Re: advice on postscreen setup / exception / dnsbls

2018-05-28 Thread @lbutlr
On 26 May 2018, at 23:27, Voytek  wrote:
> On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote:
> 
>> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
>> stop using that list, or possibly to lower its score below your [unstated]
>> threshold score.
> 
> Thanks for all replies and comments!
> 
> I guess my starting point should be that, lower the score?

No, your starting point should be to not use an RBL if you don’t know what it 
is doing. Blacklisting a domain for not having a valid rDNS is something you 
can do right in postfix, without needing to reach out to an RBL.

reject_unknown_reverse_client_hostname or reject_unknown_client_hostname, but 
these have significant impact on some servers for legitimate mail. You can 
search the archives (or google) for various discussions on these two settings, 
how they differ, and which you might want to use, if either.

> postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
> bl.spamcop.net*2, dnsbl.spfbl.net*2,
> db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu,
> bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
> bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
> dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
> list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1

Treating all replies from the RBLs as the same is, IMHO, a mistake.

This is what I have:

postscreen_dnsbl_threshold = 9
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..11]*9
    hostkarma.junkemailfilter.com=127.0.0.2*5
    zen.spamhaus.org=127.0.0.[2..3]*4
    hostkarma.junkemailfilter.com=127.0.0.3*2
    hostkarma.junkemailfilter.com=127.0.2.1*4
    hostkarma.junkemailfilter.com=127.0.2.2*2
    hostkarma.junkemailfilter.com=127.0.0.2*4
    hostkarma.junkemailfilter.com=127.0.1.2*4
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    hostkarma.junkemailfilter.com=127.0.0.5*-2
    hostkarma.junkemailfilter.com=127.0.2.3*-2


For example, I score zen differently for 127.0.0.2-3 (much lower) than for 
4-11. (.2 is the SBL, which hits more ‘false’ positives than the others for my 
mailstream, and .3 is similar) while 4-11 are servers that should never be 
sending mail (DHCP ISP machines, exploited servers, etc). 

I *do not* recommend you copy/paste these into your setup. For one thing, I 
haven’t evaluated them in quite a while since zen hits nearly everything that 
gets blocked, so I’m not really sure how the downstream ones are performing 
right now, but mostly because every server is a bit different.

-- 
Like the moment when the brakes lock/And you slide towards the big
truck/You stretch the frozen moments with your fear


Re: advice on postscreen setup / exception / dnsbls

2018-05-26 Thread Voytek
On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote:

> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
> stop using that list, or possibly to lower its score below your [unstated]
> threshold score.

Thanks for all replies and comments!

I guess my starting point should be that, lower the score?

sorry, the actual setup is, advice/suggestion appreciated:

# grep postscreen  main.cf
postscreen_command_count_limit = 8
postscreen_command_time_limit = 30
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_blacklist_action = DROP
postscreen_dnsbl_action = ENFORCE
postscreen_greet_action = ENFORCE
postscreen_access_list = permit_mynetworks,
 cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2,
 db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu,
bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
 bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
 list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1


> Another choice is DNS whitelisting:
> 145.65.91.152.list.dnswl.org. 10800 IN  TXT "sge.net
> https://dnswl.org/s/?s=36576;
> 145.65.91.152.list.dnswl.org. 10800 IN  A   127.0.9.2

I think I'd rather avoid this path, if I can


> For more information I would refer you to my page on postscreen;
> please see the link below, in the .sig .

thanks, I'll read it today (and try to understand)


> While the helo/ehlo is logged, that's not usable either, because
> once postscreen decides to talk to a client, that client is already
> blocked.
>
> If you're not going to take the advice above, your only other option
> would be to whitelist the IP address[es].  Oh, also, you could talk to the
> DNSBL operator about their listing criteria, and/or to the
> sending site about getting delisted.

I guess 'health' outsources their email to verizon - whilst I'll try to
contact them, I don't like my chances at getting too far - but never know.

I've struck probs with health/verizon a while back, I think, last time I
came across it, by the time I've looked, they were already delisted

thanks again,

Voytek





Re: advice on postscreen setup / exception / dnsbls

2018-05-26 Thread @lbutlr
On 2018-05-26 (11:22 MDT), /dev/rob0  wrote:
> 
> If you're not going to take the advice above, your only other option 
> would be to whitelist the IP address[es].  Oh, also, you could talk 
> to the DNSBL operator about their listing criteria, and/or to the 
> sending site about getting delisted.


There is nothing wrong with the listing criteria. The domain is listed because 
there is an issue with its rDNS, and that is what the RBL lists.


Delegation not found at parent.

No delegation could be found at the parent, making your zone unreachable from 
the Internet.

Not enough nameserver information was found to test the zone orland.sge.net, 
but an IP address lookup succeeded in spite of that.

-- 
'Yes, but humans are more important than animals,' said Brutha. 'This
is a point of view often expressed by humans,' said Om. (Small Gods)



Re: advice on postscreen setup / exception / dnsbls

2018-05-26 Thread /dev/rob0
On Sat, May 26, 2018 at 01:22:01PM +1000, Voytek wrote:
> I've recently updated Postfix from 2.1, and, enabled postscreen, 
> all's working well, though, just picked up a false positive:
> 
> several users inbound mail blocked with dnsbl.spfbl.net
> 
> I have like:
> 
> # grep spfbl.net main.cf
> postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
> bl.spamcop.net*2, dnsbl.spfbl.net*2,
> 
> as this is a gov.au server, should I whitelist health.gov.au? or 
> sge.net? how/where?
> 
> what's the best way to prevent emails from health.gov.au/sge.net 
> being blocked?

Bubba: "Doc, it hurts when I do this."
Doc: "So don't do that."

The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to 
stop using that list, or possibly to lower its score below your 
[unstated] threshold score.

Postscreen is unable to do whitelisting by hostname.  In fact the 
reverse DNS is not looked up at all, so only the IP address is known 
in postscreen.

Another choice is DNS whitelisting:

145.65.91.152.list.dnswl.org. 10800 IN  TXT "sge.net 
https://dnswl.org/s/?s=36576;
145.65.91.152.list.dnswl.org. 10800 IN  A   127.0.9.2

For more information I would refer you to my page on postscreen; 
please see the link below, in the .sig .

> # grep health.gov.au /var/log/maillog | grep block
> May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: 
> RCPT from [152.91.65.145]:57512: 550 5.7.1 Service unavailable; 
> client [152.91.65.145] blocked using dnsbl.spfbl.net; 
> from=, to=, 
> proto=ESMTP, helo=

While the helo/ehlo is logged, that's not usable either, because 
once postscreen decides to talk to a client, that client is already 
blocked.

If you're not going to take the advice above, your only other option 
would be to whitelist the IP address[es].  Oh, also, you could talk 
to the DNSBL operator about their listing criteria, and/or to the 
sending site about getting delisted.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
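Added example (Python, not from this thread or from Postfix itself): a small model of how postscreen turns postscreen_dnsbl_sites entries, their per-reply filters and weights into a combined rank, and how that rank meets postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold. It lets you check offline what @lbutlr's per-return-code zen scores and rob0's suggestion of lowering dnsbl.spfbl.net below Voytek's threshold of 3 would do. The DNSBL answers are constructed, and "each entry counted at most once per lookup" is an assumption about postscreen's scoring, not something the thread states.

```python
import re
# Parser for the postscreen_dnsbl_sites syntax seen in the thread:
#   domain[=d.d.d.d]*weight, where a byte may be a range such as [4..11].
# Assumed here: no filter means any A record counts; a missing weight is 1.
SITE_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_sites(spec):
    """Return (domain, filter, weight) for each comma/whitespace separated entry."""
    sites = []
    for entry in filter(None, re.split(r"[,\s]+", spec.strip())):
        m = SITE_RE.match(entry)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: " + entry)
        sites.append((m.group(1), m.group(2) or "", int(m.group(3) or 1)))
    return sites

def byte_matches(pattern_byte, value):
    """Match one byte of a 127.x.y.z reply: literal '2' or a range '[4..11]'."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pattern_byte)
    if m:
        return int(m.group(1)) <= value <= int(m.group(2))
    return int(pattern_byte) == value

def filter_matches(pattern, reply):
    if not pattern:  # entry without "=d.d.d.d": any listing counts
        return True
    pats = re.findall(r"\[\d+\.\.\d+\]|\d+", pattern)  # keep [4..11] whole
    vals = reply.split(".")
    return len(pats) == len(vals) and all(
        byte_matches(p, int(v)) for p, v in zip(pats, vals))

def dnsbl_rank(sites, replies):
    """Sum each entry's weight once if any A record the DNSBL returned
    (replies: domain -> list of 127.x.y.z answers) matches its filter (assumed)."""
    return sum(w for d, p, w in sites
               if any(filter_matches(p, r) for r in replies.get(d, ())))

def verdict(rank, threshold, whitelist_threshold=0):
    """Reject at or above postscreen_dnsbl_threshold; whitelist at or below a
    negative postscreen_dnsbl_whitelist_threshold (0 = whitelisting off)."""
    if rank >= threshold:
        return "reject"
    if whitelist_threshold < 0 and rank <= whitelist_threshold:
        return "whitelist"
    return "pass"

# Subsets of the two lists quoted in the thread, for trying the scoring out.
VOYTEK = parse_sites("dnsbl.spfbl.net*2, db.wpbl.info, list.dnswl.org*-3")
LBUTLR = parse_sites("zen.spamhaus.org=127.0.0.[4..11]*9 zen.spamhaus.org=127.0.0.[2..3]*4")
```

With Voytek's threshold of 3, dnsbl.spfbl.net*2 rejects only together with a second weight-1 hit; at *1 the same pair scores 2 and passes. Under this model a domain/filter pair that appears twice in the list is counted twice.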


Re: advice on postscreen setup / exception / dnsbls

2018-05-26 Thread Wietse Venema
@lbutlr:
> On 2018-05-25 (21:22 MDT), "Voytek"  wrote:
> > # grep health.gov.au /var/log/maillog | grep block
> > May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
> > [152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
> > [152.91.65.145] blocked using dnsbl.spfbl.net;
> > from=, to=,
> > proto=ESMTP, helo=
> 
> This mail did not come from a gov.au site, it came from orland.sge.net

Indeed: orland.sge.net = 152.91.65.145, consistent with the client
IP address that postscreen reports.

Wietse


Re: advice on postscreen setup / exception / dnsbls

2018-05-26 Thread @lbutlr
On 2018-05-25 (21:22 MDT), "Voytek"  wrote:
> # grep health.gov.au /var/log/maillog | grep block
> May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
> [152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
> [152.91.65.145] blocked using dnsbl.spfbl.net;
> from=, to=,
> proto=ESMTP, helo=

This mail did not come from a gov.au site, it came from orland.sge.net

-- 
The Salvation Army Band played and the children drunk lemonade and the
morning lasted all day, all day. And through an open window came like
Sinatra in a younger day pushing the town away


advice on postscreen setup / exception / dnsbls

2018-05-25 Thread Voytek
I've recently updated Postfix from 2.1, and, enabled postscreen, all's
working well, though, just picked up a false positive:

several users inbound mail blocked with dnsbl.spfbl.net

I have like:

# grep spfbl.net main.cf
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2,

as this is a gov.au server, should I whitelist health.gov.au? or sge.net?
how/where?

what's the best way to prevent emails from health.gov.au/sge.net being
blocked?


# grep health.gov.au /var/log/maillog | grep block
May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
[152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=, to=,
proto=ESMTP, helo=
May 21 16:55:53 geko postfix/postscreen[5875]: NOQUEUE: reject: RCPT from
[152.91.65.145]:42388: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=, to=, proto=ESMTP,
helo=
May 22 15:54:50 geko postfix/postscreen[22598]: NOQUEUE: reject: RCPT from
[152.91.65.145]:54437: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=, to=, proto=ESMTP,
helo=
May 24 09:25:55 geko postfix/postscreen[803]: NOQUEUE: reject: RCPT from
[152.91.65.146]:58463: 550 5.7.1 Service unavailable; client
[152.91.65.146] blocked using dnsbl.spfbl.net;
from=, to=, proto=ESMTP,
helo=