Previous revision: doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:34] – [How to use a private DNSBL with SpamAssassin] niccolo
Next revision: doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 18:23] – [How to run a private DNSBL with SpamAssassin] niccolo
Line 1: Line 1:
-====== How to use a private DNSBL with SpamAssassin ======+====== How to run a private DNSBL for SpamAssassin ======
  
 Here we will present a recipe to create a personal **[[wp>Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses). Here we will present a recipe to create a personal **[[wp>Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses).
  
-We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** is used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.+We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.
  
-====== Configure the DNS ======+===== Configure the DNS =====
  
-**/var/cache/bind/bl.rigacci.org**+==== Dynamic updates using an HMAC-MD5 key ====
  
-<file> +Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python scriptto allow only authenticated queries we create a **DNS key**To generate the key we run the command:
-$TTL 900     15 minutes +
-bl.rigacci.org   IN SOA  ns1.rigacci.org. postmaster.rigacci.org. ( +
-                1       ; serial +
-                3600    ; refresh (1 hour) +
-                600     ; retry (5 minutes) +
-                432000  ; expire (5 days) +
-                10      ; minimum (10 seconds) +
-                ) +
- +
-                NS      ns1.rigacci.org. +
-                NS      ns2.rigacci.org. +
- +
-$ORIGIN bl.rigacci.org. +
-$TTL 900        ; 15 minutes +
-</file> +
- +
-Generate the DNS key:+
  
 <code> <code>
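Review bot: the new sentence under "Dynamic updates using an HMAC-MD5 key" has lost its sentence breaks ("a Python scriptto allow only authenticated queries we create a **DNS key**To generate the key"); it should read "a Python script. To allow only authenticated updates we create a **DNS key**. To generate the key we run the command:". Note also that the key authenticates dynamic updates (as the heading says), not queries, and that for a new key BIND's TSIG also supports HMAC-SHA256, which is the better choice over HMAC-MD5.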
Line 32: Line 15:
 </code> </code>
  
-Get the secret from the generated //private// file:+Notice that **bl-rigacci-org_rndc-key** is the //username// associated with the key. Two file will be created: one with the **.key** and one with the **.private** extension. Get the secret from the generated private file:
  
 <code> <code>
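Review bot: "Two file will be created" should read "Two files will be created". The rest of the added sentence is fine; it is worth saying explicitly that the **.private** file is the one holding the secret, since that is why the next step copies it out of there.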
Line 41: Line 24:
 </code> </code>
  
-**/etc/bind/bl-rigacci-org_rndc-key** +Now create a file name **/etc/bind/bl-rigacci-org_rndc-key** containing the secret, be sure to set the file into **640 mode** and owned by **bind:bind**:
- +
-Be sure to set the file into **640 mode** and owned by **bind:bind**.+
  
 <file> <file>
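Review bot: "Now create a file name **/etc/bind/bl-rigacci-org_rndc-key**" should be "a file named", and the comma splice "containing the secret, be sure to set the file" reads better split into two sentences. The 640 / **bind:bind** requirement is right; since the same secret sits in the generated **.private** file in the working directory, apply the same restriction to that file or remove it once the secret has been copied.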
Line 52: Line 33:
 </file> </file>
  
-**/etc/bind/named.conf.local**+==== The dynamic zone ====
  
-Suppose that **10.100.101.102** is your secondary DNS server:+Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/var/cache/bind/bl.rigacci.org** owned by **bind:bind**: 
 + 
 +<file> 
 +$TTL 900     ; 15 minutes 
 +bl.rigacci.org   IN SOA  ns1.rigacci.org. postmaster.rigacci.org. ( 
 +                1       ; serial 
 +                3600    ; refresh (1 hour) 
 +                600     ; retry (5 minutes) 
 +                432000  ; expire (5 days) 
 +                10      ; minimum (10 seconds) 
 +                ) 
 + 
 +                NS      ns1.rigacci.org. 
 +                NS      ns2.rigacci.org. 
 + 
 +$ORIGIN bl.rigacci.org. 
 +$TTL 900        ; 15 minutes 
 +</file> 
 + 
 +Add that zone to **/etc/bind/named.conf.local**. Suppose that **10.100.101.102** is your secondary DNS server, this is the snippet required:
  
 <file> <file>
 //-------------------------------------------------------------- //--------------------------------------------------------------
-// Dynamic update zone for DNS BlockList.+// Dynamic update zone for DNS Blackhole List.
 //-------------------------------------------------------------- //--------------------------------------------------------------
 zone "bl.rigacci.org" { zone "bl.rigacci.org" {
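Review bot: "Suppose that **10.100.101.102** is your secondary DNS server, this is the snippet required:" is a comma splice; split it into "... secondary DNS server. This is the snippet required:". On the zone file itself: because the zone is updated dynamically, named writes a journal file (bl.rigacci.org.jnl) beside it, so the directory /var/cache/bind must be writable by the bind user as well, not only the zone file; and the second "$TTL 900" after $ORIGIN repeats the one at the top and can be dropped.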
Line 70: Line 70:
 </file> </file>
  
 +===== Configure SpamAssassin =====
  
-====== Configure SpamAssassin ======+To add a check against our DNSBL, just edit **/etc/spamassassin/local.cf** and add a section like this:
  
 +<file>
 +header        CUSTOM_DNSBL    eval:check_rbl('bl-rigacci','bl.rigacci.org.')
 +describe      CUSTOM_DNSBL    Entries listed in bl.rigacci.org RBL
 +score         CUSTOM_DNSBL    100.0
 +</file>
 +
 +You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements.
 +
 +===== Python script to manage the dynamic zone =====
 +
 +Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a **{{.:dnsbl-tool.txt|dnsbl-tool}}** which can be used as follow:
 +
 +<code>
 +dnsbl-tool -a 192.168.10.1
 +Adding record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +<code>
 +dnsbl-tool -q 192.168.10.1
 +Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1
 +</code>
 +
 +<code>
 +dnsbl-tool -r 192.168.10.1
 +Removing record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). For doing that, you must do it from an IP address listed into the **allow-transfer** declared into named.conf.local:
 +
 +<code>
 +dig -tAXFR zen.texnet.it
 +</code>
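Review bot: the AXFR example at the end queries **zen.texnet.it**, which is not the zone configured anywhere else on this page; it should transfer the zone set up above, as in `dig -t AXFR bl.rigacci.org @ns1.rigacci.org`, asking the authoritative server directly since a recursive resolver will not serve a transfer. The point about **allow-transfer** is worth keeping as is: a zone transfer hands out the complete list, so only the secondary and trusted admin hosts belong in it. Two smaller fixes in the same section: "can be used as follow" should be "as follows", and "add, remove or query IP address into the DNSBL zone" should be "IP addresses in the DNSBL zone".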
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo