293014 Re: postscreen_dnsbl_sites

  • Robert Lopez
    May 7, 2013
      On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
      > Robert Lopez:
      >> Let me try again. I am assuming the link between a line in the
      >> dnsbl_reply file and the main.cf file is only a label and it could be
      >> anything.
      >> Is that a wrong assumption?
      >
      > Please describe what is not clear about the following text:
      >
      > postscreen_dnsbl_reply_map (default: empty)
      > A mapping from actual DNSBL domain name which includes a secret pass-
      > word, to the DNSBL domain name that postscreen will reply with when it
      > rejects mail. When no mapping is found, the actual DNSBL domain will
      > be used.
      >
      > For maximal stability it is best to use a file that is read into memory
      > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
      > except a) there is no need to run postmap(1) before the file can be
      > used, and b) texthash: does not detect changes after the file is read).
      >
      > Example:
      >
      > /etc/postfix/main.cf:
      >     postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
      >
      > /etc/postfix/dnsbl_reply:
      >     secret.zen.spamhaus.org    zen.spamhaus.org
      >
      > This feature is available in Postfix 2.8.
      >
      > Once you set up your postscreen_dnsbl_reply_map, you can query it
      > to ensure that it works as expected. Using the above example,
      > the command
      >
      >     postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
      >
      > should produce "zen.spamhaus.org" as output.
      >
      > Thanks for helping to improve Postfix.
      >
      > Wietse

      What is not clear to me in that description is the reason for my
      original question
      "Does it matter what the short name returned is; that is could I use
      zen.spamhaus.org just to keep it shorter?"

      I tried to make that question more clear the second time I posted by
      "I am assuming the link between a line in the
      dnsbl_reply file and the main.cf file is only a label and it could be
      anything.
      Is that a wrong assumption?
      I have changed the label to make it more obvious."

      To me when I read the text you provided I am left with the question
      "If the real query address, with the key, is being replaced by some
      other name, does it matter what that name is and can it be shortened
      up?"

      Of course, the reason for my post in the first place was my concern that
      the name with the key was returned in a reply to a test email I sent
      from a Yahoo test account which just happened to have been delivered
      from a Yahoo server which was listed by zen.spam.net.

      Also, I did have a bit of a mix-up in that in your example text you do
      use zen.spamhaus.org and in my original set-up instructions from the
      vendor from whom CNM purchases the Spamhaus service, the address
      I am to query is <key>..zen.dq.spamhaus.net. This is not to say there is
      any problem in your text. It was simply my dyslexia seeing what I expect
      to see and not noticing the net v org that /dev/rob has pointed out.

      Your making clear two other points (using postmap -q and looking for the
      log lines to distinguish between postscreen and smtpd) were helpful
      to me.

      I can see the returned information which did disclose the key came from
      postscreen:

      May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
      from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
      [98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
      from=<rlopezcnm@...>, to=<rlopez@...>, proto=SMTP,
      helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

      Finally, /dev/rob was exactly correct in that the two labels used
      differed (.net v .org), causing the lookup to fail, and "When no
      mapping is found, the actual DNSBL domain will be used."

      I believe the answer to my question is the text of the label does not matter
      (but it must be meaningful enough to communicate) but it must be
      exactly the same in the dnsbl_reply file and the main.cf file.

      Life as a dyslexic person is often embarrassing.

      Thank you.
      --
      Robert Lopez
      Unix Systems Administrator
      Central New Mexico Community College (CNM)
      525 Buena Vista SE
      Albuquerque, New Mexico 87106
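
The .net/.org mismatch this message ends on can be caught before postscreen ever rejects a client. The following is an added example, not part of the original message or of Postfix: a Python check that lists every postscreen_dnsbl_sites domain with no exactly matching key in a texthash: reply map. The key `examplekey`, the site `bl.example.org`, the sample values and all function names are constructed for illustration; texthash continuation lines are not handled.

```python
import re

def dnsbl_domains(sites_value):
    """Domain part of each postscreen_dnsbl_sites entry, without the
    optional "=filter" and "*weight" suffixes."""
    entries = [e for e in re.split(r"[,\s]+", sites_value) if e]
    return [re.split(r"[=*]", e, maxsplit=1)[0] for e in entries]

def parse_texthash(text):
    """Parse "key value" lines, skipping blank lines and # comments.
    Continuation lines are not handled here."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].strip()
    return table

def unmapped_domains(sites_value, reply_map_text):
    """Queried domains with no exactly matching reply-map key; these are
    the names postscreen would put in its reject text unchanged."""
    table = parse_texthash(reply_map_text)
    return [d for d in dnsbl_domains(sites_value) if d not in table]

def unused_keys(sites_value, reply_map_text):
    """Reply-map keys that match no queried domain (often a typo)."""
    queried = set(dnsbl_domains(sites_value))
    return [k for k in parse_texthash(reply_map_text) if k not in queried]

# Constructed sample: a postscreen_dnsbl_sites value and dnsbl_reply contents
# that differ only in .net versus .org, as in the thread.
SITES = "examplekey.zen.dq.spamhaus.net*2, bl.example.org=127.0.0.[2..4]"
REPLY_MAP = """\
# constructed dnsbl_reply contents
examplekey.zen.dq.spamhaus.org   zen.spamhaus.org
"""

if __name__ == "__main__":
    for d in unmapped_domains(SITES, REPLY_MAP):
        print("no reply-map entry, shown as-is:", d)
    for k in unused_keys(SITES, REPLY_MAP):
        print("reply-map key matches no queried domain:", k)
```

A domain reported by both functions with near-identical spelling is the case described above; a public list such as the constructed `bl.example.org` carries no key, so its appearance in the first list is harmless.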