Hello, I am working on upgrading an old and pretty broken Postfix setup I inherited.
I managed to get it cleaned up, and running on Postfix v3.9. The server's using Spamhaus DQS dnsbls @ postscreen, and the policy it uses is reject on match. They're working like they should for postscreen, rejecting when there's a match. But it appears to be leaking the DQS password in the response.

I read the Postfix docs a few times, and thought I got it right. But clearly, I'm missing something :-/

For example, with

cat master.cf
    [mx.example.com]:25 inet n - n - 1 postscreen
        -o smtpd_service_name=ps-int
        ...
    ps-int pass - - n - - smtpd
        -o syslog_name=postfix/ps-int
        ...

cat main.cf
    var_SHDQS=xxxxxxxxxxx
    postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
    rbl_reply_maps = ${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps}
    default_rbl_reply = $rbl_code Service unavailable; REJECT: ( $rbl_class [$rbl_what] ) listed at $rbl_domain${rbl_reason?; $rbl_reason}

cat /etc/postfix/postscreen_dnsbl_reply_map
    ${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
    ${var_SHDQS}.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
    ${var_SHDQS}.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young
    ${var_SHDQS}.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
    ${var_SHDQS}.dbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
    ${var_SHDQS}.zrd.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZRD - domain too young
    ${var_SHDQS}.sbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using SBL - see $rbl_txt for details
    ${var_SHDQS}.xbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using XBL - see $rbl_txt for details
    ${var_SHDQS}.pbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using PBL - see $rbl_txt for details
    ${var_SHDQS}.sbl-xbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using SBL+XBL - see $rbl_txt for details

Running tests from Spamhaus I get a

    2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]: NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1 Service unavailable; REJECT: ( Helo command [zrd-dqs.blt.spamhaus.net] ) listed at xxxxxxxxxxx.zrd.dq.spamhaus.net; zrd-dqs.blt.spamhaus.net first seen around 01-Aug-2024 15:00 UTC; from=<t...@unlisted.blt.spamhaus.net> to=<a...@example.com> proto=ESMTP helo=<zrd-dqs.blt.spamhaus.net>

Where you see xxxxxxxxxxx.zrd.dq.spamhaus.net being leaked in the 554 reply.

It looks like it's using the "default_rbl_reply" instead of the match from "postscreen_dnsbl_reply_map". I think maybe that's the actual problem -- using the wrong match? Or is my texthash: file used incorrectly?

I'd appreciate any hints here! Thanks.

--
Arnie
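
An added example, not part of the original post: a log check that flags reject replies sent to clients containing a key-bearing *.dq.spamhaus.net name, and reports them with the key redacted. It runs on the log line from the post plus two constructed lines; the key format (one alphanumeric label) and the names find_leaks and SAMPLE_LOG are assumptions.

```python
import re

# Client-visible reply: text between "reject: <stage> from <client>: " and "; from=<".
REJECT = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: NOQUEUE: reject: \w+ from \S+: "
    r"(?P<reply>\d{3} .*?)(?:; from=<|$)")
# Assumption: the DQS key is one alphanumeric DNS label in front of the zone name.
KEYED = re.compile(
    r"\b[a-z0-9]+\.((?:sbl-xbl|zen|dbl|zrd|sbl|xbl|pbl)\.dq\.spamhaus\.net)\b", re.I)

def find_leaks(lines):
    """Return (service, zone, redacted_reply) for each reply exposing a keyed name."""
    hits = []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue  # not a reject reply, so nothing was sent to a client
        reply = m.group("reply")
        k = KEYED.search(reply)
        if k:
            # Never echo the key itself into the report.
            redacted = KEYED.sub(r"<redacted>.\1", reply)
            hits.append((m.group("service"), k.group(1).lower(), redacted))
    return hits

SAMPLE_LOG = [
    # Log line from the post.
    "2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]: "
    "NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: "
    "554 5.7.1 Service unavailable; REJECT: ( Helo command "
    "[zrd-dqs.blt.spamhaus.net] ) listed at xxxxxxxxxxx.zrd.dq.spamhaus.net; "
    "zrd-dqs.blt.spamhaus.net first seen around 01-Aug-2024 15:00 UTC; "
    "from=<t...@unlisted.blt.spamhaus.net> to=<a...@example.com> proto=ESMTP "
    "helo=<zrd-dqs.blt.spamhaus.net>",
    # Constructed: a reject whose reply names no keyed zone.
    "2024-08-02T07:31:02.000000-04:00 arizona postfix/postscreen[4242]: "
    "NOQUEUE: reject: RCPT from [192.0.2.10]:40112: 550 5.7.1 Service "
    "unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; "
    "from=<a@example.net>, to=<b@example.com>, proto=ESMTP, helo=<mail.example.net>",
    # Constructed: keyed name in a local-only log record, not in a reply.
    "2024-08-02T07:31:02.000000-04:00 arizona postfix/dnsblog[4243]: addr "
    "192.0.2.10 listed by domain xxxxxxxxxxx.zen.dq.spamhaus.net as 127.0.0.4",
]

if __name__ == "__main__":
    for service, zone, reply in find_leaks(SAMPLE_LOG):
        print(f"LEAK via {service} ({zone}): {reply}")
```

The service field in each hit shows which daemon produced the reply, which is the first thing to check when deciding which reply setting was in effect.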