From d7838cf9ecf88ca7c2e11d6ffcc751e214a32b4a Mon Sep 17 00:00:00 2001
From: KiekerJan <kiekerjan@users.noreply.github.com>
Date: Sun, 18 May 2025 12:43:14 +0200
Subject: [PATCH] add support for spamhaus dqs

---
 setup/mail-postfix.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 5131b061..22eb5ebb 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -265,6 +265,11 @@ CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
         warn_if_reject reject_rbl_client $ZEN_QUERY=127.255.255.[1..255],        
 END
 )
+
+	# Cleanup dnsbl reply mapping, potentially set when DQS was enabled previously
+	management/editconf.py /etc/postfix/main.cf -e rbl_reply_maps=
+	
+	rm -rf /etc/postfix/dnsbl-reply-map
 else
         # Use Data Query Service for blocklist query URLs
         DBL_QUERY=$SPAMHAUS_DQS_KEY.dbl.dq.spamhaus.net
@@ -282,6 +287,18 @@ CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
         reject_rbl_client                $ZEN_QUERY=127.0.0.[2..255],
 END
 )
+
+	# Setup dnsbl reply mapping, to avoid leaking your DQS key in reject messages
+	cat > /etc/postfix/dnsbl-reply-map <<- EOF;
+	$ZEN_QUERY=127.0.0.[2.255]      \$rbl_code Service unavailable; \$rbl_class [\$rbl_what] blocked using zen.spamhaus.org\${rbl_reason?; \$rbl_reason}
+	$DBL_QUERY=127.0.1.[2..99]      \$rbl_code Service unavailable; \$rbl_class [\$rbl_what] blocked using dbl.spamhaus.org\${rbl_reason?; \$rbl_reason}
+	$ZRD_QUERY=127.0.2.[2..24]      \$rbl_code Service unavailable; \$rbl_class [\$rbl_what] blocked using zrd.spamhaus.org\${rbl_reason?; \$rbl_reason}
+EOF
+
+	postmap hash:/etc/postfix/dnsbl-reply-map
+
+	management/editconf.py /etc/postfix/main.cf \
+		rbl_reply_maps=hash:/etc/postfix/dnsbl-reply-map
 fi
 
 # Define configuration for smtpd_sender_restrictions