Setting up DNSBL for spam blocking
From CobaltFAQs
Backup the original file
First change to the location where the .mc file used to build sendmail.cf is located, and make a backup copy of it:
cd /usr/lib/sendmail-cf/cf
cp cobalt.mc cobalt.mc.safe
Add the DNSBL entries
Edit cobalt.mc using your favorite editor like vi or pico and add these entries:
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`554 Rejected - see http://www.spamhaus.org/')dnl
FEATURE(`dnsbl',`relays.ordb.org',`554 Rejected - see http://www.ordb.org/')dnl
FEATURE(`dnsbl',`combined.njabl.org',`554 Message from $&{client_addr} rejected - see http://www.njabl.org/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`554 Email rejected - $&{client_addr} found in dnsbl.sorbs.net')dnl
FEATURE(`dnsbl',`bl.spamcop.net',`554 Rejected - see http://www.spamcop.net/')dnl
or whatever other info is relevant for your particular DNSBLs. The main thing to get right is the
FEATURE(`dnsbl', `host.dnsbl.tld', `Message to display')dnl
format. Make sure the quoting is right: each argument opens with a backtick (`) and closes with an apostrophe ('), because those are m4's quote characters.
Build the new sendmail.cf file
Then build the new sendmail.cf, install it, and restart sendmail:
cd /usr/lib/sendmail-cf
m4 cf/cobalt.mc > /etc/mail/spamblock.cf
cd /etc/mail
cp sendmail.cf sendmail.cf.nodnsbl
cp spamblock.cf sendmail.cf
chmod 0644 sendmail.cf
/etc/rc.d/init.d/sendmail restart
Immediately test sending mail to and through your server to make sure it is all working like it should. You can watch the sendmail log to see what's happening:
tail -f /var/log/maillog
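To confirm the new sendmail.cf is actually rejecting on the lists without reading the whole log, here is an added example (not from the CobaltFAQs page) of a small shell filter that pulls the check_relay rejections out of maillog. The function names dnsbl_rejects, dnsbl_reject_count and sample_maillog are this example's own, and the three log lines it carries are constructed samples in sendmail's usual ruleset= reject format, not output captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the CobaltFAQs page.  Filters sendmail's
# maillog for rejections issued by the check_relay ruleset, which is
# where the DNSBL lookups from cobalt.mc end up.
# Assumed names: dnsbl_rejects, dnsbl_reject_count, sample_maillog.

# Read maillog lines on stdin; for every check_relay rejection print
# "<client IP><TAB><reject text>".  arg2 is the connecting address and
# reject= carries the SMTP reply the DNSBL FEATURE line configured.
dnsbl_rejects() {
    awk '/sendmail\[[0-9]+\]: ruleset=check_relay, .*reject=/ {
        ip = $0
        sub(/.*arg2=/, "", ip)
        sub(/,.*/, "", ip)
        why = $0
        sub(/.*reject=/, "", why)
        print ip "\t" why
    }'
}

# Number of check_relay rejections in the log fed on stdin.
dnsbl_reject_count() {
    dnsbl_rejects | awk 'END { print NR }'
}

# Constructed sample log (not real traffic): one spamhaus rejection, one
# ordinary accepted message, one sorbs rejection.
sample_maillog() {
    cat <<'EOF'
Mar  3 10:15:02 raq sendmail[2231]: ruleset=check_relay, arg1=host.example.net, arg2=192.0.2.1, relay=host.example.net [192.0.2.1], reject=550 5.7.1 Email rejected. See http://www.spamhaus.org/
Mar  3 10:15:07 raq sendmail[2235]: k23AF7xx002235: from=<user@example.com>, size=1420, class=0, nrcpts=1, msgid=<abc@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
Mar  3 10:16:40 raq sendmail[2240]: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=554 5.7.1 Email rejected. 203.0.113.9 found in dnsbl.sorbs.net
EOF
}

# Against the live log:  tail -f /var/log/maillog | dnsbl_rejects
# Offline demonstration on the constructed sample:
sample_maillog | dnsbl_rejects
```

The filter keys on the ruleset name rather than on the reply text, so it also catches rejections whose message you customised in the FEATURE(`dnsbl', ...) line; a sudden jump in the count right after the restart, especially for addresses you know are legitimate, is the signal to fall back to sendmail.cf.nodnsbl and look at which list produced the reply.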
Undoing the DNSBLs
If for some reason you need to stop using the blocking lists, just do
cp /etc/mail/sendmail.cf.nodnsbl /etc/mail/sendmail.cf
/etc/rc.d/init.d/sendmail restart
Fix POP Before SMTP
The original Cobalt cobalt.mc contains no directives that make m4 generate the POP-before-SMTP entries in sendmail.cf when it is built or rebuilt. So if you are using POP authentication to allow mail relaying through your server, you will need to add those parts back into sendmail.cf by hand after rebuilding. There does not appear to be a clean line or two that can be put into cobalt.mc to make m4 generate the POP relaying section automatically.
Edit /etc/mail/sendmail.cf. Find the lines
# Virtual user table (maps incoming users)
Kvirtuser hash -o /etc/mail/virtusertable
and add these below them
# poprelay list
Kpopip hash -a<MATCH> /etc/mail/popip
These should be around line 152.
Then add some lines to the relay checking section (around line 1010). Find the header block
######################################################################
### check_relay -- check hostname/address on SMTP startup
######################################################################
and add/change the lines below it to read like this:
######################################################################
### check_relay -- check hostname/address on SMTP startup
######################################################################
SLocal_check_relay
# Put the address into canonical form (even if it doesn't resolve to an MX).
R$* $: $>Parse0 03 $1
R$* < $* > $* $: $1 < $2 . > $3
R$* < $* . . > $* $1 < $2 . > $3
# Test against pop-before-relay hash
R$* $: < $&{client_addr} >
R< $* > $(popip $1 $)
R$* < MATCH > $#OK
Scheck_relay
R$* $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$* $#$3
R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2
SBasic_check_relay
# check for deferred delivery mode
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2
R$+ $| $+ $: $>LookUpDomain < $1 > <?> < $2 > <+Connect>
R<?> <$+> $: $>LookUpAddress < $1 > <?> < $1 > <+Connect> no: another lookup
R<?> < $+ > $: $1 found nothing
R<$={Accept}> < $* > $@ $1 return value of lookup
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $* $#discard $: discard
R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*> $#error $: $1
R<$+> <$*> $#error $: $1
VERY IMPORTANT! Use TABs to separate the two columns, not spaces (i.e., a copy/paste from this web page will not work!).
Note that immediately below this section is where the DNSBL lines will be entered:
# DNS based IP address spam list sbl-xbl.spamhaus.org
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.sbl-xbl.spamhaus.org. $: OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.sbl-xbl.spamhaus.org. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "550 Email rejected. See http://www.spamhaus.org/"
# DNS based IP address spam list relays.ordb.org
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "550 Email rejected. See http://www.ordb.org/faq/\#why_rejected"
# DNS based IP address spam list combined.njabl.org
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.combined.njabl.org. $: OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.combined.njabl.org. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "550 Email rejected. See http://www.njabl.org/"
# DNS based IP address spam list dnsbl.sorbs.net
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.dnsbl.sorbs.net. $: OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.dnsbl.sorbs.net. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "554 Email rejected. " $&{client_addr} " found in dnsbl.sorbs.net"
# DNS based IP address spam list bl.spamcop.net
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "550 Email rejected. See http://www.spamcop.net/"
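The rules above all do the same thing: take the client address, reverse its octets, look the result up under the list's zone, and treat "nothing found" as OK and any answer as a reject. The following is an added example, not code from the CobaltFAQs page, that re-creates that lookup in shell so a list can be checked by hand before it goes into cobalt.mc. It goes slightly beyond the rules by validating the address first. The names dnsbl_query_name, dnsbl_check, default_resolver, offline_stub and the DNSBL_RESOLVER variable are this example's own; dig is assumed to be installed for live lookups, and offline_stub is a constructed stand-in resolver, not a real list.

```shell
#!/bin/sh
# Added example, not part of the CobaltFAQs page.  Re-creates in shell
# what the generated check_relay rules do for one client address and
# one DNSBL zone, so the behaviour of a list can be checked by hand.
# Assumed names: dnsbl_query_name, dnsbl_check, default_resolver,
# offline_stub and DNSBL_RESOLVER are this example's own; "dig" is
# assumed to be installed for live lookups.

# Build the reversed-octet query name the R$-.$-.$-.$- rule produces:
# 192.0.2.1 against zone bl.example gives 1.2.0.192.bl.example.
# An IPv4-mapped address (::ffff:a.b.c.d), which the R::ffff: rule
# handles, is unwrapped first.  Returns 1 for anything that is not
# four dotted-decimal octets.
dnsbl_query_name() {
    addr=${1#::ffff:}
    zone=$2
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s.\n' "$4" "$3" "$2" "$1" "$zone"
}

# Live resolver: prints the A records for a name, nothing if the name
# does not exist.  Point DNSBL_RESOLVER at another function to test
# without network access.
default_resolver() {
    dig +short A "$1" 2>/dev/null
}
: "${DNSBL_RESOLVER:=default_resolver}"

# Constructed stand-in resolver (not a real list): lists only the
# conventional test entry 127.0.0.2 and answers nothing for all else.
offline_stub() {
    case "$1" in
        2.0.0.127.*) echo 127.0.0.2 ;;
    esac
}

# Mirrors the $(host ... $: OK $) lookup: a missing record means OK
# (the rule's OKSOFAR path), any A record means the address is listed
# (the $#error path).  Prints "ok" or "listed <record>"; exit status
# 0 when listed, 1 when clear, 2 when the address is malformed.
dnsbl_check() {
    name=$(dnsbl_query_name "$1" "$2") || { echo badaddr; return 2; }
    answer=$("$DNSBL_RESOLVER" "$name")
    if [ -n "$answer" ]; then
        echo "listed $answer"
        return 0
    fi
    echo ok
    return 1
}

# Live usage:  dnsbl_check 127.0.0.2 sbl-xbl.spamhaus.org
# Offline demonstration with the constructed stub:
( DNSBL_RESOLVER=offline_stub; dnsbl_check 127.0.0.2 sbl-xbl.spamhaus.org )
```

Run the live check with 127.0.0.2 (which every working list is expected to answer) and 127.0.0.1 (which none should) against each zone in your cobalt.mc. A zone that answers for both, or for an address you know is clean, is returning positives for everything and must come out of the file, because the rules above turn any answer into a 5xx reject: relays.ordb.org and combined.njabl.org have both been shut down since this page was written, and when the ORDB zone was finally decommissioned in 2008 it briefly answered every query, so servers still querying it rejected all incoming mail.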
