comparison xml/dnsbl.in @ 59:510a511ad554
Add resolver processes to allow better performance on busy machines
| field | value |
|---|---|
| author | carl |
| date | Mon, 03 Jan 2005 18:35:50 -0800 |
| parents | 419e00901570 |
| children | 390ed250c5d2 |
58:7bb8bbf79285 | 59:510a511ad554 |
---|---|
1 <html> | 1 <html> |
2 | 2 |
3 <head> | 3 <head> |
4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> | 4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> |
5 <title>DNSBL Sendmail milter - Version 3.7</title> | 5 <title>DNSBL Sendmail milter - Version 4.0</title> |
6 </head> | 6 </head> |
7 | 7 |
8 <center>Introduction</center> | 8 <center>Introduction</center> |
9 <p>This milter is released under the GPL license version 2 included in | 9 <p>This milter is released under the GPL license version 2 included in |
10 the LICENSE file in the distribution, and also available at | 10 the LICENSE file in the distribution, and also available at |
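Review bot: the only change in this hunk is the title bump from 3.7 to 4.0 on line 5, and nothing else in the document says what the major bump covers; since the page tells readers to fetch dnsbl.tar.gz, a sentence in the new "Performance issues" section stating that the resolver processes are new in 4.0 (and that older configurations still load) would make the version jump meaningful to someone upgrading.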
29 | 29 |
30 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on | 30 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on |
31 startup, and whenever the config file (or any of the referenced include | 31 startup, and whenever the config file (or any of the referenced include |
32 files) is changed. The entire configuration file is case insensitive. | 32 files) is changed. The entire configuration file is case insensitive. |
33 | 33 |
34 <hr> | 34 <hr> <center>DCC Issues</center> |
35 <center>DCC Issues</center> | |
36 <p>If you are also using the <a | 35 <p>If you are also using the <a |
37 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are | 36 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are |
38 a few considerations. You may need to whitelist senders from the DCC | 37 a few considerations. You may need to whitelist senders from the DCC |
39 bulk detector, or from the DNS based lists. Those are two very | 38 bulk detector, or from the DNS based lists. Those are two very |
40 different reasons for whitelisting. The former is done thru the DCC | 39 different reasons for whitelisting. The former is done thru the DCC |
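Review bot: lines 34-35 collapse `<hr>` and `<center>DCC Issues</center>` onto a single line, a whitespace-only change that is repeated for every section heading in this file (Definitions, Sendmail access vs. DNSBL, Installation and configuration) and makes the diff much noisier than the documentation change itself. Keep cosmetic reflows in a separate changeset, or leave the headings one per line as the rest of the file had them, so the functional edit (the new Performance section) is reviewable on its own.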
67 client DCC config files. The envelope to white/blacklisting will be | 66 client DCC config files. The envelope to white/blacklisting will be |
68 global for your system, but the envelope from white/blacklisting will be | 67 global for your system, but the envelope from white/blacklisting will be |
69 appropriately tagged and used only for the domains controlled by each of | 68 appropriately tagged and used only for the domains controlled by each of |
70 those clients. | 69 those clients. |
71 | 70 |
72 <hr> | 71 <hr> <center>Definitions</center> |
73 <center>Definitions</center> | |
74 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix | 72 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix |
75 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to | 73 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to |
76 generate the "550 5.7.1" smtp error return code. The names of these | 74 generate the "550 5.7.1" smtp error return code. The names of these |
77 DNSBLs will be used to define the DNSBL-LISTs. | 75 DNSBLs will be used to define the DNSBL-LISTs. |
78 | 76 |
119 content scanning, we also scan for excessive bad html tags, and if a | 117 content scanning, we also scan for excessive bad html tags, and if a |
120 <configurable> limit is exceeded, the mail is rejected. | 118 <configurable> limit is exceeded, the mail is rejected. |
121 | 119 |
122 </ol> | 120 </ol> |
123 | 121 |
124 <hr> | 122 <hr> <center>Sendmail access vs. DNSBL</center> |
125 <center>Sendmail access vs. DNSBL</center> | |
126 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | 123 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be |
127 suppressed by entries in the /etc/mail/access database. For example, | 124 suppressed by entries in the /etc/mail/access database. For example, |
128 suppose you control a /18 of address space, and have allocated some /24s | 125 suppose you control a /18 of address space, and have allocated some /24s |
129 to some clients. You have access entries like | 126 to some clients. You have access entries like |
130 | 127 |
150 authenticate with smtp-auth to get the same effect. You might find <a | 147 authenticate with smtp-auth to get the same effect. You might find <a |
151 href="http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssh-how-to.htm"> | 148 href="http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sendmail-ssh-how-to.htm"> |
152 these directions</a> helpful for setting up smtp-auth if you are on RH | 149 these directions</a> helpful for setting up smtp-auth if you are on RH |
153 Linux. | 150 Linux. |
154 | 151 |
155 <hr> <center>Installation and configuration</center> <p>Usage: Note | 152 <hr> <center>Installation and configuration</center> |
156 that this has ONLY been tested on Linux, specifically RedHat Linux. In | 153 <p>Usage: Note that this has ONLY been tested on Linux, specifically |
157 particular, this milter makes no attempt to understand IPv6. Your | 154 RedHat Linux. In particular, this milter makes no attempt to understand |
158 mileage will vary. You will need at a minimum a C++ compiler with a | 155 IPv6. Your mileage will vary. You will need at a minimum a C++ |
159 minimally thread safe STL implementation. The distribution includes a | 156 compiler with a minimally thread safe STL implementation. The |
160 test.cpp program. If it fails this milter won't work. If it passes, | 157 distribution includes a test.cpp program. If it fails this milter won't |
161 this milter might work. | 158 work. If it passes, this milter might work. |
162 | 159 |
163 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> | 160 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> |
164 and | 161 and |
165 | 162 |
166 <pre> | 163 <pre> |
186 <pre> | 183 <pre> |
187 cd /etc/dnsbl | 184 cd /etc/dnsbl |
188 /usr/sbin/dnsbl -c | 185 /usr/sbin/dnsbl -c |
189 </pre> | 186 </pre> |
190 | 187 |
191 <pre> | 188 <hr> <center>Performance issues</center> |
192 | 189 |
193 | 190 <p>Consider a high volume high performance machine running sendmail. |
194 | 191 Each sendmail process can do its own dns resolution. Typically, such |
192 dns resolver libraries are not thread safe, and so must be protected by | |
193 some sort of mutex in a threaded environment. When we add a milter to | |
194 sendmail, we now have a collection of sendmail processes, and a | |
195 collection of milter threads. | |
196 | |
197 <p>We will be doing a lot of dns lookups per mail message, and at least | |
198 some of those will take many tens of seconds. If all this dns work is | |
199 serialized inside the milter, we have an upper limit of about 25K mail | |
200 messages per day. That is clearly not sufficient for many sites. | |
201 | |
202 <p>Since we want to do parallel dns resolution across those milter | |
203 threads, we add another collection of dns resolver processes. Each | |
204 sendmail process is talking to a milter thread over a socket, and each | |
205 milter thread is talking to a dns resolver process over another socket. | |
206 | |
207 <p>Suppose we are processing 20 messages per second, and each message | |
208 requires 20 seconds of dns work. Then we will have 400 sendmail | |
209 processes, 400 milter threads, and 400 dns resolver processes. Of | |
210 course that steady state is very unlikely to happen. | |
211 | |
212 <pre> | |
195 $Id$ | 213 $Id$ |
196 </pre> | 214 </pre> |
197 </body> | 215 </body> |
198 </html> | 216 </html> |
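Review bot: the new "Performance issues" section (lines 188-210) explains why resolver processes exist but not how many are spawned, how that number is bounded, or what the milter does when the bound is reached; the worked figure of 400 sendmail processes, 400 milter threads and 400 resolver processes on lines 207-209 reads as unbounded growth under load. Document the cap on resolver processes and the behaviour when it is exhausted (temporary failure to sendmail, or queueing inside the milter), because a slow or unreachable DNSBL, mentioned on line 198 as lookups that "take many tens of seconds", otherwise stalls the whole mail path. Two smaller points in the same hunk: the "about 25K mail messages per day" limit on line 199 implies roughly 3.5 seconds of serialized DNS work per message, while the example on line 207 assumes 20 seconds per message, so state the assumption behind the 25K figure to keep the two consistent; and line 192 says resolver libraries are "typically" not thread safe, so name the resolver interface this milter actually calls (and the per-lookup timeout it sets, if any) rather than leaving it as a generality.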