doc:appunti:linux:sa:spamassassin_private_dnsbl
doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:02] – created niccolo | doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 18:23] – niccolo | ||
Line 1: | Line 1: | ||
- | ====== How to use a private | + | ====== How to run a private |
+ | Here we will present a recipe to create a personal **[[wp> | ||
+ | |||
+ | We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**. | ||
+ | |||
+ | ===== Configure the DNS ===== | ||
+ | |||
+ | ==== Dynamic updates using an HMAC-MD5 key ==== | ||
+ | |||
+ | Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to allow only authenticated queries we create a **DNS key**. To generate the key we run the command: | ||
+ | |||
+ | < | ||
+ | dnssec-keygen -a HMAC-MD5 -b 512 -n USER bl-rigacci-org_rndc-key | ||
+ | </ | ||
+ | |||
+ | Notice that **bl-rigacci-org_rndc-key** is the // | ||
+ | |||
+ | < | ||
+ | cat Kbl-rigacci-org_rndc-key.+157+27575.private | ||
+ | ... | ||
+ | Key: rg2aizg+T6XkKkmpI42K7g== | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Now create a file name **/ | ||
+ | |||
+ | < | ||
+ | key " | ||
+ | algorithm hmac-md5; | ||
+ | secret " | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | ==== The dynamic zone ==== | ||
+ | |||
+ | Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/ | ||
+ | |||
+ | < | ||
+ | $TTL 900 ; 15 minutes | ||
+ | bl.rigacci.org | ||
+ | 1 ; serial | ||
+ | 3600 ; refresh (1 hour) | ||
+ | 600 ; retry (5 minutes) | ||
+ | 432000 | ||
+ | 10 ; minimum (10 seconds) | ||
+ | ) | ||
+ | |||
+ | NS ns1.rigacci.org. | ||
+ | NS ns2.rigacci.org. | ||
+ | |||
+ | $ORIGIN bl.rigacci.org. | ||
+ | $TTL 900 ; 15 minutes | ||
+ | </ | ||
+ | |||
+ | Add that zone to **/ | ||
+ | |||
+ | < | ||
+ | // | ||
+ | // Dynamic update zone for DNS Blackhole List. | ||
+ | // | ||
+ | zone " | ||
+ | type master; | ||
+ | allow-update { 127.0.0.1; 10.100.101.102; | ||
+ | allow-transfer { 127.0.0.1; 10.100.101.102; | ||
+ | file " | ||
+ | max-journal-size 500k; | ||
+ | }; | ||
+ | include "/ | ||
+ | </ | ||
+ | |||
+ | ===== Configure SpamAssassin ===== | ||
+ | |||
+ | To add a check against our DNSBL, just edit **/ | ||
+ | |||
+ | < | ||
+ | header | ||
+ | describe | ||
+ | score | ||
+ | </ | ||
+ | |||
+ | You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements. | ||
+ | |||
+ | ===== Python script to manage the dynamic zone ===== | ||
+ | |||
+ | Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a **{{.: | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -a 192.168.10.1 | ||
+ | Adding record type " | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -q 192.168.10.1 | ||
+ | Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | dnsbl-tool -r 192.168.10.1 | ||
+ | Removing record type " | ||
+ | </ | ||
+ | |||
+ | To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). For doing that, you must do it from an IP address listed into the **allow-transfer** declared into named.conf.local: | ||
+ | |||
+ | < | ||
+ | dig -tAXFR zen.texnet.it | ||
+ | </ |
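Review bot: the `allow-update` ACL in the `zone` block lists only addresses (`127.0.0.1; 10.100.101.102;` in the visible part), so unless the truncated remainder names the key, the TSIG key generated in the "Dynamic updates using an HMAC-MD5 key" section is never required for updates, and an address-only ACL can be satisfied by a forged UDP source address; add `key "bl-rigacci-org_rndc-key";` to the ACL (or switch to `update-policy`) and consider the same for `allow-transfer`, so the AXFR described at the end is also gated by the key rather than by source address alone. Two smaller points on the same hunk: the page prints what looks like a real key secret (`Key: rg2aizg+T6XkKkmpI42K7g==`), which should be replaced with a placeholder and the key regenerated now that it has been published; and `-a HMAC-MD5` should be `-a HMAC-SHA256` (`dnssec-keygen -a HMAC-SHA256` or `tsig-keygen`), since BIND has supported SHA-2 TSIG algorithms for years and HMAC-MD5 is deprecated. Finally, the AXFR example queries `zen.texnet.it` while every other line of the page uses `bl.rigacci.org`; for consistency it should read `dig -t AXFR bl.rigacci.org`.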
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo