bundles/postfix: add SPAM BLOCKLIST check for every non-private IP attached to the server

2021-03-22 20:24:14 +01:00 · 2021-03-22 20:24:14 +01:00 · fdcec012f3
commit fdcec012f3
parent b99176be49
3 changed files with 109 additions and 0 deletions
--- a/bundles/postfix/files/check_spam_blocklist
+++ b/bundles/postfix/files/check_spam_blocklist
@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+
+from ipaddress import ip_address, IPv6Address
+from sys import argv, exit
+
+from dns.exception import Timeout
+from dns.resolver import Resolver, NoAnswer, NXDOMAIN, NoNameservers
+
+
+BLOCKLISTS = [
+    '0spam.fusionzero.com',
+    'bl.mailspike.Dorg',
+    'bl.spamcop.net',
+    'blackholes.brainerd.net',
+    'dnsbl-1.uceprotect.net',
+    'dnsbl-2.uceprotect.net',
+    'dnsbl-3.uceprotect.net',
+    'l2.spews.dnsbl.sorbs.net',
+    'list.dsbl.org',
+    'map.spam-rbl.com',
+    'multihop.dsbl.org',
+    'ns1.unsubscore.com',
+    'opm.blitzed.org',
+    'psbl.surriel.com',
+    'rbl.efnet.org',
+    'rbl.schulte.org',
+    'spamguard.leadmon.net',
+    'ubl.unsubscore.com',
+    'unconfirmed.dsbl.org',
+    'virbl.dnsbl.bit.nl',
+    'virbl.dnsbl.bit.nl',
+    'zen.spamhaus.org',
+]
+
+try:
+    ip = ip_address(argv[1])
+except Exception:
+    print('usage: {} <ip>'.format(argv[0]))
+    exit(3)
+
+found = False
+
+resolver = Resolver()
+resolver.timeout = 5
+resolver.lifetime = 5
+
+if isinstance(ip, IPv6Address):
+    ip_list = list(ip.exploded.replace(':', ''))
+else:
+    ip_list = ip.exploded.split('.')
+
+ip_list.reverse()
+
+for blocklist in BLOCKLISTS:
+    dns_name = '{}.{}'.format(
+        '.'.join(ip_list),
+        blocklist,
+    )
+
+    try:
+        result = resolver.query(dns_name)
+        for item in result:
+            print('{} listed in {} as {}'.format(
+                ip,
+                blocklist,
+                item,
+            ))
+            found = True
+    except (NoAnswer, NXDOMAIN, NoNameservers, Timeout):
+        # Probably fine
+        pass
+    except Exception as e:
+        print(repr(e))
+        exit(3)
+
+if found:
+    exit(2)
+else:
+    print('OK')
+    exit(0)
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@ -34,6 +34,9 @@ files = {
    '/usr/local/share/icinga/plugins/check_postfix_queue': {
        'mode': '0755',
    },
+    '/usr/local/share/icinga/plugins/check_spam_blocklist': {
+        'mode': '0755',
+    },
 }

 actions = {
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@ -4,6 +4,7 @@ defaults = {
    'apt': {
        'packages': {
            'postfix': {},
+            'python3-dnsq': {},
        },
    },
    'icinga2_api': {
@ -91,3 +92,28 @@ def iptables(metadata):
            'port_rules': rules,
        },
    }
+
+
+@metadata_reactor.provides(
+    'icinga2_api/postfix/services',
+)
+def icinga2(metadata):
+    services = {}
+
+    for ip_type in repo.libs.tools.resolve_identifier(repo, node.name).values():
+        for ip in ip_type:
+            if not ip.is_private:
+                services[f'SPAM BLOCKLIST {ip}'] = {
+                    'command_on_monitored_host': f'/usr/local/share/icinga/plugins/check_spam_blocklist {ip}',
+                    'vars.sshmon_timeout': 60,
+                    'check_interval': '15m',
+                    'retry_interval': '5m',
+                }
+
+    return {
+        'icinga2_api': {
+            'postfix': {
+                'services': services,
+            },
+        },
+    }