Posted to dev@httpd.apache.org by Jem Berkes <jb...@users.pc9.org> on 2005/08/19 01:11:57 UTC

Supporting RBL in mod_smtpd

Here is my current plan for introducing the RBL support in mod_smtpd, using 
the existing mod_dnsbl_lookup which I posted earlier. This way of 
accomplishing the RBL support should not require any code modification to 
mod_smtpd itself. Nick and Rian, let me know if I should be going about 
this a different way?

I thought the most modular fashion would be to create a mod_smtpd_rbl that 
registers the following mod_smtpd hooks:
smtpd_run_connect (might deny service to connecting IP, per request_rec)
smtpd_run_mail (might deny service to this envelope domain, per loc)

These would query whitelists and blacklists, whatever is available.

I don't mind whipping up this bridging mod_smtpd_rbl module, but if it 
seems excessive to introduce a new module for this purpose then the other 
way of doing this would be to add the RBL supporting code into mod_smtpd 
itself.

Either way it's done, RBLs are still not required and mod_dnsbl_lookup does 
not have to be present for mod_smtpd to function normally. However, adding 
a new bridging module has the advantage of leaving mod_smtpd code alone and 
taking advantage of the hooks interface.



Re: Supporting RBL in mod_smtpd

Posted by Jem Berkes <jb...@users.pc9.org>.
> > smtpd_run_connect (might deny service to connecting IP, per
> > request_rec)
> > smtpd_run_mail (might deny service to this envelope domain, per loc)
> +1
> ...
> Don't do this just yet, mod_smtpd is changing completely! completely =
> structures/io. I should commit my changes very soon so you can start
> working on this.

OK, I'll watch for the changes. Make sure you keep what I need though :)

smtpd_run_connect should somehow pass the address of the peer (currently 
that's within the request_rec)

smtpd_run_mail should still pass the MAIL FROM address the peer specifies, 
it currently comes in the char* loc.

As long as this data is still available to me and I can return a code to 
reject the mail, we should be good to go. Somewhat trivial I hope.



Committed mod_smtpd/trunk/mod_smtpd_rbl and mod_dnsbl_lookup

Posted by Jem Berkes <jb...@users.pc9.org>.
> Hopefully later today I should have this completely done and checked in.

I waited for Rian to update the mod_smtpd structures, and I have now 
checked in my code for RBL functionality. There are README files in both 
directories describing use. However, could someone tell me how to properly 
use mod_smtpd.h and dnsbl_lookup.h in the build process? I've copied them 
between directories but this can't be the right way to do it.

https://svn.apache.org/repos/asf/httpd/mod_smtpd/trunk/mod_smtpd_rbl/
- Adds RBL whitelisting and blacklisting to mod_smtpd, either
rejecting client IPs upon connection (DNSBL) or envelope sender
domains (RHSBL). By hooking into Rian's smtp this remains totally
modular and does not alter mod_smtpd itself.

https://svn.apache.org/repos/asf/httpd/mod_smtpd/trunk/mod_dnsbl_lookup/
- Does the actual DNSBL and RHSBL lookups, supporting rather advanced
configuration in the form of distinct query chains.  Many chains can
be defined so admins can use chains for different purposes.  Flags to
the lookup functions allow different query styles, such as either
stopping on one match or querying everything and returning a table of
response details.

Sample configuration for mod_smtpd + mod_smtpd_rbl + mod_dnsbl_lookup

# Enable mod_smtpd
SmtpProtocol On

# Define whitelist and blacklist chains for mod_smtpd_rbl
SmtpWhitelist mywhitelist
SmtpBlacklist myblacklist

# Enable mod_dnsbl_lookup
DnsblLookups On

# The zones and chains for mod_dnsbl_lookup

RhsblZone myblacklist	rhsbl.ahbl.org.		127.0.0.2
RhsblZone myblacklist	abuse.rfc-ignorant.org.	127.0.0.4

DnsblZone myblacklist	sbl.spamhaus.org.	any
DnsblZone myblacklist	cbl.abuseat.org.	any
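
As an added illustration (not part of the original post, and not the code of mod_dnsbl_lookup or mod_smtpd_rbl), this C sketch evaluates a chain like the sample configuration above, stopping on the first match. The type and function names are hypothetical, the meaning given to the third configuration field is an assumption, and DNS is replaced by a constructed stub.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical types for this example; not mod_dnsbl_lookup's API. */
typedef struct { const char *chain, *zone, *expect; int rhs; } zone_t;
typedef const char *(*resolver_fn)(const char *qname); /* A record or NULL */
/* Chain copied from the sample configuration. Assumption: the last field is
   the response that counts as a listing, and "any" accepts every response. */
static const zone_t ZONES[] = {
    {"myblacklist", "rhsbl.ahbl.org.",         "127.0.0.2", 1},
    {"myblacklist", "abuse.rfc-ignorant.org.", "127.0.0.4", 1},
    {"myblacklist", "sbl.spamhaus.org.",       "any",       0},
    {"myblacklist", "cbl.abuseat.org.",        "any",       0},
};

/* Query name: reversed IPv4 octets (DNSBL) or sender domain (RHSBL) + zone. */
int build_qname(int rhs, const char *subject, const char *zone, char *out, size_t n) {
    unsigned char o[4]; int len;
    if (rhs) {
        const char *at = strrchr(subject, '@');
        const char *dom = at ? at + 1 : subject;
        if (*dom == '\0') return -1;
        len = snprintf(out, n, "%s.%s", dom, zone);
    } else {
        if (inet_pton(AF_INET, subject, o) != 1) return -1;
        len = snprintf(out, n, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    }
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Return the first zone of `chain` that lists the subject, else NULL. */
const char *chain_lookup(const char *chain, int rhs, const char *subject, resolver_fn resolve) {
    char q[256];
    for (const zone_t *z = ZONES; z < ZONES + sizeof ZONES / sizeof ZONES[0]; z++) {
        if (z->rhs != rhs || strcmp(z->chain, chain) != 0) continue;
        if (build_qname(rhs, subject, z->zone, q, sizeof q) != 0) continue;
        const char *a = resolve(q);
        if (a && (!strcmp(z->expect, "any") || !strcmp(z->expect, a))) return z->zone;
    }
    return NULL;
}

/* Constructed stand-in for DNS so the example runs offline. */
const char *fake_resolve(const char *q) {
    if (!strcmp(q, "2.2.0.192.cbl.abuseat.org.")) return "127.0.0.2";
    if (!strcmp(q, "example.invalid.rhsbl.ahbl.org.")) return "127.0.0.3";
    if (!strcmp(q, "example.invalid.abuse.rfc-ignorant.org.")) return "127.0.0.4";
    return NULL;
}
```

With the stub's data, a sender at example.invalid is not matched by rhsbl.ahbl.org. (the stub answers 127.0.0.3, the chain expects 127.0.0.2) but is matched by abuse.rfc-ignorant.org.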



Re: Supporting RBL in mod_smtpd

Posted by Rian Hunter <ri...@MIT.EDU>.
On Aug 19, 2005, at 9:58 AM, Brian J. France wrote:

>
> On Aug 18, 2005, at 6:22 PM, Rian Hunter wrote:
>
>> Don't do this just yet, mod_smtpd is changing completely!  
>> completely = structures/io. I should commit my changes very soon  
>> so you can start working on this.
>>
>
> Any ETA on this?  I will be on a 4 hour flight on Monday and was  
> going to download svn head to play with and try to start building  
> some modules.

Hopefully later today I should have this completely done and checked in.
-rian

Re: Supporting RBL in mod_smtpd

Posted by Rian Hunter <ri...@MIT.EDU>.
On Aug 18, 2005, at 7:11 PM, Jem Berkes wrote:

> Here is my current plan for introducing the RBL support in mod_smtpd, using
> the existing mod_dnsbl_lookup which I posted earlier. This way of
> accomplishing the RBL support should not require any code modification to
> mod_smtpd itself. Nick and Rian, let me know if I should be going about
> this a different way?
>
> I thought the most modular fashion would be to create a mod_smtpd_rbl that
> registers the following mod_smtpd hooks:
> smtpd_run_connect (might deny service to connecting IP, per request_rec)
> smtpd_run_mail (might deny service to this envelope domain, per loc)

+1

> These would query whitelists and blacklists, whatever is available.
>
> I don't mind whipping up this bridging mod_smtpd_rbl module, but if it
> seems excessive to introduce a new module for this purpose then the other
> way of doing this would be to add the RBL supporting code into mod_smtpd
> itself.

Don't do this just yet, mod_smtpd is changing completely! completely  
= structures/io. I should commit my changes very soon so you can  
start working on this.

>
> Either way it's done, RBLs are still not required and mod_dnsbl_lookup does
> not have to be present for mod_smtpd to function normally. However, adding
> a new bridging module has the advantage of leaving mod_smtpd code alone and
> taking advantage of the hooks interface.
>

+1
-rian