Closed MAGICCC closed 1 year ago
Regarding
This also includes maybe a check in the install script to check if the server is using an OVH IP and enables some options
The Spamhaus blog article says: "The Spamhaus Project’s Terms of Use state that it doesn’t allow users to query via DNS resolvers where there is no attributable reverse DNS"
According to this tweet, this also affects people using AWS and Cloudflare for DNS, so just checking for OVH IPs is not enough.
The current Spamhaus Blocklists are configured inside postscreen (Postfix) so we should use them there too!
I would like to dynamically generate the postscreen_dnsbl_sites depending on whether it detects an AWS/Cloudflare/OVH IP.
That detection however will be the trickiest I guess, as we have to detect the AS for the IP and check if it is an Amazon one and so on.
Just build a script which gets the latest ASNs from the 3 providers.
Will publish an asn_list.txt on our fuzzy.mailcow.email server to let mailcow check the host IP's AS against this list. If it detects an AS from those 3, mailcow will warn the user (if not already done) to set up a DQS account and paste the key into mailcow.conf. If he does not want that or the key is not set, mailcow will not use Spamhaus at all if the IP is from a "bad" AS.
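One way to implement the check proposed above, as an added example and not mailcow's own code: parse the origin ASN out of whois output (Team Cymru's pipe table or an RIR route object, both reproduced here as constructed samples), compare it with an asn_list.txt of the proposed form, and emit the Spamhaus entries for postscreen_dnsbl_sites. The list format (one ASN per line, "#" comments), the ASNs in the sample list, the weights and the zone names are assumptions for the example; the real list would be the one published on fuzzy.mailcow.email.

```python
"""Decide whether this host may use the public Spamhaus mirrors or needs a DQS key."""
from __future__ import annotations
import re
import subprocess

# Constructed sample of `whois -h whois.cymru.com " -v <ip>"` output (format
# approximated for this example, not captured from the live service).
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
16276   | 188.165.12.136   | 188.165.0.0/16      | FR | ripencc  | 2009-09-04 | OVH, FR
"""

# Constructed sample of an RIR route object as printed by plain `whois`.
SAMPLE_RIPE_OUTPUT = """\
route:          188.165.0.0/16
descr:          OVH
origin:         AS16276
source:         RIPE
"""

# Hypothetical asn_list.txt: one ASN per line, optional '#' comment. The entries
# are example values, not a vetted list of networks Spamhaus refuses.
SAMPLE_ASN_LIST = """\
# ASNs whose resolvers the public Spamhaus mirrors refuse (example data)
AS16276  # OVH
AS16509  # Amazon
AS13335  # Cloudflare
"""


def parse_origin_asn(whois_text: str) -> str | None:
    """Return the origin ASN ('AS16276') from Cymru table or RIR route-object output."""
    for line in whois_text.splitlines():
        m = re.match(r"^origin:\s*(AS\d+)\s*$", line, re.IGNORECASE)  # RIR style
        if m:
            return m.group(1).upper()
        cells = [c.strip() for c in line.split("|")]  # Cymru style: AS | IP | ...
        if len(cells) >= 2 and cells[0].isdigit():
            return f"AS{cells[0]}"
    return None


def load_asn_list(text: str) -> set[str]:
    """Parse the proposed asn_list.txt; accepts 'AS16276' or bare '16276'."""
    asns: set[str] = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().upper()
        if token.isdigit():
            token = "AS" + token
        if re.fullmatch(r"AS\d+", token):
            asns.add(token)
    return asns


def postscreen_dnsbl_sites(asn: str | None, restricted: set[str], dqs_key: str | None) -> list[str]:
    """Spamhaus entries for postscreen_dnsbl_sites.

    Weights are illustrative (not mailcow's values): PBL 8, XBL 6, SBL/CSS 3.
    Return codes are Spamhaus's documented ZEN codes (.2/.3 SBL, .4-.7 XBL, .10/.11 PBL).
    With no key on a restricted AS, Spamhaus is dropped entirely instead of scoring
    on the error replies the public mirrors would send back.
    """
    if dqs_key:
        zone = f"{dqs_key}.zen.dq.spamhaus.net"
    elif asn in restricted:
        return []
    else:
        zone = "zen.spamhaus.org"
    return [
        f"{zone}=127.0.0.[10;11]*8",
        f"{zone}=127.0.0.[4..7]*6",
        f"{zone}=127.0.0.[2;3]*3",
    ]


def lookup_asn(ip: str) -> str | None:
    """Live lookup via Team Cymru's whois service (needs network and the whois binary)."""
    out = subprocess.run(["whois", "-h", "whois.cymru.com", f" -v {ip}"],
                         capture_output=True, text=True, check=False).stdout
    return parse_origin_asn(out)


if __name__ == "__main__":
    import sys
    host_ip = sys.argv[1]
    key = sys.argv[2] if len(sys.argv) > 2 else None
    origin = lookup_asn(host_ip)
    bad_asns = load_asn_list(SAMPLE_ASN_LIST)
    if origin in bad_asns and not key:
        print(f"{host_ip} is in {origin}: public Spamhaus mirrors refuse this network's "
              "resolvers, sign up for a DQS key and set it in mailcow.conf", file=sys.stderr)
    print("postscreen_dnsbl_sites = " + ", ".join(postscreen_dnsbl_sites(origin, bad_asns, key)))
```

Run it as `python3 check_dqs.py <host-ip> [dqs-key]`; the whois lookup is the only part that touches the network, everything else can be exercised offline with the embedded samples.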
According to this tweet, this also affects people using AWS and Cloudflare for DNS, so just checking for OVH IPs is not enough.
Oh interesting, didn't see it.
Will publish an asn_list.txt on our fuzzy.mailcow.email server to let mailcow check the host IP's AS against this list. If it detects an AS from those 3, mailcow will warn the user (if not already done) to set up a DQS account and paste the key into mailcow.conf. If he does not want that or the key is not set, mailcow will not use Spamhaus at all if the IP is from a "bad" AS.
Hm yes, nice idea. A somewhat nice tool would be https://github.com/ipinfo/cli. The main issue is that the free tier doesn't really allow getting the AS by IP. You could do a grep when using ipinfo myip -j though. Not sure if it breaks with certain ASes.
{
  "ip": "188.165.12.136",
  "hostname": "iperf.ovh.net",
  "city": "Roubaix",
  "region": "Hauts-de-France",
  "country": "FR",
  "country_name": "France",
  "country_flag": {
    "emoji": "🇫🇷",
    "unicode": "U+1F1EB U+1F1F7"
  },
  "country_currency": {
    "code": "EUR",
    "symbol": "€"
  },
  "isEU": true,
  "loc": "50.6942,3.1746",
  "org": "AS16276 OVH SAS",
  "postal": "59051 CEDEX 1",
  "timezone": "Europe/Paris"
}
Hm yes, nice idea. A somewhat nice tool would be https://github.com/ipinfo/cli. The main issue is that the free tier doesn't really allow getting the AS by IP. You could do a grep when using ipinfo myip -j though. Not sure if it breaks with certain ASes.
Already did some checks using the whois package and simple Linux grep and cut and stuff.
So no need for that ☺️
I'm on OVH and it seems like the deadline is today. Will this affect my server somehow? Spamhaus info tells horror stories that mails can start to bounce back to the sender. It would be quite a shitty thing if that happens.
@JiiPee74 You can try to apply this PR using a patch, for example https://patch-diff.githubusercontent.com/raw/mailcow/mailcow-dockerized/pull/5295.patch
Hello. I just signed up for a Spamhaus account (key) and added it to mailcow.conf. Then I used the Spamhaus tool to test the setup (the tool is available at https://blt.spamhaus.com/test). The test shows some tests as blocked, but some are still delivered (not blocked as they should be).
Below is a screenshot of the test result.
In mailcow's postfix settings, postscreen_dnsbl_threshold is set to 6 while most documents recommend 2 or 3... Could that be the issue?
Any other suggestion?
Thank you!
@mikestp27, I've also noticed that mailcow does not pass the Spamhaus test. Note that, as far as I know, mailcow is not configured for DBL or ZRD because we only query IP addresses, not domains. (See also #5352.) So all failures you are seeing except for sbl-dqs-ip are okay.
Would you please open a separate issue regarding sbl-dqs-ip instead of posting it on this old issue? We do set weights 6 and 8 via postscreen_dnsbl_sites for XBL/CBL/PBL, but 3-4 for SBL, which does not cross the threshold. So SBL alone does not cause a connection to be rejected, only if another blacklist also lists this IP address.
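To make the weight-versus-threshold arithmetic in the reply above concrete, here is an added example (not mailcow's configuration or code) that replays postscreen's scoring against constructed DNSBL replies. The weights (PBL 8, XBL 6, SBL/CSS 3, a dnswl allowlist entry at -4) and the `<key>` placeholder for a DQS key are illustrative assumptions; the reply codes are Spamhaus's documented ZEN codes and the `=d.d.d.[a..b]` / `[a;b]` pattern syntax is Postfix's postscreen_dnsbl_sites syntax. It also shows why the reply filters matter: an unfiltered entry counts Spamhaus's 127.255.255.254 error reply (query from a resolver the public mirrors refuse) as a listing, which is exactly how a blocked resolver turns into bounced mail.

```python
"""Replay postscreen_dnsbl_sites scoring offline to see which clients cross the threshold."""
from __future__ import annotations
import re


def _octet_set(octet: str) -> set[int]:
    """Expand one octet of a Postfix address pattern: '4', '[4..7]' or '[10;11]'."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", octet)
    if m:
        return set(range(int(m.group(1)), int(m.group(2)) + 1))
    m = re.fullmatch(r"\[(\d+(?:;\d+)*)\]", octet)
    if m:
        return {int(x) for x in m.group(1).split(";")}
    if octet.isdigit():
        return {int(octet)}
    raise ValueError(f"unsupported octet pattern {octet!r}")


def parse_site(entry: str) -> tuple[str, list[set[int]] | None, int]:
    """Split 'zone[=d.d.d.d][*weight]' into (zone, per-octet filter or None, weight).
    Weight defaults to 1; no filter means any reply address from the zone counts."""
    entry = entry.strip()
    weight = 1
    if "*" in entry:
        entry, w = entry.rsplit("*", 1)
        weight = int(w)  # negative weights are allowlists
    pattern = None
    if "=" in entry:
        entry, pat = entry.split("=", 1)
        tokens = re.findall(r"\[[^\]]*\]|\d+", pat)  # split on dots outside brackets
        if len(tokens) != 4:
            raise ValueError(f"bad address pattern {pat!r}")
        pattern = [_octet_set(t) for t in tokens]
    return entry, pattern, weight


def _matches(pattern: list[set[int]] | None, addr: str) -> bool:
    if pattern is None:
        return True
    octets = [int(o) for o in addr.split(".")]
    return len(octets) == 4 and all(o in allowed for o, allowed in zip(octets, pattern))


def dnsbl_score(sites: list[str], replies: dict[str, list[str]], threshold: int) -> tuple[int, bool]:
    """replies maps a zone to the A records it returned for the client (absent = not listed).
    Each entry adds its weight at most once; this simplification of postscreen's counting is
    exact when a zone returns one address per listing type. Returns (total, total >= threshold)."""
    total = 0
    for entry in sites:
        zone, pattern, weight = parse_site(entry)
        if any(_matches(pattern, a) for a in replies.get(zone, [])):
            total += weight
    return total, total >= threshold


# Illustrative weights, not mailcow's values. "<key>" stands in for a DQS key.
SITES = [
    "<key>.zen.dq.spamhaus.net=127.0.0.[10;11]*8",   # PBL
    "<key>.zen.dq.spamhaus.net=127.0.0.[4..7]*6",    # XBL (CBL is .4)
    "<key>.zen.dq.spamhaus.net=127.0.0.[2;3]*3",     # SBL / CSS
    "list.dnswl.org=127.0.[0..255].[1..3]*-4",       # allowlist, negative weight
]

# Constructed replies for four clients (not real lookups).
CLIENTS = {
    "sbl_only": {"<key>.zen.dq.spamhaus.net": ["127.0.0.2"]},
    "sbl_and_xbl": {"<key>.zen.dq.spamhaus.net": ["127.0.0.2", "127.0.0.4"]},
    "pbl_only": {"<key>.zen.dq.spamhaus.net": ["127.0.0.11"]},
    "sbl_but_allowlisted": {"<key>.zen.dq.spamhaus.net": ["127.0.0.2"],
                            "list.dnswl.org": ["127.0.10.2"]},
}


def verdicts(threshold: int) -> dict[str, tuple[int, bool]]:
    """Score every constructed client against SITES at the given postscreen_dnsbl_threshold."""
    return {name: dnsbl_score(SITES, replies, threshold) for name, replies in CLIENTS.items()}


def error_reply_score(entry: str) -> int:
    """Weight a single entry contributes when the zone answers with Spamhaus's
    127.255.255.254 'anonymous query via public resolver' error code."""
    zone = parse_site(entry)[0]
    return dnsbl_score([entry], {zone: ["127.255.255.254"]}, 1)[0]


if __name__ == "__main__":
    for t in (3, 6):
        print(f"threshold {t}:", verdicts(t))
    print("unfiltered zen.spamhaus.org*3 on error reply ->", error_reply_score("zen.spamhaus.org*3"))
    print("filtered PBL entry on error reply ->", error_reply_score(SITES[0]))
```

At threshold 6 the SBL-only client scores 3 and passes, SBL plus XBL scores 9 and is rejected, PBL alone is rejected at 8, and the dnswl allowlist pulls an SBL hit down to -1; at the threshold of 3 that many guides recommend, the SBL-only client is rejected. The unfiltered `zen.spamhaus.org*3` form scores the error reply as a full listing, the filtered entries score it as nothing.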
Summary
Hello,
Since Spamhaus blocks OVHCloud IPs querying their DNSBL lists now, we have to implement DQS. This also includes maybe a check in the install script to check if the server is using an OVH IP and enables some options such as an
echo hey you need to signup for a spamhaus key
and/or activating the DQS Rspamd plugin https://github.com/spamhaus/rspamd-dqs. More info here with an install guide: https://www.spamhaus.com/resource-center/if-you-query-spamhaus-projects-dnsbls-via-ovhclouds-dns-move-to-the-free-data-query-service Also Postfix docs for the postscreen setup: https://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map
Motivation
Allow users using OVHCloud IPs to query Spamhaus DNSBLs
Additional context
No response