RBLDNSD

General eFa discussion
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

RBLDNSD

Post by drewmorris »

Does the EFA server have any mechanism for support RBLDNSD already in it if I want to use the rsync lists? I guess I am wondering if there is any already in the distribution that makes it possible to incorporate services like UCEProtect or Lashback any of the other providers that have rsync-based lists in that format.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RBLDNSD

Post by shawniverson »

drewmorris,

dns blocklist support is already built into EFA, so you can add block lists either to postfix or to mailscanner, depending on your needs.
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

Hey Shawn... I know I can add RBL entries to use DNS blocklists... but I was asking about whether there was anything in EFA to support a local DNSBL service where you rsync the RBLDNSD lists from services like Lashback or UCEProtect or any other that supply their lists so you can download them and process the checks locally.

This is particularly an issue if you have a volume that exceeds a specific threshold because some RBLs will require you to move to an rsync-model where you locally host your own RBL lookups from lists you assemble from these sources so it cuts down their traffic/overhead.

Are you saying this support is already built into EFA? If so... how would I add these blocklist downloads to my local DNSBL server?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RBLDNSD

Post by shawniverson »

I see.

rbldnsd isn't included in EFA, but I bet you could install it yourself. If you do, post steps/results, and we can consider rolling it into EFA.
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

It seems as though I will need to understand a bit more about the way DNS works in EFA when recursion is turned on. RBLDNSD requires a local DNS server to be running. Is EFA running one? I don't see any processes for dnsmasq or bind or anything that would suggest there is a local DNS server or cache as part of the installation (perhaps I chose not to do it during setup?). Am I looking in the wrong place?
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

Ok... I did some more poking and see we are using unbound (I got confused because I saw it listening when I did a netstat -tulpn | grep :53 and saw "unbound", so I thought it meant no process was bound to the port).

The next question is whether it will let me install rbldnsd on top of it. Does anybody have experience doing this?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RBLDNSD

Post by shawniverson »

I will try to help.

rbldnsd doesn't appear to have much documentation, and the latest source (from 2013) only compiles a single binary. No init scripts. No samples...
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

It appears you can use "yum install rbldnsd" and most of the documentation I have found is on RBL provider sites thus far. I have also reached out to Rob Mcewen at invaluement and asked for a trial account and he said he will be sending me some instructions. I guess I can post them here once they arrive.

I found this URL for SURBL http://www.surbl.org/setup-local-rbl-mirror
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

Hi all... I figured out how to get this working and set it up with invaluement (a paid service). Here are the instructions but I hid the URLs for the service since they give them to you when you sign up.

These instructions would also work for other services like UCEProtect, Lashback, and other lists. I am pretty sure even Spamhaus offers an rsync option. It's also a great way to maintain your own blacklist of IPs you might want to reject at extremely low cost, since the lookups take about 1 millisecond. RBLDnsd supports a few different format types for the files, but I wasn't able to find a good reference on the differences between ip4tset vs ip4set vs dnset.


1. Install rbldnsd

yum install rbldnsd
2. Create the directory to put the invaluement files in underneath the /var/lib/rbldnsd/dsbl directory

mkdir -p /var/lib/rbldnsd/dsbl/invaluement
3. Setup a cron job to rsync the data every 3 minutes

*/3 * * * * root rsync -avz {placeholder_for_invaluement_rsync_url}::invaluement.com.rbldnsd_direct /var/lib/rbldnsd/dsbl/invaluement/
4. Edit the file /etc/sysconfig/rbldnsd to configure it to support the service that you are synchronizing the files from. In the case of invaluement the entry may look like this:

RBLDNSD="dsbl -r/var/lib/rbldnsd/dsbl -q -b 127.0.0.2 \
       sip.invaluement.local:ip4tset:invaluement/sip.{placeholder_for_invaluement_url}.rbldnsd \
       sip24.invaluement.local:ip4set:invaluement/sip24.{placeholder_for_invaluement_url}.rbldnsd \
       uri.invaluement.local:dnset:invaluement/uri.{placeholder_for_invaluement_url}.rbldnsd \
"
* Note: There is a format to this: {domain}:{format}:{related file location underneath /var/lib/rbldnsd/dsbl}... the dsbl directory is set by the first word inside the quotations, so you can choose your own name if you wish.

* Note2: I am using 127.0.0.2 to bind the rbldnsd server. You can use this or a different port or anything else you may need to bind to.


5. Go to /etc/unbound/unbound.conf and set "do-not-query-localhost" to "no" or it will not be able to query the 127.0.0.2 IP

do-not-query-localhost: no
6. Go to /etc/unbound/conf.d/forwarders.conf and set your forward zone entry at the top of the file like:

forward-zone:
  name: "invaluement.local"
  forward-addr: 127.0.0.2
7. Restart unbound
8. Add your new RBL entries to your /etc/postfix/main.cf for example:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client sip.invaluement.local, reject_rbl_client sip24.invaluement.local, check_policy_service inet:10.6.1.2:9009, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access
9. Put the spamassassin cf configuration files in /etc/mail/spamassassin to help with scoring. At a minimum you should put the 99_ivmuri.cf file here and if you aren't outright blocking with either of the other 2 lists... put the corresponding files here as well.
10. Restart MailScanner
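An added example (not part of the original post or of EFA) showing what the lookup in the steps above actually does: a client reverses the octets of the IP and appends the zone name (sip.invaluement.local in the configuration above), and rbldnsd answers from the ip4tset data file. The sample data file and the IP addresses below are constructed; the file layout assumed (a ":A-value:TXT" default line, "#" comments, "$" directives, one plain IPv4 per line) is the ip4tset layout as I understand rbldnsd's data format.

```python
import ipaddress

# Constructed sample of an rbldnsd ip4tset data file (not real invaluement data).
# ':' sets the default A value and TXT for every listed address, '#' lines are
# comments, '$' lines are rbldnsd directives, everything else is a plain IPv4.
# A '$' inside the TXT is replaced by the queried IP in the answer.
SAMPLE_IP4TSET = """\
$TIMESTAMP 20140901000000
:127.0.0.2:Listed by example-sip, see http://example.invalid/lookup?$
# constructed test entries
192.0.2.10
198.51.100.77
"""


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client queries: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_ip4tset(text):
    """Return (listed IPs, default A value, default TXT) for an ip4tset file."""
    listed, a_value, txt = set(), "127.0.0.2", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        if line.startswith(":"):
            _, a_value, txt = line.split(":", 2)  # ":A-value:TXT text"
            continue
        listed.add(str(ipaddress.IPv4Address(line)))  # raises on junk lines
    return listed, a_value, txt


def lookup(ip, zone, text):
    """Simulate rbldnsd's answer for `ip` in `zone` from the data in `text`.

    Returns (query name, A value or None, TXT or None); None means NXDOMAIN,
    i.e. the address is not listed and postfix would not reject it.
    """
    listed, a_value, txt = parse_ip4tset(text)
    name = dnsbl_query_name(ip, zone)
    if ip not in listed:
        return name, None, None
    return name, a_value, txt.replace("$", ip)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.5"):
        print(lookup(addr, "sip.invaluement.local", SAMPLE_IP4TSET))
```

Running the same query with dig against 127.0.0.2 (the -b address in /etc/sysconfig/rbldnsd) and then against unbound on 127.0.0.1 is a quick way to tell whether a miss comes from the data file, rbldnsd, or the forward-zone entry.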
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

Shawn it would be pretty cool if this was installed as part of EFA and we could just configure the services we wanted to use underneath it.... what do you think?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RBLDNSD

Post by shawniverson »

Sure :dance:
drewmorris
Posts: 35
Joined: 13 Aug 2014 18:16

Re: RBLDNSD

Post by drewmorris »

Neat :)