sendmail 8.14 FEATURE dnsbl seems broken

Discussion in 'Sendmail' started by lxa, Jan 24, 2015.

  1. lxa

    lxa New Email

    Jan 24, 2015
    Likes Received:

    I am running three debian email servers and recently wanted to address spam coming in to them. One sever is sendmail version 8.14.4 the other two are 8.14.3. All three servers exhibit the same behavior.

    I added milter-greylist to each of them, it works brilliantly, stopping better than 50% of incoming spam.

    I then tried to install realtime dns blacklist checking using three popular free services with entries to my /etc/mail/ file.

    Two of the services, and cause sendmail to reject every single incoming message as observed in my /var/log/mail.log file.

    The third black list service, when enabled, doesn't seem to do anything at all.

    I have tried all sorts of combinations, disabling greylisting, inserting the ipv6 workaround ( define(`DNSBL_MAP'...), using the enhanced blacklist feature "enhdnsbl" and activating only one blacklist at a time. Each time recompiling my file and restarting sendmail.

    I cannot find any references to others that have had this behavior and I'm at a loss as how to troubleshoot it from here.

    If anyone has any suggestions or comments, they are greatly appreciated.

    My follows at the end of this posting.

    Thanks in advance,


    #   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
    #  This file is used to configure Sendmail for use with Debian systems.
    VERSIONID(`$Id:, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
    dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
    undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
    dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
    dnl #
    dnl # General defines
    dnl #
    dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
    dnl #   into this directory before writing files.
    dnl #   If *all* your user accounts are under /home then use that
    dnl #   instead - it will prevent any writes outside of /home !
    dnl #   define(`confSAFE_FILE_ENV',             `')dnl
    dnl #
    dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
    dnl # Remove `, Addr=' clauses to receive from any interface
    dnl # If you want to support IPv6, switch the commented/uncommentd lines
    dnl #
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl
    dnl #
    dnl # Be somewhat anal in what we allow
    dnl #
    dnl # Define connection throttling and window length
    define(`confCONNECTION_RATE_THROTTLE', `15')dnl
    dnl #
    dnl # Features
    dnl #
    dnl # use /etc/mail/local-host-names
    dnl #
    dnl # The access db is the basis for most of sendmail's checking
    FEATURE(`access_db', , `skip')dnl
    dnl #
    dnl # The greet_pause feature stops some automail bots - but check the
    dnl # provided access db for details on excluding localhosts...
    FEATURE(`greet_pause', `1000')dnl 1 seconds
    dnl #
    dnl # Delay_checks allows sender<->recipient checking
    FEATURE(`delay_checks', `friend', `n')dnl
    dnl #
    dnl #
    dnl #
    dnl # the following was added to make milter-greylist work, see its readme
    dnl #
    define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
    define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
    define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
    define(`confMILTER_MACROS_ENVRCPT', `{greylist}')
    dnl #
    dnl # The following lines activate DNS based Black (HOLE) List testing on three different free services
    dnl #
    define(`DNSBL_MAP', `dns -R A')
    dnl #
    dnl #
    FEATURE(`dnsbl', `', `"571 IP=" $&{client_addr} " -see'")dnl
    FEATURE(`enhdnsbl', `',`"571 IP=" $&{client_addr} " -see"')dnl
    FEATURE(`dnsbl', `',  `"571 IP=" $&{client_addr} " -see"')dnl
    dnl # If we get too many bad recipients, slow things down...
    dnl #
    dnl # Stop connections that overflow our concurrent and time connection rates
    FEATURE(`conncontrol', `nodelay', `terminate')dnl
    FEATURE(`ratecontrol', `nodelay', `terminate')dnl
    dnl #
    dnl # If you're on a dialup link, you should enable this - so sendmail
    dnl # will not bring up the link (it will queue mail for later)
    dnl define(`confCON_EXPENSIVE',`True')dnl
    dnl #
    dnl # Dialup/LAN connection overrides
    dnl #
    dnl #
    dnl # Masquerading options
    dnl #
    dnl # Default Mailer setup
    dnl #  thatt's all folks

  2. popowich

    popowich EQ Forum Admin Staff Member

    Aug 12, 2008
    Likes Received:
    Hi John,

    For RBL's I prefer the Spamhaus Zen that you're already using, and the Invaluement DNSBL.

    The Invaluement DNSBL is a lesser known provider that has done an excellent job blocking the /24 snowshoe types of spammers for my systems.

    All other RBL's that I use are scored form within SpamAssassin and are not used to block incoming smtp connections directly.

    You are correct, if you're not careful about how you use SORBS you'll end up blocking too much good email. Try including the recent SORBS entries in your SpamAssassin scoring, then at least your users will have the ability to override blocked email if needed:

    # SORBS RBL - new (2 days) and recent (30 days) spam
    header RCVD_IN_SORBS_NR_SPAM eval:check_rbl_sub('sorbs-lastexternal' ,'')
    describe RCVD_IN_SORBS_NR_SPAM SORBS: sender is listed in new.spam or recent.spam
    tflags RCVD_IN_SORBS_NR_SPAM net
    score RCVD_IN_SORBS_NR_SPAM 3.0

    To answer your last question more directly, tinker with the ordering, in most mail servers once an RBL is found to have an IP listed the others will not be checked.

Want to reply or ask your own question?

It only takes a minute to sign up (and it's free!). Click the orange sign up button to choose a username and then you can ask your own questions on the forum.