
Nominating an IP address to the DUL

Products that use the MAPS DUL(SM) and Examples



Sendmail 8.10.x

Probably the best solution for providing RBL protection and permitting roaming users, Sendmail 8.10 has support for multiple DNS based lists, local access control by IP address, and SMTP authentication via RFC 2554. Chuck Yerkes explains how:

FEATURE(dnsbl,`blackholes.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(dnsbl,`relays.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://work-rss.mail-abuse.org/cgi-bin/nph-rss?$&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')

NOTE: Sendmail 8.11 and later doesn't like commas in the error strings. The examples for Sendmail 8.11 and later should read:

FEATURE(dnsbl,`blackholes.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(dnsbl,`relays.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://work-rss.mail-abuse.org/cgi-bin/nph-rss?$&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')

Want to ensure that YOUR dialups are always accepted?
In 8.9.x and 8.10, the ACCESS_DB file is checked before RBL or
others, so mark your network as OK in the access.db.  As in:
-----------------------------------
10.11.12		OK
-----------------------------------

This ensures that 10.11.12.* can get in (and when a client got onto
the RBL and couldn't reach me to get their firewall fixed, I learned
to always put clients into access).

-------------------------------------------------------------------
Further, with SMTP-AUTH enabled and used, we can override the rules
by authenticating properly - e.g. no more POP before SMTP hacks.
So if you've authenticated and you want to relay, fine.  This is
great for when a user is on the road but still using the corporate
mail server.

Mail clients supporting SMTP AUTH include Pegasus Mail, Eudora (including free versions later than 4.0), Netscape Communicator 4.6 or later, Microsoft Outlook 98 or later (or Outlook 97 with Microsoft's Outlook Internet Mail Update), and Outlook Express 4.0 or later.




Sendmail 8.9.x

If you run Sendmail 8.8, you should consider upgrading to Sendmail 8.9.3 or later, which includes these features, and also a patch to support multiple DNS lists in a much cleaner manner. Once you install the mrbl.p3 patch, you can use these lines in your sendmail.cf file:

FEATURE(rbl,`blackholes.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')
FEATURE(rbl,`dialups.mail-abuse.org',` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')

If you use FEATURE(access_db) before these rules, you can permit access from your own (possibly listed) dial-ups. Adding FEATURE(check_rcpt) with _POPAUTH_ enabled before these rules will permit relay access from DUL-listed networks, provided the user checks mail with POP3 first.

NOTE: I am not by any means a Sendmail expert. I can really use a "cookbook" example of how to set up an access_db properly, how to implement _POPAUTH_ properly, and how to install the mrbl.p3 patch to support multiple DNS-based lists.




Sendmail 8.8.x with other check_* patches (Built into Sendmail 8.9.x)

There are several HACKs for the check_* rule sets in Sendmail 8.8. Included in these are use of the RBL and DUL, supplying a local exclusion list, and permitting POPAUTH / POP before SMTP.

An example from Claus Aßmann, author of these patches:

Put at least this in your .mc file:

define(`_IP_LOOKUP_')
define(`_DNSVALID_')
define(`_MAPS_RBL_')
define(`_MAPS_RBL_2_',`dialups.mail-abuse.org')
define(`_MAPS_RBL_URL_2_',`http://mail-abuse.org/dul/enduser.htm')
define(`_RBLOVERRIDE_IP_')
HACK(use_ip)
HACK(use_relayto)
HACK(check_mail3)
HACK(check_rcpt4)

Put local IP numbers/nets in
/etc/mail/rblovrip
and create the appropriate map:
cd /etc/mail
makemap dbm rblovrip <rblovrip

General information:
http://www.sendmail.org/~ca/email/check.html

Further options:
http://www.sendmail.org/~ca/email/chk-opt.html



Exim

From Benton Bronnenburg's example for the DUL, these go in your Exim 'configure' file:

This example sets up the three Lists, and excludes three networks from
being blocked.  Entries need to be separated by a ':'.

rbl_domains = "blackholes.mail-abuse.org:dialups.mail-abuse.org"
rbl_except_nets = "192.168.0.0/24:10.0.0.0/16:127.0.0.1/32"



MailShield

MailShield provides a proxy server that pre-processes mail for the actual mail server. Its features include a DUL filter.




Postfix

Oliver Robert made an example config for Postfix but it changed with the latest known Postfix (20010228_pl03). The following example is valid for the 20010228_pl03 version:

Here is an entry for the HOWTO configure DUL into Postfix (mailer made by
W. Venema). Enjoy!

* Postfix

  You need to edit the "maps_rbl_domains" parameter in the "main.cf" file,
  located in /etc/postfix.

  Add dialups.mail-abuse.org in the list of RBL-like systems you want to use. It
  will look like the following:

  # MAPS RBL DOMAINS (see also: CLIENT NAME/ADDRESS RESTRICTIONS)
  # 
  # The real-time blackhole list works as follows: reverse the client
  # network address, and reject service if it is listed below any of
  # the following domains.

  maps_rbl_domains = blackholes.mail-abuse.org dialups.mail-abuse.org

  If you're already using the RBL, then you're finished. If not, you'll
  need to add a "reject_maps_rbl" restriction to the
  "smtpd_client_restrictions" parameter, like the following:

  smtpd_client_restrictions = permit_mynetworks, reject_unknown_client,
        hash:$config_directory/access, reject_maps_rbl

  Don't forget to run "postfix reload" to refresh the configuration.

The "permit_mynetworks" feature lets you specify your dial-up pools as excluded from checks.
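
The lookup that the quoted main.cf comment describes (reverse the client address, then query it under each listed domain), as an added Python example that is not Postfix's code or part of the original page. The `resolve` parameter and the constructed `FAKE_ZONE` data are assumptions so that it runs without DNS; `dns_resolve` is the live variant.

```python
import ipaddress
import socket

ZONES = ["blackholes.mail-abuse.org", "dialups.mail-abuse.org"]  # zone names from the page
DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")  # where DNSBL A answers live (RFC 5782)

def query_name(client_ip, zone):
    """192.0.2.25 under dialups.mail-abuse.org -> 25.2.0.192.dialups.mail-abuse.org"""
    addr = ipaddress.IPv4Address(client_ip)  # ValueError for anything but dotted-quad IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_resolve(name):
    """Live lookup: the A record as a string, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # NXDOMAIN and resolver failures both count as "no answer" here
        return None

def listed_in(client_ip, zones=ZONES, resolve=dns_resolve):
    """Return the first zone that lists client_ip, or None if no zone does."""
    for zone in zones:
        answer = resolve(query_name(client_ip, zone))
        # An answer outside 127.0.0.0/8 is not a listing (for example a wildcarded
        # or parked zone that answers every query), so it is ignored.
        if answer is not None and ipaddress.ip_address(answer) in DNSBL_ANSWERS:
            return zone
    return None

# Constructed zone contents (hypothetical) so the example runs without DNS.
FAKE_ZONE = {
    "25.2.0.192.dialups.mail-abuse.org": "127.0.0.3",
    "7.113.0.203.blackholes.mail-abuse.org": "127.0.0.2",
    "9.100.51.198.blackholes.mail-abuse.org": "198.51.100.1",  # not a DNSBL answer
}

if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.7", "198.51.100.9", "192.0.2.26"):
        print(ip, "->", listed_in(ip, resolve=FAKE_ZONE.get) or "not listed")
```

Because `dns_resolve` treats resolver failures as "no answer", this check fails open when DNS is unavailable.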




EMWAC IMS (and clones) and SCSMFILTER

A replacement for SMTPRS.EXE available at http://www.fast351.com/ims/ allows blocking at the receiver level, obsoleting the antirelay plugin for SCSMFILTER. Both SMTPRCV and ANTIRELAY use the same configuration file and the same settings for controlling relay access and using MAPS projects. Do not use both SMTPRCV and ANTIRELAY at the same time. We recommend using SMTPRCV.

IMS is a popular mail service for Windows NT. There is one commercial implementation (MailSite from Rockliffe) and several clones. If your mailer adds a Received: line claiming to come from "SMTPRS", "SMTPRA", "SMTPR_" (whatever) and you run NT, you have a version of IMS.

First, if you are using one of the clones or an older release of IMS (MailSite is already up to date), upgrade to IMS 0.83 from the Unofficial IMS support site. Then obtain SCSMFILTER from the same site, and the Antirelay plugin. (By Summer 1999, Antirelay will come pre-configured with SCSMFILTER.)

Antirelay (written by yours-truly) provides defense against relay spammers, and supports filtering based on the RBL and DUL. Specifically, add an entry into the [dnslists] section in antirelay.ini:

[dnslists]
list1=blackholes.mail-abuse.org
list2=dialups.mail-abuse.org

And create a [dialups.mail-abuse.org] section:

[dialups.mail-abuse.org]
allowlocal=yes
allowpopauth=yes
addheader=yes
deletetrash=no
headertext="Please see <http://mail-abuse.org/dul/enduser.htm>"

Set allowlocal and allowpopauth to permit relay access to your own networks listed in [localnets], and to authorized users via POP3.




TCP Wrappers

As the DUL cidr-data file was abused by third parties and subsequently removed, the example which uses tcp-wrappers is no longer useful. We recommend using a mail server or mail server add-on which produces a meaningful error message when refusing mail based on a MAPS project.




EIMS for Macintosh

Newer versions (3.0.2 and later) come with prebuilt DUL filters, so hacking an existing filter is no longer required.

Qualcomm's Eudora Internet Mail Server for Mac servers works immediately with the RBL, but takes some editing to work with the DUL. You will need a version of ResEdit to make these changes. Thanks to Christian Mønsted and the EIMS mailing list for this one:

You can get the latest RBL and ORBS filters with EIMS 2.2.1b4 from 
http://eudora.qualcomm.com/betas/. If you duplicate the RBL or ORBS 
filter, open it in ResEdit, and edit the STR# 128 resource.
Change string 1 to ".dialups.mail-abuse.org"
Change string 2 to "MAPS DUL blocked connection from "
Change string 3 to "550 5.7.1 No trespassing - please see <http://mail-abuse.org/dul/enduser.htm>"

Save and close the new filter, quit and relaunch EIMS, and it will be
working.

EIMS's local exclusion list allows skipping all RBL-style checks for listed addresses.




Obtuse SMTPD

Christopher Schulte pointed me to an SMTPD example. SMTPD is part of the Juniper firewall kit.

Smtpd can be easily configured to use the MAPS DUL.

If you are already using MAPS RBL, then just add this single line to your
smtpd_check_rules (or whatever file contains the connection rules)

noto:RBL.dialups.mail-abuse.org:ALL:ALL:550 Mail refused from host %I in MAPS DUL, see http%C//mail-abuse.org/dul/enduser.htm

Note if you have local dialup users connecting to the server to relay their
mail, it's necessary to add rules that will allow local networks, if you do
not have them defined already.  Put these rules above DUL, since the rules
are read from the top down and the first one matched is used.  Keep this in
mind, because it should also influence where you place the new
configuration.  I suggest you put all rules in this order:

1) allow statements from local source networks (so local users can send mail)
2) deny statements from MAPS services (to block incoming spam)
3) allow statements to local domains (so mail to local domains is accepted)
4) last line should be a deny (to catch all the people trying to relay, and
other misc abuse)

If you are not using RBL yet, you will need to patch the smtpd-2.0 source
code first. See http://www.obtuse.com/smtpd.html for more info.

--
Christopher Schulte
http://www.schulte.org/
christopher@schulte.org
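
The four-step rule order suggested above, as an added Python model that is not smtpd's code or rule syntax and not part of the original message. It shows why the local allow has to sit above the DUL deny under first-match evaluation; the networks, domain and DUL contents are constructed, and all function names are hypothetical.

```python
import ipaddress

# Constructed data (hypothetical): a local dial-up pool that is itself DUL-listed,
# one other DUL-listed range, and the domain this server accepts mail for.
LOCAL_NETS = [ipaddress.ip_network("10.11.12.0/24")]
DUL_LISTED = [ipaddress.ip_network("10.11.12.0/24"), ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}

def from_local(ip, rcpt):
    return any(ip in net for net in LOCAL_NETS)

def in_dul(ip, rcpt):
    return any(ip in net for net in DUL_LISTED)

def to_local(ip, rcpt):
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def anything(ip, rcpt):
    return True

# The four-step order suggested above, as (action, predicate, reason).
RECOMMENDED = [
    ("allow", from_local, "local source network"),
    ("deny", in_dul, "listed in MAPS DUL"),
    ("allow", to_local, "mail to local domain"),
    ("deny", anything, "relaying denied"),
]
# Same rules with the DUL deny moved above the local allow.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0], RECOMMENDED[2], RECOMMENDED[3]]

def decide(rules, client_ip, rcpt):
    """Read rules top down; the first rule that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, matches, reason in rules:
        if matches(ip, rcpt):
            return action, reason
    return "deny", "no rule matched"

if __name__ == "__main__":
    for rules in (RECOMMENDED, MISORDERED):
        print(decide(rules, "10.11.12.40", "friend@elsewhere.example"))
```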



QMail

QMail already supports the RBL, and the RBL patch also works with the DUL with the following instructions from Devin Carraway:

Obtain, compile and install rblsmtpd if you haven't already.  Adjust your   
qmail-smtpd commandline, inserting 'rblsmtpd -rdialups.mail-abuse.org' before
qmail-smtpd, as follows:

/usr/local/bin/supervise /var/lock/qmail-smtpd tcpserver -v \
        -x/etc/tcprules/smtprules.cdb 0 25 \
        rblsmtpd -rdialups.mail-abuse.org \
        /var/qmail/bin/qmail-smtpd 2>&1 | setuser qmaill accustamp \
        | setuser qmaill cyclog -s10000000 -n10 /var/log/qmail/qmail-smtpd &

To permit incoming mail from your own dialup hosts, adjust the tcprules
sourcefile to set the environment variable RBLSMTPD="" (set but empty),
which instructs rblsmtpd to accept mail without checking DUL; for example:

123.122.121.:allow,RBLSMTPD="",REASON="local dialup"
207.105.181.:deny,RBLSMTPD="-evil.spammer.com",REASON="spam"
:allow

I'm still looking for a POP3 authentication example, but you might be able to accomplish something similar to the rblsmtpd exclusions above using the smtpd-poplock patch. The QMail site links to another POPAUTH example and one SMTP AUTH example.
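
How the tcprules lines above interact with rblsmtpd, as an added Python model that is not qmail or ucspi-tcp code and not part of the original instructions. It assumes the RBLSMTPD semantics documented for the rblsmtpd shipped with ucspi-tcp (unset: do the lookup; empty: skip it; non-empty: reject, with 553 if the text starts with a hyphen and 451 otherwise) and covers only IP-based rules; `sample_dul` is a constructed stand-in for the DNS query.

```python
import re

# The three tcprules source lines from the page.
RULES_TEXT = '''123.122.121.:allow,RBLSMTPD="",REASON="local dialup"
207.105.181.:deny,RBLSMTPD="-evil.spammer.com",REASON="spam"
:allow'''

def parse_rules(text):
    """Map address prefix -> (instruction, {VAR: value}); handles only VAR="value"."""
    rules = {}
    for line in text.splitlines():
        address, _, rest = line.partition(":")
        rules[address] = (rest.split(",", 1)[0], dict(re.findall(r'(\w+)="([^"]*)"', rest)))
    return rules

def match(rules, ip):
    """IP-only part of the tcprules search: full address, shorter dotted prefixes, then ''."""
    parts = ip.split(".")
    for key in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule at all: the connection is allowed, nothing is set

def outcome(rules, ip, dul_listed):
    """What happens to an SMTP connection from ip; dul_listed(ip) stands in for the DNS query."""
    instruction, env = match(rules, ip)
    if instruction == "deny":
        return "dropped by tcpserver"          # rblsmtpd never runs, RBLSMTPD is moot
    text = env.get("RBLSMTPD")
    if text is None:                           # unset: rblsmtpd does the DUL lookup
        return "rejected: listed" if dul_listed(ip) else "accepted after lookup"
    if text == "":                             # set but empty: lookup skipped
        return "accepted without lookup"
    if text.startswith("-"):                   # leading hyphen: permanent (553) error
        return "rejected 553: " + text[1:]
    return "rejected 451: " + text             # otherwise temporary (451) error

# Constructed stand-in for the DUL: both dial-up ranges below count as listed.
def sample_dul(ip):
    return ip.startswith(("123.122.121.", "198.51.100."))

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for ip in ("123.122.121.5", "207.105.181.9", "198.51.100.7", "203.0.113.4"):
        print(ip, "->", outcome(rules, ip, sample_dul))
```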




Netscape Messaging Server 3.x

Bob Poortinga maintains an example filter.cfg file at his web site. NMS does not have RBL or DUL capability built in, but you can invoke external programs using the RUN directive. He includes example .sh scripts which will work on any OS that supports them, and is developing a Perl script that will work on any OS that supports Perl, including Windows NT.

More important than installing RBL or DUL capability, however, is securing the NMS server against relay theft. Bob explains how to do this properly.


© 1989-2005 Trend Micro Incorporated. All rights reserved.