Remove part of rbl name from response to blocked client


Dominic Raferd
I recently started using an RBL service where we have a 'private key' and this operates very simply by prefixing the key to the RBL address. But I just realised that this appears to mean that for any rejections the whole address - including the key - is passed back to the offending client. Which if true makes a bit of a nonsense of the idea of a 'private' key.

Is there a way to cut out this private key in the response message? It happens both with postscreen and smtpd. Here is a barely-obfuscated example:

550 5.7.1 Service unavailable; client [51.88.120.222] blocked using sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

Re: Remove part of rbl name from response to blocked client

Christian Kivalo


On 2020-01-16 09:47, Dominic Raferd wrote:
> I recently started using an RBL service where we have a 'private key'
> and this operates very simply by prefixing the key to the RBL address.
> But I just realised that this appears to mean that for any rejections
> the whole address - including the key - is passed back to the
> offending client. Which if true makes a bit of a nonsense of the idea
> of a 'private' key.
>
rbl_reply_maps and default_rbl_reply_maps is probably what you are
looking for
http://www.postfix.org/postconf.5.html#rbl_reply_maps
http://www.postfix.org/postconf.5.html#default_rbl_reply

and for postscreen there is
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map

> Is there a way to cut out this private key in the response message? It
> happens both with postscreen and smtpd. Here is a barely-obfuscated
> example:
>
> 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
> sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net [1]
>
> Links:
> ------
> [1] http://sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

--
  Christian Kivalo

Re: Remove part of rbl name from response to blocked client

Nick-5
In reply to this post by Dominic Raferd
On 2020-01-16 08:48 GMT, Dominic Raferd wrote:
> Is there a way to cut out this private key in the response message? It
> happens both with postscreen and smtpd. Here is a barely-obfuscated example:
>
> 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
> sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

Haven't used it myself but
<http://www.postfix.org/POSTSCREEN_README.html#config> part 7 should help?
--
Nick

Re: Remove part of rbl name from response to blocked client

Dominic Raferd
In reply to this post by Christian Kivalo


On Thu, 16 Jan 2020 at 09:13, Christian Kivalo <[hidden email]> wrote:
>
> On 2020-01-16 09:47, Dominic Raferd wrote:
> > I recently started using an RBL service where we have a 'private key'
> > and this operates very simply by prefixing the key to the RBL address.
> > But I just realised that this appears to mean that for any rejections
> > the whole address - including the key - is passed back to the
> > offending client. Which if true makes a bit of a nonsense of the idea
> > of a 'private' key.
> >
> rbl_reply_maps and default_rbl_reply_maps is probably what you are
> looking for
> http://www.postfix.org/postconf.5.html#rbl_reply_maps
> http://www.postfix.org/postconf.5.html#default_rbl_reply
>
> and for postscreen there is
> http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map
>
> > Is there a way to cut out this private key in the response message? It
> > happens both with postscreen and smtpd. Here is a barely-obfuscated
> > example:
> >
> > 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
> > sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net [1]
> >
> > Links:
> > ------
> > [1] http://sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

Thanks Christian that was very helpful. I have it working now for postscreen and I think (but am waiting for an incoming instance) for smtpd. Weird that they have such different approaches (postscreen_dnsbl_reply_map and rbl_reply_maps). And I could not find a way to use pcre with rbl_reply_maps because it throws a warning if I reference any variables such as $rbl_code - but such variables do seem to work in a hash file.

Re: Remove part of rbl name from response to blocked client

Wietse Venema
Dominic Raferd:
> Thanks Christian that was very helpful. I have it working now for
> postscreen and I think (but am waiting for an incoming instance) for
> smtpd. Weird
> that they have such different approaches (postscreen_dnsbl_reply_map and
> rbl_reply_maps). And I could not find a way to use pcre with rbl_reply_maps
> because it throws a warning if I reference any variables such as $rbl_code
> - but such variables do seem to work in a hash file.

Use $$name instead of $name.

As documented:

TEXT SUBSTITUTION
       Substitution of substrings (text that  matches  patterns  inside  "()")
       from  the  matched  expression into the result string is requested with
       $1, $2, etc.; specify $$ to produce  a  $  character  as  output.   The
       macros  in  the result string may need to be written as ${n} or $(n) if
       they aren't followed by whitespace.

        Wietse

Re: Remove part of rbl name from response to blocked client

Dominic Raferd


On Thu, 16 Jan 2020 at 14:34, Wietse Venema <[hidden email]> wrote:
> Dominic Raferd:
> > Thanks Christian that was very helpful. I have it working now for
> > postscreen and I think (but am waiting for an incoming instance) for
> > smtpd. Weird
> > that they have such different approaches (postscreen_dnsbl_reply_map and
> > rbl_reply_maps). And I could not find a way to use pcre with rbl_reply_maps
> > because it throws a warning if I reference any variables such as $rbl_code
> > - but such variables do seem to work in a hash file.
>
> Use $$name instead of $name.
>
> As documented:
>
> TEXT SUBSTITUTION
>        Substitution of substrings (text that  matches  patterns  inside  "()")
>        from  the  matched  expression into the result string is requested with
>        $1, $2, etc.; specify $$ to produce  a  $  character  as  output.   The
>        macros  in  the result string may need to be written as ${n} or $(n) if
>        they aren't followed by whitespace.

Thanks Wietse. I had read that but I interpreted the text 'specify $$ to produce a $ character as output' as meaning that $$ would produce a hard-coded dollar sign, not a sign that could then be re-interpreted as the start of a variable. Perhaps the text could clarify this?

Re: Remove part of rbl name from response to blocked client

Wietse Venema
Dominic Raferd:

> On Thu, 16 Jan 2020 at 14:34, Wietse Venema <[hidden email]> wrote:
>
> > Dominic Raferd:
> > > Thanks Christian that was very helpful. I have it working now for
> > > postscreen and I think (but am waiting for an incoming instance) for
> > > smtpd. Weird
> > > that they have such different approaches (postscreen_dnsbl_reply_map and
> > > rbl_reply_maps). And I could not find a way to use pcre with
> > rbl_reply_maps
> > > because it throws a warning if I reference any variables such as
> > $rbl_code
> > > - but such variables do seem to work in a hash file.
> >
> > Use $$name instead of $name.
> >
> > As documented:
> >
> > TEXT SUBSTITUTION
> >        Substitution of substrings (text that  matches  patterns  inside
> > "()")
> >        from  the  matched  expression into the result string is requested
> > with
> >        $1, $2, etc.; specify $$ to produce  a  $  character  as  output.
> >  The
> >        macros  in  the result string may need to be written as ${n} or
> > $(n) if
> >        they aren't followed by whitespace.
> >
>
> Thanks Wietse. I had read that but I interpreted the text 'specify $$ to
> produce a $ character as output' as meaning that $$ would produce a
> hard-coded dollar sign, not a sign that could then be re-interpreted as the
> start of a variable. Perhaps the text could clarify this?

Oh ye of little faith. You can test my suggestion with the postmap command.

postmap -q 'search string here' pcre:/path/to/file

        Wietse



Re: Remove part of rbl name from response to blocked client

Dominic Raferd


On Thu, 16 Jan 2020 at 15:37, Wietse Venema <[hidden email]> wrote:
> Dominic Raferd:
> > On Thu, 16 Jan 2020 at 14:34, Wietse Venema <[hidden email]> wrote:
> >
> > > Dominic Raferd:
> > > > Thanks Christian that was very helpful. I have it working now for
> > > > postscreen and I think (but am waiting for an incoming instance) for
> > > > smtpd. Weird
> > > > that they have such different approaches (postscreen_dnsbl_reply_map and
> > > > rbl_reply_maps). And I could not find a way to use pcre with
> > > rbl_reply_maps
> > > > because it throws a warning if I reference any variables such as
> > > $rbl_code
> > > > - but such variables do seem to work in a hash file.
> > >
> > > Use $$name instead of $name.
> > >
> > > As documented:
> > >
> > > TEXT SUBSTITUTION
> > >        Substitution of substrings (text that  matches  patterns  inside
> > > "()")
> > >        from  the  matched  expression into the result string is requested
> > > with
> > >        $1, $2, etc.; specify $$ to produce  a  $  character  as  output.
> > >  The
> > >        macros  in  the result string may need to be written as ${n} or
> > > $(n) if
> > >        they aren't followed by whitespace.
> > >
> >
> > Thanks Wietse. I had read that but I interpreted the text 'specify $$ to
> > produce a $ character as output' as meaning that $$ would produce a
> > hard-coded dollar sign, not a sign that could then be re-interpreted as the
> > start of a variable. Perhaps the text could clarify this?
>
> Oh ye of little faith. You can test my suggestion with the postmap command.
>
> postmap -q 'search string here' pcre:/path/to/file

Before I saw through a glass darkly. Now I'm a believer.

Re: Remove part of rbl name from response to blocked client

Bernardo Reino
In reply to this post by Dominic Raferd
On Thu, 16 Jan 2020, Dominic Raferd wrote:

> I recently started using an RBL service where we have a 'private key' and
> this operates very simply by prefixing the key to the RBL address. But I
> just realised that this appears to mean that for any rejections the whole
> address - including the key - is passed back to the offending client. Which
> if true makes a bit of a nonsense of the idea of a 'private' key.
>
> Is there a way to cut out this private key in the response message? It
> happens both with postscreen and smtpd. Here is a barely-obfuscated example:
>
> 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
> sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

For postscreen, add the following in main.cf
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply_postscreen

and for smtpd, also in main.cf:
rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd

(choose whatever names you wish for the two files).

Then, for dnsbl_reply_postscreen:
# secret DNSBL name                      name in postscreen(8) replies
XXX.zen.dq.spamhaus.net                  zen.spamhaus.org

Similarly, for dnsbl_reply_smtpd:
XXX.zen.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
XXX.dbl.dq.spamhaus.net=127.0.1.[2..99]  $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
XXX.zrd.dq.spamhaus.net=127.0.2.[2..24]  $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked

(my settings may or may not be suitable for you, so adapt accordingly..
also note I use one or two tabs as separator, probably any whitespace
will do..)

Hope that helps,
Bernardo.
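
The two-step expansion discussed in this thread, as an added example that is not part of any post and is not Postfix code: a simplified Python model of the pcre table substitution followed by smtpd's `$rbl_*` template expansion, showing why `$$rbl_code` is needed in a pcre `rbl_reply_maps` file and checking that the rendered reply no longer contains the key. The key, client address, pattern, template and attribute values are constructed, and conditional forms such as `${name?text}` are not modelled.

```python
import re

KEY = "examplekey0000"  # constructed placeholder, not a real DQS key
# Constructed pcre rule for rbl_reply_maps: pattern, then reply template.
PATTERN = r"^[a-z0-9]+\.(zen\.dq\.spamhaus\.net)"
TEMPLATE = "$$rbl_code Service unavailable; $$rbl_class [$$rbl_what] blocked using $1"

_TOKEN = re.compile(r"\$\$|\$\{(\w+)\}|\$\((\w+)\)|\$(\w+)")

def pcre_result(pattern, template, query):
    """Pass 1 (model of pcre table text substitution):
    $$ -> literal $, $n / ${n} / $(n) -> captured substring."""
    m = re.search(pattern, query)
    if m is None:
        return None
    def sub(tok):
        if tok.group(0) == "$$":
            return "$"
        name = next(g for g in tok.groups() if g is not None)
        if not name.isdigit():
            # The thread reports a warning for $rbl_code here; modelled as an error.
            raise ValueError(f"non-numeric macro ${name} in pcre result")
        return m.group(int(name))
    return _TOKEN.sub(sub, template)

def smtpd_expand(template, attrs):
    """Pass 2 (model of smtpd reply-template expansion): $name / ${name} -> value."""
    return re.sub(r"\$\{?(\w+)\}?", lambda t: attrs[t.group(1)], template)

def render(rbl_name, client_ip):
    """Reply text a blocked client would see for this DNSBL name."""
    attrs = {"rbl_code": "550", "rbl_class": "client", "rbl_what": client_ip}
    return smtpd_expand(pcre_result(PATTERN, TEMPLATE, rbl_name), attrs)

def leaks_key(reply):
    """True if the private key survives into the client-visible reply."""
    return KEY in reply

if __name__ == "__main__":
    reply = render(f"{KEY}.zen.dq.spamhaus.net", "192.0.2.10")
    print(reply)
    print("key leaked:", leaks_key(reply))
```

On a real system the first pass is what `postmap -q` against the pcre file shows, as suggested earlier in the thread.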