[rbldnsd] The basics - help
Michael Tokarev
mjt at tls.msk.ru
Thu Feb 15 00:59:43 MSK 2007
Steve E. Mosher wrote:
> Hi folks,
>
> I just have a couple questions and I am currently trying to pinpoint if
> I'm doing this correctly.
>
> The scenario and setups are as follows.
>
> This is a Gentoo Linux distro.
> BIND version 9.4.0
> rbldnsd version 0.996
> Postfix version 2.3.7
>
> Sample of named.conf ...
>
> Setting up a forward of each CIDR ip pool based on country.
>
> zone "AE.blocked.rbl" IN { ...
> zone "AF.blocked.rbl" IN { ...
> zone "AG.blocked.rbl" IN { ...
That's.. a lot of zones ;)
> -----------------------------------------
>
> Sample of RBLDNSD config file ...
>
> OPTIONS="-r/var/lib/rbldns -b 127.0.0.1/530 -p/var/run/rbldnsd.pid \
> AE.blocked.rbl:ip4set:AE \
> AF.blocked.rbl:ip4set:AF \
> AG.blocked.rbl:ip4set:AG \
> AI.blocked.rbl:ip4set:AI \
> AL.blocked.rbl:ip4set:AL \
> AM.blocked.rbl:ip4set:AM \
>
> Based on country ....
>
> Sample of the files needed with CIDR format ip pools.
>
> :127.0.0.2:AD. $ is BLOCKED from this MAILSERVER
> 85.94.160.0/19
> 194.158.64.0/19
>
> -----------------------------------------
>
> Sample of main.cf for postfix.
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/filtered_domains,
> permit_mynetworks,
> reject_rbl_client AE.blocked.rbl,
> reject_rbl_client AF.blocked.rbl,
> reject_rbl_client AG.blocked.rbl,
> reject_rbl_client AI.blocked.rbl,
> reject_rbl_client AL.blocked.rbl,
> reject_rbl_client AM.blocked.rbl,
> reject_rbl_client AN.blocked.rbl,
> reject_rbl_client AO.blocked.rbl,
> .................
And I wonder what's the purpose of all these separations.
Why not list all the countries you don't need mail from (including .RU
I suppose?) in a SINGLE zone, say, by-country.blocked.rbl?
Like this:
rbldnsd ...
by-country.blocked.rbl:ip4set:AE,AF,AG,...
?
> I'm just trying to figure out if I'm getting this down right or not.
It depends on what you want to achieve.
> I seem to have issues with (I think) not picking up some of the country
> like per se the UK codes. They are still getting thru. I'm just
Please provide an example of what you think should be blocked but isn't -
together with the relevant data from the files (enclosing IP range etc).
> trying to get a grasp on if my approach is correct. Any advice would be
> greatly appreciated. If anyone needs more info I can provide that.
But I still fail to see how blocking email by-country can help in the first
place. Yes, for a home mailserver which only communicates with a few
friends that may be useful, but in that context using WHITElist instead
of a BLACKlist is way simpler (just add a list of allowed addresses and
block the rest).
/mjt
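
Added example, not part of the original post or of rbldnsd: an offline check of whether a client IP falls inside a range of an ip4set data file, which also prints the DNSBL name Postfix would look up. It handles only the subset of the file format quoted above (one default-value line plus CIDR or single-address entries); the zone name AD.blocked.rbl and the test addresses are assumptions that follow the thread's naming pattern.

```python
import ipaddress

# Constructed sample, same layout as the data file quoted in the thread.
SAMPLE_AD = """\
:127.0.0.2:AD. $ is BLOCKED from this MAILSERVER
85.94.160.0/19
194.158.64.0/19
"""

def parse_ip4set(text):
    """Return (default_a, default_txt, networks, unparsed_lines)."""
    default_a, default_txt, nets, unparsed = "127.0.0.2", "", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;$":      # this script skips comments and $-directives
            continue
        if line.startswith(":"):              # ":A:TXT" default value for the entries
            _, default_a, default_txt = line.split(":", 2)
            continue
        try:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            unparsed.append(line)             # entry forms this script does not understand
    return default_a, default_txt, nets, unparsed

def dnsbl_name(ip, zone):
    """Reversed-octet name a reject_rbl_client lookup queries, e.g. 4.3.2.1.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def explain(ip, zone, text):
    """Report whether ip is covered by the file, and by which enclosing range."""
    a, txt, nets, unparsed = parse_ip4set(text)
    addr = ipaddress.ip_address(ip)
    hit = next((n for n in nets if addr in n), None)
    return {
        "query": dnsbl_name(ip, zone),
        "listed": hit is not None,
        "range": str(hit) if hit else None,
        "a": a if hit else None,
        "txt": txt.replace("$", ip) if hit else None,   # "$" stands for the queried IP
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for ip in ("85.94.170.5", "85.94.192.1"):   # constructed test addresses
        print(explain(ip, "AD.blocked.rbl", SAMPLE_AD))
```

The "query" value can then be compared with what the running daemon answers on the address and port given with -b in the quoted OPTIONS (127.0.0.1, port 530).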