Check for public resolver to avoid possible spamhaus blocking #467

Open
PatTheMav opened this issue Jan 3, 2023 · 5 comments

@PatTheMav

Impacted versions

  • Distribution: Debian
  • Codename: Bullseye
  • Arch: 64 Bits
  • Database: PostgreSQL

Steps to reproduce

When a public resolver is configured in the DNS chain (e.g. Google's 8.8.8.8 or CloudFlare's 1.1.1.1) Spamhaus and other services will not accept DNS requests from postscreen's RBL checks (the services block requests from these resolvers to avoid abuse).

For the time being, these services will not fully block access yet, but this might come in the future.

The obvious fix is to run a local forwarding resolver that will not forward DNS requests for the spamhaus.org (or other) zones, but that is not part of the scope of the installer (nor should it be as it is a pretty involved change to a server's local setup).

IMO a check for the current resolver and a warning/error might suffice, disabling spamhaus.org in postfix' main.cf in that case would be nice-to-have.

@Spitfireap
Member

Hi,
The issue was corrected by specifying which response to take into account. For Spamhaus and pretty much all the others, they all respond with kind of the same thing. You can check this

@PatTheMav
Author

That is correct insofar as postscreen will not detect false positives anymore.

However, users will still inadvertently "spam" Spamhaus and others with DNS requests made via these open resolvers and for the ecosystem on the whole it would be beneficial if administrators are made aware of this issue - we are all benefitting from Spamhaus' free services and I think it only fair if people follow best practices as outlined by them.

@Spitfireap
Member

Well, it is easy to check which DNS resolver a user currently uses, but not for changing it AFAIK since there are a lot of different DNS managers on Linux (systemd-resolved, cloud-init, etc.).

From my POV, hosting a mail server is not for everybody and should be attempted by those who know what they are doing. Even if they don't know about the public resolver, looking at the log once in a while can make it easy to detect issues with Spamhaus responding with 127.255.255.254 and Postfix complaining about it. With the change that was made, Postfix won't tag it, but they do lose the ability to filter with DNSBL.

To sum up, I believe it is up to the user to deploy their private DNS resolver rather than modoboa-installer.

@PatTheMav
Author

Yeah agree, hence why I thought a warning during setup should suffice.

@Spitfireap
Member

Do you want to work on it?
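
The setup-time check discussed in this thread, sketched as an added example that is not part of the issue or of modoboa-installer's code: it classifies the nameservers in resolv.conf content and recognises the 127.255.255.254 reply mentioned above. The function names, the sample file and every resolver address other than 8.8.8.8 and 1.1.1.1 are assumptions of this example.

```python
import ipaddress

# Assumption: a short, non-exhaustive list of well-known public resolvers.
# Only 8.8.8.8 and 1.1.1.1 are named in the issue itself.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9", "2001:4860:4860::8888": "Google",
}
DNSBL_REFUSED = "127.255.255.254"  # reply code cited in the thread
# Constructed sample resolv.conf content (not taken from the issue).
SAMPLE = "# sample\nnameserver 127.0.0.53\nnameserver 8.8.8.8\nnameserver 192.0.2.53\noptions edns0\n"


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf content, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:  # normalise the address and drop any IPv6 zone id
                servers.append(str(ipaddress.ip_address(fields[1].split("%", 1)[0])))
            except ValueError:
                continue  # skip malformed entries instead of failing the setup
    return servers


def check_resolvers(resolv_conf_text):
    """Classify each nameserver as (address, verdict, detail)."""
    findings = []
    for addr in parse_nameservers(resolv_conf_text):
        if addr in PUBLIC_RESOLVERS:
            findings.append((addr, "public", PUBLIC_RESOLVERS[addr]))
        elif ipaddress.ip_address(addr).is_loopback:
            # A local stub (e.g. systemd-resolved) hides its upstream, so
            # resolv.conf alone cannot prove that no public resolver is used.
            findings.append((addr, "local", "upstream not visible"))
        else:
            findings.append((addr, "unknown", "not on the public list"))
    return findings


def dnsbl_answer_refused(answers):
    """True if a DNSBL reply carries the refusal code instead of a listing."""
    return DNSBL_REFUSED in answers


if __name__ == "__main__":
    for addr, verdict, detail in check_resolvers(SAMPLE):
        level = "WARNING" if verdict == "public" else "info"
        print(f"{level}: nameserver {addr} is {verdict} ({detail})")
```

A "local" verdict still needs a look at the stub's upstream configuration, which is where a live DNSBL test query checked with `dnsbl_answer_refused` gives the definitive answer.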
