view xml/dnsbl.in @ 0:96a9758165cd original

Initial revision
author carl
date Tue, 20 Apr 2004 20:02:29 -0700
parents
children 9bcd5ef11279

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>DNSBL Sendmail milter</title>
</head>

<body>
<p>This milter is released under the GPL license version 2, included in
the LICENSE file in the distribution and also available at
<a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>.

<p>Consider the case of a mail server that is acting as secondary MX
for a collection of clients, each of which has a collection of mail
domains.  Each client may use their own collection of DNSBLs on their
primary mail server.  We present here a mechanism whereby the backup
mail server can use the correct set of DNSBLs for each message.  As a
side-effect, it gives us the ability to customize the set of DNSBLs on a
per-recipient basis, so that fred@example.com could use SPEWS and the
SBL, where all other users @example.com use only the SBL.

<p>The DNSBL milter reads a text configuration file on startup, and
whenever the config file (or any of the referenced include files) is
changed. The entire configuration file is case insensitive.

<p>If you are also using the <a
href="http://www.rhyolite.com/anti-spam/dcc/">DCC</a> milter, there are
a few considerations.  You may need to whitelist senders from the DCC
bulk detector, or from the DNS based lists.  Those are two very
different reasons for whitelisting.  The former is done through the DCC
whiteclnt config file, the latter through the DNSBL milter config
file.

<p>You may want to blacklist some specific senders or sending domains.
This can be done through either the DCC (on a global basis, or for a
single specific recipient) or the DNSBL milter.  We prefer to do such
blacklisting via the DNSBL milter config, since it can be done for an
entire recipient mail domain.  The DCC approach has the feature that you
can capture the entire message in the DCC log files.  The DNSBL milter
approach has the feature that the mail is rejected earlier (at RCPT TO
time), and the sending machine just gets a generic "550 5.7.1 no such
user" message.

<p>Definitions:

<p>DNSBL - a named DNS based blocking list is defined by a dns suffix
(e.g. sbl-xbl.spamhaus.org) and a message string that is used to
generate the "550 5.7.1" smtp error return code.  The names of these
DNSBLs will be used to define the DNSBL-LISTs.

<p>DNSBL-LIST - a named list of DNSBLs that will be used for specific
recipients or recipient domains.

<p>ENVELOPE-FROM-MAP - a named collection of mappings (key->value pairs)
from envelope-from values to the WHITE, BLACK, or DEFAULT keywords.  The
names of these maps will be used for specific recipients or recipient
domains.

<p>The configuration file maps each recipient (or recipient domain) to
two names (a named DNSBL-LIST, and a named ENVELOPE-FROM-MAP).  If the
recipient is not found in the configuration, the named DEFAULT
dnsbl-list and DEFAULT envelope-from-map will be used.  When mail is
received for that recipient,

<ol>

<li>If the client has authenticated with sendmail, the mail is accepted
and the dns lists are not checked.

<li>If either the dnsbl-list name or the envelope-from-map name is
BLACK, mail to this recipient is rejected with "no such user", and the
dns lists are not checked.

<li>If the envelope-from-map name is WHITE, mail to this recipient is
accepted and the dns lists are not checked.

<li>If the envelope-from-map exists, the map is checked for the presence
of the sender.  A WHITE or BLACK answer is definitive and the dns lists
are not checked.

<li>If the dnsbl-list name is WHITE, the dns lists are not checked and
the mail is accepted.  Otherwise, the dns lists are checked and the mail
is rejected if any list has an A record for the standard dns based
lookup scheme (reversed octets of the client followed by the dns
suffix).

</ol>
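<p>The following is an added worked example, not code from the milter
itself: a small Python model of the five-step decision above, including
the reversed-octet DNSBL query name and the recipient / domain / DEFAULT
lookup.  The configuration, DNS suffixes and A-record answers are
constructed for illustration, and <code>resolve</code> is a stand-in for
a real DNS lookup.

```python
import ipaddress

# Constructed sample configuration (illustrative names and suffixes, not the
# milter's file syntax); keys are lower-cased because the real config file is
# case insensitive.  Recipient entries map to (dnsbl-list, envelope-from-map).
CONFIG = {
    "dnsbls": {"sbl": ("sbl.example.net", "listed in SBL"),
               "spews": ("spews.example.net", "listed in SPEWS")},
    "dnsbl_lists": {"default": ["sbl"], "strict": ["sbl", "spews"]},
    "from_maps": {"default": {"news@partner.example": "WHITE"}},
    "recipients": {"fred@example.com": ("strict", "default"),
                   "example.com": ("default", "default"),
                   "old@example.com": ("BLACK", "default")},
}
# Constructed DNS answers standing in for real DNSBL queries.
FAKE_A_RECORDS = {"4.3.2.1.spews.example.net": "127.0.0.2"}

def dnsbl_query_name(client_ip, suffix):
    """Standard lookup name: reversed octets of the client, then the list suffix."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IPv6 clients are not understood by this milter")
    return ".".join(reversed(str(ip).split("."))) + "." + suffix

def lookup_recipient(config, rcpt):
    """Exact recipient first, then its domain, else the DEFAULT pair."""
    rcpt, table = rcpt.lower(), config["recipients"]
    return table.get(rcpt) or table.get(rcpt.split("@", 1)[-1]) or ("default", "default")

def decide(config, resolve, rcpt, sender, client_ip, authenticated=False):
    """Apply the five steps in order; returns ('accept', why) or ('reject', smtp text)."""
    if authenticated:                                    # step 1
        return ("accept", "authenticated client")
    list_name, map_name = (n.lower() for n in lookup_recipient(config, rcpt))
    if "black" in (list_name, map_name):                 # step 2
        return ("reject", "550 5.7.1 no such user")
    if map_name == "white":                              # step 3
        return ("accept", "envelope-from-map is WHITE")
    verdict = config["from_maps"].get(map_name, {}).get(sender.lower(), "DEFAULT")
    if verdict == "WHITE":                               # step 4
        return ("accept", "sender whitelisted")
    if verdict == "BLACK":
        return ("reject", "550 5.7.1 no such user")
    if list_name == "white":                             # step 5
        return ("accept", "dnsbl-list is WHITE")
    for name in config["dnsbl_lists"].get(list_name, []):
        suffix, message = config["dnsbls"][name]
        if resolve(dnsbl_query_name(client_ip, suffix)):  # any A record = listed
            return ("reject", "550 5.7.1 " + message)
    return ("accept", "not listed")
```

<p>With this configuration a client at 1.2.3.4 is rejected for
fred@example.com (SPEWS is in his list) but accepted for any other
@example.com recipient, which checks only the SBL.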


<p>Usage:  Note that this has ONLY been tested on Linux, specifically
RedHat Linux.  Your mileage will vary. In particular, this milter makes no
attempt to understand IPv6.

Fetch <a href="http://www.five-ten-sg.com/util/dnsbl.tar.gz">dnsbl.tar.gz</a>
and

<pre>
tar xfvz dnsbl.tar.gz
bash install.bash
</pre>

Read and understand the contents of that install.bash script before you
run it.  It may not be suitable for your system.  Modify your
sendmail.mc by removing all the "FEATURE(dnsbl" lines, add the following
line to your sendmail.mc, and rebuild the .cf file:

<pre>
INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=S:30s;R:30s;E:30s')
</pre>

Read the sample <a
href="http://www.five-ten-sg.com/dnsbl.conf">var/dnsbl/dnsbl.conf</a>
file and modify it to fit your configuration.


</body>
</html>