Tuesday, October 30, 2007

DNSBL server for Postfix

Personal DNSBL(RBL) server for Postfix

This article walks through installing and configuring a local DNSBL (RBL) server and then using it from Postfix. For simplicity the DNSBL server, the BIND DNS server and Postfix are all deployed on one machine. The software used in this example is Debian Linux, rbldnsd, BIND, rblcheck and Postfix.

* Configuring rbldnsd
* Configuring of DNS-Server BIND
* Configuring Postfix
* Checking

1) Configuring rbldnsd

First of all, install rbldnsd (together with rblcheck, which is used later for testing):

# apt-get install rbldnsd rblcheck

That is all for the installation.
Next we need to download a few DNSBL zones from the sites that maintain them. For this we use rsync, which ships with Debian Linux:

# rsync -tvPz rsync.dsbl.org::dsbl/rbldns-list.dsbl.org /var/db/rbldnsd/rbldns-list.dsbl.org
# rsync -tvPz rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net \
  /var/db/rbldnsd/dnsbl-1.uceprotect.net
# rsync -tvPz rsync.spamcannibal.org::zonefiles/bl.spamcannibal.org.in.ip4set.rbl \
  /var/db/rbldnsd/bl.spamcannibal.org.in.ip4set.rbl

That is more than enough to start with; the "useful links" section lists some more sites that give free access to their DNSBL lists.
Next, configure rbldnsd in the file /etc/default/rbldnsd:

RBLDNSD="dnsbl -r /var/db/rbldnsd -b 127.0.0.1/530 \
list.dsbl.org:ip4tset:rbldns-list.dsbl.org \
dnsbl-1.uceprotect.net:ip4tset:dnsbl-1.uceprotect.net \
rbl.spamcannibal.org:ip4set:bl.spamcannibal.org.in.ip4set.rbl \
"
Note that rbldnsd is bound to UDP port 530 so that UDP port 53 stays free for BIND.
Now start rbldnsd and enable it in the default runlevel.

# /etc/init.d/rbldnsd start

2) Setting up the DNS server BIND

Install it:
# apt-get install bind

Then add the following zones to the file "/etc/bind/named.conf":

zone "list.dsbl.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "dnsbl-1.uceprotect.net" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "rbl.spamcannibal.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

This way BIND forwards queries for the listed zones to our rbldnsd, which is listening on UDP port 530. Now start BIND and enable it in the default runlevel.
# /etc/init.d/named start

Don't forget to edit "/etc/resolv.conf" so that the machine resolves through our local BIND:

nameserver 127.0.0.1

3) Configuring Postfix

We assume that Postfix is already installed and basically configured. We will edit only one section of the file "/etc/postfix/main.cf":

smtpd_sender_restrictions =
reject_rbl_client list.dsbl.org,
reject_rbl_client dnsbl-1.uceprotect.net,
reject_rbl_client rbl.spamcannibal.org

Only the reject_rbl_client ... lines are new; we assume that you have already configured all other restrictions and rejections.


Now start Postfix and enable it in the default runlevel.

# /etc/init.d/postfix start

4) Checking

For checking, the rblcheck tool is very simple and convenient.

For instance, let's take an IP address from the DSBL zone file:

# tail -n1 /var/db/rbldnsd/rbldns-list.dsbl.org
1.2.3.4

(the address is fake here) and check whether our rbldnsd server reports it as a spam source:

# rblcheck -s 127.0.0.1 1.2.3.4
1.2.3.4 RBL filtered by bl.dsbl.org

Yes, the answer is positive! If the IP address is not present in the DNSBL zone, the answer will instead read "not RBL filtered by ...".
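To make the check above concrete without a running rbldnsd, here is an added Python example (not from the original post) that models the two things the article relies on: how a DNSBL client such as rblcheck or Postfix's reject_rbl_client builds the query name (octets reversed, then the zone name), and how rbldnsd answers from an ip4set dataset like the ones loaded in /etc/default/rbldnsd. The zone data is constructed and covers only a subset of the ip4set syntax (single addresses, a.b.c shorthand for a /24, CIDR blocks, ! exclusions and the :A:TXT default line); the zone name list.dsbl.org is taken from the article, and the substitution of $ in the TXT text by the queried address follows rbldnsd's documented convention.

```python
"""
Added example, not part of the original article: an offline model of an
rbldnsd ip4set dataset and of the DNSBL query a client makes against it.
Zone contents are constructed for illustration, not real DNSBL data.
"""
import ipaddress

# Constructed sample in (a subset of) rbldnsd ip4set syntax:
#   ':127.0.0.2:text'  default A value and TXT text for listed entries
#   'a.b.c.d'          a single address
#   'a.b.c'            rbldnsd shorthand for the whole a.b.c.0/24
#   'a.b.c.0/24'       CIDR block
#   '!a.b.c.d'         exclusion, wins over any listing
#   '#'                comment
SAMPLE_IP4SET = """\
# constructed zone for illustration, not real DNSBL data
:127.0.0.2:Listed in example zone, see http://example.invalid/?$
1.2.3.4
198.51.100.0/24
203.0.113
!203.0.113.7
"""


def parse_ip4set(text):
    """Return (default_a, default_txt, listed_networks, excluded_networks)."""
    default_a, default_txt = "127.0.0.2", ""
    listed, excluded = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            # ':A-value:TXT text' -- the TXT may itself contain colons (URLs)
            _, default_a, default_txt = line.split(":", 2)
            continue
        target = listed
        if line.startswith("!"):
            target, line = excluded, line[1:]
        dots = line.count(".")
        if "/" not in line and dots < 3:
            # a.b.c -> a.b.c.0/24, a.b -> a.b.0.0/16
            line = line + ".0" * (3 - dots) + "/" + str(8 * (dots + 1))
        target.append(ipaddress.ip_network(line, strict=False))
    return default_a, default_txt, listed, excluded


def query_name(ip, zone):
    """DNSBL query name: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, dataset):
    """Simulate rbldnsd's answer for ip: (A, TXT) if listed, None for NXDOMAIN."""
    default_a, default_txt, listed, excluded = dataset
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excluded):
        return None
    if any(addr in net for net in listed):
        # rbldnsd replaces '$' in the TXT text with the queried address
        return default_a, default_txt.replace("$", str(addr))
    return None


def rblcheck(ip, zone, dataset):
    """rblcheck-style one-line verdict for a single zone."""
    if lookup(ip, dataset) is None:
        return f"{ip} not RBL filtered by {zone}"
    return f"{ip} RBL filtered by {zone}"


if __name__ == "__main__":
    zone = "list.dsbl.org"  # zone name from the article
    ds = parse_ip4set(SAMPLE_IP4SET)
    for ip in ("1.2.3.4", "198.51.100.77", "203.0.113.7", "203.0.113.8", "192.0.2.1"):
        print(query_name(ip, zone), "->", rblcheck(ip, zone, ds))
```

A real client sends the A query for the name query_name() produces to the resolver in /etc/resolv.conf; in the setup above BIND forwards it to rbldnsd on port 530, and any answer in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The exclusion line shows why a listing should be checked against the loaded dataset rather than assumed from a /24 entry alone.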

Very simple, quick and short. As you can see, there is nothing complicated about setting up and configuring your own dedicated DNSBL server and using it for a group of mail servers, and not only for that...