Merge b8a3f5066f into e931e103fe

2025-04-01 23:57:05 +00:00 · 2024-01-10 10:20:37 -08:00 · 2024-01-10 10:20:37 -08:00 · c42cd4d898
commit c42cd4d898
parent e931e103fe b8a3f5066f
2 changed files with 20 additions and 4 deletions
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -217,10 +217,8 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
 # * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
 # * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
-# * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
 # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
 # * `permit_mynetworks`: Mail that originates locally can skip further checks.
-# * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
 # * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
 # * `check_policy_service`: Apply greylisting using postgrey.
 #
@ -230,8 +228,8 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
-	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
-	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
+	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch" \
+	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"

 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@ -117,6 +117,24 @@ describe SPF_FAIL SPF check failed
 score SPF_FAIL 5.0
 EOF

+# SpamAssassin Spamhaus Zen blacklist scores
+# ------------------------------------------
+# MiaB installs spamassassin configured to check against Spamhaus Zen
+# blacklists, but the default score is too low to guarantee blacklisted
+# email as spam. The below score is intended to send all Spamhaus Zen blacklist
+# email received to the spam folder.
+
+cat > /etc/spamassassin/miab_spamhaus_zen_scores.cf << EOF
+score RCVD_IN_PBL 10.0
+score RCVD_IN_SBL 10.0
+score RCVD_IN_SBL_CSS 10.0
+score RCVD_IN_XBL 10.0
+score URIBL_CSS 10.0
+score URIBL_CSS_A 10.0
+score URIBL_SBL 10.0
+score URIBL_SBL_A 10.0
+EOF
+
 # Bayesean learning
 # -----------------
 #