context main-default { // outbound dnsbl filtering to catch our own customers that end up on the sbl dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl_list sbl; // outbound content filtering to prevent our own customers from sending spam content on { filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit on 20 "Mail containing excessive bad html tags rejected"; html_limit off; host_limit on 20 "Mail containing excessive host names rejected"; host_limit soft 20; spamassassin 4; require_match yes; dcc_greylist yes; dcc_bulk_threshold 50; }; // backscatter prevention - do not send bounces for mail that we accepted but could not forward // we only send bounces to our own customers env_from unknown { "<>" black; }; // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address // default hourly rate limit is 30 // daily rate limits are 4 times the hourly limit // default hourly unique ip addresses is 5 // daily unique ip addresses are 4 times the hourly limit rate_limit 30 4 5 4 { // default fred 100 10; // override default limits joe 10 2; // "" "sam@somedomain.tld" 500 2; "@otherdomain.tld" 100 2; }; }; context main { dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnswl dnswl.org list.dnswl.org 2; dnsbl_list local sbl; dnswl_list dnswl.org; require_rdns yes; content on { dkim_signer { // we could add consumer facing domains like yahoo.com, aol.com, etc // here, IF you really want to accept all the mail from such folks. five-ten-sg.com white; some.spammer black; // reject if signed by them }; dkim_from { // cannot really add consumer facing domains like yahoo.com, aol.com, etc // here, since such messages from humans might be sent via mailing lists // that will break the dkim signature. But this works well for commonly // forged bulk senders like ebay and paypal. some.spammer require_signed some.spammer // reject if not signed 123greetings.info require_signed 123greetings.info; aadvantage.email.aa.com require_signed aadvantage.email.aa.com; admarketing.yahoo.com require_signed admarketing.yahoo.com; adp.com require_signed adp.com; alertsp.chase.com require_signed alertsp.chase.com; allaboutjazz.com require_signed allaboutjazz.com; alpineescrow.net require_signed alpineescrowarrowhead.onmicrosoft.com; amazon.com require_signed amazon.com; applemusic.com require_signed applemusic.com; billpay.bankofamerica.com require_signed billpay.bankofamerica.com; booking.com require_signed sg.booking.com; cafepress.com require_signed cafepressinc.onmicrosoft.com; checkin.email.aa.com require_signed checkin.email.aa.com; connect.wellsfargoemail.com require_signed connect.wellsfargoemail.com; craigslist.org require_signed craigslist.org; dailykos.com require_signed sg.actionnetwork.org; daytimer.com require_signed daytimer.com; deals.priceline.com require_signed deals.priceline.com; dhl.com require_signed dhl.com; dropbox.com require_signed dropbox.com; dvd.com require_signed dvd.com e.bevmo.com require_signed e.bevmo.com; e.bloomingdales.com require_signed e.bloomingdales.com; e.business.officedepot.com require_signed e.business.officedepot.com; e.shutterfly.com require_signed e.shutterfly.com; e.statefarm.com require_signed e.statefarm.com; e1.llbean.com require_signed e1.llbean.com; ealerts.bankofamerica.com require_signed ealerts.bankofamerica.com; easy.staples.com require_signed easy.staples.com; ebay.com require_signed ebay.com; ecommail.walgreens.com require_signed ecommail.walgreens.com; email.aa.com require_signed email.aa.com; email.aegeanair.com require_signed email.aegeanair.com; email.chase.com require_signed email.chase.com; email.consumerreports.org require_signed email.consumerreports.org; email.dowjones.com require_signed email.dowjones.com; email.homedepot.com require_signed email.homedepot.com; email.jetblue.com require_signed email.jetblue.com; email.ticketmaster.com require_signed email.ticketmaster.com; email.travelzoo.com require_signed email.travelzoo.com; email.wetransfer.com require_signed email.wetransfer.com; email.zazzle.com require_signed email.zazzle.com; email.zionlodge.com require_signed email.zionlodge.com; emails.cafepress.com require_signed cafepress.com; et.uber.com require_signed et.uber.com; facebookmail.com require_signed facebookmail.com; fedex.com require_signed fedex.com; harryanddavid-email.com require_signed harryanddavid-email.com; healthcare.gov require_signed healthcare.gov; imail.register.com require_signed imail.register.com; info1.networksolutions.com require_signed info1.networksolutions.com; insideapple.apple.com require_signed insideapple.apple.com; intuit.com require_signed intuit.com; lakearrowheadchamber.com require_signed lakearrowhead.ccsend.com; lehighvalleychamber.org require_signed lehighvalleychamber.ccsend.com; libertymutual.com require_signed libertymutual.com; linkedin.com require_signed linkedin.com; luv.southwest.com require_signed luv.southwest.com; mail.sling.com require_signed mail.sling.com; mail.zillow.com require_signed mail.zillow.com; mailer.box.com require_signed box.com; midjerseychamber.org require_signed midjerseychamber.ccsend.com; monster.com require_signed monster.com; my.orbitz.com require_signed my.orbitz.com; mystubhub.com require_signed mystubhub.com; na.email.aa.com require_signed na.email.aa.com; new.itunes.com require_signed new.itunes.com; news.united.com require_signed news.united.com; nextdayflyers.com require_signed nextdayflyers.com; notices.rei.com require_signed notices.rei.com; openemail.americanexpress.com require_signed openemail.americanexpress.com; orders.staples.com signed_white orders.staples.com; // some unsigned mail via protection.outlook.com paychex.com require_signed paychex.com; paypal.com require_signed paypal.com; public.govdelivery.com require_signed public.govdelivery.com; r.groupon.com require_signed r.groupon.com; reply1.ebay.com require_signed reply1.ebay.com; response.nfcu.org require_signed response.nfcu.org; service.capitalone.com require_signed capitalone.com; service.checkout.visa.com require_signed service.checkout.visa.com; sg.booking.com require_signed sg.booking.com; subscriptions.ssa.gov require_signed subscriptions.ssa.gov; support.facebook.com require_signed support.facebook.com; support.zappos.com require_signed zappos.com; ticketfly.com require_signed ticketfly.com; twitter.com require_signed twitter.com; unionbank.com require_signed unionbank.com; ups.com require_signed ups.com; welcome.aexp.com require_signed welcome.aexp.com; wellsfargo.com require_signed wellsfargo.com; wetransfer.com require_signed email.wetransfer.com; zappos.com require_signed zappos.com; }; filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit off; host_limit soft 20; spamassassin 5; require_match yes; dcc_greylist yes; dcc_bulk_threshold 20; }; generic "^li.*members.linode.com$|^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}" "your mail server %s seems to have a generic name"; white_regex "=example.com=user@yourhostingaccount.com$"; env_to { # !! replace this with your domain names # child contexts are not allowed to specify recipient addresses outside these domains # if this is a backup-mx, you need to include here domains for which you relay to the primary mx include "/etc/mail/local-host-names"; }; context whitelist { content off {}; env_to { # dcc_to ok { include "/var/dcc/whitecommon"; }; }; env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted # so all mail TO these env_to addresses is accepted }; context abuse { dnsbl_list xbl; content off {}; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { abuse@ # no content filtering on abuse reports postmaster@ # "" }; env_from unknown {}; # ignore all parent white/black listing }; context minimal { dnsbl_list sbl; content on { spamassassin 10; dcc_bulk_threshold many; }; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { }; }; context blacklist { dnsbl_list ; dnswl_list ; env_to { # dcc_to many { include "/var/dcc/whitecommon"; }; }; env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted # so all mail TO these env_to addresses is rejected }; env_from unknown { abuse@ abuse; # replies to abuse reports use the abuse context # dcc_from { include "/var/dcc/whitecommon"; }; }; autowhite 90 "autowhite/my-auto-whitelist"; # install should create /etc/dnsbl/autowhite writable by userid dnsbl };