From 71d241197e781f0f72da66fc6743531b417b9985 Mon Sep 17 00:00:00 2001
From: myfirstnameispaul
Date: Sat, 10 Apr 2021 08:32:15 -0700
Subject: [PATCH 1/2] Remove Spamhaus Zen blacklist rejecting

---
 setup/mail-postfix.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 0a66cb0f1..25e598feb 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -202,10 +202,8 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
 # * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
 # * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
 # * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
-# * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
 # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
 # * `permit_mynetworks`: Mail that originates locally can skip further checks.
-# * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
 # * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
 # * `check_policy_service`: Apply greylisting using postgrey.
 #
@@ -215,8 +213,8 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
- smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
- smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
+ smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch" \
+ smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
 
 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).
From 19a47fc5d42c219af0ca5bcd9fd06dec6b445bbc Mon Sep 17 00:00:00 2001
From: myfirstnameispaul
Date: Sat, 10 Apr 2021 09:24:26 -0700
Subject: [PATCH 2/2] Add SpamAssassin Spamhaus Zen blacklist score file

Improves from default the score assigned to Spamhaus Zen blacklisted emails by creating miab_spamhaus_zen_scores.cf file with higher score values.
---
 setup/spamassassin.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/setup/spamassassin.sh b/setup/spamassassin.sh
index 989bbff4d..8828fd8e5 100755
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
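Review bot: In setup/mail-postfix.sh the new `smtpd_sender_restrictions` line also drops `reject_rhsbl_sender dbl.spamhaus.org`, which is a domain-blocklist check on the envelope sender and not a Zen lookup, so the change is wider than the commit title states. The score file added by the second patch lists only `RCVD_IN_*` and `URIBL_CSS`/`URIBL_SBL` rules, so nothing visible in this series takes over the envelope-sender domain check. If only the Zen client rejection is meant to go, keep the sender line as `smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \` and leave its bullet in the comment list of the previous hunk; otherwise the commit message should say that DBL rejection is removed as well. Either way, mail from Zen-listed clients is now accepted, greylisted and content-scanned rather than refused during the SMTP dialogue, so filtering depends entirely on the SpamAssassin scores being loaded.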
@@ -117,6 +117,24 @@ describe SPF_FAIL SPF check failed
 score SPF_FAIL 5.0
 EOF
 
+# SpamAssassin Spamhaus Zen blacklist scores
+# ------------------------------------------
+# MiaB installs spamassassin configured to check against Spamhaus Zen
+# blacklists, but the default score is too low to guarantee blacklisted
+# email as spam. The below score is intended to send all Spamhaus Zen blacklist
+# email received to the spam folder.
+
+cat > /etc/spamassassin/miab_spamhaus_zen_scores.cf << EOF
+score RCVD_IN_PBL 10.0
+score RCVD_IN_SBL 10.0
+score RCVD_IN_SBL_CSS 10.0
+score RCVD_IN_XBL 10.0
+score URIBL_CSS 10.0
+score URIBL_CSS_A 10.0
+score URIBL_SBL 10.0
+score URIBL_SBL_A 10.0
+EOF
+
 # Bayesean learning
 # -----------------
 #
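Review bot: The four `URIBL_*` entries written to miab_spamhaus_zen_scores.cf are not checks on the connecting client: SpamAssassin's URIBL rules fire on URLs found in the message, so at 10.0 one listed link can push otherwise legitimate mail over the spam threshold (the threshold in use is not visible in this hunk), which is broader than the `reject_rbl_client zen.spamhaus.org` check the first patch removes. The header comment should say this, for example `# URIBL_* rules match URLs in the message, not the connecting IP.`, or those four rules should get a lower score than the `RCVD_IN_*` ones. "Guarantee" in the comment is also stronger than the mechanism supports, because rule scores are summed with whatever negative-scoring rules apply to the message. The here-document body contains nothing to expand, so `<< 'EOF'` would state that intent; whether the scanner reloads the new file depends on a restart that is outside this hunk.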