comparison xml/dnsbl.in @ 12:6ac6d6b822ce stable-2-0
fix memory leak with duplicate url host names,
document differences from sendmail.mc feature
author | carl |
---|---|
date | Fri, 23 Apr 2004 22:45:10 -0700 |
parents | 2c206836b4cc |
children | 2752e512fd32 |
11:2c206836b4cc | 12:6ac6d6b822ce |
---|---|
3 <head> | 3 <head> |
4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> | 4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> |
5 <title>DNSBL Sendmail milter</title> | 5 <title>DNSBL Sendmail milter</title> |
6 </head> | 6 </head> |
7 | 7 |
8 <center>Introduction</center> | |
8 <p>This milter is released under the GPL license version 2 included in | 9 <p>This milter is released under the GPL license version 2 included in |
9 the LICENSE file in the distribution, and also available at | 10 the LICENSE file in the distribution, and also available at |
10 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a> | 11 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a> |
11 | 12 |
12 <p>Consider the case of a mail server that is acting as secondary MX | 13 <p>Consider the case of a mail server that is acting as secondary MX for |
13 for a collection of clients, each of which has a collection of mail | 14 a collection of clients, each of which has a collection of mail domains. |
14 domains. Each client may use their own collection of DNSBLs on their | 15 Each client may use their own collection of DNSBLs on their primary mail |
15 primary mail server. We present here a mechanism whereby the backup | 16 server. We present here a mechanism whereby the backup mail server can |
16 mail server can use the correct set of DNSBLs for each message. As a | 17 use the correct set of DNSBLs for each recipient for each message. As a |
17 side-effect, it gives us the ability to customize the set of DNSBLs on a | 18 side-effect, it gives us the ability to customize the set of DNSBLs on a |
18 per-recipient basis, so that fred@example.com could use SPEWS and the | 19 per-recipient basis, so that fred@example.com could use SPEWS and the |
19 SBL, where all other users @example.com use only the SBL. | 20 SBL, where all other users @example.com use only the SBL. |
20 | 21 |
21 <p>This milter will also decode (base64, mime, html entity) and scan | 22 <p>This milter will also decode (base64, mime, html entity) and scan |
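Review bot: The new `<center>Introduction</center>` at new line 8 sits directly above the GPL notice (new lines 9-11), so the license paragraph becomes the opening of the Introduction; consider moving the heading down to just before "Consider the case of a mail server" at new line 13. In the reflowed paragraph, "for each recipient for each message" (new line 17) reads as a doubled phrase; "for each recipient of each message" says the same thing more clearly.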
25 | 26 |
26 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on | 27 <p>The DNSBL milter reads a text configuration file (dnsbl.conf) on |
27 startup, and whenever the config file (or any of the referenced include | 28 startup, and whenever the config file (or any of the referenced include |
28 files) is changed. The entire configuration file is case insensitive. | 29 files) is changed. The entire configuration file is case insensitive. |
29 | 30 |
31 <hr> | |
32 <center>DCC Issues</center> | |
30 <p>If you are also using the <a | 33 <p>If you are also using the <a |
31 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are | 34 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are |
32 a few considerations. You may need to whitelist senders from the DCC | 35 a few considerations. You may need to whitelist senders from the DCC |
33 bulk detector, or from the DNS based lists. Those are two very | 36 bulk detector, or from the DNS based lists. Those are two very |
34 different reasons for whitelisting. The former is done thru the DCC | 37 different reasons for whitelisting. The former is done thru the DCC |
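Review bot: Style point on new lines 31-32: the section titles introduced in this change are marked up as `<hr>` followed by `<center>...</center>`, which gives them no heading semantics and nothing to link to. A heading element with an id would let other sections of the document refer to "DCC Issues" directly; the same applies to the other `<center>` titles added in this changeset.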
59 client DCC config files. The envelope to white/blacklisting will be | 62 client DCC config files. The envelope to white/blacklisting will be |
60 global for your system, but the envelope from white/blacklisting will be | 63 global for your system, but the envelope from white/blacklisting will be |
61 appropriately tagged and used only for the domains controlled by each of | 64 appropriately tagged and used only for the domains controlled by each of |
62 those clients. | 65 those clients. |
63 | 66 |
64 <p>Definitions: | 67 <hr> |
65 | 68 <center>Definitions</center> |
66 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix | 69 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix |
67 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to | 70 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to |
68 generate the "550 5.7.1" smtp error return code. The names of these | 71 generate the "550 5.7.1" smtp error return code. The names of these |
69 DNSBLs will be used to define the DNSBL-LISTs. | 72 DNSBLs will be used to define the DNSBL-LISTs. |
70 | 73 |
108 and the first 20 host names are checked for their presence on the SBL. | 111 and the first 20 host names are checked for their presence on the SBL. |
109 If any host name is on the SBL, the mail is rejected. | 112 If any host name is on the SBL, the mail is rejected. |
110 | 113 |
111 </ol> | 114 </ol> |
112 | 115 |
116 <hr> | |
117 <center>Sendmail access vs. DNSBL</center> | |
118 <p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
119 suppressed by entries in the /etc/mail/access database. For example, | |
120 suppose you control a /18 of address space, and have allocated some /24s | |
121 to some clients. You have access entries like | |
113 | 122 |
123 <pre> | |
124 192.168.4 OK | |
125 192.168.17 OK | |
126 </pre> | |
127 | |
128 <p>to allow those clients to smarthost thru your mail server. Now if | |
129 one of those clients happens get infected with a virus that turns into | |
130 an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you will | |
131 still wind up allowing that infected machine to smarthost thru your mail | |
132 servers. | |
133 | |
134 <p>With this DNSBL milter, the sendmail access database cannot override | |
135 the dnsbl checks, so that machine won't be able to send mail to or thru | |
136 your smarthost machine. | |
137 | |
138 <hr> | |
139 <center>Installation and configuration</center> | |
114 <p>Usage: Note that this has ONLY been tested on Linux, specifically | 140 <p>Usage: Note that this has ONLY been tested on Linux, specifically |
115 RedHat Linux. Your mileage will vary. In particular, this milter makes no | 141 RedHat Linux. Your mileage will vary. In particular, this milter makes no |
116 attempt to understand IPv6. | 142 attempt to understand IPv6. |
117 | 143 |
118 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> | 144 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> |
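Review bot: The new "Sendmail access vs. DNSBL" section (new lines 134-136) states that the access database cannot override the dnsbl checks, but it does not say what an administrator should do for a client that genuinely has to be exempted. Existing `OK` entries such as those on new lines 124-125 stop suppressing the checks when a site moves from the sendmail.mc FEATURE to this milter, so add a sentence that calls this out as a behaviour change and points to the whitelisting described elsewhere in this document. Also, new line 129 is missing a word: "happens get infected" should read "happens to get infected".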