Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly

2017-09-10 Thread Phil Pennock
On 2017-09-09 at 14:59 -0400, Rob McEwen wrote:
> I have a feature request for Exim. Or, since Exim is clearly one of the
> world's most flexible/configurable MTAs, is... what I'm about to describe...
> already possible with existing features?

Not quite possible, but could be a fairly small modification to the
dnsdb lookup type.  But a bad idea because of Exim's architecture.

> (Ideally, Exim would internally cache the answer for the NS lookups... so
> that it wouldn't have to do this NS lookup with every single DNSBL lookup.
> But technically, that part is a bit more exotic.)

Exim forks a new process for every accepted connection and every
outbound delivery.  Exim's lookup system isn't really designed for any
kind of programmable write-back caching (redis/whatever).

For the short lifetime of the process, lookup results are remembered in
an LRU, but that's about it.

Further, Exim is currently using OS native libresolv-style interfaces
and knows nothing except how to issue a query using those.

The normal approach for postmasters running mail-servers is to install a
dedicated DNS resolver either on the box, or serving the boxes, so that
all the DNS traffic from the mail-system doesn't push out of cache the
lookups which outbound query folks care about.

Then if a particular zone needs to be handled specially, that can be
configured in the DNS resolver's setup accordingly.  Encapsulate the
special DNS logic in the DNS resolver.

If someone really wants something special but can't run a separate DNS
server (personal development box in colocation somewhere) then I'd look
at using pf/iptables user-based filtering to divert DNS traffic to the
resolver on port 53 to port 63 instead and run a second DNS resolver on
port 63, which is configured with a tiny cache, to forward most traffic
to the main resolver and handle the special zones accordingly.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##


[exim-dev] feature request for exim: query DNSBL providers' DNS servers directly

2017-09-10 Thread Rob McEwen
Hi! This is Rob McEwen from the invaluement.com anti-spam blacklist. (I 
just joined this list.)


I have a feature request for Exim. Or, since Exim is clearly one of the 
world's most flexible/configurable MTAs, is... what I'm about to 
describe... already possible with existing features?


What I want to accomplish is this: provide subscribers to the 
invaluement anti-spam blacklist... who use exim... the ability to have 
their DNS queries to DNSBLs... come directly from Exim, skipping the 
normal DNS resolver. (and other DNSBLs could benefit from this too!)


The way this would work... is that Exim would do a normal NS lookup on 
the host name at the root of a DNSBL (eg "zen.spamhaus.org", for 
example), then collect IP address(es) that those authoritative name 
servers resolve to, and then do the actual DNSBL lookup *directly* on 
that DNSBL's authoritative servers, skipping the regular caching DNS 
server "middleman".


(Ideally, Exim would internally cache the answer for the NS lookups... 
so that it wouldn't have to do this NS lookup with every single DNSBL 
lookup. But technically, that part is a bit more exotic.)


Is there a way to do this already in Exim? If not, does anyone have any 
suggestions regarding how this might be implemented? For example, if it 
can't be done with Exim's current features, is there some kind of way 
that I could write a custom plugin for Exim that could possibly 
accomplish this? (if that is the best option, please point me in the 
right direction for investigating ways to write Exim plugins)


Thanks!

PS - This can be beneficial for other uses besides my "invaluement" 
commercial anti-spam blacklist. For example, sometimes, those who host 
their own mail servers... are on remote systems that default to Google's 
DNS servers - and it becomes a hassle for them to set up their own DNS 
resolver and/or the server provider or datacenter constantly overwrites 
their DNS settings, forcing them back to Google (etc). Some of these 
organizations have subscriptions to Spamhaus, which then become useless 
when they have trouble reliably running their own DNS server... then 
their DNSBL queries for Spamhaus (and others) are sometimes blocked. For 
this reason, Kerio Connect has a feature called "use DNSBL provider's 
server directly". I'm now working towards trying to find ways to 
implement this same technology into other MTAs and spam filters. (thus 
this post!)


--
Rob McEwen
http://www.invaluement.com
+1 (478) 475-9032
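The lookup sequence Rob describes, as an added stand-alone Python example (not Exim code, and not the invaluement or Kerio Connect implementation): an NS lookup for the DNSBL zone through the normal resolver, resolution of those name servers to addresses, then the reversed-IP query sent to an authoritative server directly, using only the standard library and hand-built DNS wire format. The zone name dnsbl.example, the 127.0.0.1 resolver address and any byte strings are assumptions or constructed test data; as Phil notes, nothing is cached across calls, so every process would repeat the NS step.

```python
import socket, struct
IN, A, NS = 1, 1, 2                                # DNS class IN and the two record types used here

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: one question, RD set (authoritative servers ignore RD anyway)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, IN)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                # compression pointer: follow it, remember where we left off
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode()); off += 1 + msg[off]
    return ".".join(labels), end or off + 1

def parse_answers(msg):
    """Return (rcode, [(name, rtype, rdata)]) for the answer section; A and NS rdata are decoded."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):                            # skip question entries (name + type + class)
        _, off = _read_name(msg, off); off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A: rdata = ".".join(map(str, rdata))
        elif rtype == NS: rdata = _read_name(msg, off)[0]
        out.append((name, rtype, rdata)); off += rdlen
    return flags & 0xF, out

def udp_query(server, qname, qtype, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return parse_answers(s.recv(4096))         # truncated (TC) replies / TCP fallback not handled

def dnsbl_direct(ip, zone, resolver="127.0.0.1"):
    """Rob's sequence: NS of the zone via the normal resolver, NS -> A, then query that server directly; [] means NXDOMAIN (not listed)."""
    qname = ".".join(reversed(ip.split("."))) + "." + zone    # assumed resolver address above; zone is caller-supplied
    for _, _, nshost in udp_query(resolver, zone, NS)[1]:
        for _, _, addr in udp_query(resolver, nshost, A)[1]:
            rcode, answers = udp_query(addr, qname, A)
            if rcode == 0: return [r for _, t, r in answers if t == A]   # listed: 127.0.0.x answer codes
            if rcode == 3: return []
    raise RuntimeError("no authoritative server for %s answered" % zone)
```

`dnsbl_direct("127.0.0.2", "dnsbl.example")` runs the live sequence against a real zone; the builder and parser can be exercised offline on constructed responses.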

