Monday, November 2, 2009

Sendmail: How To Configure Sendmail for DNS-based Blacklisting

As soon as a host connects to SMTP port running a sendmail MTA, sendmail can also be configured to check and block IP addresses of incoming emails that are found to be listed on one or more DNS blacklists. This is possible by configuring sendmail directive dnsbl or DNS blacklists. During the SMTP handshake and conversation of host’s IP address to sendmail SMTP port, sendmail can check the connecting hosts for possible black listed IP address from DNS blacklists, lowering down the percentage of incoming SPAM emails.
Basically, here are the steps on how this sendmail dnsbl blacklisting works as an added builtin antispam sendmail directive feature.

1. A computer host attempts to establish SMTP connections to sendmail. All connecting SMTP host brings with them originating IP address.
2. Sendmail examines SMTP conversation and determines the connecting IP address at the other end of the connection.
3. Sendmail then rearrange the IP address in a format recognizeable by DNS blacklist and submit it to DNS explicitly specified blacklists servers.
4. If the submitted query resolves from the DNS blacklist check, then the sender’s IP address is most likely to be a spammer.

HowTo Configure Sendmail for DNS-based Blacklisting

Here’s a quick entry on how to configure sendmail to check the incoming IP address of connecting host during the SMTP conversation.

Minimum Requirements

a. Linux OS
b. Existing Sendmail setup
c. Existing DNS setup
d. Internet connection


Steps on how to configure sendmail to check with DNS Blacklists

Step One

Choose which DNS blacklists are active with a high history of reliability for blacklisting IP address. As an example here, we would be using three DNS blacklists servers.

zen.spamhaus.org
list.dsbl.org
combined.njabl.org

You can use your choice of DNS blacklists server sources to suit your needs.

Step Two

Configure sendmail to use dnsbl sendmail directive. Backup and modify /etc/mail/sendmail.mc and insert the below details:


FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access at http://www.spamhaus.org/query/bl?ip=" $`'&{client_addr} ')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access see http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `combined.njabl.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access see http://njabl.org/lookup?$&{client_addr}')dnl


The above has been customized to reflect the following useful details:

a. IP address of the denied computer hosts
b. DNS blacklist server that has been used for checking the denied host
c. Error message with URL site to be shown to computer host for further course of action and why he has been blocked.

The above sendmail details would also be reflected to sendmail’s default log file for further statistics and monitoring details.

By default, dnsbl sendmail directive is not included with default sendmail configuration setup.

Step Three

Recompile and restart sendmail daemon service

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# service sendmail restart

Monitoring DNS Blacklist Logs with Sendmail

# tailf /var/log/maillog | grep ‘Refused unsolicited’

Counting blocked hosts by Sendmail DNS blacklists

# cat /var/log/maillog | grep ‘Refused unsolicited’ | wc -l

You can further use more linux command combination like grep and awk to fetch all DNS blocked IP addresses and dump it to a single file.
To be more paranoid, create a script that route blocks all IP addresses dumped from this file. Further action of this scenario would be covered on other separate post.
To be more creative, these number counts can also be graphed and feed to MRTG details for further graphing actions.

1 comment: