mod-bwl : Valvula blacklisting module

mod-bwl Introduction

mod-bwl is a handy module that allows implementing blacklisting rules that are based on source and destination at the same time, as opposed to postfix, which implements only source OR destination rules. This allows implementing rules that accept (whitelist) or block (blacklist) traffic for certain domains or even certain accounts.

At the same time, mod-bwl implements different blocking/whitelisting levels (global, domain and account). This way, domain administrators and end users can administer their own set of rules without affecting other domains and accounts. This allows:

The module also uses valvula support to detect local users and local domains to make better decisions while handling the requests received. These include:

The module also supports blocking SASL users. This makes it possible to have a working account that is temporarily or permanently blocked.

How mod-bwl works

The module installs three tables to handle different levels of blacklists and whitelists. They are applied in the following order and each one takes precedence:

If no rule "reject"s or "discard"s the message, the request is allowed to continue to the next configured module (by internally reporting DUNNO).

mod-bwl How rules are differentiated (whitelists and blacklists)

Now, whitelists and blacklists are differentiated through the status field in every table (we will see examples later):

mod-bwl How to block SASL users

To block an account, use the following SQL to update the valvula database:

INSERT INTO bwl_global_sasl (is_active, sasl_user) VALUES ('1', 'certain.user@domain.com');

mod-bwl Rules examples

To block a certain user from receiving any traffic (outgoing) globally, use the following SQL:

-- Block * -> certain.user@domain.com
INSERT INTO bwl_global (is_active, destination, status) VALUES ('1', 'certain.user@domain.com', 'reject');

To block a certain user from receiving traffic from a particular user globally, use the following SQL:

-- Block anotheruser@anotherdomain.com -> certain.user@domain.com
INSERT INTO bwl_global (is_active, source, destination, status) VALUES ('1', 'anotheruser@anotherdomain.com', 'certain.user@domain.com', 'reject');

To globally block generic accounts such as webmaster@, regardless of the destination domain, use:

-- Block * -> webmaster@*
INSERT INTO bwl_global (is_active, destination, status) VALUES ('1', 'webmaster@', 'reject');

You can also block generic top-level domains at the global, domain or account level, like:

-- Block all .top domains *.top -> *
-- Block all .us domains *.us -> *
INSERT INTO bwl_global (is_active, source, status) VALUES ('1', 'top', 'reject');
INSERT INTO bwl_global (is_active, source, status) VALUES ('1', 'us', 'reject');

mod-bwl Support to deny unknown accounts attempting to deliver to known local accounts (deny-unknown-local-mail-from)

mod-bwl includes a protection, enabled by default, that denies spoofed mail-from accounts for valid local domains when they target valid local addresses.

A typical example is a forged account like:

Sep 6 04:41:19 mailserver02 valvulad[21581]: info: DUNNO: VoiceMessage@asplhosting.com -> info@asplhosting.com (sasl_user=), port 3579, rcpt count=0, queue-id , from 11X.Y.Z.W1, no-tls

In this case, info@asplhosting.com exists, but VoiceMessage@asplhosting.com doesn't.

For such situations, if you enable mod-bwl, it will activate the deny-unknown-local-mail-from protection by default, rejecting this account.

Of course, you still have the choice to configure an exception using regular bwl rules (with this module), to make the remote software use a valid mail account as mail-from, or to create such an account.

The protection provided by deny-unknown-local-mail-from does not apply to authenticated users. In such situations you must use mod-bwl rules, or mod-slm to track and control send operations.
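
To see which senders the deny-unknown-local-mail-from condition described above would catch before enabling mod-bwl, the following added example (not Valvula's own code) audits valvulad request lines in the format of the sample log entry. The account and domain sets, the helper names and the sample lines are constructed assumptions; the real module relies on valvula's own local user and domain detection.

```python
import re

# Request lines shaped like the sample entry above:
#   "<STATUS>: <mail-from> -> <rcpt> (sasl_user=<user>), port ..."
LINE_RE = re.compile(
    r"valvulad\[\d+\]: info: (?P<status>[A-Z]+): "
    r"(?P<mail_from>\S*) -> (?P<rcpt>\S+) \(sasl_user=(?P<sasl>[^)]*)\)"
)

# Constructed inventory (assumption): in production, load these from the
# mail server's own domain and account tables.
LOCAL_DOMAINS = {"asplhosting.com"}
LOCAL_ACCOUNTS = {"info@asplhosting.com", "sales@asplhosting.com"}


def is_spoofed_local_sender(mail_from, rcpt, sasl_user):
    """True for an unauthenticated request whose mail-from is in a local
    domain but is not a real account, and whose target is a real account."""
    if sasl_user:  # the protection does not apply to authenticated users
        return False
    sender, target = mail_from.lower(), rcpt.lower()
    domain = sender.rpartition("@")[2]
    return (domain in LOCAL_DOMAINS
            and sender not in LOCAL_ACCOUNTS
            and target in LOCAL_ACCOUNTS)


def audit(lines):
    """Return (mail_from, rcpt) pairs that match the protection's condition."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and is_spoofed_local_sender(m["mail_from"], m["rcpt"], m["sasl"]):
            hits.append((m["mail_from"], m["rcpt"]))
    return hits


# Constructed sample lines; the first mirrors the log entry shown above.
_PFX = "Sep 6 04:41:19 mailserver02 valvulad[21581]: info: DUNNO: "
_SFX = ", port 3579, rcpt count=0, queue-id , from 192.0.2.10, no-tls"
SAMPLE_LOG = [
    _PFX + "VoiceMessage@asplhosting.com -> info@asplhosting.com (sasl_user=)" + _SFX,
    _PFX + "sales@asplhosting.com -> info@asplhosting.com (sasl_user=)" + _SFX,
    _PFX + "alias@asplhosting.com -> info@asplhosting.com (sasl_user=sales@asplhosting.com)" + _SFX,
    _PFX + "someone@example.org -> info@asplhosting.com (sasl_user=)" + _SFX,
    _PFX + "ghost@asplhosting.com -> someone@example.org (sasl_user=)" + _SFX,
]

if __name__ == "__main__":
    for sender, rcpt in audit(SAMPLE_LOG):
        print(f"would be rejected: {sender} -> {rcpt}")
```

Senders reported here that belong to legitimate remote software need an exception rule, a valid mail-from or a real account before the protection is turned on.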