Add support for Spamhaus DQS (https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/index.html)

2025-05-31 17:40:54 +00:00 · 2025-05-18 12:21:35 +02:00 · 2025-05-18 12:21:35 +02:00 · f6fcfe2cc8
commit f6fcfe2cc8
parent 05c2f3c9a2
2 changed files with 93 additions and 7 deletions
--- a/management/status_checks.py
+++ b/management/status_checks.py
@ -283,7 +283,7 @@ def run_network_checks(env, output):
 	# by a spammer, or the user may be deploying on a residential network. We
 	# will not be able to reliably send mail in these cases.
 	rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.')))
-	zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None)
+	zen = query_dns(rev_ip4+get_spamhaus_query_url(env, 'zen'), 'A', nxdomain=None)
 	evaluate_spamhaus_lookup(env['PUBLIC_IP'], 'IPv4', rev_ip4, output, zen)
 	if not env['PUBLIC_IPV6']:
@ -292,8 +292,26 @@ def run_network_checks(env, output):
 	from ipaddress import IPv6Address
 	rev_ip6 = ".".join(reversed(IPv6Address(env['PUBLIC_IPV6']).exploded.split(':')))
-	zen = query_dns(rev_ip6+'.zen.spamhaus.org', 'A', nxdomain=None)
+	zen = query_dns(rev_ip6+get_spamhaus_query_url(env, 'zen'), 'A', nxdomain=None)
 	evaluate_spamhaus_lookup(env['PUBLIC_IPV6'], 'IPv6', rev_ip6, output, zen)
 def get_spamhaus_query_url(env, selector):
 	# Filter on valid selectors
 	if not selector in ('zen', 'dbl'):
 		# Set default so at least something is returned
 		selector = 'zen'
 	# Default public block list
 	spamhaus_url = '.'+selector+'.spamhaus.org'
 	# Check if system makes use of Spamhaus Data Query Service, see https://portal.spamhaus.com/dqs/?ft=1#3.1
 	env_key = 'SPAMHAUS_DQS_KEY'
 	if env_key in env and len(env[env_key]) > 0:
 		dqs_key = env[env_key]
 		spamhaus_url = '.'+dqs_key+'.'+selector+'.dq.spamhaus.net'
 	return spamhaus_url
 def evaluate_spamhaus_lookup(lookupaddress, lookuptype, lookupdomain, output, zen):
@ -766,7 +784,8 @@ def check_mail_domain(domain, env, output):
 	# See https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now. for
 	# information on spamhaus return codes
-	dbl = query_dns(domain+'.dbl.spamhaus.org', "A", nxdomain=None)
+	dbl = query_dns(domain+get_spamhaus_query_url(env, 'dbl'), "A", nxdomain=None)
 	if dbl is None:
 		output.print_ok("Domain is not blacklisted by dbl.spamhaus.org.")
 	elif dbl == "[timeout]":
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -223,10 +223,12 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
 # * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
 # * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
 # * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
 # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
 # * `permit_mynetworks`: Mail that originates locally can skip further checks.
 # * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
 # * `reject_rhsbl_sender`: Reject the request when the MAIL FROM domain is listed in spamhaus.org
 # * `reject_rhsbl_helo`: Reject the request when the HELO or EHLO hostname is listed in spamhaus.org
 # * `reject_rhsbl_reverse_client`: Reject the request when the unverified reverse client hostname is listed in spamhaus.org
 # * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
 # * `check_policy_service`: Apply greylisting using postgrey.
 #
@ -236,9 +238,74 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
-tools/editconf.py /etc/postfix/main.cf \
+# In case the Spamhaus Data Query Service is used, slightly different configuration is needed. Source: https://portal.spamhaus.com/dqs/?ft=1#3.1.2
-	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]" \
+# Zero Reputation Domain (ZRD) blocklist is limited to two hour old domains, not 24 like suggested by Spamhaus.
-	smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023,check_policy_service inet:127.0.0.1:12340"
+
 # smtpd_recipient_restrictions is different whether Spamhaus DQS is used or not.
 # Start definition of the configuration here
 CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
 	permit_sasl_authenticated,
        permit_mynetworks,
        check_sender_access              hash:/etc/postfix/sender_access,
        check_recipient_access           hash:/etc/postfix/recipient_access,
 END
 )
 if [ -z "${SPAMHAUS_DQS_KEY:-}" ]; then
        # Public spamhaus blocklist servers queried
        DBL_QUERY=dbl.spamhaus.org
        ZEN_QUERY=zen.spamhaus.org
 CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
 	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
        reject_rbl_client                $ZEN_QUERY=127.0.0.[2..11],
        reject_rhsbl_sender              $DBL_QUERY=127.0.1.[2..99],
        reject_rhsbl_helo                $DBL_QUERY=127.0.1.[2..99],
        reject_rhsbl_reverse_client      $DBL_QUERY=127.0.1.[2..99],
        warn_if_reject reject_rbl_client $ZEN_QUERY=127.255.255.[1..255],        
 END
 )
 else
        # Use Data Query Service for blocklist query URLs
        DBL_QUERY=$SPAMHAUS_DQS_KEY.dbl.dq.spamhaus.net
        ZEN_QUERY=$SPAMHAUS_DQS_KEY.zen.dq.spamhaus.net
        ZRD_QUERY=$SPAMHAUS_DQS_KEY.zrd.dq.spamhaus.net
 CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
 	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
        reject_rhsbl_sender              $DBL_QUERY=127.0.1.[2..99],
        reject_rhsbl_helo                $DBL_QUERY=127.0.1.[2..99],
        reject_rhsbl_reverse_client      $DBL_QUERY=127.0.1.[2..99],
        reject_rhsbl_sender              $ZRD_QUERY=127.0.2.2,
        reject_rhsbl_helo                $ZRD_QUERY=127.0.2.2,
        reject_rhsbl_reverse_client      $ZRD_QUERY=127.0.2.2,
        reject_rbl_client                $ZEN_QUERY=127.0.0.[2..255],
 END
 )
 fi
 # Define configuration for smtpd_sender_restrictions
 CONF_SMTPD_SENDER_RESTRICTIONS=$(cat <<-END
 	reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_authenticated_sender_login_mismatch,
        reject_rhsbl_sender $DBL_QUERY=127.0.1.[2..99]
 END
 )
 # Finalize configuration for smtpd_recipient_restrictions
 CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
 	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
        reject_unlisted_recipient,
        check_policy_service             inet:127.0.0.1:10023,
        check_policy_service             inet:127.0.0.1:12340
 END
 )
 # Apply configuration
 management/editconf.py /etc/postfix/main.cf -w \
        smtpd_sender_restrictions="$CONF_SMTPD_SENDER_RESTRICTIONS" \
        smtpd_recipient_restrictions="$CONF_SMTPD_RECIPIENT_RESTRICTIONS"
 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).