Realtime Blackhole List (RBL) - qmail-dnsbl
October 28, 2022 Roberto Puzzanghera 20 comments
Update as of Oct 28, 2022: added a note on how to avoid being cutoff by spamhaus (tx Marco Varanda)
- Download qmail-dnsbl patch (local copy)
- Code and logic from rblsmtpd and qmail-dnsbl patch by Fabio Busatto
- Added support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages (by Luca Franceschini)
This patch replaces the djb's rblsmtpd program. It incorporates into qmail-smtpd the rbl stuff with the advantage that you can see the envelope in the logs. Registering the envelope as well as the sender ip is important to always know what happened to not received messages.
An additional improvement with respect to the use of the RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned; this means that we are able to switch on the filter on the 587 submission port as well :)
To activate the rbl check just add your favourite block lists in the dnsbllist control file (one per line).
cat > /var/qmail/control/dnsbllist << __EOF__ -b.barracudacentral.org -zen.spamhaus.org -psbl.surriel.com -bl.spamcop.net __EOF__
Now restart qmail and check that the RBL lists have been parsed:
> qmailctl restart > qmail-showctl |grep dnsbl dnsbllist: List at -zen.spamhaus.org configured for dnsbl check. List at -b.barracudacentral.org configured for dnsbl check. List at -psbl.surriel.com configured for dnsbl check. List at -bl.spamcop.net configured for dnsbl check.
Improvements with respect to the original qmail-dnsbl patch
- default file
control/dnsbllistcan be overridden with env variable DNSBLLIST - if DNSBLSKIP env variable is set, qmail-smtpd skips the rbl check
- if
control/dnsblfailclosedor DNSBLFAILCLOSED are defined,qmail-smtpdconsiders the source ip as blacklisted even in case of lookup failures (checkrblsmtpdman page for more details) - support for environment variable RBLSMTPD (check
rblsmtpdman page for more details) - dnsbllist can contain empty lines and comments with '#' at start or end of lines; leading and trailing spaces are automatically removed
Examples and formats
Query rbl for TXT records, return code 451: "451 http://www.spamhaus.org/query/bl?ip=30.50.20.3"
zen.spamhaus.org
Query rbl for TXT records, return code 553: "553 http://www.spamhaus.org/query/bl?ip=30.50.20.3"
-zen.spamhaus.org
Query rbl for A records, custom return message with ret code 451: "451 Message rejected"
zen.spamhaus.org:Message rejected
Query rbl for A records, custom return message with ret code 553: "553 Message rejected", the following syntaxes are allowed:
-zen.spamhaus.org:Message rejected zen.spamhaus.org:-Message rejected -zen.spamhaus.org:-Message rejected
Query rbl for A records, custom return message with IP variable, replaced by remote ip:
zen.spamhaus.org:Message blocked from %IP%
dns whitelist A query:
+white.dnsbl.local:Whitelist test +white.dnsbl.local
The following syntaxes are NOT ALLOWED:
zen.spamhaus.org: zen.spamhaus.org:-
Howto avoid being "cut off" by spamhaus.org
At the end of this guide I will show how to set up fail2ban in order to ban malicious IPs and then decrease the amount of connections to the RBL lists, avoiding to be banned consequently.
As an alternative, you may be interested to take a look to the idea of Costel Balta, which is addressed to solve the same problem.
One thing to pay close attention to when configuring the servers is avoiding to use public dns like google's 8.8.8.8 to resolve their services (more info here). This will cause a cut off due to the fact that they cannot measure our load of traffic on their servers if you use a public dns.
Check your IP's reputation
When you buy an IP address, you know that it's not new and you inherit its reputation. So the first thing you may want to do is to check if it's listed in some RBL here: http://multirbl.valli.org or https://mxtoolbox.com/SuperTool.aspx
qmail notes
Pay me a coffee:
LXC scripts
Other contents
Recent comments
IndiMailfilter command is missing?
January 31, 2023 19:02
IndiMailfilter command is missing?
January 31, 2023 18:30
smtproutes
January 31, 2023 17:45
IndiMailfilter command is missing?
January 31, 2023 17:40
smtproutes
January 31, 2023 17:39
IndiMailfilter command is missing?
January 31, 2023 17:33
IndiMailfilter command is missing?
January 31, 2023 17:25
IndiMailfilter command is missing?
January 31, 2023 17:21
IndiMailfilter command is missing?
January 31, 2023 17:11
IndiMailfilter command is missing?
January 31, 2023 17:03
Tags
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmail to postfix qmail-spp qmailadmin rbl roundcube rsync sieve simscan slackware solr spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin
Comments
dnslist issue
Nic Chua May 27, 2020 10:25
Hi, I have psbl.surriel.com and spamhaus in my dnslist.
I noticed that at times listed IPs are not blocked.
Take for example IP 213.142.156.102. This IP was listed multiple times on psbl.surriel.com since 2019 July. But in my log, netqmail still allows it to pass thru
My nslookup captured it correctly.
As my volume is not large, i don't think i am blocked.
Any idea what went wrong?
Thanks
nic
Reply | Permalink
dnslist issue
Marco Varanda Nic Chua October 25, 2022 22:18
Hi Roberto.
Thanks for your job.
I want to tell you and your visitors, that pay attention on gateway and mail servers.
If you are using a public DNS like 8.8.8.8 or 1.1.1.1, and others, the /var/qmail/control/dnsbllist will be IGNORED.
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/
If you got receiving LOGs ONLY bypassing dnsbllist on /var/log/qmail/smtpd/current
then you MUST change your GATEWAY, not using public DNS (now I'm using my own public IP with my own DNS Server)
and after that, dnsbllist finally will works and REJECT some IPs with bad reputation:
Thanks again !
Reply | Permalink
dnslist issue
Roberto Puzzanghera Marco Varanda October 28, 2022 13:57
spamhaus started to work again here. Thanks Marco, I will add a note about this
Reply | Permalink
dnslist issue
Roberto Puzzanghera Marco Varanda October 26, 2022 16:06
Good to know. Do you get any error code from spamhaus?
I disabled spamhaus a couple of years ago because they were bypassing my queries, and I hope this is the reason why. Now I changed my dns' forwarders and restored spamhaus. Let's see if it works again.
These three blocklists work well even with public dns
At any rate, just to clarify, a log message like this is not an error return code
it just means that the IP is not listed.
Reply | Permalink
dnslist issue
Nic Chua Nic Chua May 28, 2020 03:47
Hi,
I don't think i am blocked at all. I received those spams and immediately do a lookup the IPs against the list.
Very strange indeed.
Looks like i will have to create a blacklist myself.
Thanks
nic
Reply | Permalink
dnslist issue
Roberto Puzzanghera Nic Chua May 28, 2020 12:58
Nic, this only proves that you did the query to those block list, not that they considered your query and provided a response
Reply | Permalink
dnslist issue
Roberto Puzzanghera Nic Chua May 27, 2020 11:41
Hi, I think you have been blocked by those rbl. I also don't have a very busy server, but I think that spamhaus is blocking me.
Unfortunately there is no way to check if the server has been blocked or not. Any hint on the purpose would be appreciated.
I suggest to turn on fail2ban in order to decrease the number of calls to rbl
Reply | Permalink
dnsbllist: I have no idea what this file does.
Steffen Roßkamp April 7, 2015 19:18
Hi Roberto
First, thank you for your guide, which saved me countless hours getting our mailserver up and running!
I've got a problem though when trying to enable dnsbl like described here. I'm using your combined patch (current version as of now), but qmail seems not to recognize the dnsbllist file.
Do you have any idea what I might have missed?
Sincerely
Steffen
Reply | Permalink
Hi Steffen, it's strange..
roberto puzzanghera Steffen Roßkamp April 7, 2015 19:43
Hi Steffen,
it's strange.. it's like you haven't patched qmail with the qmail-dnsbl patch... are you absolutely sure that you have actually patched qmail?
Reply | Permalink
OK, please discard my
Steffen Roßkamp roberto puzzanghera April 8, 2015 11:39
OK, please discard my comment.
Issue was that I had an old (timestamp indicates it's from the qmail compile before vpopmail install and patching qmail) qmail-showctl in /usr/sbin which was beeing called...
All is fine, dnsbl working as expected. Thank you!
Reply | Permalink
Yes, I have checked the
Steffen Roßkamp roberto puzzanghera April 8, 2015 10:55
Yes, I have checked the patched source files and they contain the patched lines.
I've also checked the compiled and installed binaries (qmail-smtpd and qmail-showctl) and they contain the dnsbllist string.
Indeed, very strange.
Reply | Permalink
Local User with Dynamic IP get banned
Marc September 16, 2014 10:54
Hello Roberto,
i have the problem that local users with dynamic ips get banned from list even if i use submission port 587 with this user. Is it possible to whitelist local users? Thanks for helping.
Greetings
Marc
Reply | Permalink
outgoingip
roberto puzzanghera Marc September 16, 2014 11:39
Marc, I think you can change your outgoing ip, adding it to control/outgoingip. take a look here http://notes.sagredo.eu/node/82#outgoingip
let us know if it will do the case, please
Reply | Permalink
Hi, the server has only one
Marc roberto puzzanghera September 16, 2014 12:31
Hi, the server has only one ip adress - i know this outgoingip from another server which has more network interfaces and i don't think that this is the reason. The user has an dynamic ip from his dsl provider, which is on zehnaus blacklist. And i thought when he use the port 587 the RBL filter is bypassed. The log shows this:
qmail-smtpd: message rejected (qmail-dnsbl) (1.1.1.1.zen.spamhaus.org): info@localdomain.xy from 1.1.1.1 to info@localdomain.xy helo PCLokal 1.1.1.1=DynamicDSL.IP.Adress from User
You wrote in the description: RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned - but in this case it get banned and i don't know why. For the moment i have deleted spamhaus from the dnsbllist file and then it works for the client. But Zenhaus catches a much amount of spam an i like to use this again. Do you have another suggestion? Thanks!
Reply | Permalink
can you post your
roberto puzzanghera Marc September 16, 2014 12:45
can you post your qmail-submission run file and a smtp telnet session on 587 port?
Reply | Permalink
Telnet Output:telnet
Marc roberto puzzanghera September 16, 2014 13:22
Telnet Output:
submission run file:
#!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` SOFTLIMIT=`cat /var/qmail/control/softlimit` # You MUST export this, otherwise you'd get a 30 sec timeout export SMTPAUTH="" # This enables greetdelay for qmail-smtpd. export SMTPD_GREETDELAY=1 export DROP_PRE_GREET=1 # This disables FORCETLS #export FORCETLS=1 # This enables chkuser export CHKUSER_START=ALWAYS # This enables simscan debug #export SIMSCAN_DEBUG=2 exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \ /usr/local/bin/tcpserver -v -H -R -l 0 \ -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ /var/qmail/bin/qmail-smtpd \ /home/vpopmail/bin/vchkpw /bin/true 2>&1Reply | Permalink
REALYCLIENT
roberto puzzanghera Marc September 16, 2014 13:39
if you want to allow your LAN to relay without authentication, use port 25 and put your localnet in the REALYCLIENT variable inside tcp.smtp...
Reply | Permalink
auth first
roberto puzzanghera Marc September 16, 2014 13:31
you are not authenticating, so it's normal that qmail-dnsbl checks for the block list and you are banned. You have to do the auth before the mail from: command, as this is not an open relay.
As an alternative you can always decide to turn off dnsbl:
Reply | Permalink
Need some more explantion
Marc roberto puzzanghera September 16, 2014 14:30
Hello Roberto, thanks for helping. Just for clearing it more up to me, there is one thing that i didn't understand:
In the telnet sesion i missed the authentification, but when the user connects with his Mailclient to send the Mail, he gets forwarded to the submission run file and in this the authentification comes first or do i have to change something in the run file?
And if i want to use the DNSBLSKIP parameter i have to write the following in the submission run file?:
export RBLSMTPD=""
Thanks!
Reply | Permalink
the run file is correct
roberto puzzanghera Marc September 16, 2014 14:55
the run file is correct. But you must do the auth if you want to relay with the 587 port, unless you are a RELAYCLIENT. And if you do the auth, dnsbl is turned off, so no need to use DNSBLSKIP
Anyway,
disables rblsmtpd, but we are not using it anymore, so forget.
Instead, if for some reason you want to disable qmail-dnsbl check just do this in your run file (qmail-smtpd or qmail-submission or both)
but I can assure that it works if you do the auth
EDIT:
as already said, the simplest thing to do is assign the RELAYCLIENT on port 25 to the IPs that have to do the relay without auth (localnets for instance) and force the auth on port 587, but I guess that port 587 cannot be used without authentication.
Reply | Permalink