6

Question
Is there a way to let spamassassin bypass my linux system's dns servers to query DNSBLs?

Background Info
When my server receives email, it is checked by spamassassin. One of these checks looks up the involved mail servers in DNS blacklists. Unfortunately the DNS of my provider is not allowed to query those BLs anymore. This is shown by spamassassin's header info URIBL_BLOCKED in all the emails I receive. I manually tested this too:

root@net:# dig 2.0.0.127.multi.uribl.com txt +short
"127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 123.123.123.123]"

(123.123.123.123 is configured in my /etc/resolv.conf as dns.)

When I manually query one of their nameservers directly (see @cc.uribl.com.) without using my provider's recursor, I get an answer:

root@net:# dig 2.0.0.127.multi.uribl.com txt @cc.uribl.com. +short
permanent testpoint

(note that this is a test query for that BL that's supposed to give this result)

Summary
So is there any way I can get spamassassin not to use the system default dns for dnsbl queries other than installing a dns recursor on this very system?

UPDATE
Okay, actually there is no problem in installing a local dns-recursor. It's lightweight and easy to set up and now I don't have the problems with the BLs anymore.

geruetzel

2 Answers

5

Spamassassin (Mail::SpamAssassin::DnsResolver) uses the Net::DNS::Resolver Perl module.
It should allow you to change the nameservers spamassassin uses via the RES_NAMESERVERS environment variable.

chicks
AnFi
  • Do you (really) need a solution redirecting only queries about a specific list of domains? It may be possible but it is going to be "slightly" more complicated. Are you ready to patch spamassassin modules? – AnFi May 02 '16 at 14:40
  • Depending on how complicated that would be I might try it. But I have never done something like this. Also if I change a sa module, would that change survive an upgrade? **but**: would installing a local recursor not be easier? :) – geruetzel May 02 '16 at 15:26
  • Some people seem to be afraid to install Yet Another Free Software Package ;-) Using "flexible caching nameservers" is one of the best choices IMHO. – AnFi May 02 '16 at 16:45
1

I had set up BIND Named on my laptop, following an old version of Spamassassin's documentation to "Disable forwarding for DNSBL queries"; it requires that I point /etc/resolv.conf to 127.0.0.1.

But I could only get this to work by putting

static domain_name_servers=127.0.0.1

at the end of /etc/dhcpcd.conf. Then I had to copy the value which is usually in /etc/resolv.conf into /etc/named.conf (forwarders { 192.168.1.1; }). This worked great until I would take my laptop somewhere else, when after connecting to a new DHCP server I would be surprised to find DNS not working, because I had pointed Named to an old local address.

Much better in my opinion to avoid this problem by having only Spamassassin using the local Named; so I restored the original dhcpcd.conf and pointed Spamassassin to 127.0.0.1. You can do this in one of two ways:

Following the answer of AnFi, you can change the environment e.g. in the service file /etc/systemd/system/spamassassin.service:

[Service]
Environment="RES_NAMESERVERS=127.0.0.1"
...

But according to the above document you can also configure this in Spamassassin's configuration file local.cf. This is perhaps more elegant:

dns_server 127.0.0.1
Metamorphic
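
A way to confirm that the resolver SpamAssassin is pointed at (via RES_NAMESERVERS or dns_server) is not being refused by URIBL, using the test query from the question. This is an added example, not part of the original posts; the function names and the "system" keyword are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original posts): check whether a resolver
# gets usable answers from URIBL. TESTPOINT is the test query from the question.
TESTPOINT="2.0.0.127.multi.uribl.com"

# classify_uribl_txt TXT_ANSWER
# Prints one of: ok, blocked, empty, error, unexpected
classify_uribl_txt() {
    case "$1" in
        "")                      echo empty ;;      # no TXT record came back
        ";;"*)                   echo error ;;      # dig diagnostic, e.g. timeout
        *"Query Refused"*)       echo blocked ;;    # would show up as URIBL_BLOCKED
        *"permanent testpoint"*) echo ok ;;         # expected test point answer
        *)                       echo unexpected ;;
    esac
}

# check_resolver SERVER
# SERVER is an address such as 127.0.0.1, or the word "system" (assumed
# keyword) to use whatever /etc/resolv.conf points at.
check_resolver() {
    if [ "$1" = "system" ]; then
        answer=$(dig +short +time=3 +tries=1 "$TESTPOINT" txt 2>/dev/null)
    else
        answer=$(dig +short +time=3 +tries=1 "$TESTPOINT" txt "@$1" 2>/dev/null)
    fi
    status=$(classify_uribl_txt "$answer")
    echo "$1: $status"
    [ "$status" = ok ]
}

# main SERVER...
# Returns non-zero if any listed resolver does not give the expected answer,
# so the script can be used from cron or a monitoring check.
main() {
    rc=0
    for s in "$@"; do
        check_resolver "$s" || rc=1
    done
    return "$rc"
}

main "$@"
```

Run it as, for example, `sh check_uribl.sh system 127.0.0.1` to compare the provider's recursor with the local one.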