chore(Postfix): disable DNSBLs (#3069)

Georg Lauterbach 2023-02-11 00:24:09 +01:00 committed by GitHub
parent 29d8dcafb0
commit ac1df91181
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 20 additions and 35 deletions

View file

@ -75,13 +75,7 @@ Enable or disable Rspamd.
!!! warning "Current State" !!! warning "Current State"
Rspamd-support is under active development. Be aware that breaking changes can happen at any time. Rspamd-support is under active development. Be aware that breaking changes can happen at any time. To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
Currently, rspamd is integrated into Postfix as a milter. However, there is no official DKIM/DMARC support for rspamd in DMS as of now (WIP). To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
!!! warning "Rspamd and DNS Block Lists"
When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
- **0** => disabled - **0** => disabled
- 1 => enabled - 1 => enabled
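Review bot: the new "Rspamd and DNS Block Lists" admonition says you "might want to use" the RBL module, while the Rspamd docs page changed in this same commit states the module is enabled by default; the two pages should agree, or this one should just link to the Rspamd page rather than restating the advice. It also uses `!!! warning` where the other page uses `!!! danger` for the same content, so pick one level. The dropped sentence about the milter integration and the missing DKIM/DMARC support is not replaced in this hunk; confirm that caveat no longer applies or is covered on the linked page.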
@ -104,10 +98,13 @@ Amavis content filter (used for ClamAV & SpamAssassin)
##### ENABLE_DNSBL ##### ENABLE_DNSBL
This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix This enables DNS block lists in _Postscreen_. If you want to know which lists we are using, have a look at [the default `main.cf` for Postfix we provide](https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf) and search for `postscreen_dnsbl_sites`.
and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
Note: Emails will be rejected, if they don't pass the block list checks! !!! danger "A Warning On DNS Block Lists"
Make sure your DNS queries are properly resolved, i.e. you will most likely not want to use a public DNS resolver as these queries do not return meaningful results. We try our best to only evaluate proper return codes - this is not a guarantee that all codes are handled fine though.
**Note that emails will be rejected if they don't pass the block list checks!**
- **0** => DNS block lists are disabled - **0** => DNS block lists are disabled
- 1 => DNS block lists are enabled - 1 => DNS block lists are enabled
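Review bot: the new link points at `main.cf` on `master`, so the list a reader sees will drift from the release they actually run; the removed line linked a pinned commit, which stays accurate. The danger box says public resolvers "do not return meaningful results" but gives no reason or reference; moving the Spamhaus FAQ link that the Rspamd page in this commit uses into this box would make the advice actionable. "We try our best to only evaluate proper return codes" would also read better as a pointer to the return-code filters already present in `postscreen_dnsbl_sites` (for example `zen.spamhaus.org=127.0.0.[2..11]`), which is what that sentence refers to.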

View file

@ -23,6 +23,14 @@ You can find a list of all Rspamd modules [on their website][modules].
### DMS' Defaults ### DMS' Defaults
!!! danger "Rspamd and DNS Block Lists"
When using Rspamd, the [RBL module](https://rspamd.com/doc/modules/rbl.html) is enabled by default. As a consequence, Rspamd will do a variety of DNS requests. Amongst other things, Rspamd will query DNS block lists (DNSBLs).
There are a variety of issues involved when using DNSBLs. Rspamd will try to mitigate some of them by properly evaluating all return codes. We urge you not to rely on this though.
If you want to use RBLs, **try to use your own DNS resolver** and make sure it is set up correctly, i.e. it should be a non-public & **recursive** resolver. Otherwise, you might not be able ([see this Spamhaus post](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365)) to make use of the block lists.
You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`. You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`.
DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/<MODULE>.conf` or overriding DMS' default with `/etc/rspamd/override.d/<MODULE>.conf`. DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/<MODULE>.conf` or overriding DMS' default with `/etc/rspamd/override.d/<MODULE>.conf`.
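Review bot: this `!!! danger` box duplicates the warning added to the `ENABLE_RSPAMD` section of the ENV docs in this same commit, with different wording ("enabled by default" here, "you might want to use" there) and a different admonition level; keep one authoritative version and link to it from the other. "non-public & **recursive**" should spell out "and". "Rspamd will try to mitigate some of them by properly evaluating all return codes" names no concrete issue; say what goes wrong (a public resolver yields no usable listing answer) so readers can recognise it in their logs.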

View file

@ -133,8 +133,7 @@ ENABLE_AMAVIS=1
# 3/4/5 => log debug information (very verbose) # 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0 AMAVIS_LOGLEVEL=0
# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix # This enables DNS block lists in Postscreen.
# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks! # Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled # **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled # 1 => DNS block lists are enabled
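Review bot: the comment in `mailserver.env` now diverges from the docs text for the same variable: the docs gained the resolver warning (do not use a public DNS resolver) and a pointer to `postscreen_dnsbl_sites`, while this comment only says "This enables DNS block lists in Postscreen." Many users configure from this file alone, so mirror at least the resolver note here.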

View file

@ -48,7 +48,7 @@ smtpd_helo_required = yes
smtpd_delay_reject = yes smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname
disable_vrfy_command = yes disable_vrfy_command = yes
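Review bot: removing `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` from `smtpd_recipient_restrictions` leaves Postscreen as the only DNSBL check; the commit title "disable DNSBLs" overstates this, since `postscreen_dnsbl_sites` stays populated when `ENABLE_DNSBL=1` (see the test hunks below). A title such as "drop smtpd reject_rbl_client check" would describe the change. Also grep the tree for any other reference to `reject_rbl_client`: the quota `sed` in `_setup_dovecot_quota` is updated here, and the tests carrying the string are removed, but a stale match elsewhere would now silently do nothing.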

View file

@ -307,8 +307,8 @@ function _setup_dovecot_quota
fi fi
# enable quota policy check in postfix # enable quota policy check in postfix
sed -i \ sed -i -E \
"s|reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org|reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org|g" \ "s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g" \
/etc/postfix/main.cf /etc/postfix/main.cf
fi fi
} }
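Review bot: the new expression `s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g` is neither scoped nor idempotent: the old pattern only matched when `reject_rbl_client` followed, so a second run could not match again, whereas the new one appends the policy service on every run and on every line of `main.cf` where `reject_unknown_recipient_domain` appears. Anchor it to the recipient-restrictions line as the old `_setup_dnsbl_disable` did (`/^smtpd_recipient_restrictions = / s/.../`) and match the end of the list, e.g. `reject_unknown_recipient_domain$`, which the default `main.cf` in this commit satisfies and which no longer matches once the service has been inserted.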
@ -1150,12 +1150,6 @@ function _setup_fail2ban
function _setup_dnsbl_disable function _setup_dnsbl_disable
{ {
_log 'debug' 'Disabling postfix DNS block list (zen.spamhaus.org)'
sedfile -i \
'/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org=127.0.0.\[2..11\]//' \
/etc/postfix/main.cf
_log 'debug' 'Disabling postscreen DNS block lists' _log 'debug' 'Disabling postscreen DNS block lists'
postconf 'postscreen_dnsbl_action = ignore' postconf 'postscreen_dnsbl_action = ignore'
postconf 'postscreen_dnsbl_sites = ' postconf 'postscreen_dnsbl_sites = '
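Review bot: with the smtpd `sedfile` removed, the function body is two `postconf` calls; they can be one invocation, `postconf 'postscreen_dnsbl_action = ignore' 'postscreen_dnsbl_sites ='`, which rewrites `main.cf` once instead of twice. The remaining log message could drop "postscreen" and read "Disabling DNS block lists", since that is now everything `_setup_dnsbl_disable` does.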

View file

@ -27,12 +27,6 @@ function teardown_file() {
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}" docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
} }
# ENABLE_DNSBL=1
@test "(enabled) Postfix DNS block list zen.spamhaus.org" {
_run_in_container_explicit "${CONTAINER1_NAME}" postconf smtpd_recipient_restrictions
assert_output --partial 'reject_rbl_client zen.spamhaus.org'
}
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_action" { @test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_action _run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_action
assert_output 'postscreen_dnsbl_action = enforce' assert_output 'postscreen_dnsbl_action = enforce'
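Review bot: deleting the `(enabled) Postfix DNS block list zen.spamhaus.org` test leaves nothing asserting that `smtpd_recipient_restrictions` no longer carries `reject_rbl_client`; a `refute_output --partial 'reject_rbl_client'` against `postconf smtpd_recipient_restrictions` on the enabled container would catch the string creeping back into `main.cf`.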
@ -40,13 +34,7 @@ function teardown_file() {
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_sites" { @test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_sites" {
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_sites _run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_sites
assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4' assert_output --regexp '^postscreen_dnsbl_sites = [a-zA-Z0-9]+'
}
# ENABLE_DNSBL=0
@test "(disabled) Postfix DNS block list zen.spamhaus.org" {
_run_in_container_explicit "${CONTAINER2_NAME}" postconf smtpd_recipient_restrictions
refute_output --partial 'reject_rbl_client zen.spamhaus.org'
} }
@test "(disabled) Postscreen DNS block lists -> postscreen_dnsbl_action" { @test "(disabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
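Review bot: the new assertion `assert_output --regexp '^postscreen_dnsbl_sites = [a-zA-Z0-9]+'` only checks that the value starts with an alphanumeric character, so a list reduced to a single wrong or partial entry would still pass, whereas the removed assertion pinned the exact list. If pinning the whole string is too brittle, at least `assert_output --partial 'zen.spamhaus.org'` (or one `--partial` per list) keeps the test meaningful. Removing the `(disabled) Postfix DNS block list` test alongside it is consistent with the `main.cf` change.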

View file

@ -6,7 +6,6 @@ CONTAINER_NAME='dms-test_postgrey_enabled'
function setup_file() { function setup_file() {
local CUSTOM_SETUP_ARGUMENTS=( local CUSTOM_SETUP_ARGUMENTS=(
--env ENABLE_DNSBL=1
--env ENABLE_POSTGREY=1 --env ENABLE_POSTGREY=1
--env PERMIT_DOCKER=container --env PERMIT_DOCKER=container
--env POSTGREY_AUTO_WHITELIST_CLIENTS=5 --env POSTGREY_AUTO_WHITELIST_CLIENTS=5
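Review bot: dropping `--env ENABLE_DNSBL=1` from the postgrey test's setup is only safe if no assertion in this file depended on a DNSBL rejection or on `reject_rbl_client` being present in `smtpd_recipient_restrictions`; confirm the remaining tests pass with the default value of `ENABLE_DNSBL`, since the flag was presumably there to exercise the smtpd check that this commit removes.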