diff xml/sample.conf @ 75:1142e46be550
start coding on new config syntax
author | carl |
date | Wed, 13 Jul 2005 23:04:14 -0700 |
parents | 419e00901570 |
children | 81f1e400e8ab |
--- a/xml/sample.conf Sun Jul 10 14:19:00 2005 -0700
+++ b/xml/sample.conf Wed Jul 13 23:04:14 2005 -0700
@@ -1,192 +1,153 @@
 # $Id$
 #
-# lines start with a command token, following by argument tokens
-# tokens are separated by spaces or tabs
-#
-#
-# tld:
-# second token is the tld suffix - com, net, org, etc
-#
-#
-# content:
-# second token is the dns suffix used for the actual lookups
-# third token? is a string enclosed in single quotes, so it
-# is not really a token. This is the error message, with
-# up to two %s parameters for the offending host name and
-# client ip address respectively.
-#
-# If this command is not present, there is no body scanning
-# for host names or bad html tags.
-#
-#
-# ignore:
-# second token is a host name that is allowed in the body even
-# if it would otherwise be rejected by the content scanning
-# above.
-#
-#
-# host_limit:
-# second token is the integer count of the number of host names
-# or urls that are allowed in any one mail body. Zero is
-# unlimited. If the actual number of host names in the message
-# is larger than this limit, the message is rejected.
-# third token? is a string enclosed in single quotes, so it
-# is not really a token. This is the error message supplied
-# to the smtp client.
-#
-#
-# host_soft_limit:
-# second token is the integer count of the number of host names
-# or urls that are checked in any one mail body. Zero is
-# unlimited. If the actual number of host names in the message
-# is larger than this limit, only a random selection of them
-# are checked against the dnsbl.
-#
-#
-# html_limit:
-# second token is the integer count of the number of bad html tags
-# that are allowed in any one mail body. Zero is unlimited.
-# third token? is a string enclosed in single quotes, so it
-# is not really a token. This is the error message supplied
-# to the smtp client.
-#
-#
-# html_tag:
-# second token is a valid html tag, that is added to the list
-# of valid tags. Any html tag seen in the mail bodies that
-# that is not in this list is presumed to be invalid.
-#
-#
-# dnsbl:
-# second token is the name of this dnsbl
-# third token is the dns suffix used for the actual lookups
-# fourth token? is a string enclosed in single quotes, so it
-# is not really a token. This is the error message, with
-# up to two %s parameters for the client ip address.
-#
+
+# partial bnf description of this configuration language
 #
-# dnsbl_list:
-# second token is the name of this list of dnsbls
-# subsequent tokes are the names of the previously defined dnsbls
-#
-#
-# env_from:
-# second token is the name of this envelope-from-map. There will
-# generally be multiple lines with the same name.
-# third token is the envelope from value from the smtp conversation,
-# or just the domain part that follows the @ symbol.
-# fourth token is BLACK, WHITE, or the name of a previously defined
-# envelope-from-map. BLACK causes mail from this sender to be
-# rejected with "no such user". WHITE causes mail to be accepted
-# and the dns based lists are ignored. DEFAULT may be used to override
-# the contents of other maps that are copied into this map, and
-# set that sender back to the default (not white or black listed,
-# and subject to dnsbl lookups).
-#
-#
-# env_to:
-# second token is the envelope recipient value from the smtp conversation,
-# or just the domain part that follows the @ symbol.
-# third token is the name of a dnsbl-list, or WHITE or BLACK.
-# fourth token is the name of an envelope-from-map, or WHITE or BLACK.
-#
-# If either one is BLACK, mail to this recipient is rejected with
-# "no such user", and the dns lists are not checked.
-#
-# If the envelope-from-map name is WHITE, mail to this recipient is accepted
-# and the dns lists are not checked.
-#
-# If the envelope-from-map exists, the map is checked for the presence
-# of the sender. A WHITE or BLACK answer is definitive and the dns lists
-# are not checked.
-#
-# If the dnsbl-list name is WHITE, the dns lists are not checked and the
-# mail is accepted. Otherwise, the dns lists are checked and the mail
-# is rejected if any list has an A record for the standard dns based
-# lookup scheme (reversed octets of the client followed by the dns suffix).
-#
-#
-# include:
-# second token is the path name of the dnsbl milter config file to be
-# included.
-#
-#
-# include_dcc:
-# second token is the name of an envelope-from-map (EMAP below).
-# third token is the path name of the dcc whiteclnt config file to be
-# included. Entries from the dcc config are mapped as:
-# ok -> WHITE
-# many -> BLACK
-# env_from -> env_from EMAP xxx
-# env_to -> env_to
-# substitute mail_host -> env_from EMAP xxx
-#
-#
-#
-##############################################
-# content scanning parameters
-#
-content sbl-xbl.spamhaus.org 'Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s'
-host_limit 20 'Mail containing too many host names rejected'
-host_soft_limit 20
-html_limit 20 'Mail containing excessive bad html tags rejected'
-include hosts-ignore.conf
-include html-tags.conf
-include tld.conf
+# CONFIG = {CONTEXT ";"}+
+# CONTEXT = "context" NAME "{" {STATEMENT}+ "}"
+# STATEMENT = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | CONTEXT | ENV-FROM) ";"
+
+# DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG
+
+# DNSBLLIST = "dnsbl_list" {NAME}+
+
+# CONTENT = "content" ("on" | "off") "{" {CONTENT-STATEMENT}+ "}"
+# CONTENT-STATEMENT = (FILTER | IGNORE | TLD | HTML-TAGS | HTML-LIMIT | HOST-LIMIT) ";"
+# FILTER = "filter" DNSPREFIX ERROR-MSG
+# IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}"
+# TLD = "tld" "{" {TLD [";"]}+ "}"
+# HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}"
+# ERROR-MSG = string containing exactly two %s replacement tokens for the client ip address
+
+# HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off")
+
+# HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | "soft" INTEGER)
+
+# ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}"
+# TO-ADDR = ADDRESS [";"]
+# DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"
+
+# ENV_FROM = "env_from" DEFAULT "{" {(FROM-ADDR | DCC-FROM)}+ "}"
+# FROM-ADDR = ADDRESS VALUE [";"]
+# DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";"
+# DEFAULT = ("white" | "black" | "unknown" | "inherit" | "")
+# ADDRESS = (USER@ | DOMAIN | USER@DOMAIN)
+# VALUE = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME
-##############################################
-# define the dnsbls to use
-#
-dnsbl LOCAL blackholes.five-ten-sg.com 'Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s'
-dnsbl SPEWS blackholes.spews.org 'Mail from %s rejected - spews; see http://www.spews.org/ask.cgi?x=%s'
-dnsbl SBL sbl-xbl.spamhaus.org 'Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s'
+context sample {
+ dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+ dnsbl spews blackholes.spews.org "Mail from %s rejected - spews; see http://www.spews.org/ask.cgi?x=%s";
+ dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ dnsbl_list local sbl;
+ content on {
+ filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ ignore { include "hosts-ignore.conf"; };
+ tld { include "tld.conf"; };
+ html_tags { include "html-tags.conf"; };
+ html_limit off;
+ host_limit on 20 "Mail containing excessive bad html tags rejected";
+ host_limit soft 20;
+ };
+
+ env_to {
+ mydomain.com; # child contexts are not allowed to specify recipient addresses outside these domains
+ customer1.com;
+ customer1a.com;
+ customer1b.com;
+ customer2.com;
+ customer2a.com;
+ customer2b.com;
+ };
-##############################################
-# define the (default and other) lists of dnsbls to use
-#
-dnsbl_list DEFAULT LOCAL SPEWS SBL
-dnsbl_list SIMPLE SBL
-dnsbl_list CUST1 SBL
-dnsbl_list CUST2 SPEWS SBL
+ context whitelist {
+ content off {};
+ env_to {
+ # dcc_to ok { include "/var/dcc/whitecommon"; };
+ };
+ env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted
+ # so all mail TO these env_to addresses is accepted
+ };
+ context abuse {
+ dnsbl_list xbl;
+ content off {};
+ env_to {
+ abuse@; # no content filtering on abuse reports
+ postmaster@; # ""
+ };
+ env_from unknown {}; # ignore all parent white/black listing
+ };
-##############################################
-# define the (default and other) env_from maps
-#
-env_from DEFAULT spammer@example.com BLACK
-env_from DEFAULT yahoo.com BLACK
+ context minimal {
+ dnsbl_list sbl;
+ content on {};
+ env_to {
+ sales@mydomain.com;
+ };
+ };
-# special list for the vp
-env_from TEST dummy-token DEFAULT # inherit the currently defined DEFAULT env_from mapping
-env_from TEST nai.com BLACK # the vp does not like nai
-env_from TEST yahoo.com DEFAULT #
-env_from TEST mother@spammyisp.com WHITE # suppresses dnsbl checking
-
+ context blacklist {
+ env_to {
+ dcc_to many { include "/var/dcc/whitecommon"; };
+ old-employee@mydomain.com;
+ };
+ env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted
+ # so all mail TO these env_to addresses is rejected
+ };
-##############################################
-# specify dnsbl_lists and env_from maps to use for specific recipients
-#
-env_to abuse@mydomain.com WHITE WHITE # no dnsbl, no env_from map
-env_to sales@mydomain.com SIMPLE NULL # sbl only, no env_from map
-env_to vp@mydomain.com DEFAULT TEST # allow mail from mom
-env_to old-emp@mydomain.com BLACK BLACK # return no such user even from backup mx machines
+ context vp { # special context for the vp
+ env_to {
+ vp@mydomain.com;
+ };
+ env_from inherit {
+ nai.com black; # the vp does not like nai
+ yahoo.com unknown; # override parent context blacklisting
+ mother@spammyisp.com white; # suppress dnsbl checking
+ };
+ };
+
+ context customer1 {
+ dnsbl_list sbl;
+ env_to {
+ customer1.com;
+ customer1a.com;
+ customer1b.com;
+ };
-##############################################
-# specify dnsbl_lists and env_from maps to use for clients domains
-#
-env_to mydomain.com DEFAULT DEFAULT
-env_to customer1.com CUST1 DEFAULT # all customer 1 domains use just sbl
-env_to customer1a.com CUST1 DEFAULT
-env_to customer1b.com CUST1 DEFAULT
-env_to customer2.com CUST2 DEFAULT # all customer 2 domains use spews and sbl
-env_to customer2a.com CUST2 DEFAULT
+ context customer1a {
+ env_to {
+ customer1a.com;
+ }
+ env_from black { # blacklist everything
+ first@acceptable.com unknown; # except these specific envelope senders
+ second@another.com unknown;
+ yahoo.com inherit; # delegate to the parent
+ };
+ };
+
+ env_from {
+ yahoo.com black; # no mail from yahoo
+ first@yahoo.com unknown; # except this one
+ };
+ };
+ context customer2 {
+ dnsbl_list sbl spews;
+ env_to {
+ customer2.com;
+ customer2a.com;
+ customer2b.com;
+ };
+ };
-##############################################
-# you can also include nested config files
-# file names are single tokens, no embedded blanks
-#
-include dnsbl.conf # this will generate a recursive include file syslog error message
-include_dcc DEFAULT /var/dcc/whitecommon # this includes the default dcc whitelist file
+ env_from unknown {
+ dcc_from { include "/var/dcc/whitecommon"; }; # use the dcc whitecommon list ok/many values to white/black list envelope from values here
+ abuse@ abuse; # replies to abuse reports use the abuse context
+ yahoo.com black; # don't take mail from yahoo
+ spammer@example.com black;
+ };
+};
+
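Review bot: The `env_to` block inside `context customer1a` closes with a bare `}` while the grammar this same hunk introduces requires `STATEMENT ... ";"` and every other `env_to` block in the sample ends with `};`, so the sample would not parse under its own BNF; it should read `};`. The `host_limit on 20 "Mail containing excessive bad html tags rejected";` line in `context sample` reuses the html_limit wording, whereas the old file's host_limit text was `'Mail containing too many host names rejected'`; since this string is the reason sent back to the SMTP client, a copied message points operators at the wrong check. The grammar comment `# VALUE = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME` is missing its closing `)`, and `# ERROR-MSG = string containing exactly two %s replacement tokens for the client ip address` contradicts the `filter` example two screens down, whose first `%s` is the offending host name, as the removed `content:` documentation said; I would reword it to `# ERROR-MSG = string with up to two %s replacement tokens: the offending host name (filter only) and the client ip address`.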