Plesk and RBL checking versus SMTP Authentication
A couple of weeks ago at work, an argument over which RBLs should be used with Plesk came up. I had always assumed that Plesk’s qmail setup would allow authenticated users regardless of any RBL results. If that were the case, then using zen.spamhaus.org wouldn’t pose any problem to mail users on a residential Internet service. I was wrong, but I wanted to sort out why and what options were available.
To begin, I set up the necessary DNS records for a test blacklist containing my laptop’s IP, 10.20.50.40.
40.50.20.10.rugmonster.org. 600 IN A 127.0.0.2
40.50.20.10.rugmonster.org. 600 IN TXT "go away"
Using a VM running CentOS 5.3 with Plesk 8.6, I set up rugmonster.org as a DNSBL for incoming mail. I connected to TCP port 25 on the VM using telnet to simulate an SMTP exchange.
1. rblsmtpd: 10.20.50.40 pid 8586: 451 go away
2. 220 rblsmtpd.local
3. EHLO daniel-nb.home
4. 250 rblsmtpd.local
5. AUTH PLAIN AGRhbmllbEBwbGVzazg2LmhvbWUAcGFzc3dvcmQ=
6. 451 go away
[1-2] Initial server response
[3] I send the required client identification
[4] Server responds, but doesn’t give any service extensions
[5] I tried to authenticate
[6] And the server
Once I looked at /etc/xinetd.d/smtp_psa, I realized why this was happening.
server_args = -Rt0 /usr/sbin/rblsmtpd -r rugmonster.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
When the SMTP connection is made, rblsmtpd is handed the connection and does its DNSBL checking. It’s then responsible for either executing the next program (relaylock) if there’s no match, or handling the connection itself if it does find a match. It was rblsmtpd, not qmail-smtpd, that I was interacting with above, and rblsmtpd has no way of handling authentication.
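The check below is an added example, not part of the original post or of Plesk: it reads the server_args line quoted above, pulls out the rblsmtpd zones, and reports whether a client would be answered by rblsmtpd before qmail-smtpd (and therefore AUTH) is ever reached. The function names are hypothetical, only the "-r zone" form of the option is handled, and DNS is replaced by a constructed dictionary holding the test TXT record so that it runs offline.

```python
import shlex

# The server_args line from /etc/xinetd.d/smtp_psa quoted above.
SERVER_ARGS = ("server_args = -Rt0 /usr/sbin/rblsmtpd -r rugmonster.org "
               "/var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd "
               "/var/qmail/bin/smtp_auth /var/qmail/bin/true "
               "/var/qmail/bin/cmd5checkpw /var/qmail/bin/true")

# Constructed stand-in for DNS: the test TXT record created for this post.
TEST_ZONE = {"40.50.20.10.rugmonster.org": "go away"}

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets in reverse order, then the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def audit_server_args(line):
    """Find rblsmtpd's -r zones and whether it runs ahead of qmail-smtpd."""
    args = shlex.split(line.split("=", 1)[1])
    names = [a.rsplit("/", 1)[-1] for a in args]   # program basenames
    if "rblsmtpd" not in names:
        return {"zones": [], "rbl_before_auth": False}
    rbl = names.index("rblsmtpd")
    smtpd = names.index("qmail-smtpd") if "qmail-smtpd" in names else len(names)
    stage = args[rbl + 1:smtpd]                    # rblsmtpd options + wrappers
    zones = [stage[i + 1] for i, a in enumerate(stage[:-1]) if a == "-r"]
    return {"zones": zones, "rbl_before_auth": bool(zones) and rbl < smtpd}

def connection_outcome(client_ip, line, resolve):
    """Who answers the client: rblsmtpd (no AUTH) or qmail-smtpd?"""
    audit = audit_server_args(line)
    for zone in audit["zones"]:
        # A listed address is rejected here, before any AUTH can be offered.
        if resolve(dnsbl_query_name(client_ip, zone)) is not None:
            return "rejected-before-auth"
    return "passed-to-qmail-smtpd"

if __name__ == "__main__":
    print(audit_server_args(SERVER_ARGS))
    for ip in ("10.20.50.40", "10.20.50.41"):
        print(ip, connection_outcome(ip, SERVER_ARGS, TEST_ZONE.get))
```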
I did find that you can patch qmail to use plugins thanks to qmail-spp and the . This solution would require qmail’s source to be patched and a custom compile done, which makes upgrading in the future much more complicated.
I also found spamdyke, “a drop-in connection-time filter for qmail…[that] does not require patching or recompiling qmail.” I also found a HOWTO for installing spamdyke and integrating it with Plesk. While I haven’t tried it, from what I saw on their site, spamdyke would be a great tool to ensure users can send mail properly while keeping spam out.
Finally, Plesk 9.x has included Postfix, which has no problem handling this sort of situation out of the box. I am making another assumption though, since I haven’t tested Plesk 9.x with Postfix yet. I’ve heard that Parallels hasn’t done the best job with bringing Postfix into the mix. At work, there are only a handful of clients running Plesk 9, and Plesk 9.2.x seems to be less problematic than the 9.0.x releases, but I’m not giving any recommendations to upgrade yet.