From 5e7583c5e622ee264edb188b6259d668b8ad6b85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20RICCIO?= Date: Tue, 1 Aug 2023 10:49:26 +0200 Subject: [PATCH 1/7] Fix main.cf merging order Now the dnsbl files are merged before extra.cf --- data/Dockerfiles/postfix/postfix.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index fb408ce9..fd149e5b 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh @@ -435,6 +435,10 @@ EOF fi fi +# Append postscreen dnsbl sites to main.cf +cat /opt/postfix/conf/dns_blocklists.cf >> /opt/postfix/conf/main.cf +cat /tmp/spamhaus.cf >> /opt/postfix/conf/main.cf + sed -i '/User overrides/q' /opt/postfix/conf/main.cf echo >> /opt/postfix/conf/main.cf touch /opt/postfix/conf/extra.cf @@ -443,10 +447,6 @@ echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf -# Append postscreen dnsbl sites to main.cf -cat /opt/postfix/conf/dns_blocklists.cf >> /opt/postfix/conf/main.cf -cat /tmp/spamhaus.cf >> /opt/postfix/conf/main.cf - if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then echo "Creating dummy custom_transport.pcre" touch /opt/postfix/conf/custom_transport.pcre From 7cda9f063f900f216e32785bdbb2ddb7bdc3814b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20RICCIO?= Date: Tue, 1 Aug 2023 13:59:23 +0200 Subject: [PATCH 2/7] Fix for fix I did not paid attention to the "User overrides" sed/q --- data/Dockerfiles/postfix/postfix.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index fd149e5b..4177682e 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh 
@@ -435,11 +435,13 @@ EOF fi fi +sed -i '/User overrides/q' /opt/postfix/conf/main.cf + # Append postscreen dnsbl sites to main.cf cat /opt/postfix/conf/dns_blocklists.cf >> /opt/postfix/conf/main.cf cat /tmp/spamhaus.cf >> /opt/postfix/conf/main.cf -sed -i '/User overrides/q' /opt/postfix/conf/main.cf +# Append user overrides echo >> /opt/postfix/conf/main.cf touch /opt/postfix/conf/extra.cf sed -i '/myhostname/d' /opt/postfix/conf/extra.cf From 9f39af46aa9952d192cb1aaea47a3785eb088fc7 Mon Sep 17 00:00:00 2001 From: Christian Hailer Date: Tue, 1 Aug 2023 16:12:44 +0200 Subject: [PATCH 3/7] Add postscreen_dnsbl_reply_map to avoid disclosure of DQS key with Spamhaus setup --- data/Dockerfiles/postfix/postfix.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index fb408ce9..8099301a 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh @@ -405,6 +405,17 @@ if [ -n "$SPAMHAUS_DQS_KEY" ]; then ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3 ${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net=127.0.0.3*4 ${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net=127.0.0.2*3 +postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply +EOF + + cat < /opt/postfix/conf/dnsbl_reply +# Autogenerated by mailcow, using Spamhaus DQS lists +${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net sbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net xbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net pbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net zen.spamhaus.org +${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net dbl.spamhaus.org +${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net zrd.spamhaus.org EOF else From c45684b986fbe2f11a492ba44a82351acb097fed Mon Sep 17 00:00:00 2001 
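Review bot: The new postscreen_dnsbl_reply_map only changes the hostname postscreen puts into its SMTP reject reply; the DQS key still stands in main.cf's postscreen_dnsbl_sites and, as far as I can tell, in the dnsblog log lines that name the queried domain, so log shipping and config backups remain disclosure paths worth stating next to the `# Autogenerated by mailcow, using Spamhaus DQS lists` header. The heredoc that writes /opt/postfix/conf/dnsbl_reply creates the file under the default umask although it holds the key; a `chmod 640 /opt/postfix/conf/dnsbl_reply` after the heredoc, with group ownership matching the user postscreen reads texthash maps as (please confirm), would narrow it. A one-line comment in the generated file, `# Keyed DQS hostnames mapped back to public names so the key is not echoed to SMTP clients`, would make the intent clear to whoever finds the file later.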
From: FreddleSpl0it Date: Wed, 2 Aug 2023 16:36:59 +0200 Subject: [PATCH 4/7] [Postfix] rework dns_blocklists.cf generation --- data/Dockerfiles/postfix/postfix.sh | 74 +++++++++++++++++++---------- data/conf/postfix/dns_blocklists.cf | 25 ---------- data/conf/postfix/main.cf | 2 +- 3 files changed, 51 insertions(+), 50 deletions(-) delete mode 100644 data/conf/postfix/dns_blocklists.cf diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index 4177682e..ce788872 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh 
@@ -393,12 +393,43 @@ query = SELECT goto FROM spamalias AND validity >= UNIX_TIMESTAMP() EOF +if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then + cat < /opt/postfix/conf/dns_blocklists.cf +# This file can be edited. +# Delete this file and restart postfix container to revert any changes. +postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2 + hostkarma.junkemailfilter.com=127.0.0.1*-2 + list.dnswl.org=127.0.[0..255].0*-2 + list.dnswl.org=127.0.[0..255].1*-4 + list.dnswl.org=127.0.[0..255].2*-6 + list.dnswl.org=127.0.[0..255].3*-8 + ix.dnsbl.manitu.net*2 + bl.spamcop.net*2 + bl.suomispam.net*2 + hostkarma.junkemailfilter.com=127.0.0.2*3 + hostkarma.junkemailfilter.com=127.0.0.4*2 + hostkarma.junkemailfilter.com=127.0.1.2*1 + backscatter.spameatingmonkey.net*2 + bl.ipv6.spameatingmonkey.net*2 + bl.spameatingmonkey.net*2 + b.barracudacentral.org=127.0.0.2*7 + bl.mailspike.net=127.0.0.2*5 + bl.mailspike.net=127.0.0.[10;11;12]*4 + dnsbl.sorbs.net=127.0.0.10*8 + dnsbl.sorbs.net=127.0.0.5*6 + dnsbl.sorbs.net=127.0.0.7*3 + dnsbl.sorbs.net=127.0.0.8*2 + dnsbl.sorbs.net=127.0.0.6*2 + dnsbl.sorbs.net=127.0.0.9*2 +EOF +fi +DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S') + echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m" if [ -n "$SPAMHAUS_DQS_KEY" ]; then echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m" echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m" - cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using Spamhaus DQS lists + SPAMHAUS_DNSBL_CONFIG=$(cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using no Spamhaus DNSBL -EOF + echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m" + echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... 
Skipping Spamhaus blocklists entirely!\e[0m" + SPAMHAUS_DNSBL_CONFIG="" elif [ "$response" -eq 200 ]; then - echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m" - echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m" - cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using public spamhaus lists + echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m" + echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m" + SPAMHAUS_DNSBL_CONFIG=$(cat < /tmp/spamhaus.cf -# Autogenerated by mailcow, using no Spamhaus DNSBL -EOF + echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m" + echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m" + SPAMHAUS_DNSBL_CONFIG="" fi fi -sed -i '/User overrides/q' /opt/postfix/conf/main.cf - -# Append postscreen dnsbl sites to main.cf -cat /opt/postfix/conf/dns_blocklists.cf >> /opt/postfix/conf/main.cf -cat /tmp/spamhaus.cf >> /opt/postfix/conf/main.cf - -# Append user overrides +# Reset main.cf +sed -i '/Overrides/q' /opt/postfix/conf/main.cf echo >> /opt/postfix/conf/main.cf +# Append postscreen dnsbl sites to main.cf +echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf +# Append user overrides +echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf touch /opt/postfix/conf/extra.cf sed -i '/myhostname/d' /opt/postfix/conf/extra.cf echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf - cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then diff --git a/data/conf/postfix/dns_blocklists.cf b/data/conf/postfix/dns_blocklists.cf deleted file mode 100644 index 9fc9e70f..00000000 --- a/data/conf/postfix/dns_blocklists.cf +++ /dev/null 
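Review bot: `sed -i '/Overrides/q' /opt/postfix/conf/main.cf` is case-sensitive, so on an installation whose persisted main.cf still carries the old `# User overrides #` marker (a locally edited copy that the template update does not replace, for instance) nothing is truncated on the first start, and from the second start on the cut lands at the generated `# User Overrides` line, leaving the previous run's block — including any earlier postscreen_dnsbl_sites carrying a DQS key — in front of it indefinitely. Matching both spellings, `sed -i '/[Oo]verrides/q' /opt/postfix/conf/main.cf`, keeps the reset working across that transition. Separately, `echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}"` interprets backslash escapes inside the content of the user-editable dns_blocklists.cf; `printf '%s\n%s\n' "$DNSBL_CONFIG" "$SPAMHAUS_DNSBL_CONFIG"` writes it verbatim, and the same applies to the copy of this line in the following patch.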
@@ -1,25 +0,0 @@ -# Content loaded from dns_blocklists.cf, edit only if really necessary! -postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2 - hostkarma.junkemailfilter.com=127.0.0.1*-2 - list.dnswl.org=127.0.[0..255].0*-2 - list.dnswl.org=127.0.[0..255].1*-4 - list.dnswl.org=127.0.[0..255].2*-6 - list.dnswl.org=127.0.[0..255].3*-8 - ix.dnsbl.manitu.net*2 - bl.spamcop.net*2 - bl.suomispam.net*2 - hostkarma.junkemailfilter.com=127.0.0.2*3 - hostkarma.junkemailfilter.com=127.0.0.4*2 - hostkarma.junkemailfilter.com=127.0.1.2*1 - backscatter.spameatingmonkey.net*2 - bl.ipv6.spameatingmonkey.net*2 - bl.spameatingmonkey.net*2 - b.barracudacentral.org=127.0.0.2*7 - bl.mailspike.net=127.0.0.2*5 - bl.mailspike.net=127.0.0.[10;11;12]*4 - dnsbl.sorbs.net=127.0.0.10*8 - dnsbl.sorbs.net=127.0.0.5*6 - dnsbl.sorbs.net=127.0.0.7*3 - dnsbl.sorbs.net=127.0.0.8*2 - dnsbl.sorbs.net=127.0.0.6*2 - dnsbl.sorbs.net=127.0.0.9*2 diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf index a5751c65..237b4263 100644 --- a/data/conf/postfix/main.cf +++ b/data/conf/postfix/main.cf @@ -169,4 +169,4 @@ smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients # DO NOT EDIT ANYTHING BELOW # -# User overrides # +# Overrides # From 5d3491c80192b14abce7ff71585a0c3b8b786855 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 2 Aug 2023 16:48:22 +0200 Subject: [PATCH 5/7] [Postfix] only apply DNSBL if dns_blocklists.cf is not empty --- data/Dockerfiles/postfix/postfix.sh | 49 +++++++++++++++-------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index ce788872..c0fb7eb0 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh 
@@ -425,11 +425,12 @@ EOF fi DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S') -echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m" -if [ -n "$SPAMHAUS_DQS_KEY" ]; then - echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m" - echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m" - SPAMHAUS_DNSBL_CONFIG=$(cat <> /opt/postfix/conf/main.cf # Append postscreen dnsbl sites to main.cf -echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf +if [ ! -z "$DNSBL_CONFIG" ]; then + echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf +fi # Append user overrides echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf touch /opt/postfix/conf/extra.cf From 003eecf131f15b86f5ace52f7441cbd141dc1ce7 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 2 Aug 2023 17:08:55 +0200 Subject: [PATCH 6/7] [Postfix] remove spamhaus dbl and zrd from postscreen_dnsbl_sites --- data/Dockerfiles/postfix/postfix.sh | 2 -- docker-compose.yml | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index c0fb7eb0..731328d3 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh @@ -435,8 +435,6 @@ if [ ! -z "$DNSBL_CONFIG" ]; then ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8 ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4 ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3 - ${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net=127.0.0.3*4 - ${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net=127.0.0.2*3 EOF ) else diff --git a/docker-compose.yml b/docker-compose.yml index 289ed761..ac45857f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -297,7 +297,7 @@ services: - dovecot postfix-mailcow: - image: mailcow/postfix:1.70 + image: mailcow/postfix:1.71 depends_on: - mysql-mailcow volumes: 
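Review bot: When dns_blocklists.cf holds no uncommented line, the new `if [ ! -z "$DNSBL_CONFIG" ]` around the append to main.cf skips postscreen DNSBL configuration silently, whereas every other outcome in this script prints a coloured status line; an `else` arm with `echo -e "\e[33mdns_blocklists.cf is empty, postscreen DNSBL checks are disabled.\e[0m"` would make a disabled check visible in the container log. Stylistically, `[ -n "$DNSBL_CONFIG" ]` says the same as `[ ! -z "$DNSBL_CONFIG" ]`. The middle of this hunk appears garbled on this page, so I cannot see how the removed Spamhaus detection lines were re-added, and the enclosing block presumably extends beyond what is visible here.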
From b050cb9864c09bb78d747c4e0243f2ba4c144b43 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 3 Aug 2023 09:00:08 +0200 Subject: [PATCH 7/7] [Postfix] remove dnsbl_reply.map if not required --- .gitignore | 1 + data/Dockerfiles/postfix/postfix.sh | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0169c439..3595ecb1 100644 --- a/.gitignore +++ b/.gitignore @@ -37,6 +37,7 @@ data/conf/postfix/sni.map data/conf/postfix/sni.map.db data/conf/postfix/sql data/conf/postfix/dns_blocklists.cf +data/conf/postfix/dnsbl_reply.map data/conf/rspamd/custom/* data/conf/rspamd/local.d/* data/conf/rspamd/override.d/* diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index ba87aaa2..f981bff6 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh @@ -435,10 +435,10 @@ if [ ! -z "$DNSBL_CONFIG" ]; then ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8 ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4 ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3 -postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply +postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map EOF - cat < /opt/postfix/conf/dnsbl_reply + cat < /opt/postfix/conf/dnsbl_reply.map # Autogenerated by mailcow, using Spamhaus DQS reply domains ${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net sbl.spamhaus.org ${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net xbl.spamhaus.org @@ -449,6 +449,9 @@ ${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net zrd.spamhaus.org EOF ) else + if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then + rm /opt/postfix/conf/dnsbl_reply.map + fi response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email") if [ "$response" -eq 503 ]; then echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m" 
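Review bot: The `rm /opt/postfix/conf/dnsbl_reply.map` runs only in the `else` arm taken when SPAMHAUS_DQS_KEY is unset, and the hunk context suggests that arm sits inside the `if [ ! -z "$DNSBL_CONFIG" ]` block, so emptying dns_blocklists.cf leaves a map written by an earlier start — with the DQS key it then held — in the conf directory, which the .gitignore entry in this patch indicates is persisted on the host. Removing it unconditionally before that block, `rm -f -- /opt/postfix/conf/dnsbl_reply.map`, and letting the DQS branch recreate it covers both paths and replaces the `-f` test plus `rm` pair. A short comment at that spot, `# Drop any stale reply map; the DQS branch below rewrites it when a key is configured`, would explain why the file is deleted before it is possibly recreated.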
@@ -519,4 +522,4 @@ if [[ $? != 0 ]]; then else postfix -c /opt/postfix/conf start sleep 126144000 -fi \ No newline at end of file +fi