doc:appunti:linux:sa:spamassassin_private_dnsbl [2020/02/17 17:48] – [Configure the DNS] niccolo
doc:appunti:linux:sa:spamassassin_private_dnsbl [2021/10/08 10:45] (current) – [Python script to manage the dynamic zone] niccolo
Line 1:
-====== How to use a private DNSBL with SpamAssassin ======
+====== How to run a private DNSBL for SpamAssassin ======
 
 Here we will present a recipe to create a personal **[[wp>Domain_Name_System-based_Blackhole_List|Domain Name System-based Blackhole List]]** to be used with **SpamAssassin**. This will enable you to assign a **custom SPAM score** to mails coming from **specific IP addresses** (at the moment only IPv4 addresses).
Line 5:
 We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software **Bind9** and **SpamAssassin** are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. **dnsbl.sorbs.net** and **zen.spamhaus.org**.
 
-====== Configure the DNS ======
+===== Configure the DNS =====
 
-===== Dynamic updates using an HMAC-MD5 key =====
+==== Dynamic updates using an HMAC-MD5 key ====
 
 Our DNSBL zone will be **updated dynamically** on our **DNS server** using a Python script; to allow only authenticated updates we create a **DNS key**. To generate the key we run the command:
Line 33:
 </file>
 
-===== The Dynamic Zone =====
+==== The dynamic zone ====
 
 Your DNS server will manage a **dynamic zone** dedicated to the DNSBL service. Create a file **/var/cache/bind/bl.rigacci.org** owned by **bind:bind**:
Line 70:
 </file>
 
-====== Configure SpamAssassin ======
+===== Configure SpamAssassin =====
  
 +To add a check against our DNSBL, just edit **/etc/spamassassin/local.cf** and add a section like this:
 +
 +<file>
 +header     LOCAL_CUSTOM_DNSBL    eval:check_rbl('bl-rigacci','bl.rigacci.org.')
 +describe   LOCAL_CUSTOM_DNSBL    Entries listed in bl.rigacci.org RBL
 +score      LOCAL_CUSTOM_DNSBL    100.0
 +</file>
 +
 +You can customize the **score** (default SPAM score is 5.0 in SpamAssassin) to match your requirements.
 +
 +===== Python script to manage the dynamic zone =====
 +
 +Finally we need a script to add, remove or query IP addresses in the DNSBL zone. We have written **{{.:dnsbl-tool.txt|dnsbl-tool}}** (if you have the **python3-dnspython** **2.0.0** library, use **{{.:dnsbl-tool_0.4.0.txt|dnsbl-tool_0.4.0}}** instead), which can be used as follows:
 +
 +<code>
 +dnsbl-tool -a 192.168.10.1
 +Adding record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +<code>
 +dnsbl-tool -q 192.168.10.1
 +Address 192.168.10.1 is listed: 1.10.168.192.bl.rigacci.org => 127.0.0.1
 +</code>
 +
 +<code>
 +dnsbl-tool -r 192.168.10.1
 +Removing record type "A" for 1.10.168.192.bl.rigacci.org
 +</code>
 +
 +To query the entire zone from the DNS server, you can request an **AXFR** (zone transfer). The request must come from an IP address listed in the **allow-transfer** statement declared in named.conf.local:
 +
 +<code>
 +dig -tAXFR bl.rigacci.org
 +</code>
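The three operations shown above (add, query, remove), written here as an added example using only the Python standard library; this is not the wiki's own dnsbl-tool. The server address, the TSIG key file path and the record TTL are assumptions.

```python
# Added example (not the wiki's dnsbl-tool): manage IPv4 entries in a
# private DNSBL zone. The update is handed to nsupdate, signed with the
# TSIG key; the query is a plain A lookup of the reversed-octet name.
import ipaddress
import socket
import subprocess

ZONE = "bl.rigacci.org"          # DNSBL zone from the page
SERVER = "127.0.0.1"             # assumption: Bind9 runs on this host
KEYFILE = "/etc/bind/dnsbl.key"  # assumption: key file for nsupdate -k
LISTED = "127.0.0.1"             # A record value that means "listed"
TTL = 3600                       # assumption: record TTL in seconds


def dnsbl_name(ip, zone=ZONE):
    """Return the DNSBL lookup name: octets reversed under the zone.
    Only IPv4 is supported, as on the page; anything else is rejected."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are supported")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def nsupdate_script(action, ip, zone=ZONE, server=SERVER, ttl=TTL):
    """Build the nsupdate stdin that adds or deletes the A record."""
    name = dnsbl_name(ip, zone)
    if action == "add":
        change = f"update add {name}. {ttl} A {LISTED}"
    elif action == "remove":
        change = f"update delete {name}. A"
    else:
        raise ValueError("action must be 'add' or 'remove'")
    return f"server {server}\nzone {zone}.\n{change}\nsend\n"


def apply_update(action, ip):
    """Run nsupdate with the TSIG key (requires the live DNS server)."""
    subprocess.run(["nsupdate", "-k", KEYFILE], check=True, text=True,
                   input=nsupdate_script(action, ip))


def query(ip, zone=ZONE):
    """Return the listed value (e.g. 127.0.0.1) or None when not listed."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN: address is not in the zone
        return None
```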
doc/appunti/linux/sa/spamassassin_private_dnsbl.1581958082.txt.gz · Last modified: 2020/02/17 17:48 by niccolo