Dec 6, 2024
Hello,

On my PMG (8.1.4) I can't get DNSBL working on incoming emails.
I need some hints please to figure out where it's lagging. I am sure I have forgotten something, but I have no idea where.

When I toggle the Spam Info for a mail in quarantine, I get the following results:
RCVD_IN_DNSWL_BLOCKED --> ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED --> ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
RCVD_IN_VALIDITY_RPBL_BLOCKED --> ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
RCVD_IN_VALIDITY_SAFE_BLOCKED --> ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
URIBL_BLOCKED --> ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

What I have done so far:
  • Created a Spamhaus account and got a key. Used the Spamhaus URL with this key in the DNSBL. Configuration - Mailproxy - Options - DNSBL Sites are: bl.spamcop.net,b.barracudacentral.org,MYKEY.zen.dq.spamhaus.net
  • Created a Validity.com account and entered the public IP of my PMG there
  • Ran the Spamhaus check, which was successful up to the Domain Blocklist (which I haven't activated)
Based on the guide DNS-Server-on-Proxmox I have installed unbound on my PMG. I have used the last option (using the local unbound only for DNS blocklist requests).

Contents of /etc/unbound/unbound.conf.d/pmg-dnsbl.conf (hint: private-domain + domain-insecure are used to disable DNSSEC for the internal zones):
server:
    do-not-query-localhost: no
    # depending on your internal DNS servers' capabilities these options might be necessary
    # harden-dnssec-stripped: no
    # module-config: "iterator"
    private-domain: "INTERNAL-DOMAIN1"
    domain-insecure: "INTERNAL-DOMAIN1"

    private-domain: "INTERNAL-DOMAIN2"
    domain-insecure: "INTERNAL-DOMAIN2"

    private-domain: "INTERNAL-DOMAIN3"
    domain-insecure: "INTERNAL-DOMAIN3"

    private-domain: "INTERNAL-DOMAIN4"
    domain-insecure: "INTERNAL-DOMAIN4"

forward-zone:
    name: "uceprotect.net"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "mailspike.net"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "sorbs.net"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "bl.spamcop.net"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "spamhaus.org"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "surbl.org"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "uribl.com"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "dnswl.org"
    forward-addr: 127.0.0.1@5003

forward-zone:
    name: "."
    forward-addr: CORRECT-IP-OF-MY-INTERNAL-DNS-SERVER

And generally it seems to work, based on these dig requests:

root@mail:~# dig any test.uribl.com.multi.uribl.com @127.0.0.1 +short
127.0.0.14
"permanent testpoint"
root@mail:~# dig a proxmox.com @127.0.0.1 +short
212.224.123.69
root@mail:~#

Both unbound services are running:
root@mail:~# systemctl status unbound
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; disabled; preset: enabled)
Active: active (running) since Fri 2024-12-06 11:17:07 CET; 24h ago
Docs: man:unbound(8)
Process: 113288 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 113290 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Main PID: 113292 (unbound)
Tasks: 1 (limit: 4624)
Memory: 11.0M
CPU: 3.223s
CGroup: /system.slice/unbound.service
└─113292 /usr/sbin/unbound -d -p

Dec 06 11:17:07 mail systemd[1]: Starting unbound.service - Unbound DNS server...
Dec 06 11:17:07 mail unbound[113292]: [113292:0] notice: init module 0: subnetcache
Dec 06 11:17:07 mail unbound[113292]: [113292:0] notice: init module 1: validator
Dec 06 11:17:07 mail unbound[113292]: [113292:0] notice: init module 2: iterator
Dec 06 11:17:07 mail unbound[113292]: [113292:0] info: start of service (unbound 1.17.1).
Dec 06 11:17:07 mail systemd[1]: Started unbound.service - Unbound DNS server.
Dec 06 11:17:46 mail unbound[113292]: [113292:0] info: generate keytag query _ta-4f66. NULL IN
Dec 06 23:03:45 mail unbound[113292]: [113292:0] info: generate keytag query _ta-4f66. NULL IN
Dec 07 09:57:38 mail unbound[113292]: [113292:0] info: generate keytag query _ta-4f66. NULL IN

root@mail:~# systemctl status unbound-rbl
● unbound-rbl.service - Unbound DNS server for DNSBL lookups
Loaded: loaded (/etc/systemd/system/unbound-rbl.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-12-06 11:17:11 CET; 24h ago
Docs: man:unbound(8)
Process: 113295 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 113296 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Main PID: 113297 (unbound)
Tasks: 1 (limit: 4624)
Memory: 10.9M
CPU: 1.617s
CGroup: /system.slice/unbound-rbl.service
└─113297 /usr/sbin/unbound -c /etc/unbound/unbound-rbl.conf -d

Dec 06 11:17:11 mail systemd[1]: Starting unbound-rbl.service - Unbound DNS server for DNSBL lookups...
Dec 06 11:17:11 mail (e-helper)[113296]: unbound-rbl.service: Executable /usr/lib/unbound/package-helper missing, skipping: No such file or directory
Dec 06 11:17:11 mail systemd[1]: Started unbound-rbl.service - Unbound DNS server for DNSBL lookups.
Dec 06 11:17:11 mail unbound[113297]: [113297:0] notice: init module 0: subnetcache
Dec 06 11:17:11 mail unbound[113297]: [113297:0] notice: init module 1: validator
Dec 06 11:17:11 mail unbound[113297]: [113297:0] notice: init module 2: iterator
Dec 06 11:17:11 mail unbound[113297]: [113297:0] info: start of service (unbound 1.17.1).
Dec 06 11:17:46 mail unbound[113297]: [113297:0] info: generate keytag query _ta-4f66. NULL IN
Dec 06 22:16:35 mail unbound[113297]: [113297:0] info: generate keytag query _ta-4f66. NULL IN
Dec 07 09:08:38 mail unbound[113297]: [113297:0] info: generate keytag query _ta-4f66. NULL IN

Last but not least, under Configuration - Network/Time --> DNS only one entry is present: 127.0.0.1

The local DNS server was set up yesterday, so it is quite unlikely that I have hit a rate limit on the DNSBLs (even with the activated keys + IP addresses).

Does anyone have an idea what the issue could be that DNSBL won't work?

Regards
Winni
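A small check script, added here as an example and not part of Winni's post or of the PMG setup guide, for telling a real DNSBL listing apart from a "query blocked" reply coming back through the local resolver. It assumes the resolver is 127.0.0.1 as above and that dig is installed; the sentinel values are the ones published by Spamhaus (127.255.255.252/254/255), URIBL (127.0.0.1 = refused) and DNSWL (127.0.0.255 = refused), and the test address 127.0.0.2 is the one RFC 5782 requires every IP-based list to answer for.

```shell
#!/bin/sh
# Added example: classify DNSBL replies seen through the local unbound.
# Assumptions: resolver at 127.0.0.1, dig installed, zones from the thread.

# Reverse the octets of an IPv4 address: 193.109.84.159 -> 159.84.109.193
reverse_ip() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s", $4, $3, $2, $1 }'
}

# Build the query name for an IP in a list zone: 2.0.0.127.zen.spamhaus.org
dnsbl_name() {
    printf '%s.%s' "$(reverse_ip "$1")" "$2"
}

# Map one A-record reply to a verdict. Prints one of:
#   ok-listed, ok-unlisted, blocked-name, blocked-resolver,
#   blocked-volume, blocked-refused, unexpected
# Spamhaus returns 127.255.255.252/254/255 as error codes (typo in zone
# name, query via public resolver, excessive volume); URIBL answers
# 127.0.0.1 and DNSWL 127.0.0.255 when they refuse to serve a query.
classify_reply() {
    zone=$1 reply=$2
    [ -z "$reply" ] && { echo ok-unlisted; return 0; }
    case "$zone:$reply" in
        *spamhaus*:127.255.255.252) echo blocked-name ;;
        *spamhaus*:127.255.255.254) echo blocked-resolver ;;
        *spamhaus*:127.255.255.255) echo blocked-volume ;;
        *uribl.com:127.0.0.1)       echo blocked-refused ;;
        *dnswl.org:127.0.0.255)     echo blocked-refused ;;
        *:127.*)                    echo ok-listed ;;
        *)                          echo unexpected ;;
    esac
}

# Live check: 127.0.0.2 MUST be listed in every list (RFC 5782), so a
# blocked-* or ok-unlisted verdict here means the resolver path is broken,
# not the mail. Override ZONES with your own, e.g. the keyed DQS zone
# (ZONES='MYKEY.zen.dq.spamhaus.net' sh check_dnsbl.sh live).
live_check() {
    for zone in ${ZONES:-bl.spamcop.net b.barracudacentral.org zen.spamhaus.org}; do
        name=$(dnsbl_name 127.0.0.2 "$zone")
        reply=$(dig +short +time=3 +tries=1 A "$name" @127.0.0.1 | head -n 1)
        printf '%-42s %-16s %s\n' "$name" "${reply:-<none>}" \
            "$(classify_reply "$zone" "$reply")"
    done
}

if [ "${1:-}" = live ]; then live_check; fi
```

Run with the argument `live` to query through 127.0.0.1; without it the functions are only defined, so the file can be sourced into other checks.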
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED --> ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
Seems this got added recently - see also:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8278

You could try adding their domain as a forward-zone as well...
But check out this thread as well:
https://lists.apache.org/thread/lq0n7671wmd22whdc3p85mk18c5qlcfs

for DNSWL see:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8193

I hope this helps!
I have opened a support ticket at Validity.
So far they mentioned that using a local DNS would solve this issue. I am using a local caching DNS, but I do not know which DNS zone I should send to it.
I will keep you updated.

Another question came to my mind.
As I wrote above, in my DNSBL list there are also zen.spamhaus.net and some others, but when I toggle the Spam Info of a quarantined email I generally do not see them listed.
Are they not shown in the Spam Info section?

Examples below.
Quarantined emails, but where do I see whether my entered DNSBLs (bl.spamcop.net,b.barracudacentral.org,MYKEY.zen.dq.spamhaus.net) are working, or which DNSBL triggered the score?


As an example, a definite spam message that passed through...

2024-12-15T17:58:15.801743+01:00 mail postfix/smtpd[2467487]: connect from mail.timab.or.mg[193.109.84.159]
2024-12-15T17:58:16.148176+01:00 mail postfix/smtpd[2467487]: 2411D404A043: client=mail.timab.or.mg[193.109.84.159]
2024-12-15T17:58:16.184161+01:00 mail postfix/cleanup[2474592]: 2411D404A043: message-id=<248513273428856826020768783436217826204606134738@tevana.in.rs>
2024-12-15T17:58:16.304459+01:00 mail postfix/qmgr[1157683]: 2411D404A043: from=<yjkoxmr@tevana.in.rs>, size=41007, nrcpt=1 (queue active)
2024-12-15T17:58:16.304623+01:00 mail postfix/smtpd[2467487]: disconnect from mail.timab.or.mg[193.109.84.159] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-12-15T17:58:16.421690+01:00 mail pmg-smtp-filter[2317317]: 611D10E675F0AA86315A: new mail message-id=<248513273428856826020768783436217826204606134738@tevana.in.rs>#012
2024-12-15T17:58:17.659121+01:00 mail pmg-smtp-filter[2317317]: 611D10E675F0AA86315A: SA score=0/5 time=1.144 bayes=undefined autolearn=disabled hits=HTML_IMAGE_ONLY_32(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),RCVD_IN_VALIDITY_CERTIFIED_BLOCKED(0.001),RCVD_IN_VALIDITY_RPBL_BLOCKED(0.001),RCVD_IN_VALIDITY_SAFE_BLOCKED(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_TVD_MIME_EPI(0.01)
2024-12-15T17:58:17.677833+01:00 mail postfix/smtpd[2474598]: connect from localhost.localdomain[127.0.0.1]
2024-12-15T17:58:17.679816+01:00 mail postfix/smtpd[2474598]: A5EC9404A04E: client=localhost.localdomain[127.0.0.1], orig_client=mail.timab.or.mg[193.109.84.159]
2024-12-15T17:58:17.684700+01:00 mail postfix/cleanup[2474592]: A5EC9404A04E: message-id=<248513273428856826020768783436217826204606134738@tevana.in.rs>
2024-12-15T17:58:17.733722+01:00 mail postfix/qmgr[1157683]: A5EC9404A04E: from=<yjkoxmr@tevana.in.rs>, size=42214, nrcpt=1 (queue active)

...based on the message tracking I do not even see that the DNSBLs are being queried. Or are they shown somewhere else?
Yes, it's configured there.
I have seen rejected emails which were triggered by the DNSBL, but not which result the accepted or quarantined emails got from those lists.

Where have you configured those? If it's in GUI->Configuration->Mail Proxy->Options, these checks are done by postscreen, and the mails show up in the tracking center as rejected:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_tracking_center
About the Validity block.
I posted an article before but deleted it because I was afraid of giving you the wrong direction. However, I've noticed that this issue is becoming more common, and it seems that there still isn't an effective solution. According to the official documentation, a non-forwarding DNS is required, and a DNS server needs to perform recursive queries to ultimately find the corresponding authoritative server for resolution. Based on this idea, we can use manual commands or online tools that others have already developed to query 1.0.0.127.bl.score.senderscore.com and find that the authoritative DNS server is nsb00.rpdns.net. Therefore, we can conditionally forward the bl.score.senderscore.com domain to the IP address of the authoritative server, nsb00.rpdns.net, on our DNS server.
Test URL: https://dnsviz.net/d/1.0.0.127.bl.score.senderscore.com/dnssec/
Finally, remember to register your DNS server’s public IP with Validity to get more query allowances.
  1. bl.score.senderscore.com should query results from nsb00.rpdns.net.
  2. sa-accredit.habeas.com and sa-trusted.bondedsender.org should query results from nsw00.rpdns.net.