ClearFoundation Tracker - ClearOS
View Issue Details
0008911 | ClearOS | spamassassin | public | 2016-05-27 07:36 | 2019-06-06 06:02
NickH 
 
normal | minor | always
closed | no change required
6.7.0 
 
0008911: Certain spamassassin checks fail because clearos uses dnsmasq for DNS resolution
Certain spamassassin (SA) checks fail because ClearOS uses dnsmasq for DNS resolution. These are the X-Spam-Status messages URIBL_BLOCKED=0.001. They occur because the SA DNS RBL checks are sent via dnsmasq to your external DNS provider (ISP or public) and look, to the RBL, as if they come from your DNS provider and not from you. The daily free quota of RBL checks from a single source gets rapidly used up if you use an external DNS provider and the likelihood is they will fail.

To mitigate the problem you need to run your own DNS recursive resolver, at least for spamassassin. This can be done in one of three ways:

1 - Install your chosen resolver (unbound, BIND, PowerDNS etc., but preferably simple to configure). Configure it to listen on localhost:1053 and add the following line to /etc/mail/spamassassin/local.cf:
dns_server [127.0.0.1]:1053
This is the simplest case and uses your chosen resolver for spamassassin only.

2 - Install the chosen resolver as above, but don't change /etc/mail/spamassassin/local.cf. Then point dnsmasq to your chosen resolver by adding the following to /etc/dnsmasq.conf:
no-resolv
server=127.0.0.1#1053
This means dnsmasq uses your chosen resolver as its upstream resolver. No further changes are needed to ClearOS.

3 - Remove dnsmasq DNS resolution capability by adding cache-size=0 to /etc/dnsmasq.conf and install your chosen DNS resolver without restricting its listening IP and port. This is the trickiest one as the webconfig is a bit tied into dnsmasq with the hosts file. dnsmasq would still be needed to handle DHCP.

This is not a magic bullet as you can still exceed your free limit of lookups even on a modest volume of e-mails, but now you get the possibility of subscribing to the RBL you want as DNS lookups will appear to come from you.
No tags attached.
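
Added example (not part of the original report or of ClearOS): a small check that reads the text of /etc/dnsmasq.conf and /etc/mail/spamassassin/local.cf and reports whether spamassassin's lookups reach a local recursive resolver as in option 1 or option 2 above. It assumes dnsmasq answers on port 53 and that the local resolver listens on a different loopback port; the function names and sample configs are constructed for illustration.

```python
import re

# Loopback endpoint in SA form "[127.0.0.1]:1053" or dnsmasq form "127.0.0.1#1053".
ENDPOINT = re.compile(r"^\[?(127(?:\.\d+){3})\]?(?:[#:](\d+))?$")

def parse(text):
    """Return (key, value) pairs from dnsmasq.conf or local.cf text."""
    out = []
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace,
        # so the port separator in server=127.0.0.1#1053 is preserved.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            parts = line.replace("=", " ", 1).split(None, 1)
            out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out

def local_port(addr):
    """Port of a loopback endpoint (default 53), or None if not loopback."""
    m = ENDPOINT.match(addr)
    return int(m.group(2) or 53) if m else None

def sa_lookup_path(dnsmasq_conf, local_cf):
    """Classify where spamassassin's RBL queries are resolved."""
    sa = [local_port(v) for k, v in parse(local_cf) if k == "dns_server"]
    if any(p is None for p in sa):
        return "remote-dns-server"            # SA pinned to a non-loopback server
    if sa and all(p != 53 for p in sa):
        return "own-resolver-direct"          # option 1
    # Otherwise SA asks the system resolver, assumed to be dnsmasq on port 53.
    dm = parse(dnsmasq_conf)
    ups = [local_port(v) for k, v in dm if k == "server"]
    # Without no-resolv, dnsmasq also forwards to the servers in resolv.conf.
    if ("no-resolv", "") in dm and ups and all(p not in (None, 53) for p in ups):
        return "own-resolver-via-dnsmasq"     # option 2
    return "shared-forwarder"                 # RBL sees the ISP/public resolver

# Constructed sample configurations.
DEFAULT_DNSMASQ = "# stock config\ndomain-needed\n"
DEFAULT_SA = "required_score 5.0\n"
OPTION1_SA = DEFAULT_SA + "dns_server [127.0.0.1]:1053\n"
OPTION2_DNSMASQ = DEFAULT_DNSMASQ + "no-resolv\nserver=127.0.0.1#1053  # local resolver\n"

if __name__ == "__main__":
    print(sa_lookup_path(DEFAULT_DNSMASQ, DEFAULT_SA))
    print(sa_lookup_path(DEFAULT_DNSMASQ, OPTION1_SA))
    print(sa_lookup_path(OPTION2_DNSMASQ, DEFAULT_SA))
```

A result of "shared-forwarder" is the configuration in which URIBL_BLOCKED hits are expected, because the RBL sees the upstream provider's address rather than yours.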
Issue History
2016-05-27 07:36 | NickH | New Issue
2016-06-09 10:02 | user2 | Status | new => confirmed
2016-06-09 10:02 | user2 | Target Version | => 7.2.0 Updates
2016-07-07 12:54 | user2 | Target Version | 7.2.0 Updates => 7.3.0 Beta 1
2016-11-16 09:12 | user2 | Target Version | 7.3.0 Beta 1 => 7.3.0 Beta 1
2016-11-16 09:19 | user2 | Target Version | 7.3.0 Beta 1 =>
2019-06-06 06:02 | NickH | Note Added: 0012101
2019-06-06 06:02 | NickH | Status | confirmed => closed
2019-06-06 06:02 | NickH | Resolution | open => no change required

Notes
(0012101)
NickH   
2019-06-06 06:02   
Only an issue with manually configured rules