RBL Control
The RBL control checks the client IP address against configured DNS blocklists. It is configured under auth.controls.rbl and enabled via auth.controls.enabled.
auth:
  controls:
    enabled:
      - rbl
Main Paths
- auth.controls.rbl.threshold
- auth.controls.rbl.lists
- auth.controls.rbl.ip_allowlist
Example
auth:
  controls:
    enabled:
      - rbl
    rbl:
      threshold: 10
      lists:
        - name: "SpamRats AuthBL"
          rbl: "auth.spamrats.com."
          ipv4: true
          ipv6: true
          return_codes:
            - "127.0.0.43"
          allow_failure: false
          weight: 10
        - name: "Abusix"
          rbl: "YOUR-API-KEY.authbl.mail.abusix.zone."
          ipv4: true
          ipv6: true
          return_codes:
            - "127.0.0.4"
          allow_failure: false
          weight: 10
      ip_allowlist:
        - 127.0.0.0/8
        - ::1
        - 192.168.0.0/16
        - 10.0.0.0/8
Notes
- return_codes is the canonical list field.
- ip_allowlist is the canonical allowlist field.
- hostnames may include a trailing dot to force a fully qualified DNS name.
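How a configured list entry turns into a DNS query and a score, as an added Go example that is not taken from the Nauthilus code base. It assumes the score is the sum of the weights of lists whose answer matches a return_codes entry and that the threshold is reached when score >= threshold; List, QueryName, Score and the stubbed lookup are hypothetical names, and the DNS answer is constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

// List holds the fields of one auth.controls.rbl.lists entry used here.
type List struct {
	Zone        string   // rbl
	ReturnCodes []string // return_codes
	Weight      int      // weight
}

// QueryName builds the DNSBL owner name (RFC 5782): reversed octets for IPv4,
// reversed nibbles for IPv6, followed by the list zone.
func QueryName(ip netip.Addr, zone string) string {
	var parts []string
	if ip = ip.Unmap(); ip.Is4() {
		for _, b := range ip.As4() {
			parts = append([]string{fmt.Sprint(b)}, parts...)
		}
	} else {
		for _, b := range ip.As16() {
			parts = append([]string{fmt.Sprintf("%x", b&0xf), fmt.Sprintf("%x", b>>4)}, parts...)
		}
	}
	return strings.Join(parts, ".") + "." + zone
}

// Score adds the weight of every list whose answer contains one of its return
// codes (assumed semantics). lookup is injected, so no DNS query is sent here.
func Score(ip netip.Addr, lists []List, threshold int, lookup func(string) []string) (score int, reached bool) {
	for _, l := range lists {
		hit := func(a string) bool { return slices.Contains(l.ReturnCodes, a) }
		if slices.ContainsFunc(lookup(QueryName(ip, l.Zone)), hit) {
			score += l.Weight
		}
	}
	return score, score >= threshold
}

func main() {
	// Constructed answer: the documentation address is "listed" on this zone.
	fake := func(q string) []string { return map[string][]string{"25.2.0.192.auth.spamrats.com.": {"127.0.0.43"}}[q] }
	lists := []List{{"auth.spamrats.com.", []string{"127.0.0.43"}, 10}}
	fmt.Println(Score(netip.MustParseAddr("192.0.2.25"), lists, 10, fake))
}
```

An answer that is not in return_codes leaves the score unchanged, which is why each list's return codes should match what that provider documents for the zone.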
Policy Attributes
When builtin.rbl is part of auth.policy.checks, Nauthilus exports aggregate RBL facts and generated per-list facts.
Aggregate attributes include:
- auth.rbl.threshold_reached
- auth.rbl.score
- auth.rbl.threshold
- auth.rbl.matched_count
- auth.rbl.matched_lists
- auth.rbl.list_count
- auth.rbl.allow_failure_error_count
- auth.rbl.effective_error
- auth.rbl.soft_allowlisted
- auth.rbl.ip_allowlisted
- auth.rbl.error
For each configured list, the list name is normalized into a policy-safe identifier segment and these attributes are registered:
- auth.rbl.list.<list>.listed
- auth.rbl.list.<list>.weight
- auth.rbl.list.<list>.error
- auth.rbl.list.<list>.allow_failure
Example: SpamRats AuthBL becomes spamrats_authbl, so the match attribute is auth.rbl.list.spamrats_authbl.listed.
If two RBL list names normalize to the same identifier, the policy snapshot fails validation. For policy examples, see Auth Policy Configuration Guide.