Hi, I'm still struggling with this, and now wondering if it's even a problem. Are dnsblog entries like this supposed to be mapped, or just the rejection that the client sees?
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4

Thanks,
Alex

On Sat, Dec 10, 2022 at 8:24 PM Alex <mysqlstud...@gmail.com> wrote:

> Hi, I hoped someone could help me clear up some confusion. I
> understand postscreen_dnsbl_reply_map is for postscreen_dnsbl_sites, but I
> have dnsblog entries revealing my spamhaus key from entries in the
> postscreen_dnsbl_sites section, not smtpd_recipient_restrictions.
>
> postscreen_dnsbl_sites =
>     mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
>     ...
>
> postscreen_dnsbl_reply_map =
>     texthash:/etc/postfix/postscreen_dnsbl_reply_map
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> rbl_reply_maps = hash:/etc/postfix/dnsbl_reply_map
>
> /etc/postfix/postscreen_dnsbl_reply_map:
> mykey.zen.dq.spamhaus.net       DNS Blocklist (spamhaus)
>
> I've also tried including variations, including these:
> mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8       DNS Blocklist (spamhaus8)
> mykey.zen.dq.spamhaus.net=127.0.0.[10;11]       DNS Blocklist (spamhaus8)
>
> Entries in my logs appear like:
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
>
> I've even commented out all the spamhaus entries in
> smtpd_recipient_restrictions to be sure it wasn't coming from there. There
> are also postscreen entries which appear to be mapping the key properly:
>
> Dec 10 20:12:42 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [89.155.61.127]:40377: 550 5.7.1 Service unavailable; client [89.155.61.127] blocked using DNS Blocklist (spamhaus); from=<hina.s...@example.com>, to=<hina.s...@example.com>, proto=ESMTP, helo=<a89-155-61-127.cpe.netcabo.pt>
>
> It seems like for every postscreen entry that is mapped, there is also at
> least one dnsblog entry that is not properly mapped.
>
> I'm assuming it's okay to use DNSBLs in both postscreen and recipient
> restrictions because recipient restrictions is able to check other things
> not available to postscreen at that time, correct?
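
A log check for the distinction the question draws, as an added example that is not part of the original message: it separates lines where the keyed DNSBL domain appears in the SMTP reply text recorded in a reject line (what the client is sent) from lines where it appears only in the local log. It assumes that `dnsblog` lines are written only to the local syslog and that the text after "blocked using" in a reject line is the reply text; the sample lines are constructed from the ones quoted above, and the last one is invented to show an unmapped reply.

```python
import re

# Constructed sample log, modelled on the lines quoted in the message.
# The final line is invented: it shows a reject whose reply was NOT mapped.
SAMPLE_LOG = """\
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
Dec 10 20:12:42 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [89.155.61.127]:40377: 550 5.7.1 Service unavailable; client [89.155.61.127] blocked using DNS Blocklist (spamhaus); from=<a@example.com>, to=<b@example.com>, proto=ESMTP, helo=<host.example.net>
Dec 10 20:13:01 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [192.0.2.7]:40111: 550 5.7.1 Service unavailable; client [192.0.2.7] blocked using mykey.zen.dq.spamhaus.net; from=<a@example.com>, to=<b@example.com>, proto=ESMTP, helo=<host.example.net>
"""

# Daemon name and message body of a Postfix syslog line.
LINE_RE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<msg>.*)$")
# The DNSBL name as it appears in the reply text of a reject line.
REPLY_RE = re.compile(r"reject: .*? blocked using (?P<name>[^;]+);")


def audit(log_text, keyed_domain):
    """Split lines mentioning keyed_domain into (client_visible, local_only)."""
    client_visible, local_only = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or keyed_domain not in m["msg"]:
            continue  # line does not mention the keyed domain at all
        reply = REPLY_RE.search(m["msg"])
        in_reply = (
            m["daemon"] in ("postscreen", "smtpd")
            and reply is not None
            and keyed_domain in reply["name"]
        )
        (client_visible if in_reply else local_only).append(line)
    return client_visible, local_only


if __name__ == "__main__":
    leaks, local = audit(SAMPLE_LOG, "mykey.zen.dq.spamhaus.net")
    print(f"{len(leaks)} reject reply line(s) contain the keyed domain")
    print(f"{len(local)} local-only log line(s) contain the keyed domain")
```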