On Sat, Dec 31, 2016 at 7:06 PM Mukund Sivaraman <m...@isc.org> wrote:
> On Sat, Dec 31, 2016 at 11:32:02PM +0000, Warren Kumari wrote:
> > P.S / full-disclosure: I happen to use RPZ, and have for a number of years
> > -- I run a number of (personal) mailing lists on my own mailserver, and use
> > a number of RPZ feeds (e.g. Spamhaus' DBL) for spam mitigation.
>
> Are you thinking of DNSBL instead of RPZ?

Nope. This is an older page, but has more readable information:
https://www.spamhaus.org/news/article/669/spamhaus-dbl-as-a-response-policy-zone-rpz

More info:
https://www.spamhaustech.com/protecting-networks/security-solutions/dns-rpz/rpz-zone-transfer/

root@vimes:/etc/namedb/rpz# wc -l ~/tmp/rpz.spamhaus.org.text
3316563 /home/wkumari/tmp/rpz.spamhaus.org.text

This contains things like:

smalbany.academy.rpz.spamhaus.org. 300 IN CNAME .
*.smalbany.academy.rpz.spamhaus.org. 300 IN CNAME .

My named.conf contains:

response-policy {
    # Rewrite all responses to blackhole.ne-where.com, which is 127.0.0.2
    zone "rpz.spamhaus.org" policy CNAME blackhole.ne-where.com;
};

and then I have a postfix access file:

root@vimes:/etc/postfix# more access
# REMEMBER: Run postmap hash:/etc/postfix/access to rebuild this.
#
# THIS FILE MANAGED BY PUPPET!
192.0.2.1 REJECT This domain is listed in an RPZ zone.
127.0.0.200 REJECT This domain is listed in an RPZ zone.

(yup, the comments are wrong...)

This has been working nicely for me with (so far) no false positives.
Because I have the RPZ zone locally I'm not leaking private info by doing
DBL lookups, it is nice and fast, etc...

It cut down on my sysadmin work drastically, and I ended up disabling
spamassassin because it wasn't needed any more...

W

>
> Mukund
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
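The chain Warren describes (RPZ zone record -> BIND policy override -> sinkhole address -> Postfix access map) is easy to misread, so here is a small Python model of it, added as an illustration. It is not code from the message, from BIND or from Postfix. It assumes that blackhole.ne-where.com resolves to 127.0.0.200 (one of the addresses in the quoted access map), adds a constructed rpz-passthru. exemption entry that is not in the real feed, and approximates RPZ wildcard matching by walking up the label tree; REAL_ADDRESSES is a constructed stand-in for what unfiltered DNS would answer.

```python
"""Toy model of the RPZ-to-Postfix chain described in the message.
Added example, not BIND or Postfix code. All sample data is constructed."""

ZONE_ORIGIN = "rpz.spamhaus.org."

# Constructed zone excerpt in the same master-file shape as the feed.
# "CNAME ." is the RPZ NXDOMAIN action; "CNAME rpz-passthru." is an
# exemption (assumed entry, not from the real feed).
SAMPLE_ZONE = """\
smalbany.academy.rpz.spamhaus.org. 300 IN CNAME .
*.smalbany.academy.rpz.spamhaus.org. 300 IN CNAME .
mail.allowed.example.rpz.spamhaus.org. 300 IN CNAME rpz-passthru.
"""

# The access map quoted in the message, fed through a minimal parser.
ACCESS_FILE = """\
# REMEMBER: Run postmap hash:/etc/postfix/access to rebuild this.
#
# THIS FILE MANAGED BY PUPPET!
192.0.2.1 REJECT This domain is listed in an RPZ zone.
127.0.0.200 REJECT This domain is listed in an RPZ zone.
"""

# Assumption: the sinkhole name from the named.conf override resolves
# to an address that appears in the access map.
BLACKHOLE_NAME = "blackhole.ne-where.com"
BLACKHOLE_IP = "127.0.0.200"

# Constructed stand-in for what unfiltered DNS would answer.
REAL_ADDRESSES = {"mail.allowed.example": "198.51.100.7",
                  "unlisted.example": "203.0.113.9"}


def parse_zone(text, origin):
    """Return {trigger: rdata} for CNAME records under the zone origin.
    The trigger is the owner name with the origin stripped off."""
    triggers = {}
    suffix = "." + origin.lower()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        owner, rdata = fields[0].lower(), fields[4].lower()
        if owner.endswith(suffix):
            triggers[owner[:-len(suffix)]] = rdata
    return triggers


def find_trigger(qname, triggers):
    """Exact QNAME match first, then '*.<suffix>' for each enclosing name.
    Approximation of DNS wildcard semantics, good enough for this model."""
    name = qname.lower().rstrip(".")
    if name in triggers:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in triggers:
            return candidate
    return None


def action_for(rdata, override=None):
    """Map RPZ CNAME rdata to the action the resolver applies. A zone-level
    'policy CNAME <name>' override rewrites every hit to <name> (this model
    applies it to all hits, exemptions included)."""
    if override is not None:
        return ("CNAME", override)
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    if rdata in special:
        return (special[rdata], None)
    return ("CNAME", rdata.rstrip("."))  # local data: redirect elsewhere


def rpz_lookup(qname, triggers, override=None):
    trig = find_trigger(qname, triggers)
    if trig is None:
        return ("PASSTHRU", None)  # no policy record: answer normally
    return action_for(triggers[trig], override)


def resolve_a(domain, triggers, override=None):
    """What the MTA's resolver hands back for an A query on the domain."""
    action, target = rpz_lookup(domain, triggers, override)
    if action == "CNAME":
        # The resolver follows the CNAME; the sinkhole name is answered locally.
        return BLACKHOLE_IP if target == BLACKHOLE_NAME else REAL_ADDRESSES.get(target)
    if action == "PASSTHRU":
        return REAL_ADDRESSES.get(domain.lower().rstrip("."))
    return None  # NXDOMAIN / NODATA / DROP: no address at all


def parse_access(text):
    """Postfix access(5) map: '<key> <action...>' per line, '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key] = action
    return table


def mta_verdict(domain, triggers, access, override=BLACKHOLE_NAME):
    """Postfix consults the access map with the sender domain's address."""
    ip = resolve_a(domain, triggers, override)
    return access.get(ip, "OK")


if __name__ == "__main__":
    z = parse_zone(SAMPLE_ZONE, ZONE_ORIGIN)
    a = parse_access(ACCESS_FILE)
    for d in ("smalbany.academy", "www.smalbany.academy", "unlisted.example"):
        print(d, "->", rpz_lookup(d, z), "->", mta_verdict(d, z, a))
```

The point the model makes visible: with the `policy CNAME` override in named.conf, the feed's own action (NXDOMAIN via `CNAME .`) never reaches the MTA; every listed name becomes a CNAME to the sinkhole, and it is the sinkhole's address in the access map that produces the reject. Change the override to `None` and the same names simply fail to resolve.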