ClearOS Bug Tracker


View Issue Details
ID: 0008911
Project: ClearOS
Category: spamassassin
View Status: public
Date Submitted: 2016-05-27 07:36
Last Update: 2019-06-06 06:02
Reporter: NickH
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Platform:
OS:
OS Version:
Product Version: 6.7.0
Target Version:
Fixed in Version:
Summary: 0008911: Certain spamassassin checks fail because clearos uses dnsmasq for DNS resolution
Description: Certain spamassassin (SA) checks fail because clearos uses dnsmasq for DNS resolution. These are the X-Spam-Status messages URIBL_BLOCKED=0.001. They occur because the SA DNS RBL checks are sent via dnsmasq to your external DNS provider (ISP or public) and look, to the RBL, as if they come from your DNS provider and not from you. The daily free quota of RBL checks from a single source gets rapidly used up if you use an external DNS provider and the likelihood is they will fail.

To mitigate the problem you need to run your own DNS recursive resolver, at least for spamassassin. This can be done in one of three ways:

1 - Install your chosen resolver (unbound, BIND, PowerDNS etc., but preferably simple to configure). Configure it to listen on localhost:1053 and add the following line to /etc/mail/spamassassin/local.cf:
dns_server [127.0.0.1]:1053
This is the simplest case and uses your chosen resolver for spamassassin only.

2 - Install the chosen resolver as above, but don't change /etc/mail/spamassassin/local.cf. Then point dnsmasq to your chosen resolver by adding the following to /etc/dnsmasq.conf:
no-resolv
server=127.0.0.1#1053
This means dnsmasq uses your chosen resolver as its upstream resolver. No further changes are needed to ClearOS.

3 - Remove dnsmasq DNS resolution capability by adding cache-size=0 to /etc/dnsmasq.conf and install your chosen DNS resolver without restricting its listening IP and port. This is the trickiest one as the webconfig is a bit tied into dnsmasq with the hosts file. dnsmasq would still be needed to handle DHCP.

This is not a magic bullet as you can still exceed your free limit of lookups even on a modest volume of e-mails, but now you get the possibility of subscribing to the RBL you want as DNS lookups will appear to come from you.
Tags: No tags attached.
Attached Files
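
An added example, not part of the original report or of ClearOS: a Python check that counts how many scanned messages carry URIBL_BLOCKED in X-Spam-Status, so the problem described above can be measured before and after switching resolvers. The sample messages, scores and function names are constructed, and the two header layouts handled (bracketed name=score list, plain comma-separated list) are assumptions about how the header is written on a given system.

```python
import re
from email import message_from_string

# Constructed sample messages, not taken from the report. The first uses the
# bracketed name=score list matching the "URIBL_BLOCKED=0.001" form quoted in
# the description; the second uses a plain list folded across two lines.
SAMPLES = [
    "X-Spam-Status: No, score=-1.899 required=5\n"
    "\ttests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham\n"
    "Subject: constructed 1\n\nbody\n",
    "X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE,\n"
    "\tURIBL_BLOCKED autolearn=no\n"
    "Subject: constructed 2\n\nbody\n",
    "X-Spam-Status: Yes, score=7.2 required=5\n"
    "\ttests=[BAYES_99=3.5, URIBL_BLACK=1.7, HTML_MESSAGE=2.0]\n"
    "Subject: constructed 3\n\nbody\n",
    "Subject: constructed 4, never scanned\n\nbody\n",
]


def spam_tests(raw_message):
    """Return {rule: score or None} from X-Spam-Status, or None if absent."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    # Folded headers break after commas; drop that whitespace so the
    # test list becomes a single whitespace-free token.
    header = re.sub(r",\s+", ",", str(header))
    match = re.search(r"tests=\[?([^\]\s]*)", header)
    tests = {}
    for item in (match.group(1).split(",") if match else []):
        name, _, score = item.partition("=")
        if name and name != "none":  # "tests=none" means no rule hit
            tests[name] = float(score) if score else None
    return tests


def blocked_summary(messages, rule="URIBL_BLOCKED"):
    """Count scanned messages and those where the given rule fired."""
    scanned = [t for t in map(spam_tests, messages) if t is not None]
    blocked = sum(1 for t in scanned if rule in t)
    ratio = blocked / len(scanned) if scanned else 0.0
    return {"scanned": len(scanned), "blocked": blocked, "ratio": ratio}


if __name__ == "__main__":
    print(blocked_summary(SAMPLES))
```

A ratio that stays high after moving spamassassin to a local recursive resolver suggests the lookups are still leaving through a shared upstream DNS provider.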

- Relationships

-  Notes
(0012101)
NickH (developer)
2019-06-06 06:02

Only an issue with manually configured rules

- Issue History
Date Modified Username Field Change
2016-05-27 07:36 NickH New Issue
2016-06-09 10:02 user2 Status new => confirmed
2016-06-09 10:02 user2 Target Version => 7.2.0 Updates
2016-07-07 12:54 user2 Target Version 7.2.0 Updates => 7.3.0 Beta 1
2016-11-16 09:12 user2 Target Version 7.3.0 Beta 1 => 7.3.0 Beta 1
2016-11-16 09:19 user2 Target Version 7.3.0 Beta 1 =>
2019-06-06 06:02 NickH Note Added: 0012101
2019-06-06 06:02 NickH Status confirmed => closed
2019-06-06 06:02 NickH Resolution open => no change required