diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index f7187ccc..2c619621 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -75,13 +75,7 @@ Enable or disable Rspamd.
 !!! warning "Current State"
- Rspamd-support is under active development. Be aware that breaking changes can happen at any time.
-
- Currently, rspamd is integrated into Postfix as a milter. However, there is no official DKIM/DMARC support for rspamd in DMS as of now (WIP). To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
-
-!!! warning "Rspamd and DNS Block Lists"
-
- When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
+ Rspamd-support is under active development. Be aware that breaking changes can happen at any time. To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
 - **0** => disabled
 - 1 => enabled
@@ -104,10 +98,13 @@ Amavis content filter (used for ClamAV & SpamAssassin)
 ##### ENABLE_DNSBL
-This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
-and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+This enables DNS block lists in _Postscreen_. If you want to know which lists we are using, have a look at [the default `main.cf` for Postfix we provide](https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf) and search for `postscreen_dnsbl_sites`.
-Note: Emails will be rejected, if they don't pass the block list checks!
+!!! danger "A Warning On DNS Block Lists"
+
+ Make sure your DNS queries are properly resolved, i.e. you will most likely not want to use a public DNS resolver as these queries do not return meaningful results. We try our best to only evaluate proper return codes - this is not a guarantee that all codes are handled fine though.
+
+ **Note that emails will be rejected if they don't pass the block list checks!**
 - **0** => DNS block lists are disabled
 - 1 => DNS block lists are enabled
diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md
index c5ff3359..f617ac8c 100644
--- a/docs/content/config/security/rspamd.md
+++ b/docs/content/config/security/rspamd.md
@@ -23,6 +23,14 @@ You can find a list of all Rspamd modules [on their website][modules].
 ### DMS' Defaults
+!!! danger "Rspamd and DNS Block Lists"
+
+ When using Rspamd, the [RBL module](https://rspamd.com/doc/modules/rbl.html) is enabled by default. As a consequence, Rspamd will do a variety of DNS requests. Amongst other things, Rspamd will query DNS block lists (DNSBLs).
+
+ There are a variety of issues involved when using DNSBLs. Rspamd will try to mitigate some of them by properly evaluating all return codes. We urge you not to rely on this though.
+
+ If you want to use RBLs, **try to use your own DNS resolver** and make sure it is set up correctly, i.e. it should be a non-public & **recursive** resolver. Otherwise, you might not be able ([see this Spamhaus post](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365)) to make use of the block lists.
+
 You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`.
 DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/.conf` or overriding DMS' default with `/etc/rspamd/override.d/.conf`.
diff --git a/mailserver.env b/mailserver.env
index 4e6c7d65..fdb6caa2 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -133,8 +133,7 @@ ENABLE_AMAVIS=1
 # 3/4/5 => log debug information (very verbose)
 AMAVIS_LOGLEVEL=0
-# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
-# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+# This enables DNS block lists in Postscreen.
 # Note: Emails will be rejected, if they don't pass the block list checks!
 # **0** => DNS block lists are disabled
 # 1 => DNS block lists are enabled
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index c42bd980..a8dff257 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -48,7 +48,7 @@ smtpd_helo_required = yes
 smtpd_delay_reject = yes
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
 smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname
 disable_vrfy_command = yes
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index b0089cad..25294cc3 100644
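Review bot: After dropping `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` from `smtpd_recipient_restrictions`, nothing in `main.cf` records that DNSBL enforcement now happens exclusively through `postscreen_dnsbl_sites` (toggled by `_setup_dnsbl_disable` in setup-stack.sh), so the next maintainer can easily re-add a bare `reject_rbl_client` without the `=127.0.0.[2..11]` answer filter that restricted which A-record replies count as a listing. Suggest a comment directly above the line: `# DNSBL checks are enforced by postscreen only (postscreen_dnsbl_sites, see ENABLE_DNSBL); do not add reject_rbl_client here without a =127.0.0.[...] return-code filter`. Note also that, as far as can be seen from this file, postscreen only covers the smtpd service it fronts, so any listener not behind postscreen no longer gets any DNSBL check after this change — worth confirming against master.cf.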
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -307,8 +307,8 @@ function _setup_dovecot_quota
 fi
 # enable quota policy check in postfix
- sed -i \
- "s|reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org|reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org|g" \
+ sed -i -E \
+ "s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g" \
 /etc/postfix/main.cf
 fi
 }
@@ -1150,12 +1150,6 @@ function _setup_fail2ban
 function _setup_dnsbl_disable
 {
- _log 'debug' 'Disabling postfix DNS block list (zen.spamhaus.org)'
-
- sedfile -i \
- '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org=127.0.0.\[2..11\]//' \
- /etc/postfix/main.cf
-
 _log 'debug' 'Disabling postscreen DNS block lists'
 postconf 'postscreen_dnsbl_action = ignore'
 postconf 'postscreen_dnsbl_sites = '
diff --git a/test/tests/parallel/set1/spam_virus/dnsbl.bats b/test/tests/parallel/set1/spam_virus/dnsbl.bats
index eed547e7..010c6fa8 100644
--- a/test/tests/parallel/set1/spam_virus/dnsbl.bats
+++ b/test/tests/parallel/set1/spam_virus/dnsbl.bats
@@ -27,12 +27,6 @@ function teardown_file() {
 docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
 }
-# ENABLE_DNSBL=1
-@test "(enabled) Postfix DNS block list zen.spamhaus.org" {
- _run_in_container_explicit "${CONTAINER1_NAME}" postconf smtpd_recipient_restrictions
- assert_output --partial 'reject_rbl_client zen.spamhaus.org'
-}
-
 @test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_action" {
 _run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_action
 assert_output 'postscreen_dnsbl_action = enforce'
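Review bot: The new `sed -i -E "s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g"` is run over the whole of `/etc/postfix/main.cf` with no line anchor and a `g` flag, while the sed this PR deletes from `_setup_dnsbl_disable` correctly anchored on `/^smtpd_recipient_restrictions = /`. The old pattern also stopped matching once the policy service had been inserted, whereas the new one matches again on every run, so if `_setup_dovecot_quota` is ever executed twice against a persisted `main.cf` (not verifiable from this hunk) the restriction list gains a duplicate `check_policy_service` entry; a user-supplied `main.cf` override that mentions the token on another line would be edited too. Suggest anchoring to the intended key, dropping the unneeded capture group and guarding against re-insertion: `sed -i '/^smtpd_recipient_restrictions = /{ /check_policy_service inet:localhost:65265/! s|reject_unknown_recipient_domain|&, check_policy_service inet:localhost:65265| }' /etc/postfix/main.cf`. `_setup_dovecot_quota` starts outside the hunk.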
@@ -40,13 +34,7 @@ function teardown_file() { @test "(enabled) Postscreen DNS block lists -> postscreen_dnsbl_sites" { _run_in_container_explicit "${CONTAINER1_NAME}" postconf postscreen_dnsbl_sites - assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4' -} - -# ENABLE_DNSBL=0 -@test "(disabled) Postfix DNS block list zen.spamhaus.org" { - _run_in_container_explicit "${CONTAINER2_NAME}" postconf smtpd_recipient_restrictions - refute_output --partial 'reject_rbl_client zen.spamhaus.org' + assert_output --regexp '^postscreen_dnsbl_sites = [a-zA-Z0-9]+' } @test "(disabled) Postscreen DNS block lists -> postscreen_dnsbl_action" { diff --git a/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats b/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats index bbd2b707..3eaaca9d 100644 --- a/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats +++ b/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats @@ -6,7 +6,6 @@ CONTAINER_NAME='dms-test_postgrey_enabled' function setup_file() { local CUSTOM_SETUP_ARGUMENTS=( - --env ENABLE_DNSBL=1 --env ENABLE_POSTGREY=1 --env PERMIT_DOCKER=container --env POSTGREY_AUTO_WHITELIST_CLIENTS=5