Merge 065f2c4845c86db483694dcb93f6f8344c187e95 into 4e7adacda9643f5c91dd64350e4f4a6a0573afef

.gitignore

@@ -39,6 +39,8 @@ data/conf/postfix/sni.map
 data/conf/postfix/sni.map.db
 data/conf/postfix/sql
 data/conf/postfix/dns_blocklists.cf
+data/conf/postfix/dns_blocklists_spamhaus.cf
+data/conf/postfix/spamhaus_dqs.key
 data/conf/postfix/dnsbl_reply.map
 data/conf/rspamd/custom/*
 data/conf/rspamd/local.d/*

data/Dockerfiles/postfix/postfix.sh

@@ -393,6 +393,62 @@ query = SELECT goto FROM spamalias
     AND validity >= UNIX_TIMESTAMP()
 EOF
 
+gen_spamhaus_dnsbl_config() {
+  local config=""
+
+  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
+    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
+    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
+
+    echo "$SPAMHAUS_DQS_KEY" > /opt/postfix/conf/spamhaus_dqs.key
+
+    config=$(cat <<EOF
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
+postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
+EOF
+    )
+
+    cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
+# Autogenerated by mailcow, using Spamhaus DQS reply domains
+${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
+${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
+EOF
+
+  else
+    [ -f "/opt/postfix/conf/dnsbl_reply.map" ] && rm /opt/postfix/conf/dnsbl_reply.map
+
+    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
+
+    if [ "$response" -eq 503 ]; then
+      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
+      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
+      config=""
+    elif [ "$response" -eq 200 ]; then
+      echo -e "\e[32mYour ASN is not banned. Using public Spamhaus blocklists.\e[0m"
+      config=$(cat <<EOF
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+EOF
+      )
+    else
+      echo -e "\e[31mCouldn't determine your ASN. Response Code: $response\e[0m"
+      echo -e "\e[33mDisabling Spamhaus DNSBLs to be safe.\e[0m"
+      config=""
+    fi
+  fi
+
+  echo "$config" > /opt/postfix/conf/dns_blocklists_spamhaus.cf
+}
+
 if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
   cat <<EOF > /opt/postfix/conf/dns_blocklists.cf
 # This file can be edited.
@@ -417,68 +473,30 @@ postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
 EOF
 fi
 
+if [ ! -f /opt/postfix/conf/dns_blocklists_spamhaus.cf ]; then
+  gen_spamhaus_dnsbl_config
+else
+  CURRENT_SPAMHAUS_DQS_KEY=""
+  if [ -f /opt/postfix/conf/spamhaus_dqs.key ]; then
+    CURRENT_SPAMHAUS_DQS_KEY=$(< /opt/postfix/conf/spamhaus_dqs.key)
+  fi
+  if [ "$SPAMHAUS_DQS_KEY" != "$CURRENT_SPAMHAUS_DQS_KEY" ]; then
+    gen_spamhaus_dnsbl_config
+    echo "$SPAMHAUS_DQS_KEY" > /opt/postfix/conf/spamhaus_dqs.key
+  fi
+fi
+
 # Remove discontinued DNSBLs from existing dns_blocklists.cf
 sed -i '/ix\.dnsbl\.manitu\.net\*2/d' /opt/postfix/conf/dns_blocklists.cf # Nixspam
-
 DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')
-
+DNSBL_SPAMHAUS_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists_spamhaus.cf | grep '\S')
-if [ ! -z "$DNSBL_CONFIG" ]; then
-  echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m"
-  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
-    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
-    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
-    SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
-postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
-EOF
-
-  cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
-# Autogenerated by mailcow, using Spamhaus DQS reply domains
-${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
-${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
-EOF
-    )
-  else
-    if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then
-      rm /opt/postfix/conf/dnsbl_reply.map
-    fi
-    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
-    if [ "$response" -eq 503 ]; then
-      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
-      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=""
-    elif [ "$response" -eq 200 ]; then
-      echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m"
-      echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
-  zen.spamhaus.org=127.0.0.[10;11]*8
-  zen.spamhaus.org=127.0.0.[4..7]*6
-  zen.spamhaus.org=127.0.0.3*4
-  zen.spamhaus.org=127.0.0.2*3
-EOF
-      )
-
-    else
-      echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m"
-      echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=""
-    fi
-  fi
-fi
 
 # Reset main.cf
 sed -i '/Overrides/q' /opt/postfix/conf/main.cf
 echo >> /opt/postfix/conf/main.cf
 # Append postscreen dnsbl sites to main.cf
 if [ ! -z "$DNSBL_CONFIG" ]; then
-  echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf
+  echo -e "${DNSBL_CONFIG}\n${DNSBL_SPAMHAUS_CONFIG}" >> /opt/postfix/conf/main.cf
 fi
 # Append user overrides
 echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf

docker-compose.yml

@@ -338,7 +338,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: ghcr.io/mailcow/postfix:1.80
+      image: ghcr.io/mailcow/postfix:1.81
       depends_on:
         mysql-mailcow:
           condition: service_started