Re: postscreen_dnsbl_sites

  • /dev/rob0
    Message 1 of 12, May 4, 2013
      Please disable HTML when posting to mailing lists.

      On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
      > I had
      > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org

      This is right.

      > and
      > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
      > in main.cf
      >
      > and I had
      > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

      "net" != "org". This would never match.

      You probably want to rewrite that to "zen.spamhaus.org" without the
      "dq" domain component. That's what non-subscribers use.

      > How can I prove to myself the spamhaus list actually being used
      > now as opposed to being not used because of configuration?

      http://www.crynwr.com/spam/ provides a testing service. Or, maybe
      you're using a home Internet connection which is listed on PBL. If
      your port 25 is not blocked by the ISP, you could test from home.
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Robert Lopez
      Message 2 of 12, May 6, 2013
        Let me try again. I am assuming the link between a line in the
        dndsbl_reply file and the main.cf file is only a label and it could be
        anything.
        Is that a wrong assumption?

        I have changed the label to make it more obvious.

        Right now in the dnsbl_reply file I have this line (except for the key
        being hidden):
        <hidden-key>.zen.dq.spamhaus.net h.spamhaus.net

        In the main.cf file I have this line:
        postscreen_dnsbl_sites = h.spamhaus.net*1

        I am assuming the h.spamhaus.net in main.cf is being rewritten to
        <hidden-key>.zen.dq.spamhaus.net when postscreen uses the dnsbl.

        What I am seeing in testing is my gateway is returning a statement
        such as this one:
        554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked
        using <hidden-key>.zen.dq.spamhaus.net;
        http://www.spamhaus.org/query/bl?ip=192.203.178.138

        And the above line does in fact contain the actual key that I am trying to hide.

        The version of Postfix I am using (2.10.0) is my first experience with
        postscreen and I am trying to avoid the exposing of this key.

        Is it possible that the key is being exposed not from the
        postscreen_dnsbl_sites line but from a line also in main.cf which says
        the following?
        smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net


        # postconf -n
        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases
        append_dot_mydomain = yes
        biff = no
        bounce_size_limit = 1
        config_directory = /etc/postfix
        default_process_limit = 400
        header_checks = regexp:/etc/postfix/header_checks
        inet_interfaces = $myhostname, localhost
        inet_protocols = ipv4
        mailbox_size_limit = 0
        masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
        max_use = 100
        message_size_limit = 26214400
        mydestination = $myhostname, $mydomain, localhost.localdomain,
        cnm.edu, mail.cnm.edu
        mydomain = cnm.edu
        mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
        198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
        127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
        notify_classes = resource, software
        postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
        postscreen_dnsbl_action = enforce
        postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
        postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1
        bl.spamcop.net*1 dnsbl.sorbs.net*1
        postscreen_dnsbl_threshold = 2
        readme_directory = no
        recipient_delimiter = +
        relay_domains =
        relayhost =
        smtp_host_lookup = dns, native
        smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
        smtpd_banner = cnm.edu ESMTP
        smtpd_client_restrictions = reject_unauth_pipelining
        check_client_access hash:/etc/postfix/whitelist check_client_access
        cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
        permit_mynetworks reject_rbl_client
        <hidden-key>.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client
        b.barracudacentral.org reject_rbl_client bl.spamcop.net
        reject_rbl_client dnsbl.sorbs.net
        smtpd_helo_required = yes
        smtpd_helo_restrictions = permit_mynetworks check_helo_access
        hash:/etc/postfix/helo-ip reject_invalid_hostname
        reject_non_fqdn_helo_hostname
        smtpd_recipient_restrictions = permit_mynetworks
        reject_unknown_recipient_domain reject_unlisted_recipient
        reject_non_fqdn_recipient reject_unknown_recipient_domain
        smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
        smtpd_sender_restrictions = check_sender_access
        hash:/etc/postfix/whitelist check_sender_access
        hash:/etc/postfix/greylist check_sender_access
        hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
        reject_unknown_sender_domain
        smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
        smtpd_use_tls = yes
        virtual_alias_maps = hash:/etc/postfix/virtualaliases


        --
        Robert Lopez
        Unix Systems Administrator
        Central New Mexico Community College (CNM)
        525 Buena Vista SE
        Albuquerque, New Mexico 87106
      • Wietse Venema
        Message 3 of 12, May 6, 2013
          Robert Lopez:
          > Let me try again. I am assuming the link between a line in the
          > dndsbl_reply file and the main.cf file is only a label and it could be
          > anything.
          > Is that a wrong assumption?

          Please describe what is not clear about the following text:

          postscreen_dnsbl_reply_map (default: empty)
          A mapping from actual DNSBL domain name which includes a secret pass-
          word, to the DNSBL domain name that postscreen will reply with when it
          rejects mail. When no mapping is found, the actual DNSBL domain will
          be used.

          For maximal stability it is best to use a file that is read into memory
          such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
          except a) there is no need to run postmap(1) before the file can be
          used, and b) texthash: does not detect changes after the file is read).

          Example:

          /etc/postfix/main.cf:
          postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

          /etc/postfix/dnsbl_reply:
          secret.zen.spamhaus.org zen.spamhaus.org

          This feature is available in Postfix 2.8.

          Once you set up your postscreen_dnsbl_reply_map, you can query it
          to ensure that it works as expected. Using the above example,
          the command

          postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply

          should produce "zen.spamhaus.org" as output.

          Thanks for helping to improve Postfix.

          Wietse
        • Jan P. Kessler
          Message 4 of 12, May 6, 2013
            > Is it possible that the key is being exposed not from the
            > postscreen_dnsbl_sites line but from a line also in main.cf which says
            > the following?
            > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

            Use rbl_reply_maps and a text without $rbl_domain:
            http://www.postfix.org/postconf.5.html#rbl_reply_maps

            And... get a new spamhaus key, NOW:

            # telnet mg05.cnm.edu 25
            Trying 198.133.182.65...
            Connected to mg05.cnm.edu.
            Escape character is '^]'.
            220 mg05.cnm.edu ESMTP Postfix
            HELO ruv.de
            250 mg05.cnm.edu
            MAIL FROM:jpk@somedomain
            250 2.1.0 Ok
            RCPT TO:hostmaster@...
            554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using
            <GOTIT>.zen.dq.spamhaus.net;
            http://www.spamhaus.org/query/bl?ip=47.66.81.105
            quit
            221 2.0.0 Bye
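Wietse's reply above describes how postscreen picks the name it shows (the right-hand side of postscreen_dnsbl_reply_map, or the queried domain itself when the lookup misses), and Jan's reply points out that smtpd's reject_rbl_client shows $rbl_domain unless rbl_reply_maps supplies a template without it. The following script is an added example, not code from this thread or from Postfix: it parses postconf -n style output and texthash-style tables, and reports every keyed DNSBL domain that would be echoed to a client, including the exact-match miss (.net vs .org) discussed here. The configuration, the file contents and the EXAMPLEKEY placeholder are constructed for the example, and the set of secret domains is passed in explicitly rather than guessed.

```python
"""Added example: audit a Postfix configuration for DNSBL subscription keys
that would be echoed to SMTP clients in reject replies.

Two paths are checked:
  * postscreen shows the right-hand side of postscreen_dnsbl_reply_map, or
    the queried domain itself when no mapping is found;
  * smtpd's reject_rbl_client expands rbl_reply_maps, whose default
    template contains $rbl_domain, so the queried domain is shown unless
    a template without it is supplied.
All inputs below are constructed; EXAMPLEKEY stands in for a real key.
"""

# --- constructed inputs: postconf -n style text plus two texthash: tables ---
MAIN_CF = """\
postscreen_dnsbl_sites = EXAMPLEKEY.zen.dq.spamhaus.net*3 bl.spamcop.net*1
    b.barracudacentral.org*1
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
smtpd_client_restrictions = permit_mynetworks
    reject_rbl_client EXAMPLEKEY.zen.dq.spamhaus.net
    reject_rbl_client bl.spamcop.net
rbl_reply_maps = texthash:/etc/postfix/rbl_reply
"""

# Weak: the reply-map key ends in .org while the queried domain ends in .net,
# so the lookup never matches; the rbl_reply template still expands $rbl_domain.
BROKEN_DNSBL_REPLY = "EXAMPLEKEY.zen.dq.spamhaus.org zen.spamhaus.org\n"
BROKEN_RBL_REPLY = ("EXAMPLEKEY.zen.dq.spamhaus.net $rbl_code Service unavailable; "
                    "$rbl_class [$rbl_what] blocked using $rbl_domain\n")

# Corrected: keys equal the queried domain byte for byte, and neither reply
# text mentions the keyed domain.
FIXED_DNSBL_REPLY = "EXAMPLEKEY.zen.dq.spamhaus.net zen.spamhaus.org\n"
FIXED_RBL_REPLY = ("EXAMPLEKEY.zen.dq.spamhaus.net $rbl_code Service unavailable; "
                   "$rbl_class [$rbl_what] blocked using zen.spamhaus.org\n")

SECRET_DOMAINS = {"EXAMPLEKEY.zen.dq.spamhaus.net"}


def parse_main_cf(text):
    """Parse main.cf / postconf -n output; an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_texthash(text):
    """Parse a postmap-style text table: 'key value...' per line, '#' comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def dnsbl_domain(token):
    """Strip 'domain=filter*weight' decorations down to the queried domain."""
    return token.split("*", 1)[0].split("=", 1)[0]


def audit(main_cf, dnsbl_reply, rbl_reply, secret_domains):
    """Return (kind, domain) findings for each way a keyed domain would be shown."""
    params = parse_main_cf(main_cf)
    reply_map = parse_texthash(dnsbl_reply)
    rbl_map = parse_texthash(rbl_reply)
    findings = []

    sites = [dnsbl_domain(t) for t in params.get("postscreen_dnsbl_sites", "").split()]
    for domain in sites:
        shown = reply_map.get(domain, domain)      # miss -> actual domain is shown
        if shown in secret_domains:
            findings.append(("postscreen-unmapped", domain))
    for key in reply_map:                           # entries that no site ever matches
        if key not in sites:
            findings.append(("postscreen-unused-key", key))

    tokens = params.get("smtpd_client_restrictions", "").split()
    for i, tok in enumerate(tokens[:-1]):
        if tok != "reject_rbl_client":
            continue
        domain = dnsbl_domain(tokens[i + 1])
        template = rbl_map.get(domain)
        if domain in secret_domains and (
                template is None or "$rbl_domain" in template or "${rbl_domain" in template):
            findings.append(("smtpd-rbl-domain", domain))
    return findings


if __name__ == "__main__":
    for label, dm, rm in (("broken", BROKEN_DNSBL_REPLY, BROKEN_RBL_REPLY),
                          ("fixed", FIXED_DNSBL_REPLY, FIXED_RBL_REPLY)):
        print(label, audit(MAIN_CF, dm, rm, SECRET_DOMAINS))
```

Run against a real host by feeding it the output of `postconf -n` and the contents of the two table files; the `postscreen-unused-key` finding is the one that catches a reply-map entry written under a label that postscreen never queries, which is the situation described earlier in the thread.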
          • Wietse Venema
            Message 5 of 12, May 6, 2013
              Jan P. Kessler:
              >
              > > Is it possible that the key is being exposed not from the
              > > postscreen_dnsbl_sites line but from a line also in main.cf which says
              > > the following?
              > > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

              Yes. Postfix logging will tell you which program produces
              the REJECT message: smtpd or postscreen.

              Wietse
            • /dev/rob0
              Message 6 of 12, May 6, 2013
                On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
                > On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
                > > I had
                > > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
                >
                > This is right.

                Let me try again also! I presume your lookup is actually against
                key.zen.dq.spamhaus.org. That's what I said was right. Hereafter,
                "key" will be substituted for the actual key.

                > > and
                > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                > > in main.cf
                > >
                > > and I had
                > > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

                And here you are talking about spamhaus.net. Which is your lookup
                against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note
                that "net" is not "org".

                > "net" != "org". This would never match.

                Assuming that you DID mean key.zen.dq.spamhaus.org, your
                postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would
                never match, because as we have seen, "net" is not "org". :)

                If "net" was right, your munging was wrong.

                > You probably want to rewrite that to "zen.spamhaus.org" without
                > the "dq" domain component. That's what non-subscribers use.
                >
                > > How can I prove to myself the spamhaus list actually being used
                > > now as opposed to being not used because of configuration?
                >
                > http://www.crynwr.com/spam/ provides a testing service. Or, maybe
                > you're using a home Internet connection which is listed on PBL. If
                > your port 25 is not blocked by the ISP, you could test from home.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
              • Robert Lopez
                Message 7 of 12, May 7, 2013
                  On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                  > Robert Lopez:
                  >> Let me try again. I am assuming the link between a line in the
                  >> dndsbl_reply file and the main.cf file is only a label and it could be
                  >> anything.
                  >> Is that a wrong assumption?
                  >
                  > Please describe what is not clear about the following text:
                  >
                  > postscreen_dnsbl_reply_map (default: empty)
                  > A mapping from actual DNSBL domain name which includes a secret pass-
                  > word, to the DNSBL domain name that postscreen will reply with when it
                  > rejects mail. When no mapping is found, the actual DNSBL domain will
                  > be used.
                  >
                  > For maximal stability it is best to use a file that is read into memory
                  > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                  > except a) there is no need to run postmap(1) before the file can be
                  > used, and b) texthash: does not detect changes after the file is read).
                  >
                  > Example:
                  >
                  > /etc/postfix/main.cf:
                  > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                  >
                  > /etc/postfix/dnsbl_reply:
                  > secret.zen.spamhaus.org zen.spamhaus.org
                  >
                  > This feature is available in Postfix 2.8.
                  >
                  > Once you set up your postscreen_dnsbl_reply_map, you can query it
                  > to ensure that it works as expected. Using the above example,
                  > the command
                  >
                  > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                  >
                  > should produce "zen.spamhaus.org" as output.
                  >
                  > Thanks for helping to improve Postfix.
                  >
                  > Wietse

                  What is not clear to me in that description is the reason for my
                  original question
                  "Does it matter what the short name returned is; that is could I use
                  zen.spamhaus.org just to keep it shorter?"

                  I tried to make that question more clear the second time I posted by
                  " I am assuming the link between a line in the
                  dndsbl_reply file and the main.cf file is only a label and it could be
                  anything.
                  Is that a wrong assumption?
                  I have changed the label to make it more obvious."

                  To me when I read the text you provided I am left with the question
                  "If the real query address, with the key, is being replaced by some
                  other name, does it matter what that name is and can it be shortened
                  up?"

                  Of course, the reason for my post in the first place was my concern that
                  the name with the key was returned in a reply to a test email I sent
                  from a Yahoo test account which just happened to have been delivered
                  from a Yahoo server which was listed by zen.spam.net.

                  Also, I did have a bit of a mix-up in that in your example text you do
                  use zen.spamhaus.org and in my original set-up instructions from the
                  vendor from whom CNM purchases the Spamhaus service, the address
                  I am to query is <key>..zen.dq.spamhaus.net. This is not to say there is
                  any problem in your text. It was simply my dyslexia seeing what I expect
                  to see and not noticing the net v org that /dev/rob has pointed out.

                  Your making clear two other points (using postmap -q and looking for the
                  log lines to distinguish between postscreen and smtpd) was helpful
                  to me.

                  I can see the returned information which did disclose the key came from
                  postscreen:

                  May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
                  from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
                  [98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
                  from=<rlopezcnm@...>, to=<rlopez@...>, proto=SMTP,
                  helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

                  Finally, /dev/rob was exactly correct in that the two labels used differed
                  (.net v .org), causing the lookup to fail, and "When no mapping is found,
                  the actual DNSBL domain will be used."

                  I believe the answer to my question is that the text of the label does not
                  matter (though it must be meaningful enough to communicate), but it must be
                  exactly the same in the dnsbl_reply file and the main.cf file.

                  Life as a dyslexic person is often embarrassing.

                  Thank you.
                  --
                  Robert Lopez
                  Unix Systems Administrator
                  Central New Mexico Community College (CNM)
                  525 Buena Vista SE
                  Albuquerque, New Mexico 87106
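Wietse's point that the log shows which program produced the reject, and the postscreen log line quoted above, suggest a simple check a mail administrator can run over the mail log after changing the reply maps. The script below is an added example, not code from this thread or from Postfix: it picks out DNSBL rejects, names the program (postscreen or smtpd) and the client address, and flags any line whose "blocked using" domain is one of the keyed domains you supply. The log lines, addresses and the EXAMPLEKEY placeholder are constructed for the example.

```python
"""Added example: tell from Postfix logs which program produced a DNSBL
reject and whether the reply exposed a keyed DNSBL domain.
The log lines are constructed; EXAMPLEKEY stands in for a real key."""
import re

# Constructed sample log: one postscreen reject that exposes the keyed domain,
# one smtpd reject that shows a public list name, one non-reject line.
SAMPLE_LOG = """\
May  3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [198.51.100.7]:45242: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using EXAMPLEKEY.zen.dq.spamhaus.net; from=<a@example.org>, to=<b@example.com>, proto=SMTP, helo=<mx.example.org>
May  3 17:55:10 mg08 postfix/smtpd[10301]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=203.0.113.9; from=<c@example.net> to=<d@example.com> proto=ESMTP helo=<bad.example>
May  3 17:56:00 mg08 postfix/postscreen[10279]: PASS OLD [192.0.2.5]:33000
"""

# The program name sits in "postfix/<prog>[pid]:"; the first bracketed token
# after "reject:" is the client address; the DNSBL name follows "blocked using".
REJECT_RE = re.compile(
    r"postfix/(?P<prog>\w+)\[\d+\]: NOQUEUE: reject: .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*?blocked using (?P<dnsbl>[^;\s]+)")


def scan_log(lines, secret_domains):
    """Return (program, client_ip, dnsbl_domain, leaked) for each DNSBL reject line."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            out.append((m["prog"], m["ip"], m["dnsbl"], m["dnsbl"] in secret_domains))
    return out


def leak_sources(lines, secret_domains):
    """Count rejects that exposed a keyed domain, per producing program."""
    counts = {}
    for prog, _ip, _dnsbl, leaked in scan_log(lines, secret_domains):
        if leaked:
            counts[prog] = counts.get(prog, 0) + 1
    return counts


if __name__ == "__main__":
    secret = {"EXAMPLEKEY.zen.dq.spamhaus.net"}
    for row in scan_log(SAMPLE_LOG.splitlines(), secret):
        print(row)
    print("leaks by program:", leak_sources(SAMPLE_LOG.splitlines(), secret))
```

A non-empty result from `leak_sources` tells you which of postscreen_dnsbl_reply_map or rbl_reply_maps still needs fixing; an empty one after the change is the confirmation the original question asked for.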
                • Wietse Venema
                  Message 8 of 12, May 7, 2013
                    Robert Lopez:
                    > On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
                    > > Robert Lopez:
                    > >> Let me try again. I am assuming the link between a line in the
                    > >> dndsbl_reply file and the main.cf file is only a label and it could be
                    > >> anything.
                    > >> Is that a wrong assumption?
                    > >
                    > > Please describe what is not clear about the following text:
                    > >
                    > > postscreen_dnsbl_reply_map (default: empty)
                    > > A mapping from actual DNSBL domain name which includes a secret pass-
                    > > word, to the DNSBL domain name that postscreen will reply with when it
                    > > rejects mail. When no mapping is found, the actual DNSBL domain will
                    > > be used.
                    > >
                    > > For maximal stability it is best to use a file that is read into memory
                    > > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
                    > > except a) there is no need to run postmap(1) before the file can be
                    > > used, and b) texthash: does not detect changes after the file is read).
                    > >
                    > > Example:
                    > >
                    > > /etc/postfix/main.cf:
                    > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
                    > >
                    > > /etc/postfix/dnsbl_reply:
                    > > secret.zen.spamhaus.org zen.spamhaus.org
                    > >
                    > > This feature is available in Postfix 2.8.
                    > >
                    > > Once you set up your postscreen_dnsbl_reply_map, you can query it
                    > > to ensure that it works as expected. Using the above example,
                    > > the command
                    > >
                    > > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
                    > >
                    > > should produce "zen.spamhaus.org" as output.
                    > >
                    > > Thanks for helping to improve Postfix.
                    > >
                    > > Wietse
                    >
                    > What is not clear to me in that description is the reason for my
                    > original question "Does it matter what the short name returned is;
                    > that is could I use zen.spamhaus.org just to keep it shorter?"

                    As documented, the name on the right-hand side of the table is used
                    in the postscreen REPLY.

                    This name is NOT USED for the DNSBL query.

                    This name is NOT USED for lots of other things.

                    This name is USED ONLY for the purpose as documented.

                    Wietse
                  • /dev/rob0
                    Message 9 of 12, May 7, 2013
                      On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
                      > What is not clear to me in that description is the reason for
                      > my original question
                      > "Does it matter what the short name returned is; that is could
                      > I use zen.spamhaus.org just to keep it shorter?"

                      In my example:
                      http://rob0.nodns4.us/postscreen.html
                      I use a negated lookup. Basically, if zen.spamhaus.org is not among
                      the DNSBL hits, my senders see that they were blocked by "multiple
                      DNS-based blocklists".

                      So no, there need not be any connection between the lookup key and
                      the result. I think in your case you will want to use
                      "zen.spamhaus.org" as the result.
                      --
                      http://rob0.nodns4.us/ -- system administration and consulting
                      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: