sendmail 8.14 FEATURE dnsbl seems broken

Discussion in 'Sendmail' started by lxa, Jan 24, 2015.

  1. lxa

    lxa New Email

    Hello,

    I am running three debian email servers and recently wanted to address spam coming in to them. One server is sendmail version 8.14.4, the other two are 8.14.3. All three servers exhibit the same behavior.

    I added milter-greylist to each of them, it works brilliantly, stopping better than 50% of incoming spam.

    I then tried to install realtime dns blacklist checking using three popular free services with entries to my /etc/mail/sendmail.mc file.

    Two of the services, bl.spamcop.net and dnsbl.sorbs.net, cause sendmail to reject every single incoming message as observed in my /var/log/mail.log file.

    The third black list service, zen.spamhaus.org, when enabled, doesn't seem to do anything at all.


    I have tried all sorts of combinations, disabling greylisting, inserting the ipv6 workaround ( define(`DNSBL_MAP'...), using the enhanced blacklist feature "enhdnsbl" and activating only one blacklist at a time. Each time recompiling my sendmail.mc file and restarting sendmail.


    I cannot find any references to others that have had this behavior and I'm at a loss as to how to troubleshoot it from here.

    If anyone has any suggestions or comments, they are greatly appreciated.

    My sendmail.mc follows at the end of this posting.

    Thanks in advance,

    John


    Code:
    #
    #   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
    #
    #  This file is used to configure Sendmail for use with Debian systems.
    #
    define(`_USE_ETC_MAIL_')dnl
    include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
    VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
    OSTYPE(`debian')dnl
    DOMAIN(`debian-mta')dnl
    dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
    undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
    dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
    dnl #
    dnl # General defines
    dnl #
    dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
    dnl #   into this directory before writing files.
    dnl #   If *all* your user accounts are under /home then use that
    dnl #   instead - it will prevent any writes outside of /home !
    dnl #   define(`confSAFE_FILE_ENV',             `')dnl
    dnl #
    dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
    dnl # Remove `, Addr=' clauses to receive from any interface
    dnl # If you want to support IPv6, switch the commented/uncommented lines
    dnl #
    FEATURE(`no_default_msa')dnl
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl
    dnl #
    dnl # Be somewhat anal in what we allow
    define(`confPRIVACY_FLAGS',dnl
    `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
    dnl #
    dnl # Define connection throttling and window length
    define(`confCONNECTION_RATE_THROTTLE', `15')dnl
    define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
    dnl #
    dnl # Features
    dnl #
    dnl # use /etc/mail/local-host-names
    FEATURE(`use_cw_file')dnl
    dnl #
    dnl # The access db is the basis for most of sendmail's checking
    FEATURE(`access_db', , `skip')dnl
    dnl #
    dnl # The greet_pause feature stops some automail bots - but check the
    dnl # provided access db for details on excluding localhosts...
    FEATURE(`greet_pause', `1000')dnl 1 second
    dnl #
    dnl # Delay_checks allows sender<->recipient checking
    FEATURE(`delay_checks', `friend', `n')dnl
    dnl #
    dnl #
    FEATURE(`virtusertable')dnl
    FEATURE(`mailertable')dnl
    dnl #
    dnl # the following was added to make milter-greylist work, see its readme
    dnl #
    INPUT_MAIL_FILTER(`greylist',
      `S=local:/var/run/milter-greylist/greylist.sock')
    define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
    define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
    define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
    define(`confMILTER_MACROS_ENVRCPT', `{greylist}')
    dnl #
    dnl # The following lines activate DNS based Black (HOLE) List testing on three different free services
    dnl #
    define(`DNSBL_MAP', `dns -R A')
    dnl #
    dnl #
    FEATURE(`dnsbl', `dnsbl.sorbs.net', `"571 IP=" $&{client_addr} " -see http://www.sorbs.net/"')dnl
    FEATURE(`enhdnsbl', `zen.spamhaus.org',`"571 IP=" $&{client_addr} " -see http://www.spamhaus.org/"')dnl
    FEATURE(`dnsbl', `bl.spamcop.net',  `"571 IP=" $&{client_addr} " -see http://spamcop.net/bl.shtml?"')dnl
     #
    dnl # If we get too many bad recipients, slow things down...
    define(`confBAD_RCPT_THROTTLE',`3')dnl
    dnl #
    dnl # Stop connections that overflow our concurrent and time connection rates
    FEATURE(`conncontrol', `nodelay', `terminate')dnl
    FEATURE(`ratecontrol', `nodelay', `terminate')dnl
    dnl #
    dnl # If you're on a dialup link, you should enable this - so sendmail
    dnl # will not bring up the link (it will queue mail for later)
    dnl define(`confCON_EXPENSIVE',`True')dnl
    dnl #
    dnl # Dialup/LAN connection overrides
    dnl #
    include(`/etc/mail/m4/dialup.m4')dnl
    include(`/etc/mail/m4/provider.m4')dnl
    dnl #
    dnl # Masquerading options
    FEATURE(`always_add_domain')dnl
    MASQUERADE_AS(`mydomain.com')dnl
    FEATURE(`allmasquerade')dnl
    FEATURE(`masquerade_envelope')dnl
    dnl #
    dnl # Default Mailer setup
    MAILER_DEFINITIONS
    MAILER(`local')dnl
    MAILER(`smtp')dnl
    dnl #  that's all folks
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Hi John,

    For RBLs I prefer the Spamhaus Zen that you're already using, and the Invaluement DNSBL.

    The Invaluement DNSBL is a lesser known provider that has done an excellent job blocking the /24 snowshoe types of spammers for my systems.

    All other RBLs that I use are scored from within SpamAssassin and are not used to block incoming smtp connections directly.

    You are correct, if you're not careful about how you use SORBS you'll end up blocking too much good email. Try including the recent SORBS entries in your SpamAssassin scoring, then at least your users will have the ability to override blocked email if needed:

    # SORBS RBL - new (2 days) and recent (30 days) spam
    header RCVD_IN_SORBS_NR_SPAM eval:check_rbl_sub('sorbs-lastexternal', '127.0.0.6')
    describe RCVD_IN_SORBS_NR_SPAM SORBS: sender is listed in new.spam or recent.spam
    tflags RCVD_IN_SORBS_NR_SPAM net
    score RCVD_IN_SORBS_NR_SPAM 3.0

    To answer your last question more directly, tinker with the ordering; in most mail servers, once an RBL is found to have an IP listed, the others will not be checked.
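
A check that can be run outside sendmail for the symptoms in this thread, as an added example that is not from either poster: it queries each zone for the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be) through the mail server's own resolver. The function names are hypothetical; `FEATURE(dnsbl)` rejects on any A record returned, so a zone that answers for 127.0.0.1 matches the reject-everything symptom and a zone that never answers matches the does-nothing symptom.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL client looks up for `ip` in `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolve(name):
    """Return the A records for `name` via the system resolver, [] if none."""
    try:
        return sorted(socket.gethostbyname_ex(name)[2])
    except OSError:  # gaierror/herror: NXDOMAIN, timeout, no network
        return []


def check_zone(zone, resolve=system_resolve):
    """Classify a zone using the RFC 5782 test entries.

    `resolve` is injectable so the logic can be exercised without network.
    """
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))      # must be listed
    not_listed = resolve(dnsbl_query_name("127.0.0.1", zone))  # must not be
    if not_listed:
        # Something between sendmail and the zone answers for every name,
        # e.g. a resolver that rewrites NXDOMAIN: every client looks listed.
        return "answers-for-everything", not_listed
    if not listed:
        # Queries are not being answered at all: no client is ever listed.
        return "no-answer", []
    return "ok", listed


if __name__ == "__main__":
    # Zones taken from the sendmail.mc posted above.
    for zone in ("dnsbl.sorbs.net", "zen.spamhaus.org", "bl.spamcop.net"):
        print(zone, *check_zone(zone))
```

Run it on the mail server itself, since the result depends on which resolver that host uses.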
     
