May 252016
 

in order to make rbldnsd as rhsbl authoritative nameserver for unbound, the simple way is to create stub-zone like this:

stub-zone:
        name: "rhsbl.example.com."
        stub-addr: 172.18.1.1@530

if we configured unbound as iterator and validator, this minimal configuration will not work. when you query for example:

# dig blacklisted.domain.com.rhsbl.example.com

we will get “SERVFAIL” replied.
the simple way is by turned off validator function in unbound, but if we still want validator function in unbound, we can simply exclude our rhsbl zone in stub-zone as insecure domain.

domain-insecure: "rhsbl.example.com."

now, we wlll get reply as expected

# dig blacklisted.domain.com.rhsbl.example.com +short
127.0.0.2

and in rbldnsd start up config

RBLDNSD="dsbl -r/var/lib/rbldnsd -t 300 -b 172.18.1.1/530 rhsbl.example.com:dnset:hosts"

happy blacklisting 😀

edited:
combined with checkdbl.pl script here: http://www.kutukupret.com/2010/12/03/postfix-header_checks-using-tcp_table-and-checkdbl-pl-script/ we can use it as header_checks map. here’s the result:

May 25 19:11:31 mx1 postfix/cleanup[146988]: 68A203080DD: reject: header From: Dominic McXXX <McXXX@domainspammer.com> from sub.domainspammer.com[xxx.xxx.xxx.xx]; from=<McXXX@domainspammer.com> to=<myuser@example.org> proto=ESMTP helo=<spammer>: 5.7.1 domainspammer.com, which appears in the 'From' header, is listed on rhsbl.example.com
Sep 122009
 

Sometimes we need to do manual whitelisting for mail users whose customers’ admins don’t respond to your complaints about their server settings.

Another option to consider ist automatic whitelisting by using the hand-crafted DNSWL ( http://www.dnswl.org/ ). We should also consider requesting to get added to DNSWL.

dnswl-update.sh

#!/bin/sh
rsync --times rsync1.dnswl.org::dnswl/postfix-* /some/path/

In /etc/postfix/main.cf add this line within the smtpd_recipient_restrictions :

smtpd_recipient_restrictions = ...
     reject_unauth_destination,
     ...
     check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
     ...

Note that reject_unauth_destination must should come before the check_client_access to ensure you do not become an open relay for the whitelisted networks.

After that reload postfix

# postfix reload

we can also put dnswl-update.sh in cronjob/crontab for autmatically updating dnswl db.

01 * * * * root /path-to/dnswl-update.sh > /dev/null 2>&1