Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:48] – [Configure the DNS] niccolodoc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 18:22] – [Python Script to Manage the Dynamic Zone] niccolo
Line 5: Line 5:
 We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**. We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.
  
-====== Configure the DNS ======+===== Configure the DNS =====
  
-===== Dynamic updates using an HMAC-MD5 key =====+==== Dynamic updates using an HMAC-MD5 key ====
  
 Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to allow only authenticated queries we create a **DNS key**. To generate the key we run the command: Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to allow only authenticated queries we create a **DNS key**. To generate the key we run the command:
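Review bot: the heading "Dynamic updates using an HMAC-MD5 key" is only demoted one level here, so the section still pins the TSIG key to HMAC-MD5; consider moving both the key and the heading to hmac-sha256, assuming the deployed BIND version supports it. In the context paragraph below the heading, "to allow only authenticated queries" describes a key that guards dynamic updates to the zone, so "authenticated updates" would be the accurate wording.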
Line 33: Line 33:
 </file> </file>
  
-===== The Dynamic Zone =====+==== The Dynamic Zone ====
  
 Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/var/cache/bind/bl.rigacci.org** owned by **bind:bind**: Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/var/cache/bind/bl.rigacci.org** owned by **bind:bind**:
Line 70: Line 70:
 </file> </file>
  
-====== Configure SpamAssassin ======+===== Configure SpamAssassin =====
  
 +To add a check against our DNSBL, just edit **/etc/spamassassin/local.cf** and add a section like this:
 +
 +<file>
 +header        CUSTOM_DNSBL    eval:check_rbl('bl-rigacci','bl.rigacci.org.')
 +describe      CUSTOM_DNSBL    Entries listed in bl.rigacci.org RBL
 +score         CUSTOM_DNSBL    100.0
 +</file>
 +
 +You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements.
 +
 +===== Python Script to Manage the Dynamic Zone =====
 +
 +Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a **{{.:dnsbl-tool.txt|dnsbl-tool}}** which can be used as follow:
 +
 +<code>
 +dnsbl-tool -a 192.168.10.1
 +Adding record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +<code>
 +dnsbl-tool -q 192.168.10.1
 +Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1
 +</code>
 +
 +<code>
 +dnsbl-tool -r 192.168.10.1
 +Removing record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). For doing that, you must do it from an IP address listed into the **allow-transfer** declared into named.conf.local:
 +
 +<code>
 +dig -tAXFR zen.texnet.it
 +</code>
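Review bot: the AXFR example at the end of the added text queries zen.texnet.it, while every other added line (the check_rbl rule and the dnsbl-tool output) uses bl.rigacci.org; the command should read dig -tAXFR bl.rigacci.org, or the text should say that the zone name is site-specific. In the local.cf block, score 100.0 against the stated default threshold of 5.0 makes a single listing decisive on its own, so it is worth saying next to the rule that a wrong entry is undone with dnsbl-tool -r. Minor wording: "as follow" should be "as follows", and "add, remove or query IP address into the DNSBL zone" reads better as "add, remove or query IP addresses in the DNSBL zone".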
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo