Postfix IPv6 + RBL + BIND9 as DNSBL

Here we go again for using ipv6 dnsbl, we need postfix version => 2.6 as the author of postfix state in postfix-users list. This site is a good reference on how to build postfix RPM under redhat based system

http://postfix.wl0.org/en/

How ipv6 dnsbl keep AAAA record in their zone? this is how it done. for example we got ipv6:

`1`	`2001:470:19:13c:219:d1ff:feea:ee16`

(this one of my workstation ipv6 address )

RBL query lookup would be like this:

`1`	`$` `dig` `aaaa 6.1.e.e.a.e.e.f.f.f.1.d.9.1.2.0.c.3.1.0.9.1.0.0.0.7.4.0.1.0.0.2.dnsbl.domain.tld.`

`2`	`$` `dig` `txt 6.1.e.e.a.e.e.f.f.f.1.d.9.1.2.0.c.3.1.0.9.1.0.0.0.7.4.0.1.0.0.2.dnsbl.domain.tld.`

So, we need configure our private BIND9 RBL like this: first create dnsbl.domain.tld zone in /etc/named.conf

1zone "dnsbl.domain.tld" {
2      type master;
3      file "dnsbl.domain.tld";
4};

second, we have to create dnsbl.domain.tld zone file.

1$TTL 86400
2@       IN      SOA     ns1.dnsbl.domain.tld.     hostmaster.dnsbl.domain.tld. (
3                        2009071228      ; serial number YYMMDDNN
4                        28800           ; Refresh
5                        7200            ; Retry
6                        864000          ; Expire
7                        86400           ; Min TTL
8                        )
9  
10                NS      ns1.dnsbl.domain.tld.
11                NS      ns2.dnsbl.domain.tld.
12  
13$ORIGIN dnsbl.domain.tld.
14blackhole       IN      A       127.0.0.2
15                IN      AAAA    ::2
16                IN      TXT     "Blocked by dnsbl.domain.tld for SPAM Sources"
171.3.0.c.a.0.0.2.0.0.8.0.a.0.0.0.0.0.a.0.f.6.3.8.f.f.f.f.e.f.f.3         IN      CNAME   blackhole
18e.c.a.f.e.b.a.b.0.0.0.0.0.0.0.0.1.0.0.0.7.e.8.f.0.7.4.0.1.0.0.2         IN      CNAME   blackhole
196.1.e.e.a.e.e.f.f.f.1.d.9.1.2.0.c.3.1.0.9.1.0.0.0.7.4.0.1.0.0.2         IN      CNAME   blackhole

why do i using CNAME instead of direct AAAA record? it’s just for efficiency, to avoid repetitions when adding ipv6 address on the blacklist. beside, postfix resolver can follow CNAME until found AAAA and TXT record. IN postfix configuration, main.cf add this line:

1smtpd_recipient_restrictions =
2    ...
3        reject_unauth_destination,
4        reject_rbl_client dnsbl.domain.tld,
5    ...

don’t forget to exclude 2001:470:19:13c:219:d1ff:feea:ee16 from mynetworks

`1`	`mynetworks = ![2001:470:19:13c:219:d1ff:feea:ee16], .....`

now test all the things we’ve configured.

1$ telnet mx.domain.tld 25
2220 mx.domain.tld ESMTP Postfix (2.6.1)
3ehlo wks.domain.tld
4250-mx.domain.tld
5250-PIPELINING
6250-SIZE 52428800
7250-ETRN
8250-STARTTLS
9250-AUTH PLAIN LOGIN
10250-AUTH=PLAIN LOGIN
11250-ENHANCEDSTATUSCODES
12250-8BITMIME
13250 DSN
14mail from:
15250 2.1.0 Ok
16rcpt to:
17554 5.7.1 Service unavailable; Client host [2001:470:19:13c:219:d1ff:feea:ee16] blocked using dnsbl.domain.tld;
18Blocked by dnsbl.domain.tld for SPAM Sources
19quit
20221 2.0.0 Bye
21 
22Connection to host lost.

In Postfix log, we will see rejection like this:

`1`	`Aug 14 08:56:16 fire postfix/qmgr[3237]: D10B1262DBB: removed`

2 Aug 14 08:56:19 fire postfix/smtpd[3239]: NOQUEUE: reject: RCPT from wks.domain.tld[2001:470:19:13c:219:d1ff:feea:ee16]: 554 5.7.1 Service unavailable; Client host [2001:470:19:13c:219:d1ff:feea:ee16] blocked using dnsbl.domain.tld; Blocked by dnsbl.domain.tld for SPAM Sources; from= to= proto=ESMTP helo=

that’s all

2 Comments

Leave a Reply to Jacko Cancel reply