On 30/05/2021 12:47, Laura Smith wrote:
It is a fairly recent change, perhaps a year ago, that they return the .254 and
.255 codes rather than just ignoring the request, as a hint that you need to fix
your configuration.
Seems the change is dated 11/2/2021
(https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now)
In defence of my earlier comment, I'm a paid Spamhaus customer so I don't use
the public mirrors anyway. ;-)

Hello,

Non-professional (amateur?) postfixer here. May I suggest updating the
http://www.postfix.org/SMTPD_ACCESS_README.html
to reflect the most recent handling of codes by Spamhaus?

While Postfix's reject_rbl_client restriction clearly is documented that
by default any found A record is considered rejected, and as Wietse
pointed out in Message-Id: <4fslfb2xxmzj...@spike.porcupine.org> this is
due to Postfix not implementing provider-specific parsing (note: which
seems sensible to me), the Spamhaus DNSBL Usage FAQ
https://www.spamhaus.org/faq/section/DNSBL%20Usage#200 documents that
certain codes (returned A records) decidedly do not confer reputation
information.

Since the aforementioned SMTPD-ACCESS-README includes an example for
Spamhaus, I think this example should include the provider-specific
settings.

A quick google found this HowTo, which seems somehow associated with the
Spamhaus Project
https://docs.spamhaustech.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html
and which recommends the following reject_rbl_client restriction:
    smtpd_recipient_restrictions =
        ...
        reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
        ...
However, the aforementioned DNSBL Usage FAQ would indicate that any A
record from the 127.0.0.0/24 range should be considered rejected, not
only 2..11. Therefore I propose to update the relevant section in
SMTPD-ACCESS-README as follows (only new version shown):
.. BEGIN
# Spam control: exclude local clients and authenticated clients
# from DNSBL lookups.
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    # reject_unauth_destination is not needed here if the mail
    # relay policy is specified under smtpd_relay_restrictions
    # (available with Postfix 2.10 and later).
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org=127.0.0.[0..255],
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[0..255],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[0..255],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[0..255]
.. END
* Please double-check for any typos.
* I think the example should be sensible for most Postfix users from the
  "newbie" sub-group of users. I am unsure if the ZRD domain list should
  also be queried for this example. If yes, the respective patterns would
  need to change from "=127.0.1.[0..255]" to "=127.0.[12].[0..255]". Faced
  with doubt, I didn't include ZRD (Spamhaus Zero Reputation Domains list).

With best regards,
Max
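
An added example, not part of the original message and not Postfix code: a small Python re-implementation of the `d.d.d.d` reply filter syntax used in the message above, run over constructed sample replies to show which returned A records each of the two filters would treat as a listing. The function names are hypothetical, and the two `127.255.255.x` sample addresses are an assumption about what the ".254 and .255" codes in the quoted text refer to.

```python
import re

# One filter octet: a plain number, or a [] pattern of ';'-separated
# numbers or number..number ranges (the reply filter syntax used above).
OCTET = r"(\d+|\[[\d;.]+\])"
FILTER_RE = re.compile(r"\.".join([OCTET] * 4))

def parse_octet(spec):
    """Expand '127', '[2..11]' or '[2;4..11]' into the set of allowed values."""
    parts = spec[1:-1].split(";") if spec.startswith("[") else [spec]
    allowed = set()
    for part in parts:
        lo, _, hi = part.partition("..")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed

def compile_filter(pattern):
    """Turn a d.d.d.d filter into four sets of allowed octet values."""
    m = FILTER_RE.fullmatch(pattern)
    if not m:
        raise ValueError(f"not a d.d.d.d filter: {pattern!r}")
    return [parse_octet(g) for g in m.groups()]

def matches(pattern, reply):
    """True if the A record `reply` satisfies the filter `pattern`."""
    octets = [int(o) for o in reply.split(".")]
    allowed = compile_filter(pattern)
    return len(octets) == 4 and all(o in a for o, a in zip(octets, allowed))

def listed_by(pattern, replies):
    """Subset of `replies` that the filter would treat as a listing."""
    return [r for r in replies if matches(pattern, r)]

# Constructed sample replies: four listing codes inside 127.0.0.[2..11], plus
# two addresses assumed to be the ".254 and .255" codes from the quoted text.
SAMPLE_REPLIES = ["127.0.0.2", "127.0.0.4", "127.0.0.10", "127.0.0.11",
                  "127.255.255.254", "127.255.255.255"]
HOWTO_FILTER = "127.0.0.[2..11]"      # from the HowTo quoted in the message
PROPOSED_FILTER = "127.0.0.[0..255]"  # from the proposed README text

if __name__ == "__main__":
    for flt in (HOWTO_FILTER, PROPOSED_FILTER):
        print(flt, "->", listed_by(flt, SAMPLE_REPLIES))
```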