diff xml/dnsbl.in @ 12:6ac6d6b822ce stable-2-0

fix memory leak with duplicate url host names, document differences from sendmail.mc feature
author carl
date Fri, 23 Apr 2004 22:45:10 -0700
parents 2c206836b4cc
children 2752e512fd32
--- a/xml/dnsbl.in	Thu Apr 22 20:19:01 2004 -0700
+++ b/xml/dnsbl.in	Fri Apr 23 22:45:10 2004 -0700
@@ -5,15 +5,16 @@
 <title>DNSBL Sendmail milter</title>
 </head>
 
+<center>Introduction</center>
 <p>This milter is released under the GPL license version 2 included in
 the LICENSE file in the distribution, and also available at
 <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
 
-<p>Consider the case of a mail server that is acting as secondary MX
-for a collection of clients, each of which has a collection of mail
-domains.  Each client may use their own collection of DNSBLs on their
-primary mail server.  We present here a mechanism whereby the backup
-mail server can use the correct set of DNSBLs for each message.  As a
+<p>Consider the case of a mail server that is acting as secondary MX for
+a collection of clients, each of which has a collection of mail domains.
+Each client may use their own collection of DNSBLs on their primary mail
+server.  We present here a mechanism whereby the backup mail server can
+use the correct set of DNSBLs for each recipient for each message.  As a
 side-effect, it gives us the ability to customize the set of DNSBLs on a
 per-recipient basis, so that fred@example.com could use SPEWS and the
 SBL, where all other users @example.com use only the SBL.
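Review bot: In the rewrapped "Consider the case of a mail server" paragraph, the only wording change ("for each message" becoming "for each recipient for each message") is buried in a five-line reflow, which makes it easy to miss in review. Changing just that one line, or doing the reflow in a separate commit, would keep the semantic edit visible. The new phrase would also read more clearly as "for each recipient of each message". Separately, the commit message pairs a memory leak fix with this documentation update; the lines shown for this file are documentation only, so splitting the two would make the fix easier to track on its own.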
@@ -27,6 +28,8 @@
 startup, and whenever the config file (or any of the referenced include
 files) is changed.  The entire configuration file is case insensitive.
 
+<hr>
+<center>DCC Issues</center>
 <p>If you are also using the <a
 href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
 a few considerations.  You may need to whitelist senders from the DCC
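Review bot: The section title added as `<center>DCC Issues</center>` (the same pattern is used for the other titles in this patch) is presentational markup only, so the page gains visual breaks but no heading structure and nothing to link to. A real heading element with an id, for example `<h2 id="dcc">DCC Issues</h2>` with centring applied through a style, would keep the appearance and let other documentation point operators straight at this section.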
@@ -61,8 +64,8 @@
 appropriately tagged and used only for the domains controlled by each of
 those clients.
 
-<p>Definitions:
-
+<hr>
+<center>Definitions</center>
 <p>DNSBL - a named DNS based blocking list is defined by a dns suffix
 (e.g. sbl-xbl.spamhaus.org) and a message string that is used to
 generate the "550 5.7.1" smtp error return code.  The names of these
@@ -110,7 +113,30 @@
 
 </ol>
 
+<hr>
+<center>Sendmail access vs. DNSBL</center>
+<p>With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be
+suppressed by entries in the /etc/mail/access database.  For example,
+suppose you control a /18 of address space, and have allocated some /24s
+to some clients.  You have access entries like
 
+<pre>
+192.168.4   OK
+192.168.17  OK
+</pre>
+
+<p>to allow those clients to smarthost thru your mail server.  Now if
+one of those clients happens get infected with a virus that turns into
+an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you will
+still wind up allowing that infected machine to smarthost thru your mail
+servers.
+
+<p>With this DNSBL milter, the sendmail access database cannot override
+the dnsbl checks, so that machine won't be able to send mail to or thru
+your smarthost machine.
+
+<hr>
+<center>Installation and configuration</center>
 <p>Usage:  Note that this has ONLY been tested on Linux, specifically
 RedHat Linux.  Your mileage will vary. In particular, this milter makes no
 attempt to understand IPv6.
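Review bot: The new paragraph beginning "With this DNSBL milter, the sendmail access database cannot override the dnsbl checks" documents the behaviour change but not what an operator should do about it. Sites migrating from the sendmail.mc FEATURE will have `OK` entries like the two in the `<pre>` block that silently stop exempting those ranges from DNSBL checks, so the text should either point to the milter configuration that provides an intended exemption or state explicitly that none exists. It would also help to say that the access entries still govern relaying, so readers do not conclude the entries can be dropped. Two small wording fixes in the same section: "happens get infected" is missing "to", and "turns into an open proxy" should be "turns it into an open proxy".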