For a long time now, I've been heavily reliant on the charity of other people to provide me with DNS (primary & secondary), e-mail (secondary MX and also IMAP service) and web service. I know a lot of people who've got their own machines hosted in various datacenters around London. Whilst, hopefully, the load that my sites and e-mail exert on these machines shouldn't be too high, I've always felt a little cheeky as I didn't feel able to contribute anything back to them - obviously, hosting many of these machines is a cost to these people. There's also the requirement for them to invest significant amounts of their own personal time on the upkeep of the machines in terms of security, and also the occasional "Can you do " e-mails from me. Not regular e-mails, just zonefile updates, stuff like that.

After a recent discussion on one of the tech lists I'm on, I decided to take out a VPS (Virtual Private Server) with a company called Bitfolk. The company came well recommended, with one of the guys behind it (at least) being on said tech list. Since most of my personal (development) machines already run Debian Etch, I elected to have this as the base for the VPS. Putting everything on to the new VPS means that I've got everything in one place - this means that I'm not having to rack my brains (or run queries) to work out where a website is, where the DNS is run from, etc. I've decided to farm the actual management of the DNS out to Portfast, which is run by a friend of mine. You can't argue with the prices, and DNS isn't something I'm particularly good at.

I've spent the weekend installing software on the machine, testing out configurations and so on, and then pointing the DNS for websites at it. Obviously, leaving the website on the old host running in parallel with the new one on the VPS whilst the changes propagated. I'll leave the old sites running for a few weeks, monitoring the log files before taking stuff out. After that, I then did Exim, Dovecot and Squirrelmail installations, before starting to move over MX services to the new VPS. One of the tricks of spammers is to hit the lowest priority MX as an attempt to inject spam - their theory being that this part of the chain will have the least protection. I'll admit to being surprised at the amount of attempts that the new VPS was getting within half an hour of the MX changes starting to propogate. When I installed Exim, I also installed SpamAssassin, but in its vanilla state, this was doing pretty much nothing to stop the increasing deluge. I elected to use the zen.spamhaus.org DNSBL. It was stopping probably 25% of the hits I was seeing. As I say, it was in a vanilla state, so undoubtedly, with tuning and addition of extra rulesets, this would've been fine. The addition of the zen.spamhaus.org DNSBL, though, is far simpler.

Exim4 under Debian makes this relatively easy to do. I'm running a split configuration, so it's simply a matter of inserting this into /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt just after the accept hosts = : line

# RBL List Begin
# Always accept mail to postmaster & abuse
accept domains = +local_domains
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Reject message if address listed in blacklist.
deny message = ${sender_host_address} is listed at ${dnslist_domain}; See ${dnslist_text}
dnslists = zen.spamhaus.org
# RBL List End

Once you've done this, you'll need to update the config by running update-exim4.conf and ensuring the service has restarted.

This bit of code sees mail being referred to zen.spamhaus.org. If it's listed there, then a message is returned (as detailed above) in response. This sees us rejecting the e-mail at SMTP time, so it exerts far less load on the machine overall, and gives the sender an immediate response.

Having left the machine overnight, I'm pleasantly surprised at the amount of spam that didn't get through - just a small number, which will need some more fiddling to get right.