Disable list.dnswl.org

dmtinc

Verified User
Joined
May 10, 2008
Messages
153
Location
Chile
Hi Folks,

We are getting phishing emails from IPs presents in this whitelist, so I want to remove this, even if I remove it manually from exim.conf this will be added again on a update, so do you know a way to remove this and dont lose this config on a DA update? I think this have to be an option and not hardcoded...

#EDIT#35:
accept domains = +local_domains
sender_domains = !+blacklist_domains
hosts = !+bad_sender_hosts
hosts = !+bad_sender_hosts_ip
dnslists = list.dnswl.org&0.0.0.2
dnslists = list.dnswl.org!=127.0.0.255
logwrite = $sender_host_address whitelisted in list.dnswl.org

Thanks
Regards
 
the question is how to not loose own custom exim configuration or deletings on updates.
You're mistaken. It is mentioned in the docs ServerHealers is pointing to.

If direct modification of /etc/exim.conf is required and you want to preserve the changes, there are two options:
  • set eximconf to no in options.conf file
    or
  • set immutable bit on /etc/exim.conf with:
    chattr +i /etc/exim.conf
 
You're mistaken. It is mentioned in the docs ServerHealers is pointing to.
the problem with this way exim.conf will never be updated again by custombuild/directadmin, and in past updates of exim this was mandatory for some features or for exim itself.

I'm still for this kind of options as opt-in, because today we getting phishing emails without being checked by rspam or any rule based on a ip whitelisted on dnswl.
 
the problem with this way exim.conf will never be updated again by custombuild/directadmin,
Yes that is an issue with certain changed which have to be made which can not be done via the custom files.
However, if you immute exim.conf and leave the update option to on in the options.conf then it will be easy to update manually by just maken the file accessible again, update and create your change again.

I agree it's not the nicest option. I wonder if it's possible to have some custom file for these kind of things. Or maybe some config file in which you can state "Edit 35=on" (or off) or something like that.

I don't need it at the moment, but you can always try and write feature request for something like this. I guess you might get a bunch of support for it as more people change there exim.conf file.
 
Disabling dnswl from edit #35 is vital, because it doesn't take into account the response from dnswl if you get rate limited. So if you process a lot of email, edit #35 actually causes you to whitelist third parties constantly (IPs which are not even on dnswl, to be clear) which presents a wealth of negative implications and results. Unless you just don't run a busy server, or unless you pay for a subscription with dnswl to avoid rate limiting, the default exim.conf is at best dangerous for your users due to this ACL.

This is why I have scripts that I use to process upgrades. Here's my exim upgrade script: https://github.com/mxroute/da_server_updates/blob/master/exim/update_exim.sh

When a new exim config is put out, I update it, manually re-edit the parts I need, and then push it to my git repo so that I can update the whole fleet properly. It sucks, I hate it, but it works. You have to be on top of it, no way out of it.
 
That's nice. Still.... it would be better if DA could figure something out to remove certain things people don't need, without the need of immuting the exim.conf file.
 
Disabling dnswl from edit #35 is vital, because it doesn't take into account the response from dnswl if you get rate limited. So if you process a lot of email, edit #35 actually causes you to whitelist third parties constantly (IPs which are not even on dnswl, to be clear) which presents a wealth of negative implications and results. Unless you just don't run a busy server, or unless you pay for a subscription with dnswl to avoid rate limiting, the default exim.conf is at best dangerous for your users due to this ACL.

This is why I have scripts that I use to process upgrades. Here's my exim upgrade script: https://github.com/mxroute/da_server_updates/blob/master/exim/update_exim.sh

When a new exim config is put out, I update it, manually re-edit the parts I need, and then push it to my git repo so that I can update the whole fleet properly. It sucks, I hate it, but it works. You have to be on top of it, no way out of it.
Its a functional/dirty way, but in my case with a lots of final clients servers really hard to maintain.

Trying to think in something more general, as now DA maintain CB, and the CB software updates are published with a DA update, a script to change the default config can be combined with the "update_post.sh" hook ( https://docs.directadmin.com/developer/hooks/miscellaneous.html ), but if you execute manually a exim_conf rebuild this hook wont be triggered.

If we check a big part of the actual exim.conf its using the "spamblocker" config of nobaloney(We still miss you) but really needs a update to have a better handle of the mail service today to avoid a "hardcoded" way to work.
 
Hi!

I got the clue, related to https://docs.directadmin.com/custombuild/customize-everything.html and "Starting from version 2369, pre/post hooks were implemented", this hooks are per function, so a hook only for "./build exim_conf" can be created, at my first test:

Code:
mkdir -p /usr/local/directadmin/custombuild/custom/hooks/exim_conf/post

then create a ".sh"(this is mandatory) file in the new dir, in my case postconfig.sh , here is the content:

Code:
#!/bin/sh
sed -i '/#EDIT\#35/,/#EDIT\#36/{//!d}' /etc/exim.conf
service exim restart

Code:
chmod +x /usr/local/directadmin/custombuild/custom/hooks/exim_conf/post/postconfig.sh

The sed command will remove all the content between #EDIT#35 and #EDIT#36, after that the exim service will be restarted, using this method the acl for list.dnswl.org its removed and the modification will be done every time the "./build exim_conf" command is called.

@mxroute may be using this way, you can integrate the modifications that you do to exim manually.
 
Hi!

I got the clue, related to https://docs.directadmin.com/custombuild/customize-everything.html and "Starting from version 2369, pre/post hooks were implemented", this hooks are per function, so a hook only for "./build exim_conf" can be created, at my first test:

Code:
mkdir -p /usr/local/directadmin/custombuild/custom/hooks/exim_conf/post

then create a ".sh"(this is mandatory) file in the new dir, in my case postconfig.sh , here is the content:

Code:
#!/bin/sh
sed -i '/#EDIT\#35/,/#EDIT\#36/{//!d}' /etc/exim.conf
service exim restart

Code:
chmod +x /usr/local/directadmin/custombuild/custom/hooks/exim_conf/post/postconfig.sh

The sed command will remove all the content between #EDIT#35 and #EDIT#36, after that the exim service will be restarted, using this method the acl for list.dnswl.org its removed and the modification will be done every time the "./build exim_conf" command is called.

@mxroute may be using this way, you can integrate the modifications that you do to exim manually.

You're a damn genius. It's simple and elegant.
 
A little update if someone is using rspamd:

For disable list.dnswl.org on rspamd:

Create this file:
/etc/rspamd/local.d/rbl.conf

With this content:

Code:
rbls {
    dnswl {
      enabled = false;
    }

    dnswl_dwl {
      enabled = false;
    }

    "SURBL_MULTI" {
          enabled = false;
    }

    "URIBL_MULTI" {
          enabled = false;
    }

}

Disabling URBL its optional, but this rbl wont works well.

After create the file, you need to restart rspam:

service rspamd restart

or

systemctl restart rspamd
 
Back
Top