Whitelisting Blacklisted Sites

You use a blackhole list service that blacklists a few sites with which you must communicate. You need to configure sendmail to override the blackhole list for specific addresses.

To override the blackhole list service for a given address, add the address to the /etc/mail/access text file with the keyword OK as its return value. sendmail 8.12, the version shown here, also accepts the tagged form Connect:address, which limits the match to the connecting client's address; OK accepts the connection but, unlike RELAY, does not let the client relay through you. Use makemap to build a hash-type database from the text file; sendmail reads the resulting access.db, so the change takes effect only after makemap has run.

Create a sendmail configuration that uses either the dnsbl feature or the enhdnsbl feature to select a blackhole list service and the access_db feature to override the blackhole list for selected sites. Here are sample lines that might be added to the sendmail configuration to enable these features:

dnl Use dnsbl and select a blacklist service
FEATURE(`dnsbl', `list.dsbl.org')
dnl Use the access database
FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

The dnsbl feature adds support for a DNS blackhole list service to the sendmail.cf configuration, and its argument names the service that will be queried. If no service is selected, the MAPS RBL (blackholes.mail-abuse.org) is used by default. Choose a service carefully: its listing policy decides whose mail you reject, and a list that shuts down or whose domain lapses can begin answering every query, which rejects all incoming mail. The list.dsbl.org service used in this example has since ceased operation, so substitute a list that is still maintained.

The sample blackhole list is configured to block email from 192.168.0.3, as this test, run from 192.168.0.3, shows:

# telnet chef smtp
Trying 192.168.0.8...
Connected to 192.168.0.8.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
helo rodent.wrotethebook.com
250 chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
MAIL From:<craig@rodent.wrotethebook.com>
550 5.7.1 Rejected: 192.168.0.3 listed at list.dsbl.org
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

Use the access database to override the blackhole list for specific addresses. In this example, we override the blackhole list service for the following two client addresses, then build access.db from the text file:

# cd /etc/mail
# cat > access
192.168.0.3        OK
24.199.249.90      OK
Ctrl-D
# makemap hash access < access

After building the access database, rerunning the telnet test from 192.168.0.3 shows the following result:

# telnet chef smtp
Trying 192.168.0.8...
Connected to 192.168.0.8.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
helo rodent.wrotethebook.com
250 chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
MAIL From:<craig@rodent.wrotethebook.com>
250 2.1.0 <craig@rodent.wrotethebook.com>... Sender ok
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

Now mail from 192.168.0.3 is accepted even though 192.168.0.3 is still listed in the blackhole list. The access database is consulted before the DNS blackhole lookup in the check_relay ruleset, and because the action recorded for 192.168.0.3 is OK, the check ends there and the blackhole list is never queried for that client.
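The access-file steps above, as an added example that is not part of the original recipe: a small POSIX shell helper that adds a Connect:-tagged OK entry for a client address only if the address is a well-formed IPv4 address and has no entry yet, and that rebuilds the hash map with makemap exactly as the recipe does. The function names (is_ipv4, access_lookup, whitelist_ip, rebuild_access_map) and the ACCESS_FILE override variable are assumptions of this example; the file layout, the Connect: tag and the OK keyword are sendmail's own. An address that already carries a different action (REJECT, for instance) is deliberately left alone and reported, since a whitelist helper should not silently reverse an administrator's earlier decision.

```shell
#!/bin/sh
# Added example, not part of the original recipe: maintain OK entries in the
# sendmail access file and rebuild access.db from it. Function names and the
# ACCESS_FILE variable are assumptions of this example; the file format, the
# Connect: tag and the OK keyword are sendmail's own (8.12 and later).
set -eu

ACCESS_FILE="${ACCESS_FILE:-/etc/mail/access}"

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
# The recipe whitelists client IP addresses, so hostnames are refused here.
is_ipv4() {
    a=$1
    case "$a" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $a            # split on dots; no glob characters can be present
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
}

# access_lookup ADDR: print the action recorded for ADDR, whether the entry is
# tagged (Connect:ADDR) or untagged (ADDR); print nothing if there is none.
access_lookup() {
    [ -f "$ACCESS_FILE" ] || return 0
    awk -v a="$1" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        $1 == a || $1 == ("Connect:" a) { print $2; exit }
    ' "$ACCESS_FILE"
}

# whitelist_ip ADDR: append "Connect:ADDR<TAB>OK" unless ADDR already has an
# entry. An existing entry is left alone: turning REJECT into OK behind the
# administrator's back would be a mistake, so that case fails instead.
whitelist_ip() {
    addr=$1
    if ! is_ipv4 "$addr"; then
        echo "whitelist_ip: not an IPv4 address: $addr" >&2
        return 1
    fi
    existing=$(access_lookup "$addr")
    if [ -n "$existing" ]; then
        echo "whitelist_ip: $addr already has action $existing in $ACCESS_FILE" >&2
        [ "$existing" = OK ] || return 1
        return 0
    fi
    printf 'Connect:%s\tOK\n' "$addr" >> "$ACCESS_FILE"
}

# rebuild_access_map: the recipe's "makemap hash access < access" step, which
# writes $ACCESS_FILE.db beside the text file. sendmail reads the .db, so a new
# entry is not live until this has run.
rebuild_access_map() {
    makemap hash "$ACCESS_FILE" < "$ACCESS_FILE"
}
```

On the mail host, run `whitelist_ip 192.168.0.3 && rebuild_access_map` as root, then confirm the result without sending mail by feeding the relay check to sendmail's address-test mode: `echo 'check_relay rodent.wrotethebook.com $| 192.168.0.3' | sendmail -bt`. The ruleset should now return OK for that client rather than the $#error rejection that a listed, non-whitelisted client produces.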

Using the access database to override a blackhole list service makes creating your own DNS blackhole list unnecessary for most organizations. Organizations often shy away from a blackhole list service because it can block mail from a friendly site. Combining the access database with the blackhole service gives you the simplicity of the blackhole service and the flexibility of directly controlling which sites you communicate with.