DNSBL not working

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Wed Mar 28, 2007 1:09 pm

Kevin,

Just an FYI, I have two more installations just like mine and we're all having this issue. It appears that inbound mail never gets submitted to the DNSBL.
TRACKS
4000+ users

m2pilot
Posts: 18
Joined: Sun Jan 28, 2007 2:30 pm

Postby m2pilot » Mon Apr 02, 2007 8:33 pm

I am also having problems with DNSBL in the smtpd.cfg file -- only in my case it is rejecting *everything*. And, per a previous question, yes, I can see when it is doing it in the logs.

Interestingly, when an email gets rejected for a relay attempt by Scalix, it is reported using the FQDN of the sender. When it was getting clobbered by DNSBL, it was only reported as the IP address getting clobbered. As to how thorough it was -- it was killing everything including internal emails I would send to myself from SWA. That's how I figured out DNSBL must be wrong somehow -- I couldn't even "talk to myself", much less send or receive any email from an external host. After I removed the two DNSBL entries I had made, suddenly email started getting delivered again.

The manual gives no hint as to where to put the SUBMIT line -- perhaps this is why we are seeing different results? Anyone have it working & know where to put this line in the file? I had the lines placed immediately before the RELAY lines & everything was getting rejected. Perhaps the others are placing the lines elsewhere (but still not right) and thus getting ignored?

Mark

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Mon Apr 02, 2007 8:45 pm

Very interesting thought. This is what my entry looks like. What version of Scalix and OS are you running?

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .mydomain.com
RELAY accept server.mydomain.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL

# Reject and log submission from addresses listed following DNSBL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL

# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix
TRACKS
4000+ users

m2pilot
Posts: 18
Joined: Sun Jan 28, 2007 2:30 pm

Postby m2pilot » Mon Apr 02, 2007 9:20 pm

I'm running the latest Scalix release (I updated this morning) and FedoraCore 5.

As I suspected, you have the line on the opposite end of the file from where I placed it. In your listing, I had the line immediately above the relay section.

So... what do you think; placing it somewhere in the magic middle to 'fix' the problem??

Mark

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Mon Apr 02, 2007 9:35 pm

I am going to move it around in the file and see if that really makes any difference. I will post the results.
TRACKS
4000+ users

m2pilot
Posts: 18
Joined: Sun Jan 28, 2007 2:30 pm

Postby m2pilot » Mon Apr 02, 2007 9:42 pm

FWIW -

Here's exactly what my smtpd.cfg file was looking like. Obviously I didn't have the lines commented out at the time!

# Reject and log submission from addresses listed in various blacklists:
#SUBMIT Log_Reject DNSBL,bl.spamcop.net,ALL
#SUBMIT Log_Reject DNSBL,sbl-xbl.spamhaus.org,ALL

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1


Mark

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Mon Apr 02, 2007 10:10 pm

Well I moved the files all over the smtpd file and was not able to recreate your issue or fix mine.
TRACKS
4000+ users

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Tue Apr 03, 2007 11:22 am

If I add DEBUG_LOG=TRUE to the smtpd file, should I see when something gets checked by the DNSBL?
TRACKS
4000+ users

markd

Postby markd » Tue Apr 03, 2007 11:48 am

I am currently using
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL

on one of my servers. These lines are after the first block of event/action/pattern lines and before the [SUBMIT] group header. Multiple lines are fine, they are done in turn until a reject is found, or they all pass.

omshowlog -s smtpd -l 9 should show lines like the following if it is working:
REPORT SMTP Relay (SMTPD Relay Pr) 03.04.07 14:34:18
[OM.DMON 2172] SMTP: Rejected connection from xx.xxx.xxx.xxx

The location of the lines in the config file is important. The [SUBMIT] and [LMTP] group headers hold config for these listeners (port 587 and port 24 if switched on). Lines above these headers are port 25 SMTP config.
The DNSBL lines must be in the port 25 SMTP config area.

I'm running 11.0.2 (March patch)
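
The placement rule described in the post above can be checked mechanically. This is an added example, not part of the original post and not a Scalix tool: it walks an smtpd.cfg-style file and reports which listener section each active DNSBL rule falls in. The section label "SMTP" for the area above the first group header, the rule grammar in the regex (inferred from the lines quoted in this thread), and the sample file are assumptions.

```python
import re

# Constructed sample mirroring the layouts posted in this thread.
SAMPLE_CFG = """\
# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY Log_Reject ALL
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
#SUBMIT Log_Reject DNSBL,dnsbl.sorbs.net,ALL

[SUBMIT]
#LISTEN=localhost:587
ANONYMOUS Log_Reject ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL

[LMTP]
LISTEN=localhost:24
"""

GROUP_RE = re.compile(r"^\[(\w+)\]$")
# event, action, then "DNSBL,<zone>,<pattern>" as seen in the thread (assumed grammar)
DNSBL_RE = re.compile(r"^(\w+)\s+(\w+)\s+DNSBL,([^,\s]+),(\S+)$", re.IGNORECASE)


def find_dnsbl_rules(cfg_text):
    """Return one dict per active DNSBL rule, tagged with its listener section."""
    section = "SMTP"  # assumed label: lines above any [GROUP] header are port 25 config
    rules = []
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules are inactive and not reported
        group = GROUP_RE.match(line)
        if group:
            section = group.group(1).upper()
            continue
        rule = DNSBL_RE.match(line)
        if rule:
            rules.append({"line": lineno, "section": section,
                          "action": rule.group(2), "zone": rule.group(3)})
    return rules


def misplaced(rules):
    """DNSBL rules under [SUBMIT] or [LMTP], i.e. outside the port 25 area."""
    return [r for r in rules if r["section"] != "SMTP"]


if __name__ == "__main__":
    for r in find_dnsbl_rules(SAMPLE_CFG):
        where = "port 25 area" if r["section"] == "SMTP" else f"MISPLACED under [{r['section']}]"
        print(f"line {r['line']}: {r['zone']} -> {where}")
```
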

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Tue Apr 03, 2007 12:03 pm

I added this. I will watch and see if it rejects anything.

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .mydomain.com
RELAY accept host.mydomain.com
RELAY Log_Reject ALL



# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# reject and log submissions from following DNSBL
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL


# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]


#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL


# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix
TRACKS
4000+ users

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Wed Apr 04, 2007 3:41 pm

Update

Ok everything is now working. The placement of the SUBMIT lines in the SMTPD.cfg does make a difference. It would be nice if Scalix would add that to the documentation.

I must say thanks markd the “omshowlog -s smtpd -l 9”
TRACKS
4000+ users

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Thu Apr 05, 2007 9:50 am

Now that it's working I have run into another issue. I have several remote users that are popping the Scalix server; apparently several of their IPs are on the DNSBL, so the server is dropping their connections. Each of the users is using Outlook 2003 and all of them have authentication turned on. They receive mail, they just can't send.

Did I configure something wrong? I thought an authenticated user would pass the DNSBL.

Is there a way to whitelist the specific IPs?
TRACKS
4000+ users

