diff xml/dnsbl.in @ 395:a8cf6a3da907 stable-6-0-52

document dkim/spf processing
author Carl Byington <carl@five-ten-sg.com>
date Tue, 07 Mar 2017 09:39:25 -0800
parents 17f21fcd44a8
children d08da4b058e8
--- a/xml/dnsbl.in	Mon Mar 06 18:44:14 2017 -0800
+++ b/xml/dnsbl.in	Tue Mar 07 09:39:25 2017 -0800
@@ -25,7 +25,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2016-12-17</date>
+            <date>2017-03-07</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -390,7 +390,10 @@
                 </para></listitem>
                 <listitem><para>
                     If the answer is white, mail to this recipient is accepted and the dns
-                    lists are not checked.
+                    lists are not checked. However, if the envelope from domain name is
+                    listed in the current filtering context (or parents) dkim_from with
+                    "required_signed",
+                    we downgrade this to white answer to unknown.
                 </para></listitem>
                 <listitem><para>
                     If the answer is unknown, we don't reject yet, but the dns lists will be
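Review bot: The keyword is spelled `required_signed` in the sentence added here and again in the third hunk's paragraph on the header-from domain mapping, while every entry of the configuration example in the last hunk uses `require_signed`; one of the two spellings is wrong, and a reader who copies the prose form into dnsbl.conf gets a section that either fails to parse or silently does nothing. The example is the more likely to reflect the parser's real keyword, but that cannot be confirmed from this diff, so whichever is correct should be used in both places. The added sentence also reads oddly; I would write it as `we downgrade this white answer to unknown.`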
@@ -457,6 +460,32 @@
                 messages from being blocked by the dnsbl or content filtering.
             </para>
             <para>
+                If content filtering is enabled for this body, we look for dkim_signer
+                and dkim_from sections in the current context and parents. We collect the
+                signers of this message from the header added by the dkim-milter. If any
+                of the message signers are whitelisted, the message is accepted.
+            </para>
+            <para>
+                If the header from domain maps to required_signed then:
+                If any of the message signers are in that list, the message is accepted.
+                If the source ip address passes a strong spf check for the header from
+                domain, the message is accepted. Otherwise, the message is rejected.
+            </para>
+            <para>
+                If the header from domain maps to signed_white then:
+                If any of the message signers are in that list, the message is accepted.
+                If the source ip address passes a strong spf check for the header from
+                domain, the message is accepted. Otherwise, processing continues.
+            </para>
+            <para>
+                If the header from domain maps to signed_black then:
+                If any of the message signers are in that list, the message is rejected.
+                Otherwise, processing continues.
+            </para>
+            <para>
+                If any of the message signers is blacklisted, the message is rejected.
+            </para>
+            <para>
                 If content filtering is enabled for this body, the mail text is decoded
                 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP
                 and HTTPS URLs or bare host names.  Hostnames must be either ip address
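Review bot: The first added paragraph accepts the message when any signer taken from "the header added by the dkim-milter" is whitelisted, but does not say what keeps a header of the same name that arrived on the inbound message from being read as a local verification result; the whitelist decision is only as trustworthy as that separation. If the milter is relied upon to strip pre-existing copies, the manpage should say so, e.g. `The dkim-milter must be configured to remove any pre-existing copies of that header from inbound mail, since only its own result is trusted here.` The phrase "strong spf check" is used three times in this section without saying which results qualify (a pass only, or also neutral/softfail); unless it is defined elsewhere in the page, a short parenthetical at its first use would settle that. The enclosing refsect1 starts and ends outside this hunk.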
@@ -630,11 +659,6 @@
                 http:// protocol header. Such references are still clickable in common
                 mail software.
             </para>
-            <para>
-                Add spf to the white/black/unknown values in env_from blocks. This
-                results in whitelisting that envelope from value as long as the connection
-                is made from an ip address listed in the domain spf txt record.
-            </para>
         </refsect1>
 
         <refsect1 id='copyright.1'>
@@ -666,7 +690,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2016-12-17</date>
+            <date>2017-03-07</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -837,13 +861,30 @@
 
     content on {
         dkim_signer {
+            #
+            # anything signed by this is accepted.
+            accounts.google.com     white;
+        };
+        dkim_from {
+            #
+            # white/blacklisting based on presence of valid signatures
             credit.paypal.com   require_signed  credit.paypal.com;
             paypal.com          require_signed  paypal.com;
             dhl.com             require_signed  dhl.com;
             adp.com             require_signed  "adp.com,bmi.adp.com";
-        };
-        dkim_from {
-            accounts.google.com     white;
+            #
+            # blacklisting based on header from value - requiring signatures
+            # from an impossible signer.
+            spammer.domain      require_signed  " ";
+            #
+            # whitelisting based on strong spf pass - whitelisted if signed by
+            # an impossible signer (which will never happen) or strong spf pass.
+            some.domain         signed_white    " ";
+            #
+            # whitelisting based on valid signature or strong spf pass.
+            # some paychex mail is signed, some is unsigned but passes strong spf.
+            paychex.com         require_signed  paychex.com;
+            #
         };
         filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
         uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
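Review bot: The comment above `paychex.com         require_signed  paychex.com;` describes only the two accept paths, yet per the new manpage text `require_signed` rejects mail that is neither signed by the listed signer nor passes a strong spf check, which is the opposite failure behaviour from `signed_white` and the reason a reader would choose one over the other. I would extend that comment with `# mail claiming to be from paychex.com that is neither signed nor passes strong spf is rejected.` so the rejecting case is visible next to the rule. The lone `#` line just before the closing `};` looks like a leftover from editing and can go.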