view ChangeLog @ 140:4028de9b46dd

cleanup smtp rate limit code
author carl
date Wed, 27 Sep 2006 08:00:13 -0700
parents f4746d8a12a3
children ecb40aa3eaa5
line wrap: on
line source

    $Id$

5.22 2006-09-27
    Change syntax for default rate limit. Improve hourly reset of
    limits. Warning for rate limits in non default contexts to allow
    nesting of client configurations.

5.21 2006-09-26
    Add SMTP AUTH recipient rate limits, to help throttle infected
    client machines and accounts with weak cracked passwords.

5.20 2006-08-02
    Fully qualify all dns lookups.  Fix my_read() bug.  Try to convert
    names that might be ip addresses via inet_aton before doing dns
    lookups.

5.19 2006-08-01
    Bug fix - add trailing dot to uribl dns lookups to make them fully
    qualified.  Check host names with only two components, since
    spammers are now using bare http://domain.tld references.
    Spec file now creates an rpm that properly creates the dnsbl user.

5.18 2006-04-27
    Bug fix - newer sendmail versions don't guarantee envelope addresses
    enclosed in <> wrapper.

    Document backscatter prevention configuration for systems that are
    used to mainly spam filter and then forward to mail to the internal
    server.

    Never ask uribl blacklists about rfc1918 address space.

5.17 2006-03-25
    Never ask dns blacklists about rfc1918 address space.

5.16 2006-03-16
    Bug fix - the smtp error message for uribl filtering needs to
    reference the host name, not the ip address.

5.15 2006-03-15
    Bug fix - we failed to properly set the return code to indicate the
    reason when rejecting mail for content filtering.

5.14 2006-03-13
    Fix a typo in the default config file and documentation for using
    multi.surbl.org

5.13 2006-03-12
    patch from Jeff Evans <jeffe@tricab.com>
        add SURBL/URIBL lookups, remove trailing dots from hostnames,
        allow ip address literals as hostnames.
    add configuration for surbl/uribl list and reject message

5.12 2006-01-08
    Use larger resolver buffer to accomodate spammers with many name
    servers.  A current example is life-all.com which needs to retry in
    tcp mode to fetch the 1444 byte response.

    'make chkconfig' now creates the dnsbl user if it does not exist.

5.11 2005-12-20
    switch to autoconf/automake/docbook

5.10 2005-10-16
    Fix a compile error on Fedora Core 3.
    Discovered by Nigel Horne <njh@bandsman.co.uk>

5.9 2005-09-26
    Fix a bug with empty return paths passed to the verification code.
    That resulted in 'MAIL FROM:<<>>' being sent to the verification
    mail server.

5.8 2005-09-25
    Allow empty env_to at global context level to remove restrictions
    on env_to values in child contexts.

5.7 2005-09-23
    Failed to return a value from parse_verify() which caused failures
    to load the configuration.

5.6 2005-09-22
    Tokenizer errors now go thru the syslog code, so they are visible
    when generated during config file reloads during normal operation.

5.5 2005-09-21
    Cleanup debug logging.  Verify from/to pairs now remembers the last
    from value sent to the remote server to prevent unnecessary rset
    commands.

5.4 2005-09-18
    Add verify statement to specify the smtp host to be used to verify
    envelope from / recipient pairs.

    Authenticated clients are now exempt from all white/black listing
    in addition to the dnsbl lookups.

    dcc_to should not look at substitute mail_host. That is only used
    by dcc_from.

5.3 2005-08-07
    Properly quit if the config file has syntax errors on startup.  Send
    mail to root if the config file needs to be reloaded since it was
    modified, but contains syntax errors.  In this case, we continue to
    use the old configuration.

5.2 2005-08-02
    Patch from Stephen Johnson <stephen.johnson@arkansas.gov> fixing the
    lack of a default return value in CONTEXT::acceptable_content().

5.1 2005-07-20
    Add multiple syslog debug levels.  Detect and silently remove
    duplicate DNSBL definitions.  That allows us to accept mail to
    recipients in multiple domains that use the same blacklist and yet
    only check that blacklist once.  This may happen when your config
    file directly includes as child contexts the config files used on
    your clients mail servers.

5.0 2005-07-16
    Major changes to the syntax of the config file.  Content filtering
    is no longer a global mail server setting.

4.6 2005-04-02
    Fix enum compilation error on Fedora Core 3.
    Discovered by Nigel Horne <njh@bandsman.co.uk>

    Remove bad html tag command from the default conf file.  Spammers
    seem to have abandoned this.

    Add toolbar.msn.click-url.com in hosts-ignore.conf.  These are all
    commented, but you might want to uncomment them.

4.5 2005-01-22
    Add uuencode decoding for old style attachments.

4.4 2005-01-18
    Bug fix in forked process termination that left zombies.

4.3 2005-01-16
    Only keep 20% of the resolver sockets in the ready pool.

4.2 2005-01-08
    Use the separate resolver processes even if we don't have the
    resolver interfaces and need gethostbyname.

4.1 2005-01-06
    Use a local unix domain socket for the resolver process
    communication, rather than a tcp/ip socket.

4.0 2005-01-03
    Initialize the thread mutex objects early, before they are needed
    by possible calls to my_syslog.

    Fork off a separate resolver listener process, so we can do multiple
    dns operations in parallel. For each simultaneous inbound email,
    we have a separate sendmail process, a milter thread, and a dns
    resolver process.

3.7 2004-10-28
    Added an 'ignore' command to the conf file, used to ignore some
    hosts that might end up on the SBL and otherwise trip the content
    scanning filter.  In particular, many recent Microsoft Word
    documents contain the string www.5iantlavalamp.com which is
    associated with their smart tags stuff.  That is currently hosted at
    216.168.224.70, which is shared with a site that ended up on the
    SBL.

3.6 2004-09-08
    Contributions from Dan Harkless <software@harkless.org>
        Better documentation for disabling the content filtering.
        Don't bother looking at the body text if we are not doing
        content filtering.

3.5 2004-07-17
    Extend the error message for content filtering when the NS record
    points to an ip address on the SBL.  Include the original host name
    that referenced that NS name.


3.4 2004-07-15
    Tokens with two consecutive periods cannot be ip addresses or host
    names.

    Updated dnsbl.spec file for building rpms from John Gunkel.


3.3 2004-07-09
    Drop root priviledges properly, including the group id.


3.2 2004-07-09

    Contributions from John Gunkel <jgunkel@palliser.ca>:
        Add .spec file for building rpms, contributed by John Gunkel

        Changes to file layout to conform to RedHat/LSB standards.

        Add some html (actually xml) tags used by Apple mac print
        subsystem that were tripping the html tag detector.

        Help with changes required to allow dnsbl to drop root
        priviledges. Move the socket to /var/run/dnsbl/dnsbl.sock

    Change parser to handle &#xnnn; obfuscated urls with charaters
    specified in hex.

    Make bad_html tags more sensitive to binary tags, to reduce false
    positives in .zip or .tar.gz file attachments.

    Add sendmail queueid to the dnsbl syslog messages.

    Fix one place where host names were not forced to lower case.
    Discovered by Nigel Horne <njh@bandsman.co.uk>

    Remove duplicate dns queries within the same smtp transaction from
    the body content filtering.  This helps if the mail server does not
    have a nearby caching dns server.

    Add host_soft_limit config keyword.  Use only one of host_limit or
    host_soft_limit, since the last one wins.  The host_limit is a hard
    upper limit on the number of host names in a message.  The
    host_soft_limit allows unlimited host names, but only checks a
    random sample of them against the dnsbl.

    The main thread has dropped root priviledges, but other threads
    are still running as root. This needs to be fixed.