mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Spamhaus implement DQS #5293

Closed MAGICCC closed 1 year ago

MAGICCC commented 1 year ago

Summary

Hello,

Since Spamhaus blocks OVHCloud IPs querying their DNSBL lists now, we have to implement DQS. This also includes maybe a check in the install script to check if the server is using an OVH IP and enable some options, such as an echo "hey, you need to sign up for a Spamhaus key" and/or activating the DQS Rspamd plugin https://github.com/spamhaus/rspamd-dqs

More info here with an install guide: https://www.spamhaus.com/resource-center/if-you-query-spamhaus-projects-dnsbls-via-ovhclouds-dns-move-to-the-free-data-query-service Also postfix docs for postscreen setup: https://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map

Motivation

Allow users using OVHCloud IPs to query Spamhaus DNSBLs

Additional context

No response

accolon commented 1 year ago

Regarding

This also includes maybe a check in the install script to check if the server is using an OVH IP and enables some options

The Spamhaus blog article says: "The Spamhaus Project’s Terms of Use state that it doesn’t allow users to query via DNS resolvers where there is no attributable reverse DNS"

According to this tweet, this also affects people using AWS and Cloudflare for DNS, so just checking for OVH IPs is not enough.

DerLinkman commented 1 year ago

The current Spamhaus Blocklists are configured inside postscreen (Postfix) so we should use them there too!

I would like to dynamically generate the postscreen_dnsbl_sites whether it detects an AWS/Cloudflare/OVH IP.

That detection however will be the trickiest, I guess, as we have to detect the AS for the IP and check if it is an Amazon one and so on.

DerLinkman commented 1 year ago

Just built a script which gets the latest AS from the 3 providers.

Will publish an asn_list.txt on our fuzzy.mailcow.email server to let mailcow check the host IP AS against this list. If it detects an AS from those 3, mailcow will warn the user (if not already done) to set up a DQS account and paste the key into mailcow.conf. If he did not want that or the key is not set, mailcow will not use Spamhaus at all if the IP is from a "bad" AS.

MAGICCC commented 1 year ago

According to this tweet, this also affects people using AWS and Cloudflare for DNS, so just checking for OVH IPs is not enough.

Oh interesting, didn't see it.

Will publish an asn_list.txt on our fuzzy.mailcow.email server to let mailcow check the host IP AS against this list. If it detects an AS from those 3, mailcow will warn the user (if not already done) to set up a DQS account and paste the key into mailcow.conf. If he did not want that or the key is not set, mailcow will not use Spamhaus at all if the IP is from a "bad" AS.

Hm yes, nice idea; a somewhat nice tool would be https://github.com/ipinfo/cli. The main issue is that the free tier doesn't really allow getting the AS by IP. You could do a grep when using ipinfo myip -j though. Not sure if it breaks with certain ASes.

{
  "ip": "188.165.12.136",
  "hostname": "iperf.ovh.net",
  "city": "Roubaix",
  "region": "Hauts-de-France",
  "country": "FR",
  "country_name": "France",
  "country_flag": {
    "emoji": "🇫🇷",
    "unicode": "U+1F1EB U+1F1F7"
  },
  "country_currency": {
    "code": "EUR",
    "symbol": "€"
  },
  "isEU": true,
  "loc": "50.6942,3.1746",
  "org": "AS16276 OVH SAS",
  "postal": "59051 CEDEX 1",
  "timezone": "Europe/Paris"
}

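
As an added example (not mailcow's own code), this applies the AS check DerLinkman describes above to the ipinfo output quoted in this comment: it pulls the AS out of the "org" field, matches it against an asn_list.txt-style list, and picks the behaviour the thread proposes (use DQS when a key is set, otherwise warn and skip Spamhaus). The list contents, the mode names and the DQS_KEY variable name are assumptions.

```shell
#!/bin/sh
# Added example, not mailcow code: check whether this host's AS is one whose
# resolvers Spamhaus blocks, using the "org" field of `ipinfo myip -j` output.
# Input is constructed inline so the check runs offline.

# Constructed input: the relevant fields of the ipinfo JSON quoted in the thread.
IPINFO_JSON='{ "ip": "188.165.12.136", "org": "AS16276 OVH SAS", "country": "FR" }'

# Assumed format of asn_list.txt: one "AS<number>" per line. AS16276 (OVH) is
# from the thread; AS64496 is a reserved documentation ASN standing in for
# another "bad" provider.
ASN_LIST='AS16276
AS64496'

# Print the AS from the "org" field (e.g. AS16276); prints nothing if absent.
asn_from_ipinfo() {
  printf '%s\n' "$1" | grep -o '"org": *"AS[0-9]*' | grep -o 'AS[0-9]*$'
}

# Succeed (exit 0) when $1 appears as a whole line in the list $2.
asn_in_list() {
  printf '%s\n' "$2" | grep -qx "$1"
}

# Decide what mailcow should do, following the thread's proposal:
#   ok      - AS not listed: keep querying Spamhaus as before
#   dqs     - listed AS and a DQS key is configured: use the DQS zones
#   disable - listed AS and no key: warn, and do not use Spamhaus at all
spamhaus_mode() {
  asn=$1
  dqs_key=$2
  if [ -z "$asn" ] || ! asn_in_list "$asn" "$ASN_LIST"; then
    echo ok
  elif [ -n "$dqs_key" ]; then
    echo dqs
  else
    echo "WARNING: host is in $asn; set up a DQS account and put the key in mailcow.conf" >&2
    echo disable
  fi
}

# Stand-alone run against the constructed input (DQS_KEY is an assumed variable name).
asn=$(asn_from_ipinfo "$IPINFO_JSON")
echo "host AS: ${asn:-unknown}, mode: $(spamhaus_mode "$asn" "${DQS_KEY:-}")"
```
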
DerLinkman commented 1 year ago

Hm yes, nice idea; a somewhat nice tool would be https://github.com/ipinfo/cli. The main issue is that the free tier doesn't really allow getting the AS by IP. You could do a grep when using ipinfo myip -j though. Not sure if it breaks with certain ASes.

Already did some check using the Whois package and simple Linux grep and cut and stuff.

So no need for that ☺️

JiiPee74 commented 1 year ago

I'm on OVH and it seems like the deadline is today. Will this affect my server somehow? Spamhaus info tells horror stories that mails can start to bounce back to the sender. It would be quite a shitty thing if that happens.

MAGICCC commented 1 year ago

@JiiPee74 You can try to apply this PR using a patch for example https://patch-diff.githubusercontent.com/raw/mailcow/mailcow-dockerized/pull/5295.patch

mikestp27 commented 11 months ago

Hello. I just signed up for a Spamhaus account (key) and added it to mailcow.conf. Then, I used the Spamhaus tool to test the setup (the tool is available at: https://blt.spamhaus.com/test). The test shows some tests as blocked, but some are still delivered (not blocked as they should be).
Below is a screenshot of the test result.

In mailcow's postfix settings, postscreen_dnsbl_threshold is set to 6 while most documents recommend 2 or 3... Could that be the issue?

Any other suggestion?

Thank you!

[screenshot: spamhaus-test-with-key]

mkuron commented 11 months ago

@mikestp27, I've also noticed that Mailcow does not pass the Spamhaus test. Note that, as far as I know, Mailcow is not configured for DBL or ZRD because we only query IP addresses, not domains. (See also #5352.) So all failures you are seeing except for sbl-dqs-ip are okay.

Would you please open a separate issue regarding sbl-dqs-ip instead of posting it on this old issue? We do set weights 6 and 8 via postscreen_dnsbl_sites for XBL/CBL/PBL, but 3-4 for SBL, which does not cross the threshold. So SBL alone does not cause a connection to be rejected, but only if another blacklist also lists this IP address.
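
To make the scoring in this comment concrete, here is an added example (not Postfix or mailcow code) that reproduces how postscreen adds up postscreen_dnsbl_sites weights and compares the sum with postscreen_dnsbl_threshold. The weights (SBL 3, XBL 6, PBL 8) are taken from the comment above as an assumption, and YOUR_DQS_KEY is a placeholder for the real key.

```shell
#!/bin/sh
# Added example, not Postfix or mailcow code: reproduce how postscreen turns
# DNSBL answers into a score and compares it with postscreen_dnsbl_threshold.
# Weights are assumed from the comment above (SBL 3, XBL 6, PBL 8); the
# 127.0.0.x return codes are Spamhaus' zen codes. YOUR_DQS_KEY is a placeholder.

THRESHOLD=6   # mailcow's postscreen_dnsbl_threshold as stated in the thread

# One "zone=127.0.0.[lo..hi]*weight" entry per line, in postscreen's own syntax.
DNSBL_SITES='YOUR_DQS_KEY.zen.dq.spamhaus.net=127.0.0.[2..3]*3
YOUR_DQS_KEY.zen.dq.spamhaus.net=127.0.0.[4..7]*6
YOUR_DQS_KEY.zen.dq.spamhaus.net=127.0.0.[10..11]*8'

# dnsbl_score "<A records returned, space separated>": add the weight of every
# entry whose [lo..hi] range contains the last octet of an answer.
dnsbl_score() {
  score=0
  for reply in $1; do
    last=${reply##*.}                        # e.g. 127.0.0.10 -> 10
    for entry in $DNSBL_SITES; do
      weight=${entry##*\*}                   # text after the last '*'
      range=${entry#*\[}                     # "lo..hi]*weight"
      range=${range%%\]*}                    # "lo..hi"
      lo=${range%%..*}
      hi=${range##*..}
      if [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
        score=$((score + weight))
      fi
    done
  done
  echo "$score"
}

# postscreen_verdict "<A records>": reject once the score reaches the threshold
# (postscreen_dnsbl_threshold is an inclusive lower bound).
postscreen_verdict() {
  if [ "$(dnsbl_score "$1")" -ge "$THRESHOLD" ]; then echo reject; else echo pass; fi
}

# Stand-alone run: SBL alone (127.0.0.2) stays below 6, SBL plus PBL does not.
for answers in "127.0.0.2" "127.0.0.2 127.0.0.10" "127.0.0.4"; do
  echo "$answers -> score $(dnsbl_score "$answers"), $(postscreen_verdict "$answers")"
done
```

In a real main.cf the key-bearing zone name would also be mapped to a neutral name with postscreen_dnsbl_reply_map (linked in the first post) so the DQS key is not echoed to rejected clients.
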