Closed DocFraggle closed 1 year ago
If you put the content of dns_blocklists.cf into extra.cf and restart the container, postscreen_dnsbl_sites is set, looking at the 'postconf -n' output.
https://github.com/mailcow/mailcow-dockerized/pull/5342/files should fix this issue
Hello,
Nice one, thanks :)
However, shouldn't this be somehow optional? I mean, if some admin doesn't want to use DNSBLs to block things at SMTP level, or at least not use all of these?
Kind regards
Oh, I think there's an issue with the generated dns_blocklists.cf. postscreen_dnsbl_sites has white spaces in front of it.
AFAIK, in postfix configs, it means the line is a continuation of the previous line and therefore will cause trouble.
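The line folding described in the comment above can be checked before the container is restarted. The following Python sketch is an added example, not part of the original thread or of mailcow's code; it applies the logical-line rules from postconf(5), and the function name parse_main_cf and the sample fragment are constructed for illustration.

```python
import re

# Heuristic: a continuation line that itself looks like "name = value".
ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*=")

# Constructed sample: the generated parameter is indented by mistake.
SAMPLE = """\
postscreen_dnsbl_threshold = 6
# generated block
  postscreen_dnsbl_sites = XXXXXXXXXX.zen.dq.spamhaus.net=127.0.0.[2..255]*2
postscreen_dnsbl_action = enforce
"""

def parse_main_cf(text):
    """Fold lines as postconf(5) describes.

    Returns (params, swallowed). swallowed lists
    (line_number, intended_parameter, parameter_that_absorbed_it).
    """
    logical = []    # logical lines after folding
    swallowed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # Blank and comment lines are ignored, even inside a continuation.
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            # Leading whitespace: this line continues the previous one.
            owner = logical[-1].partition("=")[0].strip()
            match = ASSIGN.match(stripped)
            if match:
                swallowed.append((lineno, match.group(1), owner))
            logical[-1] += " " + stripped
        else:
            # An indented first line has nothing to continue; treating it
            # as a new logical line is this example's own choice.
            logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params, swallowed

if __name__ == "__main__":
    _, problems = parse_main_cf(SAMPLE)
    for lineno, name, owner in problems:
        print(f"line {lineno}: '{name}' is folded into '{owner}'")
```

A continuation value that legitimately begins with `word=` would also be reported, so treat each hit as something to review and compare against `postconf -n`.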
@sriccio you are right, I fixed this yesterday during debugging but forgot to add the change to my PR...
Next is the wrong domain in some of the Spamhaus lines, it's .net, not .org
Unfortunately, the whole postscreen setup works only partially on my server... Using the blocklist test of Spamhaus, only two of the test emails are actually blocked. After I used the setup proposed by Spamhaus
reject_rhsbl_sender XXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_helo XXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_reverse_client XXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_sender XXXXXXXXXX.dbl.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_helo XXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_reverse_client XXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rbl_client XXXXXXXXXX.zen.dq.spamhaus.net=127.0.0.[2..255]
in the list of smtpd_recipient_restrictions, all of the test mails were blocked successfully.
Ok, the latter may be due to the postscreen cache: while not working properly, the test mails may have been added to the allow cache. I have to test this as soon as I'm home.
Update: I tested this by setting the cache to 2 seconds. Didn't help; only the extra config above worked to block all test mails.
Ok @DocFraggle :)
Hmm, what about having this as an option and not being forced into the postfix config? I mean, how could I disable it when I don't want postfix to block this at SMTP level but let it reach rspamd?
Actually, my own opinion though, I think it's better to let rspamd handle this. If you set enough score so rspamd issues a reject for these, it is kinda like having it rejected directly by postfix but with more flexibility...
There is actually all that is needed to integrate it with rspamd: https://github.com/spamhaus/rspamd-dqs
Which branch are you using?
master
Operating System:
Rocky 8
Server/VM specifications:
16G, 4 cores
Is Apparmor, SELinux or similar active?
No
Virtualization technology:
Hetzner Cloud VM
Docker version:
24.0.2
docker-compose version or docker compose version:
v2.6.1
mailcow version:
2023-07
Reverse proxy:
N/A