Exempt domains from RBL checking?

[sawbuck]

We have customers that occasionally request to be exempted from incoming mail RBL checking. Prior to the new Exim Advanced Editor system this could be accomplished by various mechanisms. After this original discussion, Nick (the founder of cPanel) has provided a patch later in this thread at this location:

http://forums.cpanel.net/f43/exempt-domains-rbl-checking-335422.html#post1362871

The previously mentioned options that do not work are now being removed, since a working patch does exist.

 

[sawbuck]

Re: Exempt domains from RBL checking no longer working

Unfortunately this solution doesn't work either.

1) in the options section, define the file that will house a line-separated list of domains to skip:

domainlist skip_rbl_domains = ${if exists{/etc/skip_rbl_domains} {lsearch;/etc/skip_rbl_domains} fail}

2) In the spamcop_rbl (and spamhaus_rbl) sections, add the skip line under 'hosts', ie:

deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
dnslists = bl.spamcop.net
hosts = +backupmx_hosts
domains = ! +skip_rbl_domains

 

[cPanelNick]

View attachment skip_rbl_domains.diff.txt

cd /usr/local/cpanel
patch -p1 < skip_rbl_domains.diff.txt

EDIT: make sure to run /usr/local/cpanel/scripts/buildeximconf and restartsrv_exim afterwards (so used to doing that I forgot it in my post)

 

[sawbuck]

Thank you Nick.

I've struggled with this one for awhile and your personal help while unexpected is very much appreciated.

Have applied the patch and in the process of determining exactly which directives will work and once confirmed will post that information as follow up for anyone else that might be looking for this solution.

Ed

 

[sawbuck]

Patch provided by Nick is working without using any manually entered directives.

 

[Brian]

Greetings sawbuck,

The patch provided by Nick would implement the /etc/skiprbldomains behavior across all RBL configurations deployed through the "RBLs" tab of the Basic Editor under the Exim Configuration page. No changes through the Advanced Editor would be needed with Nick's patch. It'd just be a means of following Nick's post of applying the patch, running the necessary commands he posted to build out a new exim.conf, and editing /etc/skiprbldomains. Keep in mind that cPanel updates will revert the patched perl modules, meaning that if you were to ever need to re-save Exim configurations you should re-apply Nick's patch before each Exim config save to ensure the patched behavior is present.

The steps you've posted could be deployed as an *alternate* solution to Nick's patch. You've basically pulled out the changes Nick made and wrote them in a suitable instruction set for the Advanced Editor.

The only item of note I'd remind folks about with your manual deployment, though, is that you deployment would be best suited for if all of the default RBLs were *disabled* in the Basic Editor, since you are effectively adding in a custom RBL manually. If the default ones were left in, it would result in duplicate RBL configs.

In short, if your steps were used in conjunction with leaving the cPanel deployed RBL configurations on, then the whitelisted domains would appropriately skip your custom RBL acl but trip on the default RBL acl. If your steps were used in conjunction with Nick's patch, efforts would be duplicated and potentially result in a failed exim.conf build at worst and multiple DNS requests to the RBLs at best.

In short, whichever method is chosen, only one of those methods should be deployed. Both accomplish similar end goals and are completely acceptable.

At the very least I'd recommend opening a feature request at cPanel Feature Requests for this so we can see the demand for this functionality being added to the product.

 

[sawbuck]

Thank you Brian.

When I applied Nick's patch without the additional "manual" directives the domains in /etc/skiprbldomains were not exempted from RBL checking.

Using the manual directives without applying the patch didn't work either.

One option I didn't try but apparently should is to disable RBLs in the default editor.

Good to know that the patch would need to be reapplied on Exim upgrades. Assume then that to revert Exim to pre-patch status would be to run /script/eximup --force.

As to a feature request - doubt there is much interest in this solution as RBLs for spam blocking (other than spamhaus and spamcop and perhaps barracudacentral.org) don't seem to be widely deployed anymore.

Ed

 

[Brian]

If you'd like to open a ticket on this I can take a further look as time permits. Nick's patch on its own should automatically cover all of the RBLs as enabled through the Basic Editor interface (after the conf is rebuilt). Your patch would be required if the individual manually deployed an RBL acl through the Advanced Editor, which would be by updating their manually deployed RBL acl to include the "domains = ! +skip_rbl_domains" exemption (in addition to defining skip_rbl_domains).

It's kind of an either/or situation. If the RBLs used are the ones under the RBLs tab in the Basic Editor, Nick's patch should be able to solve the issue in of itself. If the RBLs used were custom written in the Advanced Editor, your patch would be applicable.

I just want to make sure everything is sorted so you aren't doubling up on DNS requests and otherwise just have the ACLs and directives set forth that are required. I know a lot of individuals use our forums posts for reference as well, so ensuring the instruction set we have here is the correct one is certainly something I want to make sure we iron out. If you do open a ticket, please post the Ticket ID here.

 

[sawbuck]

I know a lot of individuals use our forums posts for reference as well, so ensuring the instruction set we have here is the correct one is certainly something I want to make sure we iron out. If you do open a ticket, please post the Ticket ID here.

That was my intention also and did take the extra time to detail all of the steps and would be interested in revising them to be accurate.

Ticket# 3967391

Thank you Brian for taking the time to investigate this issue.

 

[sawbuck]

Thank you for including this functionality in the latest Edge builds.

 

[shenzy]

This option (skiprbldomains) work fine to indicate local domains (local accounts) who do not use the rbl, but would be great another option for whitelist remote domains against the rbls.

Maybe something like:

#To indicate local domains (local accounts) who do not use the rbl
domainlist skip_rbl_domains = lsearch;/etc/skiprbldomains

#To indicate incoming email domains that will not be checked against the rbl.
domainlist whitelist_rbl_senders = lsearch;/etc/whitelistrblsenders


# BEGIN INSERT spamhaus_rbl

deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
hosts = +backupmx_hosts
dnslists = zen.spamhaus.org

warn
!sender_domains = +whitelist_rbl_senders
!domains = +skip_rbl_domains
dnslists = zen.spamhaus.org
set acl_m8 = 1
set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"

warn
condition = ${if eq {${acl_m8}}{1}{1}{0}}
ratelimit = 0 / 1h / strict / per_conn
log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

drop
condition = ${if eq {${acl_m8}}{1}{1}{0}}
message = ${acl_m9}


# END INSERT spamhaus_rbl

This configuration works well for me, but I have edit exim.conf manually every time I change the exim config from whm.

 

[Serra]

I would like to see a remote domain option as well. Local domains is a hammer, but remote domains is much more precise. I have a few clients who have clients who are constantly on RBLs. I would like to allow those domains (or anyone spoofing those domains) to pass the RBL rather than having my client get all of the spam that would be blocked by the RBL.

 

[cPanelMichael]

Please ensure you submit a feature request for new features you would like to see implemented in cPanel:

Submit A Feature Request

Thank you.

 

[shenzy]

Please ensure you submit a feature request for new features you would like to see implemented in cPanel:

Submit A Feature Request

Thank you.

Submited!
thanks Michael.

 

[sawbuck]

@shenzy

Would help if you posted a link to the request so others can vote on it.

 

[shenzy]

@sawbuck ,Thank you!, I had forgotten that detail.

The Link:

Feature Request: Exempt Remote domains from RBL checking

 

[sawbuck]

Feature request link still showing an error: Access Denied! Insufficient permissions to view this object!

 

[cPanelMichael]

It takes time for approval. You should be able to view it now.