Hey All,
I did some searching and found this thread:
https://community.mailcow.email/d/1921-rspamd-rbls-configure-for-mailcow-differ-from-rspamd-defaults
It looks like at least in 2024 there was discussion around possibly having this applied to rspamd - @DerLinkman, any idea if this occurred, or are the steps provided in the above thread still good to use?
EDIT: I did some more searching and reading of Spamhaus and at least now have 5 of the 7 tests passing. I simply edited my /opt/mailcow-dockerized/data/conf/postfix/extra.cf file for postfix and added:
#Added Postfix DNSBL Sites with Spamhaus Key:
postscreen_dnsbl_sites = DQSKEY.zen.dq.spamhaus.net*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
#Avoid Leaking DQS Key - create a new dnsbl-reply-map file also and reference here:
rbl_reply_maps = hash:$config_directory/dnsbl-reply-map
#Adding Actual DBL/ZRD checks at EHLO and From:
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_rhsbl_helo DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_helo DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_rhsbl_sender DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_sender DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
Then create the referenced dnsbl-reply-map in the same directory as extra.cf as referenced in the extra.cf changes above with this content:
#Manually Created and referenced from extra.cf
DQSKEY.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too new
DQSKEY.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
DQSKEY.dbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
DQSKEY.zrd.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZRD - domain too new
Note: Where it says DQSKEY enter your private key.
Saved my changes, restarted docker postfix and voila. So it seems now that ZEN (IP Based Checks) postscreen is working as are most of the domain RBL blocks except two… Any ideas?
The two that continue to fail the check are: zrd-dqs-ehlo and zrd-dqs-from
Thanks
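
A consistency check for the two files described in this post, as an added example that is not part of the original post: it lists every DNSBL argument used by a reject_rbl_*/reject_rhsbl_* restriction that has no key in the reply map, since Postfix's default reply for such a zone names the full zone and with it the DQS key. The function names and both sample files are constructed for illustration, and it assumes the map key must match the restriction argument exactly, including any =filter suffix.

```python
import re

# Constructed sample files; DQSKEY stands in for the private key, as in the post.
SAMPLE_MAIN_CF = """\
rbl_reply_maps = hash:$config_directory/dnsbl-reply-map
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_rhsbl_helo DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_helo DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_rhsbl_sender DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99]
"""
SAMPLE_REPLY_MAP = """\
# constructed: the DBL entry is deliberately left out
DQSKEY.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD
"""

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def reply_map_keys(text):
    """Lookup keys of the map: the first whitespace-delimited field of each entry."""
    lines = (l.strip() for l in text.splitlines())
    return {l.split()[0] for l in lines if l and not l.startswith("#")}

def unmapped_zones(main_cf, reply_map):
    """DNSBL arguments of reject_rbl_*/reject_rhsbl_* that have no reply-map key."""
    keys, missing = reply_map_keys(reply_map), []
    for name, value in parse_main_cf(main_cf).items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        for zone in re.findall(r"reject_(?:rbl|rhsbl)_\w+\s+([^\s,]+)", value):
            if zone not in keys and zone not in missing:
                missing.append(zone)
    return missing

if __name__ == "__main__":
    print(unmapped_zones(SAMPLE_MAIN_CF, SAMPLE_REPLY_MAP))
```

The reply map only changes the text of a rejection, so an empty result says nothing about whether a given lookup actually rejects.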