How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"
Greetings,
I have been running a Vesta CP install for many years and I'm very happy with it, thank you for this great software. My issue is actually with my server's host – since I use OVH, Spamassassin usually returns the result "ADMINISTRATOR NOTICE: The query to URIBL was blocked" because Vesta's DNS has to use OVH's DNS server (or another high-volume DNS server such as Google's) and these overload the URIBL servers and get blocked after a certain amount of queries:
https://wiki.apache.org/spamassassin/Dn ... nsbl-block
As a result of this I have a terrible amount of spam because Spamassassin can never query the blacklist servers and the email addresses used have been around for a while. At the link above, Spamassassin recommends using a caching DNS server to get around this problem of having queries refused. I have tried a couple of times to install dnsmasq, but both installs have ended up with my server ending up with no DNS at all, so I thought I should come here and just ask for help with it.
The last steps I followed to attempt to install DNSMasq today are these ones:
https://www.techrepublic.com/article/ho ... nd-server/
The very brief version of these instructions for CentOS:

Code:
sudo yum install dnsmasq
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq

in /etc/dnsmasq.conf:

Code:
listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
bogus-priv
no-hosts
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

in /etc/resolv.dnsmasq:

Code:
nameserver (the IP address of the real external DNS server)

in /etc/resolv.conf:

Code:
nameserver 127.0.0.1

This ended up with being able to run

Code:
dnsmasq --test

successfully but when I eventually ran

Code:
service dnsmasq restart

I always received the result

Code:
dnsmasq: failed to create listening socket for port 53: Address already in use [fail]

When I ran

Code:
netstat -anlp | grep -w LISTEN

it was named that had an existing binding to 127.0.0.1:53. I have the feeling I may be running up against something important about Vesta's DNS service and/or the way it combines with OVH or CentOS 6.9, so I'm not sure how to proceed. I have reverted to Vesta's default behavior (everything works normally again and I have a clean slate to try new fixes, but my spam issue remains unaddressed) and I'd be very appreciative for some guidance on how to set up a caching DNS service so I can resume making successful connections to Spamassassin blacklist servers. I am using CentOS 6.9.
Based on the following posts which all report being blocked from using the Spamassassin blacklists due to the use of a host DNS or Google's DNS, and which are all unsolved:
viewtopic.php?f=12&t=14674
viewtopic.php?f=12&t=10713
viewtopic.php?f=12&t=15109
I think that this is not an uncommon administrative issue for a Vesta install with Spamassassin, CentOS 6.x, and large server host (or a desire to use Google's DNS, which should be possible as a choice if the host DNS doesn't perform well or has other issues). Being able to run a local caching DNS server is also useful for other applications. Thank you for your help!
Last edited by hwname on Sat Dec 16, 2017 10:56 am, edited 1 time in total.
Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was block
On closer reading, I see that Spamassassin doesn't recommend dnsmasq but they do recommend BIND, which I believe is actually already installed and working in Vesta on port 53. How do I configure BIND to work as a non-forwarding caching nameserver that will allow me to query Spamassassin blacklists without getting blocked due to the query coming from OVH's DNS server, but still perform DNS services as it has been?
My /etc/resolv.conf looks like this, where 111.111.111.111 is actually the OVH DNS server (I think this is set by OVH when the servers are first provisioned, but commenting out that line or the two lines referring to OVH and just leaving the reference to localhost results in no DNS at all, i.e. outgoing email stops working and domains can no longer be pinged by the server):

Code:
nameserver 127.0.0.1
nameserver 111.111.111.111
search ovh.net

Thanks for your assistance!
Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was block
Here is how I ended up solving this myself, with luck without any dangerous side-effects (please let me know if you see any).
Step 1 is to make sure that /etc/resolv.conf only points to 127.0.0.1 and not the external DNS server.
Step 2 is to set /etc/named.conf with the following items inside of the options block so that localhost is the DNS server (leaving whatever is outside your options block in place):

Code:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    pid-file "/var/run/named/named.pid";
    statistics-file "/var/named/data/named_stats.txt";
    version "get lost";
    allow-transfer {"none";};
    recursion yes;
    allow-query { localhost; };
    dnssec-enable yes;
    dnssec-validation yes;
    auth-nxdomain no;
    listen-on-v6 { any; };
};

Step 3 is to fix a different issue with Vesta's Spamassassin install, which is that it runs as nobody which causes an inability to write out any bayes info:
mkdir /etc/mail/spamassassin/bayes
/etc/mail/spamassassin/local.cf:

Code:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
#dns_available yes
bayes_path /etc/mail/spamassassin/bayes/bayes

That is not a typo that the bayes path has 'bayes/bayes' at the end but the mkdir line only has one level of 'bayes'. The last step is to recursively set /etc/mail/spamassassin/bayes to a permission level on your server that will allow it to be written to by the Spamassassin instance. You can see failure or success of this in /var/log/maillog, but ignore these errors because they are unfixable due to Spamassassin running as nobody:

Code:
spamd: creating default_prefs: //.spamassassin/user_prefs
config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
spamd: failed to create readable default_prefs: //.spamassassin/user_prefs

Since these changes, all spam is being successfully identified, and non-spam email is getting to users. These steps may point to some issues in the default Spamassassin install for Vesta, or perhaps just its interaction in this case where I am using OVH and CentOS 6.9. I hope this helps someone.
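An added example, not part of the original posts or of Vesta's code: a small Python audit of the two files edited in the last post, flagging settings that still send DNSBL lookups through a shared resolver, that open recursion to any client, or that let the options-level `allow-query` restriction apply to hosted master zones (BIND applies it to every zone that does not set its own). The function names, the sample inputs, the `example.com` zone and its file path are constructed for illustration.

```python
import re

def blocks(text, head):
    """Yield (match, body) for every `head { ... }` block, honouring nested braces."""
    for m in re.finditer(head + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def acl(body, name):
    """Elements of `name { a; b; };` in a block body, or [] when absent."""
    m = re.search(r"(?<![-\w])" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()] if m else []

def audit(resolv_text, named_text):
    """Findings for a resolv.conf / named.conf pair (heuristic, not a full parser)."""
    out = []
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, flags=re.M)
    external = [s for s in servers if s not in ("127.0.0.1", "::1")]
    if external or not servers:
        out.append("resolv.conf: lookups can still use shared resolver(s) %s" % external)
    # Strip /* */, // and # comments before matching statements.
    conf = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", named_text, flags=re.S)
    opts = " ".join(body for _, body in blocks(conf, r"\boptions"))
    if acl(opts, "forwarders"):
        out.append("named.conf: forwarders set, DNSBLs see the forwarder's address")
    for name in ("allow-recursion", "allow-query-cache"):
        if "any" in acl(opts, name):
            out.append("named.conf: %s { any; } lets any client recurse (open resolver)" % name)
    scope = acl(opts, "allow-query")
    if scope and "any" not in scope:
        # An options-level allow-query applies to every zone that lacks its own.
        for m, body in blocks(conf, r'\bzone\s+"([^"]+)"(?:\s+\w+)?'):
            if re.search(r"\btype\s+master\b", body) and not acl(body, "allow-query"):
                out.append("named.conf: zone %s inherits allow-query %s" % (m.group(1), scope))
    return out

# Constructed samples: the post's "before" resolv.conf; options abridged; zone hypothetical.
RESOLV_BEFORE = "nameserver 127.0.0.1\nnameserver 111.111.111.111\nsearch ovh.net\n"
NAMED_AFTER = '''options {
    recursion yes;
    allow-query { localhost; };
};
zone "example.com" { type master; file "/var/named/example.com.db"; };
'''

if __name__ == "__main__":
    print("\n".join(audit(RESOLV_BEFORE, NAMED_AFTER)))
```

With a resolv.conf that lists only 127.0.0.1 the first finding disappears; the zone finding stays for any hosted master zone that has no `allow-query` of its own, which is worth confirming from an outside host after applying Step 2.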