
Note: This section describes features that only the CanIt-Domain-PRO System Administrator can use. Both Sendmail and CanIt-Domain-PRO can make use of DNS-based real-time blacklists. These blacklists allow you to look up the IP address of a host in a special DNS domain, and take action if the host is blacklisted.

You can configure Sendmail to use DNS-based blacklists directly, but you may prefer to handle this with CanIt-Domain-PRO, because CanIt-Domain-PRO allows you to hold or score messages from hosts on the blacklist rather than outright rejecting them.

6.3.1 Entering the Master List of DNS RBLs

To use DNS-based RBLs, you first enter a master list of RBLs that CanIt-Domain-PRO can potentially use. To do this, click on Administration and then Master RBLs. The Master RBLs page appears:

Figure 6.2: Master RBLs

To enter an RBL:

1. Enter the domain in the RBL Domain box.

2. Enter a brief (but meaningful) description in the Description box.

3. Enter a short tag in the Tag box. This tag is used in the mail log and incident reports to identify the RBL. If you leave it blank, CanIt-Domain-PRO will construct a unique identifier for the RBL based on the domain, type and data.

4. Select how the RBL is to be used:

(a) A Block RBL is used to block unwanted mail. Users will be able to create “Ignore”, “Hold/Tag”, “Reject” or “Score” RBL rules. Any “Score” rule will have to have a non-negative score.

(b) An Allow RBL is used to list known good mail servers. Users will be able to create “Ignore” or “Score” rules, but any “Score” rule will have to have a non-positive score. In addition, no extra greylist delay may be created for an Allow RBL.


5. Select the address family of the RBL:

(a) If you know that the RBL lists only IPv4 addresses, set the Address Family to IPv4.

(b) If you know that the RBL lists only IPv6 addresses, set the Address Family to IPv6.

(c) If the RBL lists both IPv4 and IPv6 addresses, set the Address Family to Both IPv4 and IPv6. If you are not certain whether or not the RBL lists IPv6 addresses, the “Both” setting is safest.

6. Select the type of the RBL:

(a) If the RBL is considered to be “hit” if any record is returned, set the type to normal. Most DNS-based blocklists are of this type.

(b) If the RBL returns specific A records to indicate a hit, set the type to match and enter the A record that indicates a hit in the Data field.

(c) If the RBL returns information in a bitmask in the returned A record, set the type to mask and enter the mask (for example, 0.0.0.4) in the Data field. A mask-type RBL is considered to be hit if the returned A record bitwise-ANDed with the data field returns non-zero.

7. Click Submit Changes.
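The following is an added illustration of the three RBL types above, not code from CanIt-Domain-PRO. It builds the DNSBL query name for a host (using the standard reversed-octet/nibble convention of RFC 5782, which the guide does not spell out), applies the Address Family setting, and decides whether a set of returned A records counts as a hit for the normal, match and mask types. No real DNS lookups are performed; the A records are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional


def rbl_query_name(ip: str, rbl_domain: str) -> str:
    """Build the DNSBL query name for ip (RFC 5782 convention, assumed here):
    IPv4 octets are reversed; IPv6 is expanded to 32 nibbles and reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + rbl_domain.rstrip(".") + "."


def family_applies(address_family: str, ip: str) -> bool:
    """Mirror the Address Family setting: an IPv4-only RBL is never queried
    for an IPv6 client, and vice versa; 'both' queries for either."""
    version = ipaddress.ip_address(ip).version
    return address_family == "both" or address_family == f"ipv{version}"


def _to_int(a_record: str) -> int:
    # A records like 127.0.0.6 are compared as 32-bit integers for masking.
    return int(ipaddress.IPv4Address(a_record))


def rbl_hit(rbl_type: str, data: Optional[str], a_records: Iterable[str]) -> bool:
    """Decide whether the A records returned for a query are a hit.

    normal: any answer at all is a hit (NXDOMAIN / no answer is a miss).
    match:  only the A record given in the Data field counts as a hit.
    mask:   a hit if any returned A record ANDed with the Data mask is non-zero.
    """
    records = list(a_records)
    if not records:
        return False  # host not listed
    if rbl_type == "normal":
        return True
    if rbl_type == "match":
        return data in records
    if rbl_type == "mask":
        mask = _to_int(data)
        return any(_to_int(r) & mask for r in records)
    raise ValueError(f"unknown RBL type: {rbl_type}")
```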

To delete an RBL, enable the checkbox beside the entry you wish to delete and click Submit Changes. Deleting a master RBL also deletes all RBL rules that refer to it.

You can change the timeout for RBL lookups by adjusting the value in the Timeout in seconds for DNS-RBL lookups box.

The master RBL list is merely a list of all the RBLs that CanIt-Domain-PRO can potentially use. To actually set up RBL rules, please see the User’s Guide. RBL rules can be created on a per-stream basis, so different streams can elect to use none, some or all of the predefined Master RBLs.

Note: Various RBLs have different terms-of-service. Some require licensing or payment; please be sure you are allowed to use an RBL before entering it into CanIt-Domain-PRO’s RBL list.

6.3.2 combined.bl.rptn.ca

Roaring Penguin Software Inc. publishes four DNS-based lists for CanIt-Domain-PRO customers. These lists are automatically entered into the Master RBL list (but no rules are created automatically). The four lists are:

• The Greylist-Stumbler list. These are machines known to have trouble getting past greylisting. The machines are very likely compromised PCs. We recommend making a rule to add one point for machines on this list, and also to extend the greylist period (if you use greylisting) to 60 minutes.

• The Dictionary-Attacker list. These are machines known to send mail to many nonexistent addresses. We recommend a rule to add one point for machines on this list.

• The Spam-Source list. These are machines known to send spam and relatively little non-spam. We recommend adding three points for machines on this list.

• The Good list. These are machines that send relatively little spam, quite a lot of non-spam, and have no trouble with greylisting or sending to nonexistent recipients. We recommend subtracting 0.5 points for machines on this list.

Note: The combined.bl.rptn.ca list requires a secret token for lookups to succeed; this token is changed once a day. CanIt-Domain-PRO automatically obtains and uses the token for as long as your support term is in force. This means that you cannot use the list outside of CanIt-Domain-PRO. If you do a high volume of lookups, please contact Roaring Penguin Software to arrange for a zone transfer via rsync.