rblsmtpd blocks mail from RBL-listed sites. It works with any SMTP server that can run under tcpserver.
Interface
rblsmtpd opts prog
opts is a series of getopt-style options. prog consists of one or more arguments.
Normally rblsmtpd runs prog. prog is expected to carry out an SMTP conversation to receive incoming mail messages.
However, rblsmtpd does not invoke prog if it is told to block mail from this client. Instead it carries out its own limited SMTP conversation, temporarily rejecting all attempts to send a message. Meanwhile it prints one line on descriptor 2 to log its activity.
rblsmtpd drops the limited SMTP conversation after 60 seconds, even if the client has not quit by then.
Options:
-t n: Change the 60-second timeout to n seconds.
Blocked clients
If the $RBLSMTPD environment variable is set and is nonempty, rblsmtpd blocks mail. It uses $RBLSMTPD as an error message for the client. Normally rblsmtpd runs under tcpserver; you can use tcprules to set $RBLSMTPD for selected clients.
If $RBLSMTPD is set and is empty, rblsmtpd does not block mail.
If $RBLSMTPD is not set, rblsmtpd looks up $TCPREMOTEIP in the RBL, and blocks mail if $TCPREMOTEIP is listed. tcpserver sets up $TCPREMOTEIP as the IP address of the remote host.
Options:
-r base: Use base as an RBL source. An IP address a.b.c.d is listed by that source if d.c.b.a.base has a TXT record. rblsmtpd uses the contents of the TXT record as an error message for the client.
-a base: Use base as an anti-RBL source. An IP address a.b.c.d is anti-listed by that source if d.c.b.a.base has an A record. In this case rblsmtpd does not block mail.
You may supply any number of -r and -a options. rblsmtpd tries each source in turn until it finds one that lists or anti-lists $TCPREMOTEIP.
If you do not supply any -r options, rblsmtpd tries an RBL source of rbl.maps.vix.com. This will be changed in subsequent versions.
RBL sources
If you want to run your own RBL source or anti-RBL source for rblsmtpd, you can use rbldns from the djbdns package.
I've heard about the following public RBL sources:
dev.null.dk
list.dsbl.org, using rbldns as of 2002-03
multihop.dsbl.org, using rbldns as of 2002-03
orbs.dorkslayers.com
orbz.gst-group.co.uk
relays.osirusoft.com
unconfirmed.dsbl.org, using rbldns as of 2002-03
dnsbl.sorbs.net
cbl.abuseat.org
I've given up on the following RBL sources for various reasons:
blackholes.mail-abuse.org, demanding money for access as of 2001-07
dialups.mail-abuse.org, demanding money for access as of 2001-07
relays.mail-abuse.org, TXT records eliminated in 2000-08, demanding money for access as of 2001-07
relays.msci.memphis.edu, a copy of relays.mail-abuse.org with TXT records, disabled in 2001-01 because mail-abuse.org started demanding money
rss.maps.vix.com, renamed relays.mail-abuse.org
or.orbl.org, down as of 2001-10
relays.ordb.org, no longer in operation
bl.spamcop.net, fails to interoperate with deferred-delivery ISPs
relays.mail-abuse.org stopped working with rblsmtpd in August 2000, because all the TXT records were removed. ``They were eliminated because the zone file is growing rather large,'' the maintainers said. This problem wouldn't occur with rbldns, because rbldns databases are much smaller than zone files. However, the people who run MAPS also have financial interests in BIND, and they refuse to use rbldns.
Temporary errors
Normally, if $RBLSMTPD is set, rblsmtpd uses a 451 error code in its limited SMTP conversation. This tells legitimate clients to try again later. It gives innocent relay operators a chance to see the problem, prohibit relaying, get off the RBL, and get the mail delivered.
However, if $RBLSMTPD begins with a hyphen, rblsmtpd removes the hyphen and uses a 553 error code. This tells legitimate clients to bounce the message immediately.
There are several error-handling options for RBL lookups:
-B: (Default.) Use a 451 error code for IP addresses listed in the RBL.
-b: Use a 553 error code for IP addresses listed in the RBL.
-C: (Default.) Handle RBL lookups in a ``fail-open'' mode. If an RBL lookup fails temporarily, assume that the address is not listed; if an anti-RBL lookup fails temporarily, assume that the address is anti-listed. Unfortunately, a knowledgeable attacker can force an RBL lookup or an anti-RBL lookup to fail temporarily, so that his mail is not blocked.
-c: Handle RBL lookups in a ``fail-closed'' mode. If an RBL lookup fails temporarily, assume that the address is listed (but use a 451 error code even with -b). If an anti-RBL lookup fails temporarily, assume that the address is not anti-listed (but use a 451 error code even if a subsequent RBL lookup succeeds with -b). Unfortunately, this sometimes delays legitimate mail.
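An added example, not code from rblsmtpd or this documentation: the Python below models the decision described under "Blocked clients" and in the -B/-b/-C/-c options above, running the reversed-name TXT and A lookups against a constructed in-memory DNS table whose entries and addresses are made up for the example; the text of the 451 reply for a fail-closed temporary error is an assumption, since the page does not quote it.

```python
class TempFail(Exception):
    """DNS lookup failed temporarily (timeout or SERVFAIL)."""
# Constructed DNS table (not real data): reversed name -> records, or a TEMPFAIL marker.
TEMPFAIL = "TEMPFAIL"                             # stands for a lookup that times out
DNS = {
    "100.5.168.192.rbl.example.com": {"TXT": "Blocked: listed on rbl.example.com"},
    "56.6.168.192.whitelist.example.com": {"A": "127.0.0.1"},
    "9.0.0.10.whitelist.example.com": TEMPFAIL, "9.0.0.10.rbl.example.com": TEMPFAIL,
    "8.0.0.10.whitelist.example.com": TEMPFAIL,
    "8.0.0.10.rbl.example.com": {"TXT": "Blocked: listed on rbl.example.com"},
}

def lookup(name, rtype):
    rec = DNS.get(name)
    if rec == TEMPFAIL:
        raise TempFail(name)
    return (rec or {}).get(rtype)

def reverse_name(ip, base):
    """a.b.c.d under base becomes d.c.b.a.base, as rblsmtpd and rbldns expect."""
    a, b, c, d = ip.split(".")
    return f"{d}.{c}.{b}.{a}.{base}"

def decide(env, sources, fail_closed=False, listed_code=451, dns=lookup):
    """env: RBLSMTPD/TCPREMOTEIP as tcpserver or tcprules would set them; sources:
    ("r", base)/("a", base) pairs in command-line order; fail_closed: -c vs -C;
    listed_code: 451 (-B) or 553 (-b). Returns None (run prog) or (code, message)."""
    if "RBLSMTPD" in env:                         # tcprules already decided
        msg = env["RBLSMTPD"]
        if msg == "":
            return None
        return (553, msg[1:]) if msg.startswith("-") else (451, msg)
    if not any(kind == "r" for kind, _ in sources):
        sources = list(sources) + [("r", "rbl.maps.vix.com")]   # documented default
    code = listed_code
    for kind, base in sources:
        name = reverse_name(env["TCPREMOTEIP"], base)
        try:
            if kind == "a":
                if dns(name, "A") is not None:
                    return None                   # anti-listed: accept mail
            elif (txt := dns(name, "TXT")) is not None:
                return (code, txt)                # listed: TXT becomes the error text
        except TempFail:
            if kind == "a" and not fail_closed:   # -C: assume anti-listed
                return None
            if kind == "r" and fail_closed:       # -c: assume listed, 451 even with -b
                return (451, "temporary RBL lookup failure")   # wording assumed
            if kind == "a":                       # -c: assume not anti-listed, stay at 451
                code = 451                        # (-C with an RBL source: not listed, go on)
    return None
```

The 10.0.0.9 and 10.0.0.8 entries show the two caveats in the text: under -C a timed-out anti-RBL lookup lets the client through, and under -c a timed-out anti-RBL lookup keeps a later listing at 451 even with -b.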
Acknowledgments
Thanks to Andrew Richards for his comments on this documentation.
What is this document?
I wrote this HOWTO so that others can have one place to stop and see how to set up their own private RBL list. The information is out there, but scattered all over the place.
The color convention I use is to have the headlines in gray and the code / shell scripts in yellow.
What is rbldns?
Rbldns is a suite of programs used in conjunction with dnscache to provide RBL service. In a nutshell, IPs put into the rbldns data file show up as 127.0.0.1 responses to a specially crafted DNS query.
The IP addresses go into the file in the normal readable way, i.e. 192.168.0.1, and you query for them by reversing the address, like 1.0.168.192.example.com.
How do I use rbldns?
Normally you don't use it directly; instead a program queries an RBL server and, based on the result of the query, either runs or doesn't run the program following it.
For example, with Qmail you'll change your qmail-smtpd/run file from
tcpserver 0 smtp /var/qmail/bin/qmail-smtpd
to
tcpserver 0 smtp /usr/local/bin/rblsmtpd -a whitelist.example.com -r blacklist.example.com -r relays.ordb.org /var/qmail/bin/qmail-smtpd
According to the rblsmtpd man page, the -r and -a switches mean:
Switch   If successful, do this
-r       Quit
-a       Don't do other lookups, and continue on
In this case the steps are:
1. Do a lookup against whitelist.example.com; if successful, skip the other lookups and go on to accepting the SMTP request.
2. Do a lookup against blacklist.example.com; if that's successful, quit, printing an "RBL denied" message to the client.
3. Same as #2, but against relays.ordb.org.
How do I make my own RBL?
You should know how to set up Dnscache before trying to do this. The steps are pretty easy, but it's helpful if you know your way around.
Setting up the rbldns is pretty easy, just follow the directions on the RBLdns-conf page:
This says to set up an RBL on 127.0.0.2 that answers queries for *.rbl.example.com, and an RBL on 127.0.0.3 that answers for *.whitelist.example.com.
Note: the 'rbl' and 'whitelist' names are arbitrary. RBLdns doesn't know if this is a 'good' or a 'bad' list of addresses -- it just knows that if someone asks for 1.0.168.192.bad.example.com on IP 127.0.0.2 it should answer with a 127.0.0.1 if it has it, or nothing if it doesn't.
Start these services up like all of DJB's other daemons:
And you should see listeners on 127.0.0.2 and 127.0.0.3.
Why would I want to use a local RBL?
Why shouldn't you just rely on publicly available RBLs? For a couple of reasons:
1. You know a couple of IPs are good and you don't want to waste bandwidth by checking them against an RBL on the internet.
2. Same thing for bad ones.
3. You know your friend has a DSL line at home and an RBL blocks all home DSL users; you want to continue using the service but want to accept his mail.
4. You want to keep a 2nd source of information about who is sending mail to your server.
So part of this is being a good netizen. If you know you're getting a lot of email from a handful of IPs, you should put those in your own whitelist so that you're not continuously asking the public RBLs if they are okay.
How to resolve *.(whitelist|rbl).example.com -- DNScache way
Now that we have the RBL service ready to go we have to be able to query it. Just as we told dnscache to send all queries for *.example.com to the local tinydns IP address, we're going to do that for the RBL service.
This is the part that took me a while to think about: how do I serve both *.example.com and *.rbl.example.com? Well the same way you've already done it: through a dnscache setting.
Add two entries to your dnscache "forwarding" information:
This tells dnscache to send queries for *.whitelist.example.com to the server on 127.0.0.3, and queries for *.rbl.example.com to 127.0.0.2. If you've set up TinyDns this should be familiar.
How to resolve *.(whitelist|rbl).example.com -- TinyDns way
This might be a little cleaner if you're already serving up *.example.com results. You put in your tinydns file pointers to the (rbl|whitelist) lists:
cd /service/tinydns/root/
echo "&rbl.example.com:127.0.0.2:a" >> data
echo "&whitelist.example.com:127.0.0.3:a" >> data
make
svc -h /service/tinydns
So now when your tinydns server is queried for 1.0.168.192.rbl.example.com it will look at its file and say "That's handled by 127.0.0.2 and I'll ask it"
How do I add entries to my RBL?
Scenario: a spammer is continuously sending us email from 192.168.5.100 while our friend is sending from 192.168.6.56. We would like to avoid using public RBL servers for these two addresses.
Step 1: add the spammer to your spam list:
cd /service/rbl/black/root
echo 192.168.5.100 >> data
make
Step 2: Add your friend to your good list:
cd /service/rbl/white/root
echo 192.168.6.56 >> data
make
This is what your implementation will probably look like: an initial test against your goodlist; if that passes, continue on to the qmail-smtpd part. If that fails, then test against your local bad list. If that is successful, then quit out. If not, continue on to your 2nd and 3rd RBLs.
How do I test my RBL?
You test an RBL by sending it a query. If it is in the database then it should return with a 127.0.0.x (1 or 2) answer. If it isn't in there, then nothing comes back.
The trick is to remember to reverse your IP address, so that 192.168.0.1 becomes 1.0.168.192.myrbldomain.com
Here's a simple program to check IP addresses fed on stdin, one per line:
#!/usr/bin/perl
# Reads one IP address per line on stdin, reverses it, and reports which of
# the listed zones answer with an A record for the reversed name.
use strict;
use Net::DNS;

my @rbls = qw(rbl.example.com whitelist.example.com);
my $res  = Net::DNS::Resolver->new;

while (<>) {
    chomp;
    my $ip  = $_;
    my $rev = join ".", reverse(split /\./, $ip);   # 192.168.0.1 -> 1.0.168.192
    foreach my $rbl (@rbls) {
        my $query = $res->search("$rev.$rbl");
        next unless $query;                          # no answer: not listed here
        my $hit;
        foreach my $rr ($query->answer) {
            next unless $rr->type eq "A";
            $hit = $rr->address;
            last;
        }
        next unless $hit;
        printf "%-20s %-20s %s\n", $ip, $rbl, $hit;
    }
}
How do I contact you?
If you have any questions or comments, or just want to say thanks, drop me a line at Chris Wilkes.