Spamhaus RBL in exim

Discussion in 'General Discussion' started by dave9000, Aug 2, 2005.

  1. dave9000

    I have added this to the exim.conf

    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    deny dnslists = sbl-xbl.spamhaus.org
         message = Connection denied spamhaus.org

    We are running Chirpy's mailscanner package and it works wonderfully, but it is a bit resource hoggish. This RBL deny rule seems to stop a lot of spam before it gets to the mailscanner and has dropped the mail load on the server by a lot.


    Does anybody have any pros or cons to running this deny rule, or suggestions on how to make it more efficient, or any other improvement?

    edit

    Make sure you put it after the dictionary deny rule so the dictionary rule can deny and ban before the RBL rule denies the mail.

    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept hosts = :

      drop hosts = /etc/exim_deny
           message = Connection denied after dictionary attack
           log_message = Connection denied from $sender_host_address after dictionary attack

      drop message = Appears to be a dictionary attack
           log_message = Dictionary attack (after $rcpt_fail_count failures)
           condition = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
           condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
           !verify = recipient

      deny dnslists = sbl-xbl.spamhaus.org
           message = Connection denied spamhaus.org
     
    #1 dave9000, Aug 2, 2005
    Last edited: Aug 2, 2005
  2. abubin

    You can separate sbl and xbl:

    sbl.spamhaus.org
    xbl.spamhaus.org


    For me, xbl is too aggressive because this blacklist will also list those IPs from virus-infected users and other dial-up users. So, some of my users were complaining about being banned when they dialed up their ADSL and were assigned an IP which was banned.

    Anyway, adding a blacklist server is very specific to the user's requirements. For me, the one that catches the most is spamcop.net.
     
  3. fred123123

    Will an Exim update from cPanel remove all your changes? I think so...
    Any confirmation?
     
  4. dave9000

    If you use the Exim editor in your WHM to add this code, it will not overwrite the code changes.

    If you manually edit /etc/exim.conf, then a cPanel update will overwrite the changes.
     
  5. fred123123

    Great, this is good to know.
    Thanks for that info!
     
  6. GordonH

    I did not write this.
    Unfortunately I can't remember where it came from as I have it in a text file in my "useful things" folder.
    Apologies to whoever wrote it for not crediting them.

    This allows you to have whitelisted domains and domains for which RBLs are not used.
    You can delete blacklists you don't want to use or comment them out with a #.
    I have commented out two in this example so you can see how to do it.

    The advantage of this way of doing it is that you can turn off filtering for people who don't want it and you can easily add or remove RBLs by commenting them in and out.


    Creating lsearch files
    *****************

    Create three text files in the /etc directory:
    /etc/rblblacklist
    /etc/rblbypass
    /etc/rblwhitelist


    Do this by executing the following commands:

    cd /etc
    touch rblblacklist
    touch rblbypass
    touch rblwhitelist


    SAMPLE DATA
    /etc/rblblacklist is a manual blacklist, it rejects specific spammer hosts BEFORE they can send more email to your server:
    domain1.com
    domain2.com
    domain3.com

    /etc/rblbypass bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
    domain1.com
    domain2.com
    domain3.com

    /etc/rblwhitelist blocks RBL email testing for listed incoming hosts, (wildcards allowed), in case an important client's mailserver is listed on an RBL you use, also automatically excludes relayhosts:
    mail.domain1.com
    *.domain2.com
    *.domain3.com


    -------------------------------
    EXIM CONFIGURATION EDITOR
    -------------------------------

    If you use the WHM-based Exim Configuration Editor, all of your modifications will be reproduced after each update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! Because of this, the following changes should be entered using the Exim Configuration Editor.

    ------------------------
    Setting up lsearch files
    *******************

    At the top of the editor, in the window below:
    #!!# cPanel Exim 4 Config

    Enter these lines:
    domainlist rbl_blacklist = lsearch;/etc/rblblacklist
    domainlist rbl_bypass = lsearch;/etc/rblbypass
    hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

    ----------------------------
    RBL entries in ACL Section
    *********************

    RBL selection depends on many factors, be sure to edit the list below to reflect your priorities... Postmaster and abuse bypass allows blocked users to contact admin.

    In the center window of the ACL section, directly below the line:
    accept hosts = :

    Enter these lines:

    #**#
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept domains = +local_domains
           local_parts = postmaster:abuse
    #
    # Check sending hosts against DNS black lists.
    # Reject message if address listed in blacklist.
    deny message = Message rejected because $sender_fullhost \
                   is blacklisted at $dnslist_domain see $dnslist_text
         # The last active list must not end in " : \": Exim skips comment
         # lines inside a continuation and would join the next setting to it.
         dnslists = sbl-xbl.spamhaus.org
         #bl.spamcop.net : \
         #relays.ordb.org
         # RBL Bypass Local Domain List
         !domains = +rbl_bypass
         # RBL Whitelist incoming hosts
         !hosts = +rbl_whitelist
    #**#
    #**# RBL List End
    #**#

    --------------------------------
    RBL entries in ROUTERS Section
    **************************

    In the ROUTERS section window, directly below the line:
    # in the "local_domains" setting above.

    Enter these lines:
    # Deny and send notice to list of rejected domains.
    reject_domains:
      driver = redirect
      # RBL Blacklist incoming hosts
      domains = +rbl_blacklist
      allow_fail
      data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.


    -----------------------------
    RBL Testing and Verification
    ***********************

    Once your file changes are in place, be sure to keep an eye out for errors... missing files and other errors will be listed here:
    tail -50 /var/log/exim_paniclog

    You can view your spam filtering by reviewing the reject log:
    tail -50 /var/log/exim_rejectlog
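
An added example, not part of the original post: a Python summary of the reject-log entries produced by the deny message above, counting rejections per DNSBL, per sending host and per local recipient domain, which helps when judging whether a list is too aggressive. The log lines are constructed samples in Exim's usual reject-log layout, and the names `summarize_rejects` and `report` are assumptions.

```python
import re
from collections import Counter

# Rejection text as produced by the ACL "message =" line in the post above:
# "<sender_fullhost> is blacklisted at <dnslist_domain> see <dnslist_text>"
REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]"                # sending host address
    r".*? rejected RCPT <(?P<rcpt>[^>]*)>: "     # recipient that was refused
    r"Message rejected because .*? is blacklisted at (?P<zone>\S+)"
)

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
2005-08-02 14:03:11 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@domain1.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at sbl-xbl.spamhaus.org see constructed-text
2005-08-02 14:03:40 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <amy@Domain2.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at sbl-xbl.spamhaus.org see constructed-text
2005-08-02 14:05:02 H=dsl.example.org (pc) [198.51.100.7] F=<x@example.org> rejected RCPT <bob@domain1.com>: Message rejected because dsl.example.org (pc) [198.51.100.7] is blacklisted at bl.spamcop.net see constructed-text
2005-08-02 14:06:00 H=(x) [203.0.113.5] F=<> rejected RCPT <nobody@domain1.com>: Connection denied after dictionary attack
"""


def summarize_rejects(lines):
    """Count DNSBL rejections per list, per sending host and per local domain."""
    stats = {"zone": Counter(), "host": Counter(), "rcpt_domain": Counter()}
    for line in lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue  # some other reject (dictionary attack, failed verify, ...)
        stats["zone"][m["zone"]] += 1
        stats["host"][m["ip"]] += 1
        stats["rcpt_domain"][m["rcpt"].rpartition("@")[2].lower()] += 1
    return stats


def report(stats):
    """Render the counters as text, busiest entries first."""
    out = []
    for title, key in (("DNSBL", "zone"), ("Sending host", "host"),
                       ("Local domain", "rcpt_domain")):
        out.append(title)
        out += [f"  {n:5d}  {name}" for name, n in stats[key].most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    # On a server: summarize_rejects(open("/var/log/exim_rejectlog"))
    print(report(summarize_rejects(SAMPLE_LOG.splitlines())))
```

A host that shows up repeatedly for a single correspondent is a candidate to check against /etc/rblwhitelist; a local domain with many hits is one to ask about /etc/rblbypass.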
     
  7. Nico

    I have this set up and it's been working great, but I can't seem to accept email from one domain that I have listed in /etc/rblwhitelist. I've added the domain name, mail server name and IPs for both and it still rejects the email since they are in the spamcop RBL. This has worked fine for all others with this same scenario.
     
