SpamAssassin 4: RBL checks and SpamCop + Razor2 not working!

Hello,

I use SpamAssassin in conjunction with spamd and unfortunately have the problem that the DNSBL checks apparently do not work. The same applies to Razor2 and SpamCop.

13.3-RELEASE-p3 FreeBSD 13.3-RELEASE-p3 GENERIC amd64
p5-WWW-Mechanize-SpamCop-0.08_1 SpamCop reporting automation
py38-pyzor-1.0.0_1 Collaborative, networked system to detect and block spam
razor-agents-2.85 Distributed, collaborative, spam detection and filtering network
spamassassin-4.0.1_1 Highly efficient mail filter for identifying spam
spamd-4.9.1_7 Traps spammers with a very slow smtp-login and return 4xx error


The problem is independent of the name servers entered in /etc/resolv.conf, e.g. 1.1.1.1


X-Spam-RBL-Check:
X-Spam-Razor2-Result: _RESULT_

Despite this line in local.cf:
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.'

there is, for example, no reference to "nix-spam-lastexternal" anywhere in the output of spamassassin -t -D < testmail.txt.

Code:
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on mail.domain.com
X-Spam-Level: *******
X-Spam-Status: No, score=7.9 required=8.0 tests=EMPTY_MESSAGE=2.32,MISSING_DATE=1.36,MISSING_FROM=1,MISSING_HEADERS=1.021,MISSING_MID=0.497,MISSING_SUBJECT=1.799,NO_HEADERS_MESSAGE=0.001,NO_RECEIVED=-0.001,NO_RELAYS=-0.001 BAYES=0.5 DCC: Pyzor=Reported 28728848 times, welcomelisted 305295 times. autolearn=no autolearn_force=no version=4.0.1 report=
        *  0.5 MISSING_MID Missing Message-Id: header
        *  1.0 MISSING_FROM Missing From: header
        *  1.4 MISSING_DATE Missing Date: header
        *  1.8 MISSING_SUBJECT Missing Subject: header
        * -0.0 NO_RECEIVED Informational: message has no Received headers
        *  2.3 EMPTY_MESSAGE Message appears to have no textual parts
        * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
        *  1.0 MISSING_HEADERS Missing To: header
        *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
        *      headers
X-Spam-RelayCountry:
X-Spam-RBL-Check:
X-Spam-Pyzor: PYZOR
X-Spam-Razor2-Result: _RESULT_


I have checked everything carefully, but cannot find the error.

Below are the relevant excerpts from

1. v310.pre
2. /usr/local/etc/mail/spamassassin/local.cf
3. spamassassin -t -D < testmail.txt
4. spamassassin --lint --debug

What am I doing wrong?


Kind regards and thanks in advance

Sidney2017

V310.pre
Code:
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

/usr/local/etc/mail/spamassassin/local.cf

Code:
clear_trusted_networks
score ALL_TRUSTED 0
#dns_server 127.0.0.1 # added to fix blocking of URIBL and DNSWL queries
dns_server 127.0.0.1
# lock_method type
lock_method flock
#add_header all Level _STARS(*)_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES(,)_ BAYES=_BAYES_ DCC:_DCCB_ _DCCR_ Pyzor=_PYZOR_ autolearn=_AUTOLEARN_ version=_VERSION_ report=_REPORT_
add_header all RelayCountry _RELAYCOUNTRY_
add_header all RBL-Check _RBL_
score RCVD_IN_XBL 1
rewrite_header subject *****SPAM*****
report_safe             1

# Enable the Bayes system
# Enable Bayes auto-learning
bayes_auto_learn 1
bayes_auto_expire 1
use_bayes    1
bayes_path /home/vj/.spamassassin/bayes
bayes_file_mode 777
#bayes_auto_learn_threshold_nospam 0.1
#bayes_auto_learn_threshold_spam 7.0
score BAYES_00 0
score BAYES_80 4.6
score BAYES_95 5.0
score BAYES_99 6.5
score BAYES_999 7.0
bayes_learn_to_journal 1

# Pyzor
use_pyzor 1
pyzor_timeout 15
score PYZOR_CHECK 6
pyzor_options --homedir /usr/local/etc/mail/spamassassin/.pyzor
pyzor_path /usr/local/bin/pyzor
add_header all Pyzor PYZOR
 
#DCC
use_dcc 1
dcc_path /usr/local/bin/dccproc
dcc_dccifd_path    /usr/local/libexec/dccifd  
dcc_learn_score 1
score DCC_CHECK 6.5

# Razor
use_razor2 1
add_header all Razor2-Result _RESULT_
#razor_config /usr/local/etc/mail/spamassassin/.razor/razor-agent.conf
razor_config /root/.razor/razor-agent.conf
razor_timeout 120
score RAZOR2_CHECK 4.8

# Enable or disable network checks
skip_rbl_checks 0
rbl_timeout 120

score UNWANTED_LANGUAGE_BODY 1.0
score CHARSET_FARAWAY 1.0
score CHARSET_FARAWAY_BODY 1.0

required_score 8
#use_auto_whitelist 0
#auto_whitelist_path none
header RCVD_IN_DNSBL_INPS_DE eval:check_rbl('inps-de','dnsbl.inps.de.')
describe RCVD_IN_DNSBL_INPS_DE Received via a relay in inps.de DNSBL
tflags RCVD_IN_DNSBL_INPS_DE net
score RCVD_IN_DNSBL_INPS_DE 3.0

#header RCVD_IN_BNBL eval:check_rbl('bl','bl.blueshore.net.')
#describe RCVD_IN_BNBL Listed by BNBL
#tflags RCVD_IN_BNBL net
#score RCVD_IN_BNBL 1.00

header RCVD_IN_SPAMCOP_NET eval:check_rbl('bl.spamcop.net')
describe RCVD_IN_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_SPAMCOP_NET net
score RCVD_IN_SPAMCOP_NET 5.00

header        RCVD_IN_NIX_SPAM  eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe      RCVD_IN_NIX_SPAM  Listed in NIX-SPAM DNSBL (heise.de)
tflags        RCVD_IN_NIX_SPAM  net
score         RCVD_IN_NIX_SPAM  3.0 # please adjust the score value

header   RCVD_IN_UCEPROTECT2  eval:check_rbl_txt('uceprotect2-lastexternal', 'dnsbl-2.uceprotect.net.')
describe RCVD_IN_UCEPROTECT2  Received via a relay in UCEPROTECT Level 2 DNSBL
tflags   RCVD_IN_UCEPROTECT2  net
score    RCVD_IN_UCEPROTECT2  3.0

# Deactivate problematic rules
score RCVD_IN_VALIDITY_RPBL_BLOCKED 0
score RCVD_IN_VALIDITY_RPBL 0
score AUTH_SMTP -10.0
fold_headers 1
dns_available yes


spamassassin -t -D < testmail.txt

Code:
[53269] dbg: timing: total 1167 ms - init: 859 (73.6%), parse: 0.80 (0.1%), extracttext: 0.23 (0.0%), extract_message_metadata: 1.86 (0.2%), tests_pri_-10000: 4.8 (0.4%), compile_gen: 126 (10.8%), get_uri_detail_list: 2.8 (0.2%), tests_pri_-2000: 2.5 (0.2%), compile_eval: 15 (1.3%), tests_pri_-1000: 2.1 (0.2%), tests_pri_-950: 1.37 (0.1%), tests_pri_-900: 1.75 (0.2%), tests_pri_-200: 1.31 (0.1%), tests_pri_-100: 65 (5.5%), dkim_load_modules: 27 (2.3%), check_dkim_signature: 0.41 (0.0%), check_spf: 10 (0.8%), check_pyzor: 2.5 (0.2%), check_razor2: 44 (3.8%), check_dcc: 6 (0.5%), tests_pri_-90: 5 (0.5%), check_bayes: 2.3 (0.2%), b_tokenize: 0.53 (0.0%), b_tok_get_all: 0.01 (0.0%), b_comp_prob: 0.08 (0.0%), b_finish: 0.00 (0.0%), tests_pri_0: 174 (14.9%), tests_pri_10: 2.2 (0.2%)
Jun 30 14:10:14.410 [53269] dbg: markup: mime_encode_header: SpamAssassin 4.0.1 (2024-03-26) on mail.domain.com
Jun 30 14:10:14.410 [53269] dbg: markup: mime_encode_header: *******
Jun 30 14:10:14.410 [53269] dbg: markup: mime_encode_header: No, score=7.9 required=8.0 tests=EMPTY_MESSAGE=2.32,MISSING_DATE=1.36,MISSING_FROM=1,MISSING_HEADERS=1.021,MISSING_MID=0.497,MISSING_SUBJECT=1.799,NO_HEADERS_MESSAGE=0.001,NO_RECEIVED=-0.001,NO_RELAYS=-0.001 BAYES=0.5 DCC:  Pyzor=Reported 28728848 times, welcomelisted 305295 times. autolearn=no autolearn_force=no version=4.0.1 report=
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  0.5 MISSING_MID Missing Message-Id: header
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  1.0 MISSING_FROM Missing From: header
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  1.4 MISSING_DATE Missing Date: header
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  1.8 MISSING_SUBJECT Missing Subject: header
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t* -0.0 NO_RECEIVED Informational: message has no Received headers
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  2.3 EMPTY_MESSAGE Message appears to have no textual parts
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  1.0 MISSING_HEADERS Missing To: header
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
Jun 30 14:10:14.410 [53269] dbg: markup: [...] \t*      headers
Jun 30 14:10:14.411 [53269] dbg: markup: mime_encode_header:
Jun 30 14:10:14.411 [53269] dbg: markup: mime_encode_header:
Jun 30 14:10:14.411 [53269] dbg: markup: mime_encode_header: PYZOR
Jun 30 14:10:14.411 [53269] dbg: markup: mime_encode_header: _RESULT_
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on mail.domain.com
X-Spam-Level: *******
X-Spam-Status: No, score=7.9 required=8.0 tests=EMPTY_MESSAGE=2.32,MISSING_DATE=1.36,MISSING_FROM=1,MISSING_HEADERS=1.021,MISSING_MID=0.497,MISSING_SUBJECT=1.799,NO_HEADERS_MESSAGE=0.001,NO_RECEIVED=-0.001,NO_RELAYS=-0.001 BAYES=0.5 DCC:  Pyzor=Reported 28728848 times, welcomelisted 305295 times. autolearn=no autolearn_force=no version=4.0.1 report=
        *  0.5 MISSING_MID Missing Message-Id: header
        *  1.0 MISSING_FROM Missing From: header
        *  1.4 MISSING_DATE Missing Date: header
        *  1.8 MISSING_SUBJECT Missing Subject: header
        * -0.0 NO_RECEIVED Informational: message has no Received headers
        *  2.3 EMPTY_MESSAGE Message appears to have no textual parts
        * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
        *  1.0 MISSING_HEADERS Missing To: header
        *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
        *      headers
X-Spam-RelayCountry:
X-Spam-RBL-Check:
X-Spam-Pyzor: PYZOR
X-Spam-Razor2-Result: _RESULT_
Subject:

Spam detection software, running on the system "mail.domain.com",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
The administrator of that system for details.

Content preview:

Content analysis details:   (7.9 points, 8.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 MISSING_MID            Missing Message-Id: header
 1.0 MISSING_FROM           Missing From: header
 1.4 MISSING_DATE           Missing Date: header
 1.8 MISSING_SUBJECT        Missing Subject: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 2.3 EMPTY_MESSAGE          Message appears to have no textual parts
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.0 MISSING_HEADERS        Missing To: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

Jun 30 14:10:14.412 [53269] dbg: check: tagrun - tag DKIMDOMAIN is still blocking action 1, 2, 5, 6, 8, 9, 11
Jun 30 14:10:14.412 [53269] dbg: check: tagrun - tag LASTEXTERNALDNS is still blocking action 15, 16, 18
Jun 30 14:10:14.412 [53269] dbg: check: tagrun - tag SENDERDOMAIN is still blocking action 3
Jun 30 14:10:14.412 [53269] dbg: check: tagrun - tag LASTEXTERNALHELO is still blocking action 10, 13, 14, 17
Jun 30 14:10:14.412 [53269] dbg: check: tagrun - tag AUTHORDOMAIN is still blocking action 0, 4, 7, 12
Jun 30 14:10:14.414 [53269] dbg: plugin: Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x83bb292b8) implements 'finish_tests', priority 0
Jun 30 14:10:14.414 [53269] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x83bb297f8) implements 'finish_tests', priority 0

The output of "spamassassin --lint -D" is too long to post here because of the 25,000-character limit.
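As an added illustration (not code from this thread and not part of SpamAssassin), here is a small Python checker that runs over a local.cf excerpt and flags the kind of DNSBL rule problems that come up in this thread: a `header ... eval:check_rbl(...)` line with an unbalanced parenthesis, a `check_rbl`/`check_rbl_txt` call that does not carry both a set name and a zone, a zone written without the trailing dot that the stock rules use, and a rule with a `header` line but no `score` line. The sample excerpt is constructed from the posted configuration (the SpamCop line is taken as posted, and the inps.de zone is deliberately written without its trailing dot to exercise that check); `spamassassin --lint` remains the authoritative check for a real file.

```python
"""Lint the DNSBL rule stanzas of a SpamAssassin local.cf excerpt.

Added example, not part of the thread or of SpamAssassin.  The checks
mirror what went wrong in the posted configuration; spamassassin --lint
is still the authoritative validator for a real file.
"""
import re

# Constructed excerpt modelled on the local.cf posted in the thread.  The
# first line reproduces the missing ')' spotted in the reply, the SpamCop
# line carries only one argument, and the inps.de zone has been written
# without its trailing dot on purpose.
SAMPLE_LOCAL_CF = """\
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.'
header RCVD_IN_SPAMCOP_NET eval:check_rbl('bl.spamcop.net')
describe RCVD_IN_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_SPAMCOP_NET net
score RCVD_IN_SPAMCOP_NET 5.00
header RCVD_IN_DNSBL_INPS_DE eval:check_rbl('inps-de','dnsbl.inps.de')
score RCVD_IN_DNSBL_INPS_DE 3.0
header   RCVD_IN_UCEPROTECT2  eval:check_rbl_txt('uceprotect2-lastexternal', 'dnsbl-2.uceprotect.net.')
score    RCVD_IN_UCEPROTECT2  3.0 # please adjust the score value
"""

# header <RULE> eval:check_rbl(...) or check_rbl_txt(...); everything after
# the opening parenthesis is captured so the parenthesis balance can be checked.
HEADER_RE = re.compile(r"^header\s+(\S+)\s+eval:(check_rbl(?:_txt)?)\((.*)$")
ARG_RE = re.compile(r"'([^']*)'")


def lint_local_cf(text):
    """Return a list of (line_no, rule_name, message) findings.

    Findings that span lines (a header rule without a score) use line 0.
    """
    findings = []
    header_rules, score_rules = set(), set()
    for no, raw in enumerate(text.splitlines(), 1):
        # SpamAssassin strips an unescaped '#' and everything after it.
        line = re.split(r"(?<!\\)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "score" and len(parts) >= 3:
            score_rules.add(parts[1])
        m = HEADER_RE.match(line)
        if not m:
            continue
        rule, func, rest = m.groups()
        header_rules.add(rule)
        # 'rest' starts just after the opening '(' of the eval call.
        if rest.count("(") + 1 != rest.count(")"):
            findings.append((no, rule, "unbalanced parentheses in eval: call"))
        args = ARG_RE.findall(rest)
        if len(args) < 2:
            findings.append((no, rule,
                             f"{func} needs a set name and a zone, got {len(args)} argument(s)"))
            continue
        zone = args[1]
        if not zone.endswith("."):
            findings.append((no, rule, f"zone '{zone}' lacks the trailing dot"))
    for rule in sorted(header_rules - score_rules):
        findings.append((0, rule, "header rule has no score line"))
    for rule in sorted(score_rules - header_rules):
        findings.append((0, rule, "score line for a rule that is never defined"))
    return findings


if __name__ == "__main__":
    for no, rule, msg in lint_local_cf(SAMPLE_LOCAL_CF):
        print(f"line {no or '-'}: {rule}: {msg}")
```

Run against a real file with `lint_local_cf(open(path).read())`; the trailing-dot check matters because a zone without it can have the resolver's search list appended, so the query goes to the wrong name.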
 
Missing ")" in local.cf at:

Despite local.cf:
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.'


header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL (heise.de)
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 10 # please adjust the score value


Also, don't use public DNS like 1.1.1.1 or 8.8.8.8; they are banned in some DNSBLs. You need to use your local ISP's DNS.
 
Thank you very much!

But this is just a copy & paste error in connection with the forum post. At the bottom of the local.cf you can see that the bracket is not missing!

I use local ISP DNS!

I had only pointed out that it does not work, no matter which NS I enter in resolv.conf. nslookup, host etc. work perfectly with the HETZNER NS.

Kind regards
Sidney2017

P. S.:
Strangely enough, the following suddenly appears in the mail headers:

X-Spam-RBL-Check: <dns:164.228.253.x.wl.mailspike.net> [127.0.0.19]
<dns:164.228.253.x.list.dnswl.org> [127.0.10.3]

That suggests that RBL checks should work in principle, doesn't it?
 
Hi VladiBG,

I think your hint was very important because the "From" was really missing!

Something is wrong with the DNS resolution in Spamassassin.

Is dns_available YES correct?

spamassassin -t -D < testmail.txt then ends in an endless loop at the very end (see attachment):


Jun 30 17:34:10.408 [64618] dbg: async: select found 0 responses ready (t.o.=0.0), did 0 callbacks
Jun 30 17:34:10.408 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
Jun 30 17:34:10.408 [64618] dbg: dns: harvest_dnsbl_queries - check_tick
Jun 30 17:34:11.416 [64618] dbg: dns: select timed out 1.000 s
Jun 30 17:34:11.416 [64618] dbg: async: select found 0 responses ready (t.o.=1.0), did 0 callbacks
Jun 30 17:34:11.417 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
Jun 30 17:34:11.417 [64618] dbg: dns: harvest_dnsbl_queries - check_tick
Jun 30 17:34:12.480 [64618] dbg: dns: select timed out 1.000 s
Jun 30 17:34:12.480 [64618] dbg: async: select found 0 responses ready (t.o.=1.0), did 0 callbacks
Jun 30 17:34:12.481 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
Jun 30 17:34:12.481 [64618] dbg: dns: harvest_dnsbl_queries - check_tick
Jun 30 17:34:13.507 [64618] dbg: dns: select timed out 1.000 s

Thanks a lot and kind regards
Brain2017
 

Attachment: spamassassin-test-result.txt (211 KB)
warn: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives

Use your ISP DNS or fix your local dns.

Jun 30 17:33:59.259 [64618] dbg: dns: launching rule RCVD_IN_NIX_SPAM, set nix-spam-lastexternal, type A, no subtest
Jun 30 17:33:59.259 [64618] dbg: async: launching A/77.84.225.206.ix.dnsbl.manitu.net, rules: RCVD_IN_NIX_SPAM
Jun 30 17:33:59.259 [64618] dbg: dns: bgsend, DNS servers: [127.0.0.1]:53
Jun 30 17:33:59.259 [64618] dbg: dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
Jun 30 17:33:59.260 [64618] warn: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives

After you change or fix your DNS run the test again and verify if this warning is also resolved:

info: dns: bad dns reply: bgread: recv() failed: Connection refused at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/DnsResolver.pm line 756
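To make the diagnosis in this and the previous post mechanical, here is an added Python example (not SpamAssassin code and not from the thread) that reads `spamassassin -t -D` output and reports which resolver addresses SpamAssassin actually sent to, which sends failed and why, which query was launched for which rule, and whether the "queries still pending" counters stopped changing, which is the loop shown above. The sample log is constructed from the lines quoted in the thread; the cause labels are the script's own.

```python
"""Triage the DNS part of 'spamassassin -t -D' debug output.

Added example, not part of the thread or of SpamAssassin.  It looks for
the symptoms discussed above: SpamAssassin sending to a resolver that
refuses the connection, and the async harvest loop reporting the same
pending counts over and over.
"""
import re
from collections import Counter

# Constructed sample, assembled from the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
Jun 30 17:33:59.259 [64618] dbg: dns: launching rule RCVD_IN_NIX_SPAM, set nix-spam-lastexternal, type A, no subtest
Jun 30 17:33:59.259 [64618] dbg: async: launching A/77.84.225.206.ix.dnsbl.manitu.net, rules: RCVD_IN_NIX_SPAM
Jun 30 17:33:59.259 [64618] dbg: dns: bgsend, DNS servers: [127.0.0.1]:53
Jun 30 17:33:59.259 [64618] dbg: dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
Jun 30 17:33:59.260 [64618] warn: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
Jun 30 17:34:10.408 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
Jun 30 17:34:11.416 [64618] dbg: dns: select timed out 1.000 s
Jun 30 17:34:11.417 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
Jun 30 17:34:12.480 [64618] dbg: dns: select timed out 1.000 s
Jun 30 17:34:12.481 [64618] dbg: async: queries still pending: AskDNS=2 DNSBL=10 DNSBL-Sender=1 HASHBL=2 URIBL=6
"""

SERVERS_RE = re.compile(r"dns: bgsend, DNS servers: (.+)$")
SENDFAIL_RE = re.compile(
    r"warn: dns: sendto\(\) to (\[[^\]]+\]:\d+) failed: (.+?)(?:, no more alternatives)?$")
PENDING_RE = re.compile(r"async: queries still pending: (.+)$")
LAUNCH_RE = re.compile(r"async: launching (\S+), rules: (.+)$")


def is_loopback(server):
    """True for the '[addr]:port' form SA prints when addr is a loopback address."""
    return server.startswith("[127.") or server.startswith("[::1]")


def triage_dns(log_text):
    """Summarise resolver use, send failures and stalled pending queries."""
    servers = set()
    send_failures = Counter()
    pending_snapshots = []
    launched = {}
    for line in log_text.splitlines():
        if m := SERVERS_RE.search(line):
            servers.update(s.strip() for s in m.group(1).split(","))
        elif m := SENDFAIL_RE.search(line):
            send_failures[(m.group(1), m.group(2))] += 1
        elif m := PENDING_RE.search(line):
            counts = dict(kv.split("=", 1) for kv in m.group(1).split())
            pending_snapshots.append({k: int(v) for k, v in counts.items()})
        elif m := LAUNCH_RE.search(line):
            launched[m.group(1)] = m.group(2)
    # Three or more identical snapshots means nothing is being answered.
    stalled = (len(pending_snapshots) >= 3
               and all(s == pending_snapshots[0] for s in pending_snapshots))
    if send_failures and all(is_loopback(srv) for srv, _ in send_failures):
        # dns_server points at loopback but nothing listens on port 53 there.
        cause = "resolver_not_listening"
    elif send_failures:
        cause = "send_failed"
    elif stalled:
        # Packets leave, answers never come back: firewall, rate limit or dead upstream.
        cause = "no_replies"
    else:
        cause = "ok"
    return {
        "servers": sorted(servers),
        "send_failures": dict(send_failures),
        "launched": launched,
        "pending": pending_snapshots[-1] if pending_snapshots else {},
        "stalled": stalled,
        "cause": cause,
    }


if __name__ == "__main__":
    result = triage_dns(SAMPLE_DEBUG)
    print("resolvers used:", result["servers"])
    for (srv, err), n in result["send_failures"].items():
        print(f"{n} send(s) to {srv} failed: {err}")
    print("still pending:", result["pending"], "stalled:", result["stalled"])
    print("cause:", result["cause"])
```

Feed it the saved debug output with `triage_dns(open("spamassassin-test-result.txt").read())`. A `resolver_not_listening` result means the fix is on the machine itself (start a resolver on 127.0.0.1 or change `dns_server`), whereas `no_replies` points at whatever sits between the host and the blocklists.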
 
Hi,

It's not that simple! On the contrary, the entry 127.0.0.1 is often recommended. Incidentally, I do NOT have an entry 127.0.0.1 in resolv.conf, but only the "dns_server" 127.0.0.1 fix for local.cf.

URIBL_BLOCKED - ADMINISTRATOR NOTICE: The query to URIBL was blocked. https://www.dotcomunderground.com/blogs/2020/06/19/uribl-blocked-the-query-to-uribl-was-blocked/

To solve the issue edit the file /etc/mail/spamassassin/local.cf and add this line:
dns_server 127.0.0.1 # added to fix blocking of URIBL and DNSWL queries

Possibly the main problem was the following, which was brought to my attention by cwiki.apache.org:

Q: The dns-blocklists just don't appear to be used. What is going wrong?
A: First, make sure "Net::DNS" for perl is installed. Without this the blocklists will not be used.

Although
spamassassin -t -D < spamtest.txt
had reported "Net::DNS" for perl as available, this was not the case under CPAN. I therefore reinstalled it with "CPAN install".

Everything finally seems to be working.
Thank you very much for your support!!!!!
 
You should *always* use a caching resolver on/for a mailserver. Especially with DNS based RBLs they will generate a lot of DNS queries. Count in the normal hostname and RR-lookups, checking SPF and MX records, DKIM and maybe lookup for local addresses (if you use distinct hostnames for each jail and use them in your configs) and you will easily end up at 10+ DNS requests for every mail your system receives. You absolutely don't want to hit your ISP's (or anyone's) DNS servers with that.
Plus many RBLs nowadays also have rate limiting in place, so you absolutely want to cache their responses to not hit rate limiting and also to keep processing time of your milters down.

You could use the ISPs local DNS as an upstream forwarder for your local caching DNS resolver (e.g. unbound), but I'd still ask their support if this is fine and if they have any rate-limiting in place.

I completely switched to (caching) recursive resolvers on every mailserver several years ago. This way your mailserver isn't dependent on a single DNS server that might go offline or act up and bring your mail delivery to a complete halt.


Regarding your specific configuration: I see you are using 3 different RBLs - I'd advise against that. Pick one that meets your needs (e.g. I'm using the spamhaus zen list), but not multiple. DNS checks are expensive, so you should be scarce with them to reduce load on your system (and DNS resolver) and to keep the total processing time and hence delay for mail delivery low. If 2 of those 3 DNSBLs are slow to answer, your whole chain might take too long and cause the SA-milter to timeout. Depending on your default action this might lead to rejects even for legitimate mail, which is bad for your domain reputation as well as for your users (and your nerves, as they *will* start nagging that they don't receive mail), or the check is simply discarded/skipped, which lets everything through even if spamassassin would have flagged/rejected that message and hence your mailboxes will be littered with spam.

To minimize the amount of mail that actually hits 'expensive' milters like spamassassin or rspamd, you can filter or completely block malicious hosts earlier in the chain, e.g. by using greylisting (mail/spamd) and/or using DROP lists on the host or jail that answers to incoming connections. This can easily reduce the amount of crap reaching your MTA by 50%+, especially if you are able to block whole ASNs that are known to host mainly spam.
 
Hello,

Thank you very much for your very good advice!

I can completely understand them and their meaning.

But as far as I know, various DNS checks have been active by default since SpamAssassin version 4.X:

  • Mailspike
  • SORBS
  • SpamCop
  • Spamhaus ZEN
  • SURBL
  • URIBL
A look at
also shows that the performance of different blacklist providers varies considerably, which is why even providers of professional anti-spam products such as the company mentioned above combine several RBL checks.

I will take care of the local caching DNS resolver you recommended as soon as possible!

Kind regards
Sidney2017
 
SORBS service has been decommissioned
Spamhaus denies usage from public DNS servers like 1.1.1.1, Cloud9, 8.8.8.8 etc. You need registration. Fair Use Policy:
1.1.4 Queries originating from large shared hosting environments are not accepted. As a workaround, please apply for a free Datafeed Query Key from Spamhaus Technology. A private DNS server with a correct, attributable host name can also be used.
 
Only for spamhaus DSQ you need a registration to get the key!

And in my case, fortunately, it's not about 100,000 emails a day!

I do not use DNS servers like 1.1.1.1 or Cloud9 8.8.8 but the ones of Hetzner.

Kind regards
Sidney2017
 
...
You could use the ISPs local DNS as an upstream forwarder for your local caching DNS resolver (e.g. unbound), but I'd still ask their support if this is fine and if they have any rate-limiting in place.

I completely switched to (caching) recursive resolvers on every mailserver several years ago. This way your mailserver isn't dependent on a single DNS server that might go offline or act up and bring your mail delivery to a complete halt.

Will I have to install unbound via pkg install?
Or can I work with the already integrated "unbound" DNS resolver of FreeBSD 13.3?

Presumably the integrated one (local_unbound) will be sufficient for use as a local DNS resolver for working with SpamAssassin and RBLs, correct?

Thanks and kind regards
Sidney2017

EDIT:

I have now quickly configured local_unbound and after initial tests it resolves wonderfully!
 
...

You could use the ISPs local DNS as an upstream forwarder for your local caching DNS resolver (e.g. unbound), but I'd still ask their support if this is fine and if they have any rate-limiting in place.

I completely switched to (caching) recursive resolvers on every mailserver several years ago. This way your mailserver isn't dependent on a single DNS server that might go offline or act up and bring your mail delivery to a complete halt.

Hi Sko,

one more question for you in particular, as you have indicated that you have been using a DNS cache resolver for some time:

I set up local-unbound according to these instructions (FreeBSD.org), but in hindsight there is a catch: It is advised there to leave the previous name server entries in the resolv.conf (Upstream forwarder). The local_unbound-setup program then comments these out in resolv.conf, but transfers these name server entries - e.g. 88.198.139.3 from Hetzner - to /var/unbound/forward.conf

This then leads, for example, to
dig test.uribl.com.multi.uribl.com txt +short "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 88.198.139.3]"

I have read here

"Unbound and other DNS forwarders/resolvers can use a separate file for root servers but since they change so rarely it's not worth it and the compiled-in list is sufficient."

I set up local_unbound in "resolver mode" meanwhile, using the compiled-in list, which works now!

Thanks in advance and best regards
Sidney2017
 
I run unbound in a separate jail and it's listening only on the interface that is used to communicate with other jails. The host has to be able to resolve addresses even if the jail is not (yet) running, otherwise various things might fail (e.g. the most common example is ntp being unable to set host time at boot).

I usually use a free resolver (e.g. quad-9) on the host. The jails and hence all DNS queries related to mail delivery go to unbound which is running as a recursive resolver.

However, I'm not using local-unbound anywhere as it wasn't available in base when my production hosts were set up, so they are all running unbound from ports. I have no idea if 'local-unbound' has any restrictions or implications other than it interfering with resolv.conf...
Regarding the root server list; this has been changed a while ago - you don't need to set them as they are compiled in, just as the message already suggests.


Another thing: Hetzner is known as a bot-/spamhoster that is rather slow/ignorant in responding to abuse reports, so reputation of their prefixes is rather bad. I wouldn't use a host in their network for mail delivery (or anything else for that matter...)
 