This article explains how to configure SecurityGateway's DNS blacklisting settings, if you wish to change which DNS-BL servers are checked, and how SecurityGateway handles messages that fail a query.
From the Dashboard, after logging in:
- Click on Security in the bottom-left corner
- Locate the Anti-Spam section
- Click on DNS Blacklists (DNSBL)
From there, you should see the following options:
-
Enable DNSBL queries
This option determines if SecurityGateway will query the DNSBL servers listed under the DNSBL Hosts section and see if the message's connecting IP address has been listed on the sites for being a possible source of spam. This option is enabled by default.
-
If the sending server of a message is listed...
This option lets you determine what to do with any message that is being sent from a server whose address is listed on one of the DNSBL sites that SecurityGateway queries. You may refuse the message completely, quarantine the message for later review by the administrator or user, or accept the message for further processing. By default, messages sent from blacklisted servers are accepted for later processing.
-
... tag subject with ...
This option will allow you to add a certain phrase to the start of a blacklisted message's subject, by default '*** SPAM ***'. This option is disabled by default. -
... Add x.x points to message score
This option will add the provided number of points, by default 3.0, to the message's score, indicating SecurityGateway thinks it may be spam. This is useful if you plan to accept the message for further processing. By default, this is enabled.
-
Exclude messages from whitelisted senders
If the sending email address, domain, or IP address is on the server's whitelist, or on the recipient's personal whitelist, then SecurityGateway will not do a DNSBL query. By default, this is enabled.
-
Exclude messages from authenticated sessions
If the connecting user authenticates their session using a username and password on the SecurityGateway server before sending the message, SecurityGateway will not do a DNSBL query. By default, this is enabled.
-
DNSBL Hosts
This section is where you can review the DNSBL services that SecurityGateway checks, and either add a new service, or remove an existing one, if you so choose. By default, SecurityGateway has an entry for the SpamHaus and SpamCop DNSBL services. You may add your own, but we suggest using the default two services.
To add a new host, specify its domain or IP address in the New Host field, optionally add a message that you wish to send to the connecting host about why the connection was rejected in the Message field, then click Add. Note you may use the $IP$ macro to include the connecting host's IP address, if you wish.
To remove an existing service, highlight it in the list and click Remove.
-
Stop DNSBL queries on first host which lists the connecting IP
If the DNSBL service returns a 'failed' result for any IP address it checks, it will immediately stop further checks and return the result, and SecurityGateway will follow the procedure listed under 'If the sending server of a message is listed' above. By default, this is enabled.
-
When rejecting a message return 'Message' rather than 'user unknown'
By default, SecurityGateway will return the sending host the message associated with the DNSBL service, which usually states that their address is listed on the specific service and how to contact them. If you wish to return a generic 'user unknown' error, uncheck this box.
-
Check 'Received' headers within collected messages
You can choose to have SecurityGateway review the IP addresses of the hosts that the message passed through before being sent to the server, as opposed to the currently connecting address. You can choose how many connections in general to check, and how many at the start of the message's path, and at the end of its path, to check. By default, this is disabled.
Additional Comments
These options can be configured for individual domains, or for the entire server. Note that, however, all domains will use the same DNSBL services.