rbldns

In addition to relying on 3rd-party realtime blackhole lists (RBLs), you can also create your own RBL lists. You can blacklist IP addresses that aren't on other lists, and you can also whitelist addresses that you want to receive mail from, even if they happen to be on a blacklist.

Instructions here are adapted from http://www.antagonism.org/mail/rbldns-qmail.shtml and http://ladro.com/docs/dns/rblsmtpd.html

Blacklist
First, create a user for the RBL services to run under. You could skip this step and run rbldns as the existing dnscache account (dnsrun), but a separate account with no home directory and no login shell keeps the privileges of the two services apart:

useradd -M -d /nohome -s /bin/false rbldns

Make a directory to contain the rbl service files:

mkdir -p /var/service/rbl

Since this RBL is only going to be queried from this mail server, we'll bind it to a loopback address (127.0.0.x): only one DNS server can listen on port 53 of a given IP address, and 127.0.0.1 is normally already taken by dnscache. Linux answers on any address in 127.0.0.0/8 without further configuration (other *nix variants may need the alias added to lo first); for this service, we'll use 127.0.0.4.
Set up the service directory using rbldns-conf (arguments: account to run as, account for the logger, service directory, IP address to listen on, base name of the zone):

rbldns-conf rbldns dnslog /var/service/rbl/black 127.0.0.4 \
rbl.productionmonkeys.net

Create a symbolic link in /service to activate the service:

ln -s /var/service/rbl/black /service/rbl-black

After about 10 seconds, confirm the service is running:

svstat /service/rbl-black

Whitelist
Having a whitelist will allow us to receive mail from IP addresses that might be listed on an RBL. You might find this useful for when ISP mail servers get listed on Spamcop, Spamhaus, etc. but you have legitimate users of those servers who need to send you mail.

For this service, we'll use the loopback address of 127.0.0.5 and also run it using the rbldns user we created previously. Set up the service directory using rbldns-conf:

rbldns-conf rbldns dnslog /var/service/rbl/white 127.0.0.5 \
white.productionmonkeys.net

Create a symbolic link in /service to activate the service:

ln -s /var/service/rbl/white /service/rbl-white

After about 10 seconds, confirm the service is running:

svstat /service/rbl-white

Define your RBLs as nameservers
To resolve queries for rbl.domain.xyz, the authoritative name server for domain.xyz must delegate rbl.domain.xyz and white.domain.xyz to the addresses the RBL services listen on (NS records plus glue A records). To configure this example using tinydns, run the following commands (each & line creates both the NS record and the glue record for a.ns.rbl.productionmonkeys.net / a.ns.white.productionmonkeys.net):

cd /service/tinydns/root
echo "&rbl.productionmonkeys.net:127.0.0.4:a" >> data
echo "&white.productionmonkeys.net:127.0.0.5:a" >> data
make

If the mail server resolves through a local dnscache, tell it to send queries for these zones straight to the RBL services instead of following the delegation:

cd /service/dnscache/root/servers
echo 127.0.0.4 > rbl.productionmonkeys.net
echo 127.0.0.5 > white.productionmonkeys.net
svc -t /service/dnscache

Adding Addresses to your RBLs
In order to add an IP to your list, you simply add the address to the data file for either the blacklist or whitelist. The usual way for rbldns is:

cd /service/rbl-<white or black>/root
echo <ip address> >> data
make

However, because we are using John Simpson's rbldns patch, we can attach a custom TXT record to each entry.
Public RBLs return a descriptive TXT answer, which rblsmtpd turns into a reply such as "451 http://www.spamhaus.org/query/bl?ip=200.120.119.164", so that the bounce the original sender gets (assuming it's not a spambot) tells them why their message was rejected. John's patch lets us do the same sort of thing:

cd /service/rbl-black/root
echo "<ip address>::Confirmed Spam Source on $" >> data
make

The $ is replaced in the TXT answer with the listed IP address, i.e. the address of the sending server, so it shows up in the bounce the original sender gets. Then, when the sender calls you to complain that their message got rejected, you can read off the IP address you need to add to your whitelist.
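As an added example (not code from the original page, from John Simpson's site or from djbdns), the following shell helpers wrap the add-and-rebuild step above with input validation, and build the reversed lookup name that rblsmtpd queries so you can check an entry against the running service. The zone names and loopback addresses follow this page; the function names rbl_valid_entry, rbl_add, rbl_query_name and rbl_check are this example's own, and the ip::text record form assumes John Simpson's rbldns patch is installed.

```shell
#!/bin/sh
# Added example: helpers for maintaining and checking a local rbldns list.
# Helper names are this example's own, not part of djbdns or the page.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for the checks below

# rbl_valid_entry <entry>
#   Accept what rbldns-data accepts: a dotted-quad IPv4 address, a shorter
#   prefix (1.2.3 lists 1.2.3.0/24) or a CIDR block (1.2.3.0/24).
rbl_valid_entry() {
  entry=$1
  mask=${entry#*/}
  [ "$mask" = "$entry" ] && mask=32          # no "/" present
  ip=${entry%%/*}
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){0,3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$mask" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$mask" -ge 1 ] && [ "$mask" -le 32 ] || return 1
  for o in $(printf '%s' "$ip" | tr '.' ' '); do   # every octet 0-255
    [ "$o" -le 255 ] || return 1
  done
}

# rbl_add <service-root> <entry> [text]
#   Appends <entry> to <service-root>/data (e.g. /service/rbl-black/root) and
#   rebuilds data.cdb through the Makefile that rbldns-conf created there.
#   <text> becomes the per-entry TXT answer (needs John Simpson's patch);
#   rbldns expands "$" in it to the listed address. Colons and newlines are
#   rejected because the data file is colon-delimited and line-oriented.
rbl_add() {
  dir=$1; entry=$2; text=${3-}
  rbl_valid_entry "$entry" || { echo "rbl_add: bad entry '$entry'" >&2; return 1; }
  case $text in
    *:*|*"$nl"*) echo "rbl_add: text may not contain ':' or a newline" >&2; return 1 ;;
  esac
  if [ -n "$text" ]; then
    printf '%s::%s\n' "$entry" "$text" >> "$dir/data"
  else
    printf '%s\n' "$entry" >> "$dir/data"
  fi
  # rbldns opens data.cdb afresh for every query, so the daemon itself needs
  # no restart; only dnscache has to be flushed (see the Makefile section).
  if [ -f "$dir/Makefile" ]; then (cd "$dir" && make); fi
}

# rbl_query_name <ip> <zone>
#   Prints the name rblsmtpd (and dnsip/dnstxt) look up for <ip>: the octets
#   reversed with the zone appended, e.g. 4.3.2.1.rbl.productionmonkeys.net
rbl_query_name() {
  printf '%s\n' "$1" |
    awk -F. -v zone="$2" '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# rbl_check <ip> <zone>
#   Ask the resolver in /etc/resolv.conf (your dnscache) whether <ip> is
#   listed, using djbdns' dnsip and dnstxt clients. dnsip prints an empty
#   line for an unlisted address, so "any non-empty output" means listed.
rbl_check() {
  name=$(rbl_query_name "$1" "$2")
  if dnsip "$name" 2>/dev/null | grep -q .; then
    echo "$1 is listed in $2:"; dnstxt "$name"
  else
    echo "$1 is not listed in $2"; return 1
  fi
}

# Run as a script: rbl-add.sh /service/rbl-black/root 203.0.113.7 "Confirmed spam source on \$"
if [ $# -ge 2 ]; then
  rbl_add "$@"
fi
```

After adding an entry, confirm it through the same path the mail server uses: `rbl_check 203.0.113.7 rbl.productionmonkeys.net` goes through dnscache (so it also proves the delegation or servers/ entry above works), while `dnsq a 7.113.0.203.rbl.productionmonkeys.net 127.0.0.4` asks the rbldns listener directly. In the rblsmtpd command line, give the whitelist before the blacklists (`rblsmtpd -a white.productionmonkeys.net -r rbl.productionmonkeys.net ...`), because rblsmtpd checks the lists in command-line order and stops at the first match.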

Restarting dnscache
Flush dnscache after adding an address to one of your lists, otherwise it may keep serving a cached answer (or a cached negative answer) for that IP until the TTL expires. Note that svc -t restarts dnscache and drops its entire cache, not just the RBL entries, so do this once per batch of changes rather than after every address.

svc -t /service/dnscache

A better option is to modify the Makefile in the root directory of each RBL service so that rebuilding the list restarts dnscache for you:

data.cdb: data
        /usr/local/bin/rbldns-data
        svc -t /service/dnscache

Note that the space in front of the commands is a TAB!

Replication of RBL data
If you want another mail server to use your RBL, you might want to run your RBL services on a different interface than 127.0.0.x. A simpler approach might be to set up the RBL services on the 2nd mail server, but replicate the the data.cdb file from the "main" server. The replication section fo the DNS server instructions tells you how to do it - you should be able to figure out how it applies to the RBLs.
NOTE: One change you might want to make is to have the data file rsync'd to the 2nd server along with data.cdb so that if make is run on the 2nd server, it won't overwrite the data.cdb.

Testing an RBL: http://ladro.com/docs/dns/rblsmtpd.html

Credits

Various bits of code, scripts, and procedures were put together with information from John Simpson's qmail.jms1.net website. It's an excellent resource on managing and setting up a Qmail server.