Hello,

I am working on upgrading an old and pretty broken Postfix setup I inherited.

I managed to get it cleaned up, and running on Postfix v3.9.

The server's using Spamhaus DQS DNSBLs at postscreen, and the policy it uses is reject on match.
They're working like they should for postscreen, rejecting when there's a match.

But it appears to be leaking the DQS password in the response.

I read the Postfix docs a few times, and thought I got it right.
But clearly, I'm missing something :-/

For example, with

        cat master.cf

                [mx.example.com]:25  inet  n  -  n  -  1  postscreen
                  -o smtpd_service_name=ps-int
                  ...

                ps-int  pass  -  -  n  -  -  smtpd
                 -o syslog_name=postfix/ps-int
                 ...

        cat main.cf

                var_SHDQS=xxxxxxxxxxx
                postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
                rbl_reply_maps = ${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps}
                default_rbl_reply = $rbl_code Service unavailable; REJECT: ( $rbl_class [$rbl_what] ) listed at $rbl_domain${rbl_reason?; $rbl_reason}

        cat /etc/postfix/postscreen_dnsbl_reply_map

                ${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11]  554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
                ${var_SHDQS}.dbl.dq.spamhaus.net=127.0.1.[2..99]  554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
                ${var_SHDQS}.zrd.dq.spamhaus.net=127.0.2.[2..24]  554 $rbl_class $rbl_what blocked using ZRD - domain too young
                ${var_SHDQS}.zen.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
                ${var_SHDQS}.dbl.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
                ${var_SHDQS}.zrd.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using ZRD - domain too young

                ${var_SHDQS}.sbl.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using SBL - see $rbl_txt for details
                ${var_SHDQS}.xbl.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using XBL - see $rbl_txt for details
                ${var_SHDQS}.pbl.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using PBL - see $rbl_txt for details
                ${var_SHDQS}.sbl-xbl.dq.spamhaus.net              554 $rbl_class $rbl_what blocked using SBL+XBL - see $rbl_txt for details

Running tests from Spamhaus I get a

        2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]: NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1 Service unavailable; REJECT: ( Helo command [zrd-dqs.blt.spamhaus.net] ) listed at xxxxxxxxxxx.zrd.dq.spamhaus.net; zrd-dqs.blt.spamhaus.net first seen around 01-Aug-2024 15:00 UTC; from=<t...@unlisted.blt.spamhaus.net> to=<a...@example.com> proto=ESMTP helo=<zrd-dqs.blt.spamhaus.net>

Where you see 

        xxxxxxxxxxx.zrd.dq.spamhaus.net

being leaked in the 554 reply.

It looks like it's using the "default_rbl_reply" instead of the match from 
"postscreen_dnsbl_reply_map".

I think maybe that's the actual problem -- using the wrong match?
Or is my texthash: file used incorrectly?

I'd appreciate any hints here!

Thanks.

--
 Arnie

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
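The following is an added example, not part of the post above and not Postfix code. It gives three offline checks for the kind of set-up described: a small model of the `${name?value}` / `${name:value}` parameter conditionals that postconf(5) documents, so one can see what `rbl_reply_maps = ${stress?lmdb:...}` evaluates to with and without `$stress` set; a lint for a postscreen_dnsbl_reply_map file against the two-column form shown in POSTSCREEN_README (secret DNSBL name on the left, the public name postscreen should show instead on the right); and a scan of reject log lines that reports which daemon wrote each line containing the DQS key. The map files, log lines, `DQSKEY` and `xxxxxxxxxxx` are constructed placeholders, and the conditional model deliberately omits the bracketed `${name?{a}:{b}}` form.

```python
"""Added example (not from the post or from Postfix): three offline checks
for the set-up under discussion. All sample inputs are constructed here;
DQSKEY and xxxxxxxxxxx stand in for a real DQS key.
"""
import re

# $name, ${name}, ${name?text}, ${name:text}. The bracketed
# ${name?{a}:{b}} form of newer Postfix is not modelled (simplification).
_PARAM_RE = re.compile(
    r"\$(?:\{([A-Za-z0-9_]+)(?:([?:])([^{}]*))?\}|([A-Za-z0-9_]+))")


def expand_param(value, params):
    """Expand a parameter value as postconf(5) describes: ${name?text} yields
    text only when $name is non-empty, ${name:text} only when it is empty or
    unset, and an unset name expands to the empty string."""
    def repl(m):
        name = m.group(1) or m.group(4)
        op, text = m.group(2), m.group(3)
        val = params.get(name, "")
        if op is None:
            return val
        chosen = (op == "?") == bool(val)
        return expand_param(text, params) if chosen else ""
    return _PARAM_RE.sub(repl, value)


def check_reply_map(text):
    """Lint a postscreen_dnsbl_reply_map texthash file. POSTSCREEN_README
    shows entries as 'secret.zen.spamhaus.org   zen.spamhaus.org': key is the
    secret DNSBL name from postscreen_dnsbl_sites, value is the public name.
    Returns a list of (line_no, problem)."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] in " \t":
            problems.append((n, "leading whitespace: texthash treats this as "
                                "a continuation of the previous entry"))
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if "$" in key:
            problems.append((n, "unexpanded $name in key: lookup-table files "
                                "get no main.cf parameter expansion"))
        if "=" in key:
            problems.append((n, "key carries =pattern: that is smtpd "
                                "reject_rbl_* syntax, not a DNSBL domain name"))
        if not value:
            problems.append((n, "missing replacement name"))
        elif len(value.split()) > 1 or value[:1].isdigit():
            problems.append((n, "value looks like SMTP reply text; it should "
                                "be the public DNSBL domain name"))
    return problems


def find_secret_in_log(lines, secret):
    """Return (line_no, program) for every log line containing the secret;
    program is the syslog name, e.g. postfix/postscreen or postfix/ps-int/smtpd,
    which tells which daemon produced the leaking reply."""
    hits = []
    for n, line in enumerate(lines, 1):
        if secret in line:
            m = re.search(r" (postfix(?:/[\w-]+)+)\[\d+\]:", line)
            hits.append((n, m.group(1) if m else "?"))
    return hits


# Constructed: shaped like the file in the post (smtpd-style entries).
BAD_MAP = """\
${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11]  554 $rbl_class $rbl_what blocked using ZEN
${var_SHDQS}.dbl.dq.spamhaus.net                  554 $rbl_class $rbl_what blocked using DBL
"""

# Constructed: the two-column form from POSTSCREEN_README.
GOOD_MAP = """\
# secret DNSBL name (as in postscreen_dnsbl_sites)   name shown in replies
DQSKEY.zen.dq.spamhaus.net   zen.dq.spamhaus.net
DQSKEY.dbl.dq.spamhaus.net   dbl.dq.spamhaus.net
DQSKEY.zrd.dq.spamhaus.net   zrd.dq.spamhaus.net
"""

# Constructed log lines modelled on the reject line quoted in the post.
LOG_LINES = [
    "2024-08-02T07:30:14.710397-04:00 mx postfix/ps-int/smtpd[52267]: NOQUEUE: "
    "reject: RCPT from host.example.net[192.0.2.10]: 554 5.7.1 Service "
    "unavailable; REJECT: ( Helo command [host.example.net] ) listed at "
    "xxxxxxxxxxx.zrd.dq.spamhaus.net; from=<t@example.net> to=<a@example.com>",
    "2024-08-02T07:31:02.000000-04:00 mx postfix/postscreen[52260]: NOQUEUE: "
    "reject: RCPT from [192.0.2.11]:41234: 550 5.7.1 Service unavailable; "
    "client [192.0.2.11] blocked using zen.dq.spamhaus.net; from=<x@example.net>",
]

if __name__ == "__main__":
    tmpl = "${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps}"
    print("rbl_reply_maps, normal load :", repr(expand_param(tmpl, {"stress": ""})))
    print("rbl_reply_maps, under stress:", repr(expand_param(tmpl, {"stress": "yes"})))
    for n, problem in check_reply_map(BAD_MAP):
        print(f"BAD_MAP line {n}: {problem}")
    print("GOOD_MAP problems:", check_reply_map(GOOD_MAP))
    print("leaks:", find_secret_in_log(LOG_LINES, "xxxxxxxxxxx"))
```

The first check is the one to run before anything else: a value of the form `${stress?...}` is empty whenever `$stress` is empty, so a map wrapped in it only exists while the server is overloaded and the default reply template is used the rest of the time. The second check flags keys that still contain `$`, keys written in `domain=pattern` form and values that are full reply texts rather than a replacement domain name. The third tells, from the syslog name, whether a leaking reply came from postscreen or from the smtpd behind it.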