initial commit

.github/workflows/ci.yml

@@ -6,7 +6,6 @@ env:
   CI: true
 
 jobs:
-
   lint:
     uses: haraka/.github/.github/workflows/lint.yml@master
 

.github/workflows/publish.yml

@@ -1,8 +1,6 @@
 name: publish
 
 on:
-  release:
-    types: [ published ]
   push:
     branches:
       - master
@@ -16,3 +14,4 @@ jobs:
   publish:
     uses: haraka/.github/.github/workflows/publish.yml@master
     secrets: inherit
+

README.md

@@ -5,67 +5,96 @@
 
 # haraka-plugin-dns-lists
 
+## dns block lists
 
+Looks up the connecting IP address in an IP list. Remote hosts found in the list are rejected.
 
-# Template Instructions
 
-These instructions will not self-destruct after use. Use and destroy.
+## dns allow lists
 
-See also, [How to Write a Plugin](https://github.com/haraka/Haraka/wiki/Write-a-Plugin) and [Plugins.md](https://github.com/haraka/Haraka/blob/master/docs/Plugins.md) for additional plugin writing information.
+Looks up the connecting IP address in an IP list. When an IP matches, this plugin returns OK for all hooks up to hook\_data.
 
-## Create a new repo for your plugin
+IMPORTANT!  The order of plugins in config/plugins is important when this feature is used. It should be listed *before* any plugins that you wish to skip, but after any plugins that accept recipients.
 
-Haraka plugins are named like `haraka-plugin-something`. All the namespace after `haraka-plugin-` is yours for the taking. Please check the [Plugins](https://github.com/haraka/Haraka/blob/master/Plugins.md) page and a Google search to see what plugins already exist.
 
-Once you've settled on a name, create the GitHub repo. On the repo's main page, click the _Clone or download_ button and copy the URL. Then paste that URL into a local ENV variable with a command like this:
+## INSTALL
 
 ```sh
-export MY_GITHUB_ORG=haraka
-export MY_PLUGIN_NAME=haraka-plugin-SOMETHING
+cd /path/to/local/haraka
+npm install haraka-plugin-dns-list
+echo "dns-list" >> config/plugins
+service haraka restart
 ```
 
-Clone and rename the dns-list repo:
+### Configuration
+
+If the default configuration is insufficient, copy the config file from the distribution into your haraka config dir and modify it:
 
 ```sh
-git clone [email protected]:haraka/haraka-plugin-dns-list.git
-mv haraka-plugin-dns-list $MY_PLUGIN_NAME
-cd $MY_PLUGIN_NAME
-git remote rm origin
-git remote add origin "[email protected]:$MY_GITHUB_ORG/$MY_PLUGIN_NAME.git"
+cp node_modules/haraka-plugin-dns-list/config/dns-list.ini config/dns-list.ini
+$EDITOR config/dns-list.ini
 ```
 
-Now you'll have a local git repo to begin authoring your plugin
+dns-lists.ini - INI format with options described below:
 
-## rename boilerplate
+#### [main] periodic_checks=30
 
-Replaces all uses of the word `dns-list` with your plugin's name.
+    If enabled, this will check all the zones every n minutes. The minimum value that will be accepted here is 5.  Any value less than 5 will cause the checks to be run at start-up only.
+
+    The checks confirm that the list is responding and that it is not listing the world.  If any errors are detected, then the zone is disabled and will be re-checked on the next test.  If a zone subsequently starts working correctly then it will be re-enabled.
 
-./redress.sh [something]
 
-You'll then be prompted to update package.json and then force push this repo onto the GitHub repo you've created earlier.
+* [block] zones
 
+    A comma or semi-colon list of zones to query.
 
-# Add your content here
+* search: (default: first)
 
-## INSTALL
+    first: consider first DNSBL response conclusive. End processing.
+    all:   process all DNSBL results
 
-```sh
-cd /path/to/local/haraka
-npm install haraka-plugin-dns-list
-echo "dns-list" >> config/plugins
-service haraka restart
-```
 
-### Configuration
+* reject (default: true)
 
-If the default configuration is not sufficient, copy the config file from the distribution into your haraka config dir and then modify it:
+    Reject connections from IPs that are blacklisted. Setting this to false
+    makes dnsbl informational. reject=false is best used in conjunction with
+    plugins like [karma](/manual/plugins/karma.html) that employ a scoring
+    engine to make choices about message delivery.
 
-```sh
-cp node_modules/haraka-plugin-dns-list/config/dns-list.ini config/dns-list.ini
-$EDITOR config/dns-list.ini
-```
 
-## USAGE
+
+#### [stats] enable=true
+
+    To use this feature you must have installed and configured the 'redis' plugin.
+
+    When enabled, this will record several list statistics to redis.
+
+    It will track the total number of queries (TOTAL) and the average response time (AVG\_RT) and the return type (e.g. LISTED or ERROR) to a redis hash where the key is 'dns-list-stat:zone' and the hash field is the response type.
+
+    It will also track the positive response overlap between the lists in another redis hash where the key is 'dns-list-overlap:zone' and the hash field is the other list names.
+
+    Example:
+    <pre><code>redis 127.0.0.1:6379> hgetall dns-list-stat:zen.spamhaus.org
+    1) "TOTAL"
+    2) "23"
+    3) "ENOTFOUND"
+    4) "11"
+    5) "LISTED"
+    6) "12"
+    7) "AVG_RT"
+    8) "45.5"
+    redis 127.0.0.1:6379> hgetall dns-list-overlap:zen.spamhaus.org
+    1) "b.barracudacentral.org"
+    2) "1"
+    3) "bl.spamcop.net"
+    4) "1"
+    5) "TOTAL"
+    6) "1"
+    </code></pre>
+
+* [stats] redis\_host
+
+    In the form of `host:port` this option allows you to specify a different host on which redis runs.
 
 
 <!-- leave these buried at the bottom of the document -->
@@ -75,3 +104,4 @@ $EDITOR config/dns-list.ini
 [clim-url]: https://codeclimate.com/github/haraka/haraka-plugin-dns-list
 [npm-img]: https://nodei.co/npm/haraka-plugin-dns-list.png
 [npm-url]: https://www.npmjs.com/package/haraka-plugin-dns-list
+

config/dns-list.ini

@@ -1,2 +1,112 @@
 
 [main]
+
+; periodically check each DNS list, disabling ones that fail checks
+periodic_checks = 30
+
+; zones: a comma separated list of DNSBL zones
+;
+zones=b.barracudacentral.org, truncate.gbudb.net, psbl.surriel.com, bl.spamcop.net, dnsbl-1.uceprotect.net, zen.spamhaus.org, dnsbl.sorbs.net, dnsbl.justspam.org, list.dnswl.org, hostkarma.junkemailfilter.com
+
+; search: Default (first)
+;     first: consider first DNSBL response conclusive. End processing.
+;     all:   process all DNSBL results
+search=first
+
+
+[stats]
+
+; enable (Default: false)
+;   stores stats in a Redis DB (see dns_list_base)
+;enable=true
+
+;redis_host=127.0.0.1:6379
+
+
+
+; Per-Zone DNS list settings
+; ===================================
+; type=block    Default: listings are spammy, block 'em
+; type=allow    DNSWLs, give them some more benefit of doubt
+; type=karma    Results vary
+;
+; ipv6=true		DNS list supports IPv6
+; reject=true   Default: true. If list recomments blocking, reject the connection
+
+
+[zen.spamhaus.org]
+ipv6=false
+
+127.0.0.2=SBL
+127.0.0.3=CSS
+127.0.0.4=XBL
+127.0.0.5=XBL
+127.0.0.6=XBL
+127.0.0.7=XBL
+127.0.0.10=PBL
+127.0.0.11=PBL
+
+
+[b.barracudacentral.org]
+ipv6=false
+
+[truncate.gbudb.net]
+
+[psbl.surriel.com]
+
+[bl.spamcop.net]
+ipv6=true
+
+[dnsbl-1.uceprotect.net]
+
+[dnsbl.sorbs.net]
+
+[dnsbl.justspam.org]
+
+[hostkarma.junkemailfilter.com]
+type=karma
+ipv6=true
+loopback_is_rejected=true
+
+127.0.0.1=whilelist
+127.0.0.2=blacklist
+127.0.0.3=yellowlist
+127.0.0.4=brownlist
+127.0.0.5=NOBL
+127.0.1.1=USES_QUIT
+127.0.1.2=NO_QUIT
+127.0.1.3=MIXED_QUIT
+127.0.2.1=DAYS_2
+127.0.2.2=DAYS_10
+127.0.2.3=DAYS_11
+
+
+[list.dnswl.org]
+; https://www.dnswl.org/?page_id=15
+type=allow
+
+
+; 127.0.{2-20}.{0-3}
+; 3rd octet
+; ------------------
+; 2 – Financial services
+; 3 – Email Service Providers
+; 4 – Organisations (both for-profit [ie companies] and non-profit)
+; 5 – Service/network providers
+; 6 – Personal/private servers
+; 7 – Travel/leisure industry
+; 8 – Public sector/governments
+; 9 – Media and Tech companies
+; 10 – some special cases
+; 11 – Education, academic
+; 12 – Healthcare
+; 13 – Manufacturing/Industrial
+; 14 – Retail/Wholesale/Services
+; 15 – Email Marketing Providers
+; 20 – Added through Self Service without specific category
+;
+; 4th octet
+; 0 = none – only avoid outright blocking (eg large ESP mailservers, -0.1)
+; 1 = low – reduce chance of false positives (-1.0)
+; 2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)
+; 3 = high – avoid override (-100.0)