On Sun, May 12, 2013 at 08:11:14PM -0500, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 08:47:38PM -0400, Wietse Venema wrote:
> > A lightly-tested version is available as postfix-2.11-20130512.
>
> Woohoo! Thanks!
>
> I installed it, set postscreen_dnsbl_whitelist_threshold=-1
> followed by a reload. Two seconds later I think it is working.
>
> May 13 00:59:50 harrier postfix/postfix-script[12251]: starting the Postfix mail system
> May 13 00:59:50 harrier postfix/master[12253]: daemon started -- version 2.11-20130512, configuration /etc/postfix
> May 13 01:02:23 harrier postfix/postfix-script[12502]: refreshing the Postfix mail system
> May 13 01:02:23 harrier postfix/master[12253]: reload -- version 2.11-20130512, configuration /etc/postfix
> May 13 01:02:25 harrier postfix/postscreen[12508]: CONNECT from [66.220.144.151]:57808 to [207.223.116.211]:25
> May 13 01:02:25 harrier postfix/dnsblog[12509]: addr 66.220.144.151 listed by domain list.dnswl.org as 127.0.9.1
> May 13 01:02:25 harrier postfix/smtpd[12518]: connect from outmail017.snc4.facebook.com[66.220.144.151]
> May 13 01:02:26 harrier postfix/smtpd[12518]: 3b83fB2KJ4z3B92: client=outmail017.snc4.facebook.com[66.220.144.151]
>
> I don't see any PASS OLD in there, so I guess the whitelist did the
> trick? Would anything else be logged?

Hmm, I'm not sure what that was; maybe 66.220.144.151 was due for retesting in some tests?

Here are some from a bit later, which get "PASS NEW" without any after-220 tests:

May 13 01:15:09 harrier postfix/postscreen[13360]: CONNECT from [98.136.219.129]:36682 to [207.223.116.211]:25
May 13 01:15:09 harrier postfix/dnsblog[13365]: addr 98.136.219.129 listed by domain list.dnswl.org as 127.0.5.0
May 13 01:15:09 harrier postfix/postscreen[13360]: PASS NEW [98.136.219.129]:36682
May 13 01:15:10 harrier postfix/smtpd[13371]: connect from ng10-vm12.bullet.mail.gq1.yahoo.com[98.136.219.129]
May 13 01:15:10 harrier postfix/smtpd[13371]: 3b83wt3SgQz3B99: client=ng10-vm12.bullet.mail.gq1.yahoo.com[98.136.219.129]
May 13 02:22:50 harrier postfix/postscreen[18837]: CONNECT from [98.138.214.175]:46014 to [207.223.116.211]:25
May 13 02:22:50 harrier postfix/dnsblog[18943]: addr 98.138.214.175 listed by domain list.dnswl.org as 127.0.5.0
May 13 02:22:50 harrier postfix/postscreen[18837]: PASS NEW [98.138.214.175]:46014
May 13 02:22:50 harrier postfix/smtpd[18952]: connect from ng19-vm1.bullet.mail.ne1.yahoo.com[98.138.214.175]
May 13 02:22:51 harrier postfix/smtpd[18952]: 3b85Qz1WQfz3BMc: client=ng19-vm1.bullet.mail.ne1.yahoo.com[98.138.214.175]
May 13 07:45:06 harrier postfix/postscreen[9497]: CONNECT from [144.160.128.166]:38244 to [207.223.116.211]:25
May 13 07:45:06 harrier postfix/dnsblog[9502]: addr 144.160.128.166 listed by domain list.dnswl.org as 127.0.5.0
May 13 07:45:06 harrier postfix/postscreen[9497]: PASS NEW [144.160.128.166]:38244
May 13 07:45:07 harrier postfix/smtpd[9507]: connect from egssmtp02.att.com[144.160.128.166]
May 13 07:45:07 harrier postfix/smtpd[9507]: 3b8DZq6bcpz38Bm: client=egssmtp02.att.com[144.160.128.166]
May 13 07:48:54 harrier postfix/postscreen[9811]: CONNECT from [54.240.15.13]:45225 to [207.223.116.211]:25
May 13 07:48:54 harrier postfix/dnsblog[9812]: addr 54.240.15.13 listed by domain list.dnswl.org as 127.0.5.1
May 13 07:48:54 harrier postfix/postscreen[9811]: PASS NEW [54.240.15.13]:45225
May 13 07:48:54 harrier postfix/smtpd[9821]: connect from a15-13.smtp-out.amazonses.com[54.240.15.13]
May 13 07:48:55 harrier postfix/smtpd[9821]: 3b8DgC17cnz38D6: client=a15-13.smtp-out.amazonses.com[54.240.15.13]

This next one is very interesting. Whitelisted and blacklisted, coming in with a score of +1, so not reaching either of the thresholds. This host hits the lower priority MX .214 before the DISCONNECT on the main address of .211, and gets a WHITELIST VETO.

May 13 11:53:27 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:46875 to [207.223.116.211]:25
May 13 11:53:27 harrier postfix/dnsblog[28910]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:27 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:27 harrier postfix/dnsblog[28909]: addr 200.11.173.11 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 11:53:33 harrier postfix/tlsproxy[28928]: CONNECT from [200.11.173.11]:46875
May 13 11:53:33 harrier postfix/tlsproxy[28928]: Anonymous TLS connection established from [200.11.173.11]:46875: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 13 11:53:33 harrier postfix/postscreen[28908]: NOQUEUE: reject: RCPT from [200.11.173.11]:46875: 450 4.3.2 Service currently unavailable; from=<officefile8...@cantv.net>, to=<1...@slackbuilds.org>, proto=ESMTP, helo=<10ibl20ser04.datacenter.cha.cantv.net>
May 13 11:53:34 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:54443 to [207.223.116.214]:25
May 13 11:53:34 harrier postfix/postscreen[28908]: WHITELIST VETO [200.11.173.11]:54443
May 13 11:53:34 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:34 harrier postfix/dnsblog[28912]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:34 harrier postfix/dnsblog[28911]: addr 200.11.173.11 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 11:53:40 harrier postfix/tlsproxy[28928]: CONNECT from [200.11.173.11]:54443
May 13 11:53:40 harrier postfix/tlsproxy[28928]: Anonymous TLS connection established from [200.11.173.11]:54443: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 13 11:53:41 harrier postfix/postscreen[28908]: NOQUEUE: reject: RCPT from [200.11.173.11]:54443: 450 4.3.2 Service currently unavailable; from=<officefile8...@cantv.net>, to=<1...@slackbuilds.org>, proto=ESMTP, helo=<10ibl20ser04.datacenter.cha.cantv.net>
May 13 11:54:25 harrier postfix/postscreen[28908]: PASS NEW [200.11.173.11]:46875
May 13 11:54:25 harrier postfix/postscreen[28908]: DISCONNECT [200.11.173.11]:46875
May 13 11:54:25 harrier postfix/tlsproxy[28928]: DISCONNECT [200.11.173.11]:46875
May 13 11:54:27 harrier postfix/postscreen[28908]: DISCONNECT [200.11.173.11]:54443
May 13 11:54:27 harrier postfix/tlsproxy[28928]: DISCONNECT [200.11.173.11]:54443

Sadly, this host which was definitely carrying spam got a PASS NEW. But this is not the sort of spam which postscreen can safely block.

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
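
An added example, not part of the original message and not Postfix code: a small log summarizer that groups postscreen and dnsblog lines per client and separates DNSWL-only clients that got PASS NEW without deep tests from clients listed on both a whitelist and a blocklist. The function names, the labels and the choice of list.dnswl.org as the only whitelist are assumptions; the sample lines are excerpted and trimmed from the logs above.

```python
import re
from collections import defaultdict

# Log lines excerpted (reject line trimmed) from the message above.
SAMPLE = """\
May 13 01:15:09 harrier postfix/postscreen[13360]: CONNECT from [98.136.219.129]:36682 to [207.223.116.211]:25
May 13 01:15:09 harrier postfix/dnsblog[13365]: addr 98.136.219.129 listed by domain list.dnswl.org as 127.0.5.0
May 13 01:15:09 harrier postfix/postscreen[13360]: PASS NEW [98.136.219.129]:36682
May 13 11:53:27 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:46875 to [207.223.116.211]:25
May 13 11:53:27 harrier postfix/dnsblog[28910]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:27 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:33 harrier postfix/postscreen[28908]: NOQUEUE: reject: RCPT from [200.11.173.11]:46875: 450 4.3.2 Service currently unavailable
May 13 11:53:34 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:54443 to [207.223.116.214]:25
May 13 11:53:34 harrier postfix/postscreen[28908]: WHITELIST VETO [200.11.173.11]:54443
May 13 11:54:25 harrier postfix/postscreen[28908]: PASS NEW [200.11.173.11]:46875
"""

WHITELIST_DOMAINS = {"list.dnswl.org"}  # assumption: the only DNSWL configured
DNSBLOG = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as \S+")
EVENT = re.compile(r"postfix/postscreen\[\d+\]: "
                   r"(PASS NEW|PASS OLD|WHITELIST VETO|NOQUEUE: reject)\b.*?\[([0-9a-fA-F.:]+)\]:\d+")

def summarize(log_text):
    """Map client IP -> DNS lists it appeared on and ordered postscreen events."""
    clients = defaultdict(lambda: {"lists": set(), "events": []})
    for line in log_text.splitlines():
        m = DNSBLOG.search(line)
        if m:
            clients[m.group(1)]["lists"].add(m.group(2))
            continue
        m = EVENT.search(line)
        if m:
            clients[m.group(2)]["events"].append(m.group(1))
    return clients

def classify(info):
    """Label a client by list membership and whether after-220 tests ran."""
    white = info["lists"] & WHITELIST_DOMAINS
    black = info["lists"] - WHITELIST_DOMAINS
    # Assumption: a postscreen 450 reject at RCPT means after-220 tests ran.
    tested = "NOQUEUE: reject" in info["events"]
    if white and not black and "PASS NEW" in info["events"] and not tested:
        return "dnswl-skip"
    if white and black:
        return "mixed-tested" if tested else "mixed-untested"
    return "other"

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, classify(info), sorted(info["lists"]), info["events"])
```

Clients labelled mixed-tested are the ones worth reviewing when choosing DNSBL weights and the whitelist threshold.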