diff xml/dnsbl.in @ 0:96a9758165cd original

Initial revision
author carl
date Tue, 20 Apr 2004 20:02:29 -0700
parents
children 9bcd5ef11279
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xml/dnsbl.in	Tue Apr 20 20:02:29 2004 -0700
@@ -0,0 +1,114 @@
+<html>
+
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+<title>DNSBL Sendmail milter</title>
+</head>
+
+<p>This milter is released under the GPL license version 2 included in
+the LICENSE file in the distribution, and also available at
+<a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
+
+<p>Consider the case of a mail server that is acting as secondary MX
+for a collection of clients, each of which has a collection of mail
+domains.  Each client may use their own collection of DNSBLs on their
+primary mail server.  We present here a mechanism whereby the backup
+mail server can use the correct set of DNSBLs for each message.  As a
+side-effect, it gives us the ability to customize the set of DNSBLs on a
+per-recipient basis, so that fred@example.com could use SPEWS and the
+SBL, where all other users @example.com use only the SBL.
+
+<p>The DNSBL milter reads a text configuration file on startup, and
+whenever the config file (or any of the referenced include files) is
+changed. The entire configuration file is case insensitive.
+
+<p>If you are also using the <a
+href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
+a few considerations.  You may need to whitelist senders from the DCC
+bulk detector, or from the DNS based lists.  Those are two very
+different reasons for whitelisting.  The former is done thru the DCC
+whiteclnt config file, the later is done thru the DNSBL milter config
+file.
+
+<p>You may want to blacklist some specific senders or sending domains.
+This could be done thru either the DCC (on a global basis, or for a
+specific single recipient).  We prefer to do such blacklisting via the
+DNSBL milter config, since it can be done for an entire recipient mail
+domain.  The DCC approach has the feature that you can capture the
+entire message in the DCC log files.  The DNSBL milter approach has the
+feature that the mail is rejected earlier (at RCPT TO time), and the
+sending machine just gets a generic "550 5.7.1 no such user" message.
+
+<p>Definitions:
+
+<p>DNSBL - a named DNS based blocking list is defined by a dns suffix
+(e.g. sbl-xbl.spamhaus.org) and a message string that is used to
+generate the "550 5.7.1" smtp error return code.  The names of these
+DNSBLs will be used to define the DNSBL-LISTs.
+
+<p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
+recipients or recipient domains.
+
+<p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs)
+from envelope-from values to the WHITE, BLACK, or DEFAULT keywords.  The
+names of these maps will be used for specific recipients or recipient
+domains.
+
+<p>The configuration file maps each recipient (or recipient domain) to
+two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP).  If the
+recipient is not found in the configuration, the named DEFAULT
+dnsbl-list and DEFAULT envelope-from-map will be used.  When mail is
+received for that recipient,
+
+<ol>
+
+<li>If the client has authenticated with sendmail, the mail is accepted
+and the dns lists are not checked.
+
+<li>If either one is BLACK, mail to this recipient is rejected with "no
+such user", and the dns lists are not checked.
+
+<li>If the envelope-from-map name is WHITE, mail to this recipient is
+accepted and the dns lists are not checked.
+
+<li>If the envelope-from-map exists, the map is checked for the presence
+of the sender.  A WHITE or BLACK answer is definitive and the dns lists
+are not checked.
+
+<li>If the dnsbl-list name is WHITE, the dns lists are not checked and
+the mail is accepted.  Otherwise, the dns lists are checked and the mail
+is rejected if any list has an A record for the standard dns based
+lookup scheme (reversed octets of the client followed by the dns
+suffix).
+
+</ol>
+
+
+<p>Usage:  Note that this has ONLY been tested on Linux, specifically
+RedHat Linux.  Your mileage will vary. In particular, this milter makes no
+attempt to understand IPv6.
+
+Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
+and
+
+<pre>
+tar xfvz dnsbl.tar.gz
+bash install.bash
+</pre>
+
+Read and understand the contents of that install.bash script before you
+run it.  It may not be suitable for your system.  Modify your
+sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
+line in your sendmail.mc and rebuild the .cf file
+
+<pre>
+INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=S:30s;R:30s;E:30s')
+</pre>
+
+Read the sample <a
+href="http://www.five-ten-sg.com/dnsbl.conf">var/dnsbl/dnsbl.conf</a>
+file and modify it to fit your configuration.
+
+
+</body>
+</html>
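Review bot: the file closes with `</body>` but never opens it; the first `<p>` follows `</head>` directly, so add a `<body>` line after `</head>` so the document is well-formed (the `<meta>` charset of windows-1252 is also an odd choice for a document that is plain ASCII; iso-8859-1 or utf-8 would be the conventional declaration). Two wording problems in the same hunk: in the DCC paragraph, "the later is done thru the DNSBL milter config file" should read "the latter", and item 2 of the ordered list, "If either one is BLACK", has no clear antecedent because the two names were introduced a paragraph earlier; "If either the dnsbl-list name or the envelope-from-map name is BLACK" would be unambiguous. On the lookup rule in item 5, mail is rejected "if any list has an A record" for the reversed-octet query, but nothing is said about the value of that record; since the standard scheme signals a listing with an answer in 127.0.0.0/8, the text (and the code it describes) should state whether an A record outside that range is treated as a listing, because accepting any answer at all means a name that resolves for reasons unrelated to a listing is counted as a hit. Finally, the usage section says the milter "makes no attempt to understand IPv6" but not what happens to an IPv6 connecting client; stating whether such a client is accepted without DNSBL checks or rejected would tell an administrator whether those clients bypass the lists entirely.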