Realtime Blackhole List (RBL) - qmail-dnsbl
December 19, 2016 Roberto Puzzanghera13 comments
- Download qmail-dnsbl patch (local copy)
- Code and logic from rblsmtpd and qmail-dnsbl patch by Fabio Busatto
- Added support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages (by Luca Franceschini)
This patch replaces the djb's rblsmtpd program. It incorporates into qmail-smtpd the rbl stuff with the advantage that you can see the envelope in the logs. Registering the envelope as well as the sender ip is important to always know what happened to not received messages.
An additional improvement with respect to the use of the RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned; this means that we are able to switch on the filter on the 587 submission port as well :)
To activate the rbl check just add your favourite block lists in the dnsbllist control file (one per line).
cat > /var/qmail/control/dnsbllist << __EOF__ -b.barracudacentral.org -zen.spamhaus.org __EOF__
Now restart qmail and check that the RBL lists have been parsed:
> qmailctl restart > qmail-showctl |grep dnsbl dnsbllist: List at -b.barracudacentral.org configured for dnsbl check. List at -zen.spamhaus.org configured for dnsbl check.
Improvements with respect to the original qmail-dnsbl patch
- default file
control/dnsbllistcan be overridden with env variable DNSBLLIST - if DNSBLSKIP env variable is set, qmail-smtpd skips the rbl check
- if
control/dnsblfailclosedor DNSBLFAILCLOSED are defined,qmail-smtpdconsiders the source ip as blacklisted even in case of lookup failures (checkrblsmtpdman page for more details) - support for environment variable RBLSMTPD (check
rblsmtpdman page for more details) - dnsbllist can contain empty lines and comments with '#' at start or end of lines; leading and trailing spaces are automatically removed
Examples and formats
Query rbl for TXT records, return code 451: "451 http://www.spamhaus.org/query/bl?ip=30.50.20.3"
zen.spamhaus.org
Query rbl for TXT records, return code 553: "553 http://www.spamhaus.org/query/bl?ip=30.50.20.3"
-zen.spamhaus.org
Query rbl for A records, custom return message with ret code 451: "451 Message rejected"
zen.spamhaus.org:Message rejected
Query rbl for A records, custom return message with ret code 553: "553 Message rejected", the following syntaxes are allowed:
-zen.spamhaus.org:Message rejected zen.spamhaus.org:-Message rejected -zen.spamhaus.org:-Message rejected
Query rbl for A records, custom return message with IP variable, replaced by remote ip:
zen.spamhaus.org:Message blocked from %IP%
dns whitelist A query:
+white.dnsbl.local:Whitelist test +white.dnsbl.local
The following syntaxes are NOT ALLOWED:
zen.spamhaus.org: zen.spamhaus.org:-
Howto avoid being "cut off" by spamhaus.org
At the end of this guide I will show how to set up fail2ban in order to ban malicious IPs in order to decrease the amount of connections to the RBL lists and to avoid to be banned consequently.
As an alternative, you may be interested to take a look to the idea of Costel Balta, which is addressed to solve the same problem.
Check your IP's reputation
When you buy an IP address, you know that it's not new and you inherit its reputation. So the first thing you may want to do is to check if it's listed in some RBL here: http://multirbl.valli.org or https://mxtoolbox.com/SuperTool.aspx
qmail notes
Pay me a coffee:
Other contents
Recent comments
Link broken
January 26, 2020 13:58
Link broken
January 26, 2020 13:30
Thanks for the config help with sauserprefs
January 11, 2020 13:05
Thanks for the config help with sauserprefs
January 11, 2020 13:02
Thanks for the config help with sauserprefs
January 11, 2020 08:54
Thanks for the config help with sauserprefs
January 11, 2020 01:25
qmail-send concurrency issue
January 8, 2020 18:43
qmail-send concurrency issue
January 7, 2020 12:26
clamav parte da solo
January 4, 2020 10:45
clamav parte da solo
January 4, 2020 01:21
Tags
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin
Comments
dnsbllist: I have no idea what this file does.
Steffen Roßkamp April 7, 2015 19:18
Hi Roberto
First, thank you for your guide, which saved me countless hours getting our mailserver up and running!
I've got a problem though when trying to enable dnsbl like described here. I'm using your combined patch (current version as of now), but qmail seems not to recognize the dnsbllist file.
Do you have any idea what I might have missed?
Sincerely
Steffen
Reply | Permalink
Hi Steffen, it's strange..
roberto puzzanghera Steffen Roßkamp April 7, 2015 19:43
Hi Steffen,
it's strange.. it's like you haven't patched qmail with the qmail-dnsbl patch... are you absolutely sure that you have actually patched qmail?
Reply | Permalink
OK, please discard my
Steffen Roßkamp roberto puzzanghera April 8, 2015 11:39
OK, please discard my comment.
Issue was that I had an old (timestamp indicates it's from the qmail compile before vpopmail install and patching qmail) qmail-showctl in /usr/sbin which was beeing called...
All is fine, dnsbl working as expected. Thank you!
Reply | Permalink
Yes, I have checked the
Steffen Roßkamp roberto puzzanghera April 8, 2015 10:55
Yes, I have checked the patched source files and they contain the patched lines.
I've also checked the compiled and installed binaries (qmail-smtpd and qmail-showctl) and they contain the dnsbllist string.
Indeed, very strange.
Reply | Permalink
Local User with Dynamic IP get banned
Marc September 16, 2014 10:54
Hello Roberto,
i have the problem that local users with dynamic ips get banned from list even if i use submission port 587 with this user. Is it possible to whitelist local users? Thanks for helping.
Greetings
Marc
Reply | Permalink
outgoingip
roberto puzzanghera Marc September 16, 2014 11:39
Marc, I think you can change your outgoing ip, adding it to control/outgoingip. take a look here http://notes.sagredo.eu/node/82#outgoingip
let us know if it will do the case, please
Reply | Permalink
Hi, the server has only one
Marc roberto puzzanghera September 16, 2014 12:31
Hi, the server has only one ip adress - i know this outgoingip from another server which has more network interfaces and i don't think that this is the reason. The user has an dynamic ip from his dsl provider, which is on zehnaus blacklist. And i thought when he use the port 587 the RBL filter is bypassed. The log shows this:
qmail-smtpd: message rejected (qmail-dnsbl) (1.1.1.1.zen.spamhaus.org): info@localdomain.xy from 1.1.1.1 to info@localdomain.xy helo PCLokal 1.1.1.1=DynamicDSL.IP.Adress from User
You wrote in the description: RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned - but in this case it get banned and i don't know why. For the moment i have deleted spamhaus from the dnsbllist file and then it works for the client. But Zenhaus catches a much amount of spam an i like to use this again. Do you have another suggestion? Thanks!
Reply | Permalink
can you post your
roberto puzzanghera Marc September 16, 2014 12:45
can you post your qmail-submission run file and a smtp telnet session on 587 port?
Reply | Permalink
Telnet Output:telnet
Marc roberto puzzanghera September 16, 2014 13:22
Telnet Output:
submission run file:
#!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` SOFTLIMIT=`cat /var/qmail/control/softlimit` # You MUST export this, otherwise you'd get a 30 sec timeout export SMTPAUTH="" # This enables greetdelay for qmail-smtpd. export SMTPD_GREETDELAY=1 export DROP_PRE_GREET=1 # This disables FORCETLS #export FORCETLS=1 # This enables chkuser export CHKUSER_START=ALWAYS # This enables simscan debug #export SIMSCAN_DEBUG=2 exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \ /usr/local/bin/tcpserver -v -H -R -l 0 \ -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ /var/qmail/bin/qmail-smtpd \ /home/vpopmail/bin/vchkpw /bin/true 2>&1Reply | Permalink
REALYCLIENT
roberto puzzanghera Marc September 16, 2014 13:39
if you want to allow your LAN to relay without authentication, use port 25 and put your localnet in the REALYCLIENT variable inside tcp.smtp...
Reply | Permalink
auth first
roberto puzzanghera Marc September 16, 2014 13:31
you are not authenticating, so it's normal that qmail-dnsbl checks for the block list and you are banned. You have to do the auth before the mail from: command, as this is not an open relay.
As an alternative you can always decide to turn off dnsbl:
Reply | Permalink
Need some more explantion
Marc roberto puzzanghera September 16, 2014 14:30
Hello Roberto, thanks for helping. Just for clearing it more up to me, there is one thing that i didn't understand:
In the telnet sesion i missed the authentification, but when the user connects with his Mailclient to send the Mail, he gets forwarded to the submission run file and in this the authentification comes first or do i have to change something in the run file?
And if i want to use the DNSBLSKIP parameter i have to write the following in the submission run file?:
export RBLSMTPD=""
Thanks!
Reply | Permalink
the run file is correct
roberto puzzanghera Marc September 16, 2014 14:55
the run file is correct. But you must do the auth if you want to relay with the 587 port, unless you are a RELAYCLIENT. And if you do the auth, dnsbl is turned off, so no need to use DNSBLSKIP
Anyway,
disables rblsmtpd, but we are not using it anymore, so forget.
Instead, if for some reason you want to disable qmail-dnsbl check just do this in your run file (qmail-smtpd or qmail-submission or both)
but I can assure that it works if you do the auth
EDIT:
as already said, the simplest thing to do is assign the RELAYCLIENT on port 25 to the IPs that have to do the relay without auth (localnets for instance) and force the auth on port 587, but I guess that port 587 cannot be used without authentication.
Reply | Permalink