On 5/13/2013 4:04 PM, Wietse Venema wrote:
> /dev/rob0:
>> On Sun, May 12, 2013 at 08:11:14PM -0500, /dev/rob0 wrote:
>>> On Sun, May 12, 2013 at 08:47:38PM -0400, Wietse Venema wrote:
>>>> A lightly-tested version is available as postfix-2.11-20130512.
>>>
>>> Woohoo! Thanks!
>>>
>>> I installed it, set postscreen_dnsbl_whitelist_threshold=-1
>>> followed by a reload. Two seconds later I think it is working.
>>>
>>> May 13 00:59:50 harrier postfix/postfix-script[12251]: starting the Postfix
>>> mail system
>>> May 13 00:59:50 harrier postfix/master[12253]: daemon started -- version
>>> 2.11-20130512, configuration /etc/postfix
>>> May 13 01:02:23 harrier postfix/postfix-script[12502]: refreshing the
>>> Postfix mail system
>>> May 13 01:02:23 harrier postfix/master[12253]: reload -- version
>>> 2.11-20130512, configuration /etc/postfix
>>> May 13 01:02:25 harrier postfix/postscreen[12508]: CONNECT from
>>> [66.220.144.151]:57808 to [207.223.116.211]:25
>>> May 13 01:02:25 harrier postfix/dnsblog[12509]: addr 66.220.144.151 listed
>>> by domain list.dnswl.org as 127.0.9.1
>>> May 13 01:02:25 harrier postfix/smtpd[12518]: connect from
>>> outmail017.snc4.facebook.com[66.220.144.151]
>>> May 13 01:02:26 harrier postfix/smtpd[12518]: 3b83fB2KJ4z3B92:
>>> client=outmail017.snc4.facebook.com[66.220.144.151]
>>>
>>> I don't see any PASS OLD in there, so I guess the whitelist did the
>>> trick? Would anything else be logged?
>
> Found it. With postscreen_dnsbl_whitelist_threshold turned on,
> postscreen raised the "pregreet test is passed" flag even when that
> test was disabled. This led to a mis-match between what tests were
> required versus what tests were passed, resulting in no "PASS NEW"
> logging.
>
> The error is only cosmetic and has no effect on mail deliveries.
>
> Wietse
>

Just installed the 20130512 snapshot... getting a "panic: psc_dnsbl_retrieve: no blocklist score", /seems to/ happen after a PREGREET from a dnsbl listed client.

Anyway, valid mail is still arriving with both PASS NEW and PASS OLD, dnsbl listed clients that don't pregreet are being rejected without error.

The following was logged after a postfix restart with an empty postscreen_cache database.

May 13 16:12:11 mgate3 postfix/master[9707]: daemon started -- version 2.11-20130512, configuration /etc/postfix
May 13 16:12:12 mgate3 postfix/postscreen[9711]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=0 dropped=0 entries
May 13 16:12:12 mgate3 postfix/postscreen[9711]: CONNECT from [186.83.226.229]:1480 to [192.168.70.43]:25
May 13 16:12:12 mgate3 postfix/dnsblog[9714]: addr 186.83.226.229 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:12 mgate3 postfix/dnsblog[9714]: addr 186.83.226.229 listed by domain zen.spamhaus.org as 127.0.0.11
May 13 16:12:13 mgate3 postfix/postscreen[9711]: PREGREET 42 after 0.72 from [186.83.226.229]:1480: HELO Dynamic-IP-18683226229.cable.net.co\r\n
May 13 16:12:13 mgate3 postfix/postscreen[9711]: panic: psc_dnsbl_retrieve: no blocklist score for 186.83.226.229
May 13 16:12:14 mgate3 postfix/master[9707]: warning: process /usr/libexec/postfix/postscreen pid 9711 killed by signal 6
May 13 16:12:16 mgate3 postfix/postscreen[9715]: CONNECT from [173.44.230.38]:15114 to [192.168.70.43]:25
May 13 16:12:17 mgate3 postfix/postscreen[9715]: CONNECT from [61.70.82.57]:2124 to [192.168.70.43]:25
May 13 16:12:17 mgate3 postfix/dnsblog[9712]: addr 61.70.82.57 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:18 mgate3 postfix/postscreen[9715]: PREGREET 44 after 0.82 from [61.70.82.57]:2124: HELO host-61-70-82-57.static.kbtelecom.net\r\n
May 13 16:12:18 mgate3 postfix/postscreen[9715]: panic: psc_dnsbl_retrieve: no blocklist score for 61.70.82.57
May 13 16:12:19 mgate3 postfix/master[9707]: warning: process /usr/libexec/postfix/postscreen pid 9715 killed by signal 6
May 13 16:12:19 mgate3 postfix/postscreen[9716]: CONNECT from [178.125.147.190]:4660 to [192.168.70.43]:25
May 13 16:12:19 mgate3 postfix/dnsblog[9713]: addr 178.125.147.190 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:19 mgate3 postfix/dnsblog[9713]: addr 178.125.147.190 listed by domain zen.spamhaus.org as 127.0.0.11
May 13 16:12:19 mgate3 postfix/postscreen[9716]: CONNECT from [89.114.17.136]:3427 to [192.168.70.43]:25
May 13 16:12:19 mgate3 postfix/postscreen[9716]: PREGREET 22 after 0.65 from [178.125.147.190]:4660: HELO 178.125.147.190\r\n
May 13 16:12:19 mgate3 postfix/postscreen[9716]: panic: psc_dnsbl_retrieve: no blocklist score for 178.125.147.190
May 13 16:12:19 mgate3 postfix/dnsblog[9713]: addr 89.114.17.136 listed by domain zen.spamhaus.org as 127.0.0.10
May 13 16:12:19 mgate3 postfix/dnsblog[9713]: addr 89.114.17.136 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:20 mgate3 postfix/master[9707]: warning: process /usr/libexec/postfix/postscreen pid 9716 killed by signal 6
May 13 16:12:20 mgate3 postfix/postscreen[9719]: CONNECT from [173.14.106.45]:4693 to [192.168.70.43]:25
May 13 16:12:21 mgate3 postfix/postscreen[9719]: CONNECT from [220.134.174.161]:62439 to [192.168.70.43]:25
May 13 16:12:21 mgate3 postfix/dnsblog[9713]: addr 220.134.174.161 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:22 mgate3 postfix/postscreen[9719]: PREGREET 41 after 0.82 from [220.134.174.161]:62439: HELO 220-134-174-161.HINET-IP.hinet.net\r\n
May 13 16:12:22 mgate3 postfix/postscreen[9719]: panic: psc_dnsbl_retrieve: no blocklist score for 220.134.174.161
May 13 16:12:23 mgate3 postfix/master[9707]: warning: process /usr/libexec/postfix/postscreen pid 9719 killed by signal 6
May 13 16:12:24 mgate3 postfix/postscreen[9720]: CONNECT from [93.158.11.233]:56107 to [192.168.70.43]:25
May 13 16:12:25 mgate3 postfix/dnsblog[9712]: addr 93.158.11.233 listed by domain zen.spamhaus.org as 127.0.0.11
May 13 16:12:25 mgate3 postfix/dnsblog[9712]: addr 93.158.11.233 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:25 mgate3 postfix/postscreen[9720]: PREGREET 23 after 0.39 from [93.158.11.233]:56107: HELO concordances.com\r\n
May 13 16:12:25 mgate3 postfix/postscreen[9720]: panic: psc_dnsbl_retrieve: no blocklist score for 93.158.11.233

# postconf | grep postscreen
postscreen_access_list = permit_mynetworks, cidr:$mapdir/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = 2
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = zen.spamhaus.org*1 list.dnswl.org*-1 swl.spamhaus.org*-1
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = drop
postscreen_greet_banner = mgate3.vbhcs.org ESTMP -- validating connection
postscreen_greet_ttl = 1d
postscreen_greet_wait = 6s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = \c; Contact postmas...@vbhcs.org for assistance. Include this data: servertime=($localtime) client=([$client_address]:$client_port) server=($server_name) (postscreen)
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = !192.168.70.44 !12.107.221.44 static:all

-- 
Noel Jones
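
Added example (not part of the original message and not Postfix code): a Python script that tests the observation above, that the panic follows a PREGREET from a DNSBL-listed client, by correlating postscreen and dnsblog events per client IP. The sample lines are copied from the log in the message; the function names and event labels are illustrative.

```python
import re
from collections import defaultdict

# Sample input: a subset of the log lines quoted in the message above.
SAMPLE_LOG = r"""
May 13 16:12:12 mgate3 postfix/postscreen[9711]: CONNECT from [186.83.226.229]:1480 to [192.168.70.43]:25
May 13 16:12:12 mgate3 postfix/dnsblog[9714]: addr 186.83.226.229 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:13 mgate3 postfix/postscreen[9711]: PREGREET 42 after 0.72 from [186.83.226.229]:1480: HELO Dynamic-IP-18683226229.cable.net.co\r\n
May 13 16:12:13 mgate3 postfix/postscreen[9711]: panic: psc_dnsbl_retrieve: no blocklist score for 186.83.226.229
May 13 16:12:14 mgate3 postfix/master[9707]: warning: process /usr/libexec/postfix/postscreen pid 9711 killed by signal 6
May 13 16:12:16 mgate3 postfix/postscreen[9715]: CONNECT from [173.44.230.38]:15114 to [192.168.70.43]:25
May 13 16:12:17 mgate3 postfix/postscreen[9715]: CONNECT from [61.70.82.57]:2124 to [192.168.70.43]:25
May 13 16:12:17 mgate3 postfix/dnsblog[9712]: addr 61.70.82.57 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 16:12:18 mgate3 postfix/postscreen[9715]: PREGREET 44 after 0.82 from [61.70.82.57]:2124: HELO host-61-70-82-57.static.kbtelecom.net\r\n
May 13 16:12:18 mgate3 postfix/postscreen[9715]: panic: psc_dnsbl_retrieve: no blocklist score for 61.70.82.57
"""

EVENT = re.compile(r"postfix/(postscreen|dnsblog)\[\d+\]: (.*)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # IPv4 only; first match is the client
PREFIXES = (("CONNECT from", "CONNECT"), ("addr ", "LISTED"),
            ("PREGREET", "PREGREET"), ("panic: psc_dnsbl_retrieve", "PANIC"))

def panics_by_client(log_text):
    """Return (panics, history): events seen before each panic, and all events per client."""
    history = defaultdict(list)  # client IP -> event labels in log order
    panics = {}                  # client IP -> events logged before its panic
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        msg = m.group(2)
        kind = next((k for p, k in PREFIXES if msg.startswith(p)), None)
        ip = IPV4.search(msg)
        if kind is None or ip is None:
            continue
        if kind == "PANIC":
            panics[ip.group()] = tuple(history[ip.group()])
        else:
            history[ip.group()].append(kind)
    return panics, dict(history)

def hypothesis_holds(panics):
    """True if every panicking client was both DNSBL-listed and PREGREETed first."""
    return bool(panics) and all({"LISTED", "PREGREET"} <= set(ev) for ev in panics.values())

if __name__ == "__main__":
    panics, _ = panics_by_client(SAMPLE_LOG)
    print(panics, hypothesis_holds(panics))
```

Run against a full mail log, clients that appear in `history` with both LISTED and PREGREET but not in `panics` would be counter-examples to the pattern.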