Replace Spamhaus Zen Postfix blacklisting with stronger SpamAssassin scoring #1958

Status: Open. Wants to merge 5 commits into base: main.
6 changes: 2 additions & 4 deletions setup/mail-postfix.sh
Expand Up @@ -210,10 +210,8 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
# * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
# * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
# * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
# * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
# * `permit_mynetworks`: Mail that originates locally can skip further checks.
# * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
# * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
# * `check_policy_service`: Apply greylisting using postgrey.
#
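Review bot: with the `reject_rhsbl_sender` and `reject_rbl_client` bullets gone, nothing left in this comment block tells a reader of mail-postfix.sh where Spamhaus reputation checks are now enforced; add a one-line pointer such as `# Spamhaus Zen/DBL lookups are now scored by SpamAssassin (see setup/spamassassin.sh) rather than rejected here.` so the two files stay linked.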
Expand All @@ -223,8 +221,8 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
# whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
# "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
tools/editconf.py /etc/postfix/main.cf \
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch" \
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"

# Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
# Postgrey listens on the same interface (and not IPv6, for instance).
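Review bot: this hunk removes more than the title states: besides `reject_rbl_client zen.spamhaus.org` it also drops `reject_rhsbl_sender dbl.spamhaus.org` from smtpd_sender_restrictions, and the new SpamAssassin scores only cover `RCVD_IN_*` and `URIBL_*` rules, so the sender-domain DBL check has no visible replacement; either keep that entry or state in the commit message that it is intentionally dropped. Worth spelling out for operators as well that mail from listed hosts is now accepted, run through greylisting and SpamAssassin and stored in the spam folder instead of being refused during the SMTP dialogue, so the server bears that load and the sender no longer receives a rejection.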
18 changes: 18 additions & 0 deletions setup/spamassassin.sh
Expand Up @@ -117,6 +117,24 @@ describe SPF_FAIL SPF check failed
score SPF_FAIL 5.0
EOF

# SpamAssassin Spamhaus Zen blacklist scores
# ------------------------------------------
# MiaB installs spamassassin configured to check against Spamhaus Zen
# blacklists, but the default score is too low to guarantee blacklisted
# email as spam. The below score is intended to send all Spamhaus Zen blacklist
# email received to the spam folder.

cat > /etc/spamassassin/miab_spamhaus_zen_scores.cf << EOF
score RCVD_IN_PBL 10.0
score RCVD_IN_SBL 10.0
score RCVD_IN_SBL_CSS 10.0
score RCVD_IN_XBL 10.0
score URIBL_CSS 10.0
score URIBL_CSS_A 10.0
score URIBL_SBL 10.0
score URIBL_SBL_A 10.0
EOF

# Bayesean learning
# -----------------
#
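Review bot: the comment's claim to "guarantee blacklisted email as spam" only holds if 10.0 exceeds the configured `required_score`, which this hunk neither shows nor sets; state the threshold these scores assume, and reword the sentence to "too low to guarantee that blacklisted email is classified as spam". Also, `RCVD_IN_PBL` lists dynamic/end-user address space rather than known spam sources, so scoring it at 10.0 relies on `trusted_networks`/`internal_networks` being correct so that authenticated submissions from users on residential connections are not scored on their own IP; a short comment recording that assumption would help whoever next tunes these scores.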