I just added the DQS key to my config but when I test using https://blt.spamhaus.com/ it has 5 fails Can anyone help me fix these errors, please? I would really appreciate it. ### Message: ```txt This email was delivered, but it should have been rejected during the SMTP session. Your MX is not configured to use SMTP-level block listing for the block list for this test. ``` ### Image: [upl-image-preview url=https://community.mailcow.email/assets/files/2023-10-13/1697163737-957808-msedge-2023-10-12-22-21-38.png]

Hi, I had the same problem, have a look at my workaround here: https://community.mailcow.email/d/2675-spamhaus-config/36

the change is still sitting in nightly not in stable branch? would have thought they publish the change with the (moo)october update. where the update probably still has a few problems, will wait

> @"DocFraggle"#p10896 Hi, I had the same problem, have a look at my workaround here: > [![](https://community.mailcow.email/assets/favicon-odrdntdp.png) Spamhaus Config](https://community.mailcow.email/d/2675-spamhaus-config/36) XD sorry my German isn't that good yet what does this mean `Das müsste man jetzt halt auch noch mal ins postfix.sh einbauen…` and I do understand the rest of the process just can't figure out that part > @"KaiserN"#p10898 the change is still sitting in nightly not in stable branch? > would have thought they publish the change with the (moo)october update. > > where the update probably still has a few problems, will wait So this meant to be fixed I was like I messed up something in my configs any idea how long the fix will take

That means that somehow this workaround should be implemented properly into the postfix.sh script... but afaik that didn't happen yet

@"DocFraggle"#1599 Oh tyvm that config works like a charm and I was wondering if this is normal for the public mirror [upl-image-preview url=https://community.mailcow.email/assets/files/2023-10-13/1697196389-198763-msedge-2023-10-13-07-25-37.png] Also it looks like the .map file gets regenerated on reboot is there a way to prevent that?

@"poqdavid"#p10902 there seems to be seomething wrong, it should look like this: [upl-image-preview url=https://community.mailcow.email/assets/files/2023-10-13/1697197228-729045-image.png] Did you replace the XXXXXXXXXXXXXXXXXXX with your DQS key?

@"esackbauer"#2109 @"DocFraggle"#1599 any hint for me? would be nice

Need help setting up Spamhaus

poqdavid

DocFraggle Oh yes it looks like that for the Data Query Service Test with the key but it’s all red for Public Mirrors Test
and I am not sure if that’s normal or not

Seji64

I have the same issue as poqdavid. I think there is a misunterstading cause there a two Test you can run. One is named “Data Query Service Test” and the other “Public Mirrors Test”.

With the manual changes which DocFraggle mentions the “Data Query Service Test” indeed flips to green. But the result of the “Public Mirrors Test” does not change. I think here is another postfix config needed.

I think i found a soultion.

i added this block to my extra.cf:

reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255],

So my full extra.cf looks like this:

myhostname = myhostname
smtpd_recipient_restrictions = check_recipient_mx_access proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  permit_sasl_authenticated,
  permit_mynetworks,
  check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  reject_invalid_helo_hostname,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
  reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
  warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255],
  reject_rhsbl_sender         XXXXXXXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
  reject_rhsbl_helo           XXXXXXXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
  reject_rhsbl_reverse_client XXXXXXXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99],
  reject_rhsbl_sender         XXXXXXXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24],
  reject_rhsbl_helo           XXXXXXXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24],
  reject_rhsbl_reverse_client XXXXXXXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24],
  reject_rbl_client           XXXXXXXXXXXXXXX.zen.dq.spamhaus.net=127.0.0.[2..255]

rbl_reply_maps = hash:/opt/postfix/conf/dnsbl-reply-map

@[deleted] Hope it helps
@[deleted] is this okay or this the “wrong” approach and should be configured somewhere else?

KaiserN

is this still a thing?

im on version 2023-11a, il added my dqs key (mailcow.conf) and run the test

dnsbl_reply.map
xxx.sbl.dq.spamhaus.net sbl.spamhaus.org xxx.xbl.dq.spamhaus.net xbl.spamhaus.org xxx.pbl.dq.spamhaus.net pbl.spamhaus.org xxx.zen.dq.spamhaus.net zen.spamhaus.org xxx.dbl.dq.spamhaus.net dbl.spamhaus.org xxx.zrd.dq.spamhaus.net zrd.spamhaus.org

did i missed/forgot something?

KaiserN

@esackbauer @DocFraggle any hint for me? would be nice <3

DocFraggle

Did you have a look at my workaround? https://community.mailcow.email/d/2675-spamhaus-config/36

It’s in German, but you’ll get what I’m doing there

KaiserN

yes, hmm still necessary i guess? :/

so simply copy/paste this part (add personal key instead of xxx) in extra.cf and restart

okay, this fixed it. the dnsbl reply map file name changed to dnsbl_reply.map
if someone also wants to adjust the current version, please pay attention. you can also see the logs (error) if you check them 😉

@[deleted] danke dir! ❤️

btw. is the bug known to the mailcow team (must confess, I haven’t searched the bugtracker)

KaiserN

fyi:
log was showing

error: open database /opt/postfix/conf/dnsbl_reply.map.db: No such file or directory

postmap /opt/postfix/conf/dnsbl_reply.map (in Container)

need to run afterwards to create the db

DocFraggle

KaiserN yes, I wrote that in my workaround 😉

KaiserN

looks like since postfix restarted by itself the following showed up in the log file, just a warning so no problem.

warning: database /opt/postfix/conf/dnsbl_reply.map.db is older than source file /opt/postfix/conf/dnsbl_reply.map

did u fixed it somehow? or just ignore and hope it will be fixed if mailcow fixed the spamhaus setup routine?

DocFraggle

KaiserN did u fixed it somehow?

No, I didn’t even notice that yet 😃
I’m confused, it seems I myself added the dnsbl_reply file to Mailcow with this Commit 😕
mailcow/mailcow-dockerized9f39af4

So the only thing missing is creating the postmap file while/after deploying the container

KaiserN

ohh shiiiiit. il fucked up the file name in postmap guess… il added the .map to the end somehow

recreated, now i got

dnsbl_reply dnsbl_reply.db dnsbl_reply.map

DocFraggle

KaiserN OK, there is a slight misunderstanding concerning the files 😃

the dns_reply.map file is created while starting the Postfix container:

mailcow/mailcow-dockerizedblob/master/data/Dockerfiles/postfix/postfix.sh#L441-L449

It just contains the “normal” DQS config, which leads to not all tests being green.

In my workaround, I created an extra file named “dnsbl-reply-map ” (should use another name…) which contains the extra config:

XXXXXXXXXXXXXXXXXXXXX.sbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.xbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using xbl.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.pbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using pbl.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.sbl-xbl.dq.spamhaus.net=127.0.0.[2..255]  $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl-xbl.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.zen.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zen.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.dbl.dq.spamhaus.net=127.0.1.[2..99]       $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
XXXXXXXXXXXXXXXXXXXXX.zrd.dq.spamhaus.net=127.0.2.[2..24]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zrd.spamhaus.org${rbl_reason?; $rbl_reason}

This file has to be hashed with the posthash command before starting postfix AND it has to be referenced in the config via

rbl_reply_maps = hash:/opt/postfix/conf/dnsbl-reply-map

I just don’t have the time currently to implement it properly

DocFraggle

I added the .map file extension in my workaround above before I created the PR, so I guess you copied it from there 😄

Potty

The solution is: add the DQOS key to mailcow.conf, then create an extra.cf under /data/conf/postfix and add the following content there:
smtpd_recipient_restrictions =
reject_rhsbl_sender xxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_helo xxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_reverse_client xxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_sender xxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_helo xxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_reverse_client xxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rbl_client xxxxxxx.zen.dq.spamhaus.net=127.0.0.[2..255]

Sorry for my bad English 😃

StuxR

Do we have an official solution to this problem?
Are there any plans?
I find it strange that you have to add something to /extra.conf which does not contain the same names as those shown in the image.
Do you have any solutions?