Recipe 6.6 Whitelisting Blacklisted Sites

Problem

You use a blackhole list service that blacklists a few sites with which you must communicate. You need to configure sendmail to override the blackhole list for specific addresses.

Solution

To override the blackhole list service for a given address, add the address to the /etc/mail/access text file, and assign the keyword OK as the return value for the address. Use makemap to build a hash type database from the text file.

Create a sendmail configuration that uses either the dnsbl feature or the enhdnsbl feature to select a blackhole list service and the access_db feature to override the blackhole list for selected sites. Here are sample lines that might be added to the sendmail configuration to enable these features:

    dnl Use dnsbl and select a blacklist service
    FEATURE(`dnsbl', `list.dsbl.org')
    dnl Use the access database
    FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail. See Recipe 1.8 for an example.

Discussion

The dnsbl feature adds support for a DNS blackhole list service to the sendmail.cf configuration, and it specifies the service that will be used. Table 6-2 provides a list of some of the available services. If no service is selected, the MAPS RBL is used by default. Choose a service carefully.

The sample blackhole list is configured to block email from 192.168.0.3, as this test, run from 192.168.0.3, shows:

    # telnet chef smtp
    Trying 192.168.0.8...
    Connected to 192.168.0.8.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    helo rodent.wrotethebook.com
    250 chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
    MAIL From:<craig@rodent.wrotethebook.com>
    550 5.7.1 Rejected: 192.168.0.3 listed at list.dsbl.org
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

Use the access database to override some entries in the blackhole database. In this example, we override the blackhole list service for the following sites:

    # cd /etc/mail
    # cat > access
    192.168.0.3        OK
    24.199.249.90      OK
    Ctrl-D
    # makemap hash access < access

After building the access database, rerunning the telnet test from 192.168.0.3 shows the following result:

    # telnet chef smtp
    Trying 192.168.0.8...
    Connected to 192.168.0.8.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    helo rodent.wrotethebook.com
    250 chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
    MAIL From:<craig@rodent.wrotethebook.com>
    250 2.1.0 <craig@rodent.wrotethebook.com>... Sender ok
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

Now, mail from 192.168.0.3 is accepted, even though 192.168.0.3 is still listed in the blackhole list, because the action listed for address 192.168.0.3 in the access database is OK.

Using the access database to override a blackhole list service makes creating your own DNS blackhole list unnecessary for most organizations. Generally, organizations shy away from using a blackhole list service because it can block mail from a friendly site. Combining the access database with the blackhole service gives you the simplicity of the blackhole service and the flexibility of directly controlling which sites you communicate with. In addition, if the blackhole service does not list a site that you think should be blacklisted, you can blacklist a site using the access database as described in Recipe 6.1.
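Every OK entry is a standing exception to the blackhole list, so it is worth reviewing the overrides periodically. The following script is an added example, not part of the original recipe: it lists the full IPv4 addresses marked OK in an access text file and prints the DNS name a blackhole list lookup uses for each one (the address octets reversed, followed by the list's zone). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the OK overrides in a sendmail access text file.
# Function names are hypothetical; the sample data below is constructed.

# dnsbl_name IP ZONE: print the name queried for IP in a DNS blackhole list.
dnsbl_name() {
    echo "$1" | awk -F. -v zone="$2" '
        NF == 4 { printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone; ok = 1 }
        END     { exit !ok }'
}

# ok_overrides FILE: print each full IPv4 key whose action is OK.
# Comment lines, partial-network keys, and domain keys are skipped.
ok_overrides() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        { key = $1; sub(/^[Cc]onnect:/, "", key) }   # allow a Connect: tag
        $2 == "OK" && key ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print key }
    ' "$1"
}

# audit_overrides FILE ZONE: print "address lookup-name" for every override.
audit_overrides() {
    ok_overrides "$1" | while read -r ip; do
        printf '%s %s\n' "$ip" "$(dnsbl_name "$ip" "$2")"
    done
}

# Demonstration on a constructed copy of the access file from this recipe.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.0.3        OK
24.199.249.90      OK
EOF
audit_overrides "$sample" list.dsbl.org
rm -f "$sample"
```

Look up each printed name with a DNS query tool. A name that no longer resolves means the address is no longer listed by the service, and its OK entry can be removed from the access file.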

See Also

Recipe 6.4 and Recipe 6.5 provide further examples of using a blackhole list. Recipe 6.1 and Recipe 6.2 provide additional information about using the access database for spam control. For more about the access database in general, see Chapter 3. The sendmail book covers the dnsbl feature in Section 7.2.1, enhdnsbl in Section 7.2.2, and the access_db feature in 7.5. The Anti-Spam Configuration Control section of the cf/README file covers these topics.



sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
