Mercurial > dnsbl
comparison xml/dnsbl.in @ 284:896b9393d3f0 stable-6-0-39
Fix segfault caused by freeing unallocated memory
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Tue, 31 Dec 2013 10:44:15 -0800 |
parents | 368572c57013 |
children | 1f40b1b0ad31 |
283:7438f79afeb0 | 284:896b9393d3f0 |
---|---|
198 the connection does not use SMTP AUTH, the rate limits | 198 the connection does not use SMTP AUTH, the rate limits |
199 may be specified by the mail from email address or | 199 may be specified by the mail from email address or |
200 domain. | 200 domain. |
201 </para> | 201 </para> |
202 <para> | 202 <para> |
203 This milter can also impose hourly and daily limits on the number of | |
204 different ip addresses used for SMTP AUTH connections. If a single | |
205 user is connecting from too many different ip addresses, we presume that | |
206 their authentication credentials have been discovered, and block their | |
207 outgoing mail. | |
208 </para> | |
209 <para> | |
203 Consider the case of a message from A to B passing thru this milter. If | 210 Consider the case of a message from A to B passing thru this milter. If |
204 that message is not blocked, then we might eventually see a reply | 211 that message is not blocked, then we might eventually see a reply |
205 message from B to A. If the filtering context for A includes an | 212 message from B to A. If the filtering context for A includes an |
206 autowhite entry, and that context does <emphasis>not</emphasis> cover B | 213 autowhite entry, and that context does <emphasis>not</emphasis> cover B |
207 as a recipient, then this milter will add an entry in that file to | 214 as a recipient, then this milter will add an entry in that file to |
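
Review bot: The new paragraph at 203-208 says outgoing mail is blocked once a user connects from too many different ip addresses, but it names neither the setting that controls the limit nor when the block lifts. Point the reader at the rate_limit statement shown later in this file, and state how long the block lasts. It is also worth one sentence noting that users whose address changes often (mobile networks, for example) can reach a low limit without any credential compromise, so the default should be tuned per site.
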
332 such a reply message would be blocked, we also block the original | 339 such a reply message would be blocked, we also block the original |
333 outgoing message. This prevents folks from sending mail to recipients | 340 outgoing message. This prevents folks from sending mail to recipients |
334 that are unable to reply. | 341 that are unable to reply. |
335 </para> | 342 </para> |
336 <para> | 343 <para> |
337 If the client has authenticated with sendmail, the rate limits are | 344 If the client has authenticated with sendmail, the recipient rate limits |
345 and connection ip address limits are | |
338 checked. If the authenticated user has not exceeded the hourly or daily rate | 346 checked. If the authenticated user has not exceeded the hourly or daily rate |
339 limits, then the mail is accepted, the filtering contexts are not used, | 347 limits, then the mail is accepted, the filtering contexts are not used, |
340 the dns lists are not checked, and the body content is not scanned. If | 348 the dns lists are not checked, and the body content is not scanned. These |
349 rate limits can also be applied to unauthenticated connections, in which case | |
350 the envelope from value is used as the authentication id for lookup purposes. | |
351 If | |
341 the client has not authenticated with sendmail, we follow these steps | 352 the client has not authenticated with sendmail, we follow these steps |
342 for each recipient. | 353 for each recipient. |
343 </para> | 354 </para> |
344 <orderedlist> | 355 <orderedlist> |
345 <listitem><para> | 356 <listitem><para> |
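
Review bot: In the rewritten paragraph at 344-351 the first sentence now names two checks (recipient rate limits and connection ip address limits), but the acceptance condition on 346-347 still says only "hourly or daily rate limits", so it is unclear whether exceeding the ip address limit alone causes rejection. Name both limits in that condition. The sentence inserted at 348-350 also sits between the authenticated case and "If the client has not authenticated", which leaves open whether unauthenticated mail that is under its limit still goes through the per-recipient steps; say so explicitly, and note that the envelope from value used as the lookup key is supplied by the client and is not verified. The lone "If" on 351 should be joined to 352.
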
455 </para> | 466 </para> |
456 <para> | 467 <para> |
457 If the content uribl DNSBL is defined, and any of those host names are | 468 If the content uribl DNSBL is defined, and any of those host names are |
458 on that DNSBL, and the host name is not on the <configurable> | 469 on that DNSBL, and the host name is not on the <configurable> |
459 ignore list, the mail is rejected. There are three lists that are suitable | 470 ignore list, the mail is rejected. There are three lists that are suitable |
460 here, uribl, surbl, and dbl. | 471 here, URIBL, SURBL, and DBL. |
461 </para> | 472 </para> |
462 <para> | 473 <para> |
463 If any non-whitelisted recipient has a filtering context with a non-zero | 474 If any non-whitelisted recipient has a filtering context with a non-zero |
464 spamassassin limit, then the message is passed thru spamassassin (via | 475 spamassassin limit, then the message is passed thru spamassassin (via |
465 spamc), and the message is rejected for those recipients with spamassassin | 476 spamc), and the message is rejected for those recipients with spamassassin |
595 <para> | 606 <para> |
596 Add config switch to require the HELO argument to resolve to an ip address. | 607 Add config switch to require the HELO argument to resolve to an ip address. |
597 </para> | 608 </para> |
598 <para> | 609 <para> |
599 Add white/unknown to config for smtp authenticated connections. Currently | 610 Add white/unknown to config for smtp authenticated connections. Currently |
600 any authenticated connection is fully whitelisted. This would allow normal | 611 any authenticated connection is fully whitelisted. The only spam control |
612 on those connections is rate limiting. This feature would allow content based | |
601 spam controls to be applied even to authenticated connections. Add | 613 spam controls to be applied even to authenticated connections. Add |
602 context/authenticated_dnsbl_list and context/content/authenticated. | 614 context/authenticated_dnsbl_list and context/content/authenticated. |
603 </para> | 615 </para> |
604 <para> | 616 <para> |
605 Add an optional list of domains to be enforced on the env_from value for | 617 Add an optional list of domains to be enforced on the env_from value for |
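
Review bot: Lines 611-612 now call an authenticated connection "fully whitelisted" and in the next sentence say rate limiting is a spam control on it, which reads as a contradiction. Suggest wording such as "bypasses all filtering; the only spam control is rate limiting". If the unique ip address limit documented at 203-208 of this same revision also applies here, name it alongside rate limiting so "only" stays accurate.
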
611 Look for href="hostname/path" strings that are missing the required | 623 Look for href="hostname/path" strings that are missing the required |
612 http:// protocol header. Such references are still clickable in common | 624 http:// protocol header. Such references are still clickable in common |
613 mail software. | 625 mail software. |
614 </para> | 626 </para> |
615 <para> | 627 <para> |
616 Add trusted_spf list of domains for which we trust their spf data. Mail | 628 Add spf to the white/black/unknown values in env_from blocks. This |
617 from their listed ip addresses from their domain will be whitelisted. | 629 results in whitelisting that envelope from value as long as the connection |
630 is made from an ip address listed in the domain spf txt record. | |
618 </para> | 631 </para> |
619 </refsect1> | 632 </refsect1> |
620 | 633 |
621 <refsect1 id='copyright.1'> | 634 <refsect1 id='copyright.1'> |
622 <title>Copyright</title> | 635 <title>Copyright</title> |
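
Review bot: The replacement text at 628-630 drops the trust qualifier that the old wording carried ("domains for which we trust their spf data"), and whitelisting on an spf match is only as strict as the record the domain publishes. Keep a sentence saying the spf value should be set only for env_from entries whose domains are trusted to publish a narrow record. The entry should also say what happens when the connecting ip address is not listed or the txt lookup fails (for example, whether the sender is then treated as unknown).
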
785 "<>" black; | 798 "<>" black; |
786 }; | 799 }; |
787 | 800 |
788 // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address | 801 // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address |
789 // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address | 802 // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address |
790 // default hourly rate limit is 30 | 803 // default hourly recipient rate limit is 30 |
791 // daily rate limits are 4 times the hourly limit | 804 // daily recipient rate limits are 4 times the hourly limit |
792 // default hourly unique ip addresses is 5 | 805 // default hourly unique ip addresses is 5 |
793 // daily unique ip addresses are 4 times the hourly limit | 806 // daily unique ip addresses are 4 times the hourly limit |
794 rate_limit 30 4 5 4 { // default | 807 rate_limit 30 4 5 4 { // default |
795 fred 100 10; // override default limits | 808 fred 100 10; // override default limits |
796 joe 10 2; // "" | 809 joe 10 2; // "" |
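
Review bot: The example overrides at 808-809 give two values ("fred 100 10") while the default line at 807 takes four, and the comment "override default limits" does not say which two of the four fields they set. Label the fields in the comment, for instance hourly recipient limit and hourly unique ip address limit if that is what they are, and say whether the daily multipliers from the default line still apply to overridden users.
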