view dnsbl.conf @ 412:e63c6b4835ef stable-6-0-56

refactor spf code; allow wildcard *.example.com in dkim signing restrictions
author Carl Byington <carl@five-ten-sg.com>
date Wed, 19 Apr 2017 09:26:14 -0700
parents f4ca91f49cb6
children 1b7a785610f5
line wrap: on
line source

context main-default {
    // outbound dnsbl filtering to catch our own customers that end up on the sbl
    dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl_list  sbl;

    // outbound content filtering to prevent our own customers from sending spam
    content on {
        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl    multi.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl    dbl.spamhaus.org            "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore    { include "hosts-ignore.conf"; };
        tld       { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit on 20 "Mail containing excessive bad html tags rejected";
        html_limit off;
        host_limit on 20 "Mail containing excessive host names rejected";
        host_limit soft 20;
        spamassassin        4;
        require_match       yes;
        dcc_greylist        yes;
        dcc_bulk_threshold  50;
    };

    // backscatter prevention - do not send bounces for mail that we accepted but could not forward
    // we only send bounces to our own customers
    env_from unknown {
        "<>"    black;
    };

    // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address
    // hourly unique ip addresses  by smtp auth client id, or unauthenticated mail from address
    // default hourly rate limit is 30
    // daily rate limits are 4 times the hourly limit
    // default hourly unique ip addresses is 5
    // daily unique ip addresses are 4 times the hourly limit
    rate_limit 30 4 5 4 { // default
        fred 100 10;   // override default limits
        joe  10  2;    // ""
        "sam@somedomain.tld"  500 2;
        "@otherdomain.tld"    100 2;
    };
};

context main {
    dnsbl   localp  partial.blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl   sbl     zen.spamhaus.org            "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl   xbl     xbl.spamhaus.org            "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnswl   dnswl.org  list.dnswl.org   2;
    dnsbl_list  local sbl;
    dnswl_list  dnswl.org;
    require_rdns    yes;

    content on {
        dkim_signer {
            // we could add consumer facing domains like yahoo.com, aol.com, etc
            // here, IF you really want to accept all the mail from such folks.
            five-ten-sg.com         white;
            some.spammer            black;      // reject if signed by them
        };

        dkim_from {
            // cannot really add consumer facing domains like yahoo.com, aol.com, etc
            // here, since such messages from humans might be sent via mailing lists
            // that will break the dkim signature. But this works well for commonly
            // forged bulk senders like ebay and paypal.
            some.spammer                require_signed  some.spammer    // reject if not signed

            123greetings.info               require_signed  123greetings.info;
            aadvantage.email.aa.com         require_signed  aadvantage.email.aa.com;
            admarketing.yahoo.com           require_signed  admarketing.yahoo.com;
            adp.com                         require_signed  adp.com;
            alertsp.chase.com               require_signed  alertsp.chase.com;
            allaboutjazz.com                require_signed  allaboutjazz.com;
            alpineescrow.net                require_signed  alpineescrowarrowhead.onmicrosoft.com;
            amazon.com                      require_signed  amazon.com;
            applemusic.com                  require_signed  applemusic.com;
            billpay.bankofamerica.com       require_signed  billpay.bankofamerica.com;
            booking.com                     require_signed  sg.booking.com;
            cafepress.com                   require_signed  cafepressinc.onmicrosoft.com;
            checkin.email.aa.com            require_signed  checkin.email.aa.com;
            connect.wellsfargoemail.com     require_signed  connect.wellsfargoemail.com;
            craigslist.org                  require_signed  craigslist.org;
            dailykos.com                    require_signed  sg.actionnetwork.org;
            daytimer.com                    require_signed  daytimer.com;
            deals.priceline.com             require_signed  deals.priceline.com;
            dhl.com                         require_signed  dhl.com;
            dropbox.com                     require_signed  dropbox.com;
            dvd.com                         require_signed  dvd.com
            e.bevmo.com                     require_signed  e.bevmo.com;
            e.bloomingdales.com             require_signed  e.bloomingdales.com;
            e.business.officedepot.com      require_signed  e.business.officedepot.com;
            e.shutterfly.com                require_signed  e.shutterfly.com;
            e.statefarm.com                 require_signed  e.statefarm.com;
            e1.llbean.com                   require_signed  e1.llbean.com;
            ealerts.bankofamerica.com       require_signed  ealerts.bankofamerica.com;
            easy.staples.com                require_signed  easy.staples.com;
            ebay.com                        require_signed  ebay.com;
            ecommail.walgreens.com          require_signed  ecommail.walgreens.com;
            email.aa.com                    require_signed  email.aa.com;
            email.aegeanair.com             require_signed  email.aegeanair.com;
            email.chase.com                 require_signed  email.chase.com;
            email.consumerreports.org       require_signed  email.consumerreports.org;
            email.dowjones.com              require_signed  email.dowjones.com;
            email.homedepot.com             require_signed  email.homedepot.com;
            email.jetblue.com               require_signed  email.jetblue.com;
            email.ticketmaster.com          require_signed  email.ticketmaster.com;
            email.travelzoo.com             require_signed  email.travelzoo.com;
            email.wetransfer.com            require_signed  email.wetransfer.com;
            email.zazzle.com                require_signed  email.zazzle.com;
            email.zionlodge.com             require_signed  email.zionlodge.com;
            emails.cafepress.com            require_signed  cafepress.com;
            et.uber.com                     require_signed  et.uber.com;
            facebookmail.com                require_signed  facebookmail.com;
            fedex.com                       require_signed  fedex.com;
            harryanddavid-email.com         require_signed  harryanddavid-email.com;
            healthcare.gov                  require_signed  healthcare.gov;
            imail.register.com              require_signed  imail.register.com;
            info1.networksolutions.com      require_signed  info1.networksolutions.com;
            insideapple.apple.com           require_signed  insideapple.apple.com;
            intuit.com                      require_signed  intuit.com;
            lakearrowheadchamber.com        require_signed  lakearrowhead.ccsend.com;
            lehighvalleychamber.org         require_signed  lehighvalleychamber.ccsend.com;
            libertymutual.com               require_signed  libertymutual.com;
            linkedin.com                    require_signed  linkedin.com;
            luv.southwest.com               require_signed  luv.southwest.com;
            mail.sling.com                  require_signed  mail.sling.com;
            mail.zillow.com                 require_signed  mail.zillow.com;
            mailer.box.com                  require_signed  box.com;
            midjerseychamber.org            require_signed  midjerseychamber.ccsend.com;
            monster.com                     require_signed  monster.com;
            my.orbitz.com                   require_signed  my.orbitz.com;
            mystubhub.com                   require_signed  mystubhub.com;
            na.email.aa.com                 require_signed  na.email.aa.com;
            new.itunes.com                  require_signed  new.itunes.com;
            news.united.com                 require_signed  news.united.com;
            nextdayflyers.com               require_signed  nextdayflyers.com;
            notices.rei.com                 require_signed  notices.rei.com;
            openemail.americanexpress.com   require_signed  openemail.americanexpress.com;
            orders.staples.com              signed_white    orders.staples.com;     // some unsigned mail via protection.outlook.com
            paychex.com                     require_signed  paychex.com;
            paypal.com                      require_signed  paypal.com;
            public.govdelivery.com          require_signed  public.govdelivery.com;
            r.groupon.com                   require_signed  r.groupon.com;
            reply1.ebay.com                 require_signed  reply1.ebay.com;
            response.nfcu.org               require_signed  response.nfcu.org;
            service.capitalone.com          require_signed  capitalone.com;
            service.checkout.visa.com       require_signed  service.checkout.visa.com;
            sg.booking.com                  require_signed  sg.booking.com;
            subscriptions.ssa.gov           require_signed  subscriptions.ssa.gov;
            support.facebook.com            require_signed  support.facebook.com;
            support.zappos.com              require_signed  zappos.com;
            ticketfly.com                   require_signed  ticketfly.com;
            twitter.com                     require_signed  twitter.com;
            unionbank.com                   require_signed  unionbank.com;
            ups.com                         require_signed  ups.com;
            welcome.aexp.com                require_signed  welcome.aexp.com;
            wellsfargo.com                  require_signed  wellsfargo.com;
            wetransfer.com                  require_signed  email.wetransfer.com;
            zappos.com                      require_signed  zappos.com;
        };
        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl    multi.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl    dbl.spamhaus.org            "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore    { include "hosts-ignore.conf"; };
        tld       { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit off;
        host_limit soft 20;
        spamassassin    5;
        require_match       yes;
        dcc_greylist        yes;
        dcc_bulk_threshold  20;
    };

    generic "^li.*members.linode.com$|^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}"
            "your mail server %s seems to have a generic name";

    white_regex "=example.com=user@yourhostingaccount.com$";

    env_to {
        # !! replace this with your domain names
        # child contexts are not allowed to specify recipient addresses outside these domains
        # if this is a backup-mx, you need to include here domains for which you relay to the primary mx
        include "/etc/mail/local-host-names";
    };

    context whitelist {
        content off {};
        env_to {
            # dcc_to ok { include "/var/dcc/whitecommon"; };
        };
        env_from white {};      # white forces all unmatched from addresses (everyone in this case) to be whitelisted
                                # so all mail TO these env_to addresses is accepted
    };

    context abuse {
        dnsbl_list xbl;
        content off {};
        generic "^$ " " ";      # regex cannot match, to disable generic rdns rejects
        env_to {
            abuse@              # no content filtering on abuse reports
            postmaster@         # ""
        };
        env_from unknown {};    # ignore all parent white/black listing
    };

    context minimal {
        dnsbl_list sbl;
        content on {
            spamassassin        10;
            dcc_bulk_threshold  many;
        };
        generic "^$ " " ";      # regex cannot match, to disable generic rdns rejects
        env_to {
        };
    };

    context blacklist {
        dnsbl_list ;
        dnswl_list ;
        env_to {
            # dcc_to many { include "/var/dcc/whitecommon"; };
        };
        env_from black {};      # black forces all unmatched from addresses (everyone in this case) to be blacklisted
                                # so all mail TO these env_to addresses is rejected
    };

    env_from unknown {
        abuse@  abuse;  # replies to abuse reports use the abuse context
        # dcc_from { include "/var/dcc/whitecommon"; };
    };

    autowhite 90 "autowhite/my-auto-whitelist";
    # install should create /etc/dnsbl/autowhite writable by userid dnsbl
};