context main-default { // outbound dnsbl filtering to catch our own customers that end up on the sbl dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl_list sbl; // outbound content filtering to prevent our own customers from sending spam content on { filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit on 20 "Mail containing excessive bad html tags rejected"; html_limit off; host_limit on 20 "Mail containing excessive host names rejected"; host_limit soft 20; spamassassin 4; require_match yes; dcc_greylist yes; dcc_bulk_threshold 50; }; // backscatter prevention - do not send bounces for mail that we accepted but could not forward // we only send bounces to our own customers env_from unknown { "<>" black; }; // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address // default hourly rate limit is 30 // daily rate limits are 4 times the hourly limit // default hourly unique ip addresses is 5 // daily unique ip addresses are 4 times the hourly limit rate_limit 30 4 5 4 { // default fred 100 10; // override default limits joe 10 2; // "" "sam@somedomain.tld" 500 2; "@otherdomain.tld" 100 2; }; }; context main { dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnswl dnswl.org list.dnswl.org 2; dnsbl_list local sbl; dnswl_list dnswl.org; require_rdns yes; content on { dkim_signer { // we could add consumer facing domains like yahoo.com, aol.com, etc // here, IF you really want to accept all the mail from such folks. five-ten-sg.com white; some.spammer black; // reject if signed by them }; dkim_from { // cannot really add consumer facing domains like yahoo.com, aol.com, etc // here, since such messages from humans might be sent via mailing lists // that will break the dkim signature. But this works well for commonly // forged bulk senders like ebay and paypal. some.spammer require_signed some.spammer // reject if not signed adp.com require_signed adp.com; amazon.com require_signed amazon.com; billpay.bankofamerica.com require_signed billpay.bankofamerica.com; craigslist.org require_signed craigslist.org; dhl.com require_signed dhl.com; dropbox.com require_signed dropbox.com; dvd.com require_signed dvd.com e.statefarm.com require_signed e.statefarm.com; ealerts.bankofamerica.com require_signed ealerts.bankofamerica.com; ebay.com require_signed ebay.com; ecommail.walgreens.com require_signed ecommail.walgreens.com; email.travelzoo.com require_signed email.travelzoo.com; email.jetblue.com require_signed email.jetblue.com; facebookmail.com require_signed facebookmail.com; fedex.com require_signed fedex.com; healthcare.gov require_signed healthcare.gov; iheartmedia.com require_signed iheartmedia.onmicrosoft.com; linkedin.com require_signed linkedin.com; monster.com require_signed monster.com; paypal.com require_signed paypal.com; paychex.com require_signed paychex.com; r.groupon.com require_signed r.groupon.com; service.capitalone.com require_signed capitalone.com; support.facebook.com require_signed support.facebook.com; twitter.com require_signed twitter.com; ups.com require_signed ups.com; wellsfargo.com require_signed wellsfargo.com; }; filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit off; host_limit soft 20; spamassassin 5; require_match yes; dcc_greylist yes; dcc_bulk_threshold 20; }; generic "^li.*members.linode.com$|^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}" "your mail server %s seems to have a generic name"; white_regex "=example.com=user@yourhostingaccount.com$"; env_to { # !! replace this with your domain names # child contexts are not allowed to specify recipient addresses outside these domains # if this is a backup-mx, you need to include here domains for which you relay to the primary mx include "/etc/mail/local-host-names"; }; context whitelist { content off {}; env_to { # dcc_to ok { include "/var/dcc/whitecommon"; }; }; env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted # so all mail TO these env_to addresses is accepted }; context abuse { dnsbl_list xbl; content off {}; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { abuse@ # no content filtering on abuse reports postmaster@ # "" }; env_from unknown {}; # ignore all parent white/black listing }; context minimal { dnsbl_list sbl; content on { spamassassin 10; dcc_bulk_threshold many; }; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { }; }; context blacklist { dnsbl_list ; dnswl_list ; env_to { # dcc_to many { include "/var/dcc/whitecommon"; }; }; env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted # so all mail TO these env_to addresses is rejected }; env_from unknown { abuse@ abuse; # replies to abuse reports use the abuse context # dcc_from { include "/var/dcc/whitecommon"; }; }; autowhite 90 "autowhite/my-auto-whitelist"; # install should create /etc/dnsbl/autowhite writable by userid dnsbl };