Exempt domains from RBL checking?

sawbuck

Well-Known Member
Jan 18, 2004
1,365
10
168
cPanel Access Level
Root Administrator
We have customers that occasionally request to be exempted from incoming mail RBL checking. Prior to the new Exim Advanced Editor system this could be accomplished by various mechanisms. After this original discussion, Nick (the founder of cPanel) has provided a patch later in this thread at this location:

http://forums.cpanel.net/f43/exempt-domains-rbl-checking-335422.html#post1362871

The previously mentioned options that do not work are now being removed, since a working patch does exist.
 

sawbuck

Re: Exempt domains from RBL checking no longer working

Unfortunately this solution doesn't work either.

1) In the options section, define the file that will house a line-separated list of domains to skip:

domainlist skip_rbl_domains = ${if exists{/etc/skip_rbl_domains} {lsearch;/etc/skip_rbl_domains} fail}

2) In the spamcop_rbl (and spamhaus_rbl) sections, add the skip line under 'hosts', i.e.:

deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
  dnslists = bl.spamcop.net
  hosts = +backupmx_hosts
  domains = ! +skip_rbl_domains
 

sawbuck

Thank you Nick.

I've struggled with this one for a while, and your personal help, while unexpected, is very much appreciated.

I have applied the patch and am in the process of determining exactly which directives will work. Once confirmed, I will post that information as a follow-up for anyone else who might be looking for this solution.

Ed
 

Brian

Well-Known Member
Dec 1, 2010
117
3
68
Texas
cPanel Access Level
Root Administrator
Greetings sawbuck,

The patch provided by Nick would implement the /etc/skiprbldomains behavior across all RBL configurations deployed through the "RBLs" tab of the Basic Editor under the Exim Configuration page. No changes through the Advanced Editor would be needed with Nick's patch. It'd just be a means of following Nick's post of applying the patch, running the necessary commands he posted to build out a new exim.conf, and editing /etc/skiprbldomains. Keep in mind that cPanel updates will revert the patched perl modules, meaning that if you were to ever need to re-save Exim configurations you should re-apply Nick's patch before each Exim config save to ensure the patched behavior is present.

The steps you've posted could be deployed as an *alternate* solution to Nick's patch. You've basically pulled out the changes Nick made and wrote them in a suitable instruction set for the Advanced Editor.

The only item of note I'd remind folks about with your manual deployment, though, is that your deployment would be best suited if all of the default RBLs were *disabled* in the Basic Editor, since you are effectively adding in a custom RBL manually. If the default ones were left in, it would result in duplicate RBL configs.

In short, if your steps were used in conjunction with leaving the cPanel deployed RBL configurations on, then the whitelisted domains would appropriately skip your custom RBL acl but trip on the default RBL acl. If your steps were used in conjunction with Nick's patch, efforts would be duplicated and potentially result in a failed exim.conf build at worst and multiple DNS requests to the RBLs at best.

In short, whichever method is chosen, only one of those methods should be deployed. Both accomplish similar end goals and are completely acceptable.

At the very least I'd recommend opening a feature request at cPanel Feature Requests for this so we can see the demand for this functionality being added to the product.
 

sawbuck

Thank you Brian.

When I applied Nick's patch without the additional "manual" directives the domains in /etc/skiprbldomains were not exempted from RBL checking.

Using the manual directives without applying the patch didn't work either.

One option I didn't try but apparently should is to disable RBLs in the default editor.

Good to know that the patch would need to be reapplied on Exim upgrades. Assume then that to revert Exim to pre-patch status would be to run /script/eximup --force.

As to a feature request - doubt there is much interest in this solution as RBLs for spam blocking (other than spamhaus and spamcop and perhaps barracudacentral.org) don't seem to be widely deployed anymore.

Ed
 

Brian

If you'd like to open a ticket on this I can take a further look as time permits. Nick's patch on its own should automatically cover all of the RBLs as enabled through the Basic Editor interface (after the conf is rebuilt). Your patch would be required if the individual manually deployed an RBL acl through the Advanced Editor, which would be by updating their manually deployed RBL acl to include the "domains = ! +skip_rbl_domains" exemption (in addition to defining skip_rbl_domains).

It's kind of an either/or situation. If the RBLs used are the ones under the RBLs tab in the Basic Editor, Nick's patch should be able to solve the issue in and of itself. If the RBLs used were custom written in the Advanced Editor, your patch would be applicable.

I just want to make sure everything is sorted so you aren't doubling up on DNS requests and otherwise just have the ACLs and directives set forth that are required. I know a lot of individuals use our forums posts for reference as well, so ensuring the instruction set we have here is the correct one is certainly something I want to make sure we iron out. If you do open a ticket, please post the Ticket ID here.
 

sawbuck

> I know a lot of individuals use our forums posts for reference as well, so ensuring the instruction set we have here is the correct one is certainly something I want to make sure we iron out. If you do open a ticket, please post the Ticket ID here.

That was my intention also and did take the extra time to detail all of the steps and would be interested in revising them to be accurate.

Ticket# 3967391

Thank you Brian for taking the time to investigate this issue.
 

shenzy

Well-Known Member
Apr 27, 2008
86
33
68
Chile
cPanel Access Level
Root Administrator
This option (skiprbldomains) works fine to indicate local domains (local accounts) that do not use the RBL, but it would be great to have another option to whitelist remote domains against the RBLs.

Maybe something like:

#To indicate local domains (local accounts) who do not use the rbl
domainlist skip_rbl_domains = lsearch;/etc/skiprbldomains

#To indicate incoming email domains that will not be checked against the rbl.
domainlist whitelist_rbl_senders = lsearch;/etc/whitelistrblsenders

# BEGIN INSERT spamhaus_rbl

deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
  hosts = +backupmx_hosts
  dnslists = zen.spamhaus.org

warn
  !sender_domains = +whitelist_rbl_senders
  !domains = +skip_rbl_domains
  dnslists = zen.spamhaus.org
  set acl_m8 = 1
  set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"

warn
  condition = ${if eq {${acl_m8}}{1}{1}{0}}
  ratelimit = 0 / 1h / strict / per_conn
  log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

drop
  condition = ${if eq {${acl_m8}}{1}{1}{0}}
  message = ${acl_m9}

# END INSERT spamhaus_rbl

This configuration works well for me, but I have to edit exim.conf manually every time I change the Exim config from WHM.
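
The posts above describe two ways the exemption can silently fail: a config rebuild drops the `skip_rbl_domains` condition, or the same RBL ends up in two ACLs. The following check for both is an added example, not part of any post in this thread and not cPanel code; `audit_rbl_acls`, the finding labels and the sample config are constructed for illustration, and the duplicate test (same zone with the same `hosts` condition) is a heuristic.

```python
import re

VERBS = {"accept", "deny", "defer", "discard", "drop", "require", "warn"}

# Constructed sample: one exempted ACL plus a hand-added copy that lacks the exemption.
SAMPLE_CONF = """\
domainlist skip_rbl_domains = lsearch;/etc/skiprbldomains
# BEGIN INSERT spamhaus_rbl
warn
  !domains = +skip_rbl_domains
  dnslists = zen.spamhaus.org
  set acl_m8 = 1
# END INSERT spamhaus_rbl
deny message = JunkMail rejected - $sender_fullhost is in an RBL
  dnslists = zen.spamhaus.org
begin routers
"""

def acl_statements(conf):
    """Yield each ACL statement as a list of condition lines (verb stripped)."""
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb = line.split()[0]
        if verb in VERBS:
            if current is not None:
                yield current
            current = [line[len(verb):].strip()]
        elif verb == "begin" or re.fullmatch(r"\w+:", line):
            if current is not None:
                yield current
            current = None  # a new section or ACL label ends the statement
        elif current is not None:
            current.append(line)
    if current is not None:
        yield current

def audit_rbl_acls(conf, listname="skip_rbl_domains"):
    """Return (problem, zone) findings for every dnslists lookup in conf."""
    findings, seen = [], set()
    if not re.search(rf"^\s*domainlist\s+{listname}\s*=", conf, re.M):
        findings.append(("list-undefined", listname))
    exempt = re.compile(rf"(!\s*domains\s*=\s*|domains\s*=\s*!\s*)\+{listname}\b")
    for stmt in acl_statements(conf):
        hosts = next((c for c in stmt if c.startswith("hosts")), "")
        lookups = [c.split("=", 1)[1] for c in stmt if re.match(r"dnslists\s*=", c)]
        for zone in (z.strip() for l in lookups for z in l.split(":")):
            if not any(exempt.match(c) for c in stmt):
                findings.append(("no-exemption", zone))
            if (zone, hosts) in seen:
                findings.append(("duplicate-lookup", zone))
            seen.add((zone, hosts))
    return findings
```

Run it against the generated exim.conf after every configuration save or update; an empty list means every RBL lookup carries the exemption and none is repeated.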
 

Serra

Well-Known Member
Oct 27, 2005
272
21
168
Florida
I would like to see a remote domain option as well. Local domains is a hammer, but remote domains is much more precise. I have a few clients who have clients who are constantly on RBLs. I would like to allow those domains (or anyone spoofing those domains) to pass the RBL rather than having my client get all of the spam that would be blocked by the RBL.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
It takes time for approval. You should be able to view it now.