Add support for Spamhaus DQS (https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/index.html)

management/status_checks.py

@@ -283,7 +283,7 @@ def run_network_checks(env, output):
 	# by a spammer, or the user may be deploying on a residential network. We
 	# will not be able to reliably send mail in these cases.
 	rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.')))
-	zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None)
+	zen = query_dns(rev_ip4+get_spamhaus_query_url(env, 'zen'), 'A', nxdomain=None)
 	evaluate_spamhaus_lookup(env['PUBLIC_IP'], 'IPv4', rev_ip4, output, zen)
 
 	if not env['PUBLIC_IPV6']:
@@ -292,10 +292,28 @@ def run_network_checks(env, output):
 	from ipaddress import IPv6Address
 
 	rev_ip6 = ".".join(reversed(IPv6Address(env['PUBLIC_IPV6']).exploded.split(':')))
-	zen = query_dns(rev_ip6+'.zen.spamhaus.org', 'A', nxdomain=None)
+	zen = query_dns(rev_ip6+get_spamhaus_query_url(env, 'zen'), 'A', nxdomain=None)
 	evaluate_spamhaus_lookup(env['PUBLIC_IPV6'], 'IPv6', rev_ip6, output, zen)
 	
 
+def get_spamhaus_query_url(env, selector):
+	# Filter on valid selectors
+	if not selector in ('zen', 'dbl'):
+		# Set default so at least something is returned
+		selector = 'zen'
+
+	# Default public block list
+	spamhaus_url = '.'+selector+'.spamhaus.org'
+	
+	# Check if system makes use of Spamhaus Data Query Service, see https://portal.spamhaus.com/dqs/?ft=1#3.1
+	env_key = 'SPAMHAUS_DQS_KEY'
+	if env_key in env and len(env[env_key]) > 0:
+		dqs_key = env[env_key]
+		spamhaus_url = '.'+dqs_key+'.'+selector+'.dq.spamhaus.net'
+	
+	return spamhaus_url
+
+
 def evaluate_spamhaus_lookup(lookupaddress, lookuptype, lookupdomain, output, zen):
 	# See https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now. for
 	# information on spamhaus return codes
@@ -766,7 +784,8 @@ def check_mail_domain(domain, env, output):
 	
 	# See https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now. for
 	# information on spamhaus return codes
-	dbl = query_dns(domain+'.dbl.spamhaus.org', "A", nxdomain=None)
+	dbl = query_dns(domain+get_spamhaus_query_url(env, 'dbl'), "A", nxdomain=None)
+	
 	if dbl is None:
 		output.print_ok("Domain is not blacklisted by dbl.spamhaus.org.")
 	elif dbl == "[timeout]":

setup/mail-postfix.sh

@@ -223,10 +223,12 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
 # * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
 # * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
-# * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
 # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
 # * `permit_mynetworks`: Mail that originates locally can skip further checks.
 # * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
+# * `reject_rhsbl_sender`: Reject the request when the MAIL FROM domain is listed in spamhaus.org
+# * `reject_rhsbl_helo`: Reject the request when the HELO or EHLO hostname is listed in spamhaus.org
+# * `reject_rhsbl_reverse_client`: Reject the request when the unverified reverse client hostname is listed in spamhaus.org
 # * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
 # * `check_policy_service`: Apply greylisting using postgrey.
 #
@@ -236,9 +238,74 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
-tools/editconf.py /etc/postfix/main.cf \
-	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]" \
-	smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023,check_policy_service inet:127.0.0.1:12340"
+# In case the Spamhaus Data Query Service is used, slightly different configuration is needed. Source: https://portal.spamhaus.com/dqs/?ft=1#3.1.2
+# Zero Reputation Domain (ZRD) blocklist is limited to two hour old domains, not 24 like suggested by Spamhaus.
+
+# smtpd_recipient_restrictions is different whether Spamhaus DQS is used or not.
+# Start definition of the configuration here
+CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
+	permit_sasl_authenticated,
+        permit_mynetworks,
+        check_sender_access              hash:/etc/postfix/sender_access,
+        check_recipient_access           hash:/etc/postfix/recipient_access,
+END
+)
+
+if [ -z "${SPAMHAUS_DQS_KEY:-}" ]; then
+        # Public spamhaus blocklist servers queried
+        DBL_QUERY=dbl.spamhaus.org
+        ZEN_QUERY=zen.spamhaus.org
+
+CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
+	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
+        reject_rbl_client                $ZEN_QUERY=127.0.0.[2..11],
+        reject_rhsbl_sender              $DBL_QUERY=127.0.1.[2..99],
+        reject_rhsbl_helo                $DBL_QUERY=127.0.1.[2..99],
+        reject_rhsbl_reverse_client      $DBL_QUERY=127.0.1.[2..99],
+        warn_if_reject reject_rbl_client $ZEN_QUERY=127.255.255.[1..255],        
+END
+)
+else
+        # Use Data Query Service for blocklist query URLs
+        DBL_QUERY=$SPAMHAUS_DQS_KEY.dbl.dq.spamhaus.net
+        ZEN_QUERY=$SPAMHAUS_DQS_KEY.zen.dq.spamhaus.net
+        ZRD_QUERY=$SPAMHAUS_DQS_KEY.zrd.dq.spamhaus.net
+
+CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
+	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
+        reject_rhsbl_sender              $DBL_QUERY=127.0.1.[2..99],
+        reject_rhsbl_helo                $DBL_QUERY=127.0.1.[2..99],
+        reject_rhsbl_reverse_client      $DBL_QUERY=127.0.1.[2..99],
+        reject_rhsbl_sender              $ZRD_QUERY=127.0.2.2,
+        reject_rhsbl_helo                $ZRD_QUERY=127.0.2.2,
+        reject_rhsbl_reverse_client      $ZRD_QUERY=127.0.2.2,
+        reject_rbl_client                $ZEN_QUERY=127.0.0.[2..255],
+END
+)
+fi
+
+# Define configuration for smtpd_sender_restrictions
+CONF_SMTPD_SENDER_RESTRICTIONS=$(cat <<-END
+	reject_non_fqdn_sender,
+        reject_unknown_sender_domain,
+        reject_authenticated_sender_login_mismatch,
+        reject_rhsbl_sender $DBL_QUERY=127.0.1.[2..99]
+END
+)
+
+# Finalize configuration for smtpd_recipient_restrictions
+CONF_SMTPD_RECIPIENT_RESTRICTIONS=$(cat <<-END
+	$CONF_SMTPD_RECIPIENT_RESTRICTIONS
+        reject_unlisted_recipient,
+        check_policy_service             inet:127.0.0.1:10023,
+        check_policy_service             inet:127.0.0.1:12340
+END
+)
+
+# Apply configuration
+management/editconf.py /etc/postfix/main.cf -w \
+        smtpd_sender_restrictions="$CONF_SMTPD_SENDER_RESTRICTIONS" \
+        smtpd_recipient_restrictions="$CONF_SMTPD_RECIPIENT_RESTRICTIONS"
 
 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).