dnsbl: xml/dnsbl.in comparison

comparison xml/dnsbl.in @ 108:1c7677042b78

move to autoconf/automake/docbook

author	carl
date	Sun, 18 Dec 2005 12:05:05 -0800
parents	586d5b58040a
children	d0dad5610980


-:eeaaecda4acc
+:1c7677042b78
-<html>
+<reference>
+<title>@PACKAGE@ Sendmail milter - Version @VERSION@</title>
-<head>
+<partintro>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+<title>Packages</title>
-<title>DNSBL Sendmail milter - Version 5.10</title>
+<para>The various source and binary packages are available at <ulink
-</head>
+url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>.
+The most recent documentation is available at <ulink
-<center>Introduction</center>
+url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>.
-<p>This milter is released under the GPL license version 2 included in
+</para>
-the LICENSE file in the distribution, and also available at
-<a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
+</partintro>
-<p>Consider the case of a mail server that is acting as secondary MX for
+<refentry id="@PACKAGE@.1">
-a collection of clients, each of which has a collection of mail domains.
+<refentryinfo>
-Each client may use their own collection of DNSBLs on their primary mail
+<date>2005-12-18</date>
-server.  We present here a mechanism whereby the backup mail server can
+</refentryinfo>
-use the correct set of DNSBLs for each recipient for each message.  As a
-side-effect, it gives us the ability to customize the set of DNSBLs on a
+<refmeta>
-per-recipient basis, so that fred@example.com could use SPEWS and the
+<refentrytitle>@PACKAGE@</refentrytitle>
-SBL, while all other users @example.com use only the SBL.
+<manvolnum>1</manvolnum>
+<refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
-<p>This milter can also verify the envelope from/recipient pairs with
+</refmeta>
-the primary MX server.  This allows the backup mail servers to properly
-reject mail sent to invalid addresses.  Otherwise, the backup mail
+<refnamediv id='name.1'>
-servers will accept that mail, and then generate a bounce message when
+<refname>@PACKAGE@</refname>
-the message is forwarded to the primary server (and rejected there with
+<refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose>
-no such user).
+</refnamediv>
-<p>This milter will also decode (uuencode, base64, mime, html entity,
+<refsynopsisdiv id='synopsis.1'>
-url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in
+<title>Synopsis</title>
-the body of the mail.  If any of those host names have A or NS records
+<cmdsynopsis>
-on the SBL (or a single configurable DNSBL), the mail will be rejected
+<command>@PACKAGE@</command>
-unless previously whitelisted.  This milter also counts the number of
+<arg><option>-c</option></arg>
-invalid HTML tags, and can reject mail if that count exceeds your
+<arg><option>-s</option></arg>
-specified limit.
+<arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
+<arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg>
-<p>The DNSBL milter reads a text configuration file (dnsbl.conf) on
+<arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg>
-startup, and whenever the config file (or any of the referenced include
+<arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg>
-files) is changed.  The entire configuration file is case insensitive.
+<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
-If the configuration cannot be loaded due to a syntax error, the milter
+</cmdsynopsis>
-will log the error and quit.  If the configuration cannot be reloaded
+</refsynopsisdiv>
-after being modified, the milter will log the error and send an email to
-root from dnsbl@$hostname.  You probably want to add dnsbl@$hostname
+<refsect1 id='options.1'>
-to your /etc/mail/virtusertable since otherwise sendmail will reject
+<title>Options</title>
-that message.
+<variablelist>
+<varlistentry>
-<hr> <center>DCC Issues</center>
+<term>-c</term>
-<p>If you are also using the <a
+<listitem>
-href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
+<para>
-a few considerations.  You may need to whitelist senders from the DCC
+Load the configuration file, print a canonical form
-bulk detector, or from the DNS based lists.  Those are two very
+of the configuration on stdout, and exit.
-different reasons for whitelisting.  The former is done thru the DCC
+</para>
-whiteclnt config file, the latter is done thru the DNSBL milter config
+</listitem>
-file.
+</varlistentry>
+<varlistentry>
-<p>You may want to blacklist some specific senders or sending domains.
+<term>-s</term>
-This could be done thru either the DCC (on a global basis, or for a
+<listitem>
-specific single recipient).  We prefer to do such blacklisting via the
+<para>
-DNSBL milter config, since it can be done for a collection of recipient
+Stress test the configuration loading code by repeating
-mail domains.  The DCC approach has the feature that you can capture the
+the load/free cycle in an infinite loop.
-entire message in the DCC log files.  The DNSBL milter approach has the
+</para>
-feature that the mail is rejected earlier (at RCPT TO time), and the
+</listitem>
-sending machine just gets a generic "550 5.7.1 no such user" message.
+</varlistentry>
+<varlistentry>
-<p>The DCC whiteclnt file can be included in the DNSBL milter config by
+<term>-d <replaceable class="parameter">n</replaceable></term>
-the dcc_to and dcc_from statements.  This will import the (env_to,
+<listitem>
-env_from, and substitute mail_host) entries from the DCC config into the
+<para>
-DNSBL config.  This allows using the DCC config as the single point for
+Set the debug level to <replaceable class="parameter">n</replaceable>.
-white/blacklisting.
+</para>
+</listitem>
-<p>Consider the case where you have multiple clients, each with their
+</varlistentry>
-own mail servers, and each running their own DCC milters.  Each client
+<varlistentry>
-is using the DCC facilities for envelope from/to white/blacklisting.
+<term>-e <replaceable class="parameter">from|to</replaceable></term>
-Presumably you can use rsync or scp to fetch copies of your clients' DCC
+<listitem>
-whiteclnt files on a regular basis.  Your mail server, acting as a
+<para>
-backup MX for your clients, can use the DNSBL milter, and include those
+Print the results of looking up the from and to addresses in the
-client DCC config files.  The envelope from/to white/blacklisting will
+current configuration. The | character is used to separate the from and to
-be appropriately tagged and used only for the domains controlled by each
+addresses in the argument to the -e switch.
-of those clients.
+</para>
+</listitem>
-<hr> <center>Definitions</center>
+</varlistentry>
+<varlistentry>
-<p>CONTEXT - a collection of parameters that defines the filtering
+<term>-r <replaceable class="parameter">local-domain-socket</replaceable></term>
-context to be used for a collection of envelope recipient addresses.
+<listitem>
-The context includes such things as the list of DNSBLs to be used, and
+<para>
-the various content filtering parameters.
+Set the local socket used for the connection to our own dns resolver processes.
+</para>
-<p>DNSBL - a named DNS based blocking list is defined by a dns suffix
+</listitem>
-(e.g. sbl-xbl.spamhaus.org) and a message string that is used to
+</varlistentry>
-generate the "550 5.7.1" smtp error return code.  The names of these
+<varlistentry>
-DNSBLs will be used to define the DNSBL-LISTs.
+<term>-p <replaceable class="parameter">sendmail-socket</replaceable></term>
+<listitem>
-<p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
+<para>
-recipients or recipient domains.
+Set the socket used for the milter connection to sendmail. This is either
+"inet:port@ip-address" or "local:local-domain-socket-file-name".
-<hr> <center>Filtering Procedure</center>
+</para>
+</listitem>
-<p>If the client has authenticated with sendmail, the mail is accepted,
+</varlistentry>
-the filtering contexts are not used, the dns lists are not checked, and
+<varlistentry>
-the body content is not scanned.  Otherwise, we follow these steps for
+<term>-t <replaceable class="parameter">timeout</replaceable></term>
-each recipient.
+<listitem>
+<para>
-<ol>
+Set the timeout in seconds used for communication with sendmail.
+</para>
-<li>The envelope to email address is used to find an initial filtering
+</listitem>
-context.  We first look for a context that specified the full email
+</varlistentry>
-address in the env_to statement.  If that is not found, we look for a
+</variablelist>
-context that specified the entire domain name of the envelope recipient
+</refsect1>
-in the env_to statement.  If that is not found, we look for a context
-that specified the user@ part of the envelope recipient in the env_to
+<refsect1>
-statement.  If that is not found, we use the first top level context
+<title>Usage</title>
-defined in the config file.
+<para><command>@PACKAGE@</command> -c</para>
+<para><command>@PACKAGE@</command> -s</para>
-<br><br><li>The initial filtering context may redirect to a child
+<para><command>@PACKAGE@</command> -d 2</para>
-context based on the values in the initial context's env_from statement.
+<para><command>@PACKAGE@</command> -e'someone@aol.com|localname@mydomain.tld'</para>
-We look for [1) the full envelope from email address, 2) the domain name
+<para><command>@PACKAGE@</command> -d 10 -r /var/run/dnsbl/dnsbl.resolver.sock -p local:/var/run/dnsbl/dnsbl.sock</para>
-part of the envelope from address, 3) the user@ part of the envelope
+</refsect1>
-from address] in that context's env_from statement, with values that
-point to a child context.  If such an entry is found, we switch to that
+<refsect1 id='introduction.1'>
-child filtering context.
+<title>Introduction</title>
+<para>
-<br><br><li>We look up [1) the full envelope from email address, 2) the
+Consider the case of a mail server that is acting as secondary MX for a
-domain name part of the envelope from address, 3) the user@ part of the
+collection of clients, each of which has a collection of mail domains.
-envelope from address] in the filtering context env_from statement.
+Each client may use their own collection of DNSBLs on their primary mail
-That results in one of (white, black, unknown, inherit).
+server.  We present here a mechanism whereby the backup mail server can
+use the correct set of DNSBLs for each recipient for each message.  As a
-<br><br><li>If the answer is black, mail to this recipient is rejected
+side-effect, it gives us the ability to customize the set of DNSBLs on a
-with "no such user", and the dns lists are not checked.
+per-recipient basis, so that fred@example.com could use SPEWS and the
+SBL, while all other users @example.com use only the SBL.
-<br><br><li>If the answer is white, mail to this recipient is accepted
+</para>
-and the dns lists are not checked.
+<para>
+This milter can also verify the envelope from/recipient pairs with the
-<br><br><li>If the answer is unknown, we don't reject yet, but the dns
+primary MX server.  This allows the backup mail servers to properly
-lists will be checked, and the content may be scanned.
+reject mail sent to invalid addresses.  Otherwise, the backup mail
+servers will accept that mail, and then generate a bounce message when
-<br><br><li>If the answer is inherit, we repeat the envelope from search
+the message is forwarded to the primary server (and rejected there with
-in the parent context.
+no such user).
+</para>
-<br><br><li>The dns lists specified in the filtering context are checked
+<para>
-and the mail is rejected if any list has an A record for the standard
+This milter will also decode (uuencode, base64, mime, html entity, url
-dns based lookup scheme (reversed octets of the client followed by the
+encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the
-dns suffix).
+body of the mail.  If any of those host names have A or NS records on
+the SBL (or a single configurable DNSBL), the mail will be rejected
-<br><br><li>If the mail has not been accepted or rejected yet, we look
+unless previously whitelisted.  This milter also counts the number of
-for a verification context, which is the closest ancestor of the
+invalid HTML tags, and can reject mail if that count exceeds your
-filtering context that both specifies a verification host, and which
+specified limit.
-covers the envelope to address.  If we find such a verification context,
+</para>
-and the verification host is not our own hostname, we open an smtp
+<para>
-conversation with that verification host.  The current envelope from and
+The DNSBL milter reads a text configuration file (dnsbl.conf) on
-recipient to values are passed to that verification host.  If we receive
+startup, and whenever the config file (or any of the referenced include
-a 5xy response to those commands, we reject the current recipient with "no
+files) is changed.  The entire configuration file is case insensitive.
-such user".
+If the configuration cannot be loaded due to a syntax error, the milter
+will log the error and quit.  If the configuration cannot be reloaded
-<br><br><li>If the mail has not been accepted or rejected yet, and the
+after being modified, the milter will log the error and send an email to
-filtering context enables content filtering, and this is the first such
+root from dnsbl@$hostname.  You probably want to add dnsbl@$hostname
-recipient in this smtp transaction, we set the content filtering
+to your /etc/mail/virtusertable since otherwise sendmail will reject
-parameters from this context, and enable content filtering for the body
+that message.
-of this message.
+</para>
+</refsect1>
-</ol>
+<refsect1 id='todo.1'>
-<p>If content filtering is enabled for this body, the mail text is
+<title>DCC Issues</title>
-decoded (uuencode, base64, mime, html entity, url encodings), scanned
+<para>
-for HTTP and HTTPS URLs, and the first &lt;configurable&gt; host names
+If you are also using the <ulink
-are checked for their presence on the single &lt;configurable&gt; DNSBL.
+url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there
-The only known list that is suitable for this purpose is the SBL.  If
+are a few considerations.  You may need to whitelist senders from the
-any of those host names are on that DNSBL (or have nameservers that are
+DCC bulk detector, or from the DNS based lists.  Those are two very
-on that list), and it is not on the &lt;configurable&gt; ignore list,
+different reasons for whitelisting.  The former is done thru the DCC
-the mail is rejected.  We also scan for excessive bad html tags, and if
+whiteclnt config file, the latter is done thru the DNSBL milter config
-a &lt;configurable&gt; limit is exceeded, the mail is rejected.
+file.
+</para>
-<hr> <center>Sendmail access vs. DNSBL</center>
+<para>
-<p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
+You may want to blacklist some specific senders or sending domains.
-suppressed by entries in the /etc/mail/access database.  For example,
+This could be done thru either the DCC (on a global basis, or for a
-suppose you control a /18 of address space, and have allocated some /24s
+specific single recipient).  We prefer to do such blacklisting via the
-to some clients.  You have access entries like
+DNSBL milter config, since it can be done for a collection of recipient
+mail domains.  The DCC approach has the feature that you can capture the
-<pre>
+entire message in the DCC log files.  The DNSBL milter approach has the
-192.168.4   OK
+feature that the mail is rejected earlier (at RCPT TO time), and the
-192.168.17  OK
+sending machine just gets a generic "550 5.7.1 no such user" message.
-</pre>
+</para>
+<para>
-<p>to allow those clients to smarthost thru your mail server.  Now if
+The DCC whiteclnt file can be included in the DNSBL milter config by the
-one of those clients happens to get infected with a virus that turns a
+dcc_to and dcc_from statements.  This will import the (env_to, env_from,
-machine into an open proxy, and their 192.168.4.45 lands on the SBL-XBL,
+and substitute mail_host) entries from the DCC config into the DNSBL
-you will still wind up allowing that infected machine to smarthost thru
+config.  This allows using the DCC config as the single point for
-your mail servers.
+white/blacklisting.
+</para>
-<p>With this DNSBL milter, the sendmail access database cannot override
+<para>
-the dnsbl checks, so that machine won't be able to send mail to or thru
+Consider the case where you have multiple clients, each with their own
-your smarthost mail server (unless the virus/proxy can use smtp-auth).
+mail servers, and each running their own DCC milters.  Each client is
+using the DCC facilities for envelope from/to white/blacklisting.
-<p>Using the standard sendmail features, you would add access entries to
+Presumably you can use rsync or scp to fetch copies of your clients' DCC
-allow hosts on your local network to relay thru your mail server.  Those
+whiteclnt files on a regular basis.  Your mail server, acting as a
-OK entries in the sendmail access database will override all the dnsbl
+backup MX for your clients, can use the DNSBL milter, and include those
-checks.  With this DNSBL milter, you will need to have the local users
+client DCC config files.  The envelope from/to white/blacklisting will
-authenticate with smtp-auth to get the same effect.  You might find <a
+be appropriately tagged and used only for the domains controlled by each
-href="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
+of those clients.
-these directions</a> helpful for setting up smtp-auth if you are on RH
+</para>
-Linux.
+</refsect1>
-<hr> <center>Installation and configuration</center>
+<refsect1 id='todo.1'>
-<p>Usage:  Note that this has ONLY been tested on Linux, specifically
+<title>Definitions</title>
-RedHat Linux.  In particular, this milter makes no attempt to understand
+<para>
-IPv6.  Your mileage will vary.  You will need at a minimum a C++
+CONTEXT - a collection of parameters that defines the filtering context
-compiler with a minimally thread safe STL implementation.  The
+to be used for a collection of envelope recipient addresses.  The
-distribution includes a test.cpp program.  If it fails this milter won't
+context includes such things as the list of DNSBLs to be used, and the
-work.  If it passes, this milter might work.
+various content filtering parameters.
+</para>
-Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
+<para>
-and
+DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g.
+sbl-xbl.spamhaus.org) and a message string that is used to generate the
-<pre>
+"550 5.7.1" smtp error return code.  The names of these DNSBLs will be
-tar xfvz dnsbl.tar.gz
+used to define the DNSBL-LISTs.
-bash install.bash
+</para>
-</pre>
+<para>
+DNSBL-LIST - a named list of DNSBLs that will be used for specific
-Read and understand the contents of that install.bash script before you
+recipients or recipient domains.
-run it.  It may not be suitable for your system.  Modify your
+</para>
-sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
+</refsect1>
-line in your sendmail.mc and rebuild the .cf file
+<refsect1 id='todo.1'>
-<pre>
+<title>Filtering Procedure</title>
-INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
+<para>
-</pre>
+If the client has authenticated with sendmail, the mail is accepted, the
+filtering contexts are not used, the dns lists are not checked, and the
-Read the sample <a
+body content is not scanned.  Otherwise, we follow these steps for each
-href="http://www.five-ten-sg.com/dnsbl/dnsbl.conf">/etc/dnsbl/dnsbl.conf</a>
+recipient.
-file and modify it to fit your configuration.  You can test your
+</para>
-configuration files, and see a readable internal dump of them on stdout
+<orderedlist>
-with
+<listitem>
+The envelope to email address is used to find an initial filtering
-<pre>
+context.  We first look for a context that specified the full email
-cd /etc/dnsbl
+address in the env_to statement.  If that is not found, we look for a
-/usr/sbin/dnsbl -c
+context that specified the entire domain name of the envelope recipient
-</pre>
+in the env_to statement.  If that is not found, we look for a context
+that specified the user@ part of the envelope recipient in the env_to
-You can check a specific envelope from/to pair with
+statement.  If that is not found, we use the first top level context
+defined in the config file.
-<pre>
+</listitem>
-cd /etc/dnsbl
+<listitem>
-from="$1" # or your from address
+The initial filtering context may redirect to a child context based on
-to="$2"   # or your to address
+the values in the initial context's env_from statement.  We look for [1)
-/usr/sbin/dnsbl -e "$from"'|'"$to"
+the full envelope from email address, 2) the domain name part of the
-</pre>
+envelope from address, 3) the user@ part of the envelope from address]
+in that context's env_from statement, with values that point to a child
-<hr> <center>Performance issues</center>
+context.  If such an entry is found, we switch to that child filtering
+context.
-<p>Consider a high volume high performance machine running sendmail.
+</listitem>
-Each sendmail process can do its own dns resolution.  Typically, such
+<listitem>
-dns resolver libraries are not thread safe, and so must be protected by
+We look up [1) the full envelope from email address, 2) the domain name
-some sort of mutex in a threaded environment.  When we add a milter to
+part of the envelope from address, 3) the user@ part of the envelope
-sendmail, we now have a collection of sendmail processes, and a
+from address] in the filtering context env_from statement.  That results
-collection of milter threads.
+in one of (white, black, unknown, inherit).
+</listitem>
-<p>We will be doing a lot of dns lookups per mail message, and at least
+<listitem>
-some of those will take many tens of seconds.  If all this dns work is
+If the answer is black, mail to this recipient is rejected with "no such
-serialized inside the milter, we have an upper limit of about 25K mail
+user", and the dns lists are not checked.
-messages per day.  That is clearly not sufficient for many sites.
+</listitem>
+<listitem>
-<p>Since we want to do parallel dns resolution across those milter
+If the answer is white, mail to this recipient is accepted and the dns
-threads, we add another collection of dns resolver processes.  Each
+lists are not checked.
-sendmail process is talking to a milter thread over a socket, and each
+</listitem>
-milter thread is talking to a dns resolver process over another socket.
+<listitem>
+If the answer is unknown, we don't reject yet, but the dns lists will be
-<p>Suppose we are processing 20 messages per second, and each message
+checked, and the content may be scanned.
+</listitem>
-requires 20 seconds of dns work.  Then we will have 400 sendmail
+<listitem>
-processes, 400 milter threads, and 400 dns resolver processes.  Of
+If the answer is inherit, we repeat the envelope from search in the
-course that steady state is very unlikely to happen.
+parent context.
+</listitem>
-<hr> <center>Rejected Ideas</center>
+<listitem>
+The dns lists specified in the filtering context are checked and the
-<p>The following ideas have been considered and rejected.
+mail is rejected if any list has an A record for the standard dns based
+lookup scheme (reversed octets of the client followed by the dns
-<p>Add max_recipients for each mail domain to the configuration.
+suffix).
-Recipients in excess of that limit will be rejected, and all the
+</listitem>
-recipients in that domain will be removed if there are some other
+<listitem>
-whitelisted recipients.  Current spammers *very* rarely send more than
+If the mail has not been accepted or rejected yet, we look for a
-ten recipients in a single smtp transaction, so this won't stop
+verification context, which is the closest ancestor of the filtering
-any significant amount of spam.
+context that both specifies a verification host, and which covers the
+envelope to address.  If we find such a verification context, and the
-<p>Add poison addresses to the configuration.  If any recipient is
+verification host is not our own hostname, we open an smtp conversation
-poison, all recipients are rejected even if they would be whitelisted,
+with that verification host.  The current envelope from and recipient to
-and the data is rejected if sent.  I have a collection of spam trap
+values are passed to that verification host.  If we receive a 5xy
-addresses that would be suitable for such use.  Based on my log files,
+response to those commands, we reject the current recipient with "no such
-any mail to those spam trap addresses is rejected based on either dnsbl
+user".
-lookups or the DCC.  So this won't result in blocking any additional
+</listitem>
-spam.
+<listitem>
+If the mail has not been accepted or rejected yet, and the filtering
-<p>Add an option to only allow one recipient if the return path is
+context enables content filtering, and this is the first such recipient
-empty.  Based on my log files, there is no mail that violates this
+in this smtp transaction, we set the content filtering parameters from
-check.
+this context, and enable content filtering for the body of this message.
+</listitem>
-<p>Reject the mail if the envelope from domain name contains any MX
+</orderedlist>
-records pointing to 127.0.0.0/8. I don't see any significant amount of spam
+<para>
-sent with such domain names.
+If content filtering is enabled for this body, the mail text is decoded
+(uuencode, base64, mime, html entity, url encodings), scanned for HTTP
-<hr> <center>Future work</center>
+and HTTPS URLs, and the first &lt;configurable&gt; host names are
+checked for their presence on the single &lt;configurable&gt; DNSBL.
-<p>The following ideas are under consideration.
+The only known list that is suitable for this purpose is the SBL.  If
+any of those host names are on that DNSBL (or have nameservers that are
-<p>Add a per-context option to reject mail if the number of digits in
+on that list), and it is not on the &lt;configurable&gt; ignore list,
-the reverse dns client name exceeds some threshold.
+the mail is rejected.  We also scan for excessive bad html tags, and if
+a &lt;configurable&gt; limit is exceeded, the mail is rejected.
-<pre>
+</para>
-$Id$
+</refsect1>
-</pre>
-</body>
+<refsect1>
-</html>
+<title>Sendmail access vs. DNSBL</title>
+<para>
+With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
+suppressed by entries in the /etc/mail/access database.  For example,
+suppose you control a /18 of address space, and have allocated some /24s
+to some clients.  You have access entries like
+<screen>
+192.168.4   OK
+192.168.17  OK
+</screen>
+</para>
+<para>
+to allow those clients to smarthost thru your mail server.  Now if one
+of those clients happens to get infected with a virus that turns a machine
+into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you
+will still wind up allowing that infected machine to smarthost thru your
+mail servers.
+</para>
+<para>
+With this DNSBL milter, the sendmail access database cannot override the
+dnsbl checks, so that machine won't be able to send mail to or thru your
+smarthost mail server (unless the virus/proxy can use smtp-auth).
+</para>
+<para>
+Using the standard sendmail features, you would add access entries to
+allow hosts on your local network to relay thru your mail server.  Those
+OK entries in the sendmail access database will override all the dnsbl
+checks.  With this DNSBL milter, you will need to have the local users
+authenticate with smtp-auth to get the same effect.  You might find
+<ulink
+url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php">
+these directions</ulink> helpful for setting up smtp-auth if you are on
+RH Linux.
+</para>
+</refsect1>
+<refsect1>
+<title>Installation and configuration</title>
+<para>
+This is a standard GNU autoconf/automake installation, so the normal
+<screen>
+./configure
+make
+su
+make install
+</screen>
+works. "make chkconfig" will set up the init.d runlevel scripts.
+</para>
+<para>
+Note that this has ONLY been tested on Linux, specifically RedHat Linux.
+In particular, this milter makes no attempt to understand IPv6.  Your
+mileage will vary.  You will need at a minimum a C++ compiler with a
+minimally thread safe STL implementation.  The distribution includes a
+test.cpp program.  If it fails this milter won't work.  If it passes,
+this milter might work.
+</para>
+<para>
+Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add
+the following line in your sendmail.mc and rebuild the .cf file
+</para>
+<para>
+<screen>
+INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
+</screen>
+</para>
+<para>
+Modify the default <citerefentry>
+<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
+</citerefentry> configuration.
+</para>
+</refsect1>
+<refsect1 id='todo.1'>
+<title>Performance Issues</title>
+<para>
+Consider a high volume high performance machine running sendmail.  Each
+sendmail process can do its own dns resolution.  Typically, such dns
+resolver libraries are not thread safe, and so must be protected by some
+sort of mutex in a threaded environment.  When we add a milter to
+sendmail, we now have a collection of sendmail processes, and a
+collection of milter threads.
+</para>
+<para>
+We will be doing a lot of dns lookups per mail message, and at least
+some of those will take many tens of seconds.  If all this dns work is
+serialized inside the milter, we have an upper limit of about 25K mail
+messages per day.  That is clearly not sufficient for many sites.
+</para>
+<para>
+Since we want to do parallel dns resolution across those milter threads,
+we add another collection of dns resolver processes.  Each sendmail
+process is talking to a milter thread over a socket, and each milter
+thread is talking to a dns resolver process over another socket.
+</para>
+<para>
+Suppose we are processing 20 messages per second, and each message
+requires 20 seconds of dns work.  Then we will have 400 sendmail
+processes, 400 milter threads, and 400 dns resolver processes.  Of
+course that steady state is very unlikely to happen.
+</para>
+</refsect1>
+<refsect1 id='todo.1'>
+<title>Rejected Ideas</title>
+<para>
+The following ideas have been considered and rejected.
+</para>
+<para>
+Add max_recipients for each mail domain to the configuration.
+Recipients in excess of that limit will be rejected, and all the
+recipients in that domain will be removed if there are some other
+whitelisted recipients.  Current spammers *very* rarely send more than
+ten recipients in a single smtp transaction, so this won't stop any
+significant amount of spam.
+</para>
+<para>
+Add poison addresses to the configuration.  If any recipient is
+poison, all recipients are rejected even if they would be whitelisted,
+and the data is rejected if sent.  I have a collection of spam trap
+addresses that would be suitable for such use.  Based on my log files,
+any mail to those spam trap addresses is rejected based on either dnsbl
+lookups or the DCC.  So this won't result in blocking any additional
+spam.
+</para>
+<para>
+Add an option to only allow one recipient if the return path is
+empty.  Based on my log files, there is no mail that violates this
+check.
+</para>
+<para>
+Reject the mail if the envelope from domain name has any MX
+records pointing to 127.0.0.0/8.  I don't see any significant amount of
+spam sent with such domain names.
+</para>
+</refsect1>
+<refsect1 id='todo.1'>
+<title>TODO</title>
+<para>
+The following ideas are under consideration.
+</para>
+<para>
+Add a per-context option to reject mail if the number of digits in
+the reverse DNS client name exceeds some threshold.
+</para>
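+<para>
+As a rough illustration of that idea only (it is not implemented), the
+check could look something like the following Python sketch.  The
+function name, the sample host names, and the threshold value of 5 are
+all hypothetical.
+</para>
+<literallayout class="monospaced"><![CDATA[
```python
ASCII_DIGITS = "0123456789"


def exceeds_digit_threshold(client_name, threshold):
    """Return True if the reverse DNS name contains more than `threshold` digits."""
    digits = sum(1 for ch in client_name if ch in ASCII_DIGITS)
    return digits > threshold


# Hypothetical names: a dynamic-looking client name and a plain mail server name.
print(exceeds_digit_threshold("adsl-192-168-10-25.example.net", 5))  # True
print(exceeds_digit_threshold("mail.example.com", 5))                # False
```
+]]></literallayout>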
+</refsect1>
+<refsect1>
+<title>Configuration</title>
+<para>
+The configuration file is documented in <citerefentry>
+<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
+</citerefentry>.  Any change to the config file, or any file included
+from that config file, will cause it to be reloaded within three
+minutes.
+</para>
+</refsect1>
+<refsect1>
+<title>Copyright</title>
+<para>
+Copyright (C) 2005 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
+</para>
+<para>
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2, or (at your option) any
+later version.
+</para>
+<para>
+You should have received a copy of the GNU General Public License along
+with this program; see the file COPYING.  If not, please write to the
+Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+</para>
+</refsect1>
+<refsect1>
+<para>
+$Id$
+</para>
+</refsect1>
+</refentry>
+<refentry id="@PACKAGE@.conf.5">
+<refentryinfo>
+<date>2005-12-18</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>@PACKAGE@.conf</refentrytitle>
+<manvolnum>5</manvolnum>
+<refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
+</refmeta>
+<refnamediv id='name.5'>
+<refname>@PACKAGE@.conf</refname>
+<refpurpose>configuration file for @PACKAGE@</refpurpose>
+</refnamediv>
+<refsynopsisdiv id='synopsis.5'>
+<title>Synopsis</title>
+<cmdsynopsis>
+<command>@PACKAGE@.conf</command>
+</cmdsynopsis>
+</refsynopsisdiv>
+<refsect1 id='description.5'>
+<title>Description</title>
+<para>The <command>@PACKAGE@.conf</command> configuration file is
+specified by this partial BNF description.</para>
+<literallayout class="monospaced"><![CDATA[
+CONFIG     = {CONTEXT ";"}+
+CONTEXT    = "context" NAME "{" {STATEMENT}+ "}"
+STATEMENT  = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY | CONTEXT | ENV-FROM) ";"
+DNSBL      = "dnsbl" NAME DNSPREFIX ERROR-MSG
+DNSBLLIST  = "dnsbl_list" {NAME}+
+CONTENT    = "content" ("on" | "off") "{" {CONTENT-ST}+ "}"
+CONTENT-ST = (FILTER | IGNORE | TLD | HTML-TAGS | HTML-LIMIT | HOST-LIMIT) ";"
+FILTER     = "filter" DNSPREFIX ERROR-MSG
+IGNORE     = "ignore"     "{" {HOSTNAME [";"]}+ "}"
+TLD        = "tld"        "{" {TLD      [";"]}+ "}"
+HTML-TAGS  = "html_tags"  "{" {HTMLTAG  [";"]}+ "}"
+ERROR-MSG  = string containing exactly two %s replacement tokens for the client ip address
+HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off")
+HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | "soft" INTEGER)
+ENV-TO     = "env_to"     "{" {(TO-ADDR | DCC-TO)}+ "}"
+TO-ADDR    = ADDRESS [";"]
+DCC-TO     = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"
+VERIFY     = "verify" HOSTNAME
+ENV-FROM   = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}"
+FROM-ADDR  = ADDRESS VALUE [";"]
+DCC-FROM   = "dcc_from" "{" DCCINCLUDEFILE "}" ";"
+DEFAULT    = ("white" | "black" | "unknown" | "inherit" | "")
+ADDRESS    = (USER@ | DOMAIN | USER@DOMAIN)
+VALUE      = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME)]]></literallayout>
+</refsect1>
+<refsect1 id='sample.5'>
+<title>Sample</title>
+<literallayout class="monospaced"><![CDATA[
+context sample {
+dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+dnsbl   xbl     xbl.spamhaus.org            "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
+dnsbl   dul     dul.dnsbl.sorbs.net         "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+dnsbl_list  local sbl dul;
+content on {
+filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ignore    { include "hosts-ignore.conf"; };
+tld       { include "tld.conf"; };
+html_tags { include "html-tags.conf"; };
+html_limit on 20 "Mail containing excessive bad html tags rejected";
+html_limit off;
+host_limit on 20 "Mail containing excessive host names rejected";
+host_limit soft 20;
+};
+env_to {
+# child contexts are not allowed to specify recipient addresses outside these domains
+# leave this outer global context env_to empty to allow arbitrary recipients in child contexts
+mydomain.com;
+customer1.com;
+customer1a.com;
+customer1b.com;
+customer2.com;
+customer2a.com;
+customer2b.com;
+};
+context whitelist {
+content off {};
+env_to {
+# dcc_to ok { include "/var/dcc/whitecommon"; };    # copy the dcc OK values (env_to) into this context
+};
+env_from white {};      # white forces all unmatched from addresses (everyone in this case) to be whitelisted
+# so all mail TO these env_to addresses is accepted
+};
+context abuse {
+dnsbl_list xbl;
+content off {};
+env_to {
+abuse@;             # no content filtering on abuse reports
+postmaster@;        # ""
+};
+env_from unknown {};    # ignore all parent white/black listing
+};
+context minimal {
+dnsbl_list sbl dul;
+content on {};
+env_to {
+sales@mydomain.com;
+};
+};
+context blacklist {
+env_to {
+dcc_to many { include "/var/dcc/whitecommon"; };    # copy the dcc MANY values (env_to) into this context
+old-employee@mydomain.com;
+};
+env_from black {};      # black forces all unmatched from addresses (everyone in this case) to be blacklisted
+# so all mail TO these env_to addresses is rejected
+};
+context vp {    # special context for the vp
+env_to {
+vp@mydomain.com;
+};
+env_from inherit {
+nai.com                 black;      # the vp does not like nai
+yahoo.com               unknown;    # override parent context blacklisting
+mother@spammyisp.com    white;      # suppress dnsbl checking
+};
+};
+context customer1 {
+dnsbl_list sbl dul;
+env_to {
+customer1.com;
+customer1a.com;
+customer1b.com;
+};
+verify mail.customer1.com;
+context customer1a {
+env_to {
+customer1a.com;
+};
+env_from black {                        # blacklist everything
+first@acceptable.com    unknown;    # except these specific envelope senders
+second@another.com      unknown;
+yahoo.com               inherit;    # delegate to the parent
+};
+};
+env_from {  # default value of the default is inherit
+yahoo.com           black;      # no mail from yahoo
+first@yahoo.com     unknown;    # except this one
+};
+};
+context customer2 {
+dnsbl_list sbl;
+env_to {
+customer2.com;
+customer2a.com;
+customer2b.com;
+};
+};
+env_from unknown {
+dcc_from { include "/var/dcc/whitecommon"; };   # copy the dcc OK/MANY values (env_from, substitute mail_host) into this context
+abuse@              abuse;      # replies to abuse reports use the abuse context
+yahoo.com           black;      # don't take mail from yahoo
+spammer@example.com black;
+};
+};]]></literallayout>
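+<para>
+The error messages on the dnsbl statements above each carry two %s
+tokens for the client ip address.  The following Python sketch shows
+how such a template might expand; it is an illustration under that
+assumption, not the milter's own code.  The function name is
+hypothetical and 192.0.2.1 is a documentation-only address.
+</para>
+<literallayout class="monospaced"><![CDATA[
```python
def expand_error_message(template, client_ip):
    """Substitute the client ip address for every %s token in the template."""
    return template.replace("%s", client_ip)


# Template copied from the "sbl" dnsbl statement in the sample configuration.
template = "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"
print(template.count("%s"))  # 2
print(expand_error_message(template, "192.0.2.1"))
# Mail from 192.0.2.1 rejected - sbl; see http://www.spamhaus.org/query/bl?ip=192.0.2.1
```
+]]></literallayout>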
+</refsect1>
+<refsect1>
+<para>
+$Id$
+</para>
+</refsect1>
+</refentry>
+</reference>
