
Re: postscreen_dnsbl_sites

  • Jeroen Geilman
    Message 1 of 12 , May 3 3:05 PM
      On 5/3/2013 9:33 PM, Robert Lopez wrote:
      > If in /etc/postfix/dnsbl_reply file there is a line:
      >
      > the-authorization-key-was-here.zen.dq.spamhaus.net  zen.dq.spamhaus.org
      >
      > And in main.cf there is the line:
      >
      > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
      >
      > Should the line in main.cf for "postscreen_dnsbl_sites = "
      > use the long name with the key in it or the short reply name?

      The one that produces a valid response; if you have a spamhaus subscription, that would be the long one, with your authorization.

      > Does it matter what the short name returned is; that is could I use
      > zen.spamhaus.org just to keep it shorter?

      It's text, in a text response.
      It can be whatever makes you happy.

      --
      J.

    • Robert Lopez
      Message 2 of 12 , May 3 5:27 PM

        I had
        postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
        and
        postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
        and I had
        <the-authorization-key-was-here>.zen.dq.spamhaus.net  zen.dq.spamhaus.org
        in the /etc/postfix/dnsbl_reply file.

        One of many emails sent from a yahoo test account did happen to use a yahoo server listed by zen.dq.spamhaus.org and I did get back a reply with the key exposed:

        Remote host said: 550 5.7.1 Service unavailable; client [98.136.218.178] blocked using <the-authorization-key-was-here>.zen.dq.spamhaus.org [RCPT_TO]

        I then changed the one line in the main.cf from
        postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
        to
        postscreen_dnsbl_sites = zen.dq.spamhaus.org

        and since then none of the test emails have been rejected.

        How can I prove to myself the spamhaus list is actually being used now as opposed to not being used because of configuration?

        --
        Robert Lopez
        Unix Systems Administrator
        Central New Mexico Community College (CNM)
        525 Buena Vista SE
        Albuquerque, New Mexico 87106
      • /dev/rob0
        Message 3 of 12 , May 4 4:48 AM
          Please disable HTML when posting to mailing lists.

          On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
          > I had
          > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org

          This is right.

          > and
          > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
          > in main.cf
          >
          > and I had
          > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

          "net" != "org". This would never match.

          You probably want to rewrite that to "zen.spamhaus.org" without the
          "dq" domain component. That's what non-subscribers use.

          > How can I prove to myself the spamhaus list is actually being used
          > now as opposed to not being used because of configuration?

          http://www.crynwr.com/spam/ provides a testing service. Or, maybe
          you're using a home Internet connection which is listed on PBL. If
          your port 25 is not blocked by the ISP, you could test from home.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Robert Lopez
          Message 4 of 12 , May 6 1:53 PM
            Let me try again. I am assuming the link between a line in the
            dnsbl_reply file and the main.cf file is only a label and it could be
            anything.
            Is that a wrong assumption?

            I have changed the label to make it more obvious.

            Right now in the dnsbl_reply file I have this line (except for the key
            being hidden):
            <hidden-key>.zen.dq.spamhaus.net h.spamhaus.net

            In the main.cf file I have this line:
            postscreen_dnsbl_sites = h.spamhaus.net*1

            I am assuming the h.spamhaus.net in main.cf is being rewritten to
            <hidden-key>.zen.dq.spamhaus.net when postscreen uses the dnsbl.

            What I am seeing in testing is my gateway is returning a statement
            such as this one:
            554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked
            using <hidden-key>.zen.dq.spamhaus.net;
            http://www.spamhaus.org/query/bl?ip=192.203.178.138

            And the above line does in fact contain the actual key that I am trying to hide.

            The version of Postfix I am using (2.10.0) is my first experience with
            postscreen and I am trying to avoid the exposing of this key.

            Is it possible that the key is being exposed not from the
            postscreen_dnsbl_sites line but from a line also in main.cf which says
            the following?
            smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net


            # postconf -n
            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            append_dot_mydomain = yes
            biff = no
            bounce_size_limit = 1
            config_directory = /etc/postfix
            default_process_limit = 400
            header_checks = regexp:/etc/postfix/header_checks
            inet_interfaces = $myhostname, localhost
            inet_protocols = ipv4
            mailbox_size_limit = 0
            masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
            max_use = 100
            message_size_limit = 26214400
            mydestination = $myhostname, $mydomain, localhost.localdomain,
            cnm.edu, mail.cnm.edu
            mydomain = cnm.edu
            mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
            198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
            127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
            notify_classes = resource, software
            postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr
            postscreen_dnsbl_action = enforce
            postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
            postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1
            bl.spamcop.net*1 dnsbl.sorbs.net*1
            postscreen_dnsbl_threshold = 2
            readme_directory = no
            recipient_delimiter = +
            relay_domains =
            relayhost =
            smtp_host_lookup = dns, native
            smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
            smtpd_banner = cnm.edu ESMTP
            smtpd_client_restrictions = reject_unauth_pipelining
            check_client_access hash:/etc/postfix/whitelist check_client_access
            cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
            permit_mynetworks reject_rbl_client
            <hidden-key>.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client
            b.barracudacentral.org reject_rbl_client bl.spamcop.net
            reject_rbl_client dnsbl.sorbs.net
            smtpd_helo_required = yes
            smtpd_helo_restrictions = permit_mynetworks check_helo_access
            hash:/etc/postfix/helo-ip reject_invalid_hostname
            reject_non_fqdn_helo_hostname
            smtpd_recipient_restrictions = permit_mynetworks
            reject_unknown_recipient_domain reject_unlisted_recipient
            reject_non_fqdn_recipient reject_unknown_recipient_domain
            smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
            smtpd_sender_restrictions = check_sender_access
            hash:/etc/postfix/whitelist check_sender_access
            hash:/etc/postfix/greylist check_sender_access
            hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
            reject_unknown_sender_domain
            smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
            smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
            smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
            smtpd_use_tls = yes
            virtual_alias_maps = hash:/etc/postfix/virtualaliases


            --
            Robert Lopez
            Unix Systems Administrator
            Central New Mexico Community College (CNM)
            525 Buena Vista SE
            Albuquerque, New Mexico 87106
          • Wietse Venema
            Message 5 of 12 , May 6 2:10 PM
              Robert Lopez:
              > Let me try again. I am assuming the link between a line in the
              > dnsbl_reply file and the main.cf file is only a label and it could be
              > anything.
              > Is that a wrong assumption?

              Please describe what is not clear about the following text:

              postscreen_dnsbl_reply_map (default: empty)
              A mapping from actual DNSBL domain name which includes a secret password,
              to the DNSBL domain name that postscreen will reply with when it
              rejects mail. When no mapping is found, the actual DNSBL domain will
              be used.

              For maximal stability it is best to use a file that is read into memory
              such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
              except a) there is no need to run postmap(1) before the file can be
              used, and b) texthash: does not detect changes after the file is read).

              Example:

              /etc/postfix/main.cf:
              postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

              /etc/postfix/dnsbl_reply:
              secret.zen.spamhaus.org zen.spamhaus.org

              This feature is available in Postfix 2.8.

              Once you set up your postscreen_dnsbl_reply_map, you can query it
              to ensure that it works as expected. Using the above example,
              the command

              postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply

              should produce "zen.spamhaus.org" as output.

              Thanks for helping to improve Postfix.

              Wietse
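The check Wietse describes with `postmap -q`, and the net/org mismatch /dev/rob0 spotted by eye, can be automated. The following is an added example written for this page; it is not Postfix code and not from any poster. It re-implements just enough of the texthash: table format to reproduce what `postmap -q` would answer, then audits every domain in `postscreen_dnsbl_sites` for a matching left-hand side in the reply map and for a right-hand side that still contains the key. All sample values are constructed, and `secretkey` stands in for a real subscription key; the "broken" map repeats the thread's mistake (query name ends in .org, map entry ends in .net).

```python
"""Check a postscreen_dnsbl_reply_map against postscreen_dnsbl_sites.

Added example (not Postfix code). It re-implements only as much of the
texthash: table format as needed (one "key value" pair per line, '#'
comments and blank lines ignored) to reproduce the answer `postmap -q`
gives, then audits the site list the way an admin would before trusting
the map to keep a DNSBL subscription key out of SMTP replies.
"""

# Constructed sample data; "secretkey" is a placeholder for a real key.
# The mismatch below is the one from the thread: the site list uses
# .org, the map's left-hand side uses .net, so the lookup never matches.
DNSBL_REPLY_BROKEN = """\
# /etc/postfix/dnsbl_reply (constructed sample)
secretkey.zen.dq.spamhaus.net  zen.dq.spamhaus.org
"""

# Corrected map: left-hand side is the exact query name, right-hand side
# is the public name that may appear in a reject reply.
DNSBL_REPLY_FIXED = """\
secretkey.zen.dq.spamhaus.org  zen.spamhaus.org
"""

# Constructed postscreen_dnsbl_sites value, using the documented
# "domain[=d.d.d.d][*weight]" syntax.
DNSBL_SITES = "secretkey.zen.dq.spamhaus.org*2 bl.spamcop.net*1 dnsbl.sorbs.net"

SECRET_MARKER = "secretkey"   # substring that must never reach a client


def parse_texthash(text):
    """Parse texthash: table text into a dict (key -> value)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed texthash line: {raw!r}")
        table[parts[0]] = parts[1].strip()
    return table


def lookup(table, key):
    """Equivalent of `postmap -q KEY texthash:FILE`: the value, or None."""
    return table.get(key)


def parse_dnsbl_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, weight) pairs."""
    sites = []
    for token in value.split():
        spec, _, weight = token.partition("*")
        domain = spec.split("=", 1)[0]        # drop any "=d.d.d.d" filter
        sites.append((domain, int(weight) if weight else 1))
    return sites


def audit(sites_value, texthash_text, secret=SECRET_MARKER):
    """Return a list of problems; an empty list means the map is consistent."""
    table = parse_texthash(texthash_text)
    sites = parse_dnsbl_sites(sites_value)
    domains = {d for d, _ in sites}
    problems = []
    for domain, _weight in sites:
        reply = lookup(table, domain)
        if reply is None and secret in domain:
            # "When no mapping is found, the actual DNSBL domain will be used."
            problems.append(f"{domain}: no mapping, key would appear in replies")
        elif reply is not None and secret in reply:
            problems.append(f"{domain}: reply name {reply!r} still contains the key")
    for key in table:
        if key not in domains:
            problems.append(f"{key}: map entry matches no site in postscreen_dnsbl_sites")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", DNSBL_REPLY_BROKEN), ("fixed", DNSBL_REPLY_FIXED)):
        print(label, audit(DNSBL_SITES, text) or "OK")
```

Run against the broken map the audit reports both halves of the mismatch (the .org query has no mapping, and the .net map entry never matches anything); against the fixed map it reports nothing. The real check is still `postmap -q <query-name> texthash:/etc/postfix/dnsbl_reply`, which must print the public name.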
            • Jan P. Kessler
              Message 6 of 12 , May 6 2:24 PM
                > Is it possible that the key is being exposed not from the
                > postscreen_dnsbl_sites line but from a line also in main.cf which says
                > the following?
                > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

                Use rbl_reply_maps and a text without $rbl_domain:
                http://www.postfix.org/postconf.5.html#rbl_reply_maps

                And... get a new spamhaus key, NOW:

                # telnet mg05.cnm.edu 25
                Trying 198.133.182.65...
                Connected to mg05.cnm.edu.
                Escape character is '^]'.
                220 mg05.cnm.edu ESMTP Postfix
                HELO ruv.de
                250 mg05.cnm.edu
                MAIL FROM:jpk@somedomain
                250 2.1.0 Ok
                RCPT TO:hostmaster@...
                554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using
                <GOTIT>.zen.dq.spamhaus.net;
                http://www.spamhaus.org/query/bl?ip=47.66.81.105
                quit
                221 2.0.0 Bye
              • Wietse Venema
                Message 7 of 12 , May 6 4:08 PM
                  Jan P. Kessler:
                  >
                  > > Is it possible that the key is being exposed not from the
                  > > postscreen_dnsbl_sites line but from a line also in main.cf which says
                  > > the following?
                  > > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

                  Yes. Postfix logging will tell you which program produces
                  the REJECT message: smtpd or postscreen.

                  Wietse
                • /dev/rob0
                  Message 8 of 12 , May 6 5:37 PM
                    On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
                    > On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
                    > > I had
                    > > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
                    >
                    > This is right.

                    Let me try again also! I presume your lookup is actually against
                    key.zen.dq.spamhaus.org. That's what I said was right. Hereafter,
                    "key" will be substituted for the actual key.

                    > > and
                    > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                    > > in main.cf
                    > >
                    > > and I had
                    > > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

                    And here you are talking about spamhaus.net. Which is your lookup
                    against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note
                    that "net" is not "org".

                    > "net" != "org". This would never match.

                    Assuming that you DID mean key.zen.dq.spamhaus.org, your
                    postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would
                    never match, because as we have seen, "net" is not "org". :)

                    If "net" was right, your munging was wrong.

                    > You probably want to rewrite that to "zen.spamhaus.org" without
                    > the "dq" domain component. That's what non-subscribers use.
                    >
                    > > How can I prove to myself the spamhaus list is actually being used
                    > > now as opposed to not being used because of configuration?
                    >
                    > http://www.crynwr.com/spam/ provides a testing service. Or, maybe
                    > you're using a home Internet connection which is listed on PBL. If
                    > your port 25 is not blocked by the ISP, you could test from home.
                    --
                    http://rob0.nodns4.us/ -- system administration and consulting
                    Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                  • Robert Lopez
                    Message 9 of 12 , May 7 12:03 PM
                      On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                      > Robert Lopez:
                      >> Let me try again. I am assuming the link between a line in the
                      >> dnsbl_reply file and the main.cf file is only a label and it could be
                      >> anything.
                      >> Is that a wrong assumption?
                      >
                      > Please describe what is not clear about the following text:
                      >
                      > postscreen_dnsbl_reply_map (default: empty)
                      > A mapping from actual DNSBL domain name which includes a secret password,
                      > to the DNSBL domain name that postscreen will reply with when it
                      > rejects mail. When no mapping is found, the actual DNSBL domain will
                      > be used.
                      >
                      > For maximal stability it is best to use a file that is read into memory
                      > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                      > except a) there is no need to run postmap(1) before the file can be
                      > used, and b) texthash: does not detect changes after the file is read).
                      >
                      > Example:
                      >
                      > /etc/postfix/main.cf:
                      > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                      >
                      > /etc/postfix/dnsbl_reply:
                      > secret.zen.spamhaus.org zen.spamhaus.org
                      >
                      > This feature is available in Postfix 2.8.
                      >
                      > Once you set up your postscreen_dnsbl_reply_map, you can query it
                      > to ensure that it works as expected. Using the above example,
                      > the command
                      >
                      > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                      >
                      > should produce "zen.spamhaus.org" as output.
                      >
                      > Thanks for helping to improve Postfix.
                      >
                      > Wietse

                      What is not clear to me in that description is the reason for my
                      original question
                      "Does it matter what the short name returned is; that is could I use
                      zen.spamhaus.org just to keep it shorter?"

                      I tried to make that question more clear the second time I posted by
                      " I am assuming the link between a line in the
                      dnsbl_reply file and the main.cf file is only a label and it could be
                      anything.
                      Is that a wrong assumption?
                      I have changed the label to make it more obvious."

                      To me when I read the text you provided I am left with the question
                      "If the real query address, with the key, is being replaced by some
                      other name, does it matter what that name is and can it be shortened
                      up?"

                      Of course, the reason for my post in the first place was my concern that
                      the name with the key was returned in a reply to a test email I sent
                      from a Yahoo test account which just happened to have been delivered
                      from a Yahoo server which was listed by zen.spam.net.

                      Also, I did have a bit of a mix-up in that in your example text you do
                      use zen.spamhaus.org and in my original set-up instructions from the
                      vendor from whom CNM purchases the Spamhaus service, the address
                      I am to query is <key>.zen.dq.spamhaus.net. This is not to say there is
                      any problem in your text. It was simply my dyslexia seeing what I expect
                      to see and not noticing the net v org that /dev/rob has pointed out.

                      Your making clear two other points (using postmap -q and looking for the
                      log lines to distinguish between postscreen and smtpd) were helpful
                      to me.

                      I can see the returned information which did disclose the key came from
                      postscreen:

                      May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
                      from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
                      [98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
                      from=<rlopezcnm@...>, to=<rlopez@...>, proto=SMTP,
                      helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

                      Finally, /dev/rob was exactly correct in that the two labels used differed
                      (.net v .org),
                      causing the lookup to fail and "When no mapping is found, the actual
                      DNSBL domain will be used."

                      I believe the answer to my question is the text of the label does not matter
                      (but it must be meaningful enough to communicate) but it must be
                      exactly the same in the dnsbl_reply file and the main.cf file.

                      Life as a dyslexic person is often embarrassing.

                      Thank you.
                      --
                      Robert Lopez
                      Unix Systems Administrator
                      Central New Mexico Community College (CNM)
                      525 Buena Vista SE
                      Albuquerque, New Mexico 87106
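Wietse's point in message 7, that the log line names the program which produced the REJECT, and Jan's point in message 6, that smtpd's reply text is governed by `rbl_reply_maps` rather than `postscreen_dnsbl_reply_map`, together give a simple log check for key disclosure. The following is an added example written for this page, not Postfix code and not from any poster: it classifies "blocked using" reject lines by program, flags those whose DNSBL name contains the key, and names the main.cf parameter that controls that program's reply text. The log lines are constructed, modelled on the excerpt above, with placeholder hosts and addresses and `secretkey` standing in for a real key.

```python
"""Find DNSBL reject log lines that expose a subscription key, per program.

Added example (not Postfix code). The program named in the log line
(postscreen or smtpd) decides which setting hides the key:
postscreen_dnsbl_reply_map for postscreen, rbl_reply_maps with a reply
text that omits $rbl_domain for smtpd.
"""
import re

SECRET_MARKER = "secretkey"   # placeholder for the real key

# Constructed log lines modelled on the excerpt in this thread; hosts,
# addresses and the key are placeholders.
SAMPLE_LOG = """\
May  3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [192.0.2.10]:45242: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using secretkey.zen.dq.spamhaus.org; from=<a@example.org>, to=<b@example.com>, proto=SMTP, helo=<mx.example.org>
May  3 17:55:12 mg08 postfix/smtpd[10300]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using secretkey.zen.dq.spamhaus.net; http://www.spamhaus.org/query/bl?ip=192.0.2.11; from=<c@example.net> to=<b@example.com> proto=ESMTP helo=<mx.example.net>
May  3 17:56:40 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [192.0.2.12]:51000: 550 5.7.1 Service unavailable; client [192.0.2.12] blocked using zen.spamhaus.org; from=<d@example.org>, to=<b@example.com>, proto=SMTP, helo=<mx2.example.org>
May  3 17:57:02 mg08 postfix/postscreen[10279]: PASS NEW [192.0.2.13]:34567
"""

# Which main.cf parameter controls the reply text for each program.
REMEDY = {
    "postscreen": "postscreen_dnsbl_reply_map",
    "smtpd": "rbl_reply_maps",
}

PROGRAM_RE = re.compile(r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<msg>.*)$")
BLOCKED_RE = re.compile(r"blocked using (?P<dnsbl>[^;\s]+)")


def classify(line, secret=SECRET_MARKER):
    """Return details for a DNSBL reject line, or None for anything else."""
    m = PROGRAM_RE.search(line)
    if m is None:
        return None
    b = BLOCKED_RE.search(m.group("msg"))
    if b is None:
        return None
    dnsbl = b.group("dnsbl")
    program = m.group("prog")
    return {
        "program": program,
        "dnsbl": dnsbl,
        "leaks_key": secret in dnsbl,
        "fix": REMEDY.get(program, "unknown"),
    }


def find_leaks(log_text, secret=SECRET_MARKER):
    """All reject lines whose reply text contains the key."""
    found = []
    for line in log_text.splitlines():
        info = classify(line, secret)
        if info is not None and info["leaks_key"]:
            found.append(info)
    return found


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print(f"{hit['program']} disclosed {hit['dnsbl']}; fix via {hit['fix']}")
```

On the sample log the first line (postscreen) and the second (smtpd) are flagged, each with its own remedy; the third is a clean postscreen reject using the public name, and the PASS line is ignored. Against a real mail log, replace `SECRET_MARKER` with the key itself and feed the file's lines to `find_leaks`.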
                    • Wietse Venema
                      Message 10 of 12 , May 7 12:21 PM
                        Robert Lopez:
                        > On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                        > > Robert Lopez:
                        > >> Let me try again. I am assuming the link between a line in the
                        > >> dnsbl_reply file and the main.cf file is only a label and it could be
                        > >> anything.
                        > >> Is that a wrong assumption?
                        > >
                        > > Please describe what is not clear about the following text:
                        > >
                        > > postscreen_dnsbl_reply_map (default: empty)
                        > > A mapping from actual DNSBL domain name which includes a secret password,
                        > > to the DNSBL domain name that postscreen will reply with when it
                        > > rejects mail. When no mapping is found, the actual DNSBL domain will
                        > > be used.
                        > >
                        > > For maximal stability it is best to use a file that is read into memory
                        > > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                        > > except a) there is no need to run postmap(1) before the file can be
                        > > used, and b) texthash: does not detect changes after the file is read).
                        > >
                        > > Example:
                        > >
                        > > /etc/postfix/main.cf:
                        > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                        > >
                        > > /etc/postfix/dnsbl_reply:
                        > > secret.zen.spamhaus.org zen.spamhaus.org
                        > >
                        > > This feature is available in Postfix 2.8.
                        > >
                        > > Once you set up your postscreen_dnsbl_reply_map, you can query it
                        > > to ensure that it works as expected. Using the above example,
                        > > the command
                        > >
                        > > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                        > >
                        > > should produce "zen.spamhaus.org" as output.
                        > >
                        > > Thanks for helping to improve Postfix.
                        > >
                        > > Wietse
                        >
                        > What is not clear to me in that description is the reason for my
                        > original question "Does it matter what the short name returned is;
                        > that is could I use zen.spamhaus.org just to keep it shorter?"

                        As documented, the name on the right-hand side of the table is used
                        in the postscreen REPLY.

                        This name is NOT USED for the DNSBL query.

                        This name is NOT USED for lots of other things.

                        This name is USED ONLY for the purpose as documented.

                        Wietse
                      • /dev/rob0
                        Message 11 of 12 , May 7 4:28 PM
                          On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
                          > What is not clear to me in that description is the reason for
                          > my original question
                          > "Does it matter what the short name returned is; that is could
                          > I use zen.spamhaus.org just to keep it shorter?"

                          In my example:
                          http://rob0.nodns4.us/postscreen.html
                          I use a negated lookup. Basically, if zen.spamhaus.org is not among
                          the DNSBL hits, my senders see that they were blocked by "multiple
                          DNS-based blocklists".

                          So no, there need not be any connection between the lookup key and
                          the result. I think in your case you will want to use
                          "zen.spamhaus.org" as the result.
                          --
                          http://rob0.nodns4.us/ -- system administration and consulting
                          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: