From 0ef8d5ae2b360567e3a9891dd76b03da083904ef Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 7 Nov 2022 09:28:47 +0100
Subject: [PATCH] fix: adjust DNSBL return code interpretation (#2890)
---
target/postfix/main.cf | 9 +++++----
target/scripts/startup/setup-stack.sh | 6 +++---
test/mail_dnsbl.bats | 2 +-
test/mail_with_postgrey.bats | 2 +-
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index f64aefa3..9484ed4b 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -48,17 +48,18 @@ smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org +smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname disable_vrfy_command = yes # Postscreen settings to drop zombies/open relays/spam early postscreen_dnsbl_action = enforce -postscreen_dnsbl_sites = zen.spamhaus.org*3 - bl.mailspike.net +postscreen_dnsbl_sites = + zen.spamhaus.org=127.0.0.[2..11]*3 + bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 - bl.spameatingmonkey.net + bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index 5ac703fc..31cf49a3 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh 
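Review bot: Three entries in `postscreen_dnsbl_sites` are still left without a reply filter (`b.barracudacentral.org*2`, `dnsbl.sorbs.net`, `psbl.surriel.com`), so postscreen keeps counting any A-record reply from them as a hit, and the misinterpretation fixed here for zen.spamhaus.org can still occur if one of those lists answers with a non-listing code. Each should get an explicit `=127.0.0.x` filter taken from the list operator's documented return codes. With the filters in place, a reply outside the range is simply not a match, so a resolver that only receives error codes presumably leaves the list ineffective without rejecting mail. That deserves a comment above the setting, e.g. `# Only documented "listed" codes count as a hit; other replies are ignored, so verify DNSBL answers after changing the resolver`.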
@@ -398,8 +398,8 @@ function _setup_postgrey { _log 'debug' 'Configuring Postgrey' - sed -i -E \ - 's|, reject_rbl_client zen.spamhaus.org$|, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023|' \ + sedfile -i -E \ + 's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \ /etc/postfix/main.cf sed -i -e \ @@ -1078,7 +1078,7 @@ function _setup_dnsbl_disable _log 'debug' 'Disabling postfix DNS block list (zen.spamhaus.org)' sedfile -i \ - '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' \ + '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org=127.0.0.\[2..11\]//' \ /etc/postfix/main.cf _log 'debug' 'Disabling postscreen DNS block lists' diff --git a/test/mail_dnsbl.bats b/test/mail_dnsbl.bats index 9612f79e..1df1d4e3 100644 --- a/test/mail_dnsbl.bats +++ b/test/mail_dnsbl.bats @@ -36,7 +36,7 @@ function setup_file() { @test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_sites" { run docker exec "${CONTAINER}" postconf postscreen_dnsbl_sites - assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4' + assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4' } # ENABLE_DNSBL=0 diff --git a/test/mail_with_postgrey.bats b/test/mail_with_postgrey.bats index 36dd2711..8a5e79d8 100644 --- a/test/mail_with_postgrey.bats +++ b/test/mail_with_postgrey.bats 
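Review bot: The new expression in `_setup_postgrey` appends `, check_policy_service inet:127.0.0.1:10023` to the `smtpd_recipient_restrictions` line on every run, whereas the old pattern stopped matching after its first substitution. If setup can run again against an already edited /etc/postfix/main.cf (not visible in this hunk), the policy service ends up listed twice; a guard such as `grep -qF 'check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf || sedfile -i -E ...` keeps the edit idempotent. The match also covers only the first physical line, so a value continued onto indented lines would get the entry inserted mid-list instead of at the end. The function body continues outside the hunk.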
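Review bot: The substitution in `_setup_dnsbl_disable` now hard-codes the exact filter `=127.0.0.\[2..11\]` from main.cf, so the next change to that range would make the pattern match nothing and leave `reject_rbl_client` active for users who disabled DNSBL. Matching up to the next comma removes the coupling: `'/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen\.spamhaus\.org[^,]*//'`. Whether `sedfile` reports an unchanged file is not visible here; if it does not, the miss would be silent. The same literal is repeated in test/mail_with_postgrey.bats. The function starts and ends outside the hunk.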
@@ -25,7 +25,7 @@ function teardown_file() { } @test "checking postgrey: /etc/postfix/main.cf correctly edited" { - run docker exec mail_with_postgrey /bin/bash -c "grep 'zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf | wc -l" + run docker exec mail_with_postgrey /bin/bash -c "grep -F 'zen.spamhaus.org=127.0.0.[2..11], check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf | wc -l" assert_success assert_output 1 }