Thanks to Michael Tokarev and Paul Howarth who helped me muddle my way through this.
OVERVIEW:
Postfix provides a powerful arsenal of anti-spam tools. So why go to the trouble of setting up and utilizing a local DNS blocklist? Aside from the fact that doing so is fun and educational, I find these zone lists easier to maintain than Postfix hash files. Rbldnsd has a minuscule footprint. NJABL claims an 85% reduction in memory consumption in comparison to creating BL zones in Bind. Furthermore, rbldnsd is ideal for larger files in "classful" syntax like the country blocklists provided by blackholes.us.
When you have completed this example, you will have a working installation that will block all mail originating from China as well as a few hundred hosts and client IP addresses that we block. I'm sure that there is some duplication in the lists that are provided.
There are six simple steps to putting this together:
1) Download and install the rbldnsd rpm.
2) Download and install the sample blocklist tarball.
3) Configure rbldnsd.
4) Edit named.conf Bind configuration file.
5) Test.
6) Edit the main.cf Postfix configuration file.

The following presumes that you already have Postfix up and running and that you have Bind running on a machine on the network. You can install rbldnsd on the machine running Bind or on any other machine on the network. I'll provide instructions for both configurations.
Before we go any further, this is a "works for me" example. The system can be fine-tuned to block precisely what you want or altered to a structure that is most efficient for you to set up and maintain. In this example, we are using two zones with three blocklists. This could easily be structured as three separate zones or all in one zone. The idea is to get the system up and running while utilizing an example that offers some insight into the options.
DOWNLOAD AND INSTALL RBLDNSD:
The latest RPM is available here: http://www.corpit.ru/mjt/rbldnsd.
Rbldnsd will be installed as a service. The installation will also create the user and group "rbldns" with a home directory at /var/lib/rbldns.
DOWNLOAD AND INSTALL THE SAMPLE BLOCKLISTS:
In the following example, we'll create two zones: one for clients (a list of IP addresses) that are banned and another for banned hosts, which will be blocked as both clients and senders. Our client dnsrbl zone will include two files: a custom file and a list of IP addresses for China that I already downloaded from "blackholes.us." For simplicity, the three sample data files are in a tarball here. These three files are a good start. They are used, with others, on our mail server.
Untar the sample files (tar -p -P -jxf blocklists.tar.bz2). This should create the three sample lists (hosts, clients and china) in /var/lib/rbldns and the files should be owned by rbldns. Check the directory before proceeding.
Rbldns is extremely flexible. You can create IP client lists with single IPs, CIDR notation or even shorthand. The following are all valid entries:
4.46.106.110     # A single IP address.
4.46.0.0/16      # A CIDR range of IP addresses.
4.46             # The same result as the above CIDR range. Used in the "china" file.
4.46.106-225     # The range of 4.46.106.0 through 4.35.225.255.
!4.46.106.53     # Excludes this IP address from being blocked.

To make life even simpler, the files start with a default instruction. A line that starts with a colon will be the default for all subsequent lines. You can alter the message for various clients if you like, but that's too much work. The "clients" and "hosts" lists start with:

:127.0.0.2:$ is a known spam source     # "$" will be replaced with the IP. Postfix will prepend this with a 554 message.

The hosts list is a simple list of banned domains, one per line. Prefixing host names with a period (".") acts as a wild card: ".spammer.net" will cause spammer.net and sociopathic.spammer.net to be rejected.
Our china list has a slightly different default:
:127.0.0.2:$ originates from an area that is banned on this server.
It is then a list of IP addresses, one per line, in "classful" shorthand. For example, the first line is 95.32 which is the equivalent of 95.32.0.0/16.
You can add or delete entries in the files. By default, rbldnsd re-reads them every 60 seconds. You can change the refresh rate to your liking or turn it off completely (see man rbldnsd).
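To sanity-check a list before rbldnsd serves it, the following added example (mine, not the article's and not part of rbldnsd) models the syntax described above: single IPs, CIDR, classful shorthand, octet ranges, "!" exclusions, the ":A:TXT" default line for ip4set files, and the leading-dot wildcard for dnset host files. It also builds the reversed-octet query name that the TESTING section below uses with dig. The sample list contents are constructed; the assumptions are that an exclusion always wins over any matching inclusion, that the default line applies to every entry after it, and that per-entry value overrides are not handled.

```python
"""Offline checker for rbldnsd-style ip4set/dnset block lists (added example)."""
import ipaddress

# Constructed samples in the shape of the article's "clients" and "hosts" lists.
SAMPLE_CLIENTS = """\
:127.0.0.2:$ is a known spam source
4.46.106.110          # a single IP address
4.46.0.0/16           # a CIDR range
4.46                  # classful shorthand for 4.46.0.0/16
4.46.106-225          # 4.46.106.0 through 4.46.225.255 (range on the last given octet)
!4.46.106.53          # excluded even though 4.46/16 covers it (assumption: exclusions win)
162.83.61.223         # the article's test address
"""
SAMPLE_HOSTS = """\
:127.0.0.2:$ is a known spam source
.spammer.net          # spammer.net and every subdomain
drugstore.com         # exact name only
"""


def expand_ip4(token):
    """Turn one ip4set address token into an inclusive (first, last) integer range."""
    if "/" in token:
        net = ipaddress.ip_network(token, strict=False)
        return int(net[0]), int(net[-1])
    octets = token.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad ip4set entry: %s" % token)
    lo, hi = list(octets), list(octets)
    if "-" in octets[-1]:                      # e.g. "106-225" on the last given octet
        lo[-1], hi[-1] = octets[-1].split("-", 1)
    lo += ["0"] * (4 - len(octets))            # missing octets are 0 at the low end...
    hi += ["255"] * (4 - len(octets))          # ...and 255 at the high end
    first = int(ipaddress.IPv4Address(".".join(lo)))
    last = int(ipaddress.IPv4Address(".".join(hi)))
    if first > last:
        raise ValueError("inverted range: %s" % token)
    return first, last


def parse_list(text, kind):
    """Parse an "ip4set" or "dnset" file into {a, txt, includes, excludes}."""
    # Assumption: 127.0.0.2 and a bare "$" are used when no default line is present.
    zone = {"a": "127.0.0.2", "txt": "$", "includes": [], "excludes": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if line.startswith(":"):               # ":A-value:TXT template" default line
            _, a_value, txt = line.split(":", 2)
            zone["a"], zone["txt"] = a_value.strip(), txt.strip()
            continue
        exclude = line.startswith("!")
        token = line.lstrip("!").split()[0]    # per-entry overrides after the token are ignored
        entry = expand_ip4(token) if kind == "ip4set" else token.lower()
        zone["excludes" if exclude else "includes"].append(entry)
    return zone


def _ip_hits(entries, ip):
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in entries)


def _host_hits(entries, host):
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):              # ".spammer.net": the name itself or any subdomain
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def lookup(zone, kind, name):
    """Return (A, TXT) as the list would answer, or None when the name is not listed."""
    hits = _ip_hits if kind == "ip4set" else _host_hits
    if hits(zone["excludes"], name) or not hits(zone["includes"], name):
        return None
    return zone["a"], zone["txt"].replace("$", name)


def dnsbl_query_name(ip, zone_name):
    """Build the query name Postfix and dig use: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone_name


if __name__ == "__main__":
    clients = parse_list(SAMPLE_CLIENTS, "ip4set")
    hosts = parse_list(SAMPLE_HOSTS, "dnset")
    for ip in ("162.83.61.223", "4.46.106.53", "4.46.200.1", "8.8.8.8"):
        print(dnsbl_query_name(ip, "clients.blocked.rbl"), lookup(clients, "ip4set", ip))
    for host in ("spammer.net", "sociopathic.spammer.net", "drugstore.com", "example.org"):
        print(host, lookup(hosts, "dnset", host))
```

Running it against your real "clients", "china" and "hosts" files before a reload is a cheap way to catch an inverted range or a missing default line, and to confirm that an exclusion you added really removes the address you expect.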
CONFIGURE RBLDNSD:
While there are workarounds, do NOT name your zones as sub-domains of yourdomain.com. We'll use zones named "clients.blocked.rbl" and "hosts.blocked.rbl."
The configuration file is /etc/sysconfig/rbldnsd. It ships with numerous configuration options that are commented out. Add the following lines to that file, uncommented:
RBLDNSD="dsbl -r/var/lib/rbldns -b <address>[/port] \
clients.blocked.rbl:ip4set:clients,china \
hosts.blocked.rbl:dnset:rblhosts \
"

If you are running bind on the same machine as rbldnsd, then the address/port to use is 127.0.0.1/530. If this is on a separate machine, use the machine's IP as the address without designating a port (it will default to 53).
The first line tells rbldnsd to chroot to /var/lib/rbldns for the data files and to listen on the address and port that you designated.
The second line defines the zone "clients.blocked.rbl". "ip4set" defines the file type (see man rbldnsd for more information). This is followed by the two data files separated by commas and NO SPACES (a space indicates another zone). The third line defines the second zone. Note that a hosts list is specified as type "dnset".
CONFIGURE BIND:
We're done with rbldnsd. Now we need to make a small adjustment to Bind. On the machine running Bind, add the following lines to /etc/named.conf. Make sure that you choose the appropriate last text line in each of the two blocks to correspond to your configuration; Bind and RBLDNSD on separate servers or both running on the same machine.
zone "clients.blocked.rbl" IN {
    type forward;
    forward first;
    forwarders {
        <machine IP address>;    # or
        127.0.0.1 port 530;      # if bind and rbldnsd are on the same server
    };
};

zone "hosts.blocked.rbl" IN {
    type forward;
    forward first;
    forwarders {
        <machine IP address>;    # or
        127.0.0.1 port 530;      # if bind and rbldnsd are on the same server
    };
};
TESTING:
OK. Let's fire it all up and test it. We'll configure postfix after testing. On the appropriate machines:
service named restart
service rbldnsd start

For testing, we'll use IP 162.83.61.223, which is in the clients list (it's a Verizon dial-up).
From a console 'dig 223.61.83.162.clients.blocked.rbl' (notice that the octets are reversed).
This should produce:

;; ANSWER SECTION:
223.61.83.162.clients.blocked.rbl. 2048 IN A 127.0.0.2

Then query the TXT record:

dig 223.61.83.162.clients.blocked.rbl -t txt

This should produce:

;; ANSWER SECTION:
223.61.83.162.clients.blocked.rbl. 2048 IN TXT "DNSBL. 162.83.61.223 is a known spam source. Mail from 162.83.61.223 is NOT accepted on this server!"

You can repeat the test with 'dig drugstore.com.hosts.blocked.rbl' to test a host block. You should get similar results.
CONFIGURE POSTFIX FOR THE NEW RBL CHECKS:
Finally, we need to add these checks to Postfix. In the UCE controls section of main.cf, add the following lines after permit_mynetworks:
reject_rbl_client clients.blocked.rbl,
reject_rhsbl_client hosts.blocked.rbl,
reject_rhsbl_sender hosts.blocked.rbl,
. . . .remaining restrictions
Run "postfix reload" and you are done. Bring up a tail of the maillog and watch the results.
AFTERTHOUGHTS:
This seemingly represents the completion of my "conversion." Two or three years ago, I was one of those individuals who recklessly ranted about sinister blacklists. My apologies. That said, the system presented herein does create collateral damage. Not all mailers from the PRC are spammers. One needs to carefully consider the antisocial nature of gratuitously blocking senders. I strongly encourage the use of Jim Seymour's excellent PFLogSumm and a thorough daily review of whom you are denying access to. You can easily alter the default lines to point to a web contact form.