On Mon, 18 Nov 2019, Benny Pedersen wrote:
> Bernardo Reino wrote on 2019-11-18 10:12:
>
>> I have now done it with:
>>
>> rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
>>
>> where that file has lines like:
>>
>> $KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
>>
>> where $KEY is my key, and the LHS of that line is exactly as it looks
>> in reject_rhsbl_reverse_client (to give an example).
>
> add it to github ?

Of postfix? :)
(If you mean of spamassassin-dqs, I'm not using it. I do use rspamd-dqs --
see below -- but there would still be nothing to add to that project, as
my question is/was about postfix configuration).

>> Seems to work (meaning: postfix hasn't complained, and I continue to
>> receive mail :), but given the little traffic I have I wanted an
>> "offline verification" that this is the right way to do this.
>
> it's still postfix postscreen that logs dnsbllog with key; it could be mapped
> before syslog so postfix-logwatch does not reveal keys

I had the masking/censoring of the key already implemented for postscreen,
using postscreen_dnsbl_reply_map.
My question was about doing the same with smtpd, i.e. if postscreen (for
whatever reason) hasn't rejected the attempt.
I also have spamhaus filtering with rspamd (so postscreen -> smtpd ->
rspamd), so that even if both postscreen *and* smtpd do not reject the
message (again, for whatever reason, e.g. misconfiguration), rspamd will
deal with it (according to scoring rules, etc.)
Logging (and logwatch) is not an issue, as I actually want to be able to
see (for whatever reason) which blacklist was triggered and which response
it gave, but thanks for the idea, which I'll keep in mind, of filtering it
out with rsyslog if/as necessary.
Cheers.
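
An offline check of such a reply map, as an added example (not part of the original message and not Postfix code): it parses the map text in Postfix's table format, renders each reply template with sample values, and reports entries whose SMTP reply would still expose the key. The key, the second map entry and the sample attribute values are constructed, and the expansion is a simplified stand-in for Postfix's own template handling.

```python
import re

# Constructed placeholder key; the first entry's reply text is the one quoted in the thread,
# the second entry is a constructed counter-example that re-introduces $rbl_domain.
KEY = "examplekey0000"
SAMPLE_MAP = f"""\
# /etc/postfix/dnsbl_reply_smtpd (constructed sample)
{KEY}.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service
    unavailable; $rbl_class [$rbl_what] blocked
{KEY}.dbl.dq.spamhaus.net $rbl_code blocked using $rbl_domain
"""

def parse_texthash(text):
    """Parse Postfix table text: '#' comments, whitespace-led continuation lines,
    then 'key whitespace value' on each logical line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of the previous entry
        else:
            logical.append(line.strip())
    return dict(entry.split(None, 1) for entry in logical)

def expand(template, attrs):
    """Expand $name and ${name} only; conditional forms such as ${name?text} are not handled."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: attrs.get(m.group(1), m.group(0)), template)

def leaking_entries(table, key):
    """Return the map keys whose rendered reply would still contain the DQS key."""
    leaks = []
    for lhs, template in table.items():
        attrs = {"rbl_code": "554", "rbl_class": "Client host",   # sample values (assumed)
                 "rbl_what": "host.example.net", "rbl_reason": "",
                 "rbl_domain": lhs.split("=")[0]}  # approximation: zone name incl. key
        if key in expand(template, attrs):
            leaks.append(lhs)
    return leaks

if __name__ == "__main__":
    table = parse_texthash(SAMPLE_MAP)
    for lhs in table:
        print("lookup key:", lhs)
    print("entries that would leak the key:", leaking_entries(table, KEY))
```

On a host with Postfix installed, `postmap -q` with the restriction's argument as the query string and `texthash:/etc/postfix/dnsbl_reply_smtpd` as the table confirms that the real file returns a template for that exact lookup key.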