Using Spamhaus DNSL feed
in [Postfix]
|
Prev: customized relocated bounces
Next: smtpd_recipient_restrictions = check_recipient_access &sendmail
From: Ralf Hildebrandt on 6 Apr 2010 11:34 The spamhaus DBL can be used to query sender domains and hostnames (no IPs). So generally, one could use: reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org but when one subscribes to Spamhaus's DNSBL feed (which we have to), one gets a special domain to query: reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net This works wonderful, except for the fact that Postfixs default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} gives away the secret key. This is easily fixed in so many ways, e.g.: default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason} Maybe the default should not contain $rbl_domain. I cannot tell if the scheme Spamhaus uses is commonplace. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt(a)charite.de | http://www.charite.de
From: Ralf Hildebrandt on 6 Apr 2010 11:45 * Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>: > default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason} This assumes it's the only RBL being queried. Otherwise one would use rbl_reply_maps -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt(a)charite.de | http://www.charite.de
From: Noel Jones on 6 Apr 2010 12:01 On 4/6/2010 10:34 AM, Ralf Hildebrandt wrote: > The spamhaus DBL can be used to query sender domains and hostnames (no > IPs). > > So generally, one could use: > reject_rhsbl_sender dbl.spamhaus.org > reject_rhsbl_reverse_client dbl.spamhaus.org > > but when one subscribes to Spamhaus's DNSBL feed (which we have to), > one gets a special domain to query: > > reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net > reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net > > This works wonderful, except for the fact that Postfixs > > default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} > > gives away the secret key. This is easily fixed in so many ways, e.g.: > > default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason} > (Use rbl_reply_maps if you query other rbls.) > Maybe the default should not contain $rbl_domain. I cannot tell if the > scheme Spamhaus uses is commonplace. > No, the rbl reply is the only place that postfix logs which rbl caused the rejection, which might not always be clear from $rbl_reason. I think removing the rbl name would cause much confusion. Handling it locally with rbl_reply_maps is the best solution. -- Noel Jones
From: mouss on 6 Apr 2010 16:15 Ralf Hildebrandt a écrit : > The spamhaus DBL can be used to query sender domains and hostnames (no > IPs). > > So generally, one could use: > reject_rhsbl_sender dbl.spamhaus.org > reject_rhsbl_reverse_client dbl.spamhaus.org > > but when one subscribes to Spamhaus's DNSBL feed (which we have to), > one gets a special domain to query: > > reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net > reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net > This is a (spamhaus) design flaw. it means you can't share you configuration without exposing your "secret" key. bI'm not going to say that it is stupid to rely on secret keys. This has already been worked on :) > This works wonderful, except for the fact that Postfixs > > default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} > if you need it, use rbl_reply_maps. otherwise, leave it to spamhaus to fix the problem. > gives away the secret key. This is easily fixed in so many ways, e.g.: > > default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason} > > Maybe the default should not contain $rbl_domain. I cannot tell if the > scheme Spamhaus uses is commonplace. >
|
Pages: 1 Prev: customized relocated bounces Next: smtpd_recipient_restrictions = check_recipient_access &sendmail |