Wednesday, October 5, 2016

How do I white list certain IP’s so that they pass my DNSBL checks?

Answer

Yes.
In order to do this, you will need set up your own DNSBL server and use this as an exception list, set this server as the first server in the list and set the action to allow the mail through.
To do this, follow these steps:
  1. Create a new zone on your DNS server (like whitelist.your.domain)
  2. Create an A record for the new zone to point at your DNS server: Whitelist.your.domain IN A x.x.x.x
    This is required as the mail server will use this name to connect to the DNS server.
  3. Add host records in reverse lookup format with an address of 127.0.0.2, for example: 1.25.8.10.whitelist.your.domain IN A 127.0.0.2
    which would cause 10.8.25.1 to pass through the DNSBL check as long as this is the first server checked and the action was set to allow the server through.
  4. Define the DNSBL list under GMS Anti-Spam > Connect > RBL Check and ensure it is at the top of the list. Set the action to Accept.
  5. Define any other DNSBL lists that you wish to use.
If you are using Microsoft’s Win2K DNS server the setup is not quite so straightforward. The following information, supplied by a customer should assist in this situation.
Create a standard primary zone (not AD-integrated, and call it say reject.comcept.net). Then, within that zone, create a new host but do not add a host name and give it the IP of the DNS server (2k will whine that it’s an invalid host IP but it works fine, my DNS Servers and GMS Server are behind a PIX thus have private IPs, in this case 10.0.0.11).
Now modify the zone.dns file in C:WINNTsystem32dns with the IPs you want to block (or accept if you’re creating a whitelist) as
A 127.0.0.2.
My current file looks like this:


;

;  Database file 1reject.comcept.net.dns for 1reject.comcept.net zone.

;      Zone version:  6

;



@                       IN  SOA ml370.colo.comcept.net.  admin.colo.comcept.net. (

                                6            ; serial number

                                900          ; refresh

                                600          ; retry

                                86400        ; expire

                                3600       ) ; minimum TTL



;

;  Zone NS records

;



@                       NS      ml370.colo.comcept.net.

@                       NS      ns.colo.comcept.net.

ns.colo.comcept.net.    A       10.0.0.10

@                       NS      ns1.colo.comcept.net.

ns1.colo.comcept.net.   A       10.0.0.104



;

;  Zone records

;



@                       A       127.0.0.2

10.136.110.193          A       127.0.0.2

4.76.61.200             A       127.0.0.2

45.36.50.206            A       127.0.0.2

254.49.154.207          A       127.0.0.2

162.249.166.208         A       127.0.0.2

34.94.37.208            A       127.0.0.2

15.89.39.209            A       127.0.0.2

224.138.58.210          A       127.0.0.2

210.243.250.216         A       127.0.0.2

104.11.240.63           A       127.0.0.2

193.143.225.64          A       127.0.0.2

146.188.66.68           A       127.0.0.2

Then you save the file and go back to the DNS MMC and right click on the zone and then click Reload.
NOTE: The IPs are reversed in the zone. For example, the first IP is really "193.110.138.10". This file works for both black and white lists.
Put "127.0.0.3" for white list and then tell GMS to Accept for "127.0.0.3" and Deny for "127.0.0.2".
You need to do modifications in notepad and not in W2k’s DNS MMC. Be sure to reload the zone when your changes are done. 

http://www.gordano.com/knowledge-base/how-do-i-white-list-certain-ips-so-that-they-pass-my-dnsbl-checks/ 

to cross the firewall the email pipe, the child process inherited the parent process file descriptors, because on this case the execvr passes the barrier, whitout they shutting off the process...which is the opposite here, so dont take the forking

Man in the Rain