Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:35]
niccolo [How to use a private DNSBL with SpamAssassin]
doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/19 15:11] (current)
niccolo [Python script to manage the dynamic zone]
Line 1: Line 1:
-====== How to use a private DNSBL with SpamAssassin ======+====== How to run a private DNSBL for SpamAssassin ======
  
 Here we will present a recipe to create a personal **[[wp>​Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses). Here we will present a recipe to create a personal **[[wp>​Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses).
Line 5: Line 5:
 We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**. We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.
  
-====== Configure the DNS ======+===== Configure the DNS =====
  
-**/​var/​cache/​bind/​bl.rigacci.org**+==== Dynamic updates using an HMAC-MD5 key ====
  
-<​file>​ +Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python scriptto allow only authenticated queries we create a **DNS key**To generate ​the key we run the command:
-$TTL 900     15 minutes +
-bl.rigacci.org ​  IN SOA  ns1.rigacci.org. postmaster.rigacci.org. ( +
-                1       ; serial +
-                3600    ; refresh (1 hour) +
-                600     ; retry (5 minutes) +
-                432000 ​ ; expire (5 days) +
-                10      ; minimum (10 seconds) +
-                ) +
- +
-                NS      ns1.rigacci.org. +
-                NS      ns2.rigacci.org. +
- +
-$ORIGIN bl.rigacci.org. +
-$TTL 900        ; 15 minutes +
-</​file>​ +
- +
-Generate ​the DNS key:+
  
 <​code>​ <​code>​
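Review bot: the added sentence beginning "Our DNSBL zone will be updated dynamically" runs two sentences together ("scriptto allow") and says the key restricts "queries", but the key guards dynamic updates to the zone, not lookups (SpamAssassin still queries the zone without any key). Suggest: "using a Python script. To allow only authenticated updates we create a DNS key." The new heading also commits the recipe to HMAC-MD5; BIND accepts hmac-sha256 for TSIG keys, so consider generating the key with that algorithm instead. Separately, the removed zone file had "$TTL 900     15 minutes" without the ";" comment marker, and the copy re-added later in this diff fixes that.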
Line 32: Line 15:
 </​code>​ </​code>​
  
-Get the secret from the generated ​//private// file:+Notice that **bl-rigacci-org_rndc-key** is the //​username//​ associated with the key. Two file will be created: one with the **.key** and one with the **.private** extension. ​Get the secret from the generated private file:
  
 <​code>​ <​code>​
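Review bot: "Two file will be created" should read "Two files will be created", and "extension. Get the secret" would read better as two separate sentences. The text also calls bl-rigacci-org_rndc-key the "username" associated with the key; in BIND terms it is the key name that the zone's update policy refers to, so "key name" would be more precise.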
Line 41: Line 24:
 </​code>​ </​code>​
  
-**/​etc/​bind/​bl-rigacci-org_rndc-key** +Now create a file name **/​etc/​bind/​bl-rigacci-org_rndc-key** ​containing the secret, be sure to set the file into **640 mode** and owned by **bind:​bind**:
- +
-Be sure to set the file into **640 mode** and owned by **bind:​bind**.+
  
 <​file>​ <​file>​
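Review bot: "create a file name /etc/bind/bl-rigacci-org_rndc-key" should be "a file named", and the comma before "be sure" joins two independent clauses; suggest "containing the secret. Be sure to set the file to mode 640, owned by bind:bind." Mode 640 with group bind is the right choice here, since the file holds the shared secret used to authenticate updates.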
Line 52: Line 33:
 </​file>​ </​file>​
  
-**/​etc/​bind/​named.conf.local**+==== The dynamic zone ====
  
-Suppose that **10.100.101.102** is your secondary DNS server:+Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/​var/​cache/​bind/​bl.rigacci.org** owned by **bind:​bind**:​ 
 + 
 +<​file>​ 
 +$TTL 900     ; 15 minutes 
 +bl.rigacci.org ​  IN SOA  ns1.rigacci.org. postmaster.rigacci.org. ( 
 +                1       ; serial 
 +                3600    ; refresh (1 hour) 
 +                600     ; retry (5 minutes) 
 +                432000 ​ ; expire (5 days) 
 +                10      ; minimum (10 seconds) 
 +                ) 
 + 
 +                NS      ns1.rigacci.org. 
 +                NS      ns2.rigacci.org. 
 + 
 +$ORIGIN bl.rigacci.org. 
 +$TTL 900        ; 15 minutes 
 +</​file>​ 
 + 
 +Add that zone to **/​etc/​bind/​named.conf.local**. ​Suppose that **10.100.101.102** is your secondary DNS server, this is the snippet required:
  
 <​file>​ <​file>​
 //​-------------------------------------------------------------- //​--------------------------------------------------------------
-// Dynamic update zone for DNS BlockList.+// Dynamic update zone for DNS Blackhole List.
 //​-------------------------------------------------------------- //​--------------------------------------------------------------
 zone "​bl.rigacci.org"​ { zone "​bl.rigacci.org"​ {
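Review bot: the new "The dynamic zone" section tells the reader to create /var/cache/bind/bl.rigacci.org owned by bind:bind but does not say that, once the zone accepts dynamic updates, BIND rewrites this file itself and keeps a .jnl journal beside it, so the directory must be writable by bind and the file should not be edited by hand without freezing the zone first (rndc freeze, then rndc thaw). A sentence to that effect would prevent a hand edit with a stale serial from discarding dynamically added records. The 10-second "minimum" in the SOA is the negative-caching TTL, which suits a list that must react quickly to additions; the comment could say so.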
Line 70: Line 70:
 </​file>​ </​file>​
  
 +===== Configure SpamAssassin =====
  
-====== Configure SpamAssassin ======+To add a check against our DNSBL, just edit **/​etc/​spamassassin/​local.cf** and add a section like this:
  
 +<​file>​
 +header ​       CUSTOM_DNSBL ​   eval:​check_rbl('​bl-rigacci','​bl.rigacci.org.'​)
 +describe ​     CUSTOM_DNSBL ​   Entries listed in bl.rigacci.org RBL
 +score         ​CUSTOM_DNSBL ​   100.0
 +</​file>​
 +
 +You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements.
 +
 +===== Python script to manage the dynamic zone =====
 +
 +Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a **{{.:​dnsbl-tool.txt|dnsbl-tool}}** which can be used as follow:
 +
 +<​code>​
 +dnsbl-tool -a 192.168.10.1
 +Adding record type "​A"​ for 1.10.168.192.bl.rigacci.org
 +</​code>​
 +
 +<​code>​
 +dnsbl-tool -q 192.168.10.1
 +Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1
 +</​code>​
 +
 +<​code>​
 +dnsbl-tool -r 192.168.10.1
 +Removing record type "​A"​ for 1.10.168.192.bl.rigacci.org
 +</​code>​
 +
 +To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). For doing that, you must do it from an IP address listed into the **allow-transfer** declared into named.conf.local:​
 +
 +<​code>​
 +dig -tAXFR bl.rigacci.org
 +</​code>​
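Review bot: the zone-transfer example "dig -tAXFR bl.rigacci.org" sends the request to whatever resolver is in /etc/resolv.conf, which will only succeed if that resolver is itself the authoritative server; recursive resolvers do not relay AXFR. Suggest naming the server from the SOA explicitly: "dig @ns1.rigacci.org -t AXFR bl.rigacci.org", run from an address that the allow-transfer list permits, as the text already requires. Minor wording in the same section: "add, remove or query IP address" should be "IP addresses", and "can be used as follow" should be "as follows".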
doc/appunti/linux/sa/spamassassin_private_dnsbl.1581957308.txt.gz · Last modified: 2020/02/17 17:35 by niccolo