Spamhaus DNSBL AS Detection #5295

Merged
merged 7 commits into from
Jul 13, 2023

Conversation

DerLinkman
Member

This PR will solve issue: #5293

It implements a check of the public IPv4 AS and reports if it is from AWS, Cloudflare or OVH, as Spamhaus is blocking them from accessing the zen.spamhaus.org lists.

Therefore the DQS System of Spamhaus has been implemented within Postfix which uses a new variable called SPAMHAUS_DQS_KEY.

If the key is set, it will use the DQS lists for Postscreen; if not, it will check if the IP is listed as a bad ASN, using curl to get a list from fuzzy.mailcow.email which is generated against the bgpview.io API, and deactivates (if necessary) the spamhaus.org list for Postfix.

@milkmaker
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

check_prs_if_on_staging.png

@DerLinkman DerLinkman linked an issue Jun 23, 2023 that may be closed by this pull request
@DerLinkman DerLinkman changed the base branch from master to staging June 23, 2023 13:08
@MAGICCC
Member

MAGICCC commented Jul 1, 2023

I don't have an OVH VPS, would need to get one for testing, but it looks okish

@FingerlessGlov3s

PBL is missing when using DQS. Is there a reason for this?

@DerLinkman
Member Author

> PBL is missing when using DQS. Is there a reason for this?

Don't understand exactly what you mean by that? Could you please be a bit more precise?

@FingerlessGlov3s

> > PBL is missing when using DQS. Is there a reason for this?
>
> Don't understand exactly what you mean by that? Could you please be a bit more precise?

You've added the following lists

I just had another read of the PBL https://www.spamhaus.org/pbl/ and on review, I'm not 100% sure if we should add this.

@DerLinkman
Member Author

> I just had another read of the PBL https://www.spamhaus.org/pbl/ and on review, I'm not 100% sure if we should add this.

Just readded the PBL if DQS is enabled.

Can you test it? New Postfix image version has been uploaded to docker hub!

@FingerlessGlov3s

I haven't moved to the new way of doing the DQS yet, I manually changed my config file 😅.

I guess I'd have to move from stable to nightly too, right, to test? Which I don't really want to do.

My main.cf has the following entries and it's working fine.

  redacted.zen.dq.spamhaus.net=127.0.0.[10;11]*8
  redacted.zen.dq.spamhaus.net=127.0.0.[4..7]*6
  redacted.zen.dq.spamhaus.net=127.0.0.3*4
  redacted.zen.dq.spamhaus.net=127.0.0.2*3
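
The selection logic from the PR description, combined with the return-code weights in the main.cf entries above, as an added example that is not the PR's own code. The function names, the `PUBLIC_ASN` variable, the inline ASN sample, the alphanumeric key check, and reusing the same weights for `zen.spamhaus.org` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pick Spamhaus postscreen DNSBL entries the way the PR describes.
# All names here are hypothetical; only SPAMHAUS_DQS_KEY comes from the PR text.

# Constructed sample of "bad" ASNs (AWS, Cloudflare, OVH). The PR fetches its
# list remotely; it is inlined here so the example runs offline.
BAD_ASNS="16509 13335 16276"

# Return codes and weights as quoted in the thread's main.cf entries.
# Assumption: the public zen.spamhaus.org zone uses the same weights.
SPAMHAUS_WEIGHTS='127.0.0.[10;11]*8
127.0.0.[4..7]*6
127.0.0.3*4
127.0.0.2*3'

is_bad_asn() {
  # $1: AS number, with or without the "AS" prefix
  local asn="${1#AS}" bad
  for bad in $BAD_ASNS; do
    [ "$asn" = "$bad" ] && return 0
  done
  return 1
}

spamhaus_dnsbl_sites() {
  # $1: DQS key (may be empty), $2: AS number of the server's public IPv4
  local key="$1" asn="$2" zone line
  if [ -n "$key" ]; then
    # The key becomes part of a hostname written into main.cf, so reject
    # anything that is not alphanumeric (assumed key format).
    case "$key" in
      *[!A-Za-z0-9]*) echo "invalid DQS key" >&2; return 2 ;;
    esac
    zone="${key}.zen.dq.spamhaus.net"
  elif is_bad_asn "$asn"; then
    # No key and a blocked network: emit nothing, i.e. deactivate the list.
    return 0
  else
    zone="zen.spamhaus.org"
  fi
  while IFS= read -r line; do
    printf '%s=%s\n' "$zone" "$line"
  done <<EOF
$SPAMHAUS_WEIGHTS
EOF
}

# AS64500 is a documentation-reserved ASN used as the default sample input.
spamhaus_dnsbl_sites "${SPAMHAUS_DQS_KEY:-}" "${PUBLIC_ASN:-64500}"
```

An empty result for a blocked ASN without a key is the case to watch for in monitoring, since it means Postscreen is running without any Spamhaus scoring.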

@DerLinkman
Member Author

Yeah, looks pretty much the same as I readded now :)

But good call on moving it to nightly!

@DerLinkman DerLinkman changed the base branch from staging to nightly July 13, 2023 14:51
@milkmaker
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

check_prs_if_on_staging.png

@DerLinkman DerLinkman merged commit 2d145ba into nightly Jul 13, 2023
1 of 2 checks passed
@FingerlessGlov3s

When this does hit stable, I'll have to have a look at what changes I need to make to my main.cf so I can go back to supported config 😃

Successfully merging this pull request may close these issues.

Spamhaus implement DQS
4 participants