Re: [exim] DNS Block List Server

Author: D Hill
Date:  
To: exim-users
Subject: Re: [exim] DNS Block List Server
On Thu, 27 Mar 2008 at 11:12 -0600, wilton@??? confabulated:

> I run Exim 4.52 on RedHat Ent Linux 4.6
>
> I am implementing Spamhaus DNS block lists and have set up my own rbl DNS
> server for the purpose, as required by our volume of mail. We have set our
> main DNS servers to forward requests for the dnsbl zone to my new rbl DNS
> server, but we are having difficulty meeting Spamhaus' requirement that we
> restrict access to only our own machines. We have a fairly complicated DNS
> setup and our DNS expert says he has been unable to find a way to restrict
> forwarding without breaking something else.
>
> It occurs to me that if there was some option for the dnslists condition
> that would let me specify the DNS server to use, I could scrap the
> forwarding and just restrict access to the rbl DNS server to only my mail
> systems. I have read the docs fairly closely but I don't see any mention of
> this type of functionality. Am I missing something? Is there some other way
> to do this? Any pointers greatly appreciated.


We have the datafeed service here as well. I have bind and rbldnsd running
on each of our servers on the loopback IP only. Bind listens on the normal
DNS port while rbldnsd is listening on port 54. I have set up a forward in
the bind configuration for the zone 'spamhaus.local'. The RBL the email
server queries is 'zen.spamhaus.local'. That keeps the lookups from
trailing off to the spamhaus.org servers.

# This is the bind zone for SpamHaus

zone "spamhaus.local" {
         type forward;
         forward only;
         forwarders {
                 127.0.0.1 port 54;
         };
};


# rbldnsd is started like so:
#   -w  working directory holding the datafeed files
#   -b  address/port to bind to (loopback only, port 54, matching the
#       forwarders line in the bind zone above)
#   -u  unprivileged user to run as after startup
#   the remaining arguments are zone:dataset-type:file; repeating a zone
#   name (zen.spamhaus.local) serves several datasets under one zone

rbldnsd -w /usr/local/etc/rbldnsd -b 127.0.0.1/54 -u rbldns \
    sbl.spamhaus.local:ip4set:sbl pbl.spamhaus.local:ip4trie:pbl \
    xbl.spamhaus.local:ip4tset:xbl zen.spamhaus.local:ip4set:sbl \
    zen.spamhaus.local:ip4trie:pbl zen.spamhaus.local:ip4tset:xbl

I have our other two email servers rsync the zone information from our
primary filter server at time offsets from when the primary filter server
rsyncs from the spamhaus rsync servers.

This has worked flawlessly since our subscription to SpamHaus' datafeed
(just over three months).

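As an added example (not part of D Hill's post, and not rbldnsd or Exim code): a small Python model of what the setup above does end to end. It builds the name Exim's dnslists condition queries (reversed client octets under zen.spamhaus.local), answers it from three constructed datasets standing in for the sbl, pbl and xbl datafeed files, and decodes the returned A records with the published zen return codes. The dataset contents are made up for the example, "longest prefix wins" within a dataset is this model's simplification, and a query for any other zone is answered with nothing, which is the point of the private .local name: nothing is forwarded to spamhaus.org.

```python
import ipaddress

# Zone the mail servers query; in the post bind forwards it to rbldnsd on 127.0.0.1/54.
ZONE = "zen.spamhaus.local"

# Constructed sample data standing in for the sbl, pbl and xbl files (not Spamhaus data).
# Each entry is a listed network and the A record the dataset returns for it.
SBL_IP4SET = [("192.0.2.10/32", "127.0.0.2"), ("192.0.2.64/26", "127.0.0.2")]
PBL_IP4TRIE = [("198.51.100.0/24", "127.0.0.10"), ("198.51.100.128/25", "127.0.0.11")]
# ip4tset holds single addresses that all share one return value.
XBL_IP4TSET_ADDRS = {"203.0.113.7", "198.51.100.200"}
XBL_IP4TSET_VALUE = "127.0.0.4"

# Published zen return codes, used only to label a hit.
RETURN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def _longest_prefix(entries, addr):
    """Return the value of the most specific listed network containing addr (model simplification)."""
    best = None
    for cidr, value in entries:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return [best[1]] if best else []


def _tset(addrs, value, addr):
    """ip4tset-style lookup: exact address match, single shared value."""
    return [value] if str(addr) in addrs else []


# The three datasets bound to the combined zone, in the order of the rbldnsd command line.
DATASETS = [
    lambda a: _longest_prefix(SBL_IP4SET, a),
    lambda a: _longest_prefix(PBL_IP4TRIE, a),
    lambda a: _tset(XBL_IP4TSET_ADDRS, XBL_IP4TSET_VALUE, a),
]


def query_name(client_ip, zone=ZONE):
    """Name Exim's dnslists condition looks up: reversed IPv4 octets under the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(qname, zone=ZONE):
    """Answer a query against the combined zone: every dataset contributes its A records.
    Anything outside the zone gets an empty answer (nothing is forwarded elsewhere)."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return []
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return []
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return []
    records = []
    for dataset in DATASETS:
        records.extend(dataset(addr))
    return records


def check_client(client_ip, zone=ZONE):
    """What 'deny dnslists = zen.spamhaus.local' would see: (listed?, sorted list names)."""
    codes = resolve(query_name(client_ip, zone), zone)
    lists = sorted({RETURN_CODES.get(c, "unknown " + c) for c in codes})
    return (bool(codes), lists)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.70", "198.51.100.200", "203.0.113.7", "192.0.2.1"):
        print(ip, query_name(ip), check_client(ip))
```

A client listed in more than one dataset (198.51.100.200 here, in both pbl and xbl) gets both A records back from the single zen zone, which is why the post lists the same zone name three times on the rbldnsd command line instead of querying sbl, pbl and xbl separately.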