Introduction

Last Updated: 18 Jul 2013 GMT +8.

A mailfront plugin to provide DNSBL/DNSWL checking of sender's IP address and to defer, reject or accept mails based on its check. This plugin will add its checking results to each mail message header for all mails accepted depending on environment variables configurations.

IMPORTANT: This plugin is written for and tested with mailfront 2.00 but should work with version 1.12 and above.


Environment Configuration

$DNSBL_CHECK_SKIP
If set, this plugin will be skipped.
$RELAYCLIENT
If set, add to message header and skip the remaining checks. Example of message header added:

X-DNSBL-Check-Result: SKIPPED: $RELAYCLIENT is set for 1.2.3.4

$RBLSMTPD
If set and empty, add to message header and skip the remaining checks. If $RBLSMTPD is set and not empty, the reply code is set to 553 if the first character of $RBLSMTPD is "-" otherwise the reply code is set to 451. The reply message will be copied from $RBLSMTPD and will skip "-" if it is the starting character of $RBLSMTPD. Examples of smtp.rules for tcprules:

1.1.1.1:allow,RBLSMTPD=""
2.2.2.2:allow,RBLSMTPD="-Your IP is listed in our denied list."
3.3.3.3:allow,RBLSMTPD="Your IP is listed in our denied list."

The above will cause this plugin to accept mails from IP 1.1.1.1, reject mails from IP 2.2.2.2 and defer mails from IP 3.3.3.3. Below are the reply to sender's IP 2.2.2.2 and 3.3.3.3 respectively:

553 Your IP is listed in our denied list.
451 Your IP is listed in our denied list.

Example of message header added for IP 1.1.1.1:

X-DNSBL-Check-Result: SKIPPED: $RBLSMTPD is set and empty for 1.1.1.1

$RWLDOMAINS
This is the list of servers/domains to check for whitelisting (DNSWL). If $RWLDOMAINS is set and not empty, the domains listed will be used for DNSWL checking. Each domain needs to be seperated with a SPACE or a colon ":".
$RWLDOMAINSFILE
This is a file with list of servers/domains to check for whitelisting (DNSWL). This will only be used if $RWLDOMAINS is not set. i.e. copy the content into $RWLDOMAINS. If $RWLDOMAINSFILE not set will default to /var/qmail/control/rwldomains for IPv4 and /var/qmail/control/rwldomains6 for IPv6 which are defined as constant of DNSBL_RWLDOMAINS_FILE and DNSBL_RWLDOMAINS_FILE_IPV6. Format in this file is one domain per line. Lines started with # are ignored.
$RBLDOMAINS
This is the list of servers/domains to check for blacklisting (DNSBL). If $RBLDOMAINS is set and not empty, the domains listed will be used for DNSBL checking. Each domain needs to be seperated with a SPACE or a colon ":".
$RBLDOMAINSFILE
This is a file with list of servers/domains to check for blacklisting (DNSBL). This will only be used if $RBLDOMAINS is not set. i.e. copy the content into $RBLDOMAINS. If $RBLDOMAINSFILE not set will default to /var/qmail/control/rbldomains for IPv4 and /var/qmail/control/rbldomains6 for IPv6 which are defined as constant of DNSBL_RBLDOMAINS_FILE and DNSBL_RBLDOMAINS_FILE_IPV6. Format in this file is one domain per line. Lines started with # are ignored.
NOTE:
If $RWLDOMAINS and $RBLDOMAINS not set or empty, add to mail message header and skip the DNSWL/DNSBL checks. Example of mail header added:

X-DNSBL-Check-Result: SKIPPED: $RWLDOMAINS and $RBLDOMAINS not set or empty for 1.2.3.4

$DNSBL_CHECK_REJECT
If set, sender will be rejected with reply code 553 if sender's IP is listed in one of the $RBLDOMAINS domain. If sender's IP is listed in one of the $RWLDOMAINS domains, mail message will be accepted as this plugin take preference of $RWLDOMAINS domains then $RBLDOMAINS domains.
$DNSBL_CHECK_DEFER
If $DNSBL_CHECK_DEFER is set, sender will be rejected with reply code 451 if sender's IP is listed in one of the $RBLDOMAINS domain. If sender's IP is listed in one of the $RWLDOMAINS domains, mail message will be accepted as this plugin take preference of $RWLDOMAINS domains then $RBLDOMAINS domains.
NOTE: $DNSBL_CHECK_REJECT take preference of $DNSBL_CHECK_DEFER.
$DNSBL_CHECK_VERBOSE
If $DNSBL_CHECK_VERBOSE is set, this plugin will log its checking to stderr.
DEFAULT
If sender is authenticated, add to message header and skip the DNSWL/DNSBL checks. Example of message header added:

X-DNSBL-Check-Result: SKIPPED: authenticated user from 1.2.3.4

Mails that are rejected/deferred due to blacklist, this plugin will use the first listed domain's TXT record in its reply message. If there isn't such will default to the following:

Sorry, your ip ${PROTO}REMOTEIP is listed in one or more of the DNSBL: $RBLDOMAINS

NOTE: The ${PROTO}REMOTEIP and $RBLDOMAINS will be parsed accordingly.

If sender's IP is listed in one of the $RWLDOMAINS domain, instead of rejecting/deferring mail, mail message will be accepted and all the DNSWL/DNSBL check results will be added to each mail message header.

If $DNSBL_CHECK_REJECT and $DNSBL_CHECK_DEFER not set, all mail message will be accepted with DNSWL/DNSBL check results added to each mail message header.


Sender Action

This plugin starts to check the environment variables configurations and do all its checking for listing in $RWLDOMAINS and $RWLDOMAINS after sender issued the MAIL FROM command.

If sender's IP is listed in one of the $RBLDOMAINS domain and not in any of the $RWLDOMAINS domain, then sender will be rejected/deferred depending whether $DNSBL_CHECK_REJECT or $DNSBL_CHECK_DEFER is set.


Recipient Action

None

Data Action

All mails pass the DNSBL checks or sender's IP is listed in one of the $RWLDOMAINS domain or $DNSBL_CHECK_DEFER and $DNSBL_CHECK_REJECT are not set, the results will be added to each mail message header.

An example in one of my personal mail headers as I didn't set $DNSBL_CHECK_DEFER or $DNSBL_CHECK_REJECT:

Sorry, your ip ${PROTO}REMOTEIP is listed in one or more of the DNSBL: $RBLDOMAINS
X-DNSBL-Check-Result: FAILED for ip 114.39.67.75
X-DNSBL-Check-Report: rbldomain=zen.spamhaus.org result=http://www.spamhaus.org/query/bl?ip=114.39.67.75
X-DNSBL-Check-Report: rbldomain=cbl.abuseat.org result=Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=114.39.67.75
X-DNSBL-Check-Report: rbldomain=dnsbl.sorbs.net result=Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?114.39.67.75

An example of headers for listed in one of the $RWLDOMAINS domain (look for X-DNSWL-Check-Report):

X-DNSBL-Check-Result: PASSED for 1.2.3.4
X-DNSWL-Check-Report: rwldomain=rwl.yourdomain.com result=whitelist IP
X-DNSBL-Check-Report: rbldomain=rbl.other1.com result=whatever
X-DNSBL-Check-Report: rbldomain=rbl.other2.com result=whatever
X-DNSBL-Check-Report: rbldomain=rbl.other3.com result=whatever

NOTE: If sender is authenticated, then this plugin will skip the DNSWL/DNSBL checks and add information about it in the mail header.


Message Action

None

Requirements

  • mailfront version 2.00 or later (might work with earlier version)
  • bglibs version 1.104 or later (might work with earlier version)
  • libowfat (http://www.fefe.de/libowfat/)

Installation

  • Build and install mailfront
  • Switch back to this package
  • Adjust the contents of the conf-* files
  • Build the sources by running "make"
  • Install the plugin by running "make install"

Mailfront Plugins Configuration

Place check-dnsbl in mailfront's plugin list. Depending on your setup:

  • edit the smtpfront-qmail shell script and place the string check-dnsbl after add-received
  • edit the PLUGINS environment variable and place the string check-dnsbl after add-received
  • place the argument check-dnsbl after the add-received of the mailfront command

Set up environment as described in Environment Configuration above or plugin-check-dnsbl.html which is included in the package.


License

This package is copyright © 2013 Giam Teck Choon or CHOON.NET, and may be copied according to the GNU GENERAL PUBLIC LICENSE (GPL) Version 2 or a later version. A copy of this license is included with this package. This package comes with no warranty of any kind.


Changes

  • 10 Jun 2013 GMT +8 : version 0.01
  • Initial release
  • 23 Jun 2013 GMT +8 : version 0.02
  • Fix bug in defer/reject message being corrupted due to freeing not suppose to free tmpstr by using global str estr instead
  • Coding style change to 2 SPACING instead of using TAB
  • 18 Jul 2013 GMT +8 : version 0.03
  • Add IPv6 support

Portal Log In/Sign In

Log In/Sign In to the Portal requires cookies and javascript.

×
×