Re: rblsmtpd emergency
Hello,

On Wed, Aug 16, 2000 at 10:28:48AM -0500, Mate Wierdl wrote:
> On Wed, Aug 16, 2000 at 09:55:53AM -0500, Ben Beuchler wrote:
> > On Wed, Aug 16, 2000 at 07:08:28AM -0500, Mate Wierdl wrote:
> > > but would not it be relatively simple to implement a server software
> > > using tcpserver that would just lookup an IP number in a .cdb database
> > > of IP numbers, and send an appropriate response? A client might be

hmm. I don't understand the question.

For ucspi-tcp-0.88, I get from http://cr.yp.to/ucspi-tcp/rblsmtpd.html
(slightly wrapped):

--- cut ---
Options:

-r base: Use base as an RBL source. An IP address a.b.c.d is listed by that
source if d.c.b.a.base has a TXT record. rblsmtpd uses the contents of the
TXT record as an error message for the client.
--- cut ---

and:

--- cut ---
You may supply any number of -r and -a options. rblsmtpd tries each source
in turn until it finds one that lists or anti-lists $TCPREMOTEIP. It also
tries an RBL source of rbl.maps.vix.com if you do not supply any -r options.
See http://maps.vix.com/rbl/ for more information about rbl.maps.vix.com.

If you want to run your own RBL source or anti-RBL source for rblsmtpd, you
can use rbldns from the djbdns package.
--- cut ---

I didn't try this, but imho this clearly says "-r maps.vix.com gets you the
default behaviour of asking Paul Vixie". So, what's the problem?

You need to axfr the zone from somewhere and massage that into a cdb the
rbldns would probably use. That could be done with a cron job. How much mail
you then deny is up to you... But that's one thing every sysadmin has to
decide for oneself, do I have a default closed (-c) or open (-C) setup when
my rbl servers fail?

Best Regards,
--Toni++
Re: rblsmtpd emergency
You're right -- there's no doubt that the TXT record is useful (or was ;-) ).
But my point is that the lookups (according to the spec) were to be done on
A records, and the TXT records fetched if you wanted that description. This
is two lookups, so no qmail person would settle for that (humour). That was
the gist of my original comment.

----- Original Message -----
From: "Mate Wierdl" [EMAIL PROTECTED]

> On Thu, Aug 17, 2000 at 06:34:21PM -0400, Michael T. Babcock wrote:
> > The best approach to this is to have rblsmtpd use A records, as it should
> > have from the beginning (that's what you get for optimising solely for
> > speed, not for correctness).
>
> But then the TXT record is really useful: it does give a clue to the client
> how to get out of the mess.
Re: rblsmtpd emergency
----- Original Message -----
From: "Mate Wierdl" [EMAIL PROTECTED]

> On Wed, Aug 16, 2000 at 09:55:53AM -0500, Ben Beuchler wrote:
> > On Wed, Aug 16, 2000 at 07:08:28AM -0500, Mate Wierdl wrote:
> >
> > That would not allow for the rapid changes necessary in a blackhole list.
> > Imagine you are an ISP with several thousand customers. Through an
> > oversight, your mail server is blacklisted. Would you rather wait for the
> > tens or hundreds of thousands of sysadmins out there administering mail
> > servers to remove you from their blackhole list or just submit it to the
> > maintainer of the list and have it fixed in minutes or hours?
>
> The fact is a few thousand mail servers running rblsmtpd cannot use
> relays.mail-abuse.org. So now they all have to apply for a domain so that
> they can use rbldns. Or they can start patching rblsmtpd to use A
> records---until relays.mail-abuse.org will change the record structure again.

The best approach to this is to have rblsmtpd use A records, as it should
have from the beginning (that's what you get for optimising solely for
speed, not for correctness).
Re: rblsmtpd emergency
On Thu, Aug 17, 2000 at 06:34:21PM -0400, Michael T. Babcock wrote:
> The best approach to this is to have rblsmtpd use A records, as it should
> have from the beginning (that's what you get for optimising solely for
> speed, not for correctness).

But then the TXT record is really useful: it does give a clue to the client
how to get out of the mess.

Mate
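As an added illustration of the two lookup rules argued over in this thread (this is not code from the thread, from rblsmtpd or from djbdns): a small Python model of the d.c.b.a.base query name, the documented TXT-only listing test, the A-then-TXT variant, and the fail-closed/fail-open choice when the list's DNS is unreachable, all run against a constructed in-memory zone. The names rbl.example.test and dead.example.test, the record values and the LookupFailed class are made up for the example.

```python
import ipaddress

class LookupFailed(Exception):
    """Stand-in for a DNS timeout/SERVFAIL, the case the -c / -C choice governs."""

# Constructed zone data (NOT real relays.mail-abuse.org content): name -> rrtype -> value.
ZONE = {
    "4.3.2.1.rbl.example.test": {"A": "127.0.0.2",
                                 "TXT": "Open relay; see http://rbl.example.test/"},
    "8.7.6.5.rbl.example.test": {"A": "127.0.0.2"},        # listed with an A record only
}
BROKEN_BASE = "dead.example.test"                          # every lookup under it fails

def query_name(ip, base):
    """a.b.c.d under base becomes d.c.b.a.base, as the rblsmtpd docs describe."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + base

def resolve(name, rrtype, zone=ZONE):
    """Minimal resolver stand-in: value, None for NXDOMAIN, or raises LookupFailed."""
    if name.endswith("." + BROKEN_BASE):
        raise LookupFailed(name)
    return zone.get(name, {}).get(rrtype)

def txt_only_check(ip, base, fail_closed=False):
    """Documented rblsmtpd rule: listed iff a TXT record exists.
    Returns (blocked, message). An A-only listing is silently missed."""
    try:
        txt = resolve(query_name(ip, base), "TXT")
    except LookupFailed:
        return (fail_closed, "temporary failure" if fail_closed else None)
    return (txt is not None, txt)

def a_then_txt_check(ip, base, fail_closed=False):
    """Listing decided by the A record; TXT fetched only for the message (two lookups)."""
    name = query_name(ip, base)
    try:
        if resolve(name, "A") is None:
            return (False, None)
        txt = resolve(name, "TXT")
    except LookupFailed:
        return (fail_closed, "temporary failure" if fail_closed else None)
    return (True, txt if txt is not None else "Listed by %s" % base)
```

The host 5.6.7.8 shows the failure the thread is about: with an A record but no TXT record the TXT-only test says "not listed", while the A-based test blocks it and falls back to a generic message.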
rblsmtpd emergency
Thx to Chris J. for explaining why rblsmtpd stopped working with
relays.mail-abuse.org.

Such emergencies I think just really show the necessity to simplify "rbl"
lookups. Namely, I think rblsmtpd/rbldns should work in such a way that any
mail administrator should be able to set up a local mirror of
mail-abuse.org. This means, there should not be a need to have a domain
delegated to the rbldns server.

So what if there was a flag `-R' to rblsmtpd so that

  rblsmtpd -R a.b.c

would mean in essence "check the connecting IP at the server a.b.c running
rbldns".

BTW, I know many people are attached to using DNS for rbl lookups, but
would not it be relatively simple to implement a server software using
tcpserver that would just lookup an IP number in a .cdb database of IP
numbers, and send an appropriate response? A client might be similarly
simple to implement using tcpclient.

Mate
Re: rblsmtpd emergency
On Wed, Aug 16, 2000 at 07:08:28AM -0500, Mate Wierdl wrote:
> BTW, I know many people are attached to using DNS for rbl lookups, but
> would not it be relatively simple to implement a server software using
> tcpserver that would just lookup an IP number in a .cdb database of IP
> numbers, and send an appropriate response? A client might be similarly
> simple to implement using tcpclient.

That would not allow for the rapid changes necessary in a blackhole list.
Imagine you are an ISP with several thousand customers. Through an
oversight, your mail server is blacklisted. Would you rather wait for the
tens or hundreds of thousands of sysadmins out there administering mail
servers to remove you from their blackhole list or just submit it to the
maintainer of the list and have it fixed in minutes or hours?

Ben

--
Ben Beuchler                                        [EMAIL PROTECTED]
MAILER-DAEMON                                       (612) 321-9290 x101
Bitstream Underground                                   www.bitstream.net
Re: rblsmtpd emergency
On Wed, Aug 16, 2000 at 09:55:53AM -0500, Ben Beuchler wrote:
> On Wed, Aug 16, 2000 at 07:08:28AM -0500, Mate Wierdl wrote:
> > BTW, I know many people are attached to using DNS for rbl lookups, but
> > would not it be relatively simple to implement a server software using
> > tcpserver that would just lookup an IP number in a .cdb database of IP
> > numbers, and send an appropriate response? A client might be similarly
> > simple to implement using tcpclient.
>
> That would not allow for the rapid changes necessary in a blackhole list.
> Imagine you are an ISP with several thousand customers. Through an
> oversight, your mail server is blacklisted. Would you rather wait for the
> tens or hundreds of thousands of sysadmins out there administering mail
> servers to remove you from their blackhole list or just submit it to the
> maintainer of the list and have it fixed in minutes or hours?

I do not understand this comment: it seems you are arguing against the very
existence of rbldns. And I was asking if rbldns could be implemented in a
less restrictive way---without the need for a domain delegation. As a
separate but related question, I was also asking if DNS needs to be involved
in the first place.

The fact is a few thousand mail servers running rblsmtpd cannot use
relays.mail-abuse.org. So now they all have to apply for a domain so that
they can use rbldns. Or they can start patching rblsmtpd to use A
records---until relays.mail-abuse.org will change the record structure again.

To address your concern: a reasonable site running rbldns would transfer
the zone from relays.mail-abuse.org frequently, so a change at
relays.mail-abuse.org would propagate to the mirrors quite quickly.

Mate