RBL - spam blacklists howto

Discussion in 'Installation/Configuration' started by alexnz, Jun 21, 2006.

  1. alexnz

    alexnz New Member

    can someone point me in the direction on how i setup my postfix system with maildir too support the RBL anti-spam blacklist system

    thanks,
     
  2. sjau

    sjau Local Meanie

    That is quite simple. You need them to add to the "smtpd_recipient_restrictions" in your main.cf file.

    All of mien looks like that:

    Code:
    smtpd_recipient_restrictions =
            reject_invalid_hostname,
            permit_sasl_authenticated,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            permit_mynetworks,
    #       permit_sasl_authenticated,
            reject_unauth_destination,
            check_recipient_access hash:/etc/postfix/recipient_checks,
            check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
            check_helo_access hash:/etc/postfix/helo_checks,
            check_sender_access hash:/etc/postfix/sender_checks,
            check_client_access hash:/etc/postfix/client_checks,
            check_client_access pcre:/etc/postfix/client_checks.pcre,
            reject_rbl_client relays.ordb.org,
            reject_rbl_client opm.blitzed.org,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rhsbl_client blackhole.securitysage.com,
            reject_rhsbl_sender blackhole.securitysage.com,
            reject_rbl_client relays.ordb.org,
            reject_rbl_client blackholes.easynet.nl,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client proxies.blackholes.wirehub.net,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.njabl.org,
            permit
    
    As you can see in the first part I do some other checks and the RBLs start with that here:
    Just add those rbls that you want to use :)

    After you have altered the main.cf restart postfix ^^
     
    Last edited: Jun 22, 2006
  3. alexnz

    alexnz New Member

    thanks!

    ive added the full string too main.cf and restarted postfix with no issues

    ive installed rblcheck and rbldnsd using apt-get install - is this all i need too do for RBL blacklists too be added to my server?

    thanks!!!
     
  4. falko

    falko Super Moderator

    You don't need this. Just configure Postfix as outlined above. :)
     
  5. alexnz

    alexnz New Member

    thanks for that falko!
     
  6. keybd_user

    keybd_user Member

    Hi Falko,

    I have a SuSE 10.1 64bit system.
    In this case is this also the only thing necessary to put RBL's to work.

    My problem is that I have setup this in main.cf but in my postfix directory I still keep getting an enormous amount of trash mail going to :

    /var/spool/postfix/ ...

    either the emails are
    /deferred
    /defer
    /bounced (a bit less) or

    /active
    and
    /incomming

    At this point I have no user in the system! So I should get 0 emails. This is clearly spam :mad: .

    Regards,
    Pedro
     
    Last edited: Aug 17, 2006
  7. sjau

    sjau Local Meanie

    if you want to use some more checks you could also add this:

    Code:
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
    
    Those are just standards checks on whether the email "appears" to be from a legit site.
    In order to see whether you rbls work you can look at your mail.log and see if any of the lists rbls will appear in there.
     
  8. keybd_user

    keybd_user Member

    Hi,



    Thanks,

    I did already looked at the mail logs.
    and making :
    prompt:/ less mail.log | grep blackhole.securitysage.com ... and the others rbnl's

    does not return nothing ?!!?

    Where can I see if the black lists servers are working?

    regards,
    Pedro
     
  9. keybd_user

    keybd_user Member

    Hi,

    Sorry once again.
    The RBL's are working!
    Just found several:
    bl.spamcop.net blocks for certain ip's!
    Funny but on 170MB of log :eek: no other RBL is invoked :confused:
    Is it necessary any type of registration for the others ?
    They seem free in a first glimpse. ...

    Well it escaped me.

    Your line are allready in your first post. The forced identification of hostname, sender and recipient, (fqdn).

    Even like this the problem maintains.
    In the mail logs I see a lot of emails sent!
    That means postfix is still making relay for some of those emails!
    In my server this at this current rate it will be 1,5GB in the end of the month! :mad:

    Regards,
    Pedro
     
  10. sjau

    sjau Local Meanie

    Do you haven an open relay server?
     
  11. keybd_user

    keybd_user Member

    Good question, one should never assume the obvious ...

    Let me take a look ... but the standard install of postfix smtp only delivers email generated locally and postfix only delivers email locally ...


    So in principle this should not happen.
    Lets see ...
    I have made
    mynetworks_style = host
    and relay is just from local machine
    mynetworks = 127.0.0.0/8 has indicated in the man pages.

    At what parameters should I take a look in the config to make absolute sure everything is setup correctly apart from this relating to relay ? :confused:

    Also to notice is that this particular server does not have no domain MX record pointed to it.
    It is a plain server, with just a few users.
    No A records point to it, no MX records point to it.

    Regards,
    Pedro
     
  12. keybd_user

    keybd_user Member

    Hi sjan,

    Actually I now know what is the problem.

    The deferred queue was made of a lot of emails that obviously had to enter when the server was not configured correctly.
    I did not noticed this in the beggining and postfix kept trying to send those spams ..
    It was a lot of email ... something like +/-23000 emails!

    My problem is that this server might go into a blacl list! :(

    Anyway I overloaded

    smtpd_sender_restrictions
    smtpd_client_restrictions

    smtpd_data_restrictions


    and has you suggested the most important :
    smtpd_recipient_restrictions


    Regards,
    Pedro
     
  13. falko

    falko Super Moderator

    Make sure you have
    Code:
    mynetworks = 127.0.0.0/8
    in /etc/postfix/main.cf. SuSE likes to add other networks to that variable (you can check with
    Code:
    postconf -d
    ) so these other networks would be allowed to send through your server without authentication.
     
  14. keybd_user

    keybd_user Member

    Hi Falko,


    You are right.
    The problem was the default config.
    At least in SuSE 10.1 64bit by default mynetwork_style = subnet.
    (i thought it was server and localhost by default!! )
    And worst, they add (I do not know how) your IP subnet xxx.xxx.xxx.xxx/24 !
    But it was really _really_ a coincidence as the server with IP next to mine is a (micros***t) spam server! Always trying to search for relay email.
    What a luck.
    Had it been an ip in another class C and I guess I would have been safe :).

    No problem
    Now everything is ok and my IP is not listed in no spam list anymore (I actually detected the thing very fast, it was only open for some hours).
    When I detected the problem with a trivial ps ax I imediately stoped ... postfix and fixed it :) :) :D

    Regards,
    Pedro
     
  15. keybd_user

    keybd_user Member

    Hi Falko,

    I just rechecked the config and what bothers me most is that I have specifically set on the config file

    mynetworks_style= host

    and also

    mynetworks = 127.0.0.0/8

    Yesterday I did not even made a check after the change to see if it was ok.
    Now that you have mentioned it I just gave it a try and to my surprise:

    the command postconf -d shows:

    mynetwork_style = subnet
    mynetworks = 127.0.0.0/8 xxx.xxx.xxx.xxx/24

    That is my subnet!!!

    Aparently this is not affecting me as all email received is not relayed and is rejected.
    But this is strange ...
    :confused:

    Regards,
    Pedro
     
  16. keybd_user

    keybd_user Member

    It seems that postfix has a will of it's own :)

    main.cf specifically contains:

    mynetworks_style = host

    and postconf -d always shows

    mynetworks_style = subnet

    same for mynetworks and also for relay_domains, the values do not match what is on the main.cf.

    Does someone know what is happening?

    Regards,
    Pedro
     
  17. keybd_user

    keybd_user Member

    Everyone sorry for the confusion in the previous comments.

    I have been very inacurate.

    The setup is perfect.
    My confusion was due to the fact that if one makes:

    postconf -d
    the parameters shown are the defaults.

    if one makes:
    postconf -n
    the listing shows the actual main.cf parameters.


    Regards,
    Pedro

    time to go to sleep :)
     
  18. falko

    falko Super Moderator

    One thing to add: If you specify mynetworks, you don't need mynetworks_style in /etc/postfix/main.cf.
     
  19. keybd_user

    keybd_user Member

    Hi Falko,

    I noticed, and I have on the server the correct setup right now.


    Regards,
    Pedro
     
  20. RicochetPeter

    RicochetPeter New Member

     

Share This Page