Use spamhaus DQS-key when provided, otherwise disable spamhaus

.env.example

@@ -12,6 +12,13 @@ POSTGRES_DB=simplelogin
 POSTGRES_USER=paste-user-here
 POSTGRES_PASSWORD=paste-password-here
 
+## Postfix
+## =======
+
+## Obtain this key here: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/
+## Why? https://check.spamhaus.org/returnc/pub
+#SPAMHAUS_DQS_KEY=
+
 ## SimpleLogin App
 ## ===============
 

README.md

@@ -383,7 +383,18 @@ by setting `LE_DNS_PROVIDER`, and provide further details (i.e. credentials/API-
 
 You can find all supported DNS providers and corresponding instructions here: <https://go-acme.github.io/lego/dns/>
 
-### Postfix configuration
+### Postfix configuration - Spamhaus
+
+Since Spamhaus blocks requests from public (open) DNS-Resolvers (see: https://check.spamhaus.org/returnc/pub) and your postfix container may use 
+an public resolver by default, it is recommended to sign up for the free 
+[Spamhaus Data Query Service](https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/)
+and obtain a Spamhaus DQS key.
+
+Paste this key as `SPAMHAUS_DQS_KEY` in your `.env`
+
+As long as no DQS-key is provided, spamhaus filtering will be disabled.
+
+### Postfix configuration - Virtual aliases
 
 The postfix configuration supports virtual aliases using the `postfix/conf.d/virtual` and `postfix/conf.d/virtual-regexp` files.
 Those files are automatically created on startup based upon the corresponding [`postfix/templates/virtual.tpl`](./postfix/templates/virtual.tpl)

postfix/docker-entrypoint.sh

@@ -10,6 +10,8 @@ PG_PASSWORD="${POSTGRES_PASSWORD:?Need POSTGRES_PASSWORD}"
 TEMPLATE_DIR="/templates"
 MAIL_CONFIG="/etc/postfix/conf.d"
 
+SPAMHAUS_DQS_KEY="${SPAMHAUS_DQS_KEY:-}"
+
 CERT_SUB="/certs/${SUBDOMAIN}.${DOMAIN}"
 CERT_DOMAIN="/certs/${DOMAIN}"
 
@@ -26,6 +28,32 @@ has_wildcard_san() {
   openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -E -q 'DNS:[[:space:]]*\*\.'"$domain"'(,|$)' >/dev/null
 }
 
+check_spamhaus_dns() {
+  TEST_IP="$(wget -qO- https://api.ipify.org 2>/dev/null || true)"
+  [ ! -z "$TEST_IP" ] || TEST_IP="8.8.8.8"
+
+  REV="$(echo "$TEST_IP" | awk -F. '{print $4"."$3"."$2"."$1}')"
+  OUT="$(dig +time=3 +tries=1 A "$REV.zen.spamhaus.org" 2>&1 || true)"
+
+  # hard error => not usable
+  echo "$OUT" | grep -qiE 'SERVFAIL|REFUSED|timed out|connection timed out' && return 1
+
+  # Spamhaus policy / query refused
+  echo "$OUT" | grep -q '127.255.255.254' && return 1
+
+  # NXDOMAIN -> okay (not listet, or lookup answered)
+  echo "$OUT" | grep -q 'status: NXDOMAIN' && return 0
+
+  # NOERROR and 127.0.0.x -> lookup works
+  echo "$OUT" | grep -qE '127\.0\.0\.[0-9]+' && return 0
+
+  # NOERROR without answer (NODATA) -> ok for us
+  echo "$OUT" | grep -q 'status: NOERROR' && return 0
+
+  # all other response types: stay conservative, do not use spamhaus
+  return 1
+}
+
 # generate main.cf from template
 sed \
   -e "s/app.domain.tld/${SUBDOMAIN}.${DOMAIN}/g" \
@@ -76,5 +104,23 @@ sed \
 [ -f "$MAIL_CONFIG/aliases" ] && postalias $MAIL_CONFIG/aliases
 [ -f "$MAIL_CONFIG/virtual" ] && postmap $MAIL_CONFIG/virtual
 
+if [ -n "$SPAMHAUS_DQS_KEY" ]; then
+  # use provided DQS_KEY, disable public mirror
+  sed -i -e '/spamhaus.org/d' "$MAIL_CONFIG/main.cf"
+  sed -i "s/your_DQS_key/${SPAMHAUS_DQS_KEY}/g" "$MAIL_CONFIG/main.cf"
+
+  if [ -f "$TEMPLATE_DIR/dnsbl-reply-map.tpl" ]; then
+    sed "s/your_DQS_key/${SPAMHAUS_DQS_KEY}/g" \
+      "$TEMPLATE_DIR/dnsbl-reply-map.tpl" > "$MAIL_CONFIG/dnsbl-reply-map"
+    postmap "$MAIL_CONFIG/dnsbl-reply-map"
+  fi
+elif check_spamhaus_dns; then
+  # use public mirror
+  sed -i -e '/your_DQS_key/d' -e '/dnsbl-reply-map/d' "$MAIL_CONFIG/main.cf"
+else
+  # disable spamhaus completely
+  sed -i -e '/spamhaus/d' -e '/dnsbl-reply-map/d' "$MAIL_CONFIG/main.cf"
+fi
+
 # hand over to container CMD (postfix start-fg)
 exec "$@"

postfix/templates/dnsbl-reply-map.tpl

@@ -0,0 +1,6 @@
+your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]        554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
+your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99]        554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
+your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24]        554 $rbl_class $rbl_what blocked using ZRD - domain too young
+your_DQS_key.zen.dq.spamhaus.net                        554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
+your_DQS_key.dbl.dq.spamhaus.net                        554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
+your_DQS_key.zrd.dq.spamhaus.net                        554 $rbl_class $rbl_what blocked using ZRD - domain too young

postfix/templates/main.cf.tpl

@@ -74,6 +74,8 @@ myorigin = domain.tld
 relay_domains = pgsql:/etc/postfix/conf.d/pgsql-relay-domains.cf
 transport_maps = pgsql:/etc/postfix/conf.d/pgsql-transport-maps.cf
 
+rbl_reply_maps = lmdb:/etc/postfix/conf.d/dnsbl-reply-map
+
 disable_vrfy_command = yes
 
 # HELO restrictions
@@ -99,7 +101,18 @@ smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
-   reject_rbl_client zen.spamhaus.org,
+   reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
+   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
+   warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255],
+   reject_rbl_client your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11],
+   reject_rhsbl_sender your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99],
+   reject_rhsbl_helo your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99],
+   reject_rhsbl_reverse_client your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99],
+   reject_rhsbl_sender your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24],
+   reject_rhsbl_helo your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24],
+   reject_rhsbl_reverse_client your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rbl_client bl.spamcop.net,
    permit