Re: Postscreen blacklist - Service currently unavailable
On 8 Mar 2018, at 0:59 (-0500), Maurizio Caloro wrote:

> [Main.cf]
> postscreen_blacklist_action = drop
> postscreen_access_list = permit_mynetworks, hash:/etc/postfix/access
> postscreen_bare_newline_enable = yes

Remove this. See http://www.postfix.org/POSTSCREEN_README.html#after_220 for the details.

> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3
>     b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net
>     spamtrap.trblspam.com

Remove this. That DNSBL has been dead for many years and using it is actively harmful. See https://www.dnsbl.com/2013/04/status-of-spamtraptrblspamcom-dead.html.

[...]

> [Mail.log]
> Mar 4 21:59:40 Dovecot/imap(mca@domain): Info: Disconnected: Logged out in=1443 out=219620
> Mar 4 22:00:13 mail postfix/postscreen[1050]: CONNECT from [IP]:45143 to [IP]:25
> Mar 4 22:00:13 mail postfix/dnsblog[1060]: addr [IP] listed by domain list.dnswl.org as 127.0.3.0
> Mar 4 22:00:13 mail postfix/dnsblog[1076]: addr IP listed by domain spamtrap.trblspam.com as 185.53.179.6

There's the damage: spamtrap.trblspam.com is "listing everything" because the domain vultures who now own trblspam.com have a wildcard A record under the zone. Because your configuration doesn't specify a reply code for spamtrap.trblspam.com listings or a score, you are giving everything a DNSBL point for no reason.

[...]

> Mar 4 22:00:19 mail postfix/postscreen[1050]: NOQUEUE: reject: RCPT from [40.92.69.70]:45143: 450 4.3.2 Service currently unavailable; from=, to:, proto=ESMTP, helo=

"450" is a transient error, telling the sender to retry the message. This is necessary because postscreen cannot pass the connection to smtpd after it has sent the greeting banner and examined the EHLO command from the client. If the client reconnects within a reasonable period, it will bypass postscreen testing because it has already passed once and that fact is cached.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
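As an added illustration of the scoring Bill describes (my code, not from the thread or from Postfix), this Python reproduces how postscreen adds up postscreen_dnsbl_sites weights: the site=filter*weight syntax documented in postconf(5), an entry without a filter matching any reply address, and the comparison with postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold. The replies are the three dnsblog lines from Maurizio's mail.log and the sites list is a subset of his configuration; the whitelist threshold value used in the comments is an assumption.

```python
import re

# One filter part of a dotted quad: a plain number or a [low..high] range (postconf(5)).
_PART = re.compile(r'\[(\d+)\.\.(\d+)\]|(\d+)')

def parse_sites(config: str) -> list:
    """Parse a postscreen_dnsbl_sites value in main.cf style into (domain, octets, weight)
    tuples; octets is a per-position list of allowed values, or None for 'any reply'."""
    rules = []
    for line in config.splitlines():
        if line.lstrip().startswith('#'):
            continue                          # commented-out entry, as in the poster's config
        for entry in line.replace(',', ' ').split():
            weight = 1                        # default weight when no *weight is given
            if '*' in entry:
                entry, text = entry.rsplit('*', 1)
                weight = int(text)
            domain, _, filt = entry.partition('=')
            octets = None
            if filt:
                octets = [range(int(lo), int(hi) + 1) if lo else (int(num),)
                          for lo, hi, num in _PART.findall(filt)]
            rules.append((domain, octets, weight))
    return rules

def _matches(octets, reply: str) -> bool:
    if octets is None:
        return True                           # unfiltered entry: 185.53.179.6 counts as a listing
    vals = [int(v) for v in reply.split('.')]
    return len(vals) == len(octets) and all(v in p for v, p in zip(vals, octets))

def dnsbl_score(rules: list, replies: list) -> int:
    """Sum the weights of every rule matched by a (dnsbl domain, A record) reply."""
    return sum(weight for domain, reply in replies
               for site, octets, weight in rules if site == domain and _matches(octets, reply))

def verdict(score: int, threshold: int = 1, whitelist_threshold: int = 0) -> str:
    """threshold = postscreen_dnsbl_threshold, whitelist_threshold =
    postscreen_dnsbl_whitelist_threshold (0 disables it, as in Postfix)."""
    if score >= threshold:
        return 'blacklisted'
    if whitelist_threshold and score <= whitelist_threshold:
        return 'whitelisted'                  # client skips the remaining postscreen tests
    return 'neutral'

# Constructed: a few entries from the poster's postscreen_dnsbl_sites, dead list included.
SITES = """zen.spamhaus.org*3 spamtrap.trblspam.com list.dnswl.org=127.0.[0..255].0*-1
    ## dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
    list.dnswl.org=127.0.[0..255].[2..3]*-3 wl.mailspike.net=127.0.0.20*-10"""
# The three dnsblog replies logged in the poster's mail.log.
REPLIES = [('list.dnswl.org', '127.0.3.0'), ('spamtrap.trblspam.com', '185.53.179.6'),
           ('wl.mailspike.net', '127.0.0.20')]
```

With the dead list in place the client above still scores -10 because dnswl and mailspike outweigh it, but a client that only the wildcard zone "lists" scores 1 and is rejected at the default postscreen_dnsbl_threshold of 1.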
Postscreen blacklist - Service currently unavailable
Hello Together,

I will download the banned blacklist IPs from the Internet and add them to my Postfix with Postscreen. After I checked the config of Postscreen I have the following configuration. The strange thing is that I get this message in Mail.log. No matter from where I send the email to my domain, this error appears: 450 4.3.2 Service currently unavailable

Postmap /etc/postfix/access

[Main.cf]
postscreen_blacklist_action = drop
postscreen_access_list = permit_mynetworks, hash:/etc/postfix/access
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3
    b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net
    spamtrap.trblspam.com
    ## dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
    ix.dnsbl.manitu.net
    bl.blocklist.de
    list.dnswl.org=127.0.[0..255].0*-1
    list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].[2..3]*-3
    list.dnswl.org=127.0.[0..255].3*-8
    zen.spamhaus.org=127.0.0.9*25
    zen.spamhaus.org=127.0.0.3*10
    zen.spamhaus.org=127.0.0.2*5
    zen.spamhaus.org=127.0.0.[4..7]*3
    zen.spamhaus.org=127.0.0.[10..11]*3
    swl.spamhaus.org*-10
    iadb.isipp.com=127.0.[0..255].[0..255]*-2
    iadb.isipp.com=127.3.100.[6..200]*-2
    bl.mailspike.net=127.0.0.2*10
    bl.mailspike.net=127.0.0.10*5
    bl.mailspike.net=127.0.0.11*4
    bl.mailspike.net=127.0.0.12*3
    bl.mailspike.net=127.0.0.13*2
    bl.mailspike.net=127.0.0.14*1
    wl.mailspike.net=127.0.0.16*-2
    wl.mailspike.net=127.0.0.17*-4
    wl.mailspike.net=127.0.0.18*-6
    wl.mailspike.net=127.0.0.19*-8
    wl.mailspike.net=127.0.0.20*-10
    backscatter.spameatingmonkey.net*2
    bl.ipv6.spameatingmonkey.net*2
    bl.spameatingmonkey.net*2
    ix.dnsbl.manitu.net*2
    bl.spamcop.net*2
    db.wpbl.info*2
    psbl.surriel.com*2
    torexit.dan.me.uk*2

[Master.cf]
#smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
smtp       inet  n       -       -       -       1       postscreen
  -o content_filter=spamassassin
smtpd      pass  -       -       -       -       -       smtpd
dnsblog    unix  -       -       -       -       0       dnsblog
tlsproxy   unix  -       -       -       -       0       tlsproxy
submission inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin

[Mail.log]
Mar 4 21:59:40 Dovecot/imap(mca@domain): Info: Disconnected: Logged out in=1443 out=219620
Mar 4 22:00:13 mail postfix/postscreen[1050]: CONNECT from [IP]:45143 to [IP]:25
Mar 4 22:00:13 mail postfix/dnsblog[1060]: addr [IP] listed by domain list.dnswl.org as 127.0.3.0
Mar 4 22:00:13 mail postfix/dnsblog[1076]: addr IP listed by domain spamtrap.trblspam.com as 185.53.179.6
Mar 4 22:00:13 mail postfix/dnsblog[1077]: addr IP listed by domain wl.mailspike.net as 127.0.0.20
Mar 4 22:00:19 mail postfix/tlsproxy[1061]: CONNECT from [IP]:45143
Mar 4 22:00:19 mail postfix/tlsproxy[1061]: Anonymous TLS connection established from [IP]:45143: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 4 22:00:19 mail postfix/postscreen[1050]: NOQUEUE: reject: RCPT from [40.92.69.70]:45143: 450 4.3.2 Service currently unavailable; from=, to:, proto=ESMTP, helo=
Mar 4 22:00:19 mail postfix/tlsproxy[1061]: DISCONNECT [IP]:45143
Mar 4 22:00:19 mail postfix/postscreen[1050]: HANGUP after 0.16 from [IP]:45143 in tests after SMTP handshake
Mar 4 22:00:19 mail postfix/postscreen[1050]: PASS NEW [IP]:45143
Mar 4 22:00:19 mail postfix/postscreen[1050]: DISCONNECT [IP]:45143

Postfix Version
mail_version = 2.11.3
Re: Service currently unavailable
siefke_lis...@web.de:
> Hello,
>
> I have the problem that all mails hang in postscreen. I think I am not
> sure. I cannot find a mistake in the configuration. But locally and from
> outside all mails hang in postscreen and do not go through.
>
> [root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"
> Jul 5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<siefkesil...@gmail.com>, to=<webmas...@silviosiefke.de>, proto=ESMTP, helo=
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

You have "postscreen_bare_newline_enable = yes". With this, postscreen will require that the client passes a 'bare newline' test once every 30 days. The logging above has no "BARE NEWLINE" violation record, and postscreen logs 'PASS NEW' which confirms that the client passed all tests. postscreen then replies with "450 4.3.2 Service currently unavailable" for reasons documented in the postscreen manpage.

Normally, postscreen saves the test result to the postscreen whitelist cache (configured with postscreen_cache_map) so that the client can skip the test for the next 30 days. This is not working.

The reason that the test keeps being repeated is that the test result is not properly written to the postscreen whitelist cache. This may be caused by a corrupted database file. I suggest that you remove the postscreen_cache_map file and do 'postfix reload'.

Minor nit, unrelated to the broken whitelist problem:

> smtp inet n - n - 1 postscreen
>     -o smtpd_proxy_filter=localhost:10025
>     -o smtpd_client_connection_count_limit=10
>     -o smtpd_proxy_options=speed_adjust

smtpd_proxy_filter is not a postscreen feature. It belongs with the smtpd that follows postscreen, as shown below.

> smtpd pass - - n - - smtpd
>     -o smtpd_proxy_filter=localhost:10025
>     -o smtpd_sasl_auth_enable=no

You could also take the lame option and disable the bare newline test. But that would still require the client to pass all tests on every connection, resulting in unnecessary delays.

	Wietse
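To make Wietse's diagnosis checkable from the log rather than by eye, here is an added Python script (mine, not from the thread or from Postfix) that groups postscreen events per client and separates a normal first contact (one PASS NEW plus one 450 deferral, which is how the after-220 tests behave) from a whitelist cache that is not persisting (PASS NEW again from the same client inside the 30-day TTL). The Jul 5 lines are from Silvio's post; the Jul 6 and Jul 7 lines, the 203.0.113.7 client, the example.net/example.org addresses and the year 2017 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: (?P<msg>.*)$')
PASS = re.compile(r'^PASS (?P<kind>NEW|OLD) \[(?P<ip>[^\]]+)\]')
DEFER = re.compile(r'^NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: 450 4\.3\.2 ')

def _stamp(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f'{year} {ts}', '%Y %b %d %H:%M:%S')

def diagnose(lines, ttl_days: int = 30, year: int = 2017) -> dict:
    """Per client IP -> {'verdict': ..., 'deferred': n}.  Verdicts:
    'first contact'        one PASS NEW; the 450 is the documented after-220 behaviour
    'cached'               a later PASS OLD shows the whitelist cache worked
    'cache not persisting' PASS NEW repeated inside ttl_days (postscreen_*_ttl)"""
    passes = defaultdict(list)            # ip -> [(time, 'NEW'|'OLD'), ...]
    deferred = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # tlsproxy, dnsblog, dovecot lines etc.
        msg = m.group('msg')
        if (p := PASS.match(msg)):
            passes[p.group('ip')].append((_stamp(m.group('ts'), year), p.group('kind')))
        elif (d := DEFER.match(msg)):
            deferred[d.group('ip')] += 1
    report = {}
    for ip, events in passes.items():
        news = sorted(t for t, kind in events if kind == 'NEW')
        if any(b - a < timedelta(days=ttl_days) for a, b in zip(news, news[1:])):
            verdict = 'cache not persisting'
        elif any(kind == 'OLD' for _, kind in events):
            verdict = 'cached'
        else:
            verdict = 'first contact'
        report[ip] = {'verdict': verdict, 'deferred': deferred[ip]}
    return report

# Constructed sample: the Jul 5 lines are from the original post, the rest is made up.
SAMPLE_LOG = """\
Jul 5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<siefkesil...@gmail.com>, to=<webmas...@silviosiefke.de>, proto=ESMTP, helo=
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
Jul 5 18:00:00 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [203.0.113.7]:50001: 450 4.3.2 Service currently unavailable; from=<a@example.net>, to=<b@example.org>, proto=ESMTP, helo=
Jul 5 18:00:00 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [203.0.113.7]:50001
Jul 6 09:02:10 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:41022: 450 4.3.2 Service currently unavailable; from=<a@example.net>, to=<b@example.org>, proto=ESMTP, helo=
Jul 6 09:02:10 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:41022
Jul 7 18:00:00 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS OLD [203.0.113.7]:50002
""".splitlines()
```

On a real server, feed it the postscreen lines for one client collected over a few days; a client that keeps getting PASS NEW means postscreen_cache_map is not retaining results and the cache reset Wietse suggests applies.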
Re: Service currently unavailable
On Wed, Jul 05, 2017 at 03:44:19PM +0200, siefke_lis...@web.de wrote:
> I have the problem that all mails hang in postscreen. I think I am
> not sure. I cannot find a mistake in the configuration. But locally and
> from outside all mails hang in postscreen and do not go through.
>
> [root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"

Sometimes grep will miss important messages which concern a mail transaction. In this case it's probably fine, but for future reference, you might want to use a pager like less(1) and its own internal search feature. Also, UUOC, "grep 'expression' filename". :)

> Jul 5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<siefkesil...@gmail.com>, to=<webmas...@silviosiefke.de>, proto=ESMTP, helo=
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

Did you read the POSTSCREEN_README section about the after-220 tests? Don't activate those if you are not prepared to deal with the consequences.

> I use fuglu as "amavisd-new". The emails themselves are now, after 20
> minutes, not in the box.

Content filtering is not relevant to postscreen rejections and deferrals.

I can point you to my own postscreen configuration, which avoids the problem you're having with reception from gmail: http://rob0.nodns4.us/postscreen.html

Specifically you want to use list.dnswl.org and postscreen_dnsbl_whitelist_threshold. All Google and most legitimate senders of all kinds are listed in DNSWL.

Note that postscreen_dnsbl_whitelist_threshold requires at least Postfix version 2.11. If your version is less than that, upgrade. I'd recommend the latest 3.2 release.

> [root@de-fra ~]# postconf -n
> alias_database = $alias_maps
> alias_maps = hash:/etc/postfix/tables/aliases
> anvil_rate_time_unit = 60s
> bounce_size_limit = 8192
> command_directory = /usr/bin
> compatibility_level = 2
> daemon_directory = /usr/lib/postfix/bin
> data_directory = /var/lib/postfix
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/tables/header_checks
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, 178.254.26.48
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = silviosiefke.com
> myhostname = de-fra.silviosiefke.com
> mynetworks = 127.0.0.0/8
> mynetworks_style = host
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:127.0.0.1:12345
> postscreen_access_list = permit_mynetworks
>     cidr:/etc/postfix/tables/postscreen_access.cidr
> postscreen_bare_newline_action = drop
> postscreen_bare_newline_enable = yes

That's an after-220 test.

> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net,
>     bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes

These two also. If any single after-220 test is enabled, postscreen will talk to (and defer mail from) any not-yet-whitelisted client. That's the main thing I hoped for you to get from the Postfix POSTSCREEN_README.

> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sendmail_path = /usr/bin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_tls_cert_file =
>     /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem

(Not relevant to this issue, but who are you sending mail to that is asking for client certificat
Service currently unavailable
Hello,

I have the problem that all mails hang in postscreen. I think I am not sure. I cannot find a mistake in the configuration. But locally and from outside all mails hang in postscreen and do not go through.

[root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"
Jul 5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<siefkesil...@gmail.com>, to=<webmas...@silviosiefke.de>, proto=ESMTP, helo=
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

I use fuglu as "amavisd-new". The emails themselves are now, after 20 minutes, not in the box.

Thank you for help.

Silvio

[root@de-fra ~]# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/tables/aliases
anvil_rate_time_unit = 60s
bounce_size_limit = 8192
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/tables/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 127.0.0.1, 178.254.26.48
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = silviosiefke.com
myhostname = de-fra.silviosiefke.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:127.0.0.1:12345
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/tables/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net, bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem
smtp_tls_ciphers = high
smtp_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client, check_client_access regexp:/etc/postfix/tables/client_restrictions permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/tables/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit
smtpd_milters = inet:127.0.0.1:12345
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10030, check_policy_service inet:127.0.0.1:12525, check_client_access hash:/etc/postfix/tables/blacklist, check_sender_access hash:/etc/postfix/tables/senderaccess, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, permit_mynetworks, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_client, permit
smtpd_reject_unlisted_sen