On 2025-03-09 at 03:39:30 UTC-0400 (Sun, 9 Mar 2025 09:39:30 +0200) Petko Manolov via Postfix-users <pet...@nucleusys.com> is rumored to have said:
> I've recently signed up for Spamhaus' free service. They were helpful enough to
> provide postfix setup guide to minimize the pain.

Which you failed to follow.

> I've modified postscreen_dnsbl_sites accordingly and this morning was greeted by the
> following BS...
>
> Mar 09 01:49:12 lan postfix/postscreen[182934]: CONNECT from [45.90.5.195]:45727 to [192.168.234.2]:25
> Mar 09 01:49:12 lan postfix/dnsblog[182936]: addr 45.90.5.195 listed by domain <REDACT>.zrd.dq.spamhaus.net as 127.0.2.255
> Mar 09 01:49:12 lan postfix/dnsblog[182937]: addr 45.90.5.195 listed by domain <REDACT>.dbl.dq.spamhaus.net as 127.0.1.255

You're using those wrong. DBL and ZRD are not used for IP addresses, they are used for domain names. They cannot be used in postscreen.

The last octet is the signal. You should not be rejecting based on a .255 result.

[...]

> And what is 45.90.5.195 doing in Spamhaus' ZDR and DBL lists?

It's not. ZRD and DBL only list domain names.

Review https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html#configuration. It provides the correct Postfix config, which does not include checking ZRD and DBL in postscreen.

The only things you need to change are:

1. Where they have unkeyed spamhaus.org names, you should use the <key>.<zone>.dq.spamhaus.net forms.

2. They don't have ZRD config. For those you should have lines like these in one of your smtpd_*_restrictions lists:

    reject_rhsbl_sender <REDACT>.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_helo <REDACT>.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_reverse_client <REDACT>.zrd.dq.spamhaus.net=127.0.2.[2..24],

-- 
Bill Cole
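Added example, not part of the original message or of the Postfix or Spamhaus documentation: a small Python check for the two mistakes discussed in this thread, namely domain-only zones (DBL, ZRD) in postscreen_dnsbl_sites and dnsblog results ending in .255 being treated as listings. The function names, the `<key>` placeholder, the sample postscreen_dnsbl_sites value and the third log line are constructed for illustration.

```python
import re

# Zones the reply identifies as domain-name lists, unusable for client-IP lookups.
DOMAIN_ONLY_ZONES = ("dbl", "zrd")

DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<ip>\S+) listed by domain "
    r"(?P<domain>\S+) as (?P<code>\d+\.\d+\.\d+\.\d+)")

def zone_of(host):
    """Return the zone label of '<key>.<zone>.dq.spamhaus.net', else None."""
    m = re.fullmatch(r"(?:[^.]+\.)?([^.]+)\.dq\.spamhaus\.net", host.lower())
    return m.group(1) if m else None

def lint_postscreen_sites(value):
    """Return postscreen_dnsbl_sites entries that point at a domain-only zone."""
    bad = []
    for entry in re.split(r"[,\s]+", value.strip()):
        host = re.split(r"[=*]", entry, maxsplit=1)[0]  # drop =filter and *weight
        if zone_of(host) in DOMAIN_ONLY_ZONES:
            bad.append(entry)
    return bad

def audit_dnsblog(lines):
    """Return (ip, zone, code, problems) for dnsblog hits that are not usable listings."""
    findings = []
    for line in lines:
        m = DNSBLOG_RE.search(line)
        if not m:
            continue
        zone, problems = zone_of(m["domain"]), []
        if zone in DOMAIN_ONLY_ZONES:
            problems.append("domain-only zone queried with a client IP")
        if m["code"].endswith(".255"):
            # Per the reply: a .255 result is not grounds to reject.
            problems.append("last octet 255 is not a listing")
        if problems:
            findings.append((m["ip"], zone, m["code"], problems))
    return findings

# Constructed postscreen_dnsbl_sites value (zen entry and weights are illustrative).
SAMPLE_SITES = ("<key>.zen.dq.spamhaus.net=127.0.0.[2..11]*2, "
                "<key>.dbl.dq.spamhaus.net*2, <key>.zrd.dq.spamhaus.net")
# First two lines are from the thread; the third is constructed.
SAMPLE_LOG = [
    "Mar 09 01:49:12 lan postfix/dnsblog[182936]: addr 45.90.5.195 listed by domain <REDACT>.zrd.dq.spamhaus.net as 127.0.2.255",
    "Mar 09 01:49:12 lan postfix/dnsblog[182937]: addr 45.90.5.195 listed by domain <REDACT>.dbl.dq.spamhaus.net as 127.0.1.255",
    "Mar 09 01:50:00 lan postfix/dnsblog[182938]: addr 192.0.2.10 listed by domain <key>.zen.dq.spamhaus.net as 127.0.0.2",
]

if __name__ == "__main__":
    print(lint_postscreen_sites(SAMPLE_SITES))
    for finding in audit_dnsblog(SAMPLE_LOG):
        print(finding)
```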