On Thu, 16 Jan 2020, Dominic Raferd wrote:
> I recently started using an RBL service where we have a 'private key' and
> this operates very simply by prefixing the key to the RBL address. But I
> just realised that this appears to mean that for any rejections the whole
> address - including the key - is passed back to the offending client. Which
> if true makes a bit of a nonsense of the idea of a 'private' key.
> Is there a way to cut out this private key in the response message? It
> happens both with postscreen and smtpd. Here is a barely-obfuscated example:
> 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
> sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net
For postscreen, add the following in main.cf
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply_postscreen
and for smtpd, also in main.cf:
rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
(choose whatever names you wish for the two files).
Then, for dnsbl_reply_postscreen:
# secret DNSBL name          name in postscreen(8) replies
XXX.zen.dq.spamhaus.net      zen.spamhaus.org
Similarly, for dnsbl_reply_smtpd:
XXX.zen.dq.spamhaus.net=127.0.0.[2..255]    $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
XXX.dbl.dq.spamhaus.net=127.0.1.[2..99]     $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
XXX.zrd.dq.spamhaus.net=127.0.2.[2..24]     $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
(my settings may or may not be suitable for you, so adapt accordingly...
also note I use one or two tabs as separator, probably any whitespace
will do...)
Hope that helps,
Bernardo.
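The following is an added example, not part of the thread and not Postfix code: a small Python simulation of how the two reply maps above keep the secret DNSBL key out of the text sent to a rejected client. It parses texthash-style map files (including whitespace-continued logical lines), renders the smtpd(8) reject text with `$rbl_code`/`$rbl_class`/`$rbl_what` substituted, resolves the postscreen(8) display name, and checks that the rendered reply never contains the secret. The map contents are constructed copies of the entries in the reply, `XXX` stands in for the real key, and the rendering of `$rbl_*` variables is a simplified model of Postfix's behaviour (the default reply text, which does include `$rbl_domain`, is reproduced from the postconf documentation; the `${rbl_reason?...}` suffix is omitted).

```python
"""Check that Postfix reply maps hide a secret DNSBL key (constructed example)."""
import re

SECRET_KEY = "XXX"  # placeholder for the real private DNSBL key

# Constructed copy of the rbl_reply_maps texthash file from the thread.
# texthash rules: a logical line starts with non-whitespace, a line that
# starts with whitespace continues it, blank and '#' lines are ignored.
# The lookup key is the rbl_domain exactly as written in reject_rbl_client.
SMTPD_REPLY_MAP = """
XXX.zen.dq.spamhaus.net=127.0.0.[2..255]    $rbl_code Service unavailable;
    $rbl_class [$rbl_what] blocked
XXX.dbl.dq.spamhaus.net=127.0.1.[2..99]     $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
"""

# Constructed copy of the postscreen_dnsbl_reply_map file from the thread.
POSTSCREEN_REPLY_MAP = """
# secret DNSBL name          name in postscreen(8) replies
XXX.zen.dq.spamhaus.net      zen.spamhaus.org
"""

# Postfix default_rbl_reply without the optional ${rbl_reason?...} part.
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain")


def parse_texthash(text):
    """Parse texthash content into a dict, honouring continuation lines."""
    entries = {}
    logical = []

    def flush():
        if logical:
            key, _, value = " ".join(logical).partition(" ")
            entries[key] = value.strip()

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical.append(raw.strip())      # continuation of previous line
        else:
            flush()
            logical = [" ".join(raw.split())]  # collapse tabs/spaces to one
    flush()
    return entries


def smtpd_reply(rbl_domain, client_ip, reply_map,
                rbl_code="550", rbl_class="Client host"):
    """Render the reject text smtpd(8) would send for a configured rbl_domain.

    Without a map entry the default text names $rbl_domain, which carries
    the secret key; with the map entry the key never reaches the client.
    """
    template = reply_map.get(rbl_domain, DEFAULT_RBL_REPLY)
    plain_domain = rbl_domain.split("=", 1)[0]  # drop the =ip-range filter
    return (template.replace("$rbl_code", rbl_code)
                    .replace("$rbl_class", rbl_class)
                    .replace("$rbl_what", client_ip)
                    .replace("$rbl_domain", plain_domain))


def postscreen_reply_domain(dnsbl_site, reply_map):
    """Name postscreen(8) shows for a postscreen_dnsbl_sites entry.

    The site may carry a '*weight' and '=filter' suffix; the map key is the
    bare domain.
    """
    domain = re.split(r"[*=]", dnsbl_site, maxsplit=1)[0]
    return reply_map.get(domain, domain)


def leaks_secret(reply, secret=SECRET_KEY):
    """True if the client-visible text still contains the private key."""
    return secret in reply


if __name__ == "__main__":
    smtpd_map = parse_texthash(SMTPD_REPLY_MAP)
    ps_map = parse_texthash(POSTSCREEN_REPLY_MAP)
    site = "XXX.zen.dq.spamhaus.net=127.0.0.[2..255]"
    print(smtpd_reply(site, "51.88.120.222", smtpd_map))
    print(smtpd_reply(site, "51.88.120.222", {}))   # unmapped: key leaks
    print(postscreen_reply_domain("XXX.zen.dq.spamhaus.net*2", ps_map))
```

Running it shows the mapped reply (`550 Service unavailable; Client host [51.88.120.222] blocked`) beside the unmapped default, which still ends in `blocked using XXX.zen.dq.spamhaus.net`. The same `leaks_secret` check is a reasonable thing to run against real `postconf -n` output or a captured SMTP session after changing the maps: the lookup key in `rbl_reply_maps` has to match the `reject_rbl_client` argument byte for byte, so a typo in the `=127.0.0.[2..255]` part silently falls back to the default text.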