diff xml/dnsbl.in @ 395:a8cf6a3da907 stable-6-0-52
document dkim/spf processing
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Tue, 07 Mar 2017 09:39:25 -0800 |
| parents | 17f21fcd44a8 |
| children | d08da4b058e8 |
--- a/xml/dnsbl.in Mon Mar 06 18:44:14 2017 -0800 +++ b/xml/dnsbl.in Tue Mar 07 09:39:25 2017 -0800 @@ -25,7 +25,7 @@ <refentry id="@PACKAGE@.1"> <refentryinfo> - <date>2016-12-17</date> + <date>2017-03-07</date> <author> <firstname>Carl</firstname> <surname>Byington</surname> @@ -390,7 +390,10 @@ </para></listitem> <listitem><para> If the answer is white, mail to this recipient is accepted and the dns - lists are not checked. + lists are not checked. However, if the envelope from domain name is + listed in the current filtering context (or parents) dkim_from with + "required_signed", + we downgrade this to white answer to unknown. </para></listitem> <listitem><para> If the answer is unknown, we don't reject yet, but the dns lists will be 
@@ -457,6 +460,32 @@ messages from being blocked by the dnsbl or content filtering. </para> <para> + If content filtering is enabled for this body, we look for dkim_signer + and dkim_from sections in the current context and parents. We collect the + signers of this message from the header added by the dkim-milter. If any + of the message signers are whitelisted, the message is accepted. + </para> + <para> + If the header from domain maps to required_signed then: + If any of the message signers are in that list, the message is accepted. + If the source ip address passes a strong spf check for the header from + domain, the message is accepted. Otherwise, the message is rejected. + </para> + <para> + If the header from domain maps to signed_white then: + If any of the message signers are in that list, the message is accepted. + If the source ip address passes a strong spf check for the header from + domain, the message is accepted. Otherwise, processing continues. + </para> + <para> + If the header from domain maps to signed_black then: + If any of the message signers are in that list, the message is rejected. + Otherwise, processing continues. + </para> + <para> + If any of the message signers is blacklisted, the message is rejected. + </para> + <para> If content filtering is enabled for this body, the mail text is decoded (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP and HTTPS URLs or bare host names. Hostnames must be either ip address @@ -630,11 +659,6 @@ http:// protocol header. Such references are still clickable in common mail software. </para> - <para> - Add spf to the white/black/unknown values in env_from blocks. This - results in whitelisting that envelope from value as long as the connection - is made from an ip address listed in the domain spf txt record. - </para> </refsect1> <refsect1 id='copyright.1'> 
@@ -666,7 +690,7 @@ <refentry id="@PACKAGE@.conf.5"> <refentryinfo> - <date>2016-12-17</date> + <date>2017-03-07</date> <author> <firstname>Carl</firstname> <surname>Byington</surname> @@ -837,13 +861,30 @@ content on { dkim_signer { + # + # anything signed by this is accepted. + accounts.google.com white; + }; + dkim_from { + # + # white/blacklisting based on presence of valid signatures credit.paypal.com require_signed credit.paypal.com; paypal.com require_signed paypal.com; dhl.com require_signed dhl.com; adp.com require_signed "adp.com,bmi.adp.com"; - }; - dkim_from { - accounts.google.com white; + # + # blacklisting based on header from value - requiring signatures + # from an impossible signer. + spammer.domain require_signed " "; + # + # whitelisting based on strong spf pass - whitelisted if signed by + # an impossible signer (which will never happen) or strong spf pass. + some.domain signed_white " "; + # + # whitelisting based on valid signature or strong spf pass. + # some paychex mail is signed, some is unsigned but passes strong spf. + paychex.com require_signed paychex.com; + # }; filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
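Review bot: the sentence added in the dnsbl.in "@@ -390,7 +390,10 @@" hunk reads "we downgrade this to white answer to unknown", which should be "we downgrade this white answer to unknown", and it names the keyword "required_signed" while the dnsbl.conf hunk in this same change spells the directive "require_signed"; the same misspelling repeats in the "@@ -457,6 +460,32 @@" hunk ("maps to required_signed"). Use the directive's real spelling in the prose so a reader can grep the config for it.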
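Review bot: in the "@@ -457,6 +460,32 @@" hunk, the three "If the header from domain maps to ... then:" paragraphs chain several "If ... the message is accepted." sentences after a colon without saying whether the checks run in that order or what happens when the whitelisted-signer check of the first paragraph has already accepted the message; a nested list (one item per keyword, sub-items per check, last sub-item the fall-through) would make the decision order unambiguous. "strong spf check" is used four times in this hunk and is not defined anywhere in it, so either say what "strong" excludes relative to an ordinary SPF pass or point to where that is defined. The new first paragraph and the existing paragraph that follows it both open with "If content filtering is enabled for this body,"; merge the two openings or drop the repetition.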
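Review bot: the paragraph removed in the "@@ -630,11 +659,6 @@" hunk was the only mention of SPF keyed on the envelope from in an env_from block, while the behaviour documented in the "@@ -457,6 +460,32 @@" hunk evaluates SPF against the header From domain via signed_white and require_signed. If envelope-from SPF whitelisting is no longer planned, the removal is fine but the documentation should state that SPF is only evaluated against the header From domain; if it is still planned, the item should stay in the list.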
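Review bot: in the dnsbl.conf "@@ -837,13 +861,30 @@" hunk, the entries "spammer.domain require_signed " ";" and "some.domain signed_white " ";" depend on a single-space signer name never matching any real signer, which holds only as long as the parser neither trims nor rejects that value; the man page hunk should document that behaviour (or a dedicated value should exist for "no signer can satisfy this") rather than leaving it as a comment-level trick. The paychex.com comment says "whitelisting based on valid signature or strong spf pass", but require_signed as documented in the "@@ -457,6 +460,32 @@" hunk rejects the message when neither check passes, so mention the reject path in the comment or use signed_white if rejection is not intended. Moving "accounts.google.com white;" from dkim_from into dkim_signer reads as a correction of the earlier example, but the man page hunk never states which values (white and black versus require_signed, signed_white and signed_black) are valid in which block; add that to the "@@ -457" text.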