> On Feb 21, 2019, at 3:26 PM, Wietse Venema <wie...@porcupine.org> wrote:
> 
> Charles Sprickman:
>> Hi all,
>> 
>> Looking for some help on troubleshooting postscreen?
>> 
>> I was recently reworking the list of rbls that I use with postscreen and 
>> realized that quite a bit of spam that was getting through was in fact on 
>> enough blacklists to hit my postscreen threshold. I'm not seeing anything 
>> obvious in the logs (checking the dnsblog entries), and I'm not sure where 
>> to start.
>> 
>> I'd really like to get full logging of postscreen and all dnsblog activity 
>> for a few minutes - is it possible to see all queries and their results?  
>> I'm not seeing a way to increase verbosity while perusing the dnsblog or 
>> postscreen manpages. If I'm hitting some odd resource limit (I have like 18 
>> rbls setup), will some piece of postfix complain about that?  Maybe some 
>> internal caching is why I'm seeing things pass (I'm very specifically 
>> looking at very fresh spamhosts).
>> 
>> More generally, anyone have any tips/advice on troubleshooting beyond 
>> Postfix? I'm pointing all my rbl queries at an instance of dnscache (which 
>> is admittedly quite old, probably abandoned)? Recs on a lightweight dnscache 
>> replacement?
>> 

> Please post output of:
> 
> postconf -n | grep postscreen

(see below)

Some notes on this config - the DNSBL list might seem a bit odd, it’s a direct 
response to the type of spam we’re currently seeing - sent from “clean” IPs 
(seems like a large snowshoe operation).  I looked at what slipped through both 
postscreen and spamassassin and then looked at which lists were seeing these 
IPs first, running some stats on numbers of hits, and then weighed those lists 
the highest.

> If you set your greet-wait too small then there will not
> be enough time for the DNS lookups to arrive.

I have not altered this setting.

> Otherwise, dnsblog will log all the answers when a host is listed.
> If you think that dnsblog misses things, then I would start with
> debugging the DNS setup.

Dnscache is not above suspicion, and I’ll do some testing with another 
resolver, but I would like to know if there’s any way to get logs of DNS lookup 
failures or timeouts…

Thanks,

Charles

> 
>       Wietse
> 


postconf -n:

[root@mbox /usr/local/etc/postfix]#  postconf -n | grep postscreen
postscreen_access_list = permit_mynetworks, 
cidr:$config_directory/postscreen.white
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = cbl.abuseat.org=127.0.0.2*3 
b.barracudacentral.org=127.0.0.2*3 bl.spamcop.net=127.0.0.2*2 
hostkarma.junkemailfilter.com=127.0.0.2*2 
hostkarma.junkemailfilter.com=127.0.0.4*1 bl.mailspike.net*2 
ix.dnsbl.manitu.net=127.0.0.2*2 rbl.rbldns.ru=127.0.0.2*3 
dnsbl.sorbs.net=127.0.0.[2;3;4;5;9;10;11;12]*2 dnsbl.sorbs.net=127.0.0.6*3 
bl.spameatingmonkey.net=127.0.0.2*2 
backscatter.spameatingmonkey.net=127.0.0.1*1 dyna.spamrats.com=127.0.0.2*1 
noptr.spamrats.com=127.0.0.2*1 psbl.surriel.com=127.0.0.2*7 
dnsbl-2.uceprotect.net*5 dnsbl-1.uceprotect.net*4 dnsbl-3.uceprotect.net*3 
dnsbl.spfbl.net*4 truncate.gbudb.net*4 bl.0spam.org*3 dnsrbl.org*3 
all.s5h.net*5 netblockbl.spamgrouper.to*3 multi.surbl.org*3 dnsbl.zapbl.net*3 
spam.spamrats.com*3 bl.nosolicitado.org*3 list.dnswl.org=127.0.[0..255].0*-2 
list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].2*-5 
list.dnswl.org=127.0.[0..255].3*-7 
hostkarma.junkemailfilter.com=127.0.0.[1;5]*-5 
wl.mailspike.net=127.0.0.[18;19;20]*-3 ips.whitelisted.org=127.0.0.2*-3
postscreen_dnsbl_threshold = 10
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
[root@mbox /usr/local/etc/postfix]#
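
Added example, not part of the original message and not Postfix code: a small offline calculator that applies the documented postscreen_dnsbl_sites rules (optional =filter, optional *weight defaulting to 1, weight counted at most once per entry, block when the total reaches the threshold) to a subset of the posted setting. The reply addresses fed to it are constructed; in practice they would come from querying each list by hand through the resolver under suspicion and comparing the computed total with what dnsblog logged.

```python
import re

# Subset of the postscreen_dnsbl_sites value and the threshold posted above.
SITES = """cbl.abuseat.org=127.0.0.2*3 psbl.surriel.com=127.0.0.2*7
dnsbl.sorbs.net=127.0.0.[2;3;4;5;9;10;11;12]*2 dnsbl.sorbs.net=127.0.0.6*3
bl.mailspike.net*2 list.dnswl.org=127.0.[0..255].1*-3"""
THRESHOLD = 10

def parse_sites(spec):
    """Split the setting into (domain, filter or None, weight) entries."""
    entries = []
    for item in re.split(r"[,\s]+", spec.strip()):
        item, _, weight = item.partition("*")
        domain, _, filt = item.partition("=")
        entries.append((domain, filt or None, int(weight) if weight else 1))
    return entries

def octet_matches(pattern, value):
    """Match one reply octet against 'N' or a '[a;b;c..d]' pattern."""
    for part in pattern.strip("[]").split(";"):
        low, _, high = part.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False

def reply_matches(filt, reply):
    """True when an A reply satisfies the filter; no filter accepts any reply."""
    if filt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def score(spec, answers):
    """answers: DNSBL domain -> list of A replies. Weight counts once per entry."""
    total, hits = 0, []
    for domain, filt, weight in parse_sites(spec):
        if any(reply_matches(filt, r) for r in answers.get(domain, [])):
            total += weight
            hits.append((domain, filt, weight))
    return total, hits

# Constructed replies (not real lookups): what each list returned for one client.
LISTED = {"cbl.abuseat.org": ["127.0.0.2"], "psbl.surriel.com": ["127.0.0.2"]}
LISTED_AND_DNSWL = dict(LISTED, **{"list.dnswl.org": ["127.0.5.1"]})
if __name__ == "__main__":
    for name, answers in (("listed", LISTED), ("listed+dnswl", LISTED_AND_DNSWL)):
        total, hits = score(SITES, answers)
        print(name, total, "block" if total >= THRESHOLD else "pass", hits)
```

A missing or timed-out reply is simply an absent key in `answers`, so dropping one list from the dictionary shows how far a single failed lookup moves a client below the threshold.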
