Realtime Block List (RBL) - qmail-dnsbl

Hi Roberto,

here at our site we have a bordermailer who "prechecks" the EMails and puts a "Received" Line with its name and IP into the EMails.

So the RBL checks the IP of our Bordermailer which is of course normally not blacklisted.

Do you know a solution Where I can skip "Received" Lines in the Header for RBL checks?

Otherwise I have to disable RBL because its useless.....

Regards,

Herbert

Try to use DNSBLSKIP with that ip in the tcprules. Let me know...

....nope...not working...

I tried in smtpd run:

export DNSBLSKIP="ip.of.border.mailer"

and/or in tcp.smtp:

DNSBLSKIP="ip.of.border.mailer"

same behavior with both - it completely skips RBL check then....

Regards,

Herbert

I did some tests and it's working as expected by declaring DNSBLSKIP in my tcp.smtp

1.2.3.4:DNSBLSKIP=""

Hi Roberto,

I suppose the IP 1.2.3.4 in your example is the IP of the bordermailer ?

When I put this line into tcp.smtp I get the error message:

tcprules: syntax: unable to parse this line: 1.2.3.4:DNSBLSKIP=""

Maybe my problem was not described detailed enough.... 

I don't want to skip RBL checking for EMail from the bordermailer!

Because all EMails have a "Received" Line with the IP from the bordermailer, I only want to SKIP this "Received" line so that the next Received line will be checked or all "Received" lines are checked.

But maybe this is impossible?

Yes . The syntax is correct. Double check

If your server gets the IP of the bordermailer then you can't have an rbl filter

I've never used it. I'll look at the code when I have some time

Great! Thank you!

Hi, I have psbl.surriel.com and spamhaus in my dnslist.

[root@brilliance bin]# qmail-showctl |grep dnsbl
dnsbllist:
List at zen.spamhaus.org configured for dnsbl check.
List at sbl.spamhaus.org configured for dnsbl check.
List at pbl.spamhaus.org configured for dnsbl check.
List at xbl.spamhaus.org configured for dnsbl check.
List at bl.spamcop.net configured for dnsbl check.
List at psbl.surriel.com configured for dnsbl check.
List at b.barracudacentral.org configured for dnsbl check.

I noticed that at times listed IPs are not blocked.

Take for example IP 213.142.156.102. This IP was listed multiple times on psbl.surriel.com since 2019 July. But in my log, netqmail still allows it to pass thru

surriel.com
@400000005ece1c472916a37c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.psbl.surriel.com result=ignore message=''

spamhaus
@400000005ece1c4718fd7024 qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.zen.spamhaus.org result=ignore message=''
@400000005ece1c47196c915c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.sbl.spamhaus.org result=ignore message=''
@400000005ece1c4719cb7a3c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.pbl.spamhaus.org result=ignore message=''
@400000005ece1c471a3309f4 qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.xbl.spamhaus.org result=ignore message=''

My nslookup captured it correctly.

[root@brilliance bin]# nslookup 102.156.142.213.psbl.surriel.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.psbl.surriel.com
Address: 127.0.0.2

[root@brilliance bin]# nslookup 102.156.142.213.zen.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.zen.spamhaus.org
Address: 127.0.0.3

[root@brilliance bin]# nslookup 102.156.142.213.sbl.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.sbl.spamhaus.org
Address: 127.0.0.3

As my volume is not large, i don't think i am blocked.

Any idea what went wrong?

Thanks
nic

Hi Roberto.

Thanks for your job.

I want to tell you and your visitors, that pay attention on gateway and mail servers.

If you are using a public DNS like 8.8.8.8 or 1.1.1.1, and others, the /var/qmail/control/dnsbllist will be IGNORED.
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/

If you got receiving LOGs ONLY bypassing dnsbllist on /var/log/qmail/smtpd/current

rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.b.barracudacentral.org result=ignore message=''
rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.zen.spamhaus.org result=ignore message=''
rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.sbl.spamhaus.org result=ignore message=''

then you MUST change your GATEWAY, not using public DNS (now I'm using my own public IP with my own DNS Server)
and after that, dnsbllist finally will works and REJECT some IPs with bad reputation:

rbl: ip=188.121.120.30 query=30.120.121.188.b.barracudacentral.org result=reject message='http://www.barracudanetworks.com/reputation/?pr=1&ip=188.121.120.30'
rbl: ip=37.32.8.31 query=31.8.32.37.sbl.spamhaus.org result=reject message='https://www.spamhaus.org/sbl/query/SBLCSS'

Thanks again !

spamhaus started to work again here. Thanks Marco, I will add a note about this

Good to know. Do you get any error code from spamhaus?

I disabled spamhaus a couple of years ago because they were bypassing my queries, and I hope this is the reason why. Now I changed my dns' forwarders and restored spamhaus. Let's see if it works again.

These three blocklists work well even with public dns

b.barracudacentral.org 
psbl.surriel.com 
bl.spamcop.net

At any rate, just to clarify, a log message like this is not an error return code

@400000006358736e0a44c2e4 qmail-smtpd[17480]: rbl: ip=121.5.19.34 query=34.19.5.121.b.barracudacentral.org result=ignore message=''

it just means that the IP is not listed.

Hi,

I don't think i am blocked at all. I received those spams and immediately do a lookup the IPs against the list.

Very strange indeed.  

Looks like i will have to create a blacklist myself.

Thanks
nic

Nic, this only proves that you did the query to those block list, not that they considered your query and provided a response

Hi, I think you have been blocked by those rbl. I also don't have a very busy server, but I think that spamhaus is blocking me.

Unfortunately there is no way to check if the server has been blocked or not. Any hint on the purpose would be appreciated.

I suggest to turn on fail2ban in order to decrease the number of calls to rbl

Hi Roberto

First, thank you for your guide, which saved me countless hours getting our mailserver up and running!

I've got a problem though when trying to enable dnsbl like described here. I'm using your combined patch (current version as of now), but qmail seems not to recognize the dnsbllist file.

# qmail-showctl |grep dnsbl
dnsbllist: I have no idea what this file does.

Do you have any idea what I might have missed?

Sincerely
Steffen

Hi Steffen,

it's strange.. it's like you haven't patched qmail with the qmail-dnsbl patch... are you absolutely sure that you have actually patched qmail?

OK, please discard my comment.

Issue was that I had an old (timestamp indicates it's from the qmail compile before vpopmail install and patching qmail) qmail-showctl in /usr/sbin which was beeing called...

All is fine, dnsbl working as expected. Thank you!

Yes, I have checked the patched source files and they contain the patched lines.
I've also checked the compiled and installed binaries (qmail-smtpd and qmail-showctl) and they contain the dnsbllist string.

Indeed, very strange.

Hello Roberto,

i have the problem that local users with dynamic ips get banned from list even if i use submission port 587 with this user. Is it possible to whitelist local users? Thanks for helping.

Greetings

Marc

Marc, I think you can change your outgoing ip, adding it to control/outgoingip. take a look here http://notes.sagredo.eu/node/82#outgoingip

let us know if it will do the case, please

Hi, the server has only one ip adress -  i know this outgoingip from another server which has more network interfaces and i don't think that  this is the reason. The user has an dynamic ip from his dsl provider, which is on zehnaus blacklist. And i thought when he use the port 587 the RBL filter is bypassed. The log shows this:
qmail-smtpd: message rejected (qmail-dnsbl) (1.1.1.1.zen.spamhaus.org): info@localdomain.xy from 1.1.1.1 to info@localdomain.xy helo PCLokal    1.1.1.1=DynamicDSL.IP.Adress from User

You wrote in the description: RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned - but in this case it get banned and i don't know why. For the moment i have deleted spamhaus from the dnsbllist file and then it works for the client. But Zenhaus catches a much amount of spam an i like to use this again. Do you have another suggestion? Thanks!

can you post your qmail-submission run file and a smtp telnet session on 587 port?

Telnet Output:

telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 xyz.net ESMTP
EHLO test
250-xyz.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 30000000
mail from:mail@test.xy
250 ok
quit
221 xyz.net
Connection closed by foreign host.

submission run file:

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# You MUST export this, otherwise you'd get a 30 sec timeout
export SMTPAUTH=""

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=1
export DROP_PRE_GREET=1

# This disables FORCETLS
#export FORCETLS=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

if you want to allow your LAN to relay without authentication, use port 25 and put your localnet in the REALYCLIENT variable inside tcp.smtp...

you are not authenticating, so it's normal that qmail-dnsbl checks for the block list and you are banned. You have to do the auth before the mail from: command, as this is not an open relay.

As an alternative you can always decide to turn off dnsbl:

Exception: If the environment variable DNSBLSKIP is set, qmail- smtpd ignores dnsbllist, and the dnsbl check is not performed. The check is skipped even if some other authentication method succedeed and authorized the client to relay (smtp-auth or tls client certificate), or if RELAYCLIENT enviromnent variable is set.

Hello Roberto, thanks for helping. Just for clearing it more up to me, there is one thing that i didn't understand:

In the telnet sesion i missed the authentification, but when the user connects with his Mailclient to send the Mail, he gets forwarded to the submission run file and in this the authentification comes first or do i have to change something in the run file? 
And if i want to use the DNSBLSKIP parameter i have to write the following in the submission run file?:
export RBLSMTPD=""

Thanks!

the run file is correct. But you must do the auth if you want to relay with the 587 port, unless you are a RELAYCLIENT. And if you do the auth, dnsbl is turned off, so no need to use DNSBLSKIP

Anyway,

export RBLSMTPD=""

disables rblsmtpd, but we are not using it anymore, so forget.

Instead, if for some reason you want to disable qmail-dnsbl check just do this in your run file (qmail-smtpd or qmail-submission or both)

export DNSBLSKIP=""

but I can assure that it works if you do the auth

EDIT:

as already said, the simplest thing to do is assign the RELAYCLIENT on port 25 to the IPs that have to do the relay without auth (localnets for instance) and force the auth on port 587, but I guess that port 587 cannot be used without authentication.