On Sat, Dec 31, 2016 at 7:06 PM Mukund Sivaraman <m...@isc.org> wrote:

> On Sat, Dec 31, 2016 at 11:32:02PM +0000, Warren Kumari wrote:
> > P.S / full-disclosure: I happen to use RPZ, and have for a number of years
> > -- I run a number of (personal) mailing lists on my own mailserver, and use
> > a number of RPZ feeds (e.g. Spamhaus' DBL) for spam mitigation.
>
> Are you thinking of DNSBL instead of RPZ?
>

Nope.
This is an older page, but has more readable information:
https://www.spamhaus.org/news/article/669/spamhaus-dbl-as-a-response-policy-zone-rpz
More info:
https://www.spamhaustech.com/protecting-networks/security-solutions/dns-rpz/rpz-zone-transfer/


root@vimes:/etc/namedb/rpz# wc -l ~/tmp/rpz.spamhaus.org.text
3316563 /home/wkumari/tmp/rpz.spamhaus.org.text

This contains things like:
smalbany.academy.rpz.spamhaus.org.            300 IN CNAME      .
*.smalbany.academy.rpz.spamhaus.org.          300 IN CNAME      .

My named.conf contains:
    response-policy {
        # Rewrite all responses to blackhole.ne-where.com, which is 127.0.0.2
        zone "rpz.spamhaus.org" policy CNAME blackhole.ne-where.com;
    };

and then I have a postfix access file:
root@vimes:/etc/postfix# more access
# REMEMBER: Run  postmap hash:/etc/postfix/access to rebuild this.
#
# THIS FILE MANAGED BY PUPPET!

192.0.2.1   REJECT This domain is listed in an RPZ zone.
127.0.0.200   REJECT This domain is listed in an RPZ zone.


(yup, the comments are wrong...)
This has been working nicely for me with (so far) no false positives.
Because I have the RPZ zone locally I'm not leaking private info by doing
DBL lookups, it is nice and fast, etc...
It cut down on my sysadmin work drastically, and I ended up disabling
spamassassin because it wasn't needed any more...

W


>
>                 Mukund
>
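As an added illustration (not code from Warren's post or from Spamhaus/ISC), here is a small Python model of the lookup path the message describes: RPZ QNAME triggers (exact and wildcard) taken from the zone text, the named.conf `policy CNAME` override turning every hit into the blackhole address, and the postfix access map deciding on that address. The address the blackhole name resolves to is passed in as a parameter, since the post's comment (127.0.0.2) and access map (127.0.0.200) disagree; the sample zone and access lines are constructed from the ones shown above.

```python
# Constructed sample of RPZ zone records, in the format of the transfer shown above.
RPZ_APEX = "rpz.spamhaus.org."
RPZ_TEXT = """\
smalbany.academy.rpz.spamhaus.org.            300 IN CNAME      .
*.smalbany.academy.rpz.spamhaus.org.          300 IN CNAME      .
"""
# Constructed postfix access map in the shape of the one in the post.
ACCESS_TEXT = """\
192.0.2.1   REJECT This domain is listed in an RPZ zone.
127.0.0.200   REJECT This domain is listed in an RPZ zone.
"""

def parse_rpz(text, apex=RPZ_APEX):
    """Collect exact and wildcard QNAME triggers, with the RPZ apex stripped off."""
    exact, wildcard = set(), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2:4] == ["IN", "CNAME"] and f[0].lower().endswith("." + apex):
            trigger = f[0].lower()[: -len(apex) - 1]
            if trigger.startswith("*."):
                wildcard.add(trigger[2:])
            else:
                exact.add(trigger)
    return exact, wildcard

def rpz_hit(qname, exact, wildcard):
    """True if qname is listed itself or a proper parent of it carries a wildcard entry."""
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels) in exact:
        return True
    return any(".".join(labels[i:]) in wildcard for i in range(1, len(labels)))

def resolve_with_rpz(qname, exact, wildcard, blackhole_addr):
    """The zone's own 'CNAME .' data would mean NXDOMAIN; the named.conf 'policy CNAME'
    override rewrites every hit to the blackhole name, assumed to resolve to blackhole_addr."""
    return blackhole_addr if rpz_hit(qname, exact, wildcard) else None

def parse_access(text):
    """Map each address in the postfix access file to its action text."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: " ".join(f[1:]) for f in rows if f and not f[0].startswith("#")}

def postfix_verdict(sender_domain, blackhole_addr):
    """Action the access map yields for a sender domain, or None if no rule matched."""
    addr = resolve_with_rpz(sender_domain, *parse_rpz(RPZ_TEXT), blackhole_addr)
    return parse_access(ACCESS_TEXT).get(addr)
```

Running `postfix_verdict("smalbany.academy", "127.0.0.2")` returns None while the same call with "127.0.0.200" returns the REJECT line, which is the check worth making on a real install: the address the blackhole name actually resolves to must be the one listed in the access map.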
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop