From 9f39af46aa9952d192cb1aaea47a3785eb088fc7 Mon Sep 17 00:00:00 2001
From: Christian Hailer <christian@hailer.eu>
Date: Tue, 1 Aug 2023 16:12:44 +0200
Subject: [PATCH] Add postscreen_dnsbl_reply_map to avoid disclosure of DQS key
 with Spamhaus setup

---
 data/Dockerfiles/postfix/postfix.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index fb408ce9..8099301a 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -405,6 +405,17 @@ if [ -n "$SPAMHAUS_DQS_KEY" ]; then
   ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
   ${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net=127.0.0.3*4
   ${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net=127.0.0.2*3
+postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply
+EOF
+
+  cat <<EOF > /opt/postfix/conf/dnsbl_reply
+# Autogenerated by mailcow, using Spamhaus DQS lists
+${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
+${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
 EOF
 
 else