Check for public resolver to avoid possible spamhaus blocking

[PatTheMav]

Impacted versions

• Distribution: Debian
• Codename: Bullseye
• Arch: 64 Bits
• Database: PostgreSQL

Steps to reproduce

When a public resolver is configured in the DNS chain (e.g. Google's 8.8.8.8 or CloudFlare's 1.1.1.1) Spamhaus and other services will not accept DNS requests from postscreen's RBL checks (the services block requests from these resolvers to avoid abuse).

For the time being, these services will not fully block access yet, but this might come in the future.

The obvious fix is to run a local forwarding resolver that will not forward DNS requests for the spamhaus.org (or other) zones, but that is not part of the scope of the installer (nor should it be as it is a pretty involved change to a server's local setup).

IMO a check for the current resolver and a warning/error might suffice, disabling spamhaus.org in postfix' main.cf in that case would be nice-to-have.

[Spitfireap]

Hi,
The issue was corrected by specifying which response to take into account. For spamhaus and pretty much all other they all respond kind of the same thing. You can check this

[PatTheMav]

That is correct insofar as postscreen will not detect false positives anymore.

However, users will still inadvertently "spam" Spamhaus and others with DNS requests made via these open resolvers and for the ecosystem on the whole it would be beneficial if administrators are made aware of this issue - we are all benefitting from Spamhaus' free services and I think it only fair if people follow best practices as outlined by them.

[Spitfireap]

Well, it is easy to check which dns resolver a user currently uses, but not for changing it AFAIK since there are a lot of different DNS managers on Linux (systemd-resolved, cloud-init, etc.).

From my POV, hosting a mail server is not for everybody and should be attempted by those who know what they are doing. Even if they don't know about the public resolver, looking at the log ounce open a time can be easy to detect issues with spamhaus responding with 127.255.255.254 and postfix complaining about it. With the change that was made, Postfix won't tag it, but they do lose the ability to filter with DNSBL.

To sum up, I believe it is up to the user to deploy their private DNS resolver rather than modoboa-installer.

[PatTheMav]

Yeah agree, hence why I thought a warning during setup should suffice.

[Spitfireap]

Do you want to work on it ?