mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
chore(Postfix): disable DNSBLs (#3069)
This commit is contained in:
parent
29d8dcafb0
commit
ac1df91181
|
@ -75,13 +75,7 @@ Enable or disable Rspamd.
|
||||||
|
|
||||||
!!! warning "Current State"
|
!!! warning "Current State"
|
||||||
|
|
||||||
Rspamd-support is under active development. Be aware that breaking changes can happen at any time.
|
Rspamd-support is under active development. Be aware that breaking changes can happen at any time. To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
|
||||||
|
|
||||||
Currently, rspamd is integrated into Postfix as a milter. However, there is no official DKIM/DMARC support for rspamd in DMS as of now (WIP). To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
|
|
||||||
|
|
||||||
!!! warning "Rspamd and DNS Block Lists"
|
|
||||||
|
|
||||||
When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
|
|
||||||
|
|
||||||
- **0** => disabled
|
- **0** => disabled
|
||||||
- 1 => enabled
|
- 1 => enabled
|
||||||
|
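Review bot: the removed paragraph was the only place that told readers there is no DKIM/DMARC support for Rspamd in DMS yet; the replacement just adds "To get more information, see [the detailed documentation page for Rspamd][docs-rspamd]." Either keep that one sentence here or confirm the linked Rspamd page now carries the same caveat, otherwise the WIP status silently disappears from the ENABLE_RSPAMD docs. Moving the DNS resolver warning to the Rspamd page is fine since the same text is re-added there.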
@ -104,10 +98,13 @@ Amavis content filter (used for ClamAV & SpamAssassin)
|
||||||
|
|
||||||
##### ENABLE_DNSBL
|
##### ENABLE_DNSBL
|
||||||
|
|
||||||
This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
|
This enables DNS block lists in _Postscreen_. If you want to know which lists we are using, have a look at [the default `main.cf` for Postfix we provide](https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf) and search for `postscreen_dnsbl_sites`.
|
||||||
and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
|
|
||||||
|
|
||||||
Note: Emails will be rejected, if they don't pass the block list checks!
|
!!! danger "A Warning On DNS Block Lists"
|
||||||
|
|
||||||
|
Make sure your DNS queries are properly resolved, i.e. you will most likely not want to use a public DNS resolver as these queries do not return meaningful results. We try our best to only evaluate proper return codes - this is not a guarantee that all codes are handled fine though.
|
||||||
|
|
||||||
|
**Note that emails will be rejected if they don't pass the block list checks!**
|
||||||
|
|
||||||
- **0** => DNS block lists are disabled
|
- **0** => DNS block lists are disabled
|
||||||
- 1 => DNS block lists are enabled
|
- 1 => DNS block lists are enabled
|
||||||
|
|
|
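Review bot: the new link to `target/postfix/main.cf` points at `master`, so `postscreen_dnsbl_sites` may move or change without this doc following it; the line being removed used a commit-pinned permalink (`.../blob/f7465a5.../target/postfix/main.cf#L58-L66`), which is the more stable choice for a "search for this setting" pointer. Also, "these queries do not return meaningful results" in the danger admonition understates the problem: the Spamhaus FAQ linked from the Rspamd hunk explains that lookups via public resolvers are refused, so the practical consequence (lookups silently fail and the lists give no protection) is worth one sentence here, next to the note that mail is rejected on a hit.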
@ -23,6 +23,14 @@ You can find a list of all Rspamd modules [on their website][modules].
|
||||||
|
|
||||||
### DMS' Defaults
|
### DMS' Defaults
|
||||||
|
|
||||||
|
!!! danger "Rspamd and DNS Block Lists"
|
||||||
|
|
||||||
|
When using Rspamd, the [RBL module](https://rspamd.com/doc/modules/rbl.html) is enabled by default. As a consequence, Rspamd will do a variety of DNS requests. Amongst other things, Rspamd will query DNS block lists (DNSBLs).
|
||||||
|
|
||||||
|
There are a variety of issues involved when using DNSBLs. Rspamd will try to mitigate some of them by properly evaluating all return codes. We urge you not to rely on this though.
|
||||||
|
|
||||||
|
If you want to use RBLs, **try to use your own DNS resolver** and make sure it is set up correctly, i.e. it should be a non-public & **recursive** resolver. Otherwise, you might not be able ([see this Spamhaus post](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365)) to make use of the block lists.
|
||||||
|
|
||||||
You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`.
|
You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`.
|
||||||
|
|
||||||
DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/<MODULE>.conf` or overriding DMS' default with `/etc/rspamd/override.d/<MODULE>.conf`.
|
DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/<MODULE>.conf` or overriding DMS' default with `/etc/rspamd/override.d/<MODULE>.conf`.
|
||||||
|
|
|
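Review bot: "Rspamd will try to mitigate some of them by properly evaluating all return codes. We urge you not to rely on this though." leaves the reader without an action; the admonition should say what to check, e.g. that DNSBL lookups from the container actually resolve through the operator's own recursive resolver rather than a public one, which is the condition the following paragraph asks for. Suggest also spelling out that with a public resolver Rspamd may score mail as if no list matched, so the block lists give no protection rather than causing false rejects, since that is the failure mode the reader needs to recognise.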
@ -133,8 +133,7 @@ ENABLE_AMAVIS=1
|
||||||
# 3/4/5 => log debug information (very verbose)
|
# 3/4/5 => log debug information (very verbose)
|
||||||
AMAVIS_LOGLEVEL=0
|
AMAVIS_LOGLEVEL=0
|
||||||
|
|
||||||
# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
|
# This enables DNS block lists in Postscreen.
|
||||||
# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
|
|
||||||
# Note: Emails will be rejected, if they don't pass the block list checks!
|
# Note: Emails will be rejected, if they don't pass the block list checks!
|
||||||
# **0** => DNS block lists are disabled
|
# **0** => DNS block lists are disabled
|
||||||
# 1 => DNS block lists are enabled
|
# 1 => DNS block lists are enabled
|
||||||
|
|
|
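Review bot: the replacement comment "# This enables DNS block lists in Postscreen." drops the pointer to where the lists are configured, while the docs hunk for the same variable tells readers to look at `postscreen_dnsbl_sites` in the provided `main.cf`; add that pointer here too so `mailserver.env` and the docs stay consistent, and keep the existing "# Note: Emails will be rejected, if they don't pass the block list checks!" line as is.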
@ -48,7 +48,7 @@ smtpd_helo_required = yes
|
||||||
smtpd_delay_reject = yes
|
smtpd_delay_reject = yes
|
||||||
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
|
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
|
||||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
|
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
|
||||||
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
||||||
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname
|
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname
|
||||||
disable_vrfy_command = yes
|
disable_vrfy_command = yes
|
||||||
|
|
|
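Review bot: dropping `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` from `smtpd_recipient_restrictions` is a behavioural change, not just a tidy-up, and the PR description should say so: DNSBL filtering now happens only in Postscreen (which already lists `zen.spamhaus.org` in `postscreen_dnsbl_sites`, as the bats assertion being removed shows), and with `ENABLE_DNSBL=0` there is no remaining DNSBL path at all. The resulting restriction list ends cleanly with `reject_unknown_recipient_domain`, which matters because the setup-stack sed in this same commit anchors on that token.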
@ -307,8 +307,8 @@ function _setup_dovecot_quota
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# enable quota policy check in postfix
|
# enable quota policy check in postfix
|
||||||
sed -i \
|
sed -i -E \
|
||||||
"s|reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org|reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org|g" \
|
"s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g" \
|
||||||
/etc/postfix/main.cf
|
/etc/postfix/main.cf
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
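Review bot: the new substitution `s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g` is no longer anchored to a line, so with `-i` over the whole `main.cf` it appends the policy service after every occurrence of `reject_unknown_recipient_domain`, in any parameter and also in comments; restrict it to the intended line the way `_setup_dnsbl_disable` did (`'/^smtpd_recipient_restrictions = / s/.../'`). The capture group is also unnecessary, `s|reject_unknown_recipient_domain|&, check_policy_service inet:localhost:65265|` does the same without `-E`. On the plus side, the old pattern required the `reject_rbl_client zen.spamhaus.org` fragment, so if `_setup_dnsbl_disable` had already stripped it the quota policy check was never inserted; decoupling the two is the right fix.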
@ -1150,12 +1150,6 @@ function _setup_fail2ban
|
||||||
|
|
||||||
function _setup_dnsbl_disable
|
function _setup_dnsbl_disable
|
||||||
{
|
{
|
||||||
_log 'debug' 'Disabling postfix DNS block list (zen.spamhaus.org)'
|
|
||||||
|
|
||||||
sedfile -i \
|
|
||||||
'/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org=127.0.0.\[2..11\]//' \
|
|
||||||
/etc/postfix/main.cf
|
|
||||||
|
|
||||||
_log 'debug' 'Disabling postscreen DNS block lists'
|
_log 'debug' 'Disabling postscreen DNS block lists'
|
||||||
postconf 'postscreen_dnsbl_action = ignore'
|
postconf 'postscreen_dnsbl_action = ignore'
|
||||||
postconf 'postscreen_dnsbl_sites = '
|
postconf 'postscreen_dnsbl_sites = '
|
||||||
|
|
|
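Review bot: after removing the `sedfile` call, `ENABLE_DNSBL=0` no longer touches `smtpd_recipient_restrictions` at all, so a `reject_rbl_client` entry that an operator adds through their own Postfix overrides is deliberately left in place; a one-line comment in `_setup_dnsbl_disable` stating that only the Postscreen lists are cleared here would stop someone re-adding the sed later. Clearing `postscreen_dnsbl_sites` already disables the lookups; keeping `postscreen_dnsbl_action = ignore` as a second guard is fine, but say so in the comment as well.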
@ -27,12 +27,6 @@ function teardown_file() {
|
||||||
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
|
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# ENABLE_DNSBL=1
|
|
||||||
@test "(enabled) Postfix DNS block list zen.spamhaus.org" {
|
|
||||||
_run_in_container_explicit "${CONTAINER1_NAME}" postconf smtpd_recipient_restrictions
|
|
||||||
assert_output --partial 'reject_rbl_client zen.spamhaus.org'
|
|
||||||
}
|
|
||||||
|
|
||||||
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
|
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
|
||||||
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_action
|
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_action
|
||||||
assert_output 'postscreen_dnsbl_action = enforce'
|
assert_output 'postscreen_dnsbl_action = enforce'
|
||||||
|
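Review bot: rather than deleting the "(enabled) Postfix DNS block list zen.spamhaus.org" test outright, invert it: the point of the `main.cf` change is that `smtpd_recipient_restrictions` must not contain `reject_rbl_client` in either container, so a `refute_output --partial 'reject_rbl_client'` against `CONTAINER1_NAME` here (and the matching one kept for `CONTAINER2_NAME`) would guard against the entry being reintroduced.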
@ -40,13 +34,7 @@ function teardown_file() {
|
||||||
|
|
||||||
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_sites" {
|
@test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_sites" {
|
||||||
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_sites
|
_run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_sites
|
||||||
assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4'
|
assert_output --regexp '^postscreen_dnsbl_sites = [a-zA-Z0-9]+'
|
||||||
}
|
|
||||||
|
|
||||||
# ENABLE_DNSBL=0
|
|
||||||
@test "(disabled) Postfix DNS block list zen.spamhaus.org" {
|
|
||||||
_run_in_container_explicit "${CONTAINER2_NAME}" postconf smtpd_recipient_restrictions
|
|
||||||
refute_output --partial 'reject_rbl_client zen.spamhaus.org'
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "(disabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
|
@test "(disabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
|
||||||
|
|
|
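Review bot: `assert_output --regexp '^postscreen_dnsbl_sites = [a-zA-Z0-9]+'` only checks that the value starts with one alphanumeric character, so any non-empty garbage would pass; if the goal is to avoid pinning the whole list, assert something meaningful such as `--partial 'zen.spamhaus.org'` or a regexp that requires at least one hostname-shaped entry. The disabled case is then distinguished by the empty value set in `_setup_dnsbl_disable`, which the remaining `postscreen_dnsbl_sites` test for `CONTAINER2_NAME` should assert exactly.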
@ -6,7 +6,6 @@ CONTAINER_NAME='dms-test_postgrey_enabled'
|
||||||
|
|
||||||
function setup_file() {
|
function setup_file() {
|
||||||
local CUSTOM_SETUP_ARGUMENTS=(
|
local CUSTOM_SETUP_ARGUMENTS=(
|
||||||
--env ENABLE_DNSBL=1
|
|
||||||
--env ENABLE_POSTGREY=1
|
--env ENABLE_POSTGREY=1
|
||||||
--env PERMIT_DOCKER=container
|
--env PERMIT_DOCKER=container
|
||||||
--env POSTGREY_AUTO_WHITELIST_CLIENTS=5
|
--env POSTGREY_AUTO_WHITELIST_CLIENTS=5
|
||||||
|
|
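Review bot: removing `--env ENABLE_DNSBL=1` makes this postgrey test run with the variable's default, so confirm the postgrey assertions do not depend on `ENABLE_DNSBL` in either direction; the only previous coupling visible in this commit was the quota sed that matched on the `reject_rbl_client` fragment, and that coupling is gone, so the removal looks safe but the PR description should mention why the flag was there.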