On 18.11.19 08:42, Bernardo Reino wrote:
I currently use postscreen with postscreen_dnsbl_sites pointing to my instance of spamhaus.net. With postscreen_dnsbl_reply_map I hide the secret key from the server responses.

Now, I also have/had "reject_rbl_client zen.spamhaus.org" as part of my smtpd_recipient_restrictions. I want to change that to use my secret key, but I can't seem to find a way to map the server name to something else (to hide the key).

On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:
What's the point of using spamhaus in smtpd_recipient_restrictions
when you have already done so in postscreen?

On 18.11.19 10:12, Bernardo Reino wrote:
My plan is/was to use only one blacklist (zen, IP-based) during postscreen but then have the option of using other blacklists (dbl, zrd) at smtpd time.

I moved all blacklist filtering from smtpd to postscreen, because postscreen
can weigh blacklists, so I considered it safer.

e.g. if something is whitelisted in dnswl, and blacklisted in zen, it's
allowed, but if it's blacklisted in zen and in other BL, it's denied even if
in dnswl...

Thus I avoid many false-positives.

Now I only run rhsbl checks in smtpd (postscreen can't do that).

Even if at some point I will only leave the postscreen filter active, I wanted to nevertheless know how I would use it during smtpd.

I recommend moving dnsbls to postscreen and keeping them off smtpd.

I have now done it with:
rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd

where that file has lines like:
$KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked

where $KEY is my key, and the LHS of that line is exactly as it looks in reject_rhsbl_reverse_client (to give an example).

Seems to work (meaning: postfix hasn't complained, and I continue to receive mail :), but given the little traffic I have I wanted an "offline verification" that this is the right way to do this.

I think the key should be separated from the value by a tab, not '='.
Anything in the logs yet?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
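
Added example (not part of the thread and not Postfix code): an offline check of the kind asked for above, which parses a texthash reply map and reports any DNSBL restriction whose rejection text could still carry the key. The key `EXAMPLEKEY`, the restriction list and the map contents are constructed samples, and the map key is assumed to be the restriction argument exactly as written, as the post describes.

```python
import re

KEY = "EXAMPLEKEY"  # constructed placeholder for the secret DQS key
RESTRICTIONS = [    # constructed sample of the smtpd DNSBL restrictions
    f"reject_rbl_client {KEY}.zen.dq.spamhaus.net",
    f"reject_rhsbl_reverse_client {KEY}.zrd.dq.spamhaus.net=127.0.2.[2..24]",
]
REPLY_MAP = f"""\
# constructed sample of /etc/postfix/dnsbl_reply_smtpd
{KEY}.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable;
    $rbl_class [$rbl_what] blocked
"""
# The stock default_rbl_reply ends in "blocked using $rbl_domain...", so any
# template that keeps $rbl_domain puts the key-bearing name in the reply.
LEAKY = re.compile(r"\$[{(]?rbl_domain\b")

def parse_texthash(text):
    """Parse postmap-style input: 'key <whitespace> value' per logical line,
    '#' comments skipped, leading whitespace continues the previous line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        parts = entry.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table

def audit(restrictions, reply_map_text, key):
    """Return (redacted domain, problem) pairs; an empty list means every
    restriction has a template that keeps the key out of the SMTP reply."""
    table = parse_texthash(reply_map_text)
    findings = []
    for restriction in restrictions:
        # Assumption from the post: map key == restriction argument as written.
        domain = restriction.split(None, 1)[1]
        shown = domain.replace(key, "<KEY>")  # never print the real key
        template = table.get(domain)
        if template is None:
            findings.append((shown, "no map entry, default reply applies"))
        elif key in template or LEAKY.search(template):
            findings.append((shown, "template exposes the key"))
    return findings

if __name__ == "__main__":
    for domain, problem in audit(RESTRICTIONS, REPLY_MAP, KEY):
        print(f"{domain}: {problem}")
```

On a live system, `postmap -q` with the restriction argument as the key and `texthash:/etc/postfix/dnsbl_reply_smtpd` as the table shows which template Postfix would find.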
