Hiding Spamhaus key from replies

Bernardo Reino
Hello,

I currently use postscreen with postscreen_dbl_sites pointing to my
instance of spamhaus.net. With postscreen_dnsbl_reply_map I hide the
secret key from the server responses.

Now, I also have/had "reject_rbl_client zen.spamhaus.org" as part of my
smtpd_recipient_restrictions. I want to change that to use my secret key,
but I can't seem to find a way to map the server name to something else
(to hide the key).

I've read about default_rbl_reply, and I believe that what I need is
rbl_reply_maps but -- at least as of now -- I can't seem to be able to
make sense of it :-?

How can I configure postfix to do like postscreen_dnsbl_reply_map but for
smtpd?

Thanks in advance!

Re: Hiding Spamhaus key from replies

Merrick
hello

On 2019/11/18 3:42 PM, Bernardo Reino wrote:
> How can I configure postfix to do like postscreen_dnsbl_reply_map but
> for smtpd?

can spamassassin do that as well?

regards.

Re: Hiding Spamhaus key from replies

Bernardo Reino
On Mon, 18 Nov 2019, Merrick wrote:

> hello
>
> On 2019/11/18 3:42 PM, Bernardo Reino wrote:
>> How can I configure postfix to do like postscreen_dnsbl_reply_map but for
>> smtpd?
>
> can spamassassin do that as well?

I don't know, that was not my question :)

(I use rspamd for spam filtering, where I also intend to use the various
Spamhaus lists, but this is another topic, and for another mailing list :)

Cheers.

Re: Hiding Spamhaus key from replies

Matus UHLAR - fantomas
In reply to this post by Bernardo Reino
On 18.11.19 08:42, Bernardo Reino wrote:

>I currently use postscreen with postscreen_dbl_sites pointing to my
>instance of spamhaus.net. With postscreen_dnsbl_reply_map I hide the
>secret key from the server responses.
>
>Now, I also have/had "reject_rbl_client zen.spamhaus.org" as part of my
>smtpd_recipient_restrictions. I want to change that to use my secret
>key, but I can't seem to find a way to map the server name to
>something else (to hide the key).
>
>I've read about default_rbl_reply, and I believe that what I need is
>rbl_reply_maps but -- at least as of now -- I can't seem to be able to
>make sense of it :-?
>
>How can I configure postfix to do like postscreen_dnsbl_reply_map but
>for smtpd?

What's the point of using spamhaus in smtpd_recipient_restrictions
when you have already done so in postscreen?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.

Re: Hiding Spamhaus key from replies

Bernardo Reino
On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:

> On 18.11.19 08:42, Bernardo Reino wrote:
>> I currently use postscreen with postscreen_dbl_sites pointing to my
>> instance of spamhaus.net. With postscreen_dnsbl_reply_map I hide the secret
>> key from the server responses.
>>
>> Now, I also have/had "reject_rbl_client zen.spamhaus.org" as part of my
>> smtpd_recipient_restrictions. I want to change that to use my secret key,
>> but I can't seem to find a way to map the server name to something else (to
>> hide the key).
>>
>> I've read about default_rbl_reply, and I believe that what I need is
>> rbl_reply_maps but -- at least as of now -- I can't seem to be able to make
>> sense of it :-?
>>
>> How can I configure postfix to do like postscreen_dnsbl_reply_map but for
>> smtpd?
>
> What's the point of using spamhaus in smtpd_recipient_restrictions
> when you have already done so in postscreen?

My plan is/was to use only one blacklist (zen, IP-based) during postscreen
but then have the option of using other blacklists (dbl, zrd) at smtpd
time.

Even if at some point I will only leave the postscreen filter active, I
wanted to nevertheless know how I would use it during smtpd.

I have now done it with:
rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd

where that file has lines like:
$KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked

where $KEY is my key, and the LHS of that line is exactly as it looks in
reject_rhsbl_reverse_client (to give an example).

Seems to work (meaning: postfix hasn't complained, and I continue to
receive mail :), but given the little traffic I have I wanted an "offline
verification" that this is the right way to do this.

Hence my question.
Thanks.


Re: Hiding Spamhaus key from replies

Matus UHLAR - fantomas
>>On 18.11.19 08:42, Bernardo Reino wrote:
>>>I currently use postscreen with postscreen_dbl_sites pointing to
>>>my instance of spamhaus.net. With postscreen_dnsbl_reply_map I
>>>hide the secret key from the server responses.
>>>
>>>Now, I also have/had "reject_rbl_client zen.spamhaus.org" as part
>>>of my smtpd_recipient_restrictions. I want to change that to use
>>>my secret key, but I can't seem to find a way to map the server
>>>name to something else (to hide the key).

>On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:
>>What's the point of using spamhaus in smtpd_recipient_restrictions
>>when you have already done so in postscreen?

On 18.11.19 10:12, Bernardo Reino wrote:
>My plan is/was to use only one blacklist (zen, IP-based) during
>postscreen but then have the option of using other blacklists (dbl,
>zrd) at smtpd time.

I moved all blacklist filtering from smtpd to postscreen, because postscreen
can weigh blacklists, so I considered it more safe.

e.g. if something is whitelisted in dnswl, and blacklisted in zen, it's
allowed, but if it's blacklisted in zen and in other BL, it's denied even if
in dnswl...

Thus I avoid many false-positives.

Now I only run rhsbl checks in smtpd (postscreen can't do that).

>Even if at some point I will only leave the postscreen filter active,
>I wanted to nevertheless know how I would use it during smtpd.

I recommend moving dnsbls to postscreen and keep them off smtpd.

>I have now done it with:
>rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
>
>where that file has lines like:
>$KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
>
>where $KEY is my key, and the LHS of that line is exactly as it looks
>in reject_rhsbl_reverse_client (to give an example).
>
>Seems to work (meaning: postfix hasn't complained, and I continue to
>receive mail :), but given the little traffic I have I wanted an
>"offline verification" that this is the right way to do this.

I think key should be separated from value by tab, not '='.
anything in the logs yet?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.

Re: Hiding Spamhaus key from replies

Bernardo Reino
On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:

> On 18.11.19 10:12, Bernardo Reino wrote:
>> My plan is/was to use only one blacklist (zen, IP-based) during postscreen
>> but then have the option of using other blacklists (dbl, zrd) at smtpd
>> time.
>
> I moved all blacklist filtering from smtpd to postscreen, because postscreen
> can weigh blacklists, so I considered it more safe.
>
> e.g. if something is whitelisted in dnswl, and blacklisted in zen, it's
> allowed, but if it's blacklisted in zen and in other BL, it's denied even if
> in dnswl...
>
> Thus I avoid many false-positives.
>
> Now I only run rhsbl checks in smtpd (postscreen can't do that).

My plan is also to use ip-based bl[ao]cklists with postscreen, and RHSBL
in smtpd, once I know things are working OK (but I'm 99% sure this is the case
:)

>> I have now done it with:
>> rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
>>
>> where that file has lines like:
>> $KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
>>
>> where $KEY is my key, and the LHS of that line is exactly as it looks in
>> reject_rhsbl_reverse_client (to give an example).
>>
>> Seems to work (meaning: postfix hasn't complained, and I continue to
>> receive mail :), but given the little traffic I have I wanted an "offline
>> verification" that this is the right way to do this.
>
> I think key should be separated from value by tab, not '='.
> anything in the logs yet?

The "=" is part of the blacklist definition, i.e.

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_rbl_client $KEY.zen.dq.spamhaus.net=127.0.0.[2..255],
  check_client_access pcre:/etc/postfix/client_access.pcre

(I'm aware that this, which is what I currently have in main.cf, doesn't
match with the example I quoted above of my reply map, which contains
other entries (dbl, zrd) in case I add them to my recipient restrictions
later).

AFAIK the domain, including (if present) the IP regex should be present on
the left hand side of the rbl_reply_maps.

Cheers and thanks again for your reply.

Re: Hiding Spamhaus key from replies

Bernardo Reino
> On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:
>
>> anything in the logs yet?

I just got a hit, and it worked as expected :)

Nov 18 11:47:17 regenbogen postfix/smtpd[17564]: NOQUEUE: \
reject: RCPT from 71-10-166-63.dhcp.stls.mo.charter.com[71.10.166.63]: \
554 5.7.1 Service unavailable; Client host [71.10.166.63] blocked; \
from=<[hidden email]> to=<[hidden email]> proto=ESMTP \
helo=<efa4.home.lucasit.com>

(Oddly enough, it was apparently a DMARC report, but the server is indeed
blacklisted in zen.spamhaus.net)

Thanks for your input Matus!
I guess my issue is solved :)
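
An offline check for the setup discussed in this thread, as an added example that is not part of the original messages: it confirms that every key-bearing DNSBL argument in the smtpd restrictions has an exact-match entry in the rbl_reply_maps file and that the reply template cannot echo the key. DQSKEY and the sample restrictions and map contents are constructed, and the exact-match rule (domain plus "=filter" on the left-hand side) is the one Bernardo describes above.

```python
import re

# Constructed sample input; DQSKEY is a placeholder, not a real key.
KEY = "DQSKEY"
RESTRICTIONS = """\
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_rbl_client DQSKEY.zen.dq.spamhaus.net=127.0.0.[2..255],
  reject_rhsbl_reverse_client DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
"""
REPLY_MAP = """\
# texthash: lookup key, whitespace, reply template
DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
DQSKEY.zen.dq.spamhaus.net=127.0.0.[2..11] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
"""

def keyed_lists(restrictions, key):
    """DNSBL arguments (domain plus optional =filter) that embed the key."""
    found = re.findall(r"\breject_r(?:hs)?bl_\w+\s+([^\s,]+)", restrictions)
    return [arg for arg in found if key in arg]

def parse_texthash(text):
    """Postfix texthash format: 'key whitespace value', '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table

def audit(restrictions, reply_map, key):
    """Return findings; an empty list means no keyed list can leak the key."""
    table = parse_texthash(reply_map)
    findings = []
    for arg in keyed_lists(restrictions, key):
        shown = arg.replace(key, "<key>")  # never print the key itself
        template = table.get(arg)
        if template is None:
            # The stock default_rbl_reply ends in "blocked using $rbl_domain".
            findings.append(f"{shown}: no exact-match entry, default_rbl_reply applies")
        elif re.search(r"\$\{?rbl_domain", template) or key in template:
            findings.append(f"{shown}: reply template exposes the key")
    return findings

if __name__ == "__main__":
    for finding in audit(RESTRICTIONS, REPLY_MAP, KEY):
        print(finding)
```

In the constructed sample the zen entry is reported because its filter in the map ([2..11]) differs from the one in the restriction ([2..255]), so the lookup would miss and the default reply would be used.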

Re: Hiding Spamhaus key from replies

Benny Pedersen-2
In reply to this post by Merrick
Merrick wrote on 2019-11-18 08:48:
> On 2019/11/18 3:42 PM, Bernardo Reino wrote:
>> How can I configure postfix to do like postscreen_dnsbl_reply_map but
>> for smtpd?
> can spamassassin do that as well?

https://github.com/spamhaus/spamassassin-dqs/blob/master/sh.cf

with meta it's solved, but it's really not possible in spamassassin yet to
hide sensitive info

Re: Hiding Spamhaus key from replies

Benny Pedersen-2
In reply to this post by Bernardo Reino
Bernardo Reino wrote on 2019-11-18 10:12:
> I have now done it with:
> rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
>
> where that file has lines like:
> $KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
>
> where $KEY is my key, and the LHS of that line is exactly as it looks
> in reject_rhsbl_reverse_client (to give an example).

add it to github ?

> Seems to work (meaning: postfix hasn't complained, and I continue to
> receive mail :), but given the little traffic I have I wanted an
> "offline verification" that this is the right way to do this.

it's still postfix postscreen that logs dnsbllog with key; it could be
mapped before syslog so postfix-logwatch does not reveal keys

Re: Hiding Spamhaus key from replies

Bernardo Reino
On Mon, 18 Nov 2019, Benny Pedersen wrote:

> Bernardo Reino wrote on 2019-11-18 10:12:
>> I have now done it with:
>> rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
>>
>> where that file has lines like:
>> $KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
>>
>> where $KEY is my key, and the LHS of that line is exactly as it looks
>> in reject_rhsbl_reverse_client (to give an example).
>
> add it to github ?

Of postfix? :)

(If you mean of spamassassin-dqs, I'm not using it. I do use rspamd-dqs --
see below -- but there would still be nothing to add to that project, as
my question is/was about postfix configuration).

>> Seems to work (meaning: postfix hasn't complained, and I continue to
>> receive mail :), but given the little traffic I have I wanted an
>> "offline verification" that this is the right way to do this.
>
> it's still postfix postscreen that logs dnsbllog with key; it could be mapped
> before syslog so postfix-logwatch does not reveal keys

I had the masking/censoring of the key already implemented for postscreen,
using postscreen_dnsbl_reply_map.

My question was about doing the same with smtpd, i.e. if postscreen (for
whatever reason) hasn't rejected the attempt.

I also have spamhaus filtering with rspamd (so postscreen -> smtpd ->
rspamd), so that even if both postscreen *and* smtpd do not reject the
message (again, for whatever reason, e.g. misconfiguration), rspamd will
deal with it (according to scoring rules, etc.)

Logging (and logwatch) is not an issue, as I actually want to be able to
see (for whatever reason) which blacklist was triggered and which response
it gave, but thanks for the idea, which I'll keep in mind, of filtering it
out with rsyslog if/as necessary.

Cheers.