Mercurial > dnsbl
annotate xml/dnsbl.in @ 133:b8ce1b31237d stable-5-19
uribl lookups fully qualified; allow two component host names
author | carl |
---|---|
date | Tue, 01 Aug 2006 15:28:13 -0700 |
parents | 2b1a4701e856 |
children | f4746d8a12a3 |
rev | line source |
---|---|
108 | 1 <reference> |
2 <title>@PACKAGE@ Sendmail milter - Version @VERSION@</title> | |
3 <partintro> | |
4 <title>Packages</title> | |
5 <para>The various source and binary packages are available at <ulink | |
114
f4f5fb263072
cleanup list of tlds, add trailing / on http package directory reference
carl
parents:
111
diff
changeset
|
6 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink> |
108 | 7 The most recent documentation is available at <ulink |
8 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink> | |
9 </para> | |
94 | 10 |
108 | 11 </partintro> |
94 | 12 |
108 | 13 <refentry id="@PACKAGE@.1"> |
14 <refentryinfo> | |
115 | 15 <date>2006-01-08</date> |
108 | 16 </refentryinfo> |
94 | 17 |
108 | 18 <refmeta> |
19 <refentrytitle>@PACKAGE@</refentrytitle> | |
20 <manvolnum>1</manvolnum> | |
21 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
22 </refmeta> | |
23 | |
24 <refnamediv id='name.1'> | |
25 <refname>@PACKAGE@</refname> | |
26 <refpurpose>a sendmail milter with per-user dnsbl filtering</refpurpose> | |
27 </refnamediv> | |
94 | 28 |
108 | 29 <refsynopsisdiv id='synopsis.1'> |
30 <title>Synopsis</title> | |
31 <cmdsynopsis> | |
32 <command>@PACKAGE@</command> | |
33 <arg><option>-c</option></arg> | |
34 <arg><option>-s</option></arg> | |
35 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg> | |
36 <arg><option>-e <replaceable class="parameter">from|to</replaceable></option></arg> | |
37 <arg><option>-r <replaceable class="parameter">local-domain-socket</replaceable></option></arg> | |
38 <arg><option>-p <replaceable class="parameter">sendmail-socket</replaceable></option></arg> | |
39 <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> | |
40 </cmdsynopsis> | |
41 </refsynopsisdiv> | |
94 | 42 |
108 | 43 <refsect1 id='options.1'> |
44 <title>Options</title> | |
45 <variablelist> | |
46 <varlistentry> | |
47 <term>-c</term> | |
111 | 48 <listitem><para> |
49 Load the configuration file, print a cannonical form | |
50 of the configuration on stdout, and exit. | |
51 </para></listitem> | |
108 | 52 </varlistentry> |
53 <varlistentry> | |
54 <term>-s</term> | |
111 | 55 <listitem><para> |
56 Stress test the configuration loading code by repeating | |
57 the load/free cycle in an infinite loop. | |
58 </para></listitem> | |
108 | 59 </varlistentry> |
60 <varlistentry> | |
61 <term>-d <replaceable class="parameter">n</replaceable></term> | |
111 | 62 <listitem><para> |
63 Set the debug level to <replaceable class="parameter">n</replaceable>. | |
64 </para></listitem> | |
108 | 65 </varlistentry> |
66 <varlistentry> | |
67 <term>-e <replaceable class="parameter">from|to</replaceable></term> | |
111 | 68 <listitem><para> |
69 Print the results of looking up the from and to addresses in the | |
70 current configuration. The | character is used to separate the from and to | |
71 addresses in the argument to the -e switch. | |
72 </para></listitem> | |
108 | 73 </varlistentry> |
74 <varlistentry> | |
75 <term>-r <replaceable class="parameter">local-domain-socket</replaceable></term> | |
111 | 76 <listitem><para> |
77 Set the local socket used for the connection to our own dns resolver processes. | |
78 </para></listitem> | |
108 | 79 </varlistentry> |
80 <varlistentry> | |
81 <term>-p <replaceable class="parameter">sendmail-socket</replaceable></term> | |
111 | 82 <listitem><para> |
83 Set the socket used for the milter connection to sendmail. This is either | |
84 "inet:port@ip-address" or "local:local-domain-socket-file-name". | |
85 </para></listitem> | |
108 | 86 </varlistentry> |
87 <varlistentry> | |
88 <term>-t <replaceable class="parameter">timeout</replaceable></term> | |
111 | 89 <listitem><para> |
90 Set the timeout in seconds used for communication with sendmail. | |
91 </para></listitem> | |
108 | 92 </varlistentry> |
93 </variablelist> | |
94 </refsect1> | |
94 | 95 |
111 | 96 <refsect1 id='usage.1'> |
108 | 97 <title>Usage</title> |
98 <para><command>@PACKAGE@</command> -c</para> | |
99 <para><command>@PACKAGE@</command> -s</para> | |
111 | 100 <para><command>@PACKAGE@</command> -e 'someone@aol.com|localname@mydomain.tld'</para> |
101 <para><command>@PACKAGE@</command> -d 10 -r resolver.sock -p local:dnsbl.sock</para> | |
102 </refsect1> | |
103 | |
104 <refsect1 id='installation.1'> | |
105 <title>Installation</title> | |
106 <para> | |
107 This is now a standard GNU autoconf/automake installation, so the normal | |
108 "./configure; make; su; make install" works. "make chkconfig" will | |
109 setup the init.d runlevel scripts. Alternatively, you can use the | |
110 source or binary RPMs at <ulink | |
111 url="http://www.five-ten-sg.com/@PACKAGE@/packages">http://www.five-ten-sg.com/@PACKAGE@/packages</ulink>. | |
112 </para> | |
113 <para> | |
114 Note that this has ONLY been tested on Linux, specifically RedHat Linux. | |
115 In particular, this milter makes no attempt to understand IPv6. Your | |
116 mileage will vary. You will need at a minimum a C++ compiler with a | |
117 minimally thread safe STL implementation. The distribution includes a | |
118 test.cpp program. If it fails this milter won't work. If it passes, | |
119 this milter might work. | |
120 </para> | |
121 <para> | |
122 Modify your sendmail.mc by removing all the "FEATURE(dnsbl" lines, add | |
123 the following line in your sendmail.mc and rebuild the .cf file | |
124 </para> | |
125 <para><screen>INPUT_MAIL_FILTER(`dnsbl', `S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')</screen></para> | |
126 <para> | |
127 Modify the default <citerefentry> | |
128 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
129 </citerefentry> configuration. | |
130 </para> | |
131 </refsect1> | |
132 | |
133 <refsect1 id='configuration.1'> | |
134 <title>Configuration</title> | |
135 <para> | |
136 The configuration file is documented in <citerefentry> | |
137 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> | |
138 </citerefentry>. Any change to the config file, or any file included | |
139 from that config file, will cause it to be reloaded within three | |
140 minutes. | |
141 </para> | |
108 | 142 </refsect1> |
94 | 143 |
108 | 144 <refsect1 id='introduction.1'> |
145 <title>Introduction</title> | |
146 <para> | |
147 Consider the case of a mail server that is acting as secondary MX for a | |
148 collection of clients, each of which has a collection of mail domains. | |
149 Each client may use their own collection of DNSBLs on their primary mail | |
150 server. We present here a mechanism whereby the backup mail server can | |
151 use the correct set of DNSBLs for each recipient for each message. As a | |
152 side-effect, it gives us the ability to customize the set of DNSBLs on a | |
153 per-recipient basis, so that fred@example.com could use SPEWS and the | |
154 SBL, where all other users @example.com use only the SBL. | |
155 </para> | |
156 <para> | |
157 This milter can also verify the envelope from/recipient pairs with the | |
158 primary MX server. This allows the backup mail servers to properly | |
159 reject mail sent to invalid addresses. Otherwise, the backup mail | |
160 servers will accept that mail, and then generate a bounce message when | |
161 the message is forwarded to the primary server (and rejected there with | |
127 | 162 no such user). These rejections are the primary cause of such backscatter. |
108 | 163 </para> |
164 <para> | |
165 This milter will also decode (uuencode, base64, mime, html entity, url | |
166 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the | |
167 body of the mail. If any of those host names have A or NS records on | |
168 the SBL (or a single configurable DNSBL), the mail will be rejected | |
169 unless previously whitelisted. This milter also counts the number of | |
170 invalid HTML tags, and can reject mail if that count exceeds your | |
171 specified limit. | |
172 </para> | |
173 <para> | |
174 The DNSBL milter reads a text configuration file (dnsbl.conf) on | |
175 startup, and whenever the config file (or any of the referenced include | |
176 files) is changed. The entire configuration file is case insensitive. | |
177 If the configuration cannot be loaded due to a syntax error, the milter | |
178 will log the error and quit. If the configuration cannot be reloaded | |
179 after being modified, the milter will log the error and send an email to | |
180 root from dnsbl@$hostname. You probably want to added dnsbl@$hostname | |
181 to your /etc/mail/virtusertable since otherwise sendmail will reject | |
182 that message. | |
183 </para> | |
184 </refsect1> | |
94 | 185 |
111 | 186 <refsect1 id='dcc.1'> |
108 | 187 <title>DCC Issues</title> |
188 <para> | |
189 If you are also using the <ulink | |
190 url="http://www.rhyolite.com/anti-spam/dcc/">DCC</ulink> milter, there | |
191 are a few considerations. You may need to whitelist senders from the | |
192 DCC bulk detector, or from the DNS based lists. Those are two very | |
193 different reasons for whitelisting. The former is done thru the DCC | |
194 whiteclnt config file, the later is done thru the DNSBL milter config | |
195 file. | |
196 </para> | |
197 <para> | |
198 You may want to blacklist some specific senders or sending domains. | |
199 This could be done thru either the DCC (on a global basis, or for a | |
200 specific single recipient). We prefer to do such blacklisting via the | |
201 DNSBL milter config, since it can be done for a collection of recipient | |
202 mail domains. The DCC approach has the feature that you can capture the | |
203 entire message in the DCC log files. The DNSBL milter approach has the | |
204 feature that the mail is rejected earlier (at RCPT TO time), and the | |
205 sending machine just gets a generic "550 5.7.1 no such user" message. | |
206 </para> | |
207 <para> | |
208 The DCC whiteclnt file can be included in the DNSBL milter config by the | |
209 dcc_to and dcc_from statements. This will import the (env_to, env_from, | |
210 and substitute mail_host) entries from the DCC config into the DNSBL | |
211 config. This allows using the DCC config as the single point for | |
212 white/blacklisting. | |
213 </para> | |
214 <para> | |
215 Consider the case where you have multiple clients, each with their own | |
216 mail servers, and each running their own DCC milters. Each client is | |
217 using the DCC facilities for envelope from/to white/blacklisting. | |
218 Presumably you can use rsync or scp to fetch copies of your clients DCC | |
219 whiteclnt files on a regular basis. Your mail server, acting as a | |
220 backup MX for your clients, can use the DNSBL milter, and include those | |
221 client DCC config files. The envelope from/to white/blacklisting will | |
222 be appropriately tagged and used only for the domains controlled by each | |
223 of those clients. | |
224 </para> | |
225 </refsect1> | |
94 | 226 |
111 | 227 <refsect1 id='definitions.1'> |
108 | 228 <title>Definitions</title> |
229 <para> | |
230 CONTEXT - a collection of parameters that defines the filtering context | |
231 to be used for a collection of envelope recipient addresses. The | |
232 context includes such things as the list of DNSBLs to be used, and the | |
233 various content filtering parameters. | |
234 </para> | |
235 <para> | |
236 DNSBL - a named DNS based blocking list is defined by a dns suffix (e.g. | |
237 sbl-xbl.spamhaus.org) and a message string that is used to generate the | |
238 "550 5.7.1" smtp error return code. The names of these DNSBLs will be | |
239 used to define the DNSBL-LISTs. | |
240 </para> | |
241 <para> | |
242 DNSBL-LIST - a named list of DNSBLs that will be used for specific | |
243 recipients or recipient domains. | |
244 </para> | |
245 </refsect1> | |
94 | 246 |
111 | 247 <refsect1 id='filtering.1'> |
108 | 248 <title>Filtering Procedure</title> |
249 <para> | |
250 If the client has authenticated with sendmail, the mail is accepted, the | |
251 filtering contexts are not used, the dns lists are not checked, and the | |
252 body content is not scanned. Otherwise, we follow these steps for each | |
253 recipient. | |
254 </para> | |
255 <orderedlist> | |
111 | 256 <listitem><para> |
108 | 257 The envelope to email address is used to find an initial filtering |
258 context. We first look for a context that specified the full email | |
259 address in the env_to statement. If that is not found, we look for a | |
260 context that specified the entire domain name of the envelope recipient | |
261 in the env_to statement. If that is not found, we look for a context | |
262 that specified the user@ part of the envelope recipient in the env_to | |
263 statement. If that is not found, we use the first top level context | |
264 defined in the config file. | |
111 | 265 </para></listitem> |
266 <listitem><para> | |
108 | 267 The initial filtering context may redirect to a child context based on |
268 the values in the initial context's env_from statement. We look for [1) | |
269 the full envelope from email address, 2) the domain name part of the | |
270 envelope from address, 3) the user@ part of the envelope from address] | |
271 in that context's env_from statement, with values that point to a child | |
272 context. If such an entry is found, we switch to that child filtering | |
273 context. | |
111 | 274 </para></listitem> |
275 <listitem><para> | |
108 | 276 We lookup [1) the full envelope from email address, 2) the domain name |
277 part of the envelope from address, 3) the user@ part of the envelope | |
278 from address] in the filtering context env_from statement. That results | |
279 in one of (white, black, unknown, inherit). | |
111 | 280 </para></listitem> |
281 <listitem><para> | |
108 | 282 If the answer is black, mail to this recipient is rejected with "no such |
283 user", and the dns lists are not checked. | |
111 | 284 </para></listitem> |
285 <listitem><para> | |
108 | 286 If the answer is white, mail to this recipient is accepted and the dns |
287 lists are not checked. | |
111 | 288 </para></listitem> |
289 <listitem><para> | |
108 | 290 If the answer is unknown, we don't reject yet, but the dns lists will be |
291 checked, and the content may be scanned. | |
111 | 292 </para></listitem> |
293 <listitem><para> | |
108 | 294 If the answer is inherit, we repeat the envelope from search in the |
295 parent context. | |
111 | 296 </para></listitem> |
297 <listitem><para> | |
108 | 298 The dns lists specified in the filtering context are checked and the |
299 mail is rejected if any list has an A record for the standard dns based | |
300 lookup scheme (reversed octets of the client followed by the dns | |
301 suffix). | |
111 | 302 </para></listitem> |
303 <listitem><para> | |
108 | 304 If the mail has not been accepted or rejected yet, we look for a |
305 verification context, which is the closest ancestor of the filtering | |
306 context that both specifies a verification host, and which covers the | |
307 envelope to address. If we find such a verification context, and the | |
308 verification host is not our own hostname, we open an smtp conversation | |
309 with that verification host. The current envelope from and recipient to | |
310 values are passed to that verification host. If we receive a 5xy | |
311 response those commands, we reject the current recipient with "no such | |
312 user". | |
111 | 313 </para></listitem> |
314 <listitem><para> | |
108 | 315 If the mail has not been accepted or rejected yet, and the filtering |
316 context enables content filtering, and this is the first such recipient | |
317 in this smtp transaction, we set the content filtering parameters from | |
318 this context, and enable content filtering for the body of this message. | |
111 | 319 </para></listitem> |
108 | 320 </orderedlist> |
321 <para> | |
322 If content filtering is enabled for this body, the mail text is decoded | |
119 | 323 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP |
324 and HTTPS URLs or bare host names. Hostnames must be either ip address | |
325 literals, or must end in a string defined by the TLD list. The first | |
326 <configurable> host names are checked as follows. | |
327 </para> | |
328 <para> | |
329 The only known list that is suitable for the content filter DNSBL is the | |
330 SBL. If the content filter DNSBL is defined, and any of those host | |
331 names resolve to ip addresses that are on that DNSBL (or have | |
332 nameservers that are on that list), and the host name is not on the | |
333 <configurable> ignore list, the mail is rejected. | |
334 </para> | |
335 <para> | |
336 If the content uribl DNSBL is defined, and any of those host names are | |
337 on that DNSBL, and the host name is not on the <configurable> | |
338 ignore list, the mail is rejected. | |
339 </para> | |
340 <para> | |
341 We also scan for excessive bad html tags, and if a <configurable> | |
342 limit is exceeded, the mail is rejected. | |
108 | 343 </para> |
344 </refsect1> | |
94 | 345 |
111 | 346 <refsect1 id='access.1'> |
108 | 347 <title>Sendmail access vs. DNSBL</title> |
348 <para> | |
349 With the standard sendmail.mc dnsbl FEATURE, the dnsbl checks may be | |
350 suppressed by entries in the /etc/mail/access database. For example, | |
351 suppose you control a /18 of address space, and have allocated some /24s | |
352 to some clients. You have access entries like | |
111 | 353 <literallayout class="monospaced"><![CDATA[ |
354 192.168.4 OK | |
355 192.168.17 OK]]></literallayout> | |
108 | 356 </para> |
357 <para> | |
358 to allow those clients to smarthost thru your mail server. Now if one | |
359 of those clients happens get infected with a virus that turns a machine | |
360 into an open proxy, and their 192.168.4.45 lands on the SBL-XBL, you | |
361 will still wind up allowing that infected machine to smarthost thru your | |
362 mail servers. | |
363 </para> | |
364 <para> | |
365 With this DNSBL milter, the sendmail access database cannot override the | |
366 dnsbl checks, so that machine won't be able to send mail to or thru your | |
367 smarthost mail server (unless the virus/proxy can use smtp-auth). | |
368 </para> | |
369 <para> | |
370 Using the standard sendmail features, you would add access entries to | |
371 allow hosts on your local network to relay thru your mail server. Those | |
372 OK entries in the sendmail access database will override all the dnsbl | |
373 checks. With this DNSBL milter, you will need to have the local users | |
374 authenticate with smtp-auth to get the same effect. You might find | |
375 <ulink | |
376 url="http://www.ists.dartmouth.edu/classroom/sendmail-ssl-how-to.php"> | |
377 these directions</ulink> helpful for setting up smtp-auth if you are on | |
378 RH Linux. | |
379 </para> | |
380 </refsect1> | |
94 | 381 |
111 | 382 <refsect1 id='performance.1'> |
108 | 383 <title>Performance Issues</title> |
384 <para> | |
385 Consider a high volume high performance machine running sendmail. Each | |
386 sendmail process can do its own dns resolution. Typically, such dns | |
387 resolver libraries are not thread safe, and so must be protected by some | |
388 sort of mutex in a threaded environment. When we add a milter to | |
389 sendmail, we now have a collection of sendmail processes, and a | |
390 collection of milter threads. | |
391 </para> | |
392 <para> | |
393 We will be doing a lot of dns lookups per mail message, and at least | |
394 some of those will take many tens of seconds. If all this dns work is | |
395 serialized inside the milter, we have an upper limit of about 25K mail | |
396 messages per day. That is clearly not sufficient for many sites. | |
397 </para> | |
398 <para> | |
399 Since we want to do parallel dns resolution across those milter threads, | |
400 we add another collection of dns resolver processes. Each sendmail | |
401 process is talking to a milter thread over a socket, and each milter | |
402 thread is talking to a dns resolver process over another socket. | |
403 </para> | |
404 <para> | |
405 Suppose we are processing 20 messages per second, and each message | |
406 requires 20 seconds of dns work. Then we will have 400 sendmail | |
407 processes, 400 milter threads, and 400 dns resolver processes. Of | |
408 course that steady state is very unlikely to happen. | |
409 </para> | |
410 </refsect1> | |
94 | 411 |
412 | |
111 | 413 <refsect1 id='rejected.1'> |
108 | 414 <title>Rejected Ideas</title> |
415 <para> | |
416 The following ideas have been considered and rejected. | |
417 </para> | |
418 <para> | |
111 | 419 Add max_recipients setting to the context configuration. Recipients in |
420 excess of that limit will be rejected, and all the non-whitelisted | |
421 recipients will be removed. Current spammers *very* rarely send more | |
422 than ten recipients in a single smtp transaction, so this won't stop any | |
108 | 423 significant amount of spam. |
424 </para> | |
425 <para> | |
426 Add poison addresses to the configuration. If any recipient is | |
427 poison, all recipients are rejected even if they would be whitelisted, | |
428 and the data is rejected if sent. I have a collection of spam trap | |
429 addresses that would be suitable for such use. Based on my log files, | |
430 any mail to those spam trap addresses is rejected based on either dnsbl | |
431 lookups or the DCC. So this won't result in blocking any additional | |
432 spam. | |
433 </para> | |
434 <para> | |
435 Add an option to only allow one recipient if the return path is | |
436 empty. Based on my log files, there is no mail that violates this | |
437 check. | |
438 </para> | |
439 <para> | |
440 Reject the mail if the envelope from domain name contains any MX | |
441 records pointing to 127.0.0.0/8. I don't see any significant amount of | |
442 spam sent with such domain names. | |
443 </para> | |
444 </refsect1> | |
94 | 445 |
108 | 446 <refsect1 id='todo.1'> |
447 <title>TODO</title> | |
448 <para> | |
449 The following ideas are under consideration. | |
450 </para> | |
451 <para> | |
127 | 452 Add mail volume limits based on smtp auth accounts, to prevent |
453 customers from sending too much mail. This should catch customers | |
454 that get infected with malware that knows about smtp auth. | |
455 </para> | |
456 <para> | |
108 | 457 Add a per-context option to reject mail if the number of digits in |
458 the reverse dns client name exceeds some threshold. | |
459 </para> | |
115 | 460 <para> |
461 Look for href="hostname/path" strings that are missing the required | |
462 http:// protocol header. Such references are still clickable in common | |
463 mail software. | |
464 </para> | |
108 | 465 </refsect1> |
94 | 466 |
111 | 467 <refsect1 id='copyright.1'> |
108 | 468 <title>Copyright</title> |
469 <para> | |
470 Copyright (C) 2005 by 510 Software Group <carl@five-ten-sg.com> | |
471 </para> | |
472 <para> | |
473 This program is free software; you can redistribute it and/or modify it | |
474 under the terms of the GNU General Public License as published by the | |
475 Free Software Foundation; either version 2, or (at your option) any | |
476 later version. | |
477 </para> | |
478 <para> | |
479 You should have received a copy of the GNU General Public License along | |
480 with this program; see the file COPYING. If not, please write to the | |
481 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. | |
482 </para> | |
483 </refsect1> | |
94 | 484 |
111 | 485 <refsect1 id='version.1'> |
486 <title>CVS Version</title> | |
108 | 487 <para> |
488 $Id$ | |
489 </para> | |
490 </refsect1> | |
491 </refentry> | |
492 | |
493 | |
494 <refentry id="@PACKAGE@.conf.5"> | |
495 <refentryinfo> | |
115 | 496 <date>2006-01-08</date> |
108 | 497 </refentryinfo> |
94 | 498 |
108 | 499 <refmeta> |
500 <refentrytitle>@PACKAGE@.conf</refentrytitle> | |
501 <manvolnum>5</manvolnum> | |
502 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo> | |
503 </refmeta> | |
94 | 504 |
108 | 505 <refnamediv id='name.5'> |
506 <refname>@PACKAGE@.conf</refname> | |
111 | 507 <refpurpose>configuration file for @PACKAGE@ sendmail milter</refpurpose> |
108 | 508 </refnamediv> |
509 | |
510 <refsynopsisdiv id='synopsis.5'> | |
511 <title>Synopsis</title> | |
512 <cmdsynopsis> | |
513 <command>@PACKAGE@.conf</command> | |
514 </cmdsynopsis> | |
515 </refsynopsisdiv> | |
94 | 516 |
108 | 517 <refsect1 id='description.5'> |
518 <title>Description</title> | |
519 <para>The <command>@PACKAGE@.conf</command> configuration file is | |
520 specified by this partial bnf description.</para> | |
521 | |
522 <literallayout class="monospaced"><![CDATA[ | |
523 CONFIG = {CONTEXT ";"}+ | |
524 CONTEXT = "context" NAME "{" {STATEMENT}+ "}" | |
111 | 525 STATEMENT = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY | |
526 CONTEXT | ENV-FROM) ";" | |
108 | 527 |
124 | 528 DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1 |
108 | 529 |
530 DNSBLLIST = "dnsbl_list" {NAME}+ | |
94 | 531 |
108 | 532 CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}" |
119 | 533 CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | CCTLD | HTML-TAGS | |
534 HTML-LIMIT | HOST-LIMIT) ";" | |
124 | 535 FILTER = "filter" DNSPREFIX ERROR-MSG2 |
536 URIBL = "uribl" DNSPREFIX ERROR-MSG3 | |
108 | 537 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}" |
538 TLD = "tld" "{" {TLD [";"]}+ "}" | |
119 | 539 CCTLD = "cctld" "{" {TLD [";"]}+ "}" |
108 | 540 HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}" |
124 | 541 ERROR-MSG1 = string containing exactly two %s replacement tokens |
542 both are replaced with the client ip address | |
543 ERROR-MSG2 = string containing exactly two %s replacement tokens | |
544 the first is replaced with the hostname, and the second | |
545 is replaced with the ip address | |
546 ERROR-MSG3 = string containing exactly two %s replacement tokens | |
547 both are replaced with the hostname | |
108 | 548 |
549 HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off") | |
550 | |
111 | 551 HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | |
552 "soft" INTEGER) | |
94 | 553 |
108 | 554 ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}" |
555 TO-ADDR = ADDRESS [";"] | |
556 DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";" | |
557 | |
558 VERIFY = "verify" HOSTNAME ";" | |
559 | |
560 ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}" | |
561 FROM-ADDR = ADDRESS VALUE [";"] | |
562 DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";" | |
563 DEFAULT = ("white" | "black" | "unknown" | "inherit" | "") | |
564 ADDRESS = (USER@ | DOMAIN | USER@DOMAIN) | |
565 VALUE = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME)]]></literallayout> | |
566 </refsect1> | |
94 | 567 |
108 | 568 <refsect1 id='sample.5'> |
569 <title>Sample</title> | |
570 <literallayout class="monospaced"><![CDATA[ | |
127 | 571 context main-default { |
572 // outbound dnsbl filtering to catch our own customers that end up on the sbl | |
573 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; | |
574 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
575 dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s"; | |
576 dnsbl_list local sbl dul; | |
577 | |
578 // outbound content filtering to prevent our own customers from sending spam | |
579 content on { | |
580 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
581 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; | |
582 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; | |
583 ignore { include "hosts-ignore.conf"; }; | |
584 tld { include "tld.conf"; }; | |
585 cctld { include "cctld.conf"; }; | |
586 html_tags { include "html-tags.conf"; }; | |
587 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
588 html_limit off; | |
589 host_limit on 20 "Mail containing excessive host names rejected"; | |
590 host_limit soft 20; | |
591 }; | |
592 | |
593 // backscatter prevention - don't send bounces for mail that we accepted but could not forward | |
594 // we only send bounces to our own customers | |
595 env_from unknown { | |
596 "<>" black; | |
597 }; | |
598 }; | |
599 | |
108 | 600 context sample { |
601 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; | |
602 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
603 dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
604 dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s"; | |
605 dnsbl_list local sbl dul; | |
94 | 606 |
108 | 607 content on { |
608 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; | |
122 | 609 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s"; |
119 | 610 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; |
108 | 611 ignore { include "hosts-ignore.conf"; }; |
612 tld { include "tld.conf"; }; | |
119 | 613 cctld { include "cctld.conf"; }; |
108 | 614 html_tags { include "html-tags.conf"; }; |
615 html_limit on 20 "Mail containing excessive bad html tags rejected"; | |
616 html_limit off; | |
617 host_limit on 20 "Mail containing excessive host names rejected"; | |
618 host_limit soft 20; | |
619 }; | |
94 | 620 |
108 | 621 env_to { |
622 # child contexts are not allowed to specify recipient addresses outside these domains | |
623 # leave this outer global context env_to empty to allow arbitrary recipients in child contexts | |
624 mydomain.com; | |
625 customer1.com; | |
626 customer1a.com; | |
627 customer1b.com; | |
628 customer2.com; | |
629 customer2a.com; | |
630 customer2b.com; | |
631 }; | |
94 | 632 |
108 | 633 context whitelist { |
634 content off {}; | |
635 env_to { | |
636 # dcc_to ok { include "/var/dcc/whitecommon"; }; # copy the dcc OK values (env_to) into this context | |
637 }; | |
638 env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted | |
639 # so all mail TO these env_to addresses is accepted | |
640 }; | |
94 | 641 |
108 | 642 context abuse { |
643 dnsbl_list xbl; | |
644 content off {}; | |
645 env_to { | |
646 abuse@; # no content filtering on abuse reports | |
647 postmaster@; # "" | |
648 }; | |
649 env_from unknown {}; # ignore all parent white/black listing | |
650 }; | |
94 | 651 |
108 | 652 context minimal { |
653 dnsbl_list sbl dul; | |
654 content on {}; | |
655 env_to { | |
656 sales@mydomain.com; | |
657 }; | |
658 }; | |
94 | 659 |
108 | 660 context blacklist { |
661 env_to { | |
662 dcc_to many { include "/var/dcc/whitecommon"; }; # copy the dcc MANY values (env_to) into this context | |
663 old-employee@mydomain.com; | |
664 }; | |
665 env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted | |
666 # so all mail TO these env_to addresses is rejected | |
667 }; | |
94 | 668 |
108 | 669 context vp { # special context for the vp |
670 env_to { | |
671 vp@mydomain.com; | |
672 }; | |
673 env_from inherit { | |
674 nai.com black; # the vp does not like nai | |
675 yahoo.com unknown; # override parent context blacklisting | |
676 mother@spammyisp.com white; # suppress dnsbl checking | |
677 }; | |
678 }; | |
679 | |
680 context customer1 { | |
681 dnsbl_list sbl dul; | |
682 env_to { | |
683 customer1.com; | |
684 customer1a.com; | |
685 customer1b.com; | |
686 }; | |
94 | 687 |
108 | 688 verify mail.customer1.com; |
94 | 689 |
108 | 690 context customer1a { |
691 env_to { | |
692 customer1a.com; | |
693 } | |
694 env_from black { # blacklist everything | |
695 first@acceptable.com unknown; # except these specific envelope senders | |
696 second@another.com unknown; | |
697 yahoo.com inherit; # delegate to the parent | |
698 }; | |
699 }; | |
700 | |
701 env_from { # default value of the default is inherit | |
702 yahoo.com black; # no mail from yahoo | |
703 first@yahoo.com unknown; # except this one | |
704 }; | |
705 }; | |
94 | 706 |
108 | 707 context customer2 { |
708 dnsbl_list sbl; | |
709 env_to { | |
710 customer2.com; | |
711 customer2a.com; | |
712 customer2b.com; | |
713 }; | |
714 }; | |
104 | 715 |
108 | 716 env_from unknown { |
717 dcc_from { include "/var/dcc/whitecommon"; }; # copy the dcc OK/MANY values (env_from, substitute mail_host) into this context | |
718 abuse@ abuse; # replies to abuse reports use the abuse context | |
719 yahoo.com black; # don't take mail from yahoo | |
720 spammer@example.com black; | |
721 }; | |
722 };]]></literallayout> | |
723 </refsect1> | |
94 | 724 |
111 | 725 <refsect1 id='version.5'> |
726 <title>CVS Version</title> | |
108 | 727 <para> |
728 $Id$ | |
729 </para> | |
730 </refsect1> | |
731 | |
732 </refentry> | |
733 </reference> |