rblsmtpd (/usr/local/bin/rblsmtpd) is a small program in the ucspi-tcp-0.88 package (the qmail daemon tools) that blocks SMTP connections from IP addresses listed on the Realtime Block Lists (RBL) of various DNSBL servers (e.g. sbl-xbl.spamhaus.org; cbl.abuseat.org).
rblsmtpd is started from the supervised startup script for qmail-smtpd (/var/qmail/supervise/qmail-smtpd/run), and runs before qmail-smtpd itself.
tcpserver (also part of ucspi-tcp-0.88) sets the TCPREMOTEIP environment variable to the IP address of the host trying to send e-mail. rblsmtpd runs afterwards (as may other programs, e.g. relay control), reads TCPREMOTEIP and performs a DNSBL query on it: a reverse-style lookup, in the manner of in-addr.arpa, of an A or TXT record under the DNSBL zone.
DNS query format
The DNS query format for numeric hosts follows the convention used by other DNSBL servers. The octets of the target host's IP address are reversed and the zone name of the DNSBL server is appended. For example, if you want to see whether 152.16.12.37 is listed in the cbl.abuseat.org zone, you look up the A record for 37.12.16.152.cbl.abuseat.org:
query about 152.16.12.37
look up 37.12.16.152.cbl.abuseat.org
DNS A record query, using rblsmtpd patched to add logging and A record capability:
/usr/local/bin/rblsmtpd -b -v -r "cbl.abuseat.org:Spammer IP says cbl.abuseat.org"
Note that -b means reply with a 553 error code, -v means verbose (log each block), and that the quoted "cbl.abuseat.org:Spammer IP says cbl.abuseat.org" contains a colon, which selects a DNS A record lookup; the text after the colon becomes the reply message.
DNS TXT record query, using rblsmtpd patched to add logging (the TXT lookup was the original capability):
/usr/local/bin/rblsmtpd -b -v -r cbl.abuseat.org
Note that -b means reply with a 553 error code, -v means verbose logging, and that the unquoted cbl.abuseat.org with no colon selects a DNS TXT record lookup. The TXT record normally carries information and a URL about the offending IP. TXT lookups have fallen out of favor with many DNSBL servers because of the size of the reply.
DNS answer format
If the IP address is not listed in the database, the DNSBL server reports that the A or TXT record does not exist (NXDOMAIN). rblsmtpd then runs the next program in the smtpd run script (usually /var/qmail/bin/qmail-smtpd).
If the IP is listed in the database, an A record is returned with a value of the form 127.0.0.xxx. A TXT record may also be available for each numeric record returned.
rblsmtpd then sends an error message and refuses the rest of the SMTP session. For a DNS A record search the error message is 553 followed by the text after the colon, e.g. the part after the colon in "sbl-xbl.spamhaus.org:Spammer IP says sbl-xbl.spamhaus.org".
For a DNS TXT record search the error message is 553 followed by the text of the TXT record.
(3/4/2008 The TXT DNS seems to still work, but just TXT is returned. Actually had problems with the A DNS query)
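As an added example (not code from this page or from ucspi-tcp), the following Python models the query and answer handling described above: it splits an -r argument into zone and message, reverses the IP under the zone, and turns the DNS answer into rblsmtpd's 553 reply or a pass. The resolver and zone data are constructed stand-ins, and the 127.0.0.0/8 sanity check is an addition the page does not describe; it keeps a wildcarded or lapsed zone from blocking every sender.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Constructed stand-in for a DNSBL zone (not real data): query name ->
# (A record, TXT record). 127.0.0.2 is the conventional test entry.
FAKE_ZONE = {
    "2.0.0.127.cbl.abuseat.org": ("127.0.0.2",
        "Blocked - see http://cbl.abuseat.org/lookup.cgi?127.0.0.2"),
    "37.12.16.152.cbl.abuseat.org": ("127.0.0.2",
        "Blocked - see http://cbl.abuseat.org/lookup.cgi?152.16.12.37"),
}

def fake_lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver; None models the NXDOMAIN a clean IP gets."""
    return FAKE_ZONE.get(name)

def parse_r_arg(arg: str) -> Tuple[str, Optional[str]]:
    """Split an rblsmtpd -r argument: 'zone:message' means an A lookup with
    a fixed reply text; a bare 'zone' means the TXT record is the reply."""
    zone, sep, message = arg.partition(":")
    return zone, (message.strip() if sep else None)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted quad and append the zone:
    152.16.12.37 + cbl.abuseat.org -> 37.12.16.152.cbl.abuseat.org.
    TCPREMOTEIP comes from the network, so anything that is not a plain
    IPv4 address raises ValueError instead of being spliced into a name."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_ip(ip: str, r_arg: str,
             lookup: Callable[[str], Optional[Tuple[str, str]]] = fake_lookup
             ) -> Optional[str]:
    """Return the 553 line rblsmtpd would send if ip is listed, else None
    (not listed: the connection is handed on to qmail-smtpd)."""
    zone, message = parse_r_arg(r_arg)
    answer = lookup(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    a_record, txt_record = answer
    # Only a 127.0.0.0/8 answer counts as a listing; a wildcarded or
    # expired zone that answers with some other address must not block.
    if ipaddress.IPv4Address(a_record) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return "553 " + (message if message is not None else txt_record)

if __name__ == "__main__":
    print(check_ip("127.0.0.2", "cbl.abuseat.org:test "))   # 553 test
    print(check_ip("127.0.0.2", "cbl.abuseat.org"))         # TXT text
    print(check_ip("10.1.2.3", "cbl.abuseat.org"))          # None
```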
To test manually at a root shell prompt, first set the variable that tcpserver would normally supply:
#export TCPREMOTEIP="127.0.0.2"
The DNS A query:
#/usr/local/bin/rblsmtpd -b -v -r "cbl.abuseat.org:test " /var/qmail/bin/qmail-smtpd
The IP should be recognized by the cbl.abuseat.org DNSBL server, which returns an A record of 127.0.0.2. rblsmtpd's own minimal SMTP responder then takes over and you should see:
rblsmtpd: pid XXXXX: 553 test
220 rblsmtpd.local
If the IP is not on the DNSBL, your regular qmail-smtpd should reply instead, e.g.:
220 lilac.droittech.com ESMTP
The DNS TXT query:
#/usr/local/bin/rblsmtpd -b -v -r cbl.abuseat.org /var/qmail/bin/qmail-smtpd
rblsmtpd: 127.0.0.2 pid XXXXX: 553 Blocked - see http://cbl.abuseat.org/lookup.cgi?127.0.0.2
220 rblsmtpd.local
The patched rblsmtpd, which includes DNS A and TXT record search and logging, is here: rblsmtpd.c. Put the file in the ucspi-tcp-0.88 source directory, then recompile.
You may have to delete the object files (#rm *.o) and shut down qmail first, then run #make setup check.
Sample startup script
/var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
# tcpserver sets TCPREMOTEIP; relay-ctrl-check and rblsmtpd then run in
# front of qmail-smtpd for every connection. rblsmtpd flags: -b reply 553,
# -v log each block, -r zone:message A-record lookup in zone, replying
# with message if the IP is listed. -b and -v need only be given once.
exec /usr/local/bin/softlimit -m 9000000 \
    envdir /etc/relay-ctrl \
    relay-ctrl-chdir \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    relay-ctrl-check \
    /usr/local/bin/rblsmtpd -b -v \
        -r "cbl.abuseat.org:Spammer IP says cbl.abuseat.org" \
        -r "sbl-xbl.spamhaus.org:Spammer IP says sbl-xbl.spamhaus.org" \
    /var/qmail/bin/qmail-smtpd 2>&1
Sample maillog excerpt showing the rblsmtpd block entries produced by -v:
Apr 2 11:04:46 lilac msd[17265]: tab@droittech.com BLOCKED as non-valid user
Apr 2 15:01:30 lilac msd[19481]: Linux SMTPD started: connection from 201.10.65.244
Apr 2 15:01:58 lilac msd[19481]: Premature end of input data
Apr 2 15:05:35 lilac rblsmtpd: blocked 24.21.117.214 c-24-21-117-214.hsd1.wa.comcast.net -
Apr 2 15:11:55 lilac rblsmtpd: blocked 82.158.155.208 208.red-82-158-155.user.auna.net -
Apr 2 15:20:38 lilac rblsmtpd: blocked 82.226.13.143 ivry-6-82-226-13-143.fbx.proxad.net -
Apr 2 15:20:52 lilac rblsmtpd: blocked 82.67.183.23 nsg93-1-82-67-183-23.fbx.proxad.net -
Apr 2 15:32:55 lilac msd[19708]: Linux SMTPD started: connection from 58.8.250.98
Apr 2 15:33:20 lilac msd[19708]: frank.carizzo@lhcusa.com BLOCKED as non-valid user
Apr 2 15:40:18 lilac rblsmtpd: blocked 209.191.144.42 - -
Apr 2 16:11:54 lilac rblsmtpd: blocked 24.11.173.141 c-24-11-173-141.hsd1.mi.comcast.net -
Apr 2 16:12:11 lilac rblsmtpd: blocked 82.228.36.142 bondy-7-82-228-36-142.fbx.proxad.net -
Apr 2 16:17:20 lilac rblsmtpd: blocked 205.251.197.146 wiley-233-9610.roadrunner.nf.net -
Apr 2 16:23:24 lilac rblsmtpd: blocked 62.111.140.46 - -
Apr 2 16:29:09 lilac rblsmtpd: blocked 64.80.3.164 - -
Apr 2 16:32:56 lilac msd[20150]: Linux SMTPD started: connection from 194.145.96.25
Apr 2 16:32:56 lilac msd[20150]: contaminant@droittech.com BLOCKED as non-valid user