Spamhaus RBL in exim

dave9000

I have added this to the exim.conf

# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept  hosts = :

deny    dnslists = sbl-xbl.spamhaus.org
        message = Connection denied spamhaus.org

We are running Chirpy's MailScanner package and it works wonderfully, but it is a bit resource hoggish. This RBL deny rule seems to stop a lot of spam before it gets to the MailScanner and has dropped the mail load on the server by a lot.


Does anybody have any pros or cons to running this deny rule? Or suggestions how to make it more efficient, or any other improvement?

Edit:

Make sure you put it after the dictionary deny rule so the dictionary rule can deny and ban before the RBL rule denies the mail.

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

  drop    hosts = /etc/exim_deny
          message = Connection denied after dictionary attack
          log_message = Connection denied from $sender_host_address after dictionary attack

  drop    message = Appears to be a dictionary attack
          log_message = Dictionary attack (after $rcpt_fail_count failures)
          condition = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
          condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
          !verify = recipient

  deny    dnslists = sbl-xbl.spamhaus.org
          message = Connection denied spamhaus.org
 

abubin

You can separate sbl and xbl:

sbl.spamhaus.org
xbl.spamhaus.org


For me, xbl is too aggressive because this blacklist will also list those IPs from virus-infected users and other dial-up users. So, some of my users were complaining about being banned when they dialed up their ADSL and were assigned an IP which was banned.

Anyway, adding a blacklist server is very specific to the user's requirements. For me, the one that catches most BL is spamcop.net.
 

fred123123

Will an Exim update from cPanel remove all your changes? I think so...
Any confirmation?
 

dave9000

If you use the Exim editor in your WHM to add this code, it will not overwrite the code changes.

If you manually edit /etc/exim.conf, then a cPanel update will overwrite the changes.
 

GordonH

I did not write this.
Unfortunately I can't remember where it came from as I have it in a text file in my "useful things" folder.
Apologies to whoever wrote it for not crediting them.

This allows you to have whitelist domains and domains for which RBLs are not used.
You can delete blacklists you don't want to use or comment them out with a #.
I have commented out two in this example so you can see how to do it.

The advantage of this way of doing it is you can turn off filtering for people who don't want it and you can easily add or remove RBLs by commenting them in and out.


Creating lsearch files
*****************

Create three text files in the /etc directory:
/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist


Do this by executing the following commands:

cd /etc
touch rblblacklist
touch rblbypass
touch rblwhitelist


SAMPLE DATA
/etc/rblblacklist is a manual blacklist, it rejects specific spammer hosts BEFORE they can send more email to your server:
domain1.com
domain2.com
domain3.com

/etc/rblbypass bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
domain1.com
domain2.com
domain3.com

/etc/rblwhitelist blocks RBL email testing for listed incoming hosts, (wildcards allowed), in case an important client's mailserver is listed on an RBL you use, also automatically excludes relayhosts:
mail.domain1.com
*.domain2.com
*.domain3.com


-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------

If you use the WHM-based Exim Configuration Editor, all of your modifications will be reproduced after each update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! Because of this, the following changes should be entered using the Exim Configuration Editor.

------------------------
Setting up lsearch files
*******************

At the top of the editor, in the window below:
#!!# cPanel Exim 4 Config

Enter these lines:
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

----------------------------
RBL entries in ACL Section
*********************

RBL selection depends on many factors, be sure to edit the list below to reflect your priorities... Postmaster and abuse bypass allows blocked users to contact admin.

In the center window of the ACL section, directly below the line:
accept hosts = :

Enter these lines:

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
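accept  domains = +local_domains
        local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Reject message if address listed in blacklist.
deny    message = Message rejected because $sender_fullhost \
                  is blacklisted at $dnslist_domain see $dnslist_text
        # The last active list must not end in ": \". Comment lines do not
        # end a continuation, so a trailing backslash here would pull the
        # "!domains" line below into the dnslists value. Put ": \" back on
        # this line when you uncomment a list after it.
        dnslists = sbl-xbl.spamhaus.org
        #bl.spamcop.net : \
        #relays.ordb.org
        # RBL Bypass Local Domain List
        !domains = +rbl_bypass
        # RBL Whitelist incoming hosts
        !hosts = +rbl_whitelist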
#**#
#**# RBL List End
#**#

--------------------------------
RBL entries in ROUTERS Section
**************************

In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.

Enter these lines:
# Deny and send notice to list of rejected domains.
reject_domains:
  driver = redirect
  # RBL Blacklist incoming hosts
  domains = +rbl_blacklist
  allow_fail
  data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.


-----------------------------
RBL Testing and Verification
***********************

Once your file changes are in place, be sure to keep an eye out for errors... missing files and other errors will be listed here:
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog
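
To see which list is doing the blocking and which local domains are affected (useful when deciding what belongs in /etc/rblbypass or /etc/rblwhitelist), the reject log can be tallied by the $dnslist_domain value that the deny message above writes. This is an added example, not part of the original post; the log lines are constructed and their layout is an assumed typical exim_rejectlog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, shaped like exim_rejectlog entries for the deny rule above.
SAMPLE_LOG = """\
2005-08-14 10:02:11 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@domain1.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=192.0.2.10
2005-08-14 10:02:15 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <alice@domain1.com>: Message rejected because (mx.example.net) [192.0.2.10] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=192.0.2.10
2005-08-14 10:03:40 H=dsl.example.org [198.51.100.7] F=<c@example.org> rejected RCPT <info@domain2.com>: Message rejected because dsl.example.org [198.51.100.7] is blacklisted at bl.spamcop.net see Blocked
2005-08-14 10:05:02 H=(x) [203.0.113.5] F=<z@example.org> rejected RCPT <nobody@domain1.com>: Appears to be a dictionary attack
2005-08-14 10:06:30 H=(relay) [203.0.113.9] F=<d@example.com> rejected RCPT <Bob@DOMAIN1.com>: Message rejected because (relay) [203.0.113.9] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=203.0.113.9
"""

# The first [ip] on a line is the connecting host; the zone follows "is blacklisted at".
REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?rejected RCPT <[^@>]*@(?P<domain>[^>]+)>:"
    r".*?is blacklisted at (?P<zone>\S+)"
)

def tally_rbl_rejects(log_text):
    """Count DNSBL rejections per zone, per local recipient domain, and per sender IP."""
    by_zone, by_domain = Counter(), Counter()
    ips_by_zone = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:  # other rejections (dictionary attack, etc.) are skipped
            continue
        zone = m["zone"].lower()
        by_zone[zone] += 1
        by_domain[m["domain"].lower()] += 1
        ips_by_zone[zone][m["ip"]] += 1
    return by_zone, by_domain, ips_by_zone

def report(log_text):
    """One summary line per DNSBL zone, then one per local recipient domain."""
    by_zone, by_domain, ips_by_zone = tally_rbl_rejects(log_text)
    lines = []
    for zone, n in by_zone.most_common():
        top_ip, hits = ips_by_zone[zone].most_common(1)[0]
        lines.append(f"{zone}: {n} rejects, {len(ips_by_zone[zone])} hosts, top {top_ip} ({hits})")
    for domain, n in by_domain.most_common():
        lines.append(f"rcpt domain {domain}: {n} rejects")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a live server, pass the contents of /var/log/exim_rejectlog to report() instead of SAMPLE_LOG.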
 

Nico

I have this setup and it's been working great, but I can't seem to accept email from one domain that I have listed in /etc/rblwhitelist. I've added the domain name, mail server name and IPs for both and it still rejects the email since they are in the spamcop RBL. This has worked fine for all others with this same scenario.