mod-bwl : Valvula blacklisting module

Introduction

mod-bwl is a handy module that allows implementing blacklisting rules that are based on source and destination at the same time. As opposed postfix which implements only source OR destination rules. This allow implementing rules that accept (whitelist) or blocks (blacklist) traffic for certain domains or even certain accounts.

At the same time, mod-bwl implement different blocking/whitelist levels (global, domain and account). This way, domain administrators and end users can administrate their own set of rules without affecting other domain and accounts. This allows:

The module also uses valvula support to detect local users and local domains to make better decisions while handling requests received. These includes:

The module also support blocking SASL users. This allows to have a working account but temporally/permanently blocked.

How mod-bwl works

The module install three tables to handle different levels of blacklists and whitelists. They are applied in the following order and each one takes precedence:

If no rule "reject"s or "discard"s the message, the request is let to continue to the next module configure (by reporting internally DUNNO).

mod-bwl How rules are differenciated (whitelists and blacklists)

Now, whitelists and blacklists are differenciated through the status field in every table (we will see examples later):

mod-bwl How to block SASL users

To block an account, use the following SQL to update valvula database:

INSERT INTO bwl_global_sasl (is_active, sasl_user) VALUES ('1', 'certain.user@domain.com');

mod-bwl Rules examples

To block a certain user from receiving any traffic (outgoing) globally run use the following SQL:

-- Block * -> certain.user@domain.com
INSERT INTO bwl_global (is_active, destination, status) VALUES ('1', 'certain.user@domain.com', 'reject')

To block a certain user from receiving traffic from a particular user globally run use the following SQL:

-- Block anotheruser@anotherdomanin.com -> certain.user@domain.com
INSERT INTO bwl_global (is_active, source, destination, status) VALUES ('1', 'anotheruser@anotherdomain.com', 'certain.user@domain.com', 'reject')

To block globally generic accounts webmaster@ without considering destination domain use:

-- Block * -> webmaster@*
INSERT INTO bwl_global (is_active, destination, status) VALUES ('1', 'webmaster@', 'reject')