[SOLVED] Anti-spam lists and DNS server

Sep 20, 2024
Hi,

thanks to the search I was able to work out a few reasons why the anti-spam methods are not taking effect.
So far:
- Created an account at Spamhaus
- Changed the DNS server from 1.1.1.1 to the internal DNS (10.0.104.1)
- Registered IPv4 and IPv6 with Validity.com

With that, the spam report became almost clean, i.e. no more error messages.
However, I still get the following (but not always):
Spam-Level Report

Message-ID: <20240920062154.573273000110@mail.sendtestemail.com>
Spam-Level: 2
Spam-Info: Spam detection results: 2 DMARC_MISSING 0.1 Missing DMARC policy ENA_SUBJ_LONG_WORD 2.2 Subject has a very long word HTML_MESSAGE 0.001 HTML included in message KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [sendtestemail.com]
Spam-Stars: **
Sender-IP: 143.244.187.129
System Version: pmg-api/8.1/c979cfd1d78a

It appears to be a rate limit, because some come through completely clean:

--
Spam-Level Report

Message-ID:
Spam-Level: 0
Spam-Info: Spam detection results: 0 DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_PASS -0.1 DMARC pass policy HTML_MESSAGE 0.001 HTML included in message SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record
Spam-Stars:
Sender-IP: ***
System Version: pmg-api/8.1/c979cfd1d78a

Apparently that is the final touch that is missing, but I lack the input to solve it.

Additional question:

Under Configuration > Spam Detector > Status > Channel there are pending updates. Are they not applied automatically?
Is integrating your own Spamhaus ZEN necessary at all, if according to the description it is already included in SpamAssassin?

Thanks for your help!

Patrick
 
Just to add, the initial situation:

Spam-Level Report

Message-ID: <2f553218130a45858582be75ce1c1ca5@***>
Spam-Level: 0
Spam-Info: Spam detection results: 0 DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_PASS -0.1 DMARC pass policy HTML_MESSAGE 0.001 HTML included in message RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_ZEN_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [***] URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ ***
Spam-Stars:
Sender-IP: ***
System Version: pmg-api/8.1/c979cfd1d78a

As written, the errors were fixed:
- Register the IPs with Validity.com
- Changed 1.1.1.1 to 127.0.0.1 & 10.0.104.1
- Reboot
 
The solution was simpler than I thought.

You install the unbound package on the PMG itself, configure it as recursive and without forwarding, and enter only 127.0.0.1 as DNS in PMG, done.

It is so trivial that I wonder why it is not shipped like that by default. Otherwise the DNSBLs apparently just complain.
 
Good day!

Sorry, I will write in English... I have the same problem, but in PMG / configuration / DNS I already have:
- search domain : my domain
- DNS server 1 : 127.0.0.1

and I still have the dbl.spamhaus.org message.

Did you do something else?

Thanks
 
Hi,

So just setting the DNS entry to "127.0.0.1" is not enough. By default, there is no DNS server running on the server.

You first need to install and configure one. With the configuration, the server will be forced to resolve DNS queries itself and not forward the requests to another public/open resolver. That's exactly where the DNSBL services are blocking.

Bash:
apt install unbound
nano /etc/unbound/unbound.conf

Code:
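server:
        verbosity: 1
        # listen on loopback only
        interface: 127.0.0.1
        port: 53
        # TTL floor and ceiling (seconds) applied to cached answers
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        do-not-query-localhost: no
        num-threads: 2
        rrset-roundrobin: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        use-caps-for-id: yes
        qname-minimisation: yes
        hide-identity: yes
        hide-version: yes
        # DNSSEC trust anchor
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # only local clients may query
        access-control: 127.0.0.1/32 allow
        # no forward-zone is defined in this file, so unbound resolves recursively itself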

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1

Bash:
systemctl start unbound
systemctl enable unbound
dig @127.0.0.1 proxmox.com

That's how I set it up and run it successfully. But note that there are still rate limits, usually around 100,000 or so. After that, with some DNSBL resolvers, you need to create accounts, sometimes for a fee.

Also, keep in mind that I installed this on my PMG because I don't have any other use for my own DNS resolver. In larger installations (e.g., companies), a different concept should be considered.

Greetings, Patrick
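
To confirm that a resolver set up as described above gets real DNSBL answers instead of refusal codes, here is an added example (not part of the thread and not shipped with PMG) that queries the lists' test points with dig and classifies the answers. The script name `dnsbl-check.sh` and the function names are assumptions; the refusal codes are the ones Spamhaus (127.255.255.x) and URIBL (127.0.0.1) return for blocked queries.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): tell a real DNSBL answer from a
# "query refused" code when testing a resolver.

# classify_dnsbl_answer NAME ANSWER -> prints one status word.
# Spamhaus signals refused queries with 127.255.255.x; URIBL uses 127.0.0.1.
classify_dnsbl_answer() {
    case "$1:$2" in
        *:)                              echo "no-answer" ;;
        *.spamhaus.org:127.255.255.254)  echo "blocked-open-resolver" ;;
        *.spamhaus.org:127.255.255.255)  echo "blocked-query-limit" ;;
        *.spamhaus.org:127.255.255.252)  echo "bad-zone-name" ;;
        *.uribl.com:127.0.0.1)           echo "blocked" ;;
        *:127.*)                         echo "ok" ;;
        *)                               echo "unexpected" ;;
    esac
}

# check_resolver [RESOLVER] -> queries each list's test point through RESOLVER,
# prints "name answer status" and returns 1 if any status is not "ok".
check_resolver() {
    local resolver=${1:-127.0.0.1} name answer status rc=0
    for name in 2.0.0.127.zen.spamhaus.org dbltest.com.dbl.spamhaus.org \
                2.0.0.127.multi.uribl.com; do
        # Test points may return several A records; the first one is enough here.
        answer=$(dig +short +time=3 +tries=1 @"$resolver" "$name" A | head -n1)
        status=$(classify_dnsbl_answer "$name" "$answer")
        printf '%-32s %-16s %s\n' "$name" "${answer:--}" "$status"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

# Live check only when asked: ./dnsbl-check.sh --live [resolver]
if [ "${1:-}" = "--live" ]; then
    check_resolver "${2:-127.0.0.1}"
fi
```

Running it once against 127.0.0.1 and once against the previous forwarder shows whether the refusals come from the resolver path or from a query limit.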
 