diff --git a/.gitignore b/.gitignore
index 0169c439..3595ecb1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,6 +37,7 @@ data/conf/postfix/sni.map
 data/conf/postfix/sni.map.db
 data/conf/postfix/sql
 data/conf/postfix/dns_blocklists.cf
+data/conf/postfix/dnsbl_reply.map
 data/conf/rspamd/custom/*
 data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index fb408ce9..f981bff6 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -393,60 +393,103 @@ query = SELECT goto FROM spamalias AND validity >= UNIX_TIMESTAMP() EOF -echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m" -if [ -n "$SPAMHAUS_DQS_KEY" ]; then - echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m" - echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m" - cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using Spamhaus DQS lists +if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then + cat < /opt/postfix/conf/dns_blocklists.cf +# This file can be edited. +# Delete this file and restart postfix container to revert any changes. +postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2 + hostkarma.junkemailfilter.com=127.0.0.1*-2 + list.dnswl.org=127.0.[0..255].0*-2 + list.dnswl.org=127.0.[0..255].1*-4 + list.dnswl.org=127.0.[0..255].2*-6 + list.dnswl.org=127.0.[0..255].3*-8 + ix.dnsbl.manitu.net*2 + bl.spamcop.net*2 + bl.suomispam.net*2 + hostkarma.junkemailfilter.com=127.0.0.2*3 + hostkarma.junkemailfilter.com=127.0.0.4*2 + hostkarma.junkemailfilter.com=127.0.1.2*1 + backscatter.spameatingmonkey.net*2 + bl.ipv6.spameatingmonkey.net*2 + bl.spameatingmonkey.net*2 + b.barracudacentral.org=127.0.0.2*7 + bl.mailspike.net=127.0.0.2*5 + bl.mailspike.net=127.0.0.[10;11;12]*4 + dnsbl.sorbs.net=127.0.0.10*8 + dnsbl.sorbs.net=127.0.0.5*6 + dnsbl.sorbs.net=127.0.0.7*3 + dnsbl.sorbs.net=127.0.0.8*2 + dnsbl.sorbs.net=127.0.0.6*2 + dnsbl.sorbs.net=127.0.0.9*2 +EOF +fi +DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S') + +if [ ! 
-z "$DNSBL_CONFIG" ]; then + echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m" + if [ -n "$SPAMHAUS_DQS_KEY" ]; then + echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m" + echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m" + SPAMHAUS_DNSBL_CONFIG=$(cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using no Spamhaus DNSBL + cat < /opt/postfix/conf/dnsbl_reply.map +# Autogenerated by mailcow, using Spamhaus DQS reply domains +${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net sbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net xbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net pbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net zen.spamhaus.org +${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net dbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net zrd.spamhaus.org EOF - elif [ "$response" -eq 200 ]; then - echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m" - echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m" - cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using public spamhaus lists + ) + else + if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then + rm /opt/postfix/conf/dnsbl_reply.map + fi + response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email") + if [ "$response" -eq 503 ]; then + echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m" + echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m" + SPAMHAUS_DNSBL_CONFIG="" + elif [ "$response" -eq 200 ]; then + echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m" + echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m" + SPAMHAUS_DNSBL_CONFIG=$(cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using no Spamhaus DNSBL -EOF + else + echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) 
Response Code: $response\e[0m" + echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m" + SPAMHAUS_DNSBL_CONFIG="" + fi fi fi -sed -i '/User overrides/q' /opt/postfix/conf/main.cf +# Reset main.cf +sed -i '/Overrides/q' /opt/postfix/conf/main.cf echo >> /opt/postfix/conf/main.cf +# Append postscreen dnsbl sites to main.cf +if [ ! -z "$DNSBL_CONFIG" ]; then + echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf +fi +# Append user overrides +echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf touch /opt/postfix/conf/extra.cf sed -i '/myhostname/d' /opt/postfix/conf/extra.cf echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf - cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf -# Append postscreen dnsbl sites to main.cf -cat /opt/postfix/conf/dns_blocklists.cf >> /opt/postfix/conf/main.cf -cat /tmp/spamhaus.cf >> /opt/postfix/conf/main.cf - if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then echo "Creating dummy custom_transport.pcre" touch /opt/postfix/conf/custom_transport.pcre diff --git a/data/conf/postfix/dns_blocklists.cf b/data/conf/postfix/dns_blocklists.cf deleted file mode 100644 index 9fc9e70f..00000000 --- a/data/conf/postfix/dns_blocklists.cf +++ /dev/null 
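Review bot: The map holding `SPAMHAUS_DQS_KEY` at `/opt/postfix/conf/dnsbl_reply.map` is only removed in the `else` branch nested inside `if [ ! -z "$DNSBL_CONFIG" ]`, so when an admin empties `dns_blocklists.cf` to switch DNSBLs off, that whole block is skipped and a stale file containing the key stays on disk. Running `rm -f /opt/postfix/conf/dnsbl_reply.map` ahead of the outer `if` would cover every path, since the DQS branch recreates the file anyway. Separately, the append to main.cf uses `echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}"`, which interprets backslash sequences in the user-editable blocklist file; `printf '%s\n%s\n' "$DNSBL_CONFIG" "$SPAMHAUS_DNSBL_CONFIG" >> /opt/postfix/conf/main.cf` writes the content literally. The heredoc bodies appear cut short in this view of the hunk, so whether main.cf actually points `postscreen_dnsbl_reply_map` at the new file (so the key is not echoed in SMTP rejections) cannot be confirmed from here.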
@@ -1,25 +0,0 @@ -# Content loaded from dns_blocklists.cf, edit only if really necessary! -postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2 - hostkarma.junkemailfilter.com=127.0.0.1*-2 - list.dnswl.org=127.0.[0..255].0*-2 - list.dnswl.org=127.0.[0..255].1*-4 - list.dnswl.org=127.0.[0..255].2*-6 - list.dnswl.org=127.0.[0..255].3*-8 - ix.dnsbl.manitu.net*2 - bl.spamcop.net*2 - bl.suomispam.net*2 - hostkarma.junkemailfilter.com=127.0.0.2*3 - hostkarma.junkemailfilter.com=127.0.0.4*2 - hostkarma.junkemailfilter.com=127.0.1.2*1 - backscatter.spameatingmonkey.net*2 - bl.ipv6.spameatingmonkey.net*2 - bl.spameatingmonkey.net*2 - b.barracudacentral.org=127.0.0.2*7 - bl.mailspike.net=127.0.0.2*5 - bl.mailspike.net=127.0.0.[10;11;12]*4 - dnsbl.sorbs.net=127.0.0.10*8 - dnsbl.sorbs.net=127.0.0.5*6 - dnsbl.sorbs.net=127.0.0.7*3 - dnsbl.sorbs.net=127.0.0.8*2 - dnsbl.sorbs.net=127.0.0.6*2 - dnsbl.sorbs.net=127.0.0.9*2 diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf index a5751c65..237b4263 100644 --- a/data/conf/postfix/main.cf +++ b/data/conf/postfix/main.cf @@ -169,4 +169,4 @@ smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients # DO NOT EDIT ANYTHING BELOW # -# User overrides # +# Overrides # diff --git a/docker-compose.yml b/docker-compose.yml index 289ed761..ac45857f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -297,7 +297,7 @@ services: - dovecot postfix-mailcow: - image: mailcow/postfix:1.70 + image: mailcow/postfix:1.71 depends_on: - mysql-mailcow volumes: