Recipe 6.4 Using a DNS Blackhole List Service

Problem

You have been asked to configure sendmail to use a blackhole list service to stop a large amount of UCE from a wide array of sources with a minimal amount of effort.

Solution

Add the dnsbl feature to the sendmail configuration. Identify the specific blackhole list service you wish to use on the dnsbl command line. Here is an example:

 dnl Use the DSBL blacklist service
 FEATURE(`dnsbl', `list.dsbl.org')

Using Recipe 1.8 as a guide, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail , and restart sendmail.

Discussion

The dnsbl feature adds the sendmail.cf code needed to enable a DNS blacklist service. The dnsbl feature uses a K command to define the dnsbl database as a host-type database, which means lookups in dnsbl are really passed to DNS for resolution. [5] The dnsbl feature also adds a few rules to the Basic_check_relay ruleset, which is called from the check_relay ruleset. The added rules look up the connection address in the dnsbl database. If the connection address is found in the database, mail from that address is rejected with an error message. If the connection address is not found in the dnsbl database, the mail is passed on for further processing. A sendmail -bt test shows the impact of the added rewrite rules:

[5] This assumes the service switch file maps host lookups to DNS. See Chapter 5 for information on the service switch file.

 # sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > .D{client_addr}192.168.111.68
 > Basic_check_relay <>
 Basic_check_rela   input: < >
 Basic_check_rela returns: $# error $@ 5 . 7 . 1 $: "550 Rejected: " 192 . 168 . 111 . 68 " listed at list.dsbl.org"
 > /quit

Because there is no active connection (this is just a test), the first step is to statically define a connection address for the test. Next, the Basic_check_relay ruleset is called and passed an empty workspace. The workspace passed to the ruleset in this test is unimportant because the first rule added to the ruleset by the dnsbl feature unconditionally replaces the workspace with the value found in ${client_addr}. Therefore, the value looked up in the dnsbl database is the connection address stored in the ${client_addr} macro. In this test, the address 192.168.111.68 is found in the blackhole list maintained at list.dsbl.org, so mail from that address is rejected. The mail is rejected with the error message:

 550 Rejected: 192.168.111.68 listed at list.dsbl.org 
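The lookup the dnsbl rules perform can be reproduced outside sendmail, which helps both in understanding the test above and in checking a candidate list before it goes into sendmail.mc. The Python below is an added example, not code from this book or from sendmail itself. It builds the query name the way the host map does (the client address with its octets reversed, followed by the list's zone, so 192.168.111.68 becomes 68.111.168.192.list.dsbl.org), treats any A record as a listing and NXDOMAIN as not listed, and produces the same 550 text as the generated rule. It also performs the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not be) that guards against a list that has gone dead or whose lapsed domain now wildcards every query. The DNS answers in the script are a constructed table, not real data from list.dsbl.org, and dead.example.invalid is a hypothetical zone standing in for a lapsed list.

```python
"""DNSBL lookup the way sendmail's dnsbl feature performs it.

Added example; not code from the sendmail Cookbook or from sendmail.
The resolver is injectable so the script runs offline against the
constructed answer table at the bottom. With the default resolver it
queries real DNS.
"""
import ipaddress
import socket


def dnsbl_query_name(client_addr: str, zone: str) -> str:
    """Build the name sendmail's host map looks up: reversed octets + zone.

    192.168.111.68 in list.dsbl.org -> 68.111.168.192.list.dsbl.org
    """
    ip = ipaddress.IPv4Address(client_addr)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str):
    """Default resolver: A records for name, or None when the name does not exist.

    This is the DNS lookup the K command's host-type map delegates to.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return None


def check_relay(client_addr: str, zone: str, resolve=resolve_a):
    """Mirror the rule the dnsbl feature adds to Basic_check_relay.

    Returns (rejected, message); message is the text the generated
    rule produces for a listed address, None when not listed.
    """
    answers = resolve(dnsbl_query_name(client_addr, zone))
    if answers:
        return True, f"550 Rejected: {client_addr} listed at {zone}"
    return False, None


def zone_is_sane(zone: str, resolve=resolve_a) -> bool:
    """RFC 5782 sanity check to run before trusting a list.

    127.0.0.2 must be listed (the list is alive and answering) and
    127.0.0.1 must not be (the zone is not answering every query,
    which a lapsed, wildcarded list domain does and which would make
    sendmail reject every connection).
    """
    test_listed = bool(resolve(dnsbl_query_name("127.0.0.2", zone)))
    test_unlisted = not resolve(dnsbl_query_name("127.0.0.1", zone))
    return test_listed and test_unlisted


# Constructed answer table standing in for DNS. These are not real
# answers from list.dsbl.org; they only reproduce the recipe's test case.
FAKE_DNS = {
    "2.0.0.127.list.dsbl.org": ["127.0.0.2"],        # RFC 5782 test entry
    "68.111.168.192.list.dsbl.org": ["127.0.0.2"],   # the recipe's client
}


def fake_resolve(name: str):
    """Offline resolver over FAKE_DNS; the hypothetical dead zone wildcards."""
    if name.endswith(".dead.example.invalid"):
        return ["127.0.0.2"]  # every query "listed": a lapsed domain's wildcard
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for zone in ("list.dsbl.org", "dead.example.invalid"):
        print(zone, "passes RFC 5782 check:", zone_is_sane(zone, fake_resolve))
    print(check_relay("192.168.111.68", "list.dsbl.org", fake_resolve))
    print(check_relay("192.168.111.69", "list.dsbl.org", fake_resolve))
```

Run it as is to see the constructed cases; call check_relay and zone_is_sane without the third argument to query a real list from the mail server's resolver.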

The error message displays the address that was rejected and the service that recommended the rejection. This information is important: the administrators of 192.168.111.68 might need to contact the blackhole service to find out why their system is blacklisted and what they can do to get it removed from the list. Often, a system is blacklisted because of a configuration error that creates an open relay. As soon as the error is fixed, the administrator wants the system removed from the blackhole list, and knowing which services have blacklisted it tells the administrator which services must be contacted to get full mail service restored.

This configuration uses the blackhole service at list.dsbl.org only because that is the service specified with the dnsbl feature command in this recipe; the recipe is an example, not a recommendation of list.dsbl.org. There are many blackhole services available, some of which are listed in Table 6-2. Go to each service's web site and evaluate its policy for listing hosts in the database. Select the service whose policy most closely matches the policy you want to enforce on your server, and confirm that the service is still operating: a list that has shut down either answers nothing (the filter silently stops working) or, if its domain lapses and is wildcarded, answers every query (your server rejects every connection).

When no service is specified on the dnsbl feature command line, sendmail defaults to using blackholes.mail-abuse.org , which is the same service that was used by the deprecated sendmail rbl feature.

The enhdnsbl feature could be used as an alternative to dnsbl for this recipe. However, the enhdnsbl feature provides no real advantage in this particular case.

See Also

Before using any blackhole service, visit its web site. Using a blackhole service places an external organization in charge of the mail that your system receives. Evaluate the policy and mission of the blackhole listing service to ensure that its goals are compatible with yours. See Recipe 6.5 and Recipe 6.6 for additional information about blackhole services before implementing this recipe. The sendmail book covers the dnsbl feature in Section 7.2.1 and the enhdnsbl feature in 7.2.2.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt