doc:appunti:linux:sa:spamassassin_private_dnsbl, revision 2020/02/17 18:23 by niccolo (previous revision 2020/02/17 17:48)

====== How to run a private DNSBL for SpamAssassin ======
  
Here we will present a recipe to create a personal **[[wp>Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses).

We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.
  
===== Configure the DNS =====
  
==== Dynamic updates using an HMAC-MD5 key ====
  
Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to accept only authenticated updates we create a **TSIG key** that both the script and Bind9 know (HMAC-MD5 is used here; Bind9 also accepts **hmac-sha256**, which is preferable for new keys). To generate the key we run the command:

</file>
  
==== The dynamic zone ====
  
Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/var/cache/bind/bl.rigacci.org** owned by **bind:bind**:

</file>
  
===== Configure SpamAssassin =====
  
To add a check against our DNSBL, just edit **/etc/spamassassin/local.cf** and add a section like this:

<file>
header        CUSTOM_DNSBL    eval:check_rbl('bl-rigacci','bl.rigacci.org.')
describe      CUSTOM_DNSBL    Entries listed in bl.rigacci.org RBL
score         CUSTOM_DNSBL    100.0
</file>

You can customize the **score** (SpamAssassin's default **required_score** threshold is 5.0) to match your requirements. Two caveats: since this is a network test, also declare the rule with **tflags CUSTOM_DNSBL net**, so that it is skipped when network checks are disabled (e.g. **spamassassin -L**); and **check_rbl** looks up the IP addresses found in the untrusted **Received:** headers, so **trusted_networks** and **internal_networks** must be set correctly or your own relays will be tested against the list too.
 +
===== Python script to manage the dynamic zone =====

Finally we need a script to add, remove or query an IP address in the DNSBL zone. We have written **{{.:dnsbl-tool.txt|dnsbl-tool}}**, which can be used as follows:

<code>
dnsbl-tool -a 192.168.10.1
Adding record type "A" for 1.10.168.192.bl.rigacci.org
</code>

<code>
dnsbl-tool -q 192.168.10.1
Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1
</code>

<code>
dnsbl-tool -r 192.168.10.1
Removing record type "A" for 1.10.168.192.bl.rigacci.org
</code>
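The following is an added example of how the three operations shown above (add, query, remove) can be implemented; it is not the dnsbl-tool script linked from this page. It assumes the dynamic update is sent with the BIND **nsupdate** utility authenticated by the TSIG key file generated earlier, that listed addresses get an **A** record of 127.0.0.1 as in the output above, and it uses the placeholder server name **ns.example**. It also goes beyond the page's IPv4-only tool by building the reversed-nibble name for IPv6 addresses.

```python
"""Add/query/remove helpers for a private DNSBL zone (added example,
not the page's dnsbl-tool).  Assumptions: updates go through BIND's
`nsupdate -k <keyfile>` with the TSIG key, the zone is bl.rigacci.org,
a listing is an A record 127.0.0.1 and "ns.example" is a placeholder."""
import ipaddress
import socket
import subprocess
from typing import Callable, Optional

ZONE = "bl.rigacci.org"
LISTED_VALUE = "127.0.0.1"   # value the page's dnsbl-tool stores for listed hosts


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name for an address.

    IPv4: reversed dotted octets (RFC 5782 section 2.1), e.g.
    192.168.10.1 -> 1.10.168.192.bl.rigacci.org.
    IPv6: reversed hex nibbles (RFC 5782 section 2.4), the same form as
    ip6.arpa.  The page's tool only handles IPv4; IPv6 is an extension."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def nsupdate_script(action: str, ip: str, zone: str = ZONE,
                    server: str = "ns.example", ttl: int = 3600,
                    value: str = LISTED_VALUE) -> str:
    """Return the command batch that `nsupdate -k <keyfile>` reads on stdin.

    action is "add" or "remove".  The TSIG key itself is passed to
    nsupdate with -k, so the batch carries no secret."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    name = dnsbl_name(ip, zone)
    lines = [f"server {server}", f"zone {zone}."]
    if action == "add":
        lines.append(f"update add {name}. {ttl} A {value}")
    else:
        lines.append(f"update delete {name}. A")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch: str, keyfile: str) -> None:
    """Feed a batch to nsupdate, authenticating with the TSIG key file
    (e.g. the K*.private file generated in the DNS section)."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch,
                   text=True, check=True)


def is_listed(ip: str, zone: str = ZONE,
              resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Look up the address in the DNSBL.

    Returns the A record value if listed, None if not listed.  `resolve`
    is injectable so the logic can be exercised without a network;
    socket.gaierror (a subclass of OSError) is what gethostbyname raises
    on NXDOMAIN."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:
        return None
    # A DNSBL listing must answer inside 127.0.0.0/8; anything else is not
    # a listing (e.g. a wildcard answer from an expired or hijacked zone).
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


if __name__ == "__main__":
    # Offline demonstration: print the batch the tool would send for -a.
    print(nsupdate_script("add", "192.168.10.1"), end="")
```

To actually apply an update, pass the batch to **run_nsupdate** together with the key file; the query path only needs a resolver that can reach your DNS server, and it deliberately ignores answers outside 127.0.0.0/8 so a wildcard answer never turns into a false listing.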
 +
To dump the entire zone from the DNS server you can request an **AXFR** (zone transfer). This only works from an IP address included in the **allow-transfer** statement of the zone in named.conf.local, and the request must be sent to the authoritative server (add **@server** to the command if it is not your default resolver):

<code>
dig -t AXFR bl.rigacci.org
</code>
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo