Realtime Blackhole List (RBL) - qmail-dnsbl

19 December 2016, Roberto Puzzanghera, 13 comments

This patch replaces djb's rblsmtpd program. It moves the RBL check into qmail-smtpd itself, with the advantage that the envelope is visible in the logs. Logging the envelope as well as the sender IP means you can always find out what happened to a message that never arrived.

A further improvement over running the RBL filter *before* qmail-smtpd, as rblsmtpd did, is that authenticated users sending from a remote dynamic IP are not blocked, because the check is skipped for clients that have authenticated; this means the filter can be switched on for the 587 submission port as well :)

To activate the RBL check, add your favourite block lists to the dnsbllist control file, one per line:

cat > /var/qmail/control/dnsbllist << __EOF__
zen.spamhaus.org
bl.spamcop.net
__EOF__

Now restart qmail and check that the RBL lists have been parsed:

> qmailctl restart
> qmail-showctl |grep dnsbl
dnsbllist: 
List at zen.spamhaus.org configured for dnsbl check.
List at bl.spamcop.net configured for dnsbl check.

Improvements with respect to the original qmail-dnsbl patch

  • the default control file control/dnsbllist can be overridden with the environment variable DNSBLLIST
  • if the environment variable DNSBLSKIP is set, qmail-smtpd skips the RBL check altogether
  • if control/dnsblfailclosed exists or DNSBLFAILCLOSED is defined, qmail-smtpd treats the source IP as blacklisted even when the lookup itself fails (see the rblsmtpd man page for details); note that with fail-closed a DNS outage rejects every unauthenticated client, so it is safer to use it with lists that answer 451 (temporary) rather than 553
  • support for the environment variable RBLSMTPD (see the rblsmtpd man page for details)
  • dnsbllist may contain empty lines and comments introduced by '#', either on a line of their own or at the end of an entry; leading and trailing spaces are stripped automatically

Examples and formats

Query the RBL for TXT records and reply with code 451 (temporary rejection, the client will retry) and the text of the record, e.g. "451 http://www.spamhaus.org/query/bl?ip=30.50.20.3":

zen.spamhaus.org

Query the RBL for TXT records and reply with code 553 (permanent rejection), e.g. "553 http://www.spamhaus.org/query/bl?ip=30.50.20.3":

-zen.spamhaus.org

Query the RBL for A records and reply with a custom message and code 451: "451 Message rejected"

zen.spamhaus.org:Message rejected

Query the RBL for A records and reply with a custom message and code 553: "553 Message rejected"; the following syntaxes are all allowed:

-zen.spamhaus.org:Message rejected
zen.spamhaus.org:-Message rejected
-zen.spamhaus.org:-Message rejected

Query the RBL for A records with a custom message containing the %IP% variable, which is replaced by the remote IP:

zen.spamhaus.org:Message blocked from %IP%

DNS whitelist (A query):

+white.dnsbl.local:Whitelist test
+white.dnsbl.local

The following syntaxes are NOT ALLOWED (a colon must be followed by a non-empty message):

zen.spamhaus.org:
zen.spamhaus.org:-
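The format above, worked through in code. This is an added example, not qmail-dnsbl's source: it parses dnsbllist with the rules listed under "Improvements" (comments, blank lines, surrounding spaces), builds the reversed-IP query name, and applies the +/- prefixes, the TXT-versus-A distinction, the %IP% substitution and fail-closed. The resolver is injected, so the script runs offline against a constructed zone table (FAKE_ZONE is made up, not real DNSBL data). Two details the page does not spell out are this example's own choices: a whitelist hit accepts the client and stops checking further lists, and a failed lookup under fail-closed is answered with 451 regardless of the entry's code, so a DNS outage is only a temporary error.

```python
"""Added example (not qmail-dnsbl's own code): a model of control/dnsbllist
and of the check performed at MAIL FROM. The resolver is injected so the
script runs offline; FAKE_ZONE below is constructed data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Entry:
    zone: str               # e.g. zen.spamhaus.org
    whitelist: bool         # leading '+': a hit accepts the client
    code: int               # 451 (temporary) or 553 (permanent)
    message: Optional[str]  # None: query TXT and use the record text


def parse_dnsbllist(text: str) -> List[Entry]:
    """'#' starts a comment (own line or end of line); blank lines and
    surrounding spaces are ignored; '+zone' whitelists; '-zone' or
    'zone:-msg' select 553; 'zone:' and 'zone:-' are rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        whitelist = line.startswith("+")
        code = 553 if line.startswith("-") else 451
        if line[0] in "+-":
            line = line[1:]
        zone, sep, message = line.partition(":")
        if sep:
            if message.startswith("-"):
                code, message = 553, message[1:]
            if not message:
                raise ValueError(f"empty message in dnsbllist entry {raw.strip()!r}")
        else:
            message = None
        if not re.fullmatch(r"[A-Za-z0-9.-]+", zone):
            raise ValueError(f"bad zone in dnsbllist entry {raw.strip()!r}")
        entries.append(Entry(zone, whitelist, code, message))
    return entries


def query_name(ip: str, zone: str) -> str:
    """30.50.20.3 under zen.spamhaus.org -> 3.20.50.30.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example models IPv4 lookups only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


# resolve(name, "A" | "TXT") -> answers; [] means NXDOMAIN (not listed);
# an OSError means the lookup itself failed (timeout, SERVFAIL).
Resolver = Callable[[str, str], List[str]]


def check_client(ip: str, entries: List[Entry], resolve: Resolver,
                 fail_closed: bool = False) -> Optional[str]:
    """None if the client may proceed, else the reply sent at MAIL FROM.
    Lists are tried in file order; a whitelist hit accepts immediately."""
    for e in entries:
        name = query_name(ip, e.zone)
        rtype = "TXT" if e.message is None and not e.whitelist else "A"
        try:
            answers = resolve(name, rtype)
        except OSError:
            if fail_closed and not e.whitelist:
                return f"451 DNS lookup of {name} failed"   # temporary on purpose
            continue
        if not answers:
            continue
        if e.whitelist:
            return None
        text = answers[0] if e.message is None else e.message
        return f"{e.code} {text.replace('%IP%', ip)}"
    return None


# --- constructed sample data (not real list contents) ------------------
SAMPLE_DNSBLLIST = """\
# constructed control/dnsbllist
+white.dnsbl.local:Whitelist test
zen.spamhaus.org              # TXT lookup, 451 with the list's own text
-bl.spamcop.net:-Blocked %IP%  # A lookup, 553, custom text
"""
FAKE_ZONE = {
    ("3.20.50.30.zen.spamhaus.org", "TXT"): ["http://www.spamhaus.org/query/bl?ip=30.50.20.3"],
    ("3.20.50.30.bl.spamcop.net", "A"): ["127.0.0.2"],
    ("8.8.8.10.white.dnsbl.local", "A"): ["127.0.0.2"],
    ("8.8.8.10.zen.spamhaus.org", "TXT"): ["http://www.spamhaus.org/query/bl?ip=10.8.8.8"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    if name.endswith(".broken.dnsbl.local"):
        raise OSError("timeout")          # stands in for an unreachable list
    return FAKE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    entries = parse_dnsbllist(SAMPLE_DNSBLLIST)
    for ip in ("30.50.20.3", "10.8.8.8", "192.0.2.1"):
        print(ip, "->", check_client(ip, entries, fake_resolve) or "accepted")
    broken = parse_dnsbllist("broken.dnsbl.local")
    print("fail open   ->", check_client("192.0.2.1", broken, fake_resolve))
    print("fail closed ->", check_client("192.0.2.1", broken, fake_resolve, fail_closed=True))
```

To use it against real lists, pass a resolver that performs A and TXT queries (for example a small wrapper around dnspython) in place of fake_resolve; the stdlib alone cannot fetch TXT records.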

How to avoid being "cut off" by spamhaus.org

At the end of this guide I will show how to set up fail2ban to ban malicious IPs, which reduces the number of queries sent to the RBL servers and so avoids being cut off by them for querying too often.

As an alternative, you may be interested in Costel Balta's approach, which addresses the same problem.

Check your IP's reputation

When you acquire an IP address it is not new: you inherit its reputation. So the first thing to do is check whether it is already listed in some RBL, for example at http://multirbl.valli.org or https://mxtoolbox.com/SuperTool.aspx

Comments

dnsbllist: I have no idea what this file does.

Hi Roberto

First, thank you for your guide, which saved me countless hours getting our mailserver up and running!

I've got a problem though when trying to enable dnsbl like described here. I'm using your combined patch (current version as of now), but qmail seems not to recognize the dnsbllist file.

# qmail-showctl |grep dnsbl
dnsbllist: I have no idea what this file does.

Do you have any idea what I might have missed?

Sincerely
Steffen

Reply | Permalink

Hi Steffen, it's strange..

Hi Steffen,

it's strange.. it's like you haven't patched qmail with the qmail-dnsbl patch... are you absolutely sure that you have actually patched qmail?

Reply | Permalink

OK, please discard my

OK, please discard my comment.

Issue was that I had an old qmail-showctl in /usr/sbin (the timestamp indicates it's from the qmail compile before the vpopmail install and patching of qmail) which was being called...

All is fine, dnsbl working as expected. Thank you!

Reply | Permalink

Yes, I have checked the

Yes, I have checked the patched source files and they contain the patched lines.
I've also checked the compiled and installed binaries (qmail-smtpd and qmail-showctl) and they contain the dnsbllist string.

Indeed, very strange.

Reply | Permalink

Local User with Dynamic IP get banned

Hello Roberto,

I have the problem that local users with dynamic IPs get banned by the list even if I use submission port 587 with this user. Is it possible to whitelist local users? Thanks for helping.

Greetings

Marc


Reply | Permalink

outgoingip

Marc, I think you can change your outgoing IP by adding it to control/outgoingip. Take a look here: http://notes.sagredo.eu/node/82#outgoingip

Let us know if it does the trick, please.

Reply | Permalink

Hi, the server has only one

Hi, the server has only one IP address. I know this outgoingip from another server which has more network interfaces and I don't think that this is the reason. The user has a dynamic IP from his DSL provider, which is on the Spamhaus blacklist. And I thought that when he uses port 587 the RBL filter is bypassed. The log shows this:
qmail-smtpd: message rejected (qmail-dnsbl) (1.1.1.1.zen.spamhaus.org): info@localdomain.xy from 1.1.1.1 to info@localdomain.xy helo PCLokal    1.1.1.1=DynamicDSL.IP.Adress from User

You wrote in the description: "RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned", but in this case it gets banned and I don't know why. For the moment I have deleted Spamhaus from the dnsbllist file and then it works for the client. But Spamhaus catches a large amount of spam and I would like to use it again. Do you have another suggestion? Thanks!

Reply | Permalink

can you post your

Can you post your qmail-submission run file and an SMTP telnet session on port 587?

Reply | Permalink

Telnet Output

Telnet Output:

telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 xyz.net ESMTP
EHLO test
250-xyz.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 30000000
mail from:mail@test.xy
250 ok
quit
221 xyz.net
Connection closed by foreign host.

submission run file:

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# You MUST export this, otherwise you'd get a 30 sec timeout
export SMTPAUTH=""

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=1
export DROP_PRE_GREET=1

# This disables FORCETLS
#export FORCETLS=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Reply | Permalink

RELAYCLIENT

If you want to allow your LAN to relay without authentication, use port 25 and put your localnet in the RELAYCLIENT variable inside tcp.smtp...

Reply | Permalink

auth first

You are not authenticating, so it's normal that qmail-dnsbl checks the block list and you are banned. You have to do the auth before the mail from: command, as this is not an open relay.

As an alternative you can always decide to turn off dnsbl:

Exception: If the environment variable DNSBLSKIP is set, qmail-smtpd ignores dnsbllist, and the dnsbl check is not performed. The check is skipped even if some other authentication method succeeded and authorized the client to relay (smtp-auth or tls client certificate), or if the RELAYCLIENT environment variable is set.

Reply | Permalink

Need some more explanation

Hello Roberto, thanks for helping. Just for clearing it more up to me, there is one thing that i didn't understand:

In the telnet session I missed the authentication, but when the user connects with his mail client to send the mail, he gets forwarded to the submission run file, and in this the authentication comes first, or do I have to change something in the run file?
And if I want to use the DNSBLSKIP parameter, do I have to write the following in the submission run file?:
export RBLSMTPD=""

Thanks!


Reply | Permalink

the run file is correct

The run file is correct. But you must do the auth if you want to relay through port 587, unless you are a RELAYCLIENT. And if you do the auth, dnsbl is turned off, so there is no need to use DNSBLSKIP.

Anyway,

export RBLSMTPD=""

disables rblsmtpd, but we are not using it anymore, so forget it.

Instead, if for some reason you want to disable the qmail-dnsbl check, just do this in your run file (qmail-smtpd or qmail-submission or both):

export DNSBLSKIP=""

But I can assure you that it works if you do the auth.

EDIT:

As already said, the simplest thing to do is to assign RELAYCLIENT on port 25 to the IPs that have to relay without auth (localnets for instance) and force the auth on port 587, but I guess that port 587 cannot be used without authentication.

Reply | Permalink
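A model of the rule stated in the two replies above (auth must come before MAIL FROM; an authenticated client or a RELAYCLIENT is not checked; DNSBLSKIP disables the check outright), as an added example that is not qmail-smtpd's code. It also builds the AUTH PLAIN token that the posted telnet session was missing, so the two sessions, without and with AUTH, can be replayed side by side. The reply texts, the user table and the listed address 1.1.1.1 (the anonymised dynamic DSL address from the thread) are constructed for the example.

```python
"""Added example (not qmail-smtpd's code): when the dnsbl check fires in a
port-587 session, following the explanation given in the thread."""
import base64
from typing import Callable, List, Mapping, Tuple


def auth_plain_token(user: str, password: str) -> str:
    """SASL PLAIN token sent after 'AUTH PLAIN':
    base64(authzid NUL authcid NUL password), with an empty authzid."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_auth_plain(token: str) -> Tuple[str, str]:
    """Inverse of auth_plain_token: returns (user, password)."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return parts[1].decode(), parts[2].decode()


class SubmissionSession:
    """Toy server side of a submission session; only the commands that
    matter for the dnsbl decision are modelled."""

    def __init__(self, remote_ip: str, env: Mapping[str, str],
                 is_listed: Callable[[str], bool], users: Mapping[str, str]):
        self.ip = remote_ip
        self.env = env              # what the run file exported
        self.is_listed = is_listed  # stands in for the dnsbllist lookup
        self.users = users
        self.authenticated = False

    def dnsbl_applies(self) -> bool:
        # DNSBLSKIP wins over everything; otherwise an authenticated client
        # or a RELAYCLIENT is not checked.
        if "DNSBLSKIP" in self.env:
            return False
        return not (self.authenticated or "RELAYCLIENT" in self.env)

    def command(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250 xyz.net"
        if verb == "AUTH":
            mech, _, token = arg.partition(" ")
            if mech.upper() != "PLAIN" or not token:
                return "504 auth type unimplemented"
            try:
                user, password = decode_auth_plain(token)
            except ValueError:
                return "501 malformed auth input"
            if self.users.get(user) == password:
                self.authenticated = True
                return "235 ok, go ahead"
            return "535 authorization failed"
        if verb == "MAIL":
            # This is the point where qmail-dnsbl decides, so AUTH must
            # already have happened for the check to be skipped.
            if self.dnsbl_applies() and self.is_listed(self.ip):
                return f"451 Message blocked from {self.ip} (dnsbl)"
            return "250 ok"
        if verb == "QUIT":
            return "221 xyz.net"
        return "502 unimplemented"


def run_session(commands: List[str], **session_kw) -> List[str]:
    """Feed client lines to a fresh session and return the replies."""
    s = SubmissionSession(**session_kw)
    return [s.command(c) for c in commands]


# Constructed data for the example.
LISTED = {"1.1.1.1"}
USERS = {"info@localdomain.xy": "s3cret"}

if __name__ == "__main__":
    kw = dict(remote_ip="1.1.1.1", env={}, is_listed=LISTED.__contains__, users=USERS)
    print("no auth :", run_session(["EHLO test", "mail from:<info@localdomain.xy>"], **kw))
    tok = auth_plain_token("info@localdomain.xy", "s3cret")
    print("with auth:", run_session(["EHLO test", f"AUTH PLAIN {tok}",
                                     "mail from:<info@localdomain.xy>"], **kw))
```

Running it shows the listed client receiving 451 at MAIL FROM in the first session and 250 in the second, which is the difference between the telnet test posted in the thread and what a correctly configured mail client does.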