
Re: postscreen_dnsbl_sites

  • Jan P. Kessler
    Message 1 of 12 , May 6 2:24 PM
      > Is it possible that the key is being exposed not from the
      > postscreen_dnsbl_sites line but from a line also in main.cf which says
      > the following?
      > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

      Use rbl_reply_maps and a text without $rbl_domain:
      http://www.postfix.org/postconf.5.html#rbl_reply_maps

      And... get a new spamhaus key, NOW:

      # telnet mg05.cnm.edu 25
      Trying 198.133.182.65...
      Connected to mg05.cnm.edu.
      Escape character is '^]'.
      220 mg05.cnm.edu ESMTP Postfix
      HELO ruv.de
      250 mg05.cnm.edu
      MAIL FROM:jpk@somedomain
      250 2.1.0 Ok
      RCPT TO:hostmaster@...
      554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using
      <GOTIT>.zen.dq.spamhaus.net;
      http://www.spamhaus.org/query/bl?ip=47.66.81.105
      quit
      221 2.0.0 Bye
    • Wietse Venema
      Message 2 of 12 , May 6 4:08 PM
        Jan P. Kessler:
        >
        > > Is it possible that the key is being exposed not from the
        > > postscreen_dnsbl_sites line but from a line also in main.cf which says
        > > the following?
        > > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

        Yes. Postfix logging will tell you which program produces
        the REJECT message: smtpd or postscreen.

        Wietse
      • /dev/rob0
        Message 3 of 12 , May 6 5:37 PM
          On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
          > On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
          > > I had
          > > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
          >
          > This is right.

          Let me try again also! I presume your lookup is actually against
          key.zen.dq.spamhaus.org. That's what I said was right. Hereafter,
          "key" will be substituted for the actual key.

          > > and
          > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
          > > in main.cf
          > >
          > > and I had
          > > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

          And here you are talking about spamhaus.net. Which is your lookup
          against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note
          that "net" is not "org".

          > "net" != "org". This would never match.

          Assuming that you DID mean key.zen.dq.spamhaus.org, your
          postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would
          never match, because as we have seen, "net" is not "org". :)

          If "net" was right, your munging was wrong.

          > You probably want to rewrite that to "zen.spamhaus.org" without
          > the "dq" domain component. That's what non-subscribers use.
          >
          > > How can I prove to myself the spamhaus list actually being used
          > > now as opposed to being not used because of configuration?
          >
          > http://www.crynwr.com/spam/ provides a testing service. Or, maybe
          > you're using a home Internet connection which is listed on PBL. If
          > your port 25 is not blocked by the ISP, you could test from home.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Robert Lopez
          Message 4 of 12 , May 7 12:03 PM
            On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
            > Robert Lopez:
            >> Let me try again. I am assuming the link between a line in the
            >> dndsbl_reply file and the main.cf file is only a label and it could be
            >> anything.
            >> Is that a wrong assumption?
            >
            > Please describe what is not clear about the following text:
            >
            > postscreen_dnsbl_reply_map (default: empty)
            > A mapping from actual DNSBL domain name which includes a secret pass-
            > word, to the DNSBL domain name that postscreen will reply with when it
            > rejects mail. When no mapping is found, the actual DNSBL domain will
            > be used.
            >
            > For maximal stability it is best to use a file that is read into memory
            > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
            > except a) there is no need to run postmap(1) before the file can be
            > used, and b) texthash: does not detect changes after the file is read).
            >
            > Example:
            >
            > /etc/postfix/main.cf:
            > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
            >
            > /etc/postfix/dnsbl_reply:
            > secret.zen.spamhaus.org zen.spamhaus.org
            >
            > This feature is available in Postfix 2.8.
            >
            > Once you set up your postscreen_dnsbl_reply_map, you can query it
            > to ensure that it works as expected. Using the above example,
            > the command
            >
            > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
            >
            > should produce "zen.spamhaus.org" as output.
            >
            > Thanks for helping to improve Postfix.
            >
            > Wietse

            What is not clear to me in that description is the reason for my
            original question
            "Does it matter what the short name returned is; that is could I use
            zen.spamhaus.org just to keep it shorter?"

            I tried to make that question more clear the second time I posted by
            " I am assuming the link between a line in the
            dndsbl_reply file and the main.cf file is only a label and it could be
            anything.
            Is that a wrong assumption?
            I have changed the label to make it more obvious."

            To me when I read the text you provided I am left with the question
            "If the real query address, with the key, is being replaced by some
            other name, does it matter what that name is and can it be shortened
            up?"

            Of course, the reason for my post in the first place was my concern that
            the name with the key was returned in a reply to a test email I sent
            from a Yahoo test account which just happened to have been delivered
            from a Yahoo server which was listed by zen.spam.net.

            Also, I did have a bit of a mix-up in that in your example text you do
            use zen.spamhaus.org and in my original set-up instructions from the
            vendor from whom CNM purchases the Spamhaus service, the address
            I am to query is <key>.zen.dq.spamhaus.net. This is not to say there is
            any problem in your text. It was simply my dyslexia seeing what I expect
            to see and not noticing the net v org that /dev/rob has pointed out.

            Your making clear two other points (using postmap -q and looking for the
            log lines to distinguish between postscreen and smtpd) were helpful
            to me.

            I can see the returned information which did disclose the key came from
            postscreen:

            May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
            from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
            [98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
            from=<rlopezcnm@...>, to=<rlopez@...>, proto=SMTP,
            helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

            Finally, /dev/rob was exactly correct in that the two labels used differed
            (.net v .org), causing the lookup to fail and "When no mapping is found,
            the actual DNSBL domain will be used."

            I believe the answer to my question is the text of the label does not matter
            (but it must be meaningful enough to communicate) but it must be
            exactly the same in the dnsbl_reply file and the main.cf file.

            Life as a dyslexic person is often embarrassing.

            Thank you.
            --
            Robert Lopez
            Unix Systems Administrator
            Central New Mexico Community College (CNM)
            525 Buena Vista SE
            Albuquerque, New Mexico 87106
          • Wietse Venema
            Message 5 of 12 , May 7 12:21 PM
              Robert Lopez:
              > On Mon, May 6, 2013 at 3:10 PM, Wietse Venema <wietse@...> wrote:
              > > Robert Lopez:
              > >> Let me try again. I am assuming the link between a line in the
              > >> dndsbl_reply file and the main.cf file is only a label and it could be
              > >> anything.
              > >> Is that a wrong assumption?
              > >
              > > Please describe what is not clear about the following text:
              > >
              > > postscreen_dnsbl_reply_map (default: empty)
              > > A mapping from actual DNSBL domain name which includes a secret pass-
              > > word, to the DNSBL domain name that postscreen will reply with when it
              > > rejects mail. When no mapping is found, the actual DNSBL domain will
              > > be used.
              > >
              > > For maximal stability it is best to use a file that is read into memory
              > > such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
              > > except a) there is no need to run postmap(1) before the file can be
              > > used, and b) texthash: does not detect changes after the file is read).
              > >
              > > Example:
              > >
              > > /etc/postfix/main.cf:
              > > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
              > >
              > > /etc/postfix/dnsbl_reply:
              > > secret.zen.spamhaus.org zen.spamhaus.org
              > >
              > > This feature is available in Postfix 2.8.
              > >
              > > Once you set up your postscreen_dnsbl_reply_map, you can query it
              > > to ensure that it works as expected. Using the above example,
              > > the command
              > >
              > > postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
              > >
              > > should produce "zen.spamhaus.org" as output.
              > >
              > > Thanks for helping to improve Postfix.
              > >
              > > Wietse
              >
              > What is not clear to me in that description is the reason for my
              > original question "Does it matter what the short name returned is;
              > that is could I use zen.spamhaus.org just to keep it shorter?"

              As documented, the name on the right-hand side of the table is used
              in the postscreen REPLY.

              This name is NOT USED for the DNSBL query.

              This name is NOT USED for lots of other things.

              This name is USED ONLY for the purpose as documented.

              Wietse
            • /dev/rob0
              Message 6 of 12 , May 7 4:28 PM
                On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
                > What is not clear to me in that description is the reason for
                > my original question
                > "Does it matter what the short name returned is; that is could
                > I use zen.spamhaus.org just to keep it shorter?"

                In my example:
                http://rob0.nodns4.us/postscreen.html
                I use a negated lookup. Basically, if zen.spamhaus.org is not among
                the DNSBL hits, my senders see that they were blocked by "multiple
                DNS-based blocklists".

                So no, there need not be any connection between the lookup key and
                the result. I think in your case you will want to use
                "zen.spamhaus.org" as the result.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
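
The failure worked out in this thread (a reply-map key ending in .net while the lookup used .org, so postscreen fell back to the real DNSBL domain and put the key in its reject reply) can be checked for offline. The following is an added example, not code from any poster or from Postfix; it assumes a texthash: map, and the function names, the "examplekey" placeholder and the sample log lines are constructed for illustration.

```python
import re

def parse_texthash(text):
    """Parse texthash: file content: 'key<whitespace>value', one pair per line."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            # DNS names are case-insensitive; keys are compared lowercased here.
            table[fields[0].lower()] = fields[1].strip()
    return table

def dnsbl_domains(sites_value):
    """Bare DNSBL domains from a postscreen_dnsbl_sites value,
    with any '=filter' and '*weight' suffix dropped."""
    entries = re.split(r"[,\s]+", sites_value.strip())
    return [re.split(r"[=*]", e, maxsplit=1)[0].lower() for e in entries if e]

def unmapped_domains(sites_value, map_text):
    """Domains with no exact key in the reply map; postscreen uses these
    verbatim (secret key included) in its reject reply."""
    table = parse_texthash(map_text)
    return [d for d in dnsbl_domains(sites_value) if d not in table]

REJECT = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: .*blocked using (\S+?);")

def leaked_rejects(log_lines, secret_domains):
    """Postscreen reject log lines whose reply named one of secret_domains."""
    return [line for line in log_lines
            if (m := REJECT.search(line)) and m.group(1).lower() in secret_domains]

# Constructed sample data; "examplekey" is a placeholder, not a real key.
SITES = "examplekey.zen.dq.spamhaus.org*2"
BROKEN_MAP = "examplekey.zen.dq.spamhaus.net zen.dq.spamhaus.org\n"  # net != org
FIXED_MAP = "examplekey.zen.dq.spamhaus.org zen.spamhaus.org\n"
LOG = [
    "May 3 17:54:01 mx postfix/postscreen[10279]: NOQUEUE: reject: RCPT from "
    "[192.0.2.10]:45242: 550 5.7.1 Service unavailable; client [192.0.2.10] "
    "blocked using examplekey.zen.dq.spamhaus.org; from=<a@example.com>",
    "May 3 18:02:11 mx postfix/postscreen[10279]: NOQUEUE: reject: RCPT from "
    "[192.0.2.11]:45300: 550 5.7.1 Service unavailable; client [192.0.2.11] "
    "blocked using zen.spamhaus.org; from=<b@example.com>",
]

if __name__ == "__main__":
    exposed = unmapped_domains(SITES, BROKEN_MAP)
    print("replied verbatim:", exposed)
    print("log lines that disclosed it:", len(leaked_rejects(LOG, set(exposed))))
```

Any domain the first check reports corresponds to a `postmap -q` query against the map that returns nothing; log lines the second check reports mean the key has already been sent to remote clients.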