I personally would not trust many external DNSBLs other than my own, not because of speed, which I consider just as critical, but mainly because of the blocking. You have no control over it.
On 15 Jan 2026, at 08:43, Kirill Miazine via dovecot <dovecot@dovecot.org> wrote:
• Aki Tuomi via dovecot [2026-01-09 12:40]:
You can also implement a simple RBL auth policy server; the auth policy
feature sends a JSON blob of fields and expects a JSON blob in response.
The upside is that the policy check is done before any authentication
happens. You can ignore all the other stuff and just check the remote
IP.
See [1]https://doc.dovecot.org/2.4.2/core/config/auth/policy.html#authentication-policy
If there's interest, I made a PoC some years ago; it uses asyncio and
sets up an auth policy server on 127.0.0.1:13380:
[2]https://www.zerobin.no/?a5b52b2539d7912c#4sYaC5WeT9LHzYKN4XxCgUWr8uPdfCi4WsFdXSuzQDXU
This particular version was a WIP and checks Spamhaus DQS in DNS (and I
think I had some idea to use a web service, too, perhaps, but hadn't come
that far), and also sets up an auth policy server on 127.0.0.1:13370
using a line-oriented protocol which I used in Exim.
You could use "AI" to clean/tweak it further, if needed.
auth policy server is a great facility, but I ended up just blocking
repeated offenders on the networking level.
Aki
On 09/01/2026 13:19 EET Lefteris Tsintjelis via dovecot <dovecot@dovecot.org> wrote:
On 9 Jan 2026, at 12:31, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 09/01/2026 12:08 EET Lefteris Tsintjelis via dovecot <dovecot@dovecot.org> wrote:
Hi,
Is there a way to block with RBLs? I already have a really good,
very trustworthy and accurate internal one that has worked
extremely well and fast with my SMTP servers for years now. Is
there a way to apply the same RBL to dovecot? Logs are really
going crazy: the attacks stopped with SMTP and started with IMAP
a while ago, since dovecot is wide open to them. Anvil
does not seem to do much here. I am looking for solutions other
than fail2ban or anything similar to this.
Lefteris
You can use auth_policy_server settings to configure an external
service for this, please see e.g.
https://github.com/PowerDNS/weakforced/ as an example of such
service.
Aki
Thank you. It looks very flexible and powerful, but in this case it seems
like huge overkill for such a simple thing, just checking one
local DNSBL. I was thinking more like the code below. I think AI
gave me a fast and acceptable solution.
#!/usr/bin/env python3
import socket
import sys

# Input layout this script assumes: three newline-separated fields on stdin,
# username, password, remote IP. Only the IP is acted on.
data = sys.stdin.buffer.read(1024).split(b'\n')
if len(data) < 3:
    sys.exit(1)
username = data[0].decode().strip()
password = data[1].decode().strip()  # we don't care
rip = data[2].decode().strip()       # remote IP

# DNSBL(s) here
DNSBLS = [
    "my.own.dnsbl.gr",
]

def is_blacklisted(ip):
    try:
        # reversed dotted quad, the usual DNSBL query form (IPv4 only)
        rev = '.'.join(reversed(ip.split('.')))
        for zone in DNSBLS:
            try:
                socket.gethostbyname(f"{rev}.{zone}")
                return True   # any A record means the IP is listed
            except socket.gaierror:
                pass          # NXDOMAIN (or a lookup error) counts as not listed in this zone
        return False
    except Exception:
        return False  # be fail-open on DNS failure

if is_blacklisted(rip):
    sys.stderr.write(f"DNSBL blocked IP {rip}\n")
    sys.exit(1)

# Otherwise pass to next auth (PAM, passwd-file, sql, etc)
sys.exit(0)
Lefteris
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
References
Visible links
[1] https://doc.dovecot.org/2.4.2/core/config/auth/policy.html#authentication-policy
[2] https://www.zerobin.no/?a5b52b2539d7912c#4sYaC5WeT9LHzYKN4XxCgUWr8uPdfCi4WsFdXSuzQDXU
[3] mailto:dovecot@dovecot.org
[4] mailto:dovecot-leave@dovecot.org
[5] mailto:dovecot@dovecot.org
[6] mailto:dovecot-leave@dovecot.org
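As an added example (not code from the thread, from Kirill's PoC, or from Dovecot itself), here is a minimal HTTP auth policy server in Python along the lines Aki describes: it ignores every field except the client IP, queries a DNSBL, and answers with the JSON status Dovecot acts on before it checks the password. The DNSBL zone name, the port 13380 and the Dovecot settings in the docstring are assumptions; the "remote" key is what Dovecot's default auth_policy_request_attributes (remote=%{rip}) sends, so change it if you changed those. The resolver is injectable so the decision logic can be exercised offline with a fake lookup, and the sample addresses in the comments are constructed.

```python
#!/usr/bin/env python3
"""
Added example: a small Dovecot auth policy server that rejects logins from
DNSBL-listed client IPs before any authentication happens.

Assumed Dovecot settings (adjust to your setup):
    auth_policy_server_url = http://127.0.0.1:13380/
    auth_policy_hash_nonce = <random secret>
    auth_policy_check_before_auth = yes
    auth_policy_request_attributes = login=%{requested_username} remote=%{rip} protocol=%s

Dovecot POSTs a JSON object and expects {"status": N, "msg": "..."} back:
status -1 rejects the login, 0 allows it, a positive value asks for a delay
of that many seconds.
"""
import ipaddress
import json
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

DNSBLS = ["dnsbl.example.invalid"]  # hypothetical zone; put your own DNSBL here
FAIL_OPEN = True                    # if DNS itself breaks, allow logins rather than lock everyone out


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))            # 192.0.2.1 -> 1.2.0.192
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))  # 32 hex nibbles, reversed
    return f"{rev}.{zone}"


def default_resolver(name: str) -> bool:
    """True if the name has an A record (listed), False on NXDOMAIN, raise on other DNS errors."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)):
            return False
        raise  # EAI_AGAIN and friends: the lookup itself failed, let the caller decide


def is_listed(ip: str, resolver=default_resolver) -> bool:
    return any(resolver(dnsbl_query_name(ip, zone)) for zone in DNSBLS)


def decide(request: dict, resolver=default_resolver) -> dict:
    """Turn one Dovecot policy request into the JSON response body."""
    ip = request.get("remote", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        # no usable client address (e.g. a local socket): nothing to look up
        return {"status": 0, "msg": "no remote address"}
    try:
        listed = is_listed(ip, resolver)
    except OSError:
        if FAIL_OPEN:
            return {"status": 0, "msg": "dnsbl lookup failed, allowing"}
        return {"status": -1, "msg": "dnsbl lookup failed, rejecting"}
    if listed:
        return {"status": -1, "msg": f"client {ip} is DNSBL listed"}
    return {"status": 0, "msg": "ok"}


class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            request = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            request = {}  # malformed body: treated like a request with no remote address
        body = json.dumps(decide(request)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the policy server quiet; Dovecot logs the policy result itself


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 13380), PolicyHandler).serve_forever()
```

Point auth_policy_server_url at it and a listed client is refused before its password is ever checked, which is the difference from a checkpassword-style script that only runs once authentication has started. Dovecot waits for the policy answer, so an unresponsive DNSBL turns into a login delay for everyone; that is why the lookup failure path is explicit here, and it is the control problem Lefteris raises about relying on an external list.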