The dnsbl.conf configuration file is specified by this partial bnf description. Comments start with // or # and extend to the end of the line. To include the contents of some file verbatim in the dnsbl.conf file, use
include "<file>";
CONFIG = {CONTEXT ";"}+ CONTEXT = "context" NAME "{" {STATEMENT}+ "}" STATEMENT = ( DNSBL | DNSBLLIST | DNSWL | DNSWLLIST | CONTENT | ENV-TO | VERIFY | GENERIC | W_REGEX | AUTOWHITE | CONTEXT | ENV-FROM | RATE-LIMIT | REQUIRERDNS) ";" DNSBL = "dnsbl" NAME DNSPREFIX ERROR-MSG1 DNSBLLIST = "dnsbl_list" {NAME}* DNSWL = "dnswl" NAME DNSPREFIX LEVEL DNSWLLIST = "dnswl_list" {NAME}* LEVEL = INTEGER REQUIRERDNS = "require_rdns" ("yes" | "no") CONTENT = "content" ("on" | "off") "{" {CONTENT-ST}+ "}" CONTENT-ST = (FILTER | URIBL | IGNORE | TLD | HTML-TAGS | HTML-LIMIT | HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | DCCBULK | DKIM_SIGNER | DKIM_FROM) ";" FILTER = "filter" DNSPREFIX ERROR-MSG2 URIBL = "uribl" DNSPREFIX ERROR-MSG3 IGNORE = "ignore" "{" {HOSTNAME [";"]}+ "}" TLD = "tld" "{" {TLD [";"]}+ "}" HTML-TAGS = "html_tags" "{" {HTMLTAG [";"]}+ "}" ERROR-MSG1 = string containing exactly two %s replacement tokens both are replaced with the client ip address ERROR-MSG2 = string containing exactly two %s replacement tokens the first is replaced with the hostname, and the second is replaced with the ip address ERROR-MSG3 = string containing exactly two %s replacement tokens both are replaced with the hostname HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off") HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" | "soft" INTEGER) SPAMASS = "spamassassin" INTEGER REQUIRE = "require_match" ("yes" | "no") DCCGREY = "dcc_greylist" ("yes" | "no") DCCBULK = "dcc_bulk_threshold" (INTEGER | "many" | "off") DKIMSIGNER = "dkim_signer" "{" {SIGNING_DOMAIN DEF [";"]}+ "}" DKIMFROM = "dkim_from" "{" {HEADER_FROM_DOMAIN DKIMVALUE SIGNERS [";"]}+ "}" DKIMVALUE = "signed_white" | "signed_black" | "require_signed" | "unsigned_black" SIGNERS = '"' SIGNING_DOMAINS[;EXTRA_SPF_DATA] '"' SIGNING_DOMAINS = SIGNING_DOMAIN[,SIGNING_DOMAINS] ENV-TO = "env_to" "{" {(TO-ADDR | DCC-TO)}+ "}" TO-ADDR = ADDRESS [";"] DCC-TO = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";" VERIFY = "verify" HOSTNAME ";" GENERIC = "generic" REGULAREXPRESSION ERROR-MSG4 ";" W-REGEX = "white_regex" REGULAREXPRESSION ";" ERROR-MSG4 = string containing exactly one %s replacement token which is replaced with the client name AUTOWHITE = "autowhite" DAYS FILENAME ";" ENV_FROM = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}" FROM-ADDR = ADDRESS VALUE [";"] DCC-FROM = "dcc_from" "{" DCCINCLUDEFILE "}" ";" RATE-LIMIT = "rate_limit" DEFAULT_RCPT_LIMIT DAILY_MULTIPLE_RCPT DEFAULT_IP_LIMIT DAILY_MULTIPLE_IP "{" (RATE)+ "}" RATE = USER RCPTLIMIT IPLIMIT ";" RCPTLIMIT = INTEGER DEFAULT_RCPT_LIMIT = INTEGER DAILY_MULTIPLE_RCPT = INTEGER DEFAULT_IP_LIMIT = INTEGER DAILY_MULTIPLE_IP = INTEGER DEF = ("white" | "black" | "unknown") DEFAULT = (DEF | "inherit" | "") ADDRESS = (USER@ | DOMAIN | USER@DOMAIN) VALUE = (DEF | "inherit" | CHILD-CONTEXT-NAME)
context main-default { // outbound dnsbl filtering to catch our own customers that end up on the sbl dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl_list sbl; // outbound content filtering to prevent our own customers from sending spam content on { filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit on 20 "Mail containing excessive bad html tags rejected"; html_limit off; host_limit on 20 "Mail containing excessive host names rejected"; host_limit soft 20; spamassassin 4; require_match yes; dcc_greylist yes; dcc_bulk_threshold 50; }; // backscatter prevention - do not send bounces for mail that we accepted but could not forward // we only send bounces to our own customers env_from unknown { "<>" black; }; // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address // hourly unique ip addresses by smtp auth client id, or unauthenticated mail from address // default hourly recipient rate limit is 30 // daily recipient rate limits are 4 times the hourly limit // default hourly unique ip addresses is 5 // daily unique ip addresses are 4 times the hourly limit rate_limit 30 4 5 4 { // default fred 100 10; // override default limits joe 10 2; // "" "sam@somedomain.tld" 500 2; "@otherdomain.tld" 100 2; }; }; context main { dnsbl localp partial.blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl sbl zen.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s"; dnswl dnswl.org list.dnswl.org 2; dnsbl_list local sbl; dnswl_list dnswl.org; require_rdns yes; content on { dkim_signer { # # anything signed by this is accepted. accounts.google.com white; }; dkim_from { # # dmarc enforcement aim.com unsigned_black "aim.com,mx.aim.com"; aol.com unsigned_black "aol.com,mx.aol.com"; yahoo.co.uk unsigned_black yahoo.co.uk; yahoo.com unsigned_black yahoo.com; yahoo.in unsigned_black yahoo.in; # # white/blacklisting based on presence of valid signatures credit.paypal.com require_signed credit.paypal.com; paypal.com require_signed paypal.com; dhl.com require_signed dhl.com; adp.com require_signed "adp.com,bmi.adp.com"; # # blacklisting based on header from value - requiring signatures # from an impossible signer. spammer.domain require_signed .; # # whitelisting based on strong spf pass - whitelisted if signed by # an impossible signer (which will never happen) or strong spf pass. some.domain signed_white .; # # whitelisting based on strong spf pass - whitelisted if signed by # an impossible signer (which will never happen) or strong spf pass # adding some extra spf data to their record. This whitelists their # email that arrives via 10.0.0.0/16 (or via anything listed in their # actual spf record). some.other.domain signed_white ".;ip4:10.0.0.0/16"; # # whitelisting based on valid signature or strong spf pass. # some paychex mail is signed, some is unsigned but passes strong spf. paychex.com require_signed paychex.com; # # whitelisting from mailchimp which needs wildcards princetheater.org require_signed "mandrillapp.com,*.mcsignup.com,*.mcsv.net,*.rsgsv.net,*.mcdlv.net"; # }; filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s"; uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s"; #uribl multi.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s"; #uribl dbl.spamhaus.org "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s"; ignore { include "hosts-ignore.conf"; }; tld { include "tld.conf"; }; html_tags { include "html-tags.conf"; }; html_limit off; host_limit soft 20; spamassassin 5; require_match yes; dcc_greylist yes; dcc_bulk_threshold 20; }; generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}" "your mail server %s seems to have a generic name"; white_regex "=example.com=user@yourhostingaccount.com$"; env_to { # !! replace this with your domain names # child contexts are not allowed to specify recipient addresses outside these domains # if this is a backup-mx, you need to include here domains for which you relay to the primary mx include "/etc/mail/local-host-names"; }; context whitelist { content off {}; env_to { # dcc_to ok { include "/var/dcc/whitecommon"; }; }; env_from white {}; # white forces all unmatched from addresses (everyone in this case) to be whitelisted # so all mail TO these env_to addresses is accepted }; context abuse { dnsbl_list xbl; content off {}; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { abuse@ # no content filtering on abuse reports postmaster@ # "" }; env_from unknown {}; # ignore all parent white/black listing }; context minimal { dnsbl_list sbl; content on { spamassassin 10; dcc_bulk_threshold many; }; generic "^$ " " "; # regex cannot match, to disable generic rdns rejects env_to { }; }; context blacklist { dnsbl_list ; dnswl_list ; env_to { # dcc_to many { include "/var/dcc/whitecommon"; }; }; env_from black {}; # black forces all unmatched from addresses (everyone in this case) to be blacklisted # so all mail TO these env_to addresses is rejected }; env_from unknown { abuse@ abuse; # replies to abuse reports use the abuse context # dcc_from { include "/var/dcc/whitecommon"; }; }; autowhite 90 "autowhite/my-auto-whitelist"; # install should create /etc/dnsbl/autowhite writable by userid dnsbl };