Name

dnsbl.conf — configuration file for dnsbl sendmail milter

Synopsis

dnsbl.conf

Description

The dnsbl.conf configuration file is specified by this partial bnf description. Comments start with // or # and extend to the end of the line. To include the contents of some file verbatim in the dnsbl.conf file, use

include "<file>";

CONFIG     = {CONTEXT ";"}+
CONTEXT    = "context" NAME "{" {STATEMENT}+ "}"
STATEMENT  = ( DNSBL  | DNSBLLIST  | DNSWL   | DNSWLLIST | CONTENT | ENV-TO
             | VERIFY | GENERIC    | W_REGEX | AUTOWHITE | CONTEXT | ENV-FROM
             | RATE-LIMIT | REQUIRERDNS) ";"

DNSBL      = "dnsbl" NAME DNSPREFIX ERROR-MSG1
DNSBLLIST  = "dnsbl_list" {NAME}*

DNSWL      = "dnswl" NAME DNSPREFIX LEVEL
DNSWLLIST  = "dnswl_list" {NAME}*
LEVEL      = INTEGER

REQUIRERDNS = "require_rdns" ("yes" | "no")

CONTENT    = "content" ("on" | "off") "{" {CONTENT-ST}+ "}"
CONTENT-ST = (FILTER     | URIBL   | IGNORE  | TLD     | HTML-TAGS | HTML-LIMIT  |
              HOST-LIMIT | SPAMASS | REQUIRE | DCCGREY | DCCBULK   | DKIM_SIGNER |
              DKIM_FROM) ";"
FILTER     = "filter" DNSPREFIX ERROR-MSG2
URIBL      = "uribl"  DNSPREFIX ERROR-MSG3
IGNORE     = "ignore"     "{" {HOSTNAME [";"]}+ "}"
TLD        = "tld"        "{" {TLD      [";"]}+ "}"
HTML-TAGS  = "html_tags"  "{" {HTMLTAG  [";"]}+ "}"
ERROR-MSG1 = string containing exactly two %s replacement tokens
             both are replaced with the client ip address
ERROR-MSG2 = string containing exactly two %s replacement tokens
             the first is replaced with the hostname, and the second
             is replaced with the ip address
ERROR-MSG3 = string containing exactly two %s replacement tokens
             both are replaced with the hostname

HTML-LIMIT = "html_limit" ("on" INTEGER ERROR-MSG | "off")

HOST-LIMIT = "host_limit" ("on" INTEGER ERROR-MSG | "off" |
                                                    "soft" INTEGER)
SPAMASS    = "spamassassin"         INTEGER
REQUIRE    = "require_match"        ("yes" | "no")
DCCGREY    = "dcc_greylist"         ("yes" | "no")
DCCBULK    = "dcc_bulk_threshold"   (INTEGER | "many" | "off")

DKIMSIGNER = "dkim_signer" "{" {SIGNING_DOMAIN DEF [";"]}+ "}"
DKIMFROM   = "dkim_from"   "{" {HEADER_FROM_DOMAIN DKIMVALUE SIGNERS [";"]}+ "}"
DKIMVALUE  = "signed_white" | "signed_black" | "require_signed" | "unsigned_black"
SIGNERS    = '"' SIGNING_DOMAINS[;EXTRA_SPF_DATA] '"'
SIGNING_DOMAINS = SIGNING_DOMAIN[,SIGNING_DOMAINS]

ENV-TO     = "env_to"     "{" {(TO-ADDR | DCC-TO)}+ "}"
TO-ADDR    = ADDRESS [";"]
DCC-TO     = "dcc_to" ("ok" | "many") "{" DCCINCLUDEFILE "}" ";"

VERIFY     = "verify" HOSTNAME ";"
GENERIC    = "generic" REGULAREXPRESSION ERROR-MSG4 ";"
W-REGEX    = "white_regex" REGULAREXPRESSION ";"
ERROR-MSG4 = string containing exactly one %s replacement token
             which is replaced with the client name
AUTOWHITE  = "autowhite" DAYS FILENAME ";"

ENV_FROM   = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}"
FROM-ADDR  = ADDRESS VALUE [";"]
DCC-FROM   = "dcc_from" "{" DCCINCLUDEFILE "}" ";"

RATE-LIMIT     = "rate_limit" DEFAULT_RCPT_LIMIT DAILY_MULTIPLE_RCPT
                              DEFAULT_IP_LIMIT   DAILY_MULTIPLE_IP "{" (RATE)+ "}"
RATE           = USER RCPTLIMIT IPLIMIT ";"
RCPTLIMIT      = INTEGER
DEFAULT_RCPT_LIMIT  = INTEGER
DAILY_MULTIPLE_RCPT = INTEGER
DEFAULT_IP_LIMIT    = INTEGER
DAILY_MULTIPLE_IP   = INTEGER

DEF        = ("white" | "black" | "unknown")
DEFAULT    = (DEF | "inherit" | "")
ADDRESS    = (USER@ | DOMAIN | USER@DOMAIN)
VALUE      = (DEF | "inherit" | CHILD-CONTEXT-NAME)

Sample

context main-default {
    // outbound dnsbl filtering to catch our own customers that end up on the sbl
    dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl_list  sbl;

    // outbound content filtering to prevent our own customers from sending spam
    content on {
        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl    multi.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl    dbl.spamhaus.org            "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore    { include "hosts-ignore.conf"; };
        tld       { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit on 20 "Mail containing excessive bad html tags rejected";
        html_limit off;
        host_limit on 20 "Mail containing excessive host names rejected";
        host_limit soft 20;
        spamassassin        4;
        require_match       yes;
        dcc_greylist        yes;
        dcc_bulk_threshold  50;
    };

    // backscatter prevention - do not send bounces for mail that we accepted but could not forward
    // we only send bounces to our own customers
    env_from unknown {
        "<>"    black;
    };

    // hourly recipient rate limit by smtp auth client id, or unauthenticated mail from address
    // hourly unique ip addresses  by smtp auth client id, or unauthenticated mail from address
    // default hourly recipient rate limit is 30
    // daily recipient rate limits are 4 times the hourly limit
    // default hourly unique ip addresses is 5
    // daily unique ip addresses are 4 times the hourly limit
    rate_limit 30 4 5 4 { // default
        fred 100 10;   // override default limits
        joe  10  2;    // ""
        "sam@somedomain.tld"  500 2;
        "@otherdomain.tld"    100 2;
    };
};

context main {
    dnsbl   localp  partial.blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
    dnsbl   sbl     zen.spamhaus.org            "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnsbl   xbl     xbl.spamhaus.org            "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
    dnswl   dnswl.org  list.dnswl.org   2;
    dnsbl_list  local sbl;
    dnswl_list  dnswl.org;
    require_rdns    yes;

    content on {
        dkim_signer {
            #
            # anything signed by this is accepted.
            accounts.google.com     white;
        };
        dkim_from {
            #
            # dmarc enforcement
            aim.com             unsigned_black  "aim.com,mx.aim.com";
            aol.com             unsigned_black  "aol.com,mx.aol.com";
            yahoo.co.uk         unsigned_black  yahoo.co.uk;
            yahoo.com           unsigned_black  yahoo.com;
            yahoo.in            unsigned_black  yahoo.in;
            #
            # white/blacklisting based on presence of valid signatures
            credit.paypal.com   require_signed  credit.paypal.com;
            paypal.com          require_signed  paypal.com;
            dhl.com             require_signed  dhl.com;
            adp.com             require_signed  "adp.com,bmi.adp.com";
            #
            # blacklisting based on header from value - requiring signatures
            # from an impossible signer.
            spammer.domain      require_signed  .;
            #
            # whitelisting based on strong spf pass - whitelisted if signed by
            # an impossible signer (which will never happen) or strong spf pass.
            some.domain         signed_white    .;
            #
            # whitelisting based on strong spf pass - whitelisted if signed by
            # an impossible signer (which will never happen) or strong spf pass
            # adding some extra spf data to their record. This whitelists their
            # email that arrives via 10.0.0.0/16 (or via anything listed in their
            # actual spf record).
            some.other.domain   signed_white    ".;ip4:10.0.0.0/16";
            #
            # whitelisting based on valid signature or strong spf pass.
            # some paychex mail is signed, some is unsigned but passes strong spf.
            paychex.com         require_signed  paychex.com;
            #
            # whitelisting from mailchimp which needs wildcards
            princetheater.org   require_signed "mandrillapp.com,*.mcsignup.com,*.mcsv.net,*.rsgsv.net,*.mcdlv.net";
            #
        };
        filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
        uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
        #uribl    multi.uribl.com             "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
        #uribl    dbl.spamhaus.org            "Mail containing %s rejected - dbl; see http://www.spamhaus.org/query/domain?domain=%s";
        ignore    { include "hosts-ignore.conf"; };
        tld       { include "tld.conf"; };
        html_tags { include "html-tags.conf"; };
        html_limit off;
        host_limit soft 20;
        spamassassin    5;
        require_match       yes;
        dcc_greylist        yes;
        dcc_bulk_threshold  20;
    };

    generic "^dsl.static.*ttnet.net.tr$|(^|[x.-])(ppp|h|host)?([0-9]{1,3}[x.-](Red-|dynamic[x.-])?){4}"
            "your mail server %s seems to have a generic name";

    white_regex "=example.com=user@yourhostingaccount.com$";

    env_to {
        # !! replace this with your domain names
        # child contexts are not allowed to specify recipient addresses outside these domains
        # if this is a backup-mx, you need to include here domains for which you relay to the primary mx
        include "/etc/mail/local-host-names";
    };

    context whitelist {
        content off {};
        env_to {
            # dcc_to ok { include "/var/dcc/whitecommon"; };
        };
        env_from white {};      # white forces all unmatched from addresses (everyone in this case) to be whitelisted
                                # so all mail TO these env_to addresses is accepted
    };

    context abuse {
        dnsbl_list xbl;
        content off {};
        generic "^$ " " ";      # regex cannot match, to disable generic rdns rejects
        env_to {
            abuse@              # no content filtering on abuse reports
            postmaster@         # ""
        };
        env_from unknown {};    # ignore all parent white/black listing
    };

    context minimal {
        dnsbl_list sbl;
        content on {
            spamassassin        10;
            dcc_bulk_threshold  many;
        };
        generic "^$ " " ";      # regex cannot match, to disable generic rdns rejects
        env_to {
        };
    };

    context blacklist {
        dnsbl_list ;
        dnswl_list ;
        env_to {
            # dcc_to many { include "/var/dcc/whitecommon"; };
        };
        env_from black {};      # black forces all unmatched from addresses (everyone in this case) to be blacklisted
                                # so all mail TO these env_to addresses is rejected
    };

    env_from unknown {
        abuse@  abuse;  # replies to abuse reports use the abuse context
        # dcc_from { include "/var/dcc/whitecommon"; };
    };

    autowhite 90 "autowhite/my-auto-whitelist";
    # install should create /etc/dnsbl/autowhite writable by userid dnsbl
};

Version

6.78