From: Ralf Hildebrandt on
The spamhaus DBL can be used to query sender domains and hostnames (no
IPs).

So generally, one could use:
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_reverse_client dbl.spamhaus.org

but when one subscribes to Spamhaus's DNSBL feed (which we have to),
one gets a special domain to query:

reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net
reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net

This works wonderfully, except for the fact that Postfix's

default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

gives away the secret key. This is easily fixed in so many ways, e.g.:

default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}

Maybe the default should not contain $rbl_domain. I cannot tell if the
scheme Spamhaus uses is commonplace.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de


From: Ralf Hildebrandt on
* Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>:

> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}

This assumes it's the only RBL being queried. Otherwise one would use
rbl_reply_maps

--
Ralf Hildebrandt


From: Noel Jones on
On 4/6/2010 10:34 AM, Ralf Hildebrandt wrote:
> The spamhaus DBL can be used to query sender domains and hostnames (no
> IPs).
>
> So generally, one could use:
> reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_reverse_client dbl.spamhaus.org
>
> but when one subscribes to Spamhaus's DNSBL feed (which we have to),
> one gets a special domain to query:
>
> reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net
> reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net
>
> This works wonderfully, except for the fact that Postfix's
>
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
>
> gives away the secret key. This is easily fixed in so many ways, e.g.:
>
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
>

(Use rbl_reply_maps if you query other rbls.)

> Maybe the default should not contain $rbl_domain. I cannot tell if the
> scheme Spamhaus uses is commonplace.
>

No, the rbl reply is the only place that postfix logs which
rbl caused the rejection, which might not always be clear from
$rbl_reason. I think removing the rbl name would cause much
confusion. Handling it locally with rbl_reply_maps is the
best solution.

-- Noel Jones
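
One way to check that a keyed zone never reaches the SMTP reply, as an added example that is not part of the original thread. It reads a main.cf excerpt and the rbl_reply_maps source table (RBL domain, then reply template) and lists keyed zones whose effective template would still expose them. The file path, rhsbl.example.org, the ".dq.spamhaus.net" suffix test and all helper names are assumptions.

```python
import re

# Constructed sample input; "secretkey" stands in for the subscriber key as in
# the thread, rhsbl.example.org is a made-up second list.
MAIN_CF = """\
smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net,
    reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net,
    reject_rhsbl_sender rhsbl.example.org
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
"""
# Source of the rbl_reply_maps table: key = RBL domain as queried, value = template.
REPLY_MAP = """\
secretkey.dbl.dq.spamhaus.net  $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
"""
# Stock default_rbl_reply as quoted in the thread.
STOCK_DEFAULT = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked "
                 "using $rbl_domain${rbl_reason?; $rbl_reason}")
KEYED_SUFFIXES = (".dq.spamhaus.net",)  # assumption: keyed zones look like this
RBL_RE = re.compile(r"\breject_(?:rbl|rhsbl)_\w+\s+([\w.-]+)")

def parse_reply_map(text):
    """Parse 'key template' lines; skips comments/blanks, ignores continuations."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            parts = line.split(None, 1)
            table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def default_template(main_cf):
    """Return a local default_rbl_reply override, else the stock default."""
    m = re.search(r"^default_rbl_reply\s*=\s*(.+)$", main_cf, re.M)
    return m.group(1) if m else STOCK_DEFAULT

def leaking_zones(main_cf, reply_map):
    """Keyed RBL zones whose effective reply template would reveal the zone."""
    table, fallback = parse_reply_map(reply_map), default_template(main_cf)
    leaks = []
    for zone in sorted(set(RBL_RE.findall(main_cf))):
        if zone.lower().endswith(KEYED_SUFFIXES):
            template = table.get(zone.lower(), fallback)
            if "rbl_domain" in template or zone.lower() in template.lower():
                leaks.append(zone)
    return leaks

if __name__ == "__main__":
    print("with map:", leaking_zones(MAIN_CF, REPLY_MAP))
    print("without map:", leaking_zones(MAIN_CF, ""))
```

The public name in the template still tells the log reader which list caused the rejection, while other lists keep the default reply with $rbl_domain.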

From: mouss on
Ralf Hildebrandt wrote:
> The spamhaus DBL can be used to query sender domains and hostnames (no
> IPs).
>
> So generally, one could use:
> reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_reverse_client dbl.spamhaus.org
>
> but when one subscribes to Spamhaus's DNSBL feed (which we have to),
> one gets a special domain to query:
>
> reject_rhsbl_sender secretkey.dbl.dq.spamhaus.net
> reject_rhsbl_reverse_client secretkey.dbl.dq.spamhaus.net
>

This is a (spamhaus) design flaw. It means you can't share your
configuration without exposing your "secret" key. I'm not going to say
that it is stupid to rely on secret keys. This has already been worked on :)


> This works wonderfully, except for the fact that Postfix's
>
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
>

If you need it, use rbl_reply_maps. Otherwise, leave it to spamhaus to
fix the problem.

> gives away the secret key. This is easily fixed in so many ways, e.g.:
>
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
>
> Maybe the default should not contain $rbl_domain. I cannot tell if the
> scheme Spamhaus uses is commonplace.
>