spamhaus dbl implementation
in [Postfix]
|
Prev: postfix as "dispatcher"
Next: outbound sender
From: Noel Jones on 3 Mar 2010 20:16 On 3/3/2010 6:40 PM, Noel Jones wrote: > On 3/3/2010 6:13 PM, Stan Hoeppner wrote: >> What's the best way to integrate the Spamhaus DBL for folks not already >> using SA et al? >> >> Will the following work, or does it check only the entire hostname, >> and not >> the domain portion in isolation as well? >> >> smtpd_recipient_restrictions = >> reject_rhsbl_client dbl.spamhaus.org >> > > (note for the archives: that's not a complete > smtpd_recipient_restrictions statement.) > > With reject_rhsbl_client, the query is for the full client name, not > substrings. Spamhaus DBL may be more useful with reject_rhsbl_sender, > which checks the Right Hand Side of the email address; everything after > the "@", or maybe reject_rhsbl_helo, which checks the full HELO name. > > -- Noel Jones additionally, it appears that dbl.spamhaus.org lists wildcard subdomains. So for example if dbl lists "spammer.tld" and the HELO name is random.foo.spammer.tld it should still be caught by reject_rhsbl_helo. This is good; looking forward to seeing results. As with any new (or newly added to your config) RBL, it's prudent to try it out for a while with warn_if_reject to prevent accidents. -- Noel Jones
From: Stan Hoeppner on 3 Mar 2010 22:21 Noel Jones put forth on 3/3/2010 7:16 PM: > additionally, it appears that dbl.spamhaus.org lists wildcard > subdomains. So for example if dbl lists "spammer.tld" and the HELO name > is random.foo.spammer.tld it should still be caught by reject_rhsbl_helo. Checking the HELO name against the DBL is an ok start, but I'd really like to be able to check rDNS domain name and/or A record domain name against the DBL as well. Is there no Postfix check available for this? > This is good; looking forward to seeing results. Me too. > As with any new (or newly added to your config) RBL, it's prudent to try > it out for a while with warn_if_reject to prevent accidents. Yep. -- Stan
From: Stan Hoeppner on 3 Mar 2010 22:29 Noel Jones put forth on 3/3/2010 7:16 PM: >>> smtpd_recipient_restrictions = >>> reject_rhsbl_client dbl.spamhaus.org >> (note for the archives: that's not a complete >> smtpd_recipient_restrictions statement.) BTW, what is incomplete WRT the above restriction example I gave? reject_rhsbl_client rbl_domain=d.d.d.d Reject the request when the client hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is specified, reject the request when the client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later. -- Stan
From: /dev/rob0 on 3 Mar 2010 23:31 On Wed, Mar 03, 2010 at 09:29:50PM -0600, Stan Hoeppner wrote: > Noel Jones put forth on 3/3/2010 7:16 PM: > > >>> smtpd_recipient_restrictions = > >>> reject_rhsbl_client dbl.spamhaus.org > > >> (note for the archives: that's not a complete > >> smtpd_recipient_restrictions statement.) > > BTW, what is incomplete WRT the above restriction example I gave? I think you know; smtpd_recipient_restrictions must include a restriction which will prevent open relaying. A "complete" way to show a partial smtpd_recipient_restrictions example is with ellipses: smtpd_recipient_restrictions = [ ... ] reject_rhsbl_client dbl.spamhaus.org[, ... ] Thus implying to the reader that more is needed here, and s/he would be well advised to look it up in postconf(5) documentation. It's no big deal, but someone who Googles your post could end up frustrated. -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
From: Stan Hoeppner on 4 Mar 2010 00:47
/dev/rob0 put forth on 3/3/2010 10:31 PM: > On Wed, Mar 03, 2010 at 09:29:50PM -0600, Stan Hoeppner wrote: >> Noel Jones put forth on 3/3/2010 7:16 PM: >> >>>>> smtpd_recipient_restrictions = >>>>> reject_rhsbl_client dbl.spamhaus.org >> >>>> (note for the archives: that's not a complete >>>> smtpd_recipient_restrictions statement.) >> >> BTW, what is incomplete WRT the above restriction example I gave? > > I think you know; smtpd_recipient_restrictions must include a > restriction which will prevent open relaying. A "complete" way to > show a partial smtpd_recipient_restrictions example is with ellipses: > smtpd_recipient_restrictions = [ ... ] > reject_rhsbl_client dbl.spamhaus.org[, ... ] > Thus implying to the reader that more is needed here, and s/he would > be well advised to look it up in postconf(5) documentation. > > It's no big deal, but someone who Googles your post could end up > frustrated. Got it now. I thought I was being called out for incorrect syntax whilst using a client restriction in the recipient restriction section. Spent 15 minutes in docs trying to figure out what I had wrong...nothing. I'll try to be mindful and add section filler in the future to avoid this possible problem for Googlers. -- Stan |