doc:appunti:linux:sa:spamassassin_private_dnsbl
Differences
This shows you the differences between two versions of the page.
doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:34] – [How to use a private DNSBL with SpamAssassin] niccolo | doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 18:23] – niccolo | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== How to use a private DNSBL with SpamAssassin ====== | + | ====== How to run a private DNSBL with SpamAssassin ====== |
Here we will present a recipe to create a personal **[[wp> | Here we will present a recipe to create a personal **[[wp> | ||
- | We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** | + | We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** |
- | ====== Configure the DNS ====== | + | ===== Configure the DNS ===== |
- | **/ | + | ==== Dynamic updates using an HMAC-MD5 key ==== |
- | < | + | Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to allow only authenticated queries we create a **DNS key**. To generate |
- | $TTL 900 ; 15 minutes | + | |
- | bl.rigacci.org | + | |
- | 1 ; serial | + | |
- | 3600 ; refresh (1 hour) | + | |
- | 600 ; retry (5 minutes) | + | |
- | 432000 | + | |
- | 10 ; minimum (10 seconds) | + | |
- | ) | + | |
- | + | ||
- | NS ns1.rigacci.org. | + | |
- | NS ns2.rigacci.org. | + | |
- | + | ||
- | $ORIGIN bl.rigacci.org. | + | |
- | $TTL 900 ; 15 minutes | + | |
- | </ | + | |
- | + | ||
- | Generate | + | |
< | < | ||
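Review bot: In the added sentence under "==== Dynamic updates using an HMAC-MD5 key ====", "to allow only authenticated queries" should read "authenticated updates": the key gates who may change the zone, and the ordinary DNSBL lookups shown later do not use it. The heading also fixes the recipe on HMAC-MD5; BIND supports hmac-sha256 for TSIG keys, which would be the better default to document here.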
Line 32: | Line 15: | ||
</ | </ | ||
- | Get the secret from the generated | + | Notice that **bl-rigacci-org_rndc-key** is the // |
< | < | ||
Line 41: | Line 24: | ||
</ | </ | ||
- | **/ | + | Now create a file name **/ |
- | + | ||
- | Be sure to set the file into **640 mode** and owned by **bind: | + | |
< | < | ||
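Review bot: The removed line "Be sure to set the file into **640 mode** and owned by **bind:" has no visible counterpart on the added side of this hunk. The file holds the shared secret, so the ownership and mode instruction should stay with the new "Now create a file" sentence if it is not already part of it. Also a typo in that sentence: "a file name" should be "a file named".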
Line 52: | Line 33: | ||
</ | </ | ||
- | **/ | + | ==== The dynamic zone ==== |
- | Suppose that **10.100.101.102** is your secondary DNS server: | + | Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/ |
+ | |||
+ | < | ||
+ | $TTL 900 ; 15 minutes | ||
+ | bl.rigacci.org | ||
+ | 1 ; serial | ||
+ | 3600 ; refresh (1 hour) | ||
+ | 600 ; retry (5 minutes) | ||
+ | 432000 | ||
+ | 10 ; minimum (10 seconds) | ||
+ | ) | ||
+ | |||
+ | NS ns1.rigacci.org. | ||
+ | NS ns2.rigacci.org. | ||
+ | |||
+ | $ORIGIN bl.rigacci.org. | ||
+ | $TTL 900 ; 15 minutes | ||
+ | </ | ||
+ | |||
+ | Add that zone to **/ | ||
< | < | ||
// | // | ||
- | // Dynamic update zone for DNS BlockList. | + | // Dynamic update zone for DNS Blackhole List. |
// | // | ||
zone " | zone " | ||
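Review bot: The zone file added in this hunk keeps "$TTL 900 ; 15 minutes" next to "10 ; minimum (10 seconds)" without saying what that means for a blocklist. One sentence after the zone file would help: a listed address that has been looked up can stay cached by resolvers for up to 15 minutes after it is removed, while a negative answer is cached for only 10 seconds, so new listings take effect quickly. The second "$TTL 900" after "$ORIGIN" repeats the first and can be dropped.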
Line 70: | Line 70: | ||
</ | </ | ||
+ | ===== Configure SpamAssassin ===== | ||
- | ====== Configure SpamAssassin ====== | + | To add a check against our DNSBL, just edit **/ |
+ | < | ||
+ | header | ||
+ | describe | ||
+ | score | ||
+ | </ | ||
+ | |||
+ | You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements. | ||
+ | |||
+ | ===== Python script to manage the dynamic zone ===== | ||
+ | |||
+ | Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a **{{.: | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -a 192.168.10.1 | ||
+ | Adding record type " | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -q 192.168.10.1 | ||
+ | Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -r 192.168.10.1 | ||
+ | Removing record type " | ||
+ | </ | ||
+ | |||
+ | To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). For doing that, you must do it from an IP address listed into the **allow-transfer** declared into named.conf.local: | ||
+ | |||
+ | < | ||
+ | dig -tAXFR zen.texnet.it | ||
+ | </ |
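Review bot: The AXFR example at the end of this hunk queries "zen.texnet.it", but every other example in this revision uses the zone "bl.rigacci.org" (see the "dnsbl-tool -q" output). Use the same zone here and show the server being queried with "@", since the text says the transfer only works from an address listed in allow-transfer on that server. Minor wording in the same hunk: "add, remove or query IP address into the DNSBL zone" reads better as "add, remove or query IP addresses in the DNSBL zone".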
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo