dnsbl: xml/dnsbl.in comparison

comparison xml/dnsbl.in @ 111:d0dad5610980

move to autoconf/automake/docbook

author	carl
date	Sun, 18 Dec 2005 15:16:25 -0800
parents	1c7677042b78
children	f4f5fb263072

comparison

equal deleted inserted replaced

-:75c10deb3fe9
+:d0dad5610980
 <refsect1 id='options.1'>
 <title>Options</title>
 <variablelist>
 <varlistentry>
 <term>-c</term>
-<listitem>
+<listitem><para>
-<para>
+Load the configuration file, print a cannonical form
-Load the configuration file, print a cannonical form
+of the configuration on stdout, and exit.
-of the configuration on stdout, and exit.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-s</term>
-<listitem>
+<listitem><para>
-<para>
+Stress test the configuration loading code by repeating
-Stress test the configuration loading code by repeating
+the load/free cycle in an infinite loop.
-the load/free cycle in an infinite loop.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-d <replaceable class="parameter">n</replaceable></term>
-<listitem>
+<listitem><para>
-<para>
+Set the debug level to <replaceable class="parameter">n</replaceable>.
-Set the debug level to <replaceable class="parameter">n</replaceable>.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-e <replaceable class="parameter">from|to</replaceable></term>
-<listitem>
+<listitem><para>
-<para>
+Print the results of looking up the from and to addresses in the
-Print the results of looking up the from and to addresses in the
+current configuration. The | character is used to separate the from and to
-current configuration. The | character is used to separate the from and to
+addresses in the argument to the -e switch.
-addresses in the argument to the -e switch.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-r <replaceable class="parameter">local-domain-socket</replaceable></term>
-<listitem>
+<listitem><para>
-<para>
+Set the local socket used for the connection to our own dns resolver processes.
-Set the local socket used for the connection to our own dns resolver processes.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term>
-<listitem>
+<listitem><para>
-<para>
+Set the socket used for the milter connection to sendmail. This is either
-Set the socket used for the milter connection to sendmail. This is either
+"inet:port@ip-address" or "local:local-domain-socket-file-name".
-"inet:port@ip-address" or "local:local-domain-socket-file-name".
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 <varlistentry>
 <term>-t <replaceable class="parameter">timeout</replaceable></term>
-<listitem>
+<listitem><para>
-<para>
+Set the timeout in seconds used for communication with sendmail.
-Set the timeout in seconds used for communication with sendmail.
+</para></listitem>
-</para>
-</listitem>
 </varlistentry>
 </variablelist>
 </refsect1>
-<refsect1>
+<refsect1 id='usage.1'>
 <title>Usage</title>
 <para><command>@PACKAGE@</command> -c</para>
 <para><command>@PACKAGE@</command> -s</para>
-<para><command>@PACKAGE@</command> -d 2</para>
+<para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para>
-<para><command>@PACKAGE@</command> -e'someone@aol.com|localname@mydomain.tld'</para>
+<para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para>
-<para><command>@PACKAGE@</command> -d 10 -r /var/run/dnsbl/dnsbl.resolver.sock -p local:/var/run/dnsbl/dnsbl.sock</para>
+</refsect1>
+<refsect1 id='installation.1'>
+<title>Installation</title>
+<para>
+This is now a standard GNU autoconf/automake installation, so the normal
+"./configure; make; su; make install" works.  "make chkconfig" will
+setup the init.d runlevel scripts.  Alternatively, you can use the
+source or binary RPMs at <ulink
+url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>.
+</para>
+<para>
+Note that this has ONLY been tested on Linux, specifically RedHat Linux.
+In particular, this milter makes no attempt to understand IPv6.  Your
+mileage will vary.  You will need at a minimum a C++ compiler with a
+minimally thread safe STL implementation.  The distribution includes a
+test.cpp program.  If it fails this milter won't work.  If it passes,
+this milter might work.
+</para>
+<para>
+Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add
+the following line in your sendmail.mc and rebuild the .cf file
+</para>
+<para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para>
+<para>
+Modify the default <citerefentry>
+<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
+</citerefentry> configuration.
+</para>
+</refsect1>
+<refsect1 id='configuration.1'>
+<title>Configuration</title>
+<para>
+The configuration file is documented in <citerefentry>
+<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
+</citerefentry>.  Any change to the config file, or any file included
+from that config file, will cause it to be reloaded within three
+minutes.
+</para>
 </refsect1>
 <refsect1 id='introduction.1'>
 <title>Introduction</title>
 <para>
 to your /etc/mail/virtusertable since otherwise sendmail will reject
 that message.
 </para>
 </refsect1>
-<refsect1 id='todo.1'>
+<refsect1 id='dcc.1'>
 <title>DCC Issues</title>
 <para>
 If you are also using the <ulink
 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there
 are a few considerations.  You may need to whitelist senders from the
 be appropriately tagged and used only for the domains controlled by each
 of those clients.
 </para>
 </refsect1>
-<refsect1 id='todo.1'>
+<refsect1 id='definitions.1'>
 <title>Definitions</title>
 <para>
 CONTEXT - a collection of parameters that defines the filtering context
 to be used for a collection of envelope recipient addresses.  The
 context includes such things as the list of DNSBLs to be used, and the
 DNSBL-LIST - a named list of DNSBLs that will be used for specific
 recipients or recipient domains.
 </para>
 </refsect1>
-<refsect1 id='todo.1'>
+<refsect1 id='filtering.1'>
 <title>Filtering Procedure</title>
 <para>
 If the client has authenticated with sendmail, the mail is accepted, the
 filtering contexts are not used, the dns lists are not checked, and the
 body content is not scanned.  Otherwise, we follow these steps for each
 recipient.
 </para>
 <orderedlist>
-<listitem>
+<listitem><para>
 The envelope to email address is used to find an initial filtering
 context.  We first look for a context that specified the full email
 address in the env_to statement.  If that is not found, we look for a
 context that specified the entire domain name of the envelope recipient
 in the env_to statement.  If that is not found, we look for a context
 that specified the user@ part of the envelope recipient in the env_to
 statement.  If that is not found, we use the first top level context
 defined in the config file.
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 The initial filtering context may redirect to a child context based on
 the values in the initial context's env_from statement.  We look for [1)
 the full envelope from email address, 2) the domain name part of the
 envelope from address, 3) the user@ part of the envelope from address]
 in that context's env_from statement, with values that point to a child
 context.  If such an entry is found, we switch to that child filtering
 context.
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 We lookup [1) the full envelope from email address, 2) the domain name
 part of the envelope from address, 3) the user@ part of the envelope
 from address] in the filtering context env_from statement.  That results
 in one of (white, black, unknown, inherit).
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 If the answer is black, mail to this recipient is rejected with "no such
 user", and the dns lists are not checked.
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 If the answer is white, mail to this recipient is accepted and the dns
 lists are not checked.
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 If the answer is unknown, we don't reject yet, but the dns lists will be
 checked, and the content may be scanned.
-<listitem>
+</para></listitem>
+<listitem><para>
 If the answer is inherit, we repeat the envelope from search in the
 parent context.
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 The dns lists specified in the filtering context are checked and the
 mail is rejected if any list has an A record for the standard dns based
 lookup scheme (reversed octets of the client followed by the dns
 suffix).
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 If the mail has not been accepted or rejected yet, we look for a
 verification context, which is the closest ancestor of the filtering
 context that both specifies a verification host, and which covers the
 envelope to address.  If we find such a verification context, and the
 verification host is not our own hostname, we open an smtp conversation
 with that verification host.  The current envelope from and recipient to
 values are passed to that verification host.  If we receive a 5xy
 response those commands, we reject the current recipient with "no such
 user".
-</listitem>
+</para></listitem>
-<listitem>
+<listitem><para>
 If the mail has not been accepted or rejected yet, and the filtering
 context enables content filtering, and this is the first such recipient
 in this smtp transaction, we set the content filtering parameters from
 this context, and enable content filtering for the body of this message.
-</listitem>
+</para></listitem>
 </orderedlist>
 <para>
 If content filtering is enabled for this body, the mail text is decoded
 (uuencode, base64, mime, html entity, url encodings), scanned for HTTP
 and HTTPS URLs, and the first &lt;configurable&gt; host names are
 the mail is rejected.  We also scan for excessive bad html tags, and if
 a &lt;configurable&gt; limit is exceeded, the mail is rejected.
 </para>
 </refsect1>
-<refsect1>
+<refsect1 id='access.1'>
 <title>Sendmail access vs. DNSBL</title>
 <para>
 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
 suppressed by entries in the /etc/mail/access database.  For example,
 suppose you control a /18 of address space, and have allocated some /24s
 to some clients.  You have access entries like
-<screen>
+<literallayout class="monospaced"><![CDATA[
 192.168.4   OK
-192.168.17  OK
+192.168.17  OK]]></literallayout>
-</screen>
 </para>
 <para>
 to allow those clients to smarthost thru your mail server.  Now if one
 of those clients happens get infected with a virus that turns a machine
 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you
 these directions</ulink> helpful for setting up smtp-auth if you are on
 RH Linux.
 </para>
 </refsect1>
-<refsect1>
+<refsect1 id='performance.1'>
-<title>Installation and configuration</title>
-<para>
-This is a standard GNU autoconf/automake installation, so the normal
-<screen>
-./configure
-make
-su
-make install
-</screen>
-works. "make chkconfig" will setup the init.d runlevel scripts.
-</para>
-<para>
-Note that this has ONLY been tested on Linux, specifically RedHat Linux.
-In particular, this milter makes no attempt to understand IPv6.  Your
-mileage will vary.  You will need at a minimum a C++ compiler with a
-minimally thread safe STL implementation.  The distribution includes a
-test.cpp program.  If it fails this milter won't work.  If it passes,
-this milter might work.
-</para>
-<para>
-Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add
-the following line in your sendmail.mc and rebuild the .cf file
-</para>
-<para>
-<screen>
-INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
-</screen>
-</para>
-<para>
-Modify the default <citerefentry>
-<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
-</citerefentry> configuration.
-</para>
-<refsect1 id='todo.1'>
 <title>Performance Issues</title>
 <para>
 Consider a high volume high performance machine running sendmail.  Each
 sendmail process can do its own dns resolution.  Typically, such dns
 resolver libraries are not thread safe, and so must be protected by some
 course that steady state is very unlikely to happen.
 </para>
 </refsect1>
-<refsect1 id='todo.1'>
+<refsect1 id='rejected.1'>
 <title>Rejected Ideas</title>
 <para>
 The following ideas have been considered and rejected.
 </para>
 <para>
-Add max_recipients for each mail domain to the configuration.
+Add max_recipients setting to the context configuration.  Recipients in
-Recipients in excess of that limit will be rejected, and all the
+excess of that limit will be rejected, and all the non-whitelisted
-recipients in that domain will be removed if there are some other
+recipients will be removed.  Current spammers *very* rarely send more
-whitelisted recipients.  Current spammers *very* rarely send more than
+than ten recipients in a single smtp transaction, so this won't stop any
-ten recipients in a single smtp transaction, so this won't stop any
 significant amount of spam.
 </para>
 <para>
 Add poison addresses to the configuration.  If any recipient is
 poison, all recipients are rejected even if they would be whitelisted,
 Add a per-context option to reject mail if the number of digits in
 the reverse dns client name exceeds some threshold.
 </para>
 </refsect1>
-<refsect1>
+<refsect1 id='copyright.1'>
-<title>Configuration</title>
-<para>
-The configuration file is documented in <citerefentry>
-<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
-</citerefentry>.  Any change to the config file, or any file included
-from that config file, will cause it to be reloaded within three
-minutes.
-</para>
-</refsect1>
-<refsect1>
 <title>Copyright</title>
 <para>
 Copyright (C) 2005 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
 </para>
 <para>
 with this program; see the file COPYING.  If not, please write to the
 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 </para>
 </refsect1>
-<refsect1>
+<refsect1 id='version.1'>
+<title>CVS Version</title>
 <para>
 $Id$
 </para>
 </refsect1>
 </refentry>
 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
 </refmeta>
 <refnamediv id='name.5'>
 <refname>@PACKAGE@.conf</refname>
-<refpurpose>configuration file for @PACKAGE@</refpurpose>
+<refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose>
 </refnamediv>
 <refsynopsisdiv id='synopsis.5'>
 <title>Synopsis</title>
 <cmdsynopsis>
 specified by this partial bnf description.</para>
 <literallayout class="monospaced"><![CDATA[
 CONFIG     = {CONTEXT ";"}+
 CONTEXT    = "context" NAME "{" {STATEMENT}+ "}"
-STATEMENT  = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY | CONTEXT | ENV-FROM) ";"
+STATEMENT  = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY |
+CONTEXT | ENV-FROM) ";"
 DNSBL      = "dnsbl" NAME DNSPREFIX ERROR-MSG
 DNSBLLIST  = "dnsbl_list" {NAME}+
 CONTENT    = "content" ("on" | "off") "{" {CONTENT-ST}+ "}"
-CONTENT-ST = (FILTER | IGNORE | TLD | HTML-TAGS | HTML-LIMIT | HOST-LIMIT) ";"
+CONTENT-ST = (FILTER | IGNORE | TLD | HTML-TAGS | HTML-LIMIT |
+HOST-LIMIT) ";"
 FILTER     = "filter" DNSPREFIX ERROR-MSG
 IGNORE     = "ignore"     "{" {HOSTNAME [";"]}+ "}"
 TLD        = "tld"        "{" {TLD      [";"]}+ "}"
 HTML-TAGS  = "html_tags"  "{" {HTMLTAG  [";"]}+ "}"
-ERROR-MSG  = string containing exactly two %s replacement tokens for the client ip address
+ERROR-MSG  = string containing exactly two %s replacement tokens
+for the client ip address
 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off")
-HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | "soft" INTEGER)
+HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" |
+"soft" INTEGER)
 ENV-TO     = "env_to"     "{" {(TO-ADDR | DCC-TO)}+ "}"
 TO-ADDR    = ADDRESS [";"]
 DCC-TO     = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"
 spammer@example.com black;
 };
 };]]></literallayout>
 </refsect1>
-<refsect1>
+<refsect1 id='version.5'>
+<title>CVS Version</title>
 <para>
 $Id$
 </para>
 </refsect1>

Mercurial > dnsbl

comparison xml/dnsbl.in @ 111:d0dad5610980