
postscreen_dnsbl_sites


Robert Lopez

May 3, 2013, 3:33:21 PM
If in /etc/postfix/dnsbl_reply file there is a line:

the-authorization-key-was-here.zen.dq.spamhaus.net  zen.dq.spamhaus.org

And in main.cf there is the line:

postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply


Should the line in main.cf for "postscreen_dnsbl_sites = "
use the long name with the key in it or the short reply name?

Does it matter what the short name returned is; that is could I use
zen.spamhaus.org just to keep it shorter?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

Jeroen Geilman

May 3, 2013, 6:05:14 PM
On 5/3/2013 9:33 PM, Robert Lopez wrote:
> If in /etc/postfix/dnsbl_reply file there is a line:
>
> the-authorization-key-was-here.zen.dq.spamhaus.net  zen.dq.spamhaus.org
>
> And in main.cf there is the line:
>
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
>
>
> Should the line in main.cf for "postscreen_dnsbl_sites = "
> use the long name with the key in it or the short reply name?

The one that produces a valid response; if you have a spamhaus subscription, that would be the long one, with your authorization.


> Does it matter what the short name returned is; that is could I use
> zen.spamhaus.org just to keep it shorter?

It's text, in a text response.
It can be whatever makes you happy.

--
J.

Robert Lopez

May 3, 2013, 8:27:15 PM

I had
postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
and
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
and I had
<the-authorization-key-was-here>.zen.dq.spamhaus.net  zen.dq.spamhaus.org
in the /etc/postfix/dnsbl_reply file.

One of many email sent from a yahoo test account did happen to use a yahoo server listed by zen.dq.spamhaus.org and I did get back a reply with the key exposed:

Remote host said: 550 5.7.1 Service unavailable; client [98.136.218.178] blocked using <the-authorization-key-was-here>.zen.dq.spamhaus.org [RCPT_TO]

I then changed the one line in the main.cf from
postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
to
postscreen_dnsbl_sites = zen.dq.spamhaus.org

and since then none of the test email have been rejected.

How can I prove to myself the spamhaus list actually being used now as opposed to being not used because of configuration?

/dev/rob0

May 4, 2013, 7:48:36 AM
Please disable HTML when posting to mailing lists.

On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
> I had
> postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org

This is right.

> and
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
> in main.cf
>
> and I had
> <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

"net" != "org". This would never match.

You probably want to rewrite that to "zen.spamhaus.org" without the
"dq" domain component. That's what non-subscribers use.

> How can I prove to myself the spamhaus list actually being used
> now as opposed to being not used because of configuration?

http://www.crynwr.com/spam/ provides a testing service. Or, maybe
you're using a home Internet connection which is listed on PBL. If
your port 25 is not blocked by the ISP, you could test from home.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Robert Lopez

May 6, 2013, 4:53:11 PM
Let me try again. I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?

I have changed the label to make it more obvious.

Right now in the dnsbl_reply file I have this line (except for the key
being hidden):
<hidden-key>.zen.dq.spamhaus.net h.spamhaus.net

In the main.cf file I have this line:
postscreen_dnsbl_sites = h.spamhaus.net*1

I am assuming the h.spamhaus.net in main.cf is being rewritten to
<hidden-key>.zen.dq.spamhaus.net when postscreen uses the dnsbl.

What I am seeing in testing is my gateway is returning a statement
such as this one:
554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked
using <hidden-key>.zen.dq.spamhaus.net;
http://www.spamhaus.org/query/bl?ip=192.203.178.138

And the above line does in fact contain the actual key that I am trying to hide.

The version of Postfix I am using (2.10.0) is my first experience with
postscreen and I am trying to avoid the exposing of this key.

Is it possible that the key is being exposed not from the
postscreen_dnsbl_sites line but from a line also in main.cf which says
the following?
smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net


# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 26214400
mydestination = $myhostname, $mydomain, localhost.localdomain,
cnm.edu, mail.cnm.edu
mydomain = cnm.edu
mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24,
198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8,
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
notify_classes = resource, software
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1
bl.spamcop.net*1 dnsbl.sorbs.net*1
postscreen_dnsbl_threshold = 2
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu ESMTP
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
permit_mynetworks reject_rbl_client
<hidden-key>.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client
b.barracudacentral.org reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.sorbs.net
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip reject_invalid_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
reject_unknown_recipient_domain reject_unlisted_recipient
reject_non_fqdn_recipient reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/whitelist check_sender_access
hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases

Wietse Venema

May 6, 2013, 5:10:50 PM
Robert Lopez:
> Let me try again. I am assuming the link between a line in the
> dnsbl_reply file and the main.cf file is only a label and it could be
> anything.
> Is that a wrong assumption?

Please describe what is not clear about the following text:

postscreen_dnsbl_reply_map (default: empty)
A mapping from actual DNSBL domain name which includes a secret pass-
word, to the DNSBL domain name that postscreen will reply with when it
rejects mail. When no mapping is found, the actual DNSBL domain will
be used.

For maximal stability it is best to use a file that is read into memory
such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
except a) there is no need to run postmap(1) before the file can be
used, and b) texthash: does not detect changes after the file is read).

Example:

/etc/postfix/main.cf:
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

/etc/postfix/dnsbl_reply:
secret.zen.spamhaus.org zen.spamhaus.org

This feature is available in Postfix 2.8.

Once you set up your postscreen_dnsbl_reply_map, you can query it
to ensure that it works as expected. Using the above example,
the command

postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply

should produce "zen.spamhaus.org" as output.

Thanks for helping to improve Postfix.

Wietse

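A worked illustration of the map semantics quoted above, added here as an example; it is not Postfix source and not code from any poster. It is a small Python simulation of the texthash: lookup and of the postscreen reject text. The file contents, the key name secret-key, the client address and the postscreen_dnsbl_sites entries are all constructed, and texthash: is modelled as one "key value" pair per line with keys compared case-insensitively (an assumption; DNS names are case-insensitive). The code reproduces the documented rule that the right-hand side is used only in the reply, that the left-hand side must equal the domain actually queried, and that a missing mapping falls back to the actual query domain, which is exactly how a .net/.org mismatch puts the key on the wire.

```python
"""Simulate postscreen_dnsbl_reply_map handling (added example, not Postfix code).

Assumptions: texthash: is modelled as 'key value' per line with '#' comments
and case-insensitive keys; the reply format follows the 'blocked using' text
seen in this thread. Every name and address below is constructed.
"""
import re

# Constructed /etc/postfix/dnsbl_reply: left = domain actually queried (with
# the subscription key), right = what the rejected client gets to see.
DNSBL_REPLY_FILE = """\
# dnsbl_reply (constructed sample)
secret-key.zen.dq.spamhaus.net   zen.spamhaus.org
"""
SECRET = "secret-key"   # constructed stand-in for the subscription key


def parse_texthash(text):
    """Parse a texthash: table: 'key value' per line, blanks and '#' ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed texthash line: %r" % raw)
        table[parts[0].lower()] = parts[1].strip()
    return table


def dnsbl_site_domain(site):
    """Strip the optional '=filter' and '*weight' suffixes that
    postscreen_dnsbl_sites allows, leaving the domain that is queried."""
    return re.split(r"[=*]", site, maxsplit=1)[0]


def postmap_q(key, reply_map):
    """Same answer as 'postmap -q KEY texthash:/etc/postfix/dnsbl_reply'."""
    return reply_map.get(key.lower())


def postscreen_reply(site, client_ip, reply_map, txt_record=None):
    """Build the reject text. The map is consulted with the real query domain;
    its right-hand side is used only here, never for the DNS lookup."""
    actual = dnsbl_site_domain(site)
    shown = postmap_q(actual, reply_map) or actual   # no mapping: real domain
    reply = "550 5.7.1 Service unavailable; client [%s] blocked using %s" % (
        client_ip, shown)
    if txt_record:
        reply += "; " + txt_record
    return reply


def leaks_secret(reply, secret=SECRET):
    """True when the text a remote client receives contains the key."""
    return secret.lower() in reply.lower()


REPLY_MAP = parse_texthash(DNSBL_REPLY_FILE)

if __name__ == "__main__":
    for site in ("secret-key.zen.dq.spamhaus.net*1",   # matches the map
                 "secret-key.zen.dq.spamhaus.org*1"):  # .org vs .net: no match
        reply = postscreen_reply(site, "192.0.2.10", REPLY_MAP)
        print(("LEAK: " if leaks_secret(reply) else "ok:   ") + reply)
```

Running it prints an "ok" line for the .net site, whose reply says "blocked using zen.spamhaus.org", and a "LEAK" line for the .org site, whose reply carries the key because the lookup found nothing. The postmap_q function is the offline counterpart of the `postmap -q` check Wietse recommends.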
Jan P. Kessler

May 6, 2013, 5:24:34 PM

> Is it possible that the key is being exposed not from the
> postscreen_dnsbl_sites line but from a line also in main.cf which says
> the following?
> smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

Use rbl_reply_maps and a text without $rbl_domain:
http://www.postfix.org/postconf.5.html#rbl_reply_maps

And... get a new spamhaus key, NOW:

# telnet mg05.cnm.edu 25
Trying 198.133.182.65...
Connected to mg05.cnm.edu.
Escape character is '^]'.
220 mg05.cnm.edu ESMTP Postfix
HELO ruv.de
250 mg05.cnm.edu
MAIL FROM:jpk@somedomain
250 2.1.0 Ok
RCPT TO:hostm...@cnm.edu
554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using
<GOTIT>.zen.dq.spamhaus.net;
http://www.spamhaus.org/query/bl?ip=47.66.81.105
quit
221 2.0.0 Bye

Wietse Venema

May 6, 2013, 7:08:26 PM
Jan P. Kessler:
>
> > Is it possible that the key is being exposed not from the
> > postscreen_dnsbl_sites line but from a line also in main.cf which says
> > the following?
> > smtpd_client_restrictions = reject_rbl_client <hidden-key>.zen.dq.spamhaus.net

Yes. Postfix logging will tell you which program produces
the REJECT message: smtpd or postscreen.

Wietse

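Two checks the replies above point at, as an added Python example that is not Postfix source and not code from any poster. First, Jan's suggestion of an rbl_reply_maps entry whose text does not contain $rbl_domain: the block expands Postfix's documented default_rbl_reply template beside a constructed replacement (confirm the default on your own version with `postconf -d default_rbl_reply`). Second, Wietse's point that the log says which daemon produced the reject: the block scans constructed log lines and reports whether postscreen or smtpd sent the key. The macro expander handles only the $name, ${name}, ${name?text} and ${name:text} forms; the key secret-key, the addresses and the log lines are all invented.

```python
"""Which daemon leaks the DNSBL key, and how rbl_reply_maps hides it.
Added example; templates, key, addresses and log lines are constructed."""
import re

# Postfix's documented default_rbl_reply; $rbl_domain is the domain as queried.
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Constructed rbl_reply_maps table: key = DNSBL domain exactly as named in
# reject_rbl_client, value = a template that never mentions $rbl_domain.
RBL_REPLY_MAP = {
    "secret-key.zen.dq.spamhaus.net":
        "$rbl_code Service unavailable; $rbl_class [$rbl_what] "
        "blocked using zen.spamhaus.org${rbl_reason?; $rbl_reason}",
}

_MACRO = re.compile(r"\$(?:\{(\w+)(?:([?:])([^}]*))?\}|(\w+))")


def expand(template, attrs):
    """Expand $name, ${name}, ${name?text} (text if set) and ${name:text}
    (text if empty); 'text' may itself contain macros."""
    def sub(m):
        name = m.group(1) or m.group(4)
        op, text = m.group(2), m.group(3)
        value = attrs.get(name, "")
        if op == "?":
            return expand(text, attrs) if value else ""
        if op == ":":
            return "" if value else expand(text, attrs)
        return value
    return _MACRO.sub(sub, template)


def smtpd_rbl_reply(rbl_domain, attrs, reply_map):
    """Reply text smtpd would send for reject_rbl_client on rbl_domain."""
    template = reply_map.get(rbl_domain, DEFAULT_RBL_REPLY)
    return expand(template, dict(attrs, rbl_domain=rbl_domain))


# Constructed log lines: one reject from postscreen, one from smtpd, and one
# smtpd reject whose reply was already rewritten and carries no key.
LOG = """\
May  3 17:54:01 mx1 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [198.51.100.7]:45242: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using secret-key.zen.dq.spamhaus.org; from=<a@example.net>, to=<b@example.org>, proto=SMTP, helo=<mx.example.net>
May  3 18:02:11 mx1 postfix/smtpd[10400]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using secret-key.zen.dq.spamhaus.net; http://www.spamhaus.org/query/bl?ip=198.51.100.7; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mx.example.net>
May  3 18:05:40 mx1 postfix/smtpd[10402]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mx.example.net>
"""
_REJECT = re.compile(r"postfix/(postscreen|smtpd)\[\d+\]: NOQUEUE: reject: ")


def find_leaks(log_text, secret):
    """(daemon, line) for every reject logged by postscreen or smtpd whose
    text, as sent to the client, contains the secret."""
    hits = []
    for line in log_text.splitlines():
        m = _REJECT.search(line)
        if m and secret in line:
            hits.append((m.group(1), line))
    return hits


if __name__ == "__main__":
    attrs = {"rbl_code": "554", "rbl_class": "Client host",
             "rbl_what": "198.51.100.7",
             "rbl_reason": "http://www.spamhaus.org/query/bl?ip=198.51.100.7"}
    print("default:", smtpd_rbl_reply("secret-key.zen.dq.spamhaus.net", attrs, {}))
    print("mapped: ", smtpd_rbl_reply("secret-key.zen.dq.spamhaus.net", attrs, RBL_REPLY_MAP))
    for daemon, line in find_leaks(LOG, "secret-key"):
        print("key sent by", daemon + ":", line.split("NOQUEUE: ", 1)[1][:60], "...")
```

With the default template the smtpd reply carries the queried domain, key included, just as Jan's telnet session shows; with the map entry the same rejection reads "blocked using zen.spamhaus.org" and still appends the TXT record. The scan reports the key sent by postscreen and by smtpd separately, which is the log check Wietse describes; fixing only postscreen_dnsbl_reply_map leaves the smtpd line.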
/dev/rob0

May 6, 2013, 8:37:41 PM
On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
> On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
> > I had
> > postscreen_dnsbl_sites = <the-key-to-hide>zen.dq.spamhaus.org
>
> This is right.

Let me try again also! I presume your lookup is actually against
key.zen.dq.spamhaus.org. That's what I said was right. Hereafter,
"key" will be substituted for the actual key.

> > and
> > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
> > in main.cf
> >
> > and I had
> > <the-authorization-key-was-here>.zen.dq.spamhaus.net zen.dq.spamhaus.org

And here you are talking about spamhaus.net. Which is your lookup
against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note
that "net" is not "org".

> "net" != "org". This would never match.

Assuming that you DID mean key.zen.dq.spamhaus.org, your
postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would
never match, because as we have seen, "net" is not "org". :)

If "net" was right, your munging was wrong.

Robert Lopez

May 7, 2013, 3:03:51 PM
What is not clear to me in that description is the reason for my
original question
"Does it matter what the short name returned is; that is could I use
zen.spamhaus.org just to keep it shorter?"

I tried to make that question more clear the second time I posted by
" I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?
I have changed the label to make it more obvious."

To me when I read the text you provided I am left with the question
"If the real query address, with the key, is being replaced by some
other name, does it matter what that name is and can it be shortened
up?"

Of course, the reason for my post in the first place was my concern that
the name with the key was returned in a reply to a test email I sent
from a Yahoo test account which just happened to have been delivered
from a Yahoo server which was listed by zen.spam.net.

Also, I did have a bit of a mix-up in that in your example text you do
use zen.spamhaus.org and in my original set-up instructions from the
vendor from whom CNM purchases the Spamhaus service, the address
I am to query is <key>.zen.dq.spamhaus.net. This is not to say there is
any problem in your text. It was simply my dyslexia seeing what I expect
to see and not noticing the net v org that /dev/rob0 has pointed out.

Your making clear two other points (using postmap -q and looking for the
log lines to distinguish between postscreen and smtpd) were helpful
to me.

I can see the returned information which did disclose the key came from
postscreen:

May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT
from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client
[98.136.218.178] blocked using <key>.zen.dq.spamhaus.org;
from=<rlop...@yahoo.com>, to=<rlo...@mg08.cnm.edu>, proto=SMTP,
helo=<nm5-vm3.bullet.mail.gq1.yahoo.com>

Finally, /dev/rob0 was exactly correct in that the two labels used differed
(.net v .org),
causing the lookup to fail and "When no mapping is found, the actual
DNSBL domain will be used."

I believe the answer to my question is the text of the label does not matter
(but it must be meaningful enough to communicate) but it must be
exactly the same in the dnsbl_reply file and the main.cf file.

Life as a dyslexic person is often embarrassing.

Thank you.

Wietse Venema

May 7, 2013, 3:21:55 PM
Robert Lopez:
As documented, the name on the right-hand side of the table is used
in the postscreen REPLY.

This name is NOT USED for the DNSBL query.

This name is NOT USED for lots of other things.

This name is USED ONLY for the purpose as documented.

Wietse

/dev/rob0

May 7, 2013, 7:28:53 PM
On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
> What is not clear to me in that description is the reason for
> my original question
> "Does it matter what the short name returned is; that is could
> I use zen.spamhaus.org just to keep it shorter?"

In my example:
http://rob0.nodns4.us/postscreen.html
I use a negated lookup. Basically, if zen.spamhaus.org is not among
the DNSBL hits, my senders see that they were blocked by "multiple
DNS-based blocklists".

So no, there need not be any connection between the lookup key and
the result. I think in your case you will want to use
"zen.spamhaus.org" as the result.