How to allow authenticated SMTP from RBL blocked IPs?


afassl
Posts: 31
Joined: Sun Jan 14, 2007 8:17 am
Location: Cologne, Germany

How to allow authenticated SMTP from RBL blocked IPs?

Postby afassl » Mon Apr 16, 2007 6:54 pm

Hi,

after using some of the more strict servers as found at
http://www.dnsstuff.com/tools/ip4r.ch?ip=
If I activate for example
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
# SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL

dnsbl.sorbs.net dynamic IP hosts are blocked. That's good. But I do want to accept mail from my users via smtp from dynamic host ips. How (if at all possible) do I configure this?

I tried a line

AUTH_SUCCESS accept ALL

but all I get is a "550 denied".

Any hints/help?

Best regards

Andreas

swordfish
Posts: 110
Joined: Mon Feb 05, 2007 6:27 pm

Postby swordfish » Mon Apr 16, 2007 8:05 pm

Did you put the line

AUTH_SUCCESS accept ALL

before or after the

SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
# SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL

lines?

afassl

Position of AUTH_SUCCESS

Postby afassl » Tue Apr 17, 2007 3:49 am

After reading the docs I put it before, as the ruleset will be scanned this way. Correct?

###############################################################################
# SMTP Relay Configuration
# ########################
#
# For details please see Scalix Overview - Security
#
###############################################################################

###############################################################################
# Relay Configuration
# ###################
#
# EXTENSIONS These extensions will be advertised by the EHLO reply
# DOMAIN_NAME Local host FQDN
# LOCAL_NAMES Local aliases of DOMAIN_NAME
# MAX_HOP_COUNT If the number of Received: header lines in a message sent to
# the relay exceed this number then the message will be
# rejected by the relay. The default value is zero and any
# non-positive value is interpreted as infinity. The default
# value means that no loop detection is done by the relay,
# any loop detection will only be done by sendmail.
# GREETING This is the text after the 220 on the connection
# greeting line some tokens can be used:
# %F - FQDN, %P - protocol, %N program name,
# %V - version, %D date
# LISTEN Comma separated host:port to listen to eg.
# LISTEN=mail.example.com:25,10.100.100.1:smtp
#
###############################################################################
# GREETING %D %F

EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON

###############################################################################
# Catch-all recipients
# ####################
#
# Catch-all recipients are for catching email sent to unknown users, instead
# of non-delivering the email. More than one CATCH line can be used.
#
# CATCH PATTERN RECIPIENT
#
# PATTERN can be:
# user* - any unknown address starting with user
# @domain.com - any unknown address in domain.com
# user*@domain.com - any unknown user starting with user in domain.com
# RECIPIENT
# this is the recipient email address to redirect the email to. It can
# be local or remote, but is subject to any relay rules if remote.
#
# Authentication and Anti-Spamming Measures
# #########################################
#
# Each line is of the form:
# EVENT ACTION PATTERN PATTERN...
# When an event happens the SMTP Relay checks for a matching event/pattern
# sequentially in this file. When it finds the first match, it takes the
# action specified.
#
# ######
# EVENTS
# ######
#
# AUTH_SUCCESS An attempt is made to submit a
# successfully authenticated message.
#
# AUTH_MISMATCH An attempt is made to submit a
# successfully authenticated message but
# the originator name does not match
# the authenticated name.
#
# ANONYMOUS An attempt is made to submit a message
# sent without authentication or after
# failed authentication.
#
# SUBMIT An attempt is made to submit a message from
# the host specified in pattern
#
# RELAY An attempt is made to relay a message through the SMTP Relay
#
# ORIGINATOR An attempt is made to submit a message from a user whose
# email address matches pattern
#
# RECIPIENT An attempt is made to submit a message to a user whose
# email address matches pattern
#
# #######
# ACTIONS
# #######
#
# Accept The message is unconditionally accepted and processed
# normally.
#
# Defer The message is deferred with a 400 code
#
# Discard The message is accepted but then discarded
#
# Header The message is accepted, but an extra header is inserted.
#
# Reject The message is rejected with a 500 code
#
# If Log_ added to the start of an action, then the action is also recorded
# in the SMTP Relay log file.
#
# ########
# PATTERNS
# ########
#
# Hostname Patterns
# - an IP address, eg 123.234.132.231
# - an IP subnet and mask, eg 123.234.200.0/255.255.240.0
# - a hostname, eg bert.loc.co.uk
# - the end of a domain, eg .spammer.net
# - the start of a domain, 123.234.
# - the keyword ALL matches all hosts
# - the keyword LOCAL matches all hosts that do not contain a .
#
# Email Patterns - used by ORIGINATOR and RECIPIENT
# - *@*.spam.net
#
# DNSBL Patterns - These can be used by the SUBMIT EVENT to use DNS black
# list systems (See http://en.wikipedia.org/wiki/DNSBL )
# - DNSBL,host,reply eg DNSBL,bl.spamcop.net,ALL
#
###############################################################################
# SMTPFILTER=TRUE
# NB Authenticated RELAYs are always allowed
AUTH_SUCCESS accept ALL
RELAY accept 127.0.0.1
# RELAY accept xxxxx
RELAY Log_Reject ALL
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
# SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL
# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix

selerum

Did this get resolved?

Postby selerum » Wed Apr 18, 2007 4:41 am

afassl, did you get this resolved?

I need to resolve the same issue and have turned off the dns rbl check.

afassl

Still not working

Postby afassl » Wed Apr 18, 2007 4:43 am

Hi,

no, haven't been successful yet. I'm only using two rbl-providers, which don't block dynamic nets.

Regards

Andreas

swordfish

Postby swordfish » Wed Apr 18, 2007 1:55 pm

Hi again,

I have a theory about this problem. It appears that as soon as the Scalix server sees the connecting IP address which is in the RBLs it drops the connection and doesn't wait for the SMTP AUTH command. I don't know if there is any possible way around this with the current Scalix implementation to bypass the RBLs for authenticating users. Please someone correct me, if my assumptions are wrong and there is a solution with the Scalix configuration. I know that you can pass the incoming connections to Sendmail instead, which will probably resolve it but that is not what you are after in this issue.
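The theory in the post above, as a small Python model added for illustration (it is not Scalix code and does not come from the Scalix documentation). It uses the rule format and first-match semantics from the posted configuration. The `session` function, its `delay_checks` switch, the un-commented SORBS rule and the listed test address are assumptions made for the example; DNS is replaced by a constructed set so the code runs offline.

```python
import ipaddress

# Rules in the order posted in the thread (EVENT ACTION PATTERN); first match wins.
# The dnsbl.sorbs.net line is un-commented here for the sake of the example.
RULES = """\
AUTH_SUCCESS accept ALL
SUBMIT log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
SUBMIT log_reject DNSBL,dnsbl.sorbs.net,ALL
"""

# Constructed stand-in for DNS: query names that would resolve (listed hosts).
LISTED = {"7.113.0.203.dnsbl.sorbs.net"}  # 203.0.113.7, documentation range

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse(text):
    return [line.split(None, 2) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.startswith("DNSBL,"):
        _, zone, _reply = pattern.split(",")
        return dnsbl_name(ip, zone) in LISTED
    return pattern == ip

def first_match(rules, event, ip):
    """Action of the first rule for `event` whose pattern matches, else None."""
    for ev, action, pattern in rules:
        if ev == event and matches(pattern, ip):
            return action.lower()
    return None

def session(rules, ip, authenticated, delay_checks):
    """Model one SMTP session and return the outcome the client sees."""
    if not delay_checks:
        # Host check runs at connect time, before the client can send AUTH,
        # so the position of AUTH_SUCCESS in the file never comes into play.
        if first_match(rules, "SUBMIT", ip) == "log_reject":
            return "550 denied"
    if authenticated and first_match(rules, "AUTH_SUCCESS", ip) == "accept":
        return "250 accepted"
    if first_match(rules, "SUBMIT", ip) == "log_reject":
        return "550 denied"
    return "250 accepted"
```

With `delay_checks=False` an authenticated client on the listed address still gets "550 denied"; with `delay_checks=True` the same client is accepted while an unauthenticated one from that address is still rejected.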

selerum

Postby selerum » Thu Apr 19, 2007 12:13 am

That's exactly what's happening. There's no chance to authenticate, the connection is immediately sent a 550 denied message.

Why not route it through sendmail? Is there any reason to avoid this?

From my users' perspective they don't care how it gets done. Has anyone else done this already?

afassl

SMTP_AUTH and RBL

Postby afassl » Thu Apr 19, 2007 4:17 am

Hi swordfish,

as described in the docs, the ruleset will be parsed line by line. Probably it is a bug?

Regards

Andreas

swordfish

Postby swordfish » Thu Apr 19, 2007 7:59 am

I would see it more as a bug in the documentation or not explained properly than a bug with the Scalix software, as I think they intentionally made it work like this. With the blacklist apparently that statement doesn't apply, or they didn't explain which checks are executed first line by line, which next line by line again, and so on.

afassl

SMTP_AUTH

Postby afassl » Thu Apr 19, 2007 8:34 am

Hi,

routing through sendmail doesn't do the "trick".
After activating RBL-Checks, especially with those denying mail from dynamic IPs my SPAM volume decreased significantly. But I have users sending mail via my mail server from dynamic IP addresses. And there is no reason to refuse smtp from authenticated senders. Probably swordfish is right - the architectural concept won't deliver this functional concept.

If the RBL-check happens at a very early stage, there is no chance. Maybe one of the scalix engineers can clarify this.

swordfish

Postby swordfish » Thu Apr 19, 2007 8:55 am

Sendmail should be able to do the trick if you use FEATURE delay_checks in the .mc file and recompile the .cf file. But anyway I think Scalix is not aiming to be an anti-spam solution, and just putting in a couple of RBLs won't solve your spam problem entirely. I'd suggest using another dedicated SPAM device in front of your Scalix mail server.

afassl

Scalix as a SPAM killer

Postby afassl » Thu Apr 19, 2007 9:46 am

Yes, you are right - the main purpose of scalix isn't spam killing. But if you use RBLs (as I read in the webwasher docs) you'll get rid of about 60-70% of the spam. The rest will eventually get marked by a spam filter like webwasher or spamassassin.
And at least spam assassin doesn't kill mail, it just marks it as spam. And I'm quite happy with the junk filter offered by thunderbird or Apple Mail (the latter I'm using).

Thanks for the hint with this FEATURE, I'll try it. A follow-up will be posted.

Best regards

Andreas

swordfish

Postby swordfish » Thu Apr 19, 2007 1:15 pm

I think Scalix somehow overlooked explaining this properly in the documentation. They say: "Yes, you can use RBLs". But they never said "If you use RBLs, this is how the checks are performed and you can't use it together with some other features (like SMTP AUTH) for example, or you can use it with SMTP AUTH but then it'll work only if the client doesn't come from a blacklisted IP". When I first saw your post, and from what I've read in the documentation, initially I thought - "this should be possible". But then, when I started playing around, I realised that something is not explained properly in the documentation. Anyway, that's why we have this forum - to fill in the gaps whenever we can :-)

TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Fri Apr 20, 2007 11:09 am

see this post
viewtopic.php?p=31458#31458

I was having the same issue
TRACKS
4000+ users

swordfish

Postby swordfish » Fri Apr 20, 2007 12:48 pm

Tracks,

Your issue is different. You wanted to whitelist IPs, while Afassl needs to allow authenticated users from blacklisted IPs.

