Spamhaus XBL with DCC (Was: Experience with DKIM...)

Gary Mills mills@cc.umanitoba.ca
Mon Mar 31 01:50:12 UTC 2008


On Sun, Mar 30, 2008 at 02:17:09PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <mills@cc.umanitoba.ca>
> 
> > > DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 %ID %BT http://www.spamhaus.org/query/bl?ip=%BIP' -Bsbl-xbl.spamhaus.org -Bset:no-NS -Bzen.spamhaus.org"
> 
> > Yes, I'm using XBL through DCC because I want users to be able to
> > whitelist messages rejected by XBL in the same manner that they can
> > for messages rejected for bulkiness.  I'm using this setting:
> >
> >     DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 id %s from %s rejected. See http://www.spamhaus.org/xbl/' -Bset:no-body -Bset:no-MX -Bset:no-NS -Bxbl.dnsbl,any"
> 
> Why turn off XBL MX and NS checks for the SMTP envelope mail sender domain?

I was trying to minimize the number of nameserver queries done for each
e-mail message.  I assume that other envelope checks are still done.
I could ramp it up a bit to see what happens.

> > I don't want to use PBL, included in ZEN I believe, because it includes
> > the IP networks of many of our SMTP mail submission clients.  I don't
> > want to reject those.  Now that most ISPs are blocking the SMTP port,
> > it may be possible to revisit that decision.
> 
> So your SMTP mail submission clients are on too many networks to whitelist?

Yes, that's correct.  They could be anywhere in the world.  It's the
old problem that SMTP servers can't distinguish between clients and
other SMTP servers.

> And they don't use SMTP-AUTH or TLS and that could be automatically
> whitelisted by modifying sendmail.cf with /var/dcc/libexec/hackmc -T
> and doing the things mentioned in the comments in hackmc?  Or turning
> off FEATURE(`delay_checks') or setting TRUST_AUTH_MECH can't be done
> in your situation?  ok.

Yes, I am using some of those features.  Most clients will use SMTP
authentication or DRAC, but a few still use plain SMTP.  Our two large
local ISPs now block the SMTP port.  For clients there we do require
SMTP authentication.  I just can't tell what other clients will be
affected if I start using the PBL.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
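The policy discussed in this message (reject on an XBL listing, keep a per-user whitelist that overrides the rejection, and do not reject submission clients that merely fall in PBL ranges) can be modelled in a few lines. The following is an added illustration, not code from this thread, from DCC or from Spamhaus: it builds the reversed-octet DNSBL query name, maps the Spamhaus return codes (127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL) to list names, and applies the decision order a submission server needs. The resolver is a constructed in-memory table standing in for real DNS answers, and all IP addresses are documentation ranges; the function names `dnsbl_query_name`, `lookup` and `decide` are hypothetical.

```python
import ipaddress

# Spamhaus return codes for the zen zone (same codes as sbl/xbl/pbl alone).
LIST_BY_CODE = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Lists whose hit should cause a rejection; PBL is deliberately left out
# because it covers the dynamic ranges of legitimate submission clients.
REJECT_LISTS = {"SBL", "SBL-CSS", "XBL"}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone, e.g.
    192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for DNS answers (A records) so the example runs offline.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"): ["127.0.0.4"],                 # XBL only
    dnsbl_query_name("198.51.100.77", "zen.spamhaus.org"): ["127.0.0.11"],             # PBL only
    dnsbl_query_name("203.0.113.5", "zen.spamhaus.org"): ["127.0.0.2", "127.0.0.10"],  # SBL + PBL
}


def lookup(ip, zone, resolver=FAKE_DNS):
    """Return the set of list names the address is on (empty set if not listed)."""
    answers = resolver.get(dnsbl_query_name(ip, zone), [])
    return {LIST_BY_CODE.get(a, "unknown") for a in answers}


def decide(client_ip, authenticated, user_whitelist, msg_id="<id>", sender="<sender>",
           zone="zen.spamhaus.org", resolver=FAKE_DNS):
    """Decide accept/reject for one SMTP client.

    Order matters: an authenticated submission client is never checked,
    a user whitelist entry overrides any listing, and only XBL/SBL hits
    reject.  A PBL-only hit is recorded but does not reject.
    """
    if authenticated:
        return ("accept", "authenticated submission client, DNSBL skipped")
    if client_ip in user_whitelist:
        return ("accept", "whitelisted by recipient")
    lists = lookup(client_ip, zone, resolver)
    if lists & REJECT_LISTS:
        # Same shape as the rej-msg in the quoted DNSBL_ARGS setting.
        return ("reject", "5.7.1 550 id %s from %s rejected. See http://www.spamhaus.org/xbl/"
                % (msg_id, sender))
    if "PBL" in lists:
        return ("accept", "PBL-only hit ignored (possible unauthenticated submission client)")
    return ("accept", "not listed")


if __name__ == "__main__":
    for ip, auth, wl in [("192.0.2.10", False, set()),
                         ("192.0.2.10", False, {"192.0.2.10"}),
                         ("198.51.100.77", False, set()),
                         ("203.0.113.5", False, set()),
                         ("203.0.113.5", True, set())]:
        print(ip, auth, decide(ip, auth, wl))
```

The `REJECT_LISTS` set is the one knob that corresponds to the choice between `-Bxbl.dnsbl` and `-Bzen.spamhaus.org` in the quoted settings: adding `"PBL"` to it reproduces the behaviour that would reject unauthenticated submission clients on dynamic ranges.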
