Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2014/12/18 03:03:26 UTC

[Bug 6652] Enable/disable DNS lookups by domain

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6652

Mark Martinec <Ma...@ijs.si> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|Undefined                   |3.4.0

--- Comment #2 from Mark Martinec <Ma...@ijs.si> ---
This was made possible by option dns_query_restriction,
probably in version 3.4.0.  Closing.



dns_query_restriction (allow|deny) domain1 domain2 ...
  Option allows disabling of rules which would result in a DNS query
  to one of the listed domains. The first argument must be a literal
  "allow" or "deny", remaining arguments are domain names.

  Most DNS queries (with some exceptions) are subject to
  dns_query_restriction.  A domain to be queried is successively
  stripped-off of its leading labels (thus yielding a series of its
  parent domains), and on each iteration a check is made against an
  associative array generated by dns_query_restriction options.
  Search stops at the first match (i.e. the tightest match), and the
  matching entry with its "allow" or "deny" value then controls
  whether a DNS query is allowed to be launched.

  If no match is found an implicit default is to allow a query. The
  purpose of an explicit "allow" entry is to be able to override a
  previously configured "deny" on the same domain or to override an
  entry (possibly yet to be configured in subsequent config
  directives) on one of its parent domains.  Thus an 'allow
  zen.spamhaus.org' with a 'deny spamhaus.org' would permit DNS
  queries on a specific DNS BL zone but deny queries to other zones
  under the same parent domain.

  Domains are matched case-insensitively, no wildcards are
  recognized, there should be no leading or trailing dot.

  Specifying a block on querying a domain name has a similar effect
  as setting a score of corresponding DNSBL and URIBL rules to zero,
  and can be a handy alternative to hunting for such rules when a
  site policy does not allow certain DNS block lists to be queried.

  Example:
    dns_query_restriction deny  dnswl.org surbl.org
    dns_query_restriction allow zen.spamhaus.org
    dns_query_restriction deny  spamhaus.org mailspike.net spamcop.net

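
The lookup described in the quoted documentation can be modelled as follows. This is an added sketch, not part of the original message and not SpamAssassin's own code; the function names are hypothetical, and rejecting entries with a leading or trailing dot is this sketch's choice, not documented behaviour.

```python
# Added sketch of the dns_query_restriction lookup; not SpamAssassin's code.
# CONFIG is the example from the quoted documentation.
CONFIG = """\
dns_query_restriction deny  dnswl.org surbl.org
dns_query_restriction allow zen.spamhaus.org
dns_query_restriction deny  spamhaus.org mailspike.net spamcop.net
"""


def parse_restrictions(text):
    """Build the domain -> allowed table; a later entry on a domain wins."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] != "dns_query_restriction":
            continue
        if len(fields) < 3 or fields[1] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected (allow|deny) domain ...")
        for domain in fields[2:]:
            # Assumption of this sketch: flag dotted entries instead of
            # storing a key that the lookup below could never match.
            if domain.startswith(".") or domain.endswith("."):
                raise ValueError(f"line {lineno}: stray dot in {domain!r}")
            table[domain.lower()] = fields[1] == "allow"
    return table


def match(name, table):
    """Return (matching entry or None, allowed) for a name to be queried."""
    labels = name.lower().split(".")
    # Strip leading labels one at a time; the first hit is the tightest match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None, True  # no match: implicit default is to allow


def query_allowed(name, table):
    return match(name, table)[1]


if __name__ == "__main__":
    table = parse_restrictions(CONFIG)
    # Constructed sample query names, for illustration only.
    for name in ("2.0.0.127.zen.spamhaus.org", "example.dbl.spamhaus.org",
                 "list.dnswl.org", "notspamhaus.org"):
        entry, allowed = match(name, table)
        print(f"{name:30} {'allow' if allowed else 'deny':5} (entry: {entry})")
```

Matching is on whole labels, so a name such as notspamhaus.org is not caught by the spamhaus.org entry.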