Version: 1.10

Realtime Blackhole Lists

This is the rbl feature. It checks a remote client IP address against a set of configured RBL lists. The lists are queried simultaneously. Each list may carry a weight parameter, which is added to a running total. If that total crosses the threshold, the feature returns immediately with a client reject.

Configuration Options

realtime_blackhole_lists::lists

Default: empty list

This section defines one or more RBL lists. An RBL list requires the following fields:

| Field name | Description |
|---|---|
| name | Example RBL name |
| rbl | Domain part that is appended to the reversed IP address. Since v1.10.7 a trailing dot is allowed (FQDN) to prevent search domains from being appended by the resolver. |
| ipv4 | Boolean that enables the list for IPv4 support |
| ipv6 | Boolean that enables the list for IPv6 support |
| return_code | Expected DNS return code, if an IP address was listed |
| allow_failure | Return a temporary failure, if a DNS lookup to the given list failed (not NXDOMAIN errors!) |
| weight | This value defines the weight for the given RBL list. See the threshold description for the meaning |

The weight value may be negative.

tip

The suggested weight value should be between -255 and 255. A negative weight turns the list into a whitelist.

realtime_blackhole_lists::threshold

Default: 0

The threshold parameter defines an absolute value that tells Nauthilus when to abort further list lookups. If the sum of all weights is above the threshold value, the feature triggers an immediate client reject.

realtime_blackhole_lists::ip_whitelist

Default: empty list

You can define IPv4 and IPv6 addresses with a CIDR mask to whitelist clients from this feature. If a client is found on this list, the feature is not applied while processing the authentication request.

realtime_blackhole_lists:
  ip_whitelist:
    - 127.0.0.0/8
    - ::1
    - 192.168.0.0/16
    - 172.16.0.0/12
    - 10.0.0.0/8
    - fd00::/8
    - 169.254.0.0/16
    - fe80::/10

Example Configuration

realtime_blackhole_lists:
  threshold: 10

  lists:
    - name: SpamRats AuthBL
      rbl: auth.spamrats.com.
      ipv4: true
      ipv6: true
      return_code: 127.0.0.43
      weight: 10

    - name: AbusiX AuthBL
      rbl: YOUR-API-KEY.authbl.mail.abusix.zone.
      ipv4: true
      ipv6: true
      return_code: 127.0.0.4
      weight: 10

  ip_whitelist:
    - 127.0.0.0/8
    - ::1
    - 192.168.0.0/16
    - 172.16.0.0/12
    - 10.0.0.0/8
    - fd00::/8
    - 169.254.0.0/16
    - fe80::/10

note

New in v1.10.7: Hostnames in the RBL configuration may include a trailing dot (for example, "auth.spamrats.com."). This avoids automatic appending of search domains configured in /etc/resolv.conf.
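
The following sketch is an added example, not Nauthilus source code: it shows how a query name is built from the reversed client IP and the rbl zone, and how matching return codes are summed by weight and compared with the threshold. The names RBL, QueryName and Score are hypothetical, IPv6 uses the usual nibble-reversed DNSBL form, and the comparison is strict ("above") following the wording of the threshold description. Lookups run sequentially here, and the ipv4, ipv6 and allow_failure fields are left out to keep the example short.

```go
package main

import (
	"fmt"
	"net"
)

// RBL mirrors three of the documented list fields; the Go type is hypothetical.
type RBL struct {
	Zone, ReturnCode string
	Weight           int
}

// QueryName prepends the reversed IP (octets for IPv4, nibbles for IPv6) to the zone.
func QueryName(ip net.IP, zone string) string {
	name := zone
	if v4 := ip.To4(); v4 != nil {
		for _, b := range v4 {
			name = fmt.Sprintf("%d.%s", b, name)
		}
		return name
	}
	for _, b := range ip.To16() {
		name = fmt.Sprintf("%x.%x.%s", b&0x0f, b>>4, name)
	}
	return name
}

// Score sums the weights of lists answering with their return_code; lookup matches net.LookupHost.
func Score(ip net.IP, lists []RBL, threshold int, lookup func(string) ([]string, error)) (int, bool) {
	total := 0
	for _, l := range lists {
		addrs, _ := lookup(QueryName(ip, l.Zone)) // any error counts as "not listed" in this sketch
		for _, a := range addrs {
			if a == l.ReturnCode {
				total += l.Weight
				break
			}
		}
	}
	return total, total > threshold
}

func main() {
	// Constructed answers standing in for DNS; 192.0.2.1 is a documentation address.
	dns := map[string][]string{"1.2.0.192.auth.spamrats.com.": {"127.0.0.43"}}
	lists := []RBL{{"auth.spamrats.com.", "127.0.0.43", 10}}
	fmt.Println(Score(net.ParseIP("192.0.2.1"), lists, 10, func(n string) ([]string, error) { return dns[n], nil }))
}
```

Passing net.LookupHost as the lookup argument performs real DNS queries; the trailing dot on the zone keeps the resolver from appending search domains, as the note above describes.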