Could you please provide a good sample of the --dnsbl option? Probably the one that you are using yourself.
I tried this one:
--dnsbl 127.0.0.1:53,500,1,dbl.spamhaus.org
And guess what, it blocked me :)
I just can't even telnet to port 25.
Turns out that my ISP is in the blocklist, and the SMTP server, which is on a router from another ISP, is blocked too. From logread I see
dnsbl: client address [46.98.212.67] blocked by [dbl.spamhaus.org]
That's probably because I have a residential IP and some other PC in the network was infected.
Here it's not clear to me why it checked my IP on connection. I expected that the DNSBL would verify the domain of MAIL FROM: instead.
From the FAQ https://www.spamhaus.org/faq/section/Spamhaus%20DBL
It says "The DBL is a domain-only blocklist and does not include or support IP addresses."
So now I'm confused and don't know how it actually checked my IP.
Also the returned IP from DNSBL means different things:
127.0.1.2 spam domain
127.0.1.4 phish domain
127.0.1.5 malware domain
127.0.1.6 botnet C&C domain
127.0.1.102 abused legit spam
127.0.1.103 abused spammed redirector domain
127.0.1.104 abused legit phish
127.0.1.105 abused legit malware
127.0.1.106 abused legit botnet C&C
127.0.1.255 IP queries prohibited!
Does ER rely on these codes? Do they affect behaviour?
I'm asking because residential area IPs may probably be represented by some of the codes and in practice can be allowed.
It's not something that I use in earnest; there was a feature request for it and I had all the DNS code lying around so it went in quite easily.
For testing purposes I use a zero threshold value so that the DNSBL queries are made and reported in the logs but not acted upon:
1.1.1.1:53,1000,0,spam.dnsbl.sorbs.net,bl.blocklist.de,b.barracudacentral.org
I reviewed the logs during a recent spam attack but did not see much value in the results. Perhaps spamhaus would have done a better job.
The different 'result codes' are not interpreted by emailrelay, they are just logged. IIRC some DNSBL providers have subdomains to provide a similar degree of flexibility (eg. nomail.rhsbl.sorbs.net as a sub-set of spam.dnsbl.sorbs.net).
For those who are following: I found a good list of DNSBLs
https://docs.cloudron.io/email/#dnsbl
Sorry for the late question but maybe we can simplify the --dnsbl option.
I'm confused: why do we need to specify the transport DNS server? Maybe ER can use a default system DNS.
The timeout of DNS on Linux is 5 sec; on Windows it's 15. That's not that much.
Also, for me it's not clear why I may use a threshold different than 0 or 1. If I have two DNSBL servers and I want to avoid false positives then I can require both, i.e. 2. But anyway the DNSBL lists are usually sharing information with each other.
So maybe it can be also omitted.
Based on the thread https://forum.cloudron.io/topic/4677/is-there-a-way-to-add-in-more-dnsbl-rbl-sources/30 I crafted the following --dnsbl option:
So it uses a local DNS resolver, waits for 5 seconds, and if either of the two DNSBLs denies then the connection is dropped.
Maybe it makes sense to add this option as an example to the documentation so lazy users will just copy it.
Also it makes sense to add a link to the list of DNSBL services:
https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
Last edit: Sergey Ponomarev 2023-08-07
You're right that the DNS server address should be optional. I have recently added code (for the new "mx:" filter) that obtains the system's DNS server address list, so I could use that for the default.
If I understand you correctly, you are suggesting that the timeout could reasonably default to 5s (or 15s) and the threshold could default to 1. Is that right?
The current syntax for the --dnsbl option string does not work well with defaults though: you would have something like ",10000,,spamhaus.org,mailspike.net" to default the DNS server and threshold but override the timeout, which is ugly. Using keywords is easier to default, but still clumsy when you end up with this sort of thing: "--dnsbl=ns=10.0.0.1:53,timeout=10000,threshold=0,spamhaus.org,mailspike.net"
Perhaps the fields could be reversed, with trailing fields that are omitted taking a default value, like "--dnsbl=spamhaus.org,bl.mailspike.net,2,10000,10.0.0.1:53" or, with defaults, just "--dnsbl=spamhaus.org,bl.mailspike.net". The parser would just see if the first field looks like a domain name to decide which way to work; if the first field looks like a domain name (ie. not an integer and not a valid TCP address) then all following fields that also look like a domain name are the DNSBL list and any remaining fields are the threshold, timeout and nameserver.
Thank you for the explanation. I think that we can just check if the first comma separated part contains : e.g. 10.0.0.1:53 and that will mean a full form.
The short form with domains only will make it easier to configure and simplify understanding (which is important for self-hosters).
But this is a minor thing. Thank you for the clarification.
I've added this to the 2.5 release and committed it as 2.5rc7 to the sf svn trunk. If you want to test it you will have to be quick because I think this release will have to go out soon so that I can work on other stuff!
That's great news, thank you.
Meanwhile, I developed a plugin for OpenWrt admin dashboard Luci that will
provide a GUI to configure the EmailRelay. So it would be much easier for
non experienced users to set up their own email server just on a router.
Today it was merged so I believe soon it will be available to install with
the luci-app-email package.
https://github.com/openwrt/luci/tree/master/applications/luci-app-email
When a new version of the ER will be released and the corresponding package
in OpenWrt updated then I'll send another PR for the GUI with more options.
I will simplify the DNSBL option to use the new short form.
Additionally I am going to add a dedicated page to view and send mail.
Also I tried to play and learn the code of the ER but CPP is too
complicated for me.
It's especially hard to debug because I am using JetBrains Clion IDE which
supports debugging only for CMake projects.
I made some minor changes with docs changes and reduced some code.
I already asked you but can you please import the ER to Git and make a
GitHub mirror?
That will simplify contribution and I can send pull requests to you.
Also many developers already know about GitHub and how to work with it.
You can try importer that will fetch history from SVN and convert to Git:
https://docs.github.com/en/migrations/importing-source-code/using-github-importer/importing-a-repository-with-github-importer
There are already quite a lot of ER-related repositories
https://github.com/search?q=+emailrelay&type=repositories
On Wed, Aug 9, 2023 at 6:40 PM Graeme Walker graeme_walker@users.sourceforge.net wrote:
--
Sergey Ponomarev https://linkedin.com/in/stokito,
stokito.com
I love what you are doing with OpenWRT; it's one of my favourite projects and I use it for all my wifi routers. And I think emailrelay is a good fit for OpenWRT because it is (now) a single executable that runs as a single process, configurable from the command-line.
You can use cmake to build emailrelay: just run "./configure.sh -q ; make cmake" or just "sh libexec/make2cmake". The make2cmake script parses the automake files and generates all the CMakeLists.txt files.
It's a shame you did not make progress with the code. I used to think that most developers would be put off by the fact that it is event-driven, which makes some simple things annoyingly difficult. Perhaps nowadays asynchronicity is coming back into fashion so that might be less of a barrier. In case it's not obvious, the code is documented in header files rather than cpp files, and there is a developer.txt file for a higher-level perspective.
Moving to git is a good idea. I did give it a go when you mentioned it before, but as I have never used git for development the learning curve at the time was too steep. SourceForge can do git, so perhaps that would be a gentler first step. I can give you admin rights if you want to make that happen.
The ER git repo is not synced automatically with SVN and is outdated: https://sourceforge.net/p/emailrelay/git/ci/master/tree/
And as far as I understood, when a PR is merged this will require cherry-picking back to svn.
In practice it may be easier to switch to git completely and leave the SVN as an archive.
Ah yes, it looks like I made a mess when I tried sourceforge git previously. Let me get this 2.5 release out before anything else but I would be very happy with a complete switch to git on sourceforge straight after that. I am less keen on rehosting to github.
great, ty
I tested the new dnsbl form and it looks like there is a bug:
This works
-dnsbl=spamhaus.com
But this doesn't:
-dnsbl=zen.spamhaus.com
I believe this may be because the DnsBlock::isDomain() doesn't detect properly.
src/gnet/gdnsblock.cpp:170
Maybe the isDomain check can be removed?
The dnsbl option can be used many times, so maybe if anyone wants to use
the short form just add an option to each domain.
Then we can simplify parsing to just check for a comma.
On Fri, Sep 1, 2023 at 6:43 PM Sergey Ponomarev stokito@users.sourceforge.net wrote:
Ah yes, there is a bug in isDomain() because the tailView is intended to give the top-level-domain (eg, "com") but it matches on the first dot, not the last. The fix is to use rfind() to get the position of the last dot:
I should have added a comment that in order to distinguish the old and new dnsbl formats the isDomain() function has to accept "127.0.0.com" as a domain but reject an IP address like "127.0.0.1". It can test the top-level domain part because there are no top-level domains that are numeric.
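An added example, not emailrelay source: a sketch of the old-form versus new-form `--dnsbl` parsing discussed above, with a domain test that takes the top-level domain from either the first or the last dot so the `zen.` failure can be seen next to the rfind() behaviour. The names `DnsblConfig`, `looksLikeDomain` and `parseDnsbl`, the defaults (threshold 1, timeout 5000 ms) and the exact character test on the top-level domain are assumptions.

```cpp
// Added illustration, not emailrelay source; all names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>
struct DnsblConfig {
    std::vector<std::string> zones;
    unsigned long threshold = 1;     // assumed default
    unsigned long timeout_ms = 5000; // assumed default
    std::string nameserver;          // empty: use the system resolver
};

// last_dot=false mimics the first-dot behaviour described in the thread.
bool looksLikeDomain(const std::string& s, bool last_dot = true) {
    if (s.empty() || s.find(':') != std::string::npos) return false; // address:port
    std::size_t dot = last_dot ? s.rfind('.') : s.find('.');
    std::string tail = dot == std::string::npos ? s : s.substr(dot + 1);
    // Assumed test: letters/digits/hyphens with at least one letter, so
    // "127.0.0.com" is a domain while "127.0.0.1" and "10000" are not.
    auto ok = [](unsigned char c) { return std::isalnum(c) || c == '-'; };
    auto alpha = [](unsigned char c) { return std::isalpha(c) != 0; };
    return std::all_of(tail.begin(), tail.end(), ok) &&
           std::any_of(tail.begin(), tail.end(), alpha);
}

DnsblConfig parseDnsbl(const std::string& spec) {
    std::vector<std::string> f;
    std::stringstream ss(spec);
    for (std::string part; std::getline(ss, part, ',');) f.push_back(part);
    if (f.empty()) throw std::invalid_argument("empty dnsbl spec");
    DnsblConfig c;
    std::size_t i = 0;
    if (looksLikeDomain(f[0])) { // new form: zones...,threshold,timeout,nameserver
        while (i < f.size() && looksLikeDomain(f[i])) c.zones.push_back(f[i++]);
        if (i < f.size()) c.threshold = std::stoul(f[i++]);
        if (i < f.size()) c.timeout_ms = std::stoul(f[i++]);
        if (i < f.size()) c.nameserver = f[i++];
        if (i != f.size()) throw std::invalid_argument("too many fields");
    } else {                     // old form: nameserver,timeout,threshold,zones...
        if (f.size() < 4) throw std::invalid_argument("old form needs 4+ fields");
        c.nameserver = f[0];
        c.timeout_ms = std::stoul(f[1]);
        c.threshold = std::stoul(f[2]);
        c.zones.assign(f.begin() + 3, f.end());
    }
    return c;
}
int main() { std::cout << parseDnsbl("zen.spamhaus.org").zones.size() << "\n"; }
```

With the first-dot variant a leading zone such as "zen.spamhaus.com" is not recognised as a domain, so the whole string would be treated as the old form and rejected.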