, that is added to the list
-#       of valid tags. Any html tag seen in the mail bodies that
-#       that is not in this list is presumed to be invalid.
-#
-#
-# dnsbl:
-#   second token is the name of this dnsbl
-#   third  token is the dns suffix used for the actual lookups
-#   fourth token? is a string enclosed in single quotes, so it
-#       is not really a token. This is the error message, with
-#       up to two %s parameters for the client ip address.
-#
-#
-# dnsbl_list:
-#   second token is the name of this list of dnsbls
-#   subsequent tokes are the names of the previously defined dnsbls
-#
-#
-# env_from:
-#   second token is the name of this envelope-from-map. There will
-#       generally be multiple lines with the same name.
-#   third token is the envelope from value from the smtp conversation,
-#       or just the domain part that follows the @ symbol.
-#   fourth token is BLACK, WHITE, or the name of a previously defined
-#       envelope-from-map. BLACK causes mail from this sender to be
-#       rejected with "no such user". WHITE causes mail to be accepted
-#       and the dns based lists are ignored. DEFAULT may be used to override
-#       the contents of other maps that are copied into this map, and
-#       set that sender back to the default (not white or black listed,
-#       and subject to dnsbl lookups).
-#
-#
-# env_to:
-#   second token is the envelope recipient value from the smtp conversation,
-#       or just the domain part that follows the @ symbol.
-#   third token is the name of a dnsbl-list, or WHITE or BLACK.
-#   fourth token is the name of an envelope-from-map, or WHITE or BLACK.
-#
-#   If either one is BLACK, mail to this recipient is rejected with
-#   "no such user", and the dns lists are not checked.
-#
-#   If the envelope-from-map name is WHITE, mail to this recipient is accepted
-#   and the dns lists are not checked.
-#
-#   If the envelope-from-map exists, the map is checked for the presence
-#   of the sender. A WHITE or BLACK answer is definitive and the dns lists
-#   are not checked.
-#
-#   If the dnsbl-list name is WHITE, the dns lists are not checked and the
-#   mail is accepted. Otherwise, the dns lists are checked and the mail
-#   is rejected if any list has an A record for the standard dns based
-#   lookup scheme (reversed octets of the client followed by the dns suffix).
-#
-#
-# include:
-#   second token is the path name of the dnsbl milter config file to be
-#   included.
-#
-#
-# include_dcc:
-#   second token is the name of an envelope-from-map (EMAP below).
-#   third token is the path name of the dcc whiteclnt config file to be
-#       included. Entries from the dcc config are mapped as:
-#           ok -> WHITE
-#           many -> BLACK
-#           env_from -> env_from EMAP xxx
-#           env_to   -> env_to
-#           substitute mail_host -> env_from EMAP xxx
-#
-#
-#
-##############################################
-# content scanning parameters
-#
-content         sbl-xbl.spamhaus.org        'Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s'
-host_limit      20                          'Mail containing too many host names rejected'
-host_soft_limit 20
-html_limit      20                          'Mail containing excessive bad html tags rejected'
-include hosts-ignore.conf
-include html-tags.conf
-include tld.conf
-##############################################
+context sample {
-# define the dnsbls to use
+dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
-#
+dnsbl   spews   blackholes.spews.org        "Mail from %s rejected - spews; see http://www.spews.org/ask.cgi?x=%s";
-dnsbl   LOCAL   blackholes.five-ten-sg.com  'Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s'
+dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
-dnsbl   SPEWS   blackholes.spews.org        'Mail from %s rejected - spews; see http://www.spews.org/ask.cgi?x=%s'
+dnsbl   xbl     xbl.spamhaus.org            "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
-dnsbl   SBL     sbl-xbl.spamhaus.org        'Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s'
+dnsbl_list  local sbl;
+content on {
+filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ignore    { include "hosts-ignore.conf"; };
+tld       { include "tld.conf"; };
+html_tags { include "html-tags.conf"; };
+html_limit off;
+host_limit on 20 "Mail containing excessive bad html tags rejected";
+host_limit soft 20;
+};
-##############################################
+env_to {
-# define the (default and other) lists of dnsbls to use
+mydomain.com;   # child contexts are not allowed to specify recipient addresses outside these domains
-#
+customer1.com;
-dnsbl_list  DEFAULT LOCAL SPEWS SBL
+customer1a.com;
-dnsbl_list  SIMPLE  SBL
+customer1b.com;
-dnsbl_list  CUST1   SBL
+customer2.com;
-dnsbl_list  CUST2   SPEWS SBL
+customer2a.com;
+customer2b.com;
+};
+context whitelist {
+content off {};
+env_to {
+# dcc_to ok { include "/var/dcc/whitecommon"; };
+};
+env_from white {};      # white forces all unmatched from addresses (everyone in this case) to be whitelisted
+# so all mail TO these env_to addresses is accepted
+};
-##############################################
+context abuse {
-# define the (default and other) env_from maps
+dnsbl_list xbl;
-#
+content off {};
-env_from    DEFAULT spammer@example.com     BLACK
+env_to {
-env_from    DEFAULT yahoo.com               BLACK
+abuse@;             # no content filtering on abuse reports
+postmaster@;        # ""
+};
+env_from unknown {};    # ignore all parent white/black listing
+};
-# special list for the vp
+context minimal {
-env_from    TEST    dummy-token             DEFAULT # inherit the currently defined DEFAULT env_from mapping
+dnsbl_list sbl;
-env_from    TEST    nai.com                 BLACK   # the vp does not like nai
+content on {};
-env_from    TEST    yahoo.com               DEFAULT #
+env_to {
-env_from    TEST    mother@spammyisp.com    WHITE   # suppresses dnsbl checking
+sales@mydomain.com;
+};
+};
+context blacklist {
+env_to {
+dcc_to many { include "/var/dcc/whitecommon"; };
+old-employee@mydomain.com;
+};
+env_from black {};      # black forces all unmatched from addresses (everyone in this case) to be blacklisted
+# so all mail TO these env_to addresses is rejected
+};
-##############################################
+context vp {    # special context for the vp
-# specify dnsbl_lists and env_from maps to use for specific recipients
+env_to {
-#
+vp@mydomain.com;
-env_to      abuse@mydomain.com      WHITE   WHITE       # no dnsbl, no env_from map
+};
-env_to      sales@mydomain.com      SIMPLE  NULL        # sbl only, no env_from map
+env_from inherit {
-env_to      vp@mydomain.com         DEFAULT TEST        # allow mail from mom
+nai.com                 black;      # the vp does not like nai
-env_to      old-emp@mydomain.com    BLACK   BLACK       # return no such user even from backup mx machines
+yahoo.com               unknown;    # override parent context blacklisting
+mother@spammyisp.com    white;      # suppress dnsbl checking
+};
+};
-##############################################
+context customer1 {
-# specify dnsbl_lists and env_from maps to use for clients domains
+dnsbl_list sbl;
-#
+env_to {
-env_to      mydomain.com            DEFAULT DEFAULT
+customer1.com;
-env_to      customer1.com           CUST1   DEFAULT     # all customer 1 domains use just sbl
+customer1a.com;
-env_to      customer1a.com          CUST1   DEFAULT
+customer1b.com;
-env_to      customer1b.com          CUST1   DEFAULT
+};
-env_to      customer2.com           CUST2   DEFAULT     # all customer 2 domains use spews and sbl
-env_to      customer2a.com          CUST2   DEFAULT
+context customer1a {
+env_to {
+customer1a.com;
+}
+env_from black {                        # blacklist everything
+first@acceptable.com    unknown;    # except these specific envelope senders
+second@another.com      unknown;
+yahoo.com               inherit;    # delegate to the parent
+};
+};
-##############################################
+env_from {
-# you can also include nested config files
+yahoo.com           black;      # no mail from yahoo
-# file names are single tokens, no embedded blanks
+first@yahoo.com     unknown;    # except this one
-#
+};
-include dnsbl.conf      # this will generate a recursive include file syslog error message
+};
-include_dcc  DEFAULT /var/dcc/whitecommon   # this includes the default dcc whitelist file
+context customer2 {
+dnsbl_list sbl spews;
+env_to {
+customer2.com;
+customer2a.com;
+customer2b.com;
+};
+};
+env_from unknown {
+dcc_from { include "/var/dcc/whitecommon"; };   # use the dcc whitecommon list ok/many values to white/black list envelope from values here
+abuse@              abuse;      # replies to abuse reports use the abuse context
+yahoo.com           black;      # don't take mail from yahoo
+spammer@example.com black;
+};
+};

Mercurial > dnsbl

comparison xml/sample.conf @ 75:1142e46be550