[qmail] mysql 연동을 위한 링크 keep..
ITWeb/서버관리 2012. 7. 12. 18:53[vpopmail+mysql 연동]
http://coffeenix.net/board_view.php?bd_code=1476
[mysql 소스설치]
http://blog.beany.co.kr/archives/26
'ITWeb/서버관리'에 해당되는 글 125건
[qmail] mysql 연동을 위한 링크 keep..ITWeb/서버관리 2012. 7. 12. 18:53[vpopmail+mysql 연동] http://coffeenix.net/board_view.php?bd_code=1476 [mysql 소스설치] http://blog.beany.co.kr/archives/26 tomcat server.xml 의 connector 설정 값.ITWeb/서버관리 2012. 6. 13. 19:48그냥 기본 설정 값으로 사용하기 위해서 정리한 내용입니다. 서비스 특성과 장비 사양에 맞게 값은 수정해서 사용하시길 권장 합니다. [기본설정] [Tomcat 만 사용] <Connector enableLookups="false" protocol="HTTP/1.1" URIEncoding="UTF-8" compression="on" connectionTimeout="5000" disableUploadTimeout="true" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="1024" minSpareThreads="25" port="80" /> [Httpd + Tomcat 사용] <Connector enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8" connectionTimeout="5000" maxSpareThreads="75" maxThreads="1024" minSpareThreads="25" port="8100" /> [주석포함] [Tomcat 만 사용] <Connector enableLookups="false" // 기본값이 enabled 입니다. false 설정을 해야 합니다. 이 설정은 remote ip 에 대해서 DNS lookup 을 하여 ip 를 dns 형태로 변형을 하기 때문에 성능에 영향을 줍니다. protocol="HTTP/1.1" // HTTP handler를 사용하기 위해서는 반드시 HTTP/1.1 이어야 합니다. URIEncoding="UTF-8" // URI Encoding Type 을 지정 합니다. compression="on" // text data 에 대해서 압축 전송을 하게 됩니다. connectionTimeout="5000" // 설정하지 않을 경우 기본 60초로 설정 됨, 5초로 connectionTimeout 지정을 합니다. disableUploadTimeout="true" // Data upload 시 connection timeout 을 좀더 길게 유지 해줍니다. maxHttpHeaderSize="8192" // HTTP Header 에 정보가 많이 실릴 경우 기본 값이 4KB 이기 때문에 서비스 특성에 맞게 조정이 필요 합니다. maxSpareThreads="75" // idle 상태로 유지 할 max thread pool size, 설정하지 않을 경우 50으로 설정 됩니다. maxThreads="1024" // 동시 요청에 의해 Connector 가 생성할 수 있는 최대 request size 입니다. minSpareThreads="25" // tomcat 이 실행 될때 생성되는 thread size 입니다. port="80" // tomcat 에서 사용할 port 예) http://localhost:80/ /> [Httpd + Tomcat 사용] <Connector enableLookups="false" // 기본값이 enabled 입니다. false 설정을 해야 합니다. 이 설정은 remote ip 에 대해서 DNS lookup 을 하여 ip 를 dns 형태로 변형을 하기 때문에 성능에 영향을 줍니다. protocol="AJP/1.3" // AJP handler를 사용하기 위해서는 반드시 AJP/1.3 이어야 합니다. URIEncoding="UTF-8" // URI Encoding Type 을 지정 합니다. connectionTimeout="5000" // 설정하지 않을 경우 기본 60초로 설정 됨, 5초로 connectionTimeout 지정을 합니다. maxSpareThreads="75" // idle 상태로 유지 할 max thread pool size, 설정하지 않을 경우 50으로 설정 됩니다. maxThreads="1024" // 동시 요청에 의해 Connector 가 생성할 수 있는 최대 request size 입니다. minSpareThreads="25" // tomcat 이 실행 될때 생성되는 thread size 입니다. port="8100" // httpd 와 tomcat 연동 시 사용할 port /> JVM Memory 튜닝.ITWeb/서버관리 2012. 6. 13. 18:11tomcat 실행 시 JVM 메모리 튜닝을 하게 됩니다. 서비스 특성과 서버 사양에 따라 다르겠지만.. VM 에서 설정하려고 구성한 값이라 그냥 기본값으로 사용을 하고자 작성해봅니다. VM 장비 4G 램 사용. [실서비스용] JAVA_OPTS="-server -Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=256m -XX:+DisableExplicitGC -XX:-UseAdaptiveSizePolicy" [개발서비스용] JAVA_OPTS="-server -Xms512m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=128m -XX:+DisableExplicitGC -XX:-UseAdaptiveSizePolicy" 여기서 실서비스용에 -XX:PermSize=256m -XX:MaxPermSize=256m svn merge 시 오류 - 중복 머지..ITWeb/서버관리 2012. 6. 12. 19:41진행하고 있는 업무 중 빈번한 코드 머지 작업이 있는데 작업중 발생하는 오류에 대해서 팀원이 문제 해결한 내용을 공유해 줘서 keeping 합니다. 요약: 1. Windows 용 SVN Clinet 다운 및 설치(현재 Eclipse plugin으로 사용하는 SVN과 버전 일치 시켜야함) 2. 해당 프로젝트 workspace로 들어가서 svn propget -R svn:mergeinfo 로 확인 3. svn propdel -R svn:mergeinfo 로 모든 property 삭제 4. 커밋 후, merge 진행
자세한 설명입니다:
현상: SVN Merge를 사용해 첫 merge는 되지만, 두번째 merge는 안됩니다. 이유: 첫 번째 merge를 했을때 몇몇 파일에 mergeinfo property라는 것이 남게 됩니다. 해당 workspace/project 에서
로 확인하실 수 있습니다 더 근본적인 원인은 정확히 증거를 가지고 있지 않지만, 작업에서 trunk, branch간의 작업사이에 revision이 약간씩 꼬여서 발생하는 것 같습니다.
위와 비슷한 에러가 나는데(에러메시지는 같습니다) 머지는 한 소스가 아니라 다른 소스이면, 비록 그 조상이 같아 revision을 공유하더라도 에러가 나는듯 합니다. (같이 좀 고민해 주세요)
그래서 해결책은! 해결: mergeinfo property 삭제 방법: 해당 workspace/project 에서
로 property를 삭제하고 merge를 진행하시면 됩니다. 서버 Port 확인방법.ITWeb/서버관리 2012. 6. 12. 16:40nmap 을 이용해서 확인이 가능 합니다.
[Command] sudo nmap -sT -O localhost 자세한 정보는 아래 링크 참고하세요. [qmail] qmail 실행 오류 또는 설치 오류ITWeb/서버관리 2012. 6. 11. 18:11sudo rpm –Uvh /usr/src/redhat/RPMS/x86_64/knetqmail-0.0.1-5.x86_64.rpm knetqmail 을 rpm 설치 시 아래와 같은 오류가 날때가 있습니다. /var/tmp/rpm-tmp.80051: line 31: /etc/inittab: 허가
거부됨 보통은 이런 오류가 안날텐데요. [원본링크] [원본내용] [오류] [root@mail service]# /etc/init.d/qmail stop > stop 은 위와 같은 에러가 출력되고, start 는 에러가 발생하지 않으나 포트가 오픈되지 않을때.
[해결] # /command/svscanboot & # /etc/init.d/qmail start
/etc/inittab 에도 아래 행을 삽입하여 부팅시 정상 작동되도록 합니다.
SV:123456:respawn:/command/svscanboot vimrc 설정ITWeb/서버관리 2012. 6. 11. 12:51[원본글] 저는 최소 설정만 주로 사용합니다. syntax on filetype on set encoding=utf-8 set fileencodings=utf-8,cp949,default,latin1 set termencoding=utf-8 set number set autoindent set cindent set smartindent set ruler set nocompatible set shiftwidth=4 set tabstop=4 set showmatch set backspace=indent,eol,start set backspace=2 set paste set history=500 set hlsearch set wrapscan [원본내용] 1 " #################### Vim #################### 2 " ########## File ########## 3 set nocompatible 4 set backspace=indent,eol,start " Backspace 사용에 이전 줄과 연결 5 set backup " Backup 활성화 6 set backupdir=~/.vim/backup 7 set history=50 " 명령어 기록 수 8 set novisualbell " 화면 깜빡임 사용안함 9 set noerrorbells " 오류음 사용안함 10 set lazyredraw " 매크로 실행중 화면을 다시 그리지 않음 11 set loadplugins " 프로그램 시작시에 플러그인 로딩 12 13 set encoding=utf-8 " encoding 설정 14 set fileencodings=utf-8,cp949,default,latin1 15 set termencoding=utf-8 16 17 set printencoding=utf-8 " 인쇄 encoding 옵션 18 set printmbcharset=ISO10646 19 set printmbfont=r:NanumGothiccoding,c:yes,a:yes 20 21 " GUI 설정 22 if has("gui_running") 23 " 글꼴 설정 24 if has("win32") 25 set guifont=Consolas:h9:cHANGEUL 26 elseif has("unix") 27 set guifont=Consolas\ 9 " 글꼴 설정 28 set guifontwide=NanumGothicCoding\ 9 29 endif 30 set printfont=NanumGothicCoding\ 9 31 32 " 메뉴 설정 33 " set go-=m " 메뉴 34 " set go-=T " 툴바 35 set go-=l " 스크롤바 36 set go-=L 37 set go-=r 38 set go-=R 39 set go-=b 40 41 " 마우스 설정 42 set mouse=n " 마우스 이동제한 43 set nomousefocus 44 set mousemodel=popup " 마우스 동작은 popup 45 46 " 창 크기 설정 47 set lines=40 48 set co=90 49 endif 50 51 " 이전 편집 부분에서 다시 열기 52 autocmd BufReadPost * 53 \ if line("'\"") > 1 && line("'\"") <= line("$") | 54 \ exe "normal! g`\"" | 55 \ endif 56 57 " ########## Edit ########## 58 set paste " 붙여넣기시 계단 현상 제거 59 set foldmethod=manual " 코드 생략은 파일형식에서 설정 60 set autoindent " 자동 들여쓰기 사용 61 set wrapscan " 검색시, 파일 끝에서 되돌리기 62 set nojoinspaces " 줄 연결은 공백을 하나만 지정함 63 set tabstop=4 " tab 간격 64 set expandtab 65 set softtabstop=4 66 set shiftwidth=4 " 자동 들여쓰기 간격 67 set showmatch " 괄호 반전 68 set autowrite " 자동저장 69 set listchars=tab:\|\ ,trail:.,extends:>,precedes:<,eol:$ " 공백문자 표시 70 set list 71 set dip=iwhite " 파일비교시 공백만 무시 72 set textwidth=0 " 텍스트 입력의 width 제한은 없음 73 74 " ########## Tool ########## 75 " ########## Syntax ########## 76 " highlight를 표시함 77 if &t_Co > 2 || has("gui_running") 78 syntax on 79 set hlsearch 80 endif 81 82 highlight clear 83 set background=dark 84 highlight Normal guifg=Gray80 guibg=Black ctermfg=White 85 highlight Search guifg=LightRed guibg=Black gui=reverse ctermfg=LightRed ctermbg=DarkGray cterm=reverse 86 highlight Visual guifg=Gray25 guibg=DarkGray ctermfg=LightGray ctermbg=DarkGray 87 highlight Cursor guifg=Black guibg=Green ctermfg=Black ctermbg=Green 88 highlight CursorIM guifg=Black guibg=Yellow ctermfg=Black ctermbg=Yellow 89 highlight Special guifg=Orange ctermfg=Brown 90 highlight Comment guifg=Green guibg=Black ctermfg=DarkGreen gui=italic 91 highlight StatusLine guifg=White guibg=Blue gui=NONE ctermfg=White ctermbg=Blue 92 highlight Statement guifg=Yellow gui=NONE ctermfg=Yellow cterm=NONE 93 highlight Type guifg=Cyan gui=NONE ctermfg=Cyan 94 highlight Structure guifg=Red guibg=Black 95 highlight Constant guifg=Green guibg=Black ctermfg=Gray 96 highlight String guifg=LightMagenta guibg=Black ctermfg=LightMagenta gui=italic 97 highlight Number guifg=Magenta ctermfg=Magenta 98 highlight Identifier guifg=Orange guibg=Black ctermfg=DarkYellow 99 highlight MatchParen guifg=Black guibg=LightBlue 100 highlight Folded guifg=Orange guibg=Black ctermfg=DarkGreen 101 highlight link IncSearch Visual 102 highlight link Character Constant 103 highlight link Boolean Constant 104 highlight link Float Number 105 highlight link typedef Type 106 highlight link Operator Statement 107 highlight link Keyword Statement 108 highlight link Exception Statement 109 110 " ########## Window ########## 111 set number " 줄번호 표시 112 set nuw=5 113 set linespace=0 " 줄간격 114 set nowrap " 줄바꿈 안함 115 set ruler " 커서 위치를 표시함 116 set showcmd " 마지막 라인에 커맨드표시 117 118 " Status 모양 119 highlight User1 term=underline cterm=bold ctermfg=Cyan ctermbg=Blue gui=underline gui=bold guifg=#40ffff guibg=#0000aa 120 highlight User2 term=underline cterm=underline ctermfg=green gui=underline guifg=#00ff00 121 highlight User3 term=underline cterm=underline ctermfg=yellow gui=underline guifg=#ffff00 122 highlight User4 term=underline cterm=underline ctermfg=white gui=underline guifg=#ffffff 123 highlight User5 ctermfg=cyan 124 highlight User6 ctermfg=white 125 set statusline=%4*%<\ %1*[%F] 126 set statusline+=%4*\ %5*[%{&encoding}, " encoding 127 set statusline+=%{&fileformat}]%m " file format 128 set statusline+=%4*%=\ %6*%y%4*\ %3*%l%4*/%L,\ %3*%c%4*\ \<\ %2*%P%4*\ \> 129 set laststatus=2 130 131 " ########## Short Cuts ########## 132 " Shift+Enter로 아래줄로 커서 넘기기 기능 133 map <S-CR> <ESC>o 134 map! <S-CR> <ESC>o 135 "현재 줄의 마지막에 이어 쓰기 136 map! <C-TAB> <S-CR><ESC>i<BACKSPACE> 137 " 영역이 지정된 상태에서 Tab과 Shift+Tab으로 들여쓰기/내어쓰기를 할 수 있도록 함. 138 " map <Tab> >gv 139 " map <S-Tab> <gv 140 " Tab 열기, 이동 141 map <F2> :tabnew<CR> 142 map <F4> :w<CR> 143 map <C-h> gT 144 map <C-l> gt 145 " 코드 폴딩 146 " map <C-k> zc 147 " map <C-j> zo 148 " Shell 호출 149 map <F9> :shell<CR> 150 151 " Trinity의 설정 152 "" Open and close all the three plugins on the same time 153 nmap <F8> :TrinityToggleAll<CR> 154 " // Set the height of Source Explorer window 155 let g:SrcExpl_winHeight = 8 156 " // Set 100 ms for refreshing the Source Explorer 157 let g:SrcExpl_refreshTime = 100 158 " // Set "Enter" key to jump into the exact definition context 159 " let g:SrcExpl_jumpKey = "<ENTER>" 160 " // Set "Space" key for back from the definition context 161 let g:SrcExpl_gobackKey = "<SPACE>" 162 " // In order to Avoid conflicts, the Source Explorer should know what plugins 163 " // are using buffers. And you need add their bufname into the list below 164 " // according to the command ":buffers!" 165 let g:SrcExpl_pluginList = [ 166 \ "__Tag_List__", 167 \ "_NERD_tree_", 168 \ "Source_Explorer" 169 \ ] 170 " // Enable/Disable the local definition searching, and note that this is not 171 " // guaranteed to work, the Source Explorer doesn't check the syntax for now. 172 " // It only searches for a match with the keyword according to command 'gd' 173 let g:SrcExpl_searchLocalDef = 1 174 " // Do not let the Source Explorer update the tags file when opening 175 let g:SrcExpl_isUpdateTags = 0 176 " // Use 'Exuberant Ctags' with '--sort=foldcase -R .' or '-L cscope.files' to 177 " // create/update a tags file 178 let g:SrcExpl_updateTagsCmd = "ctags --sort=foldcase -R ." 179 " // Set "<F12>" key for updating the tags file artificially 180 let g:SrcExpl_updateTagsKey = "<F12>" 181 182 " ########## File Type ########## 183 filetype plugin on " 파일 종류 자동 인식 184 filetype indent on 185 186 if has("autocmd") 187 autocmd FileType * map <F12> :w<CR> 188 189 " 자동완성 190 autocmd FileType * inoremap { {}<LEFT> 191 autocmd FileType * inoremap [ []<LEFT> 192 autocmd FileType * inoremap ( ()<LEFT> 193 autocmd FileType * inoremap " ""<LEFT> 194 autocmd FileType * inoremap ' ''<LEFT> 195 196 " Python 설정 197 autocmd BufNewFile,BufRead *.py setfiletype python 198 autocmd BufNewFile *.py 0r ~/.vim/templetes/skeleton.py 199 autocmd FileType python set syntax=python 200 autocmd FileType python set autoindent 201 autocmd FileType python set foldmethod=indent 202 autocmd FileType python set complete+=k~/.vim/syntax/python.vim isk+=.,( 203 autocmd FileType python noremap <F12> :w<CR>:!python %<CR> 204 autocmd FileType python noremap <C-F12> :w<CR>:!python % 205 206 " R 설정 207 autocmd BufNewFile,BufRead *.R setfiletype r 208 autocmd BufNewFile *.R 0r ~/.vim/templetes/skeleton.R 209 autocmd FileType r set syntax=r 210 autocmd FileType r set autoindent 211 autocmd FileType r set foldmethod=indent 212 autocmd BufNewFile,BufRead *.R inoremap { {<CR>}<C-O>O 213 214 " Graphviz 설정 215 autocmd BufNewFile,BufRead *.dot set autoindent 216 autocmd BufNewFile *.dot 0r ~/.vim/templetes/skeleton.dot 217 autocmd BufNewFile,BufRead *.dot noremap <F12> :w<CR>:!dot -Tpng % -O<CR>:!eog %.png<CR> 218 endif [Qmail] Spamhaus FAQITWeb/서버관리 2012. 5. 22. 11:10Spamhaus FAQ Lists.
[Qmail] Spamhaus Rsync 설치 가이드ITWeb/서버관리 2012. 5. 22. 11:09Datafeed Installation Guide Contents1.0 Introduction1.1 Using The Service1.2 The Plan2.0 Preparation2.1 Requirements2.2 Directory organization2.3 Users and groups2.4 Clock2.5 Firewall settings3.0 Installing and running rsync3.1 Why rsync ?3.2 Installation3.3 Syntax3.4 Running via cron3.5 Configuring spamhaus-sync.sh3.6 Verifying data integrity3.7 Limiting bandwidth usage4.0 Installing and running rbldnsd4.1 Installation4.1.1 Installation on Linux Debian and Ubuntu4.2 Running4.3 Options and arguments4.3.1 Select an IP (-b option)4.3.2 Select the root directory (-r option)4.3.3 Select the working directory (-w option)4.3.4 Fork a child during reloads (-f option)4.3.5 Arguments: mapping datasets to zones4.3.6 Restricting access4.4 Launching at boot4.4.1 Launching at boot using Linux Debian and Ubuntu4.5 Security and access limitation4.6 Testing rbldnsd5.0 Configuring your DNS resolver5.1 Delegation method5.2 Forwarding method5.2.1 Forwarding method using Bind 8 and 95.2.2 Forwarding method using dnscache5.2.3 Forwarding method using Microsoft DNS Server5.3 Security and access limitation5.4 Testing dnsbl resolution6.0 Configuring your mail servers6.1 General indications6.1.1 Configuring sendmail6.1.2 Configuring postfix6.1.3 Configuring qmail6.1.4 Configuring SpamAssassin6.1.5 Configuring a Barracuda Spam Firewall appliance6.1.6 Configuring a SonicWALL Email Security appliance6.1.7 Configuring a Symantec Mail Security appliance6.1.8 Configuring Clearswift MIMEsweeper1.0 Introduction1.1 Using The ServiceThis document describes how to use the Datafeed Rsync Service to block spam using the Spamhaus Project blocking lists (BL). The Datafeed Rsync Service has these advantages over the traditional scheme based on DNS queries over the public DNS infrastructure of the Spamhaus Project:
Besides the four BL (SBL, PBL, XBL and DBL), the Datafeed Rsync Service also includes access to two whitelists (WL), SWL and DWL, introduced in September 2010 and currently in the process of being populated. The Datafeed Rsync Service requires availability of a machine running Linux, FreeBSD, OpenBSD, NetBSD or some other variety of Unix (such as Mac OS/X, Solaris, Tru64, HPUX, AIX, Irix, etc.) The memory and CPU requirements are usually modest, so that old PCs are typically up to the task. For instance, a 400 MHz Pentium with 512 MB of memory is usually sufficient for small organizations. A virtual machine with 512 MB would also be fine. For customers running Microsoft operating systems, we recommend using the Datafeed Query Service instead. This service is based on DNS queries sent to the Internet rather than local, but answered by an infrastructure entirely separate from the public infrastructure. 1.2 The PlanYou will need to do the following:
2.0 Preparation2.1 RequirementsYou need a server with a Linux or Unix-like operating system to be able to run rsync and rbldnsd.rsync is a program to maintain a mirror copy of one or more files, and is nowadays available in the base distribution or as a package on all the major platforms. rbldnsd is a DNS server specialized to serve blocking list data, and can also run on several Unix-like operating system. It is known to be working on Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX. Unless your traffic volumes are high (on the scale of millions of messages per day), the hardware requirements for your server are moderate. Normally a server with, say, a 400 MHz CPU and 512MB of RAM is adequate. In particular, the rbldnsd process with all the lists loaded takes usually between 100MB and 150MB of RAM. Disk space usage should remain within 500 MB (also considering the increased storage requirements during the rsync updates). It is not necessary to assign a dedicated server for this task; most organizations install the software on an existing server, or on a virtual machine. At the time of this manual version, synchronizing the zones usually implies about 50 MB of incoming data per hour. This quite large amount is mostly caused by the highly dynamic nature of ``zombie'' (trojaned) PCs: hundreds of thousands of IP addresses can enter and leave our XBL database in a single day. For this reason, a bandwidth of at least 512 kbps is recommended to run a Data Feed, and 2 Mbps is desirable. It is possible to confine a Datafeed to use a lesser amount of bandwidth using techniques discussed in the rsync configuration section, but we do not recommend to assign less than 256 kbps. We recommend that users with limited bandwidth use the Rsync Query service instead. You need to be in control of the DNS server(s) handling general DNS resolutions on your network. If you are currently using DNS resolvers provided by your ISP, prepare to install and use your own (using the DNS server software of your choice). This has nothing to do with the authoritative DNS service for your domain(s), which may well remain hosted by an ISP. 2.2 Directory organizationYou need to define a directory where Spamhaus files are imported by the rsync process, and another where they are used by the rbldnsd process. In the remainder of this document it will be assumed that these two directories are respectively /usr/local/dnsbl/spamhaus and /usr/local/dnsbl/rbldnsd, although you can relocate these directories in any place on your system. You will not need to define any subdirectory within those directories.2.3 Users and groupsYou will need to create a user named rbldns and a group also named rbldns (note that, for historical reasons, there is no "d" at the end of the name). This user will have no shell and no home directory. The most common choice for UID and GID is perhaps 153, but you may choose any unused number. rbldnsdwill run under this user and group. If you install rbldnsd as a package prepared for your operating system (if available), this step will likely be done automatically during the installation process, with UID and GID assigned automatically.Note that rbldnsd does not need write access to the dataset files. For security reasons, all datasets used by rbldnsd must not be owned by the user rbldns. rsync can run under any existing user in the system. 2.4 ClockMake sure that your machine is running with the correct clock, so that your server will synchronize the zone files at the times indicated in the instructions.It is a good idea to keep the time synchronized with an external source using the ntpd daemon. Please check your system documentation for details. 2.5 Firewall settingsYou need to allow outgoing traffic to port 873/tcp in order to reach the Spamhaus rsync servers. Note that Spamhaus has several servers at different IPs scattered throughout the world, that may change because of maintenance, hardware failures, network malfunctions, IP relocations, DDOS attacks, supplier changes, etc. While the service is stable, IPs of specific servers are not. We therefore discourage people from allowing only rsync traffic going to specific IPs. Since the rsync connections are initiated by you and you will not be running a rsync server (just a client), opening outbound rsync traffic to any destination does not constitute a significant security risk. A large fraction of support tickets opened by our customers is related with useless firewalling of outbound rsync traffic at the customer site.If your server is running ntpd, traffic from 123/udp and directed to 123/udp should also be allowed in both directions to allow your server to talk with the time servers on the Internet. Of course, to and from DNS traffic between the rbldnsd server and its clients must also be allowed.rbldnsd only uses 53/udp -- it does not use 53/tcp. Access to the rbldnsd server should be limited to your local DNS resolvers and to any other IP that needs to be able to send queries directly to therbldnsd server. In all cases, do not allow access to the rbldnsd server from unknown clients outside your network. 3.0 Installing and running rsync3.1 Why rsync ?The rsync program is one of the best options for data transfer in all cases where a previous version of the file is already available. Since rsync transmits only file differences across the communication channel, this allows for high efficiency when changes between the current and the previous version constitute a small fraction of the whole file.This is the typical scenario for blocking lists, which are usually rather large files with a limited number of modifications between one version and the next. Keeping a copy updated using rsync is therefore much more efficient than using ftp or http even when compression schemes are used. While compression can still be used, it brings limited advantages and some important disadvantages (for instance increased CPU load), so we do not use it. Rather, we have tried to organize data within the XBL zone (which is by far larger than SBL, PBL and DBL) so that file changes between updates tend to cluster in specific areas of the file. Due to the way the rsync algorithm works, such measure decreases the number of bytes transferred in each update and makes the whole synchronization process more efficient. 3.2 InstallationNowadays rsync can usually be found within the regular operating system distributions. Otherwise, it can be downloaded from the rsync home site and installed ("make install"). Note that you will need only the client component, so you do not need to run the server daemon. Also, there is no need to edit any configuration file.To verify that your client is working, try the command rsync na.dr.spamhaus.net::You should see a 'Welcome' message and a directory list from our server. Note: If you see a message like Please contact Spamhaus Technology if you are interested in using this service. See http://www.spamhaus.org/datafeed/ for further informations.it means that you are connecting from an IP address not authorized to connect to our Datafeed servers. If the machine has multiple interfaces, try again making sure that the source IP of the connection is the one that you sent to Spamhaus. This can be done using the --address option of rsync, like in rsync --address=1.2.3.4 na.dr.spamhaus.net::(replace "1.2.3.4" with the IP address on your machine supposed to be authorized to use the Datafeed Rsync service). If this does not solve the problem, contact support. Note: If you get a "Connection refused" message or can not connect for other reasons, it is likely that some firewall at your side is blocking outbound rsync traffic. Please see the subsection on Firewall settings about the firewalling policies for rsync outbound traffic. 3.3 SyntaxIn general, calling rsync with one argument results in a directory listing, while calling it with two arguments results in a file synchronization. The second argument must be the name of the local file.The spamhaus-sync.sh script takes care of details, so you do not really need to worry about the command syntax if you are not using rsync for other purposes. In case you need to access the directory directly, rather than through spamhaus-sync.sh, keep in mind that there are two different but equivalent syntaxes to specify the location of a remote file. One is the traditional rsync syntax rsync na.dr.spamhaus.net::rbldnsd/remotefile localfilewhile the other is the more recent URL syntax rsync rsync://na.dr.spamhaus.net/rbldnsd/remotefile localfileChoose the syntax style that you prefer. 3.4 Running via cronYou will use a cron job to call a script named spamhaus-sync.sh every minute. This does not mean that all the zone files will be synchronized every minute. SpamTeq controls the zones update policies through some parameters contained in the zone files, and tuned to optimize the service and avoid congestions when there are major updates. On the basis of these parameters and of the current time, every minute the script will decide what BL and WL files will be updated.The service now requires version 3.1.2 of spamhaus-sync.sh, distributed since October 27, 2010. If you are a Datafeed customer from before that date, please replace your script with the current one. If you were still running a version 2.x.x script, you also need to change the crontab entry to call the script every minute rather than every 30 minutes. The line to be defined in /etc/crontab will be like * * * * * service /usr/local/bin/spamhaus-sync.shThe shell script spamhaus-sync.sh can be downloaded using the command rsync na.dr.spamhaus.net::tools/spamhaus-sync.sh spamhaus-sync.shIn this example the script will be run as user service (of course this can be any valid username in your system, but please do not use root!). The reason we execute a script rather than the rsync program itself is the script allows us to do some additional bookkeeping, get some better diagnostics in case of errors, and to make the system more robust against possible network troubles. Note: We are not supporting usage of scripts different from spamhaus-sync.sh (which is designed to minimize the risk of congestions). If you have particular needs that spamhaus-sync.sh can not address, please contact us. Note: In all cases, never use the IP address of a specific Spamhaus rsync server in scripts. IPs can change at any time and without notice in advance. This is essential to achieve continuity of service in presence of adverse network conditions (such as DDoS attacks, etc), or we can simply decide to distribute traffic between different servers, change IPs for server maintenance purposes, add new servers, etc. Note that the time-to-live of DNS records for our rsync servers is very short exactly for these reasons. In practice, a DNS lookup to discover the rsync server IPs should be made before any synchronization. Note: For the same reasons given above, we do not recommend you block outbound rsync traffic by default, "punching holes" for the Spamhaus servers IPs. These IPs can change at any time, resulting in troubles until you reconfigure the firewall rules. If security is a concern, we recommend you define a rule acting on the source IP, allowing outbound rsync connections to any destination but only if coming from the specific IP of your machine initiating the rsync connections. Remember that we are talking about outbound connections only: you will not have any rsync server running, just a client. Risks are minimal and not larger than the risks associated with running a web browser in your network (which you probably do without having to punch a hole in the firewall for any web site you want to visit). Note: If your bandwidth availability is limited (of the order of 1 Mbps or less) and the synchronization causes a congestion of your link affecting other activites, you may consider to use the --bwlimit=KBPSoption of rsync, that can decrease the bandwidth at the expense of a longer synchronization time, as discussed in a subsection below. 3.5 Configuring spamhaus-sync.shBefore using it, you need to edit spamhaus-sync.sh to tailor it to your environment. The configuration variables are confined in the initial section of the script, and you are not supposed to need making changes outside of this section.These notes refer to version 3.1.2 or later of spamhaus-sync.sh, available since October 27, 2010. If you have a version 2.x.x or 3.0.x script from a previous installation, please download the most recent version from our rsync server before proceeding. We now review the configuration variables. In the most common situations, only TROUBLES, WORKDIR and RSYNCPOOL need to be changed.
Finally note there should be no output sent to stdout or stderr, as output will go to spamhaus-sync.out in the OUTDIR directory independently on how the script is run. This file is costantly overwritten by different executions, and it is generated only for diagnostic purposes. 3.6 Verifying data integrityThe data integrity verification is incorporated in the spamhaus-sync.sh script. We describe it here briefly, mainly for the benefit of users setting up their own scripts.If you look at the bottom of a Spamhaus zone file, you will see a line like # CKSUM: 2767122920 379852This line, generated by Spamhaus at the end of the zone file construction process, contains the output of the cksum program (available in nearly all the most common Unix/Linux distributions). The two numbers are in the order a checksum CRC and the total number of bytes in the file, computed by considering the whole zone file except the last line (the one we are talking about). Therefore, this line can be used to verify the integrity of the file at the end of the synchronization procedure. Files that do not pass the verification should not be put into production. Likewise, files that do not contain the CKSUM line at the end are corrupted and should not be put into production. Verification failures are rather uncommon, and if they occur repeatedly they may indicate the presence of serious network or hardware malfunctions. The Bourne shell code accomplishing the verification is usually the following: CRC0=`tail -1 xbl | awk '{print $3}'` CRC1=`sed '$d' xbl | cksum | awk '{print $1}'` if [ "$CRC0" = "$CRC1" ] then (ok) else (fail) fiwhere (ok) and (fail) should be expanded to the appropriate commands to handle success or failure respectively. $CRC0 is the checksum as extracted from the file, while $CRC1 is the checksum as computed from the file. 3.7 Limiting bandwidth usageIf it is found that the Datafeed Rsync service is using up too much bandwidth during updates, saturating your line and slowing down other activities, bandwidth usage can limited using the --bwlimit=KBPS option of rsync. This option can be added in the RSYNCOPTS variable in the spamhaus-sync.sh script. For instance:RSYNCOPTS="-L -t --timeout=120 --bwlimit=64"Note: the bandwidth is expressed in kilobytes per second, while line speeds are usually given in bits per second (bps). Therefore, the KBPS parameter must be multipled by 8K to give the actual bandwidth limit in bps. In the example given above, the limit would be 512 kbps. Since large updates currently may require transferring about 15 MB (with occasional peaks up to 20 MB or possibly more), the updating time with a limit of KBPS kilobytes per second would result in a transfer time of the order of 250/KBPS minutes: or about 2 minutes for KBPS=128, 4 minutes for KBPS=64, etc. Given that updates should complete within at most a few minutes, going below KBPS=64 (512 kbps) should be regarded as risky in terms of performance. A value as low as KBPS=16 (128 kbps) is almost guaranteed to give problems, and we recommend not to go below 32 ever. Also note that this mechanism is only effective to decrease the intensity of bandwidth peaks by increasing their duration. It will not decrease the average bandwidth, which is determined by the amount of data to be transferred. For the same reason, changing the updating interval can not improve the situation much. Updating less often would result in a larger amount of data transferred for each synchronization, and viceversa. In other words, if you can not dedicate enough bandwidth you will simply not be able to keep up with the astounding rate of creation of new spam emitters and spam domains on the Internet. Considering that having fresh copies of XBL and DBL is important to block spam from new emitters and advertising new domains, we do not recommend to increase the updating intervals, as this would mean more spam with limited bandwidth savings. Users with bandwidth problems should consider the Datafeed Query service instead. 4.0 Installing and running rbldnsdrbldnsd is a specialized DNS server, written by Michael J. Tokarev, designed and optimized to answer blocking list queries. Among its advantages:
It is important to note that rbldnsd is not a complete nameserver (such as, for instance, Bind) and, in particular, it does not have a caching facility: it can only answer (authoritatively) queries about the blocking list zones it has loaded, and nothing else. Therefore, it will not replace the DNS resolver(s) you are using in your network. The thing to do is to inform the resolver(s) that the local BL/WL queries (and only those!) are answered by the rbldnsd server, and this point is discussed in section 5. 4.1 InstallationAs already indicated, rbldnsd can run on all the major Unix-like operating systems. Check if a rbldnsdpackage is available for your platform. If not, download the source code, compile it (usually this means giving the commands ./configure and make), and install the resulting executable file in an appropriate directory, such as for instance /usr/local/sbin. This can be done simply by copying the rbldnsdexecutable file. You may also wish to install the man page, and check the existence of user and grouprbldns as indicated in a previous section. That is all: there are no configuration files, all the relevant informations are passed via command line when starting the program as described below.In case of installation troubles please refer to the program documentation or to the rbldnsd mailing list. We suggest that you subscribe to the mailing list anyway (mail volumes are moderate). 4.1.1 Installation on Linux Debian and UbuntuUsers of the Debian and Ubuntu Linux distributions can install rbldnsd as a package usingapt-get install rbldnsd 4.2 RunningWe recommend that you create a local domain -- one which does not exist on the Internet -- to host your local blocking lists. This has several advantages:
In this document it will be assumed that your BL and WL domain will be dnsbl. Therefore, for instance, you will send queries to sbl.dnsbl rather than to sbl.spamhaus.org. Note that this local domain name is totally arbitrary and can be changed at will. rbldnsd can combine one or more datasets into a DNS zone, and can simultaneously serve different DNS zones. A dataset is, basically, a file containing IP addresses and ranges; a DNS zone is the domain queried via DNS to obtain informations about an IP address. As far as we are concerned, you will deal with six datasets (sbl, pbl, xbl, dbl, swl and dwl) that will be mapped onto six zones (sbl.dnsbl,pbl.dnsbl, xbl.dnsbl, dbl.dnsbl, swl.dnsbl and dwl.dnsbl). It is also possible to combine the first three datasets (all containing IP addresses) into a single zone zen.dnsbl, with a slight gain in efficiency and a slight loss in flexibility. Furthermore, it is possible to define the individual zones and the combined zone. The kind of mapping to use is entirely up to you. Mappings are defined in the command line arguments used to launch rbldnsd, as discussed in the next section. rbldnsd reloads itself when it notices that a dataset file changed. So there is no need to give any "reload" command during normal operation. 4.3 Options and argumentsIn this section we discuss the options of the rbldnsd command which we considered relevant for the operation of your Datafeed Rsync service. A complete list of options can be found on the rbldnsd man page.4.3.1 Select an IP (-b option)Specifying this option is required: there is no default. You will give this option multiple times if yourrbldnsd needs to listen to several IP addresses.If you are going to run rbldnsd on a machine with no regular DNS server (the simplest situation), you will specify the option -b IP.ad.dre.ss, where IP.ad.dre.ss is the primary IP address of your system. This must be an address visible by all the DNS resolver(s) in your network that need to be able to send BL queries -- the resolver(s) used by your mail servers. If, on the other hand, you are going to run rbldnsd on the same machine hosting your local DNS resolver, or any other DNS server, you need to assign different IPs to the two servers to avoid a conflict on port 53 (if your resolver is Bind 9, it is also possible to bind rbldnsd to a different port, as detailed in section 5.2.1, however this is often problematic and we do not recommend it). If you wish, you can bindrbldnsd to the localhost interface 127.0.0.1 and Bind (or whatever your DNS server is) on the main Ethernet interface. This is valid if rbldnsd needs to be accessed only from the DNS resolver on the same machine. If your DNS server is already occupying port 53 of 127.0.0.1, you can also create a second localhost address (such as 127.0.0.2) and bind rbldnsd to this address (this is often preferable to using a non-standard port number). If you need to access rbldnsd from other machines in your network, you will have to create an IP alias for the Ethernet interface and bind rbldnsd to that alias. rbldnsd can be simultaneously bound to several IP addresses on the machine. According to the program documentation, using more than one address implies a small performance penalty. We will assume that you will use just one address; let this address be, for sake of simplicity, 1.2.3.4. Once you have selected the address, make sure that Bind (or whatever your DNS server is) will not bind to this address when starting. By default Bind binds all the available addresses, so to obtain this result you have to editnamed.conf specifying the addresses you want Bind to use. For instance, if your machine has 1.2.3.3 and 1.2.3.4 as IP addresses of the main Ethernet interface, options { ... listen-on { 127.0.0.1; 1.2.3.3; }; ... };in named.conf would leave 1.2.3.4 available for rbldnsd. The rbldnsd command line option -b 1.2.3.4 will then instruct rbldnsd to use that IP. 4.3.2 Select the root directory (-r option)rbldnsd will do a "chroot" within the directory you indicate with the -r directory option. This means that this directory will play the role of the root directory / as far as the program is concerned, and so the program will be unable to access anything outside it, with an obvious security advantage.Using the organization discussed in section 2.2, we will use -r /usr/local/dnsbl As far as rbldnsd is concerned, the directory that you specify with this option becomes the root directory. Therefore, the program will map an absolute path name like /path/na/me into a filename/usr/local/dnsbl/path/na/me in your filesystem. Moreover, there is no way to refer to files outside the root directory: do not attempt to use symbolic links to escape the root jail. Moreover, you should use relative pathnames in symbolic links, as in % cd /usr/local/dnsbl/rbldnsd % ln -s ../spamhaus/sbl sbl % ln -s ../spamhaus/pbl pbl % ln -s ../spamhaus/xbl xbl % ln -s ../spamhaus/dbl dbl % ln -s ../spamhaus/swl swl % ln -s ../spamhaus/dwl dwlSymbolic links defined using full pathnames would not work correctly when using the chroot option, and would cause rbldnsd to be unable to find the zone files. Note: sbl, pbl, xbl, dbl, swl, dwl above are files, not subdirectories. 4.3.3 Select the working directory (-w option)Within the root directory defined by the -r option, and again referring to the structure discussed in section 2.2, we will use-w rbldnsdto specify the directory where rbldnsd expects to find its files. This will be /usr/local/dnsbl/rbldnsd in your filesystem. In our case these files are symbolic links. rbldnsd will be able to follow them, because the files themselves are still within the rbldnsd root directory. 4.3.4 Fork a child during reloads (-f option)rbldnsd can continue to process requests even during data reloads using the -f option. This is done by forking a child process to handle requests while the parent reloads the data. The price to pay is extra memory usage since two copies of the data are kept in memory during reloads.Unless you are very tight on memory, we recommend to select this option. If you do not select it, your mail servers may have to wait a few seconds (or queries may time out and cause some spam to flow through) when rbldnsd reloads. 4.3.5 Arguments: mapping datasets to zonesWe recommend, for maximum flexibility, to define independent zones for SBL, PBL, XBL, DBL, SWL, DWL, as well as the combined zone ZEN including SBL, PBL and XBL. This is done by calling rbldnsd with the following argument list:sbl.dnsbl:ip4set:sbl \ pbl.dnsbl:ip4trie:pbl \ xbl.dnsbl:ip4tset:xbl \ zen.dnsbl:ip4set:sbl \ zen.dnsbl:ip4trie:pbl \ zen.dnsbl:ip4tset:xbl \ dbl.dnsbl:dnset:dbl \ swl.dnsbl:ip4set:swl \ dwl.dnsbl:dnset:dwlThese arguments indicate how the XXX.dnsbl zones are composed out of the available datasets. Note how the zen combined zone is obtained simply by associating three different datasets to the same zone name. The string after the first colon specifies the method internally used by rbldnsd to map the file into a data structure:
Note: the \ characters are required to break the command into several lines, and they must be the last character in each line (in other words, make sure that you do not have any space after the \ !). Of course you can also define a single, long command line without any \ character. Note: the datasets must not be owned by user rbldns. The daemon only needs read access to the datasets. 4.3.6 Restricting accessIf you have bound rbldnsd to an IP address reachable from the external Internet, you may wish to restrict access to make it impossible for unauthorized third parties to use your server for BL lookups. While this can certainly be accomplished by using a firewall, it may be useful to know that rbldnsd has the possibility to define an ACL (Access Control List).To this end, create a file named acl into /usr/local/dnsbl/rbldnsd containing 0.0.0.0/1 :ignore 128.0.0.0/1 :ignore 1.2.3.0/24 :passThe first two lines indicate "block access to the whole Internet" (rbldnsd does not accept 0.0.0.0/0 as a valid entry), while the last line will contain the network range with allowed access to the service. To specify multiple networks just enter multiple pass lines. The ignore keyword means that all DNS queries received by source IPs not included in the pass lines will simply be absorbed and ignored, without returning any response. To use the acl file, add :acl:acl to the argument list in the command line (the first acl is a fixed keyword while the second acl is the file name). Do not forget the colon at the beginning; for more details see the rbldnsd man page under acl Dataset. Note: to implement access restrictions, you must be running rbldnsd release 0.996 or later. Since 0.996 was released in 2006, this condition should now be satisfied unless your O/S is really old. 4.4 Launching at bootrbldnsd is a daemon that is typically launched at boot time and left running permanently. You will therefore invoke rbldnsd at startup time, following the conventions of your operating system and giving all the options and arguments presented above. Remember to launch it in the final stage of the boot process, and particularly after the network interface has been brought up.If you installed rbldnsd as a package prepared for your operating system, there will be a script to start and stop the program, and a place where options and arguments have to be indicated. If you compiled and installed rbldnsd by yourself, you can use a simple startup script like the following: #!/bin/sh # Start the rbldnsd daemon /usr/local/sbin/rbldnsd -b 1.2.3.4 -f \ -r /usr/local/dnsbl -w rbldnsd \ sbl.dnsbl:ip4set:sbl \ pbl.dnsbl:ip4trie:pbl \ xbl.dnsbl:ip4tset:xbl \ zen.dnsbl:ip4set:sbl \ zen.dnsbl:ip4trie:pbl \ zen.dnsbl:ip4tset:xbl \ dbl.dnsbl:dnset:dbl \ swl.dnsbl:ip4tset:swl \ dwl.dnsbl:dnset:dwl \ :acl:acl(the last argument is required only if access control is used, as described in section 4.3.6). The termination script can be as simple as #!/bin/sh # Stop the rbldnsd daemon killall rbldnsd Note that -- since it binds to a privileged port -- rbldnsd must be started as root. The program drops the root privilege as soon as it binds to the DNS port. From that point on, it runs under the rbldns user. Verify that the program is started and stopped correctly using these scripts, or the similar scripts supplied by the rbldnsd package for your operating system. Note: Make sure that no space follows the \ continuation character at the end of each line, otherwise the command will be truncated and some zones will not be loaded! 4.4.1 Launching at boot using Linux Debian and UbuntuLinux Debian and Ubuntu users that have installed rbldnsd as a package (as described in section 4.1.1) should define the following variable in /etc/default/rbldnsd:RBLDNSD="dnsbl -b 1.2.3.4 -f -r /usr/local/dnsbl -w rbldnsd \ sbl.dnsbl:ip4set:sbl \ pbl.dnsbl:ip4trie:pbl \ xbl.dnsbl:ip4tset:xbl \ zen.dnsbl:ip4set:sbl \ zen.dnsbl:ip4trie:pbl \ zen.dnsbl:ip4tset:xbl \ dbl.dnsbl:dnset:dbl \ swl.dnsbl:ip4tset:swl \ dwl.dnsbl:dnset:dwl \ :acl:acl"(the last argument is required only if access control is used, as described in section 4.3.6). rbldnsd will be launched at boot, and /etc/init.d/rbldnsd {start|stop|restart|reload}will start/stop/restart/reload the daemon. 4.5 Security and access limitationWe recommend implementing an access control list (ACL) as described in section 4.3.6. Access to it can also be restricted by using a firewall to limit the transit of 53/UDP packets to and from the client systems. rbldnsd does not use TCP.4.6 Testing rbldnsdTo verify that the daemon is properly running, send A or TXT queries to the zone using the dig command or the host command. For instance,% dig A 2.0.0.127.sbl.dnsbl @1.2.3.4should show an answer 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2 Equivalently, host -t A 2.0.0.127.sbl.dnsbl 1.2.3.4should give 2.0.0.127.sbl.dnsbl has address 127.0.0.2 Note that these commands generate queries that are specifically directed to the rbldnsd server at the address 1.2.3.4. It is crucial to verify that these tests work as expected before proceeding to the next sections. 5.0 Configuring your DNS resolverYou now have a rbldnsd server capable of resolving queries in domains like sbl.dnsbl. However, dnsbl is not a top-level domain like com or org, and therefore your DNS resolver will not be capable of handling the queries until you inform it that those queries have to be sent to the local rbldnsd server. This is actually very simple, and this section explains how to do it. In the examples in this section it is assumed, like in the previous sections, that the rbldnsd server has IP address 1.2.3.4.There are two methods that can be used to achieve the desired goal: the NS delegation method and the forwarding method. The NS delegation method can be used regardless of the particular DNS server software that you are using. When using this method, your DNS resolver will learn, through the usual DNS delegation mechanisms, that BL/WL queries have to be sent to the rbldnsd server. The forwarding method can be used for some common DNS server software such as Bind (however, it can not be used with the Microsoft DNS Server). When using this method, your DNS resolver will forward the query to the rbldnsd server, get the answer and pass it back in a way completely transparent to the client. This method is slightly faster to implement, but it is somewhat less clean and finding errors is more tricky. We recommend to organizations with a complex infrastructure and several mail servers to choose the delegation method if they can. 5.1 Delegation methodIn the delegation method you create a local DNS zone named dnsbl, and explicitly define delegation records that indicate that the blocking list subzones are handled by your rbldnsd server. If you are using the Microsoft DNS Server, use the DNS Manager for this purpose. Otherwise, use the tool you commonly use to create or change information about your local domains.Create a new primary (master) zone called dnsbl, insert into it an A record pointing to your rbldnsdserver, and the NS record(s) for the list(s), like: rbldnsd IN A 1.2.3.4 sbl IN NS rbldnsd pbl IN NS rbldnsd xbl IN NS rbldnsd zen IN NS rbldnsd dbl IN NS rbldnsd swl IN NS rbldnsd dwl IN NS rbldnsdThis means that your rbldnsd server will be known with the name rbldnsd.dnsbl within your network. DNS queries like 2.0.0.127.sbl.dnsbl directed to the resolver will be diverted to the rbldnsd server for resolution. In this setup, the rbldnsd server receives query traffic directly from the machines originating the queries. Restart your DNS resolver after the changes. Note: sbl, pbl, xbl, zen, dbl, swl, dwl are DNS subdomains, not hosts. Any entry like zen IN A 1.2.3.4 ; *WRONG*will not produce any useful result. 5.2 Forwarding methodThis method does not require the creation of a new local zone. It is implemented by editing the DNS server configuration. The details depend on the DNS server you are using.Reports from the field indicates problems associated with the forwarding method used with DNSSEC. If your DNS infrastructure uses DNSSEC, we recommend using the delegation method instead. 5.2.1 Forwarding method using Bind 8 and 9If you are running Bind version 8 or version 9, edit the configuration file named.conf and insertzone "dnsbl" { type forward; forward only; forwarders { 1.2.3.4; }; };where the IP address of the rbldnsd server has been put in the forwarders list (if you have more than one rbldnsd server, include all of them in the list). Reload Bind, and it will now forward all queries ending with .dnsbl (that is, all blocking list queries, including non-Spamhaus zones that you might also have) to the rbldnsd server, wait for the answer, and return the answer to the client. In this setup, the rbldnsd server receives all query traffic from the Bind resolver. Note that Bind 9 also allow to specify a port different from port 53 for each forwarder. This allows you to put rbldnsd on the same IP as Bind, using a different port. This is done using a syntax like zone "dnsbl" { type forward; forward only; forwarders { 1.2.3.4 port 54; }; };In this way you can have Bind and rbldnsd on the same IP. This is not possible using Bind 8. This method sometimes leads to unexpected problems, and our recommendation is to use the standard port (creating new IP aliases if necessary) unless it is absolutely necessary to run on an alternate port. 5.2.2 Forwarding method using dnscacheIf you use the dnscache program within the djbdns suite, you should be able to define a forwarder by giving these commands:cd /service/dnscache echo 1.2.3.4 > root/servers/dnsbl chmod 644 root/servers/dnsbl svc -t .For further details please check the djbdns documentation. 5.2.3 Forwarding method using Microsoft DNS ServerYou can not use the forwarding method with the Microsoft DNS Server.5.3 Security and access limitationBy contractual terms you should not redistribute Spamhaus data outside your organization, even if unintentionally. In practice this means that your DNS servers should not answer dnsbl queries coming from unauthorized parties outside your network. Blocking direct access to rbldnsd has been already discussed in section 4.3.6, however you should also make sure that dnsbl queries sent to your DNS resolver from outside are not answered. This is particularly important if you chose the forwarding method.In fact, as a general rule it is recommended, for security reasons, to ignore all DNS traffic coming from external unauthorized parties -- with the only exception of requests relative to Internet domains for which your server has been designated as an authoritative server. Under Bind, access can be generally restricted by configuring ACLs in named.conf as follows: ... acl trusted { 192.168.0.0/24; 1.2.3.0/24; }; options { ... other options ... allow-query { trusted; }; allow-recursion { trusted; }; }; ...In this example, 192.168.0.0/24 is an internal network (RFC1918 addresses) used by your organization, and 1.2.3.0/24 are your external Internet addresses (they may not be present if your Internet gateway is using NAT and you only use internal addresses in your LAN). If your DNS server is also giving authoritative nameservice to specific domains, the general query access restrictions indicated in theoptions section can be overridden within the zone sections for those domains. For a more detailed discussion of these points, Bind users can consult this document prepared by Team Cymru, while users of the Microsoft DNS server can consult this and this Microsoft technical note. NOTE: if you chose the forwarding method and your DNS resolver is open to the world, you are likely redistributing Spamhaus data in violation of contractual terms. 5.4 Testing dnsbl resolutionAfter your DNS resolver has been reconfigured as indicated above and reloaded, the tests described in section 4.6 should also work without explicitly directing queries to the rbldnsd server, but simply using your local resolver. For instance,% dig A 2.0.0.127.sbl.dnsblshould produce 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2 We recommend that you perform this test from your mail servers, which will be the main "users". We also recommend to verify that the mail servers do not use any fallback resolver that does not know about the blocking lists. On Unix-like systems the list of resolvers is usually found in the file/etc/resolv.conf. All the nameserver directives in this file should point to DNS resolvers that know how to handle dnsbl resolutions. Do not proceed to the next section until these tests work as expected. 6.0 Configuring your mail serversThe last step to do is to configure your mail servers so that they send DNS queries to check if the client IPs are listed on the Spamhaus blocking lists, and reject all mails that satisfy this condition. This can be done using the generic BL lookup facility that you find in virtually all the mail server or antispam appliance products in use today. Please consult your mail server or appliance documentation for details. Moreover, the Spamhaus web site contains some useful instructions and pointers.In this section we start with some general indications, valid for all mail servers, and describe more in detail what to do for some common servers and appliances. The whitelists SWL and DWL are not covered in this section yet, firstly because several mail server products are not yet supporting their usage, but also because these lists are currently being constructed slowly and carefully and the number of entries they contain is still rather limited. We expect this situation to improve drastically during 2011. In the meanwhile, we recommend that you start serving them in your local DNS infrastructure as described in the previous sections. 6.1 General indicationsIn general, this is what you have to do:
Below are instructions on how to accomplish this for some specific cases. Note: if your setup makes use of a content analyzer separate from the mail server -- such as for instance SpamAssassin -- which also queries the Spamhaus databases to compute the spam scores assigned to messages, make sure to replace all references to spamhaus.org in its configuration with corresponding references to dnsbl. Note: do not use zen.dnsbl for content analyzers, URL verification, etc.: it contains the PBL database which is not designed for this purpose. Content analysis should be done with sbl-xbl.dnsbl or sbl.dnsbl. The former blocks more spam but may generate occasional false positives. 6.1.1 Configuring sendmailLocate the sendmail.mc file and edit it. Insert the following line (as a single line with no linefeeds):FEATURE(dnsbl, `zen.dnsbl', `"550 Mail from " $&{client_addr} " rejected using zen.spamhaus.org. Please see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')dnlThe location of the line of the file is not important. Produce a sendmail configuration file using the m4command: m4 sendmail.mc > sendmail.cfthen place sendmail.cf into the appropriate directory (usually /etc or /etc/mail) and restart sendmail. 6.1.2 Configuring postfixEdit main.cf (usually located in /etc/postfix), and addreject_rbl_client zen.dnsblin the list of recipient restrictions, as in smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.dnsbl, permitThen create a file named for instance dnsbl-reply-map containing the line zen.dnsbl 554 $client blocked using zen.spamhaus.org. Please see $rbl_txtCreate a hash map of it with postmap hash:dnsbl-reply-mapthen insert rbl_reply_maps = hash:dnsbl-reply-mapin main.cf. Reload postfix. 6.1.3 Configuring qmailFirst of all, you must have ucspi-tcp installed to enable you to run rblsmtpd, the qmail module that does DNS lookups to blocking lists and uses the results to allow or disallow SMTP connections.Edit the run file (usually located in /var/qmail/supervise/qmail-smtpd) and locate the line invokingtcpserver at the bottom of the file. It will be something like /usr/local/bin/tcpserver (...options...) \ 0 smtp \ qmail-smtpd(the details can differ in your installation, and you may see 25 in place of smtp). Insert the invocation ofrblsmtpd just before the qmail-smtpd argument as follows: /usr/local/bin/tcpserver (...options...) \ 0 smtp \ /usr/local/bin/rblsmtpd -b -r zen.dnsbl \ qmail-smtpdWith this setting, an incoming SMTP connection will launch rblsmtpd, which will check if the client IP is listed in our databases. If it is listed rblsmtpd handles the rejection dialogue, while if it is not listedrblsmtpd launches qmail-smtpd for normal mail delivery. Note: Some qmail users have reported that the BL checks are made also for outgoing mail submitted by legitimate users of the mail server using authenticated SMTP. In these cases, the client IP is not a mail server and is likely to be listed in the PBL database. Therefore, users would not be able to send mail. The standard way to solve this problem is to run a separate qmail instance that listens on port 587, accepts only authenticated mail submissions and does not use rblsmtpd. See this example and this discussion. 6.1.4 Configuring SpamAssassinIn this section we describe how to configure SpamAssassin so that it sends query to your local server rather than to the public servers of the Spamhaus Project.Note that to take advantage of the DBL component, you need SpamAssassin 3.3.1 or later. These instructions assume that your SpamAssassin version is at least 3.3.1. If you are running an earlier release, you should omit all the lines including "DBL". Go to the SpamAssassin configuration directory, which is usually /etc/mail/spamassassin or/etc/spamassassin. Insert the following definitions (overriding SpamAssassin's own definitions, referring to the Spamhaus Project public service) in the file local.cf: header __RCVD_IN_ZEN eval:check_rbl('zen','zen.dnsbl.') header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.dnsbl.','127.0.0.[45678]') header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.dnsbl.', '127.0.0.1[01]') uridnssub URIBL_SBL zen.dnsbl. A 127.0.0.2 urirhssub URIBL_DBL_SPAM dbl.dnsbl. A 127.0.1.2 urirhssub URIBL_DBL_ERROR dbl.dnsbl. A 127.0.1.255 Restart SpamAssassin. For further information we recommend to consult the SpamAssassin documentation. 6.1.5 Configuring a Barracuda Spam Firewall applianceThis subsection applies only to owners of Barracuda Spam Firewall appliances.A Barracuda can be configured to query your local servers in place of the public Spamhaus infrastructure. To achieve this goal from the web interface of the appliance:
6.1.6 Configuring a SonicWALL Email Security applianceThis subsection applies only to owners of SonicWALL appliances with Email Security, version 6.x.A SonicWALL Email Security appliance can be configured to query your local servers in place of the public Spamhaus infrastructure. To achieve this goal from the control interface of the appliance:
6.1.7 Configuring a Symantec Mail Security applianceThis subsection applies only to owners of Symantec Mail Security appliances, 8200 Series.A Symantec Mail Security appliance can be configured to query your local servers in place of the public Spamhaus infrastructure. To achieve this goal from the web interface of the appliance:
6.1.8 Configuring Clearswift MIMEsweeperThis subsection applies only to owners of Clearswift MIMEsweeper software for Microsoft Windows. We assume here a version of MIMEsweeper 5.x equipped with the SpamLogic feature.MIMEsweeper can be configured to query your local servers in place of the public Spamhaus infrastructure. To achieve this goal:
[qmail] rblsmtpd...ITWeb/서버관리 2012. 5. 21. 12:34[원본링크] [원본글] TCP/IP ucspi-tcp The rblsmtpd programrblsmtpd blocks mail from RBL-listed sites. It works with any SMTP server that can run under tcpserver.Interfacerblsmtpd opts progopts is a series of getopt-style options. prog consists of one or more arguments. Normally rblsmtpd runs prog. prog is expected to carry out an SMTP conversation to receive incoming mail messages. However, rblsmtpd does not invoke prog if it is told to block mail from this client. Instead it carries out its own limited SMTP conversation, temporarily rejecting all attempts to send a message. Meanwhile it prints one line on descriptor 2 to log its activity. rblsmtpd drops the limited SMTP conversation after 60 seconds, even if the client has not quit by then. Options:
Blocked clientsIf the $RBLSMTPD environment variable is set and is nonempty, rblsmtpd blocks mail. It uses $RBLSMTPD as an error message for the client. Normally rblsmtpd runs under tcpserver; you can use tcprules to set $RBLSMTPD for selected clients.If $RBLSMTPD is set and is empty, rblsmtpd does not block mail. If $RBLSMTPD is not set, rblsmtpd looks up $TCPREMOTEIP in the RBL, and blocks mail if $TCPREMOTEIP is listed. tcpserver sets up $TCPREMOTEIP as the IP address of the remote host. Options:
You may supply any number of -r and -a options. rblsmtpd tries each source in turn until it finds one that lists or anti-lists $TCPREMOTEIP. If you do not supply any -r options, rblsmtpd tries an RBL source of rbl.maps.vix.com. This will be changed in subsequent versions. RBL sourcesIf you want to run your own RBL source or anti-RBL source for rblsmtpd, you can use rbldns from the djbdns package.I've heard about the following public RBL sources:
Temporary errorsNormally, if $RBLSMTPD is set, rblsmtpd uses a 451 error code in its limited SMTP conversation. This tells legitimate clients to try again later. It gives innocent relay operators a chance to see the problem, prohibit relaying, get off the RBL, and get the mail delivered.However, if $RBLSMTPD begins with a hyphen, rblsmtpd removes the hyphen and uses a 553 error code. This tells legitimate clients to bounce the message immediately. There are several error-handling options for RBL lookups:
AcknowledgmentsThanks to Andrew Richards for his comments on this documentation. |