A Real-time Blackhole List (RBL) is a list of IP addresses published through the Domain Name Service (DNS) so that any program on the Internet can query it easily. An RBL is a name server which accepts DNS queries asking whether a particular IP address is on the list: the client reverses the four octets of the address, appends the RBL's base name and looks that name up, so a check of 1.2.3.4 against rbl.domain.xyz is a query for 4.3.2.1.rbl.domain.xyz. An answer means the address is listed; no answer (NXDOMAIN) means it is not. People commonly use an RBL to hold IP addresses known to send spam. Below is an example of what happens when a program such as rblsmtpd accepts a connection from a client and wishes to check rbl.domain.xyz for the client's IP address.
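Here is that lookup written out as an added example; it is not code from the original page or from djbdns. It uses the page's placeholders 1.2.3.4 and rbl.domain.xyz, assumes dig is available for a real query, and treats any A record in 127.0.0.0/8 as "listed" (the usual DNSBL convention, and what rbldns returns; rblsmtpd itself keys its -r decision on the TXT record that rbldns serves alongside the A record). The resolver is a parameter so the logic can also be exercised against a constructed answer table without network access.

```shell
#!/bin/sh
# Added example (not from the page or from djbdns): the lookup a DNSBL
# client performs for one connecting address.  The octets are reversed,
# the RBL base is appended, and the resulting name is queried; an A record
# in 127.0.0.0/8 (rbldns answers 127.0.0.2 by default) means "listed".
# IPv4 only, which is all rbldns serves.

# rbl_query_name IP BASE -> the name to look up, e.g.
#   rbl_query_name 1.2.3.4 rbl.domain.xyz  ->  4.3.2.1.rbl.domain.xyz
# Fails (status 1) for anything that is not a dotted quad with octets <= 255.
rbl_query_name() {
    ip=$1; base=$2
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$base"
}

# rbl_listed ANSWER -> status 0 when ANSWER is a 127.0.0.0/8 address.
# Any other answer, including an empty one (NXDOMAIN), means not listed.
rbl_listed() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# rbl_check IP BASE [RESOLVER] -> 0 listed, 1 not listed, 2 bad address.
# RESOLVER is the command that resolves an A record and prints the address;
# "dig +short" (assumed to be installed) is the default.  Passing a shell
# function instead lets the logic run against a constructed answer table.
rbl_check() {
    ip=$1; base=$2; resolver=${3:-"dig +short"}
    name=$(rbl_query_name "$ip" "$base") || { echo "bad address: $ip" >&2; return 2; }
    answer=$($resolver "$name" A 2>/dev/null | head -n 1)
    if rbl_listed "$answer"; then
        echo "$ip listed in $base ($name -> $answer)"
        return 0
    fi
    echo "$ip not listed in $base ($name)"
    return 1
}
```

Run rbl_check 1.2.3.4 rbl.domain.xyz to query the live list; a name the RBL does not know yields no answer and therefore "not listed", and a malformed client address is refused before any query is sent.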
rbldns is the program in the djbdns package designed specifically to serve RBL data. While it is possible to serve RBL data from a general authoritative server such as tinydns, rbldns is preferred: it is significantly faster, uses less memory, and keeps your RBL data separate from your normal DNS data. It serves only A and TXT records for names under its base, and only over UDP.
The section below details the configuration of rbldns using the rbldns-conf program. rbldns-conf takes five arguments: the account rbldns will run as, the account the logger will run as, the directory to create, the IP address to listen on, and the base name of the list. The two accounts must already exist; rbldns-conf does not create them.
# rbldns-conf rbldns dnslog /etc/black 1.2.3.4 rbl.domain.xyz
The above command creates the rbldns configuration under the directory /etc/black, running rbldns as the account "rbldns" and its logger as the account "dnslog". The server will bind to UDP port 53 on the IP address 1.2.3.4 and answer for the base rbl.domain.xyz.
(The below section is taken almost verbatim from the following page created by John Simpson. I felt that his description on what happens when you activate a service was the most clear and easy to understand, so why change a thing?)
Once the directories are set up, you need to make them start running. This is done by creating a symbolic link from /service/(whatever) to the physical directory where the service lives. The "svscan" program checks /service every five seconds, and when it sees a new directory (or symbolic link) there, it starts a "supervise" process for that directory. In addition, if the directory has the sticky bit set and a child directory called "log", it starts a "supervise" process for the "log" child directory and sets up a pipe between the two processes (so that the main process's logs end up being sent to the log process).
The "supervise" program works by running the "run" script inside of whatever directory it's watching. If that child process (either the "run" script itself, or whatever process it runs using "exec") stops, it starts it back up by running the "run" script again.
The following command creates the symbolic link that starts the RBL service; svscan notices it within five seconds and starts both rbldns and its logger.
# ln -s /etc/black /service/
After running this command, wait ten seconds (to give it time to start) and then run the "svstat" command to see what's running:
# svstat /service/black /service/black/log
/service/black: up (pid 27679) 10 seconds
/service/black/log: up (pid 27679) 10 seconds
As long as the new services show "up" with a timer of more than one second, the services are running correctly. If the timer on a service is 0 or 1 second, then wait about five seconds and run the same command; it should now be higher than 1 second. If it's still 0 or 1, then that service is having a problem and you need to fix it. This page provides some steps to troubleshoot daemontools service installations.
For queries for rbl.domain.xyz to reach rbldns, the authoritative name server for domain.xyz must delegate rbl.domain.xyz to the name server at 1.2.3.4. To configure this example using tinydns, run the following commands.
# cd /service/tinydns/root
# echo "&rbl.domain.xyz:1.2.3.4:a" >> data
# make
The "&" line tells tinydns that the name server for rbl.domain.xyz is 1.2.3.4 (tinydns publishes it under the name a.ns.rbl.domain.xyz). Any query for a name ending in rbl.domain.xyz is therefore referred to 1.2.3.4, where rbldns answers it.
An RBL is not useful unless it has IP addresses in it. The section below shows how to add an IP address to the RBL. Replace IP_ADDRESS with the IP address you want in the RBL; one address per line. rbldns-data also accepts whole networks such as 1.2.3.0/24, and a line of the form :ip:text sets the A record and TXT record returned for listed addresses (the defaults are 127.0.0.2 and "Listed $", where $ is replaced by the listed address). Nothing changes until "make" rebuilds data.cdb; rbldns picks up the new file without a restart.
# cd /service/black/root
# echo IP_ADDRESS >> data
# make
To add an RBL check to qmail, edit your /service/qmail-smtpd/run file to resemble the file below. It is the qmail-smtpd run script from Life with Qmail, which can be found in its original form here, with two lines added: the rblsmtpd line and its "-r" option, which place rblsmtpd in front of qmail-smtpd so that every connection is checked before the SMTP conversation starts. (The original page shows those two lines in red.)
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
# Everything below is unchanged from Life with Qmail except the two
# rblsmtpd lines: rblsmtpd runs in front of qmail-smtpd and only execs it
# when the client's address is not listed in rbl.domain.xyz.
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd \
-r rbl.domain.xyz \
/var/qmail/bin/qmail-smtpd 2>&1
The rblsmtpd program blocks mail from RBL-listed clients. With "-r base", rblsmtpd looks up the client's address in base and, if it finds a TXT record, rejects every delivery attempt in that session using the record's text as the error message: a 451 temporary error by default, or a 553 permanent error if "-b" is also given. With "-a base", base is an anti-RBL: a client whose address has an A record there is accepted, and no later list is consulted. Lists are checked in the order the options appear on the command line and the first one that answers decides, so an "-a" option must come before the "-r" it is meant to override. Two caveats: rblsmtpd honours the RBLSMTPD environment variable, which tcpserver can set per client from /etc/tcp.smtp.cdb (empty means skip the lookups and accept, non-empty means reject with that text), and a lookup that fails with a temporary DNS error lets the client through unless "-c" is given.
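To make the ordering rules concrete, here is an added shell model of how rblsmtpd reaches its verdict; it is not code from the page, from qmail or from djbdns. DNS is replaced by a constructed answer table: rbl.domain.xyz and 1.2.3.4 are the page's names, while ok.domain.xyz (an anti-RBL), 10.0.0.5 and 192.0.2.9 are assumed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page, of qmail or of djbdns: a
# shell model of the order in which rblsmtpd reaches its verdict, so the
# effect of "-a" versus "-r" ordering, of "-b", and of the RBLSMTPD
# variable set from /etc/tcp.smtp can be seen without a mail server.

# rbl_lookup BASE IP prints what the list answers for IP, or nothing when
# IP is not listed.  This is a constructed table (assumption) standing in
# for the DNS queries rblsmtpd makes; ok.domain.xyz is an assumed anti-RBL.
rbl_lookup() {
    case "$1/$2" in
        rbl.domain.xyz/1.2.3.4)  echo "Listed 1.2.3.4" ;;   # listed in the page's RBL
        rbl.domain.xyz/10.0.0.5) echo "Listed 10.0.0.5" ;;  # listed, but also on the anti-RBL
        ok.domain.xyz/10.0.0.5)  echo "127.0.0.2" ;;        # the anti-RBL's A record
    esac
}

# rbl_decide IP [-b|-B] [-a BASE] [-r BASE] ... prints one of
#   allow
#   block 451 <text>   temporary rejection, the default for an RBL hit
#   block 553 <text>   permanent rejection (-b, or $RBLSMTPD starting with -)
rbl_decide() {
    ip=$1; shift
    permanent=0; decision=""; text=""

    # 1. $RBLSMTPD, if the tcpserver rules set it, overrides every lookup:
    #    empty means accept without consulting any list, non-empty means
    #    reject with that text (a leading "-" makes the rejection permanent).
    if [ "${RBLSMTPD+set}" = set ]; then
        if [ -z "$RBLSMTPD" ]; then
            echo allow
        else
            case "$RBLSMTPD" in
                -*) echo "block 553 ${RBLSMTPD#-}" ;;
                *)  echo "block 451 $RBLSMTPD" ;;
            esac
        fi
        return 0
    fi

    # 2. Lists are consulted in command-line order and the first one that
    #    answers decides, so an anti-RBL must precede the RBL it overrides.
    #    -b/-B only choose the error code and may appear anywhere.
    while [ $# -gt 0 ]; do
        case "$1" in
            -b) permanent=1 ;;
            -B) permanent=0 ;;
            -a|-r)
                [ $# -ge 2 ] || { echo "$1 needs a base" >&2; return 2; }
                if [ -z "$decision" ]; then
                    answer=$(rbl_lookup "$2" "$ip")
                    if [ -n "$answer" ]; then
                        if [ "$1" = -a ]; then decision=allow; else decision=block; text=$answer; fi
                    fi
                fi
                shift ;;
            *)  echo "unknown option $1" >&2; return 2 ;;
        esac
        shift
    done

    if [ "$decision" = block ]; then
        if [ $permanent -eq 1 ]; then echo "block 553 $text"; else echo "block 451 $text"; fi
    else
        echo allow
    fi
}
```

RBLSMTPD reaches rblsmtpd through the tcpserver rules file named in the run script: a line such as 192.168.1.:allow,RELAYCLIENT="",RBLSMTPD="" in /etc/tcp.smtp, compiled with tcprules into /etc/tcp.smtp.cdb, exempts that network from every lookup, while a non-empty value rejects the client outright without any lookup.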
To have qmail start using the RBL, restart the SMTP listener with the following command. "svc -t" sends a TERM signal to the supervised process (the tcpserver the run file execs into); "supervise", seeing that the process has ended, runs the run file again with its new contents. Sessions already in progress belong to children tcpserver had already forked and are unaffected; only new connections pass through rblsmtpd.
# svc -t /service/qmail-smtpd
2007-11-28 Thanks to Paul Swainson for pointing out the Makefile is in /service/black/root and not in /service/black.
2006-12-11 Thanks to John Simpson for pointing out several typos on the page.