comparison xml/dnsbl.in @ 0:96a9758165cd original
Initial revision
author | carl |
---|---|
date | Tue, 20 Apr 2004 20:02:29 -0700 |
parents | |
children | 9bcd5ef11279 |
-1:000000000000 | 0:96a9758165cd |
---|---|
1 <html> | |
2 | |
3 <head> | |
4 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> | |
5 <title>DNSBL Sendmail milter</title> | |
6 </head> | |
7 | |
8 <p>This milter is released under the GPL license version 2 included in | |
9 the LICENSE file in the distribution, and also available at | |
10 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a> | |
11 | |
12 <p>Consider the case of a mail server that is acting as secondary MX | |
13 for a collection of clients, each of which has a collection of mail | |
14 domains. Each client may use their own collection of DNSBLs on their | |
15 primary mail server. We present here a mechanism whereby the backup | |
16 mail server can use the correct set of DNSBLs for each message. As a | |
17 side-effect, it gives us the ability to customize the set of DNSBLs on a | |
18 per-recipient basis, so that fred@example.com could use SPEWS and the | |
19 SBL, where all other users @example.com use only the SBL. | |
20 | |
21 <p>The DNSBL milter reads a text configuration file on startup, and | |
22 whenever the config file (or any of the referenced include files) is | |
23 changed. The entire configuration file is case insensitive. | |
24 | |
25 <p>If you are also using the <a | |
26 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are | |
27 a few considerations. You may need to whitelist senders from the DCC | |
28 bulk detector, or from the DNS based lists. Those are two very | |
29 different reasons for whitelisting. The former is done thru the DCC | |
30 whiteclnt config file, the later is done thru the DNSBL milter config | |
31 file. | |
32 | |
33 <p>You may want to blacklist some specific senders or sending domains. | |
34 This could be done thru either the DCC (on a global basis, or for a | |
35 specific single recipient). We prefer to do such blacklisting via the | |
36 DNSBL milter config, since it can be done for an entire recipient mail | |
37 domain. The DCC approach has the feature that you can capture the | |
38 entire message in the DCC log files. The DNSBL milter approach has the | |
39 feature that the mail is rejected earlier (at RCPT TO time), and the | |
40 sending machine just gets a generic "550 5.7.1 no such user" message. | |
41 | |
42 <p>Definitions: | |
43 | |
44 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix | |
45 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to | |
46 generate the "550 5.7.1" smtp error return code. The names of these | |
47 DNSBLs will be used to define the DNSBL-LISTs. | |
48 | |
49 <p>DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
50 recipients or recipient domains. | |
51 | |
52 <p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs) | |
53 from envelope-from values to the WHITE, BLACK, or DEFAULT keywords. The | |
54 names of these maps will be used for specific recipients or recipient | |
55 domains. | |
56 | |
57 <p>The configuration file maps each recipient (or recipient domain) to | |
58 two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP). If the | |
59 recipient is not found in the configuration, the named DEFAULT | |
60 dnsbl-list and DEFAULT envelope-from-map will be used. When mail is | |
61 received for that recipient, | |
62 | |
63 <ol> | |
64 | |
65 <li>If the client has authenticated with sendmail, the mail is accepted | |
66 and the dns lists are not checked. | |
67 | |
68 <li>If either one is BLACK, mail to this recipient is rejected with "no | |
69 such user", and the dns lists are not checked. | |
70 | |
71 <li>If the envelope-from-map name is WHITE, mail to this recipient is | |
72 accepted and the dns lists are not checked. | |
73 | |
74 <li>If the envelope-from-map exists, the map is checked for the presence | |
75 of the sender. A WHITE or BLACK answer is definitive and the dns lists | |
76 are not checked. | |
77 | |
78 <li>If the dnsbl-list name is WHITE, the dns lists are not checked and | |
79 the mail is accepted. Otherwise, the dns lists are checked and the mail | |
80 is rejected if any list has an A record for the standard dns based | |
81 lookup scheme (reversed octets of the client followed by the dns | |
82 suffix). | |
83 | |
84 </ol> | |
85 | |
86 | |
87 <p>Usage: Note that this has ONLY been tested on Linux, specifically | |
88 RedHat Linux. Your mileage will vary. In particular, this milter makes no | |
89 attempt to understand IPv6. | |
90 | |
91 Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a> | |
92 and | |
93 | |
94 <pre> | |
95 tar xfvz dnsbl.tar.gz | |
96 bash install.bash | |
97 </pre> | |
98 | |
99 Read and understand the contents of that install.bash script before you | |
100 run it. It may not be suitable for your system. Modify your | |
101 sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following | |
102 line in your sendmail.mc and rebuild the .cf file | |
103 | |
104 <pre> | |
105 INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=S:30s;R:30s;E:30s') | |
106 </pre> | |
107 | |
108 Read the sample <a | |
109 href="http://www.five-ten-sg.com/dnsbl.conf">var/dnsbl/dnsbl.conf</a> | |
110 file and modify it to fit your configuration. | |
111 | |
112 | |
113 </body> | |
114 </html> |
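Review bot: the new file closes with `</body>` but never opens a `<body>` element; the first `<p>` follows `</head>` directly, so add `<body>` before that paragraph to keep the markup well-formed. Two wording nits in the same file: "the later is done thru the DNSBL milter config file" should read "the latter", and step 2 of the decision list ("If either one is BLACK") would be clearer if it named the two values it refers to, the dnsbl-list name and the envelope-from-map name, since that is the rule that rejects a recipient before any DNS lookup happens. The "Usage" paragraph also runs two instructions into one sentence; splitting "Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines" and "add the following line ... and rebuild the .cf file" into separate sentences would read better.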