Re: gmail servers on blacklists?
On 2017-03-17 22:47, David Mehler wrote: Hello, Thank you. Hi Please reply to the list I have postwhite running, not sure if it's updating? Do you run postwhite and if so do you have an update procedure so you always have the updated postwhite? I use it but doing updates manually. Doing it automatically is on a todo list ;) Thanks. Dave. On 3/17/17, Christian Kivalowrote: On 2017-03-17 22:12, David Mehler wrote: Hello, I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this? You could use postwhite https://github.com/stevejenkins/postwhite to whitelist gmail. The map is created by postwhite from gmails spf records. -- Christian Kivalo -- Christian Kivalo
Re: gmail servers on blacklists?
Hi, Much thanks. Lost ahbl, and glad to see it go. Thanks. Dave. On 3/17/17, /dev/rob0wrote: > On Fri, Mar 17, 2017 at 05:12:07PM -0400, David Mehler wrote: >> I'm starting to see blocks on my messages to my mail server. For some >> reason postscreen is not letting any gmail servers send mail, it's >> blocking them. >> >> Has anyone got an idea or have you seen this? > > Typically you would SHOW LOGS of the blocking when asking for help, > but in your case it's pretty obvious. > >> Here's my postscreen setup: >> >> # postscreen(8) settings >> ### Before-220 tests >> postscreen_greet_action = enforce >> postscreen_blacklist_action = enforce >> postscreen_dnsbl_action = enforce >> postscreen_access_list = permit_mynetworks >> cidr:/usr/local/etc/postfix/postscreen_access.cidr >> postscreen_dnsbl_reply_map = >> pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre >> postscreen_dnsbl_sites = zen.spamhaus.org*3 >> b.barracudacentral.org*2 >> bl.spameatingmonkey.net*2 >> dnsbl.ahbl.org*2 > > Closed as of 2015-01-01 when it began flagging EVERYTHING by means of > a DNS wildcard. > > Read: > http://www.ahbl.org/ (click through to the main page) and > http://rob0.nodns4.us/postscreen.html > > In the latter start with the BIG FAT WARNING and then take special > note of what it says about AHBL in the "Last Changes" section. > >>bl.spamcop.net >> dnsbl.sorbs.net >> psbl.surriel.com >> bl.mailspike.net >> swl.spamhaus.org*-4 >> list.dnswl.org=127.[0..255].[0..255].0*-2 >> list.dnswl.org=127.[0..255].[0..255].1*-3 >> list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 > > These are as I published them but they are wrong. Better: >list.dnswl.org=127.0.[2..15].0*-2 >list.dnswl.org=127.0.[2..15].1*-3 >list.dnswl.org=127.0.[2..15].[2..3]*-4 > This corresponds to DNSWL.org's own usage instructions. > >> postscreen_dnsbl_threshold = 2 >> postscreen_dnsbl_whitelist_threshold = -2 > > Looks familiar except you changed these two threshold values. Just > stick with what I have: > postscreen_dnsbl_threshold = 3 > postscreen_dnsbl_whitelist_threshold = -1 > > Your lower postscreen_dnsbl_threshold value caused every single AHBL > listing (which, in case you didn't understand, now includes the > entirety of the Internet) to be a rejection unless offset by a > whitelist entry. > > Your higher whitelist threshold makes it more difficult to avoid the > after-220 tests ... > >> ### End of before-220 tests >> ### After-220 tests >> ### WARNING -- See "Tests after the 220 SMTP server greeting" in the >> ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the >> ### following tests! >> #postscreen_bare_newline_action = drop >> #postscreen_bare_newline_enable = yes >> #postscreen_non_smtp_command_action = drop >> #postscreen_non_smtp_command_enable = yes >> #postscreen_pipelining_enable = yes >> #postscreen_pipelining_action = drop >> ### ADDENDUM: Any one of the foregoing three *_enable settings may cause >> ### significant and annoying mail delays. > > ... which in your case doesn't matter because you didn't enable them. > >> Any assistance appreciated. > > Lose AHBL. > -- > http://rob0.nodns4.us/ > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: >
Re: gmail servers on blacklists?
On Fri, Mar 17, 2017 at 05:12:07PM -0400, David Mehler wrote: > I'm starting to see blocks on my messages to my mail server. For some > reason postscreen is not letting any gmail servers send mail, it's > blocking them. > > Has anyone got an idea or have you seen this? Typically you would SHOW LOGS of the blocking when asking for help, but in your case it's pretty obvious. > Here's my postscreen setup: > > # postscreen(8) settings > ### Before-220 tests > postscreen_greet_action = enforce > postscreen_blacklist_action = enforce > postscreen_dnsbl_action = enforce > postscreen_access_list = permit_mynetworks > cidr:/usr/local/etc/postfix/postscreen_access.cidr > postscreen_dnsbl_reply_map = > pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre > postscreen_dnsbl_sites = zen.spamhaus.org*3 > b.barracudacentral.org*2 > bl.spameatingmonkey.net*2 > dnsbl.ahbl.org*2 Closed as of 2015-01-01 when it began flagging EVERYTHING by means of a DNS wildcard. Read: http://www.ahbl.org/ (click through to the main page) and http://rob0.nodns4.us/postscreen.html In the latter start with the BIG FAT WARNING and then take special note of what it says about AHBL in the "Last Changes" section. >bl.spamcop.net > dnsbl.sorbs.net > psbl.surriel.com > bl.mailspike.net > swl.spamhaus.org*-4 > list.dnswl.org=127.[0..255].[0..255].0*-2 > list.dnswl.org=127.[0..255].[0..255].1*-3 > list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 These are as I published them but they are wrong. Better: list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 This corresponds to DNSWL.org's own usage instructions. > postscreen_dnsbl_threshold = 2 > postscreen_dnsbl_whitelist_threshold = -2 Looks familiar except you changed these two threshold values. Just stick with what I have: postscreen_dnsbl_threshold = 3 postscreen_dnsbl_whitelist_threshold = -1 Your lower postscreen_dnsbl_threshold value caused every single AHBL listing (which, in case you didn't understand, now includes the entirety of the Internet) to be a rejection unless offset by a whitelist entry. Your higher whitelist threshold makes it more difficult to avoid the after-220 tests ... > ### End of before-220 tests > ### After-220 tests > ### WARNING -- See "Tests after the 220 SMTP server greeting" in the > ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the > ### following tests! > #postscreen_bare_newline_action = drop > #postscreen_bare_newline_enable = yes > #postscreen_non_smtp_command_action = drop > #postscreen_non_smtp_command_enable = yes > #postscreen_pipelining_enable = yes > #postscreen_pipelining_action = drop > ### ADDENDUM: Any one of the foregoing three *_enable settings may cause > ### significant and annoying mail delays. ... which in your case doesn't matter because you didn't enable them. > Any assistance appreciated. Lose AHBL. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: gmail servers on blacklists?
On 2017-03-17 22:12, David Mehler wrote: Hello, I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this? You could use postwhite https://github.com/stevejenkins/postwhite to whitelist gmail. The map is created by postwhite from gmails spf records. -- Christian Kivalo
gmail servers on blacklists?
Hello, I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this? Here's my postscreen setup: # postscreen(8) settings ### Before-220 tests postscreen_greet_action = enforce postscreen_blacklist_action = enforce postscreen_dnsbl_action = enforce postscreen_access_list = permit_mynetworks cidr:/usr/local/etc/postfix/postscreen_access.cidr postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 postscreen_dnsbl_threshold = 2 postscreen_dnsbl_whitelist_threshold = -2 ### End of before-220 tests ### After-220 tests ### WARNING -- See "Tests after the 220 SMTP server greeting" in the ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the ### following tests! #postscreen_bare_newline_action = drop #postscreen_bare_newline_enable = yes #postscreen_non_smtp_command_action = drop #postscreen_non_smtp_command_enable = yes #postscreen_pipelining_enable = yes #postscreen_pipelining_action = drop ### ADDENDUM: Any one of the foregoing three *_enable settings may cause ### significant and annoying mail delays. # For sharing a tempoary whitelist of addresses postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache postscreen_cache_cleanup_interval = 0 # Rules are evaluated in the order as specified. # Blacklist 192.168.* except 192.168.0.1. # /usr/local/etc/postfix/postscreen_access.cidr 2011-02-27 # A simple combined white/blacklist # Only "permit", "reject" and "dunno" work on the RHS # This is a CIDR table, so see cidr_table(5) for LHS syntax # Permit local clients 127.0.0.0/8 permit # 2011-05-17 brute force attack # May 17 05:35:14 cardinal postfix/anvil[3667]: statistics: max # connection count 47 for (smtpd:66.23.228.27) at May 17 05:31:38 66.23.228.27reject # a lot from here including some DBL hits 108.62.112.160/29 reject # 2011-08-09 eWayDirect whitelisted, but hitting spamtraps # was having PREGREET protocol errors before today 207.45.161.0/24 reject ## # 2011-11-22 brute force mail attacks, smtp and imap 61.175.253.59 reject # 2012-09-23 spammer not in DNSBLs 66.7.197.45 reject # 2012-11-19 hillapex.com spammer 184.173.107.11 reject # Allow gmail server through 74.125.82.43permit Any assistance appreciated. Thanks. Dave.