Introduce ENABLE_DNSBL env

docs/content/config/environment.md

@@ -62,6 +62,16 @@ Amavis content filter (used for ClamAV & SpamAssassin)
 - 1/2      => Show default informational output
 - 3/4/5    => log debug information (very verbose)
 
+##### ENABLE_DNSBL
+
+This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
+and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+
+Note: Emails will be rejected, if they don't pass the block list checks!
+
+- **0** => DNS block lists are disabled
+- 1     => DNS block lists are enabled
+
 ##### ENABLE_CLAMAV
 
 - **0** => Clamav is disabled
@@ -106,8 +116,8 @@ In the majority of cases, you want `letsencrypt` or `manual`.
 - **empty** => SSL disabled.
 - letsencrypt => Support for using certificates with _Let's Encrypt_ provisioners. (Docs: [_Let's Encrypt_ Setup][docs-tls-letsencrypt])
 - manual => Provide your own certificate via separate key and cert files. (Docs: [Bring Your Own Certificates][docs-tls-manual])
-    - Requires: `SSL_CERT_PATH` and `SSL_KEY_PATH` ENV vars to be set to the location of the files within the container.
-    - Optional: `SSL_ALT_CERT_PATH` and `SSL_ALT_KEY_PATH` allow providing a 2nd certificate as a fallback for dual (aka hybrid) certificate support. Useful for ECDSA with an RSA fallback. _Presently only `manual` mode supports this feature_.
+  - Requires: `SSL_CERT_PATH` and `SSL_KEY_PATH` ENV vars to be set to the location of the files within the container.
+  - Optional: `SSL_ALT_CERT_PATH` and `SSL_ALT_KEY_PATH` allow providing a 2nd certificate as a fallback for dual (aka hybrid) certificate support. Useful for ECDSA with an RSA fallback. _Presently only `manual` mode supports this feature_.
 - custom => Provide your own certificate as a single file containing both the private key and full certificate chain. (Docs: `None`)
 - self-signed => Provide your own self-signed certificate files. Expects a self-signed CA cert for verification. **Use only for local testing of your setup**. (Docs: [Self-Signed Certificates][docs-tls-selfsigned])
 
@@ -352,7 +362,7 @@ Note: this SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`
 !!! note "This SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`"
 
     By default, `docker-mailserver` is configured to quarantine spam emails.
-    
+
     If emails are quarantined, they are compressed and stored in a location dependent on the `ONE_DIR` setting above. To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. `100.0`.
 
     If `ONE_DIR=1` (default) the location is `/var/mail-state/lib-amavis/virusmails/`, or if `ONE_DIR=0`: `/var/lib/amavis/virusmails/`. These paths are inside the docker container.
@@ -483,6 +493,7 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
 
 ##### DOVECOT_DNPASS
+
 - **empty** => same as `LDAP_BIND_PW`
 - => Password for LDAP dn sepecifified in `DOVECOT_DN`.
 

mailserver.env

@@ -92,6 +92,13 @@ ENABLE_AMAVIS=1
 # 3/4/5    => log debug information (very verbose)
 AMAVIS_LOGLEVEL=0
 
+# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
+# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+# Note: Emails will be rejected, if they don't pass the block list checks!
+# **0** => DNS block lists are disabled
+# 1     => DNS block lists are enabled
+ENABLE_DNSBL=0
+
 # If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
 #    cap_add:
 #      - NET_ADMIN

target/scripts/start-mailserver.sh

@@ -23,6 +23,7 @@ VARS[DOVECOT_MAILBOX_FORMAT]="${DOVECOT_MAILBOX_FORMAT:=maildir}"
 VARS[DOVECOT_TLS]="${DOVECOT_TLS:=no}"
 VARS[ENABLE_AMAVIS]="${ENABLE_AMAVIS:=1}"
 VARS[ENABLE_CLAMAV]="${ENABLE_CLAMAV:=0}"
+VARS[ENABLE_DNSBL]="${ENABLE_DNSBL:=0}"
 VARS[ENABLE_FAIL2BAN]="${ENABLE_FAIL2BAN:=0}"
 VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}"
 VARS[ENABLE_LDAP]="${ENABLE_LDAP:=0}"
@@ -109,6 +110,7 @@ function register_functions
   [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd'
   [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_inet_protocols'
   [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
+  [[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
 
   _register_setup_function '_setup_dkim'
   _register_setup_function '_setup_ssl'

target/scripts/startup/setup-stack.sh

@@ -1512,3 +1512,13 @@ function _setup_fail2ban
     echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local
   fi
 }
+
+function _setup_dnsbl_disable
+{
+  _notify 'task' 'Disabling postfix DNS block list (zen.spamhaus.org)'
+  sedfile -i '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' /etc/postfix/main.cf
+
+  _notify 'task' 'Disabling postscreen DNS block lists'
+  postconf -e "postscreen_dnsbl_action = ignore"
+  postconf -e "postscreen_dnsbl_sites = "
+}

test/mail_dnsbl.bats

@@ -0,0 +1,78 @@
+load 'test_helper/common'
+
+function setup() {
+    run_setup_file_if_necessary
+}
+
+function setup_file() {
+  local PRIVATE_CONFIG CONTAINER CONTAINER2
+  PRIVATE_CONFIG="$(duplicate_config_for_container . "${CONTAINER}")"
+  CONTAINER="mail_dnsbl_enabled"
+  CONTAINER2="mail_dnsbl_disabled"
+
+	docker run --rm -d --name "${CONTAINER}" \
+		-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+		-e ENABLE_DNSBL=1 \
+		-h mail.my-domain.com \
+		-t "${NAME}"
+
+	docker run --rm -d --name "${CONTAINER2}" \
+		-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+		-e ENABLE_DNSBL=0 \
+		-h mail.my-domain.com \
+		-t "${NAME}"
+
+    wait_for_smtp_port_in_container "${CONTAINER}"
+    wait_for_smtp_port_in_container "${CONTAINER2}"
+}
+
+@test "first" {
+  skip 'only used to call setup_file from setup'
+}
+
+# ENABLE_DNSBL=1
+@test "checking enabled postfix DNS block list zen.spamhaus.org" {
+  run docker exec mail_dnsbl_enabled postconf smtpd_recipient_restrictions
+  assert_output --partial 'reject_rbl_client zen.spamhaus.org'
+}
+
+@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_action" {
+  run docker exec mail_dnsbl_enabled postconf postscreen_dnsbl_action
+  assert_output 'postscreen_dnsbl_action = enforce'
+}
+
+@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
+  run docker exec mail_dnsbl_enabled postconf postscreen_dnsbl_sites
+  assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4'
+}
+
+# ENABLE_DNSBL=0
+@test "checking disabled postfix DNS block list zen.spamhaus.org" {
+  run docker exec mail_dnsbl_disabled postconf smtpd_recipient_restrictions
+  refute_output --partial 'reject_rbl_client zen.spamhaus.org'
+}
+
+@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_action" {
+  run docker exec mail_dnsbl_disabled postconf postscreen_dnsbl_action
+  assert_output 'postscreen_dnsbl_action = ignore'
+}
+
+@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
+  run docker exec mail_dnsbl_disabled postconf postscreen_dnsbl_sites
+  assert_output 'postscreen_dnsbl_sites ='
+}
+
+# cleanup
+@test "checking that the container stops cleanly: mail_dnsbl_enabled" {
+  run docker stop -t 0 mail_dnsbl_enabled
+  assert_success
+}
+
+@test "checking that the container stops cleanly: mail_dnsbl_disabled" {
+  run docker stop -t 0 mail_dnsbl_disabled
+  assert_success
+}
+
+@test "last" {
+    skip 'only used to call teardown_file from teardown'
+}

test/mail_with_postgrey.bats

@@ -19,6 +19,7 @@ function setup_file() {
               -e POSTGREY_MAX_AGE=35 \
               -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
               -e POSTGREY_TEXT="Delayed by Postgrey" \
+              -e ENABLE_DNSBL=1 \
               -e DMS_DEBUG=0 \
               -h mail.my-domain.com -t "${NAME}"
     # using postfix availability as start indicator, this might be insufficient for postgrey