FAQ: RBLSMTPD with SYSLOG

+Click to show this topic. What is rblsmtpd anyway?

The rblsmtpd program is a smtp filter that rejects or accepts incoming smtp e-mail based on the IP address of the host that is attempting to deliver the e-mail to your server. The decision to reject the message is based on a query to one or more RBL servers.

+ How do I use rblsmtpd in my server?

Using and installing the original rblsmtpd is beyond the scope of this FAQ. Please see one of the following on how to install and use the rblsmtpd program. Once you have installed and confirmed that it is functional, then you can install this modified version.

http://cr.yp.to/ucspi-tcp/rblsmtpd.html

http://www.flounder.net/qmail/qmail-howto.html#12

http://Web.InfoAve.Net/~dsill/lwq.html

+ Why modify rblsmtpd in the first place?

The current versions of rblsmtpd do not include any logging. The modification was made to allow logging of the rejected e-mails. This can be useful for confirming proper configuration of the installation of rblsmtpd and also for statistical reports (i.e. how many e-mails were rejected per month).

+ What was modified?

The modification is actually quite simple (as in not a lot of code) and elegant (IMHO). Since the IP address, host name and host info were already gathered by tcp_env (required by original rblsmtpd install), all of the information required is readily available. Additionally, since the syslog function of Linux is already being used for many other tasks (including qmail), the solution is to have syslog also log this info. So basically the modification consists of:

  • request the hostid from the tcp_env settings;
  • request the hostinfo from the tcp_env settings;
  • concatenating the IP, hostid and hostinfo into a single string;
  • call syslog with the appropriate log parameters;
  • submit the string to syslog.

Notes:

  • the IP address was requested as part of the original rblsmtpd code;
  • the hostid and hostinfo is not transmitted by every host, so this info may be blank;
  • in order to avoid errors (and make the log easier to understand), blank fields are replaced by '-';
  • the call to syslog is set to priority "LOG_INFO" to be consistent with other mail log entries;
  • the call to syslog is set to facility "LOG_MAIL" to be consistent with other mail log entries;
  • the call to syslog uses 'rblsmtpd' as the process identifier making the log entries easy to identify;
  • use of syslog was specifically chosen to support user specified settings in the syslog.conf file;
  • for more info on priorities, facilities and syslog.conf settings, please refer to the syslog documentation (i.e. man syslog);
  • if syslog.conf does not satisfy specific requirements, all of the syslog settings can be easily changed in the source code.

+ Can I test the binary before installing it?

Yes. It is step 2 of the installation procedure outlined below.

+ How do I run this modified version instead? (aka Installation)

+ Step 1: Download the modified program to your server.

Log into your server as root (if you don't what this means, please ask your system administrator to install this).

Change to 'temporary' directory where we can work without overwriting anything:

cd ~

Download the tarball:

wget http://www.tjsi.com/rblsmtpd/rblsmtpd-syslog.tar.gz

Extract the files from the tarball:

tar -xzf rblsmtpd-syslog.tar.gz

Change to the directory that was created by the command above:

cd rblsmtpd-syslog

Read the documentation for anything important that may not have made it to the FAQ yet!

cat rblsmtpd.txt | more

+ Step 2: Test the binary to see it is compatible with your server.

Run the modified program:

./rblsmtpd

This should result in the 'usage' line shown below:

usage: rblsmtpd [-b][-R][-t timeout][-r base][-v][-a base] smtpd [arg...]

Please take careful notice that the [-v] parameter is included in the message. If not, then the reply is most likely being generated by the existing rblsmtpd program which was triggered because it is in your default path. Please verify that the binary is in the current directory and that it has the correct attributes:

ls -l rblsmtpd

And you should get the following:

-rwxr-xr-x 1 root root 30324 Jun 30 15:12 rblsmtpd

If the access attributes are not -rwxr-xr-x then you will need to do the following:

chmod 755 rblsmtpd

If the user and group are not root root then you will need to do the following:

chown root:root rblsmtpd

If you are unable to get the binary to work on your server, you will have to re-compile the source (see below).

+ Step 3: Replace the existing binary and test.

We will need to get some information about the current system configuration and make some small adjustments.

First it is necessary to know the location of the current rblsmtpd . If you don't already know where it is, you can use the following command to search your drive:

find / -name rblsmtpd

The result should show two files, the current one and the modified version. Write down the path for the original. For the sake of this FAQ, the path below will be used (from RedHat 7.2 with PSA 5.05 RPM):

/usr/sbin/rblsmtpd
/root/rblsmtpd-syslog/rblsmtpd

Next we will copy the original to a back up and then copy the modified version over the original:

cp /usr/sbin/rblsmtpd /usr/sbin/rblsmtpd.original
cp ~/rblsmtpd-syslog/rblsmtpd /usr/sbin/rblsmtpd

Answer "yes" when it asks you to overwrite the file.

Now we are ready to test it. You will want to send a message from an external account to a mailbox on the server and confirm that your server is properly receiving mail, it can take a couple minutes depending on the servers involved. If after about 15 min you do not receive the message, you may need to re-compile the source to get it to work on your server. So, copy the original back and follow the re-compile instructions below. Just FYI, during the short period that the non-working rblsmtpd was in place any incoming mail will be 'delayed' by the server, and it will be re-delivered later (usually within a couple hours, but could be as soon as a couple minutes). So, there should be no lost mail in the event that rblsmtpd didn't work.

+ Step 4: Adjust the command-line parameters and test.

At this point you have successfully installed and tested the modified version of rblsmtpd , but you are still not getting any log entries. This is normal. In order to start the logging you will need to add the -v parameter to the command that calls rblsmtpd each time an incoming message is detected. There are several programs that may be calling rblsmtpd although it is probably inetd (BSD), xinetd (RedHat) or tcpserver (part of ucspi-tcp). Due to the many ways even xinetd could be installed, I will use the following as an example. The theory is the same for all installs, but the file and path names will vary.

The last line in the /etc/xinetd.conf file reads includedir /etc/xinetd.d which causes xinetd to process all of the files in the /etc/xinetd.d/ directory. A listing of that directory reveals a file called smtp_psa so that is the file that needs to be edited in this example. Depending on your setup, your service smtp settings could be in the main xinetd.conf file. We are adding the -v right in front of the RBL server parameters, so you are looking for the same file that you used to install/configure the original rblsmtpd program. Basically, your are looking for something like this:


service smtp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable         = no
    user            = root
    instances       = UNLIMITED
    server          = /var/qmail/bin/tcp-env
    server_args     = /usr/sbin/rblsmtpd -r relays.ordb.org /var/qmail/bin/relaylock
/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true
/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

The last command (wrapped to three lines) is the call to rblsmtpd and we will insert the -v parameter before any -r parameters:


    server_args = /usr/sbin/rblsmtpd -v -t 90 -r relays.ordb.org -r dnsbl.njabl.org -r
bl.spamcop.net -r relays.osirusoft.com -r sbl.spamhaus.org /var/qmail/bin/relaylock
/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true
/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

In the example above I have extended the timeout to 90 seconds (-t parameter) and also included a few additional RBL servers. Note that this is the correct way to use multiple servers.

When you save the file be sure that there is no line-wrap inserted by your editor (not a problem with vi).

Now, you need to give your daemon a kick to make sure it loads the changes. In my case, I use the following to force xinetd to do a 'soft restart':

/etc/rc.d/init.d/xinetd reload

Although the following may work for different configurations:

service xinetd reload

Or using the process id <pid> of the current running daemon:

kill -USR1 <pid>

Please refer to the documentation for the respective daemons to determine the appropriate command.

Finally, we need to test to see that it is working by sending the following two test messages:

echo "test rblsmtpd" | mail -s "test rblsmtpd" nelson-sbl-test@crynwr.com
echo "test rblsmtpd" | mail -s "test rblsmtpd" ask-test-ordb@null.dk

If your root account is setup accordingly, you should get a reply from each of these servers indicating that the message was bounced. But more importantly, you will also be able to confirm the messages got bounced by the log entries. The entries will appear with your other mail entries. In this case it is in the /var/log/maillog so after waiting a couple minuted use the following to see the entries:

grep "rblsmtpd:" /var/log/maillog

+ The binary won't run on my server? (aka How do I re-compile the source?)

This version of rblsmtpd is based on the ucspi-tcp v0.88 source code. In order to re-compile the source code you will need several files from there. To keep things simple, the following instructions will guide you to download, expand, re-compile the original ucspi-tcp files, and if that works, re-compile the modified rblsmtpd .

Since the original ucspi-tcp is known valid code, if you have any problems compiling that, you will need to make the required adjustments to your server before you will be able to compile my source code. Configuring your server to be able to compile programs is beyond the scope of this FAQ. However, you may want to start with the following web site to get help on configuring your server to compile the ucspi-tcp programs (which should be enough to compile the modified rblsmtpd source code):

http://cr.yp.to/ucspi-tcp.html (opens in a new window)

First, we change to our work directory, download the original ucspi-tcp, expand it and change to the directory that was created:

cd ~
wget http://www.tjsi.com/rblsmtpd/ucspi-tcp-0.88.tar.gz
tar -xzf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88

Then compile the original rblsmtpd.c files:

make rblsmtpd

Note: Do not install the ucspi-tcp files (i.e. do not follow the ucspi-tcp instructions to setup or check).

If the files compiled without error swap out the original rblsmtpd.c with the modified one, and re-compile. This time the compile will be much quicker since it will compile just that one file:

cp rblsmtpd.c rblsmtpd.c.bak
cp ~/rblsmtpd-syslog/rblsmtpd.c .
make rblsmtpd

If that compiled without error you should get something like:

./compile rblsmtpd.c
./load rblsmtpd commands.o dns.a time.a unix.a byte.a \
`cat socket.lib`

Now, in order to proceed with the install steps above, we will replace the binary that was downloaded with the newly compiled program:

rm ~/rblsmtpd-syslog/rblsmtpd
cp rblsmtpd ~/rblsmtpd-syslog/rblsmtpd
cd ~/rblsmtpd-syslog

Proceed to verify that everything worked and install the program starting with Step 2 in the install process above.

+ What does the log output look like?

Below are the two test entries generated by the test e-mails sent in Step 4 of the install procedure.

Jun 30 15:13:33 ns1 rblsmtpd: relays.ordb.org blocked 193.111.120.47 ordb-test.null.dk -
Jun 30 15:13:55 ns1 rblsmtpd: relays.osirusoft.com blocked 192.203.178.107 sbl.crynwr.com -

This is what each part represents:

  • Jun 30 15:13:33 : date and time stamp generated by syslog
  • ns1 : local server identification generated by syslog
  • rblsmtpd: : process name specified by modified rblsmtpd
  • relays.ordb.org blocked : RBL server that caused the message to bounce
  • 193.111.120.47 : IP address of the host server attempting to transmit the message
  • ordb-test.null.dk : host ID of the host attempting to transmit (if available)
  • - : host info of the host attempting to transmit (if available)

In the examples above both hosts include their ID but do not include any info when they connect and attempt to transmit the message. You will find that many SPAM servers do not include either the ID or the info. In the event that the ID or info are not submitted, a single hyphen is inserted to allow for easy reporting (i.e. each entry is a fixed number of columns).

Additional notes on log entries:

The rblsmtpd program queries the RBL servers in sequence, and the first server in your list to cause the reject is the only one listed in the log. The program does not query the remaining RBL servers if it has already decided to bounce the message. Additionally, since it can take up to 60 seconds (default setting) for each RBL to reply or time-out, having many RBL servers could cause significant delays should one or more of the RBL servers be unavailable. Therefore I strongly suggest that you initially watch your logs to see which of the RBLs you are using tends to reject the most messages, and place that one FIRST in the list of RBLs. That way, the decision to reject the message will most often occur based on the first query, speeding up the mail delivery process.

If relaying is allowed on your server (not advised), all messages received directly from the mail client is also put through the RBL tests (it is just another smtp connection as far as the server is concerned). So, if your clients/users start to complain about excessively long smtp delays, or possibly even time-outs, you may need to remove one or more of the RBL servers.

+ Miscelaneous (Links, To Do, Legalese, Donations)

+ Links & References

Below are some links related to this modification that may be of interest (all links open in a new window):

http://cr.yp.to/ucspi-tcp.html: source which the modification was based on.

http://forum.plesk.com/...: thread regarding this modification at the Plesk PSA Forums.

http://ns.at.com.au/rblsmtpd-with-log.tar.gz: an additional modification that logs only the IP to a specific log file.

http://forum.plesk.com/...: thread regarding the modification indicated above.

+ Still to do!

There are two things that I still need to do to this code...

1) UPDATE: There seems to be a problem running the 'rss' patched code from within certain 'wrappers' like xinetd. And, since I happen to be running xinted, I am unable to test if the 'rss' patch has been successfully implemented in a working environment (although it 'tests' just fine running on a local machine). Additionally, since I don't know of any IP's in the RBLs that do not have 'text' entries, I can't test if it is actually working either way. Curently laid a trap for a non-text IP to hit my server... As soon as I catch one I will be able to test the new code and get it out!

2) UPDATE: Successfully added the 'To' and 'From' fields to the log entries -- will be released as soon as I can get the 'rss' issues resolved.

If you happen to know of any IP addresses that are in an RBL without a 'text' record, please contact me via the e-mail address found in the rblsmtpd-syslog files (source or documentation). I am not including the address in this post only because I already get enough spam as it is! ;-)

+ Legalese and Donations

Please read the comments in the source code or the documentation for the full disclaimer of liability.

Basically, use at your own risk. I do not make any guaranties whatsoever, that this will work for you.

This modification is free software. Permission to use, copy, modify and distribute this software for any purpose with or without fee is hereby granted, provided that the copyright notice and the permission notice appear in all copies.

However, if you would like to encourage me to continue 'customizing' software to better fit your needs, a donation is gladly accepted via PayPal using the link below. The amount of your donation is at your discretion. I will gladly reference (read advertise) any major contributors in this section of the FAQ. As you can see, no major donations to date! :-(

© 2003 T.J. Systems, Inc.