
Re: postscreen_dnsbl_sites

  • Robert Lopez
    Message 1 of 12, May 3, 2013

      I had
      postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
      and
      postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
      and I had
      <the-authorization-key-was-here>.zen.dq.spamhaus.net  zen.dq.spamhaus.org
      in the /etc/postfix/dnsbl_reply file.

      One of many email sent from a yahoo test account did happen to use a yahoo server listed by zen.dq.spamhaus.org and I did get back a reply with the key exposed:

      Remote host said: 550 5.7.1 Service unavailable; client [98.136.218.178] blocked using <the-authorization-key-was-here>.zen.dq.spamhaus.org [RCPT_TO]

      I then changed the one line in the main.cf from
      postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
      to
      postscreen_dnsbl_sites = zen.dq.spamhaus.org

      and since then none of the test emails has been rejected.

      How can I prove to myself that the spamhaus list is actually being used now, as opposed to not being used because of configuration?

      --
      Robert Lopez
      Unix Systems Administrator
      Central New Mexico Community College (CNM)
      525 Buena Vista SE
      Albuquerque, New Mexico 87106
    • /dev/rob0
      Message 2 of 12, May 4, 2013
        Please disable HTML when posting to mailing lists.

        On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
        > I had
        > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org

        This is right.

        > and
        > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
        > in main.cf
        >
        > and I had
        > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

        "net" != "org". This would never match.

        You probably want to rewrite that to "zen.spamhaus.org" without the
        "dq" domain component. That's what non-subscribers use.

        > How can I prove to myself the spamhaus list actually being used
        > now as opposed to being not used because of configuration?

        http://www.crynwr.com/spam/ provides a testing service. Or, maybe
        you're using a home Internet connection which is listed on PBL. If
        your port 25 is not blocked by the ISP, you could test from home.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      • Robert Lopez
        Message 3 of 12, May 6, 2013
          Let me try again. I am assuming the link between a line in the
          dnsbl_reply file and the main.cf file is only a label and it could be
          anything.
          Is that a wrong assumption?

          I have changed the label to make it more obvious.

          Right now in the dnsbl_reply file I have this line (except for the key
          being hidden):
          <hidden-key>.zen.dq.spamhaus.net h.spamhaus.net

          In the main.cf file I have this line:
          postscreen_dnsbl_sites = h.spamhaus.net*1

          I am assuming the h.spamhaus.net in main.cf is being rewritten to
          <hidden-key>.zen.dq.spamhaus.net when postscreen uses the dnsbl.

          What I am seeing in testing is my gateway is returning a statement
          such as this one:
          554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked
          using <hidden-key>.zen.dq.spamhaus.net;
          http://www.spamhaus.org/query/bl?ip=192.203.178.138

          And the above line does in fact contain the actual key that I am trying to hide.

          The version of Postfix I am using (2.10.0) is my first experience with
          postscreen and I am trying to avoid exposing this key.

          Is it possible that the key is being exposed not from the
          postscreen_dnsbl_sites line but from a line also in main.cf which says
          the following?
          smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net


          # postconf -n
          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          append_dot_mydomain = yes
          biff = no
          bounce_size_limit = 1
          config_directory = /etc/postfix
          default_process_limit = 400
          header_checks = regexp:/etc/postfix/header_checks
          inet_interfaces = $myhostname, localhost
          inet_protocols = ipv4
          mailbox_size_limit = 0
          masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
          max_use = 100
          message_size_limit = 26214400
          mydestination = $myhostname, $mydomain, localhost.localdomain,
          cnm.edu, mail.cnm.edu
          mydomain = cnm.edu
          mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
          198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
          127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
          notify_classes = resource, software
          postscreen_access_list = permit_mynetworks,
          cidr:/etc/postfix/postscreen_access.cidr
          postscreen_dnsbl_action = enforce
          postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
          postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1
          bl.spamcop.net*1 dnsbl.sorbs.net*1
          postscreen_dnsbl_threshold = 2
          readme_directory = no
          recipient_delimiter = +
          relay_domains =
          relayhost =
          smtp_host_lookup = dns, native
          smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
          smtpd_banner = cnm.edu ESMTP
          smtpd_client_restrictions = reject_unauth_pipelining
          check_client_access hash:/etc/postfix/whitelist check_client_access
          cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
          permit_mynetworks reject_rbl_client
          <hidden-key>.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client
          b.barracudacentral.org reject_rbl_client bl.spamcop.net
          reject_rbl_client dnsbl.sorbs.net
          smtpd_helo_required = yes
          smtpd_helo_restrictions = permit_mynetworks check_helo_access
          hash:/etc/postfix/helo-ip reject_invalid_hostname
          reject_non_fqdn_helo_hostname
          smtpd_recipient_restrictions = permit_mynetworks
          reject_unknown_recipient_domain reject_unlisted_recipient
          reject_non_fqdn_recipient reject_unknown_recipient_domain
          smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
          smtpd_sender_restrictions = check_sender_access
          hash:/etc/postfix/whitelist check_sender_access
          hash:/etc/postfix/greylist check_sender_access
          hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
          reject_unknown_sender_domain
          smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
          smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
          smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
          smtpd_use_tls = yes
          virtual_alias_maps = hash:/etc/postfix/virtualaliases


          --
          Robert Lopez
          Unix Systems Administrator
          Central New Mexico Community College (CNM)
          525 Buena Vista SE
          Albuquerque, New Mexico 87106
        • Wietse Venema
          Message 4 of 12, May 6, 2013
            Robert Lopez:
            > Let me try again. I am assuming the link between a line in the
            > dnsbl_reply file and the main.cf file is only a label and it could be
            > anything.
            > Is that a wrong assumption?

            Please describe what is not clear about the following text:

            postscreen_dnsbl_reply_map (default: empty)
            A mapping from actual DNSBL domain name which includes a secret pass-
            word, to the DNSBL domain name that postscreen will reply with when it
            rejects mail. When no mapping is found, the actual DNSBL domain will
            be used.

            For maximal stability it is best to use a file that is read into memory
            such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
            except a) there is no need to run postmap(1) before the file can be
            used, and b) texthash: does not detect changes after the file is read).

            Example:

            /etc/postfix/main.cf:
            postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

            /etc/postfix/dnsbl_reply:
            secret.zen.spamhaus.org zen.spamhaus.org

            This feature is available in Postfix 2.8.

            Once you set up your postscreen_dnsbl_reply_map, you can query it
            to ensure that it works as expected. Using the above example,
            the command

            postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply

            should produce "zen.spamhaus.org" as output.

            Thanks for helping to improve Postfix.

            Wietse
          • Jan P. Kessler
            Message 5 of 12, May 6, 2013
              > Is it possible that the key is being exposed not from the
              > postscreen_dnsbl_sites line but from a line also in main.cf which says
              > the following?
              > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

              Use rbl_reply_maps and a text without $rbl_domain:
              http://www.postfix.org/postconf.5.html#rbl_reply_maps

              And... get a new spamhaus key, NOW:

              # telnet mg05.cnm.edu 25
              Trying 198.133.182.65...
              Connected to mg05.cnm.edu.
              Escape character is '^]'.
              220 mg05.cnm.edu ESMTP Postfix
              HELO ruv.de
              250 mg05.cnm.edu
              MAIL FROM:jpk@somedomain
              250 2.1.0 Ok
              RCPT TO:hostmaster@...
              554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using
              <GOTIT>.zen.dq.spamhaus.net;
              http://www.spamhaus.org/query/bl?ip=47.66.81.105
              quit
              221 2.0.0 Bye
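Wietse's advice to verify the reply map with `postmap -q`, together with Jan's point that the smtpd side (`reject_rbl_client`) needs `rbl_reply_maps` with a template that omits `$rbl_domain`, combined into one audit script. This is an added example, not code from the thread or from Postfix. It assumes a placeholder key (`SECRET-KEY-PLACEHOLDER`), emulates the `texthash:` lookup in awk so it runs without a Postfix install, and treats zone names as case-insensitive; the tables it writes are constructed to reproduce the `.net` vs `.org` mismatch from this thread.

```shell
#!/bin/sh
# Added example, not Postfix code. Audits the two texthash tables that keep a
# keyed DNSBL zone out of SMTP replies; both are "zone value" files indexed by
# the zone name that Postfix actually queries:
#   postscreen_dnsbl_reply_map : zone -> name postscreen prints in its reject
#   rbl_reply_maps             : zone -> reply template smtpd uses for
#                                reject_rbl_client (written without $rbl_domain)
# A zone listed in main.cf but missing from the table falls back to the real
# name, key included. texthash_lookup emulates "postmap -q KEY texthash:FILE"
# in awk so the audit runs without a Postfix install (assumption: keys compare
# case-insensitively, like DNS names). The key below is a placeholder.

KEY=SECRET-KEY-PLACEHOLDER

# usage: texthash_lookup KEY FILE -> prints the value, exit 1 when no entry
texthash_lookup() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }          # comments, blank lines
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Zone name from a postscreen_dnsbl_sites entry: strip "*weight" and "=filter".
site_zone() { printf '%s\n' "$1" | sed 's/[*=].*$//'; }

# usage: unmapped_zones "ZONE-LIST" FILE -> one line per zone with no entry.
# Every zone printed would appear verbatim in a reject, key and all.
unmapped_zones() {
    set -f                                      # never glob "zone*1"
    for entry in $1; do
        zone=$(site_zone "$entry")
        texthash_lookup "$zone" "$2" >/dev/null || printf '%s\n' "$zone"
    done
    set +f
}

# Constructed tables reproducing the thread: the reply map's left-hand side
# says .net while main.cf queries .org, so that entry never matches.
write_demo_tables() {                           # usage: write_demo_tables DIR
    cat > "$1/dnsbl_reply" <<EOF
# actual zone with key                      name shown in the reject
$KEY.zen.dq.spamhaus.net                   zen.spamhaus.org
bl.spamcop.net                             bl.spamcop.net
EOF
    cat > "$1/rbl_reply" <<EOF
# zone                      template: \$rbl_domain deliberately left out
$KEY.zen.dq.spamhaus.org   \$rbl_code Service unavailable; \$rbl_class [\$rbl_what] blocked using Spamhaus ZEN
EOF
}

demo_audit() {
    dir=$(mktemp -d)
    write_demo_tables "$dir"
    echo "postscreen zones that would leak their real name:"
    unmapped_zones "$KEY.zen.dq.spamhaus.org*3 bl.spamcop.net*1 dnsbl.sorbs.net*1" "$dir/dnsbl_reply"
    echo "reject_rbl_client zones still using the default template:"
    unmapped_zones "$KEY.zen.dq.spamhaus.org bl.spamcop.net" "$dir/rbl_reply"
    rm -rf "$dir"
}

demo_audit
```

On a real host, replace the constructed tables with `/etc/postfix/dnsbl_reply` and the `rbl_reply_maps` file, and feed `unmapped_zones` the values of `postconf -h postscreen_dnsbl_sites` and the `reject_rbl_client` zones from `smtpd_client_restrictions`; an empty report from both calls means no reject can echo the keyed name.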
            • Wietse Venema
              Message 6 of 12, May 6, 2013
                Jan P. Kessler:
                >
                > > Is it possible that the key is being exposed not from the
                > > postscreen_dnsbl_sites line but from a line also in main.cf which says
                > > the following?
                > > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

                Yes. Postfix logging will tell you which program produces
                the REJECT message: smtpd or postscreen.

                Wietse
              • /dev/rob0
                Message 7 of 12, May 6, 2013
                  On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
                  > On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
                  > > I had
                  > > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
                  >
                  > This is right.

                  Let me try again also! I presume your lookup is actually against
                  key.zen.dq.spamhaus.org. That's what I said was right. Hereafter,
                  "key" will be substituted for the actual key.

                  > > and
                  > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                  > > in main.cf
                  > >
                  > > and I had
                  > > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

                  And here you are talking about spamhaus.net. Which is your lookup
                  against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note
                  that "net" is not "org".

                  > "net" != "org". This would never match.

                  Assuming that you DID mean key.zen.dq.spamhaus.org, your
                  postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would
                  never match, because as we have seen, "net" is not "org". :)

                  If "net" was right, your munging was wrong.

                  > You probably want to rewrite that to "zen.spamhaus.org" without
                  > the "dq" domain component. That's what non-subscribers use.
                  >
                  > > How can I prove to myself the spamhaus list actually being used
                  > > now as opposed to being not used because of configuration?
                  >
                  > http://www.crynwr.com/spam/ provides a testing service. Or, maybe
                  > you're using a home Internet connection which is listed on PBL. If
                  > your port 25 is not blocked by the ISP, you could test from home.
                  --
                  http://rob0.nodns4.us/ -- system administration and consulting
                  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                • Robert Lopez
                  Message 8 of 12, May 7, 2013
                    On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                    > Robert Lopez:
                    >> Let me try again. I am assuming the link between a line in the
                    >> dnsbl_reply file and the main.cf file is only a label and it could be
                    >> anything.
                    >> Is that a wrong assumption?
                    >
                    > Please describe what is not clear about the following text:
                    >
                    > postscreen_dnsbl_reply_map (default: empty)
                    > A mapping from actual DNSBL domain name which includes a secret pass-
                    > word, to the DNSBL domain name that postscreen will reply with when it
                    > rejects mail. When no mapping is found, the actual DNSBL domain will
                    > be used.
                    >
                    > For maximal stability it is best to use a file that is read into memory
                    > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                    > except a) there is no need to run postmap(1) before the file can be
                    > used, and b) texthash: does not detect changes after the file is read).
                    >
                    > Example:
                    >
                    > /etc/postfix/main.cf:
                    > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                    >
                    > /etc/postfix/dnsbl_reply:
                    > secret.zen.spamhaus.org zen.spamhaus.org
                    >
                    > This feature is available in Postfix 2.8.
                    >
                    > Once you set up your postscreen_dnsbl_reply_map, you can query it
                    > to ensure that it works as expected. Using the above example,
                    > the command
                    >
                    > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                    >
                    > should produce "zen.spamhaus.org" as output.
                    >
                    > Thanks for helping to improve Postfix.
                    >
                    > Wietse

                    What is not clear to me in that description is the reason for my
                    original question
                    "Does it matter what the short name returned is; that is could I use
                    zen.spamhaus.org just to keep it shorter?"

                    I tried to make that question more clear the second time I posted by
                    " I am assuming the link between a line in the
                    dnsbl_reply file and the main.cf file is only a label and it could be
                    anything.
                    Is that a wrong assumption?
                    I have changed the label to make it more obvious."

                    To me when I read the text you provided I am left with the question
                    "If the real query address, with the key, is being replaced by some
                    other name, does it matter what that name is and can it be shortened
                    up?"

                    Of course, the reason for my post in the first place was my concern that
                    the name with the key was returned in a reply to a test email I sent
                    from a Yahoo test account which just happened to have been delivered
                    from a Yahoo server which was listed by zen.spam.net.

                    Also, I did have a bit of a mix-up in that in your example text you do
                    use zen.spamhaus.org and in my original set-up instructions from the
                    vendor from whom CNM purchases the Spamhaus service, the address
                    I am to query is <key>..zen.dq.spamhaus.net. This is not to say there is
                    any problem in your text. It was simply my dyslexia seeing what I expect
                    to see and not noticing the net v org that /dev/rob has pointed out.

                    Your making clear two other points (using postmap -q and looking for the
                    log lines to distinguish between postscreen and smtpd) was helpful
                    to me.

                    I can see the returned information which did disclose the key came from
                    postscreen:

                    May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
                    from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
                    [98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
                    from=<rlopezcnm@...>, to=<rlopez@...>, proto=SMTP,
                    helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

                    Finally, /dev/rob was exactly correct in that the two labels used differed
                    (.net v .org), causing the lookup to fail and "When no mapping is found,
                    the actual DNSBL domain will be used."

                    I believe the answer to my question is that the text of the label does not
                    matter (though it must be meaningful enough to communicate), but it must be
                    exactly the same in the dnsbl_reply file and the main.cf file.

                    Life as a dyslexic person is often embarrassing.

                    Thank you.
                    --
                    Robert Lopez
                    Unix Systems Administrator
                    Central New Mexico Community College (CNM)
                    525 Buena Vista SE
                    Albuquerque, New Mexico 87106
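Wietse's hint that the log shows which program produced a reject, and Robert's log line above, turned into a scan that reports every DNSBL reject still carrying the keyed zone and attributes it to postscreen or smtpd (the two are fixed in different places: `postscreen_dnsbl_reply_map` versus `rbl_reply_maps`). This is an added example, not code from the thread or from Postfix; the log lines are constructed, with a placeholder for the key and RFC 5737 addresses.

```shell
#!/bin/sh
# Added example, not Postfix code. Scans a mail log for DNSBL rejects that
# still carry the keyed zone name and reports which program produced each
# one, postscreen or smtpd, since the two are configured (and fixed) in
# different places. Log lines are constructed, with a placeholder for the key
# and RFC 5737 addresses.

KEY=SECRET-KEY-PLACEHOLDER

# usage: leaked_rejects LOGFILE KEY -> "program zone" for every reject line
# that names a DNSBL and contains KEY anywhere on the line
leaked_rejects() {
    awk -v key="$2" '
        / reject: / && index($0, " blocked using ") && index($0, key) {
            prog = $0
            sub(/^.*postfix\//, "", prog); sub(/\[.*$/, "", prog)
            zone = $0
            sub(/^.*blocked using /, "", zone); sub(/[;, ].*$/, "", zone)
            print prog, zone
        }' "$1"
}

# usage: leak_counts LOGFILE KEY -> "program count", one line per program
leak_counts() {
    leaked_rejects "$1" "$2" | awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' | sort
}

# Constructed log: a postscreen reject that leaks the key, an smtpd
# (reject_rbl_client) reject that leaks it, and a postscreen reject whose
# reply map worked and shows only the public name.
write_demo_log() {                              # usage: write_demo_log FILE
    cat > "$1" <<EOF
May  3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [198.51.100.10]:45242: 550 5.7.1 Service unavailable; client [198.51.100.10] blocked using $KEY.zen.dq.spamhaus.org; from=<a@example.com>, to=<b@example.net>, proto=SMTP, helo=<mail.example.com>
May  6 09:12:44 mg08 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using $KEY.zen.dq.spamhaus.net; http://www.spamhaus.org/query/bl?ip=203.0.113.5; from=<x@example.org> to=<y@example.net> proto=ESMTP helo=<host.example>
May  6 09:13:02 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [192.0.2.7]:5123: 550 5.7.1 Service unavailable; client [192.0.2.7] blocked using zen.spamhaus.org; from=<c@example.com>, to=<d@example.net>, proto=SMTP, helo=<mx.example>
EOF
}

demo_scan() {
    log=$(mktemp)
    write_demo_log "$log"
    echo "leaking rejects (program zone):"
    leaked_rejects "$log" "$KEY"
    echo "per program:"
    leak_counts "$log" "$KEY"
    rm -f "$log"
}

demo_scan
```

Run it against the real mail log with the real key in place of the placeholder: a `postscreen` line means the `postscreen_dnsbl_reply_map` entry for that zone is missing or misspelled, an `smtpd` line means `rbl_reply_maps` has no key-free template for that zone.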
                  • Wietse Venema
                    Message 9 of 12, May 7, 2013
                      Robert Lopez:
                      > On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                      > > Robert Lopez:
                      > >> Let me try again. I am assuming the link between a line in the
                      > >> dnsbl_reply file and the main.cf file is only a label and it could be
                      > >> anything.
                      > >> Is that a wrong assumption?
                      > >
                      > > Please describe what is not clear about the following text:
                      > >
                      > > postscreen_dnsbl_reply_map (default: empty)
                      > > A mapping from actual DNSBL domain name which includes a secret pass-
                      > > word, to the DNSBL domain name that postscreen will reply with when it
                      > > rejects mail. When no mapping is found, the actual DNSBL domain will
                      > > be used.
                      > >
                      > > For maximal stability it is best to use a file that is read into memory
                      > > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                      > > except a) there is no need to run postmap(1) before the file can be
                      > > used, and b) texthash: does not detect changes after the file is read).
                      > >
                      > > Example:
                      > >
                      > > /etc/postfix/main.cf:
                      > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                      > >
                      > > /etc/postfix/dnsbl_reply:
                      > > secret.zen.spamhaus.org zen.spamhaus.org
                      > >
                      > > This feature is available in Postfix 2.8.
                      > >
                      > > Once you set up your postscreen_dnsbl_reply_map, you can query it
                      > > to ensure that it works as expected. Using the above example,
                      > > the command
                      > >
                      > > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                      > >
                      > > should produce "zen.spamhaus.org" as output.
                      > >
                      > > Thanks for helping to improve Postfix.
                      > >
                      > > Wietse
                      >
                      > What is not clear to me in that description is the reason for my
                      > original question "Does it matter what the short name returned is;
                      > that is could I use zen.spamhaus.org just to keep it shorter?"

                      As documented, the name on the right-hand side of the table is used
                      in the postscreen REPLY.

                      This name is NOT USED for the DNSBL query.

                      This name is NOT USED for lots of other things.

                      This name is USED ONLY for the purpose as documented.

                      Wietse
                    • /dev/rob0
                      Message 10 of 12, May 7, 2013
                        On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
                        > What is not clear to me in that description is the reason for
                        > my original question
                        > "Does it matter what the short name returned is; that is could
                        > I use zen.spamhaus.org just to keep it shorter?"

                        In my example:
                        http://rob0.nodns4.us/postscreen.html
                        I use a negated lookup. Basically, if zen.spamhaus.org is not among
                        the DNSBL hits, my senders see that they were blocked by "multiple
                        DNS-based blocklists".

                        So no, there need not be any connection between the lookup key and
                        the result. I think in your case you will want to use
                        "zen.spamhaus.org" as the result.
                        --
                        http://rob0.nodns4.us/ -- system administration and consulting
                        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: