DNSBLs and RBLs
How To Configure GreenArrow To Use DNSBLs
GreenArrow Engine can optionally use DNSBLs (DNS-based Blackhole Lists), such as the Spamhaus ZEN list, to filter incoming mail.
- To control which DNSBLs to use, list them one per line in the /var/hvmail/control/smtp.rbls file. For example:

  echo "zen.spamhaus.org" >> /var/hvmail/control/smtp.rbls

- To disable checking DNSBLs, delete the /var/hvmail/control/smtp.rbls file:

  rm -f /var/hvmail/control/smtp.rbls

- Apply changes by restarting the SMTP service, and verifying that it stays up:

  svc -t /service/hvmail-qmail-smtpd
  sleep 7
  hvmail_init status | grep "hvmail-qmail-smtpd "

  If the SMTP service does not show the status “UP”, reverse your change.
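The three steps above (edit smtp.rbls, restart, verify, and reverse the change if the service is not UP) can be scripted so the rollback happens automatically. The script below is an added example and not GreenArrow's own tooling: it uses only the commands from the page for the service itself, and assumes that the hvmail-qmail-smtpd line printed by hvmail_init status contains the word UP when the service is healthy. RBLS_FILE can be pointed at a scratch file to try the file-editing part without touching the live configuration.

```shell
#!/bin/sh
# Added example, not GreenArrow's own tooling: enable a DNSBL in smtp.rbls
# and restart hvmail-qmail-smtpd, rolling the file back if the service does
# not come back UP. RBLS_FILE can be overridden for a dry run on a scratch file.
RBLS_FILE="${RBLS_FILE:-/var/hvmail/control/smtp.rbls}"
SMTPD_SERVICE=/service/hvmail-qmail-smtpd

# Accept only something shaped like a DNS zone (dotted labels of letters,
# digits and hyphens), so a typo cannot land in the live config.
valid_zone() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$'
}

# Append ZONE to RBLS_FILE. Returns 0 when added, 1 when already present,
# 2 when the zone name is rejected.
add_dnsbl() {
    zone="$1"
    valid_zone "$zone" || { echo "rejected zone name: $zone" >&2; return 2; }
    touch "$RBLS_FILE"
    if grep -qxF "$zone" "$RBLS_FILE"; then
        return 1
    fi
    printf '%s\n' "$zone" >> "$RBLS_FILE"
}

# Assumption: the hvmail-qmail-smtpd line in `hvmail_init status` output
# contains UP when the service is healthy (the page says to look for "UP").
smtpd_is_up() {
    hvmail_init status | grep "hvmail-qmail-smtpd " | grep -q "UP"
}

# Add the zone, restart, verify; on failure restore the previous file
# (or remove it again if there was none, which disables DNSBL checks).
apply_dnsbl() {
    zone="$1"
    if [ -f "$RBLS_FILE" ]; then
        cp "$RBLS_FILE" "$RBLS_FILE.prev"; had_file=1
    else
        had_file=0
    fi
    add_dnsbl "$zone" || return $?
    svc -t "$SMTPD_SERVICE"
    sleep 7
    if smtpd_is_up; then
        echo "hvmail-qmail-smtpd is UP with $zone enabled"
        return 0
    fi
    echo "hvmail-qmail-smtpd is not UP; reverting $RBLS_FILE" >&2
    if [ "$had_file" = 1 ]; then
        cp "$RBLS_FILE.prev" "$RBLS_FILE"
    else
        rm -f "$RBLS_FILE"
    fi
    svc -t "$SMTPD_SERVICE"
    return 1
}

# Touch the live service only when explicitly asked:
#   sh dnsbl_apply.sh apply zen.spamhaus.org
if [ "${1:-}" = "apply" ]; then
    apply_dnsbl "$2"
fi
```

Run it as `sh dnsbl_apply.sh apply zen.spamhaus.org`; a second run with the same zone reports it as already listed and leaves the file and the service alone, which keeps repeated runs from stacking duplicate entries in smtp.rbls.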
Important Note About Spamhaus’ DNSBLs
If you followed our instructions for configuring public DNS resolvers, such as Google and Cloudflare, in /etc/resolv.conf, you need to be aware of Spamhaus’ DNS Blocklists Fair Use Policy, specifically section 1.1.3 of that policy.
In addition to setting forth guidelines for query volume, the policy also says this:
The network originating the DNS Query must be identifiable. This means you must query the Spamhaus DNSBL Public Mirrors from a recursive resolver run on your own network or from a public resolver which supports ECS.
“ECS” is an acronym which stands for “EDNS Client Subnet”, and it’s a protocol that defines a method for the public resolver to pass the IP address of the querying client to the authoritative server for the record being queried. Put another way, a public resolver that supports ECS will pass the IP address of your GreenArrow server to the public mirror for the Spamhaus DNSBL as part of the query, as per Spamhaus’ requirements.
As of this writing, Google’s public resolvers (IP addresses 8.8.8.8 and 8.8.4.4) do support ECS, while Cloudflare (1.1.1.1) does not.
If you’re using public resolvers, there’s an easy way for you to identify whether or not the resolver supports ECS. From the command line on your GreenArrow server, run the following command:
# host SS.RE.ADD.IP.zen.spamhaus.org a.b.c.d
where:
- SS.RE.ADD.IP is a public IP address used by your GreenArrow server, written with its octets in reverse order, and
- a.b.c.d is the IP address of the public resolver
For example, these two queries are meant to check IP address 205.159.93.168 against the Spamhaus Zen DNSBL using first 8.8.8.8 and then 1.1.1.1 as the public resolvers:
# host 168.93.159.205.zen.spamhaus.org 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host 168.93.159.205.zen.spamhaus.org not found: 3(NXDOMAIN)
# host 168.93.159.205.zen.spamhaus.org 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
168.93.159.205.zen.spamhaus.org has address 127.255.255.254
Spamhaus DNSBL queries that return results beginning with 127.255.255 are an indication that you have a serious problem to address regarding your methods for querying Spamhaus’ DNSBLs.
Spamhaus DNSBL queries that return results beginning with 127.0 are an indication that the queried IP address is listed in a Spamhaus DNSBL, so if your test query used one of your GreenArrow IP addresses and received a result like 127.0.0.2 instead of the NXDOMAIN shown in the first example, you’ll need to open a support request with Spamhaus to get delisted.
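The resolver test above, together with the interpretation of the three possible answers (NXDOMAIN, 127.0.x, 127.255.255.x), is easy to get wrong by hand when the reversed address is typed manually. The script below is an added example and not GreenArrow's or Spamhaus' tooling: it builds the reversed query name, runs the same host(1) command as the page against a chosen resolver, and reduces the answer to a verdict. The function names, the verdict labels, and the "no-answer" handling for an unreachable resolver are this example's own.

```shell
#!/bin/sh
# Added example, not GreenArrow's or Spamhaus' tooling: build the reversed
# DNSBL query name for an IPv4 address, ask a chosen resolver with host(1),
# and turn the answer into a verdict using the 127.x ranges described above.

# 205.159.93.168 -> 168.93.159.205 (prints nothing for anything but four octets)
reverse_ip() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 }'
}

# Reduce `host NAME RESOLVER` output to one token per answer:
# NXDOMAIN for a "not found" reply, otherwise each A record address.
parse_host_output() {
    awk '/not found/ && /NXDOMAIN/ { print "NXDOMAIN"; next }
         / has address /           { print $NF }'
}

# Verdict for one answer token.
classify_answer() {
    case "$1" in
        NXDOMAIN)      echo "not-listed" ;;
        127.255.255.*) echo "query-problem" ;;   # e.g. 127.255.255.254 via a non-ECS public resolver
        127.0.*)       echo "listed" ;;          # open a delisting request if this is your own IP
        *)             echo "unexpected" ;;
    esac
}

# usage: dnsbl_check IP ZONE RESOLVER
#   e.g. dnsbl_check 205.159.93.168 zen.spamhaus.org 8.8.8.8
# Prints "RESOLVER ANSWER VERDICT" per answer; "no-answer" when the resolver
# returned nothing usable (timeout, SERVFAIL); exit 2 on a malformed IP.
dnsbl_check() {
    rev="$(reverse_ip "$1")"
    [ -n "$rev" ] || { echo "not an IPv4 address: $1" >&2; return 2; }
    answers="$(host "$rev.$2" "$3" 2>&1 | parse_host_output)"
    if [ -z "$answers" ]; then
        printf '%s - no-answer\n' "$3"
        return 1
    fi
    printf '%s\n' "$answers" | while read -r ans; do
        printf '%s %s %s\n' "$3" "$ans" "$(classify_answer "$ans")"
    done
}

# Run the page's two checks when invoked with an IP:
#   sh dnsbl_check.sh 205.159.93.168
if [ -n "${1:-}" ]; then
    for resolver in 8.8.8.8 1.1.1.1; do
        dnsbl_check "$1" zen.spamhaus.org "$resolver"
    done
fi
```

For the two resolvers shown on the page, a run against one of your own sending addresses should print "8.8.8.8 NXDOMAIN not-listed" and, for 1.1.1.1, a 127.255.255.x answer with the "query-problem" verdict; any "listed" verdict on your own address is the case in which the page tells you to open a support request with Spamhaus.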