GreenArrow Email Software Documentation

DNSBLs and RBLs

How To Configure GreenArrow To Use DNSBLs

GreenArrow Engine can optionally use DNSBLs (DNS-based Blackhole Lists), such as the ZEN Spamhaus List, to filter incoming mail.

  1. To control which DNSBLs to use, list them one per line in the /var/hvmail/control/smtp.rbls file. For example:

    echo "zen.spamhaus.org" >> /var/hvmail/control/smtp.rbls
    

  2. To disable checking DNSBLs, delete the /var/hvmail/control/smtp.rbls file:

    rm -f /var/hvmail/control/smtp.rbls
    

  3. Apply changes by restarting the SMTP service, and verifying that it stays up:

    svc -t /service/hvmail-qmail-smtpd
    sleep 7
    hvmail_init status | grep "hvmail-qmail-smtpd "
    

    If the SMTP service does not show the status “UP”, reverse your change.

Important Note About Spamhaus’ DNSBLs

If you followed our instructions for configuring /etc/resolv.conf to use public DNS resolvers, such as Google and Cloudflare, you need to be aware of Spamhaus’ DNS Blocklists Fair Use Policy, specifically section 1.1.3 of that policy.

In addition to setting forth guidelines for query volume, the policy also says this:

The network originating the DNS Query must be identifiable. This means you must query the Spamhaus DNSBL Public Mirrors from a recursive resolver run on your own network or from a public resolver which supports ECS.

“ECS” is an acronym which stands for “EDNS Client Subnet”, and it’s a protocol that defines a method for the public resolver to pass the IP address of the querying client to the authoritative server for the record being queried. Put another way, a public resolver that supports ECS will pass the IP address of your GreenArrow server to the public mirror for the Spamhaus DNSBL as part of the query, as per Spamhaus’ requirements.

As of this writing, Google’s public resolvers (IP addresses 8.8.8.8 and 8.8.4.4) do support ECS, while Cloudflare (1.1.1.1) does not.

If you’re using public resolvers, there’s an easy way for you to identify whether or not the resolver supports ECS. From the command line on your GreenArrow server, run the following command:

    # host SS.RE.ADD.IP.zen.spamhaus.org a.b.c.d

where:

  • SS.RE.ADD.IP is a public IP address, but reversed, that is used by your GreenArrow server, and
  • a.b.c.d is the IP address of the public resolver

For example, these two queries are meant to check IP address 205.159.93.168 against the Spamhaus Zen DNSBL using first 8.8.8.8 and then 1.1.1.1 as the public resolvers:

    # host 168.93.159.205.zen.spamhaus.org 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases: 

    Host 168.93.159.205.zen.spamhaus.org not found: 3(NXDOMAIN)

    # host 168.93.159.205.zen.spamhaus.org 1.1.1.1
    Using domain server:
    Name: 1.1.1.1
    Address: 1.1.1.1#53
    Aliases: 

    168.93.159.205.zen.spamhaus.org has address 127.255.255.254

Spamhaus DNSBL queries that return results beginning with 127.255.255 are an indication that you have a serious problem to address regarding your methods for querying Spamhaus’ DNSBLs.

Spamhaus DNSBL queries that return results beginning with 127.0 are an indication that the queried IP address is listed in a Spamhaus DNSBL. If your test query used one of your GreenArrow IP addresses and received a result like 127.0.0.2 instead of the NXDOMAIN shown in the first example, you’ll need to open a support request with Spamhaus to get delisted.
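The manual check above can be scripted so that each resolver in /etc/resolv.conf is tested the same way. This is an added example, not GreenArrow's own code; the function names and the script name in the comment are hypothetical, and it assumes the host and awk commands are installed.

```shell
#!/bin/sh
# Added example (not GreenArrow code). Function names are hypothetical.

# 205.159.93.168 -> 168.93.159.205; fails on anything that is not dotted-quad IPv4.
reverse_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $4 "." $3 "." $2 "." $1 }'
}

# Classify the text printed by host(1) using the result ranges described above.
# An error code wins over a listing, so a broken query path is never read as a verdict.
classify_host_output() {
    printf '%s\n' "$1" | awk '
        / has address 127\.255\.255\./ { err = 1 }
        / has address 127\.0\./        { listed = 1 }
        /\(NXDOMAIN\)/                 { nx = 1 }
        END {
            if (err)         print "query-error"
            else if (listed) print "listed"
            else if (nx)     print "not-listed"
            else             print "unknown"
        }'
}

# usage: check_resolver <server-ip> <resolver-ip> [dnsbl-zone]
check_resolver() {
    rev=$(reverse_ipv4 "$1") || { echo "bad-ip"; return 2; }
    # host exits non-zero on NXDOMAIN, which is the healthy result here.
    out=$(host -t A "$rev.${3:-zen.spamhaus.org}" "$2" 2>&1) || true
    classify_host_output "$out"
}

# Run the check only when called with arguments, e.g.:
#   sh dnsbl-check.sh 205.159.93.168 8.8.8.8
if [ "$#" -ge 2 ]; then
    check_resolver "$@"
fi
```

A result of "query-error" corresponds to the 127.255.255 range, "listed" to the 127.0 range, and "not-listed" to NXDOMAIN; "unknown" covers timeouts and any other output.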


Copyright © 2012–2025 GreenArrow Email