From fdcec012f3bc0d7c8afffbe6d7a2bd14127a3505 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 22 Mar 2021 20:24:14 +0100
Subject: [PATCH] bundles/postfix: add SPAM BLOCKLIST check for every non-private IP attached to the server
---
 bundles/postfix/files/check_spam_blocklist | 80 ++++++++++++++++++++++
 bundles/postfix/items.py | 3 +
 bundles/postfix/metadata.py | 26 +++++++
 3 files changed, 109 insertions(+)
 create mode 100644 bundles/postfix/files/check_spam_blocklist

diff --git a/bundles/postfix/files/check_spam_blocklist b/bundles/postfix/files/check_spam_blocklist
new file mode 100644
index 0000000..a2fe993
--- /dev/null
+++ b/bundles/postfix/files/check_spam_blocklist
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+
+from ipaddress import ip_address, IPv6Address
+from sys import argv, exit
+
+from dns.exception import Timeout
+from dns.resolver import Resolver, NoAnswer, NXDOMAIN, NoNameservers
+
+
+BLOCKLISTS = [
+    '0spam.fusionzero.com',
+    'bl.mailspike.Dorg',
+    'bl.spamcop.net',
+    'blackholes.brainerd.net',
+    'dnsbl-1.uceprotect.net',
+    'dnsbl-2.uceprotect.net',
+    'dnsbl-3.uceprotect.net',
+    'l2.spews.dnsbl.sorbs.net',
+    'list.dsbl.org',
+    'map.spam-rbl.com',
+    'multihop.dsbl.org',
+    'ns1.unsubscore.com',
+    'opm.blitzed.org',
+    'psbl.surriel.com',
+    'rbl.efnet.org',
+    'rbl.schulte.org',
+    'spamguard.leadmon.net',
+    'ubl.unsubscore.com',
+    'unconfirmed.dsbl.org',
+    'virbl.dnsbl.bit.nl',
+    'virbl.dnsbl.bit.nl',
+    'zen.spamhaus.org',
+]
+
+try:
+    ip = ip_address(argv[1])
+except Exception:
+    print('usage: {} '.format(argv[0]))
+    exit(3)
+
+found = False
+
+resolver = Resolver()
+resolver.timeout = 5
+resolver.lifetime = 5
+
+if isinstance(ip, IPv6Address):
+    ip_list = list(ip.exploded.replace(':', ''))
+else:
+    ip_list = ip.exploded.split('.')
+
+ip_list.reverse()
+
+for blocklist in BLOCKLISTS:
+    dns_name = '{}.{}'.format(
+        '.'.join(ip_list),
+        blocklist,
+    )
+
+    try:
+        result = resolver.query(dns_name)
+        for item in result:
+            print('{} listed in {} as {}'.format(
+                ip,
+                blocklist,
+                item,
+            ))
+            found = True
+    except (NoAnswer, NXDOMAIN, NoNameservers, Timeout):
+        # Probably fine
+        pass
+    except Exception as e:
+        print(repr(e))
+        exit(3)
+
+if found:
+    exit(2)
+else:
+    print('OK')
+    exit(0)
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index 69215dd..15ee32d 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -34,6 +34,9 @@ files = {
     '/usr/local/share/icinga/plugins/check_postfix_queue': {
         'mode': '0755',
     },
+    '/usr/local/share/icinga/plugins/check_spam_blocklist': {
+        'mode': '0755',
+    },
 }
 
 actions = {
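Review bot: The `except (NoAnswer, NXDOMAIN, NoNameservers, Timeout)` branch inside the loop treats a resolver timeout as "not listed", so when the configured resolver is unreachable every lookup is skipped and the plugin still prints `OK` and exits 0 — the check cannot tell a clean address from one it never managed to query. Counting timeouts separately and exiting 3 (UNKNOWN) when no zone could be queried keeps the result honest; the rewritten tail of the loop and the exit logic are below. Two smaller things in `BLOCKLISTS`: `'virbl.dnsbl.bit.nl'` is listed twice, so a hit there is reported twice, and `'bl.mailspike.Dorg'` does not look like a valid zone name (the Mailspike list is published as `bl.mailspike.net`; verify). Several other entries (`list.dsbl.org`, `multihop.dsbl.org`, `unconfirmed.dsbl.org`, `opm.blitzed.org`) belong to projects that, as far as I know, were shut down years ago; a retired zone, or a lapsed domain re-registered by someone else, can answer for every query and turn this check permanently CRITICAL, so the list deserves pruning before it goes live. `resolver.query` is also deprecated in favour of `resolver.resolve` in dnspython 2.x — confirm which version the target host ships.
```python
found = False
timed_out = 0
# … unchanged: resolver setup, reverse-nibble construction, loop head …
    try:
        result = resolver.query(dns_name)
        # … unchanged: print each listing, found = True …
    except (NoAnswer, NXDOMAIN, NoNameservers):
        # Not listed (or the zone does not answer for this address family)
        pass
    except Timeout:
        # Could not ask this zone at all; remember it instead of assuming "clean"
        timed_out += 1
    except Exception as e:
        print(repr(e))
        exit(3)

if found:
    exit(2)
elif timed_out == len(BLOCKLISTS):
    print('UNKNOWN: no blocklist could be queried ({} timeouts)'.format(timed_out))
    exit(3)
else:
    print('OK')
    exit(0)
```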
diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py
index be2bd24..59baf6b 100644
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@@ -4,6 +4,7 @@ defaults = {
     'apt': {
         'packages': {
             'postfix': {},
+            'python3-dnsq': {},
         },
     },
     'icinga2_api': {
@@ -91,3 +92,28 @@ def iptables(metadata):
             'port_rules': rules,
         },
     }
+
+
+@metadata_reactor.provides(
+    'icinga2_api/postfix/services',
+)
+def icinga2(metadata):
+    services = {}
+
+    for ip_type in repo.libs.tools.resolve_identifier(repo, node.name).values():
+        for ip in ip_type:
+            if not ip.is_private:
+                services[f'SPAM BLOCKLIST {ip}'] = {
+                    'command_on_monitored_host': f'/usr/local/share/icinga/plugins/check_spam_blocklist {ip}',
+                    'vars.sshmon_timeout': 60,
+                    'check_interval': '15m',
+                    'retry_interval': '5m',
+                }
+
+    return {
+        'icinga2_api': {
+            'postfix': {
+                'services': services,
+            },
+        },
+    }
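Review bot: The added apt package `'python3-dnsq'` needs checking against what the new plugin imports: `check_spam_blocklist` does `from dns.resolver import Resolver, ...`, which is the dnspython module namespace, and on Debian/Ubuntu that module is shipped by `python3-dnspython`. Unless `python3-dnsq` is a local or vendor package that also provides `dns.resolver`, the plugin will die with an ImportError, which exits 1 and Icinga reports as WARNING rather than as a plugin failure. If dnspython is what is meant, the line becomes `'python3-dnspython': {},`.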
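Review bot: `if not ip.is_private:` in `icinga2()` is slightly looser than the commit message's "non-private IP" intends for IPv4: `ipaddress` does not count the shared address space 100.64.0.0/10 (carrier-grade NAT) as private, so an address from that range attached to the node would get a blocklist service although it is not routable on the public Internet. `ip.is_global` is the test for "publicly routable" (for IPv6 it is essentially the complement of `is_private`), so the one-line change is `if ip.is_global:`. The addresses come from `repo.libs.tools.resolve_identifier(repo, node.name)`, which is outside this hunk; this assumes it yields `ipaddress` objects, as the `is_private` attribute access implies.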