rblsmtpd 1 user commands djbwares rblsmtpd UCSPI-TCP SMTP server wrapper that blocks mail from RBL-listed sites. rblsmtpd opts prog rblsmtpd normally just chains to prog, which is the command name and arguments of a UCSPI-TCP server program that is expected to carry out an SMTP conversation to receive incoming mail messages. However, rblsmtpd does not invoke prog if it is told to block mail from this client. Instead it carries out its own limited SMTP conversation, rejecting all attempts to send a message with a temporary or a permanent failure response. Meanwhile it prints one line on its standard error to log its activity. It drops the limited SMTP conversation after 60 seconds, even if the client has not quit by then. Whether clients are blocked is determined by environment variables. Normally rblsmtpd runs under tcpserver1; you can use tcprules1 to set RBLSMTPD for selected clients. tcpserver1 also sets up TCPREMOTEIP as the IP address of the remote host. If the RBLSMTPD environment variable is set and is nonempty, rblsmtpd blocks mail. It uses RBLSMTPD as an error message to send to the client. If RBLSMTPD is set and is empty, rblsmtpd does not block mail. If RBLSMTPD is not set, rblsmtpd looks up TCPREMOTEIP in the RBL, and blocks mail if TCPREMOTEIP is deny-listed. You may supply any number of -r and -a options to control RBL lookup. rblsmtpd tries each list in turn until it finds one that deny-lists or allow-lists TCPREMOTEIP. Prior versions of rblsmtpd would default to using the RBL source rbl.maps.vix.com if you did not supply any deny-lists. This list has been defunct for many years and is no longer a built-in default in this program. Learning from this experience, there is no replacement built-in default; no deny-lists supplied means no deny-listing done. If you want to run your own RBL deny-list or allow-list for rblsmtpd, you can use rbldns1. Normally, if RBLSMTPD is set, rblsmtpd uses a 451 error code in its limited SMTP conversation. This tells legitimate clients to try again later. It gives innocent relay operators a chance to see the problem, prohibit relaying, get off the RBL, and get the mail delivered. However, if the value of RBLSMTPD begins with a hyphen, rblsmtpd removes the hyphen and uses a 553 error code. This tells legitimate clients to bounce the message immediately. Command line options further alter this behaviour. -r base Use base as an RBL source, a deny-list. An IP address a.b.c.d is listed by that source if the domain name d.c.b.a.base has a TXT record in the Domain Name System. rblsmtpd uses the contents of the TXT record as an error message to send to the client. -a base Use base as an anti-RBL source, an allow-list. An IP address a.b.c.d is listed by that source if the domain name d.c.b.a.base has an A record in the Domain Name System. rblsmtpd does not block mail for allow-listed IP addresses. -B (Default.) Use a 451 error code for IP addresses deny-listed in the RBL. -b Use a 553 error code for IP addresses deny-listed in the RBL. -C (Default.) Handle RBL lookups in a "fail-open" mode. If an RBL deny-list lookup fails temporarily, assume that the address is not listed; if an RBL allow-list lookup fails temporarily, assume that the address is listed. Unfortunately, a knowledgeable attacker can force an RBL lookup to fail temporarily, so that his mail is not blocked. -c Handle RBL lookups in a "fail-closed" mode. If an RBL deny-list lookup fails temporarily, assume that the address is listed (but use a 451 error code even with -b). If an RBL allow-list lookup fails temporarily, assume that the address is not listed (but use a 451 error code even if a subsequent RBL deny-list lookup succeeds and -b is used). Unfortunately, this sometimes delays legitimate mail. rblsmtpd was originally part of Daniel J. Bernstein's ucspi-tcp toolset in 1999. Original code and documentation by Daniel J. Bernstein. Documentation modernizations by Jonathan de Boyne Pollard.