One of the most underrated uses of IP reputation is preventing BEC (Business Email Compromise) and authentication attacks. The SpamRats RATS-AUTH reputation list contains IPs known to be involved in email account compromise attacks.
However, Dovecot has NO native way to consult an RBL. You CAN add one using either a `checkpassword` passdb or a post-login hook. For the post-login approach, see the Dovecot docs: https://doc.dovecot.org/configuration_manual/post_login_scripting/
You can also query the RBLs from your fail2ban actions, which is simpler and covers every mail port (110, 143, 993, 995, 465, 587, etc.) at once.
You might even protect the whole server with RATS-NULL at the network level, though whether that is appropriate depends on your environment.
You can create a small bash script, e.g. /usr/local/bin/rbl-check-auth.sh. The script must check the address that comes back, not merely whether the query succeeded: only the list's own code (127.0.0.43 for RATS-AUTH) means the IP is listed. The following should give you the idea.
    #!/bin/bash
    # Dovecot runs a checkpassword program as "script <checkpassword-reply>":
    # the username and password arrive on fd 3 (not as arguments) and the
    # client address is in the TCPREMOTEIP environment variable.
    IP=$TCPREMOTEIP
    ZONE="[YOUR_API_KEY].auth.spamrats.com"
    WANT=127.0.0.43   # RATS-AUTH return code; any other answer is not a listing

    if [ -n "$IP" ]; then
        # Reverse the octets and query the RBL. Deny only when the list's own
        # code comes back; NXDOMAIN, timeouts and foreign addresses fall through.
        NAME="$(echo "$IP" | awk -F. '{print $4"."$3"."$2"."$1}').$ZONE"
        if host -t A "$NAME." 2>/dev/null \
             | awk -v want="$WANT" '/ has address / && $4 == want { hit = 1 } END { exit !hit }'; then
            exit 1   # checkpassword protocol: exit 1 = authentication failed
        fi
    fi

    # Not listed (or the lookup failed): hand off, with fd 3 and "$@" intact, to
    # the real checkpassword program that verifies the password. The path below
    # is a placeholder; point it at the checkpassword program your site uses.
    exec /usr/local/bin/real-checkpassword "$@"
Then reference the script from your dovecot.conf. The snippet below uses the Dovecot 1.x `auth default` syntax; on Dovecot 2.x the equivalent is a top-level passdb block with driver = checkpassword and the same args line.
    auth default {
      mechanisms = plain login
      passdb checkpassword {
        args = /usr/local/bin/rbl-check-auth.sh
      }
    }
Warning: you MAY not be able to query from some DNS servers, especially without an API key. Use a DNS server that clearly identifies who is making the query (its IP should have a PTR record), and consider running your own local resolver if you have trouble. With a subscription there are alternative ways to get the data.
RBLs work over DNS, and you should ALWAYS check for the correct IP address being returned. Simply getting a "result" does not mean the IP is listed. Only the list's specific address means "listed"; anything else most likely indicates an error, should be ignored, and must NOT cause a rejection. Your DNS also needs to be able to reach our mirrors: a firewall rule that blocks those queries means you are not protected. You can always test at the command line first. A simple
    host 36.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
    host 1.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
should work: the first example returns 127.0.0.36, while the second returns NXDOMAIN (IP not found). If that does not happen, check your firewalls first, then check which DNS servers you are using, and finally verify that your API key is correct and active before reaching out to us for support.
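The two rules above (only the list's own return code means "listed", and a lookup error must never reject) are the part people get wrong in the auth script and in fail2ban actions alike. The following is an added example, not code from the SpamRats page or its script: a small POSIX shell library that builds the reversed query name, classifies a resolver answer, and applies the deny-only policy. It assumes `dig` is installed for the live lookup; `KEY` and the 192.0.2.0/24 addresses are placeholders, while the zone names and the return codes 127.0.0.43 (RATS-AUTH) and 127.0.0.36 (RATS-DYNA) are the ones the page quotes.

```shell
#!/bin/sh
# Added example (not from the SpamRats page): build an RBL query name and
# judge the answer the way the page requires. Only the list's own return
# code means "listed"; NXDOMAIN means "not listed"; anything else
# (SERVFAIL, timeout, a foreign or wildcard address) is an error and must
# not reject. Assumes dig is installed; "KEY" stands for your API key.

# Return codes quoted on the page for the two lists.
RATS_AUTH_CODE=127.0.0.43
RATS_DYNA_CODE=127.0.0.36

# rbl_query_name IPv4 API_KEY ZONE
# Prints the reversed-octet query name (10.2.0.192.KEY.auth.spamrats.com
# for 192.0.2.10). Prints nothing and returns 1 when IPv4 is not a valid
# dotted quad, so a malformed or IPv6 address never becomes a DNS query.
rbl_query_name() {
    ip=$1; key=$2; zone=$3
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$key" "$zone"
}

# rbl_verdict EXPECTED_CODE STATUS [A_RECORD ...]
# STATUS is the resolver's rcode word (NOERROR, NXDOMAIN, SERVFAIL, ...) or
# TIMEOUT when nothing came back; A_RECORD... are the addresses answered.
# Prints exactly one of: listed, notlisted, error.
rbl_verdict() {
    expected=$1; status=$2; shift 2
    case $status in
        NXDOMAIN) echo notlisted; return 0 ;;
        NOERROR)  ;;
        *)        echo error; return 0 ;;
    esac
    for addr in "$@"; do
        if [ "$addr" = "$expected" ]; then
            echo listed; return 0
        fi
    done
    # NOERROR without the expected code: an empty answer, another list's
    # code, or a wildcard answer from an interfering resolver. Not a listing.
    echo error
}

# rbl_gate VERDICT
# Deny-only policy from the page: succeed (allow) unless the verdict is
# "listed", so lookup errors never lock real users out.
rbl_gate() {
    [ "$1" != listed ]
}

# rbl_check IPv4 API_KEY ZONE EXPECTED_CODE
# Live lookup with dig; prints the verdict. Needs network, so it is the one
# function here that is not exercised offline.
rbl_check() {
    name=$(rbl_query_name "$1" "$2" "$3") || { echo error; return 0; }
    # +noall +comments +answer keeps the header line (which carries
    # "status:") and the answer section; dig exits non-zero on timeout.
    out=$(dig +time=2 +tries=1 +noall +comments +answer A "$name." 2>/dev/null) \
        || { echo error; return 0; }
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | awk '$4 == "A" { print $5 }')
    [ -n "$status" ] || status=TIMEOUT
    # Word-splitting $answers into separate arguments is intended here.
    rbl_verdict "$4" "$status" $answers
}

# Live usage, e.g. from a fail2ban action or the auth script:
#   rbl_gate "$(rbl_check "$ip" KEY auth.spamrats.com "$RATS_AUTH_CODE")" || deny
# The page's own self-test, run live, is rbl_check 127.0.0.36 and 127.0.0.1
# against dyna.spamrats.com with "$RATS_DYNA_CODE".
```

The verdict function is deliberately three-valued: collapsing "error" into "not listed" would be safe, but collapsing it into "listed" (which is what `if host ... >/dev/null` does) rejects real users whenever the resolver hiccups, a mirror is firewalled off, or the API key has lapsed.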
You may find that your ability to query the SpamRATS DNSBL Public Mirrors has been restricted. This could be due to the usage not falling within our Terms of Service. Before restricting any queries we try to reach out via email. Please check to see if you received an email from sales@mthreat.com at your public email address. If you have received the message, please reply to it.
If you would like to continue using the SpamRATS RBLs, please contact us and include the IP(s) that you used to query in your email.