comparison xml/dnsbl.in @ 395:a8cf6a3da907 stable-6-0-52

document dkim/spf processing
author Carl Byington <carl@five-ten-sg.com>
date Tue, 07 Mar 2017 09:39:25 -0800
parents 17f21fcd44a8
children d08da4b058e8
394:619a4880a3bf 395:a8cf6a3da907
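--- a/xml/dnsbl.in
+++ b/xml/dnsbl.in
@@ -23,11 +23,11 @@
 </para>
 </partintro>
 
 <refentry id="@PACKAGE@.1">
 <refentryinfo>
-<date>2016-12-17</date>
+<date>2017-03-07</date>
 <author>
 <firstname>Carl</firstname>
 <surname>Byington</surname>
 <affiliation><orgname>510 Software Group</orgname></affiliation>
 </author>
@@ -388,11 +388,14 @@
 If the answer is black, mail to this recipient is rejected with "no such
 user", and the dns lists are not checked.
 </para></listitem>
 <listitem><para>
 If the answer is white, mail to this recipient is accepted and the dns
-lists are not checked.
+lists are not checked. However, if the envelope from domain name is
+listed in the current filtering context (or parents) dkim_from with
+"required_signed",
+we downgrade this to white answer to unknown.
 </para></listitem>
 <listitem><para>
 If the answer is unknown, we don't reject yet, but the dns lists will be
 checked, and the content may be scanned.
 </para></listitem>
@@ -455,10 +458,36 @@
 starting in the reply filtering context. If an autowhite entry is found,
 we add the recipient to that auto whitelist file. This will prevent reply
 messages from being blocked by the dnsbl or content filtering.
 </para>
 <para>
+If content filtering is enabled for this body, we look for dkim_signer
+and dkim_from sections in the current context and parents. We collect the
+signers of this message from the header added by the dkim-milter. If any
+of the message signers are whitelisted, the message is accepted.
+</para>
+<para>
+If the header from domain maps to required_signed then:
+If any of the message signers are in that list, the message is accepted.
+If the source ip address passes a strong spf check for the header from
+domain, the message is accepted. Otherwise, the message is rejected.
+</para>
+<para>
+If the header from domain maps to signed_white then:
+If any of the message signers are in that list, the message is accepted.
+If the source ip address passes a strong spf check for the header from
+domain, the message is accepted. Otherwise, processing continues.
+</para>
+<para>
+If the header from domain maps to signed_black then:
+If any of the message signers are in that list, the message is rejected.
+Otherwise, processing continues.
+</para>
+<para>
+If any of the message signers is blacklisted, the message is rejected.
+</para>
+<para>
 If content filtering is enabled for this body, the mail text is decoded
 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP
 and HTTPS URLs or bare host names. Hostnames must be either ip address
 literals, or must end in a string defined by the TLD list. The first
 &lt;configurable&gt; host names are checked as follows.
@@ -628,15 +657,10 @@
 <para>
 Look for href="hostname/path" strings that are missing the required
 http:// protocol header. Such references are still clickable in common
 mail software.
 </para>
-<para>
-Add spf to the white/black/unknown values in env_from blocks. This
-results in whitelisting that envelope from value as long as the connection
-is made from an ip address listed in the domain spf txt record.
-</para>
 </refsect1>
 
 <refsect1 id='copyright.1'>
 <title>Copyright</title>
 <para>
@@ -664,11 +688,11 @@
 </refentry>
 
 
 <refentry id="@PACKAGE@.conf.5">
 <refentryinfo>
-<date>2016-12-17</date>
+<date>2017-03-07</date>
 <author>
 <firstname>Carl</firstname>
 <surname>Byington</surname>
 <affiliation><orgname>510 Software Group</orgname></affiliation>
 </author>
@@ -835,17 +859,34 @@
 dnswl_list dnswl.org;
 require_rdns yes;
 
 content on {
 dkim_signer {
+#
+# anything signed by this is accepted.
+accounts.google.com white;
+};
+dkim_from {
+#
+# white/blacklisting based on presence of valid signatures
 credit.paypal.com require_signed credit.paypal.com;
 paypal.com require_signed paypal.com;
 dhl.com require_signed dhl.com;
 adp.com require_signed "adp.com,bmi.adp.com";
-};
-dkim_from {
-accounts.google.com white;
+#
+# blacklisting based on header from value - requiring signatures
+# from an impossible signer.
+spammer.domain require_signed " ";
+#
+# whitelisting based on strong spf pass - whitelisted if signed by
+# an impossible signer (which will never happen) or strong spf pass.
+some.domain signed_white " ";
+#
+# whitelisting based on valid signature or strong spf pass.
+# some paychex mail is signed, some is unsigned but passes strong spf.
+paychex.com require_signed paychex.com;
+#
 };
 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
 #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
 #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";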
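Review bot: The new prose spells the keyword `required_signed` (new lines 395 and 469) while every entry in the sample configuration, including the unchanged ones, uses `require_signed`; presumably only one spelling is accepted by the parser, and a reader who copies the prose form into dnsbl.conf gets either a parse error or an ignored rule, so the prose should use the spelling the parser implements. The comment above `spammer.domain require_signed " ";` describes it as "blacklisting based on header from value", but the required_signed paragraph states that a strong spf pass for the header from domain still accepts the message, so a sender who publishes a permissive SPF record for that domain is not blocked by this entry; the comment should carry that caveat, e.g. `# note: a strong spf pass for the header from domain still accepts the message, so this only blocks senders who cannot pass spf for it`. New line 396, "we downgrade this to white answer to unknown", reads as a typo for "we downgrade this white answer to unknown".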