May 252016

in order to make rbldnsd as rhsbl authoritative nameserver for unbound, the simple way is to create stub-zone like this:

        name: ""

if we configured unbound as iterator and validator, this minimal configuration will not work. when you query for example:

# dig

we will get “SERVFAIL” replied.
the simple way is by turned off validator function in unbound, but if we still want validator function in unbound, we can simply exclude our rhsbl zone in stub-zone as insecure domain.

domain-insecure: ""

now, we wlll get reply as expected

# dig +short

and in rbldnsd start up config

RBLDNSD="dsbl -r/var/lib/rbldnsd -t 300 -b"

happy blacklisting 😀

combined with script here: we can use it as header_checks map. here’s the result:

May 25 19:11:31 mx1 postfix/cleanup[146988]: 68A203080DD: reject: header From: Dominic McXXX <> from[]; from=<> to=<> proto=ESMTP helo=<spammer>: 5.7.1, which appears in the 'From' header, is listed on
Sep 122009

Sometimes we need to do manual whitelisting for mail users whose customers’ admins don’t respond to your complaints about their server settings.

Another option to consider ist automatic whitelisting by using the hand-crafted DNSWL ( ). We should also consider requesting to get added to DNSWL.

rsync --times* /some/path/

In /etc/postfix/ add this line within the smtpd_recipient_restrictions :

smtpd_recipient_restrictions = ...
     check_client_access cidr:/etc/postfix/postfix-dnswl-permit,

Note that reject_unauth_destination must should come before the check_client_access to ensure you do not become an open relay for the whitelisted networks.

After that reload postfix

# postfix reload

we can also put in cronjob/crontab for autmatically updating dnswl db.

01 * * * * root /path-to/ > /dev/null 2>&1