mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Spamhaus DQS - Rejected email reveal DQS key #5353

Closed KiwiActinidia closed 1 year ago

KiwiActinidia commented 1 year ago

Contribution guidelines

I've found a bug and checked that ...

Description

I installed the new update. All setup is fixed if main.cf is ok, but after testing the server configuration with the SpamHaus tester, the verify log reveals the service name in the rejected message:

550 5.7.1 Service unavailable; client [199.168.89.90] blocked using xxxxxxxxxxxxx.zen.dq.spamhaus.net 

The SpamHaus manual about Postfix server configuration requires further instructions for hiding the DQS key in the response message.

I suggest disabling DQS usage until the next update.

Moooohooo
Regards
Alessandro

Logs:

N/A

Steps to reproduce:

N/A

Which branch are you using?

master

Operating System:

N/A

Server/VM specifications:

N/A

Is Apparmor, SELinux or similar active?

N/A

Virtualization technology:

N/A

Docker version:

N/A

docker-compose version or docker compose version:

N/A

mailcow version:

2023-07a

Reverse proxy:

N/A

Logs of git diff:

N/A

Logs of iptables -L -vn:

N/A

Logs of ip6tables -L -vn:

N/A

Logs of iptables -L -vn -t nat:

N/A

Logs of ip6tables -L -vn -t nat:

N/A

DNS check:

N/A

sriccio commented 1 year ago

Yes, this is a huge issue as your secret key can then be used by anyone.

That is because the postfix config is missing the postscreen reply map to hide the key.

This should ideally be added to data/conf/postfix/main.cf (or extra.cf as a temp. workaround until it gets fixed)

postscreen_dnsbl_reply_map = texthash:$config_directory/postscreen_dnsbl_reply_map

You should then create a file `data/conf/postfix/postscreen_dnsbl_reply_map` with:

YOUR_KEY.sbl.dq.spamhaus.net     sbl.spamhaus.org
YOUR_KEY.xbl.dq.spamhaus.net     xbl.spamhaus.org
YOUR_KEY.pbl.dq.spamhaus.net     pbl.spamhaus.org
YOUR_KEY.zen.dq.spamhaus.net     zen.spamhaus.org
YOUR_KEY.dbl.dq.spamhaus.net     dbl.spamhaus.org
YOUR_KEY.zrd.dq.spamhaus.net     zrd.spamhaus.org

Of course replace YOUR_KEY with ... your secret key.

Now restart the postfix container.

docker compose restart postfix-mailcow

Check that the config entry was really added:

docker compose exec postfix-mailcow postconf postscreen_dnsbl_reply_map

Should return:

postscreen_dnsbl_reply_map = texthash:$config_directory/postscreen_dnsbl_reply_map

The key should then stop leaking in the wild now!
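Added example, not part of this thread or of the mailcow project: a small Python check that parses a `postscreen_dnsbl_sites` value and a `postscreen_dnsbl_reply_map` file, lists the DQS hostnames the map does not cover (those would still be echoed to the sender), and flags a rejection line that still carries a key. The sites string, the map contents and the key `EXAMPLEKEY` are constructed placeholders, and any label in front of `<list>.dq.spamhaus.net` is treated as a key.

```python
import re

# Constructed sample values, not taken from any real mailcow install.
# postscreen_dnsbl_sites as postconf prints it: host[=reply-filter][*weight]
DNSBL_SITES = (
    "EXAMPLEKEY.zen.dq.spamhaus.net=127.0.0.[2..11]*3 "
    "EXAMPLEKEY.dbl.dq.spamhaus.net*2 "
    "bl.spamcop.net*1"
)
# Reply map that only covers zen, so dbl is left unmapped on purpose.
REPLY_MAP = "# key -> public name shown to the client\nEXAMPLEKEY.zen.dq.spamhaus.net   zen.spamhaus.org\n"

# Any label directly before "<list>.dq.spamhaus.net" is a DQS key (assumption).
DQS_KEY_RE = re.compile(r"(?<![\w.])([A-Za-z0-9]+)\.([a-z]+)\.dq\.spamhaus\.net\b")


def parse_dnsbl_sites(value):
    """Return the bare hostnames from a postscreen_dnsbl_sites value."""
    hosts = []
    for token in value.split():
        # Strip the optional "=reply-filter" first, then the "*weight" suffix.
        hosts.append(token.split("=", 1)[0].split("*", 1)[0])
    return hosts


def parse_reply_map(text):
    """Parse a texthash reply map: 'lookup-name replacement' per line."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        mapping[key] = value.strip()
    return mapping


def unmapped_dqs_sites(sites_value, reply_map_text):
    """DQS hostnames in dnsbl_sites that the reply map does not rewrite."""
    mapping = parse_reply_map(reply_map_text)
    return [h for h in parse_dnsbl_sites(sites_value)
            if DQS_KEY_RE.search(h) and h not in mapping]


def reject_leaks_key(reject_line):
    """True when a 5xx reply text still contains a keyed DQS hostname."""
    return DQS_KEY_RE.search(reject_line) is not None
```

Run `unmapped_dqs_sites` against the output of `postconf -h postscreen_dnsbl_sites` and the map file to confirm that every keyed list has a replacement before trusting the fix.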