[pfx] Re: Question about postscreen_dnsbl_sites
Ivan Ionut:
> Thx, but I noticed that there is only for cidr...and i want for
> hosts/domains too.

If you want client name/domain based policies, don't use postscreen, use smtpd_mumble_restrictions instead. An smtpd process can do complex things such as verifying fully-confirmed forward/reverse DNS for clients in arbitrary domains, and making nuanced decisions based on the combination of client, sender, and recipient information.

postscreen is designed to answer only one question: "is this a spambot". That is completely orthogonal to the question of whether or not you like a client hostname.

postscreen cannot afford doing complex things. It must be able to handle many more (like 10 times more) clients than hundreds of smtpd processes combined can handle. postscreen has to make a quick decision based on the client IP address which is guaranteed to be available, and queries only the domains listed in postscreen_dnsbl_sites, which are guaranteed to respond quickly. postscreen WILL NOT query other domains because there are no response time guarantees.

Wietse

___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Question about postscreen_dnsbl_sites
Ivan Ionut via Postfix-users:
> Hi, I'm using postscreen_dnsbl_sites to block some spam and I want some
> domain/hosts/ip to bypass this option, like an whitelist.
>
> Does postscreen/postfix has this option?

Yes. Near the top of https://www.postfix.org/POSTSCREEN_README.html#quick

    Quick tests before everything else

    Before engaging in SMTP-level tests, postscreen(8) queries a number of
    local deny and allowlists. These tests speed up the handling of known
    clients.

    * Permanent allow/denylist test
    * Temporary allowlist test
    * MX Policy test

See website for more.

Wietse
[pfx] Question about postscreen_dnsbl_sites
Hi, I'm using postscreen_dnsbl_sites to block some spam and I want some domain/hosts/ip to bypass this option, like a whitelist.

Does postscreen/postfix have this option?

p.s. my postfix version: 3.6.4

-- Ivan Ionuț, Str. Mircea cel Bătrân nr 1, Galati 800023, Tel/Fax: +40236 493277, Email: ivan.io...@tehnopol-gl.ro
Re: postscreen_dnsbl_sites precedence
Matt Saladna:
> Hello,
>
> When specifying a range of responses to ignore in postscreen_dnsbl_sites
> it appears that if a weight is zero it is ignored in favor of a non-zero
> weight.

Coming back to this thread, please ignore my previous responses about order dependence. They were wrong.

Simply, postscreen will add up the weights from all matching patterns in postscreen_dnsbl_sites. I think that the documentation never promised that postscreen would evaluate only a subset of patterns.

Since addition is a commutative operation, the order of patterns in postscreen_dnsbl_sites does not matter, that is, there simply is no precedence.

Instead of using a pattern with zero weight, you can specify a negative weight to prevent a site from being blocked. This is how I exclude clients with list.dnswl.org:

    postscreen_dnsbl_sites =
        ...
        list.dnswl.org=127.0.[0..255].[1..3]*-2

Just like postscreen has postscreen_dnsbl_threshold for blocking clients (default: 1), it has postscreen_dnsbl_allowlist_threshold for allowing clients (default: 0).

Wietse
Re: postscreen_dnsbl_sites questions about multiple matches.
On 30.05.22 14:02, Peter wrote:
> Next question: What happens if zen returns multiple responses:
>
> 127.0.0.10
> 127.0.0.3
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.0.0.[1..2]*3
>         zen.spamhaus.org=127.0.0.3*2
>         zen.spamhaus.org=127.0.0.[4..255]*3

On 30.05.22 10:06, Matus UHLAR - fantomas wrote:
> this should produce score 6 for the example above

sorry, 5 = 2 points for 127.0.0.3 + 3 for 127.0.0.10

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
2B|!2B, that's a question!
Re: postscreen_dnsbl_sites questions about multiple matches.
On 30.05.22 14:02, Peter wrote:
> First off my goal is that I want all zen.spamhaus.org entries to have a
> score of 3 except for CSS entries which should have a score of 2. zen
> returns 127.0.0.n for all entries and CSS specifically returns 127.0.0.3.
>
> What I think I can do is this:
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.0.0.[1..255]*3
>         zen.spamhaus.org=127.0.0.3*-1
>
> So presumably if 127.0.0.3 is returned it will initially get a score of 3
> but then decrement it by 1 so it ends up with a score of 2, so first
> question: Will this work the way I want it to?

yes, it should.

> Next question: What happens if zen returns multiple responses:
>
> 127.0.0.10
> 127.0.0.3
>
> Will it score 2, 3, 5 or something else?

I think it gets score of 2 and if you want different scores for different listings, you must expand them.

> What if I did this instead:
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.0.0.[1..2]*3
>         zen.spamhaus.org=127.0.0.3*2
>         zen.spamhaus.org=127.0.0.[4..255]*3
>
> How would that affect the answer to the above two questions?

this should produce score 6 for the example above

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: postscreen_dnsbl_sites questions about multiple matches.
On 30/05/22 3:49 pm, Bill Cole wrote:
> I have no idea, but assigning scores to DNSBL return values that are not
> currently in use is quite optimistic and dangerous. Also, 127.0.0.1
> specifically is an indicator of likely DNSBL malfunction.

Well, spamhaus documents that 127.0.0.0/24 are for current and future IP blocklists. Errors are in the 127.255.255.0/24 range. That said, their current usage is 2-11 with 5-7 documented for future XBL use and 8 for future SBL use:

https://www.spamhaus.org/faq/section/DNSBL%20Usage#200

All of that said, you make a good point. I will change it to 2-11 (I'm not overly concerned about the documented future usage of 5-8).

Still hoping for an answer to my previous questions, though.

Peter
Re: postscreen_dnsbl_sites questions about multiple matches.
On 2022-05-29 at 22:02:54 UTC-0400 (Mon, 30 May 2022 14:02:54 +1200) Peter is rumored to have said:
> First off my goal is that I want all zen.spamhaus.org entries to have a
> score of 3 except for CSS entries which should have a score of 2. zen
> returns 127.0.0.n for all entries and CSS specifically returns 127.0.0.3.
>
> What I think I can do is this:
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.0.0.[1..255]*3
>         zen.spamhaus.org=127.0.0.3*-1
>
> So presumably if 127.0.0.3 is returned it will initially get a score of 3
> but then decrement it by 1 so it ends up with a score of 2, so first
> question: Will this work the way I want it to?

I have no idea, but assigning scores to DNSBL return values that are not currently in use is quite optimistic and dangerous. Also, 127.0.0.1 specifically is an indicator of likely DNSBL malfunction.

-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
postscreen_dnsbl_sites questions about multiple matches.
First off my goal is that I want all zen.spamhaus.org entries to have a score of 3 except for CSS entries which should have a score of 2. zen returns 127.0.0.n for all entries and CSS specifically returns 127.0.0.3.

What I think I can do is this:

    postscreen_dnsbl_sites =
        zen.spamhaus.org=127.0.0.[1..255]*3
        zen.spamhaus.org=127.0.0.3*-1

So presumably if 127.0.0.3 is returned it will initially get a score of 3 but then decrement it by 1 so it ends up with a score of 2, so first question: Will this work the way I want it to?

Next question: What happens if zen returns multiple responses:

127.0.0.10
127.0.0.3

Will it score 2, 3, 5 or something else?

What if I did this instead:

    postscreen_dnsbl_sites =
        zen.spamhaus.org=127.0.0.[1..2]*3
        zen.spamhaus.org=127.0.0.3*2
        zen.spamhaus.org=127.0.0.[4..255]*3

How would that affect the answer to the above two questions?

Thanks,
Peter
Re: postscreen_dnsbl_sites precedence
Matt Saladna:
> Is there any difference other than cognitive load between the two forms?
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
>         zen.spamhaus.org=127.255.255.[252;254;255]*0

This explicitly assigns weights.

> versus
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2

Should also work, because if a result is not matched, then the weight does not matter.

Wietse
Re: postscreen_dnsbl_sites precedence
> > The implementation is order-dependent.

On 12.03.22 11:56, Wietse Venema wrote:
> It does store the configuration in reverse order. However upon closer
> reading of code that I haven't touched in 10+ years...
>
> You are correct in that it applies all patterns that match. The
> implementation simply assumes that patterns don't overlap.
>
> I think that a reasonable solution is to use only the first match in
> postscreen_dnsbl_sites. That code was not designed to handle overlapping
> patterns, and I see no value in trying to make it do such things.

FYI knowing this I configured it like this:

    ...
    list.dnswl.org=127.0.[0..255].[0..255]*-1
    list.dnswl.org=127.0.[0..255].3*-1

so for *.3 responses (high) I expect -2 points this way. I can change it if needed, although it won't be so nice this way

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: postscreen_dnsbl_sites precedence
On 12.03.22 11:50, Matt Saladna wrote:
> Is there any difference other than cognitive load between the two forms?
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
>         zen.spamhaus.org=127.255.255.[252;254;255]*0
>
> versus
>
>     postscreen_dnsbl_sites =
>         zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2

afaik no.

But, if you know you are forwarding DNS requests to any open DNS service, it's better not to use spamhaus and other dnsbls at all.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: postscreen_dnsbl_sites precedence
Matt Saladna:
> For Wieste,

That is WieTSe, if you don't mind.

> > The implementation is order-dependent.

It does store the configuration in reverse order. However upon closer reading of code that I haven't touched in 10+ years...

You are correct in that it applies all patterns that match. The implementation simply assumes that patterns don't overlap.

If you want a working solution now, I suggest using non-overlapping patterns:

    postscreen_dnsbl_sites =
        zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
        zen.spamhaus.org=127.255.255.[252;254;255]*0

I think that a reasonable solution is to use only the first match in postscreen_dnsbl_sites. That code was not designed to handle overlapping patterns, and I see no value in trying to make it do such things. Then we'd end up with:

    postscreen_dnsbl_sites =
        # Spamhaus error responses.
        zen.spamhaus.org=127.255.255.[252;254;255]*0
        # All other Spamhaus responses.
        zen.spamhaus.org*2

This provides simple weight-map functionality inside main.cf.

Wietse
Re: postscreen_dnsbl_sites precedence
On 2022-03-11 at 22:34:14 UTC-0500 (Fri, 11 Mar 2022 21:34:14 -0600) Matt Saladna is rumored to have said:
> Spamhaus began flagging Cloudflare's servers, 1.0.0.1/1.1.1.1 as public
> resolver resulting in the error message. Other DNSBLs pick up
> responsibility, so the judgment shouldn't rely squarely on a bad response
> like 127.255.255.255, "excessive number of queries". One would hope a 900
> second TTL offloaded to one of the largest resolvers would reduce their
> DNS load.

Which in no way justifies people who misunderstand documentation shooting themselves in the foot by rejecting all mail as self-flagellation.

One absolutely should not score DNSBL responses that are completely unrelated to the specific value being queried for. For a multiplexed DNSBL like Zen, it makes no sense to configure on a default+exceptions model. The information a Zen listing provides is entirely different depending on the value of the response and Spamhaus could add new responses at any time if they want to convey some other discrete fact about listed IPs.

-- Bill Cole
Re: postscreen_dnsbl_sites precedence
On 2022-03-11 at 17:20:41 UTC-0500 (Sat, 12 Mar 2022 09:20:41 +1100) Phil Biggs is rumored to have said:
> Should the 127.255.255.[0..255] return codes really be weighted zero,
> given that they indicate an error?

Absolutely.

> With .254 being use of a public/open resolver:
> https://www.spamhaus.org/faq/section/DNSBL%20Usage#200

The errors resulting in those returns are errors by the party doing the DNS query. It doesn't matter what value you are looking up in the DNSBL, because you are asking in a bad way.

-- Bill Cole
Re: postscreen_dnsbl_sites precedence
Saturday, March 12, 2022, 2:37:15 AM, Matt Saladna wrote:
> Hello,
>
> When specifying a range of responses to ignore in postscreen_dnsbl_sites
> it appears that if a weight is zero it is ignored in favor of a non-zero
> weight.
>
>     mail_version=3.5.9
>     mail_release_date = 20210117
>     postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0
>         zen.spamhaus.org*2
>
> This produces a result as follows,
>
>     Mar 11 10:22:37 epsilon postfix/postscreen[2766]: CONNECT from [38.107.100.92]:52538 to [64.22.68.41]:25
>     Mar 11 10:22:37 epsilon postfix/dnsblog[2767]: addr 38.107.100.92 listed by domain zen.spamhaus.org as 127.255.255.254
>     Mar 11 10:22:43 epsilon postfix/postscreen[2766]: DNSBL rank 2 for [38.107.100.92]:52538
>     Mar 11 10:22:43 epsilon postfix/tlsproxy[2775]: CONNECT from [38.107.100.92]:52538
>     Mar 11 10:22:43 epsilon postfix/postscreen[2766]: NOQUEUE: reject: RCPT from [38.107.100.92]:52538: 550 5.7.1 Service unavailable; client [38.107.100.92] blocked using zen.spamhaus.org; from=, to=, proto=ESMTP, helo=
>     Mar 11 10:22:43 epsilon postfix/postscreen[2766]: DISCONNECT [38.107.100.92]:52538
>     Mar 11 10:22:43 epsilon postfix/tlsproxy[2775]: DISCONNECT [38.107.100.92]:52538
>
> From the documentation,
>
>     - When one postscreen_dnsbl_sites entry produces multiple DNSBL
>       responses, postscreen(8) applies the weight at most once.
>
> Following this behavior, I would expect postscreen_dnsbl_sites to match
> once either left-to-right or from most specific to least specific if a
> DNSBL site is listed multiple times such that
> zen.spamhaus.org=127.255.255.1 has precedence over
> zen.spamhaus.org=127.255.255.[0..255] has precedence over
> zen.spamhaus.org.
>
> - Matt

Should the 127.255.255.[0..255] return codes really be weighted zero, given that they indicate an error? With .254 being use of a public/open resolver:

https://www.spamhaus.org/faq/section/DNSBL%20Usage#200

-- Cheers, Phil
Re: postscreen_dnsbl_sites precedence
Matt Saladna:
> postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0
>     zen.spamhaus.org*2

The implementation is order-dependent. Postscreen maintains a list for zen.spamhaus.org, where the last entry appears first:

    zen.spamhaus.org:
        pattern=empty, weight=2
        pattern=127.255.255.[252;254;255], weight=0

The result is that the entry with the empty pattern takes precedence over the entry that has a non-empty pattern.

Bah. I picked the implementation that was easiest, because I did not expect that people would specify different weights for the same reputation provider. I guess this will require a compatibility_level feature.

Wietse
Re: postscreen_dnsbl_sites precedence
On Fri, Mar 11, 2022 at 09:37:15AM -0600, Matt Saladna wrote:
> When specifying a range of responses to ignore in postscreen_dnsbl_sites
> it appears that if a weight is zero it is ignored in favor of a non-zero
> weight.

No. Rather, when the same source is listed twice, the weights are added, I believe. Keep the reply address filter lists disjoint!

> postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0
>     zen.spamhaus.org*2
>
> From the documentation,
>
>     - When one postscreen_dnsbl_sites entry produces multiple DNSBL
>       responses, postscreen(8) applies the weight at most once.

That's *one* listed entry, and multiple A records in the DNS reply.

-- Viktor.
Re: whitelist scoring in postscreen_dnsbl_sites=?
On Fri, Apr 01, 2016 at 08:13:14AM -0700, jaso...@mail-central.com wrote:
> I'm learning about whitelist scoring in postscreen_dnsbl_sites=
>
> /dev/rob0 mentioned using these
>
>     postscreen_dnsbl_sites=
>         ... BLACKLISTS ...
>         swl.spamhaus.org*-4

You can pretty much guarantee that anything in SWL is not spamming. But, as Noel points out, not much is in SWL.

>         list.dnswl.org=127.[0..255].[0..255].0*-2

DNSWL trust level "none", many of these are email marketers.

>         list.dnswl.org=127.[0..255].[0..255].1*-3

These are usually bulk senders also, but less likely to be spamming.

>         list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

These are usually NON-bulk senders.

> in the post at http://rob0.nodns4.us/postscreen.html.
>
> One of the servers that's been shown to me has, instead
>
>     postscreen_dnsbl_sites=
>         ... BLACKLISTS ...
>         dwl.spamhaus.org=127.0.2.[2;3]*-3

oops

>         swl.spamhaus.org=127.0.2.[12;13]*-3
>         list.dnswl.org=127.[0..255].[0..255].0*-2
>         list.dnswl.org=127.[0..255].[0..255].1*-3
>         list.dnswl.org=127.[0..255].[0..255].2*-4
>         list.dnswl.org=127.[0..255].[0..255].3*-5

Different scores, same basic idea.

> Right now, two questions
>
> (1) Does order matter in these? I.e., is postscreen's behavior
> different whether WHITELISTS are before/after BLACKLISTS?
> (2) If using Spamhaus for Blacklisting already, why not use 'dwl'
> too? I guess what I'm really asking is about the "*UNDERSTAND* it
> *BEFORE* you enable" advice ... how/why to choose 'this' whitelist
> over 'that'?

There are other DNS whitelists. In particular I believe that junkemailfilter has one. I recommend DNSWL.org because I use it (and have signed up for it.) It seems to be widely adopted, where most major senders of all kinds are listed.

When the whitelist threshold feature was introduced (Postfix 2.11), all the pain of after-220 tests went away,

-- http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: whitelist scoring in postscreen_dnsbl_sites=?
On Fri, Apr 1, 2016, at 12:21 PM, Noel Jones wrote:
> dwl.spamhaus.org lists domain names and is not compatible with
> postscreen, which only knows the IP.

I needed to be reminded of that :-/

> dwl can be used in one of the
> smtpd_*_restrictions sections.
> http://www.postfix.org/postconf.5.html#permit_rhswl_client
> http://www.spamhauswhitelist.com

Knowing to look elsewhere got me to

    Implement a general purpose Plugin::AskDNS, makes Spamhaus DWL possible
    https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6518

Since I use amavis + spamassassin anyway, it looks like its already 'in there'. And should be kept out of postscreen config.

Thanks.

Jason
Re: whitelist scoring in postscreen_dnsbl_sites=?
On 4/1/2016 10:13 AM, jaso...@mail-central.com wrote:
> I'm learning about whitelist scoring in postscreen_dnsbl_sites=
...
> One of the servers that's been shown to me has, instead
>
>     postscreen_dnsbl_sites=
>         ... BLACKLISTS ...
>         dwl.spamhaus.org=127.0.2.[2;3]*-3
>         swl.spamhaus.org=127.0.2.[12;13]*-3
...
> (2) If using Spamhaus for Blacklisting already, why not use 'dwl' too? I
> guess what I'm really asking is about the "*UNDERSTAND* it *BEFORE* you
> enable" advice ... how/why to choose 'this' whitelist over 'that'?

dwl.spamhaus.org lists domain names and is not compatible with postscreen, which only knows the IP. dwl can be used in one of the smtpd_*_restrictions sections.

http://www.postfix.org/postconf.5.html#permit_rhswl_client
http://www.spamhauswhitelist.com

It's my understanding that the Spamhaus whitelists are essentially empty, and have been for quite a while, so they aren't particularly useful at this time.

-- Noel Jones
Re: whitelist scoring in postscreen_dnsbl_sites=?
jaso...@mail-central.com:
> (1) Does order matter in [postscreen_dnsbl_sites]?

There is no "order": the lookups happen in parallel. The result is computed when all replies are received, or when the greet_wait time limit is reached.

Wietse
whitelist scoring in postscreen_dnsbl_sites=?
I'm learning about whitelist scoring in postscreen_dnsbl_sites=

/dev/rob0 mentioned using these

    postscreen_dnsbl_sites=
        ... BLACKLISTS ...
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

in the post at http://rob0.nodns4.us/postscreen.html.

One of the servers that's been shown to me has, instead

    postscreen_dnsbl_sites=
        ... BLACKLISTS ...
        dwl.spamhaus.org=127.0.2.[2;3]*-3
        swl.spamhaus.org=127.0.2.[12;13]*-3
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].2*-4
        list.dnswl.org=127.[0..255].[0..255].3*-5

Right now, two questions

(1) Does order matter in these? I.e., is postscreen's behavior different whether WHITELISTS are before/after BLACKLISTS?
(2) If using Spamhaus for Blacklisting already, why not use 'dwl' too? I guess what I'm really asking is about the "*UNDERSTAND* it *BEFORE* you enable" advice ... how/why to choose 'this' whitelist over 'that'?

Jasom
postscreen_dnsbl_sites load list to memory from external file
Hi, Feature request: It would be nice if the postscreen_dnsbl_sites list could be loaded into memory (once - upon start/reload) from an external file - that doesn't seem to be possible right now - or am I wrong ? /Uffe
Re: postscreen_dnsbl_sites load list to memory from external file
On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:
> Feature request: It would be nice if the postscreen_dnsbl_sites list
> could be loaded into memory (once - upon start/reload) from an external
> file - that doesn't seem to be possible right now - or am I wrong ?

    # cd /etc/postfix; make; postfix reload

The make(1) command updates main.cf from an external file.

-- Viktor.
Re: postscreen_dnsbl_sites load list to memory from external file
On 2014-06-24 18:06, Viktor Dukhovni wrote:
> On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:
> > Feature request: It would be nice if the postscreen_dnsbl_sites list
> > could be loaded into memory (once - upon start/reload) from an external
> > file - that doesn't seem to be possible right now - or am I wrong ?
>
>     # cd /etc/postfix; make; postfix reload
>
> The make(1) command updates main.cf from an external file.

Your installation or platform must be different from mine (FreeBSD) - I have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ config dir.

But it was not what I was looking for - because for various reasons the userid that writes the dnsbl sites file has no permissions to write main.cf nor reload postfix.

/Uffe
Re: postscreen_dnsbl_sites load list to memory from external file
Uffe Jakobsen:
> Your installation or platform must be different from mine (FreeBSD) - I
> have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
> config dir.

The idea is that you create that Makefile.

> But it was not what I was looking for - because for various reasons the
> userid that writes the dnsbl sites file has no permissions to write
> main.cf nor reload postfix.

Including data from an non-root account into main.cf is not supported. Anyone who can change main.cf can also elevate privileges to root.

Wietse
Re: postscreen_dnsbl_sites load list to memory from external file
On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
> Uffe Jakobsen:
> > Your installation or platform must be different from mine (FreeBSD) - I
> > have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
> > config dir.
>
> The idea is that you create that Makefile.

That Makefile can validate the safety of the externally sourced data, and update main.cf.

> > But it was not what I was looking for - because for various reasons the
> > userid that writes the dnsbl sites file has no permissions to write
> > main.cf nor reload postfix.

But root (the account that actually performs the reload) can update main.cf.

-- Viktor.
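The point made in this thread is that the file written by the unprivileged account and main.cf sit on opposite sides of a privilege boundary: whoever controls main.cf controls root, so the root-run step that copies the list across must accept only what is unambiguously a list of DNSBL sites. The following is an added illustration for this page, not code from Postfix or from any poster: a strict filter, of the kind Viktor's Makefile could invoke, that reads the externally maintained list and renders a postscreen_dnsbl_sites setting, refusing anything outside the documented entry grammar. The file name and the sample file contents are constructed; in particular the sample shows why whitespace and newlines inside an entry must be rejected, since a value that continues onto an unindented line would otherwise define a second main.cf parameter, and why `$` must be rejected, since main.cf expands `$name` references.

```python
import re
from typing import List

# Added example, not Postfix code. One postscreen_dnsbl_sites entry, per
# postconf(5): domain[=d.d.d.d][*weight]. Only the characters that grammar
# can contain are allowed, which excludes whitespace, '$', ',' and anything
# else that has meaning to main.cf or could smuggle a second parameter.
SAFE_ENTRY_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"      # first DNS label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"  # further labels
    r"(?:=[0-9]{1,3}(?:\.(?:[0-9]{1,3}|\[[0-9.;]+\])){3})?"  # =d.d.d.d
    r"(?:\*-?[0-9]{1,4})?$"                              # *weight
)


class UnsafeEntry(ValueError):
    """Raised when the untrusted file contains anything but a plain entry."""


def validate_sites(text: str) -> List[str]:
    """Return the accepted entries, or raise on the first unacceptable line.

    Blank lines and '#' comment lines are skipped. Everything else must be a
    single entry on its own line; splitting on all newline styles first means
    an embedded newline can never reach main.cf as a continuation line.
    """
    accepted: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not SAFE_ENTRY_RE.match(line):
            raise UnsafeEntry(f"line {lineno}: refusing {line!r}")
        accepted.append(line)
    if not accepted:
        raise UnsafeEntry("no entries; refusing to empty postscreen_dnsbl_sites")
    return accepted


def render_main_cf_setting(text: str) -> str:
    """Render the setting as main.cf text, one indented continuation line
    per entry, ready to be written by the privileged step (e.g. postconf -e
    or a Makefile rule run as root; assumed, not shown here)."""
    entries = validate_sites(text)
    return "postscreen_dnsbl_sites =\n" + "".join(f"    {e}\n" for e in entries)


if __name__ == "__main__":
    # Constructed sample of the externally maintained file.
    sample = (
        "# DNSBL sites, maintained by the unprivileged list-update account\n"
        "zen.spamhaus.org=127.0.0.[2..11]*3\n"
        "list.dnswl.org=127.0.[0..255].[1..3]*-2\n"
    )
    print(render_main_cf_setting(sample))
```

An attempt such as `zen.spamhaus.org*2\nsmtpd_client_restrictions = permit` is rejected at the second line because spaces and underscores never appear in a valid entry, and `$mydomain*1` is rejected before Postfix could expand it.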
Re: postscreen_dnsbl_sites load list to memory from external file
On 24.06.2014 18:41, Viktor Dukhovni wrote:
> On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
> > Uffe Jakobsen:
> > > Your installation or platform must be different from mine (FreeBSD) - I
> > > have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
> > > config dir.
> >
> > The idea is that you create that Makefile.
>
> That Makefile can validate the safety of the externally sourced data,
> and update main.cf.
>
> > > But it was not what I was looking for - because for various reasons the
> > > userid that writes the dnsbl sites file has no permissions to write
> > > main.cf nor reload postfix.
>
> But root (the account that actually performs the reload) can update
> main.cf.

IMHO all answers bypass the question which was not to list the configured blacklists in an external file - some blacklists offer to download / rsync the complete list data into a local file and so no DNS requests needed
Re: postscreen_dnsbl_sites load list to memory from external file
On 2014-06-24 18:35, Wietse Venema wrote:
> > But it was not what I was looking for - because for various reasons the
> > userid that writes the dnsbl sites file has no permissions to write
> > main.cf nor reload postfix.
>
> Including data from an non-root account into main.cf is not supported.
> Anyone who can change main.cf can also elevate privileges to root.

Agree - I did never mean to suggest to include any file (externally owned, potentially unsafe or not) into main.cf.

What I was suggesting was that main.cf should instruct postfix to fetch the dnsbl list from an external file - in my mind this is not the same as to include another file into main.cf

Disclaimer - I have very little knowledge (read: ~0) of the inner working details of postfix and its configuration file and safety mechanisms.

/Uffe
Re: postscreen_dnsbl_sites load list to memory from external file
Uffe Jakobsen:
> On 2014-06-24 18:35, Wietse Venema wrote:
> > > But it was not what I was looking for - because for various reasons the
> > > userid that writes the dnsbl sites file has no permissions to write
> > > main.cf nor reload postfix.
> >
> > Including data from an non-root account into main.cf is not supported.
> > Anyone who can change main.cf can also elevate privileges to root.
>
> Agree - I did never mean to suggest to include any file (externally
> owned, potentially unsafe or not) into main.cf.
>
> What I was suggesting was that main.cf should instruct postfix to fetch
> the dnsbl list from an external file - in my mind this is not the same as
> to include another file into main.cf

The lists of DNSBL/DNSWL sites in postscreen_dnsbl_sites is not supposed to change all the time. It is supposed to be a limited number of sites that you trust. Postscreen performance depends on the slowest DNSBL service.

Wietse
Re: postscreen postscreen_dnsbl_sites order
Hi Wietse,

On 2013-09-04 23:45, wie...@porcupine.org wrote:
> Marko Weber | ZBF:
> > hello postfix list, maybe an easy question for you.
> > when i use multiple rbls in 'postscreen_dnsbl_sites'
>
> Yes...
>
> >     postscreen_dnsbl_sites =
> >         1.list.org
> >         anotherlist.org
> >         nsafools.org
> >         obamaisadrama.org
> >
> > at example. are the entries of 'postscreen_dnsbl_sites' used in order
> > like listed? or is postscreen using them randomly?
>
> They are searched in parallel. You can mix DNSWLs (with negative
> weights) and DNSBLs (with positive weights) and override later checks
> with postscreen_dnsbl_whitelist_threshold (Postfix 2.11).

'postscreen_dnsbl_whitelist_threshold' sounds interesting.

> Wietse
postscreen postscreen_dnsbl_sites order
hello postfix list, maybe an easy question for you.

when i use multiple rbls in 'postscreen_dnsbl_sites'

    postscreen_dnsbl_sites =
        1.list.org
        anotherlist.org
        nsafools.org
        obamaisadrama.org

at example. are the entries of 'postscreen_dnsbl_sites' used in order like listed? or is postscreen using them randomly?

marko
Re: postscreen postscreen_dnsbl_sites order
Marko Weber | ZBF:
> hello postfix list, maybe an easy quest for you.
> when i use multiple rbls in 'postscreen_dnsbl_sites'

Yes...

>     postscreen_dnsbl_sites =
>         1.list.org
>         anotherlist.org
>         nsafools.org
>         obamaisadrama.org
>
> at example. are the entries of 'postscreen_dnsbl_sites' used in order
> like listed? or is postscreen using them randomly?

They are searched in parallel. You can mix DNSWLs (with negative weights) and DNSBLs (with positive weights) and override later checks with postscreen_dnsbl_whitelist_threshold (Postfix 2.11).

Wietse
Re: postscreen_dnsbl_sites
On Mon, May 6, 2013 at 3:10 PM, Wietse Venema wie...@porcupine.org wrote:
> Robert Lopez:
> > Let me try again. I am assuming the link between a line in the
> > dndsbl_reply file and the main.cf file is only a label and it could be
> > anything. Is that a wrong assumption?
>
> Please describe what is not clear about the following text:
>
>     postscreen_dnsbl_reply_map (default: empty)
>         A mapping from actual DNSBL domain name which includes a secret
>         password, to the DNSBL domain name that postscreen will reply
>         with when it rejects mail. When no mapping is found, the actual
>         DNSBL domain will be used.
>
>         For maximal stability it is best to use a file that is read into
>         memory such as pcre:, regexp: or texthash: (texthash: is similar
>         to hash:, except a) there is no need to run postmap(1) before the
>         file can be used, and b) texthash: does not detect changes after
>         the file is read).
>
>         Example:
>
>         /etc/postfix/main.cf:
>             postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
>
>         /etc/postfix/dnsbl_reply:
>             secret.zen.spamhaus.org zen.spamhaus.org
>
>         This feature is available in Postfix 2.8.
>
> Once you set up your postscreen_dnsbl_reply_map, you can query it to
> ensure that it works as expected. Using the above example, the command
>
>     postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply
>
> should produce zen.spamhaus.org as output.
>
> Thanks for helping to improve Postfix.
>
> Wietse

What is not clear to me in that description is the reason for my original question "Does it matter what the short name returned is; that is could I use zen.spamhaus.org just to keep it shorter?" I tried to make that question more clear the second time I posted by "I am assuming the link between a line in the dndsbl_reply file and the main.cf file is only a label and it could be anything. Is that a wrong assumption? I have changed the label to make it more obvious."

To me when I read the text you provided I am left with the question "If the real query address, with the key, is being replaced by some other name, does it matter what that name is and can it be shortened up?" Of course, the reason for my post in the first place was my concern that the name with the key was returned in a reply to a test email I sent from a Yahoo test account which just happened to have been delivered from a Yahoo server which was listed by zen.spam.net.

Also, I did have a bit of a mix-up in that in your example text you do use zen.spamhaus.org and in my original set-up instructions from the vendor from whom CNM purchases the Spamhaus service, the address I am to query is key..zen.dq.spamhaus.net. This is not to say there is any problem in your text. It was simply my dyslexia seeing what I expect to see and not noticing the net v org that /dev/rob has pointed out.

Your making clear two other points (using postmap -q and looking for the log lines to distinguish between postscreen and smtpd) were helpful to me. I can see the returned information which did disclose the key came from postscreen:

    May 3 17:54:01 mg08 postfix/postscreen[10279]: NOQUEUE: reject: RCPT from [98.136.218.178]:45242: 550 5.7.1 Service unavailable; client [98.136.218.178] blocked using key.zen.dq.spamhaus.org; from=rlopez...@yahoo.com, to=rlo...@mg08.cnm.edu, proto=SMTP, helo=nm5-vm3.bullet.mail.gq1.yahoo.com

Finally, /dev/rob was exactly correct in the two labels used differed (.net v .org) causing the lookup to fail and "When no mapping is found, the actual DNSBL domain will be used."

I believe the answer to my question is the text of the label does not matter (but it must be meaningful enough to communicate) but it must be exactly the same in the dnsbl_reply file and the main.cf file.

Life as a dyslexic person is often embarrassing.

Thank you.

-- Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
Re: postscreen_dnsbl_sites
On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote: What is not clear to me in that description is the reason for my original question Does it matter what the short name returned is; that is could I use zen.spamhaus.org just to keep it shorter? In my example: http://rob0.nodns4.us/postscreen.html I use a negated lookup. Basically, if zen.spamhaus.org is not among the DNSBL hits, my senders see that they were blocked by multiple DNS-based blocklists. So no, there need not be any connection between the lookup key and the result. I think in your case you will want to use zen.spamhaus.org as the result. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: postscreen_dnsbl_sites
Let me try again. I am assuming the link between a line in the dnsbl_reply file and the main.cf file is only a label and it could be anything. Is that a wrong assumption? I have changed the label to make it more obvious. Right now in the dnsbl_reply file I have this line (except for the key being hidden): hidden-key.zen.dq.spamhaus.net h.spamhaus.net In the main.cf file I have this line: postscreen_dnsbl_sites = h.spamhaus.net*1 I am assuming the h.spamhaus.net in main.cf is being rewritten to hidden-key.zen.dq.spamhaus.net when postscreen uses the dnsbl. What I am seeing in testing is my gateway is returning a statement such as this one: 554 5.7.1 Service unavailable; Client host [192.203.178.138] blocked using hidden-key.zen.dq.spamhaus.net; http://www.spamhaus.org/query/bl?ip=192.203.178.138 And the above line does in fact contain the actual key that I am trying to hide. The version of Postfix I am using (2.10.0) is my first experience with postscreen and I am trying to avoid exposing this key. Is it possible that the key is being exposed not from the postscreen_dnsbl_sites line but from a line also in main.cf which says the following?
smtpd_client_restrictions = reject_rbl_client hidden-key.zen.dq.spamhaus.net

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 26214400
mydestination = $myhostname, $mydomain, localhost.localdomain, cnm.edu, mail.cnm.edu
mydomain = cnm.edu
mynetworks = 198.133.178.0/23, 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
notify_classes = resource, software
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = h.spamhaus.net*1 b.barracudacentral.org*1 bl.spamcop.net*1 dnsbl.sorbs.net*1
postscreen_dnsbl_threshold = 2
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu ESMTP
smtpd_client_restrictions = reject_unauth_pipelining check_client_access hash:/etc/postfix/whitelist check_client_access cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access permit_mynetworks reject_rbl_client hidden-key.zen.dq.spamhaus.net.zen.dq.spamhaus.net reject_rbl_client b.barracudacentral.org reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo-ip reject_invalid_hostname reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unknown_recipient_domain reject_unlisted_recipient reject_non_fqdn_recipient reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/whitelist check_sender_access hash:/etc/postfix/greylist check_sender_access hash:/etc/postfix/access permit_mynetworks reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases
-- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
Re: postscreen_dnsbl_sites
Robert Lopez: Let me try again. I am assuming the link between a line in the dnsbl_reply file and the main.cf file is only a label and it could be anything. Is that a wrong assumption? Please describe what is not clear about the following text: postscreen_dnsbl_reply_map (default: empty) A mapping from actual DNSBL domain name which includes a secret password, to the DNSBL domain name that postscreen will reply with when it rejects mail. When no mapping is found, the actual DNSBL domain will be used. For maximal stability it is best to use a file that is read into memory such as pcre:, regexp: or texthash: (texthash: is similar to hash:, except a) there is no need to run postmap(1) before the file can be used, and b) texthash: does not detect changes after the file is read). Example: /etc/postfix/main.cf: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply /etc/postfix/dnsbl_reply: secret.zen.spamhaus.org zen.spamhaus.org This feature is available in Postfix 2.8. Once you set up your postscreen_dnsbl_reply_map, you can query it to ensure that it works as expected. Using the above example, the command postmap -q secret.zen.spamhaus.org texthash:/etc/postfix/dnsbl_reply should produce zen.spamhaus.org as output. Thanks for helping to improve Postfix. Wietse
Re: postscreen_dnsbl_sites
Is it possible that the key is being exposed not from the postscreen_dnsbl_sites line but from a line also in main.cf which says the following? smtpd_client_restrictions = reject_rbl_client hidden-key.zen.dq.spamhaus.net Use rbl_reply_maps and a text without $rbl_domain: http://www.postfix.org/postconf.5.html#rbl_reply_maps And... get a new spamhaus key, NOW:
    # telnet mg05.cnm.edu 25
    Trying 198.133.182.65...
    Connected to mg05.cnm.edu.
    Escape character is '^]'.
    220 mg05.cnm.edu ESMTP Postfix
    HELO ruv.de
    250 mg05.cnm.edu
    MAIL FROM:jpk@somedomain
    250 2.1.0 Ok
    RCPT TO:hostmas...@cnm.edu
    554 5.7.1 Service unavailable; Client host [47.66.81.105] blocked using GOTIT.zen.dq.spamhaus.net; http://www.spamhaus.org/query/bl?ip=47.66.81.105
    quit
    221 2.0.0 Bye
Re: postscreen_dnsbl_sites
Jan P. Kessler: Is it possible that the key is being exposed not from the postscreen_dnsbl_sites line but from a line also in main.cf which says the following? smtpd_client_restrictions = reject_rbl_client hidden-key.zen.dq.spamhaus.net Yes. Postfix logging will tell you which program produces the REJECT message: smtpd or postscreen. Wietse
Re: postscreen_dnsbl_sites
On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote: On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote: I had postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org This is right. Let me try again also! I presume your lookup is actually against key.zen.dq.spamhaus.org. That's what I said was right. Hereafter, key will be substituted for the actual key. and postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply in main.cf and I had the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org And here you are talking about spamhaus.net. Which is your lookup against, key.zen.dq.spamhaus.org or key.zen.dq.spamhaus.net? Do note that net is not org. net != org. This would never match. Assuming that you DID mean key.zen.dq.spamhaus.org, your postscreen_dnsbl_reply_map lookup of key.zen.dq.spamhaus.net would never match, because as we have seen, net is not org. :) If net was right, your munging was wrong. You probably want to rewrite that to zen.spamhaus.org without the dq domain component. That's what non-subscribers use. How can I prove to myself the spamhaus list actually being used now as opposed to being not used because of configuration? http://www.crynwr.com/spam/ provides a testing service. Or, maybe you're using a home Internet connection which is listed on PBL. If your port 25 is not blocked by the ISP, you could test from home. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: postscreen_dnsbl_sites
Please disable HTML when posting to mailing lists. On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote: I had postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org This is right. and postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply in main.cf and I had the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org net != org. This would never match. You probably want to rewrite that to zen.spamhaus.org without the dq domain component. That's what non-subscribers use. How can I prove to myself the spamhaus list actually being used now as opposed to being not used because of configuration? http://www.crynwr.com/spam/ provides a testing service. Or, maybe you're using a home Internet connection which is listed on PBL. If your port 25 is not blocked by the ISP, you could test from home. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
postscreen_dnsbl_sites
If in /etc/postfix/dnsbl_reply file there is a line: the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org And in main.cf there is the line: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply Should the line in main.cf for postscreen_dnsbl_sites = use the long name with the key in it or the short reply name? Does it matter what the short name returned is; that is could I use zen.spamhaus.org just to keep it shorter? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
Re: postscreen_dnsbl_sites
On 5/3/2013 9:33 PM, Robert Lopez wrote: If in /etc/postfix/dnsbl_reply file there is a line: the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org And in main.cf there is the line: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply Should the line in main.cf for postscreen_dnsbl_sites = use the long name with the key in it or the short reply name? The one that produces a valid response; if you have a spamhaus subscription, that would be the long one, with your authorization. Does it matter what the short name returned is; that is could I use zen.spamhaus.org just to keep it shorter? It's text, in a text response. It can be whatever makes you happy. -- J.
Re: postscreen_dnsbl_sites
I had postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org and postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply in main.cf and I had the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org in the /etc/postfix/dnsbl_reply file. One of many emails sent from a yahoo test account did happen to use a yahoo server listed by zen.dq.spamhaus.org and I did get back a reply with the key exposed: Remote host said: 550 5.7.1 Service unavailable; client [98.136.218.178] blocked using th-authorization-key-was-here.zen.dq.spamhaus.org [RCPT_TO] I then changed the one line in the main.cf from postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org to postscreen_dnsbl_sites = zen.dq.spamhaus.org and since then none of the test emails have been rejected. How can I prove to myself the spamhaus list actually being used now as opposed to being not used because of configuration? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of? Rich Wales ri...@richw.org
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On 6/8/2011 12:05 PM, Rich Wales wrote: Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of? Rich Wales ri...@richw.org The postscreen program doesn't do reverse DNS lookups in the interest of speed and simplicity. As a consequence, it is not possible to do any hostname-based filtering in postscreen. There are no current plans to change this. -- Noel Jones
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On Wed, Jun 08, 2011 at 10:05:05AM -0700, Rich Wales wrote: Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Why move any checks into postscreen? I basically left my smtpd restrictions alone. I figure they can't hurt and might help. Sure, they are lonely and mostly unused, but they were a good policy in pre-postscreen days, so they're still good. I can give an example of when/why they might help. Under stress, postscreen reduces the greet pause to 2 seconds. Under stress, the possibility that DNSBL responses might be delayed is greater. Why would you not avail yourself of that second chance to query zen.spamhaus.org? It's cached now at your nameserver, whether positive or negative, so it hurts nothing. Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of? I think postscreen needs to stay lightweight and fast. It does not need to replace all the antispam functionality of smtpd. -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Rich Wales: Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, not planned, or perhaps intrinsically evil for some reason I'm not thinking of? I concur with what others wrote, and would like to emphasize again that postscreen is not a REPLACEMENT for existing smtpd features. It is a filter that blocks the most suspicious clients with the smallest possible effort. The existing postfix features can take care of the rest of the problem. Wietse
Re: postscreen_dnsbl_sites vs. reject_rbl_client
* Rich Wales ri...@richw.org: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will now be redundant? Since postscreen uses caching extensively, it might make sense to query the RBLs another time, since a host may be blacklisted in the meantime. -- Ralf Hildebrandt IT Division | Network Department Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen_dnsbl_sites vs. reject_rbl_client
* Rich Wales ri...@richw.org: value from a given list. (I won't go into the details, they would be off-topic here, but it's nice to have this capability.) It will probably start a flamewar, but I personally am interested in your particular weights on the different RBLs -- Ralf Hildebrandt IT Division | Network Department Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Rich Wales: Note that postscreen caches the results of successful tests, so that it does not repeat every test for every connection. This is controlled by the postscreen_mumble_ttl parameters. Some caching may also be done by my DNS server too, right? This would, of course, be transparent to Postfix and would depend on the TTL info from the whitelist / blocklist. Note the following difference. postscreen caches that the client IS NOT listed in DNSBL. It doesn't cache clients that are listed. DNS servers cache that the client IS listed in DNSBL. They don't cache non-existent DNSBL records. So, the two really cache opposite things, if we focus on good SMTP clients. And that is where Postfix tries to minimize the performance hit. Wietse
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On Tue, Jun 07, 2011 at 07:03:34AM -0400, Wietse Venema wrote: Note the following difference. postscreen caches that the client IS NOT listed in DNSBL. It doesn't cache clients that are listed. DNS servers cache that the client IS listed in DNSBL. They don't cache non-existent DNSBL records. This depends on the negative TTL of the RBL zone. Generally, RBL zones have comparable positive and negative TTLs. For example Zen seems to have a 3 minute negative TTL:
    $ dig +noall +ans +auth -t a 127.2.0.192.zen.spamhaus.org
    zen.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1106071530 3600 600 432000 150
And a 15 minute positive TTL:
    $ dig +noall +ans -t a 126.145.66.190.zen.spamhaus.org
    126.145.66.190.zen.spamhaus.org. 900 IN A 127.0.0.4
    126.145.66.190.zen.spamhaus.org. 900 IN A 127.0.0.11
-- Viktor.
postscreen_dnsbl_sites vs. reject_rbl_client
If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will now be redundant? Rich Wales ri...@richw.org
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On 06/06/2011 10:45 PM, Rich Wales wrote: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will now be redundant? On the interfaces and ports that postscreen(8) passes mail to, yes. If you have a dedicated submission port, this is not affected by postscreen running on port 25. Do note that the behaviour is different; you will be able to directly transplant your reject_rbl_client RBLs to postscreen, but postscreen has many more options available, such as checking for exact return values, and scoring different RBLs with separate weight values. -- J.
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On 6/6/2011 5:34 PM, Jeroen Geilman wrote: On 06/06/2011 10:45 PM, Rich Wales wrote: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will now be redundant? On the interfaces and ports that postscreen(8) passes mail to, yes. If you have a dedicated submission port, this is not affected by postscreen running on port 25. Do note that the behaviour is different; you will be able to directly transplant your reject_rbl_client RBLs to postscreen, but postscreen has many more options available, such as checking for exact return values, and scoring different RBLs with separate weight values. The reject_rbl_client (and various relations) smtpd restrictions can also check for exact values (postfix 2.1 and newer), or for ranges (postfix 2.8 and newer, same range syntax as postscreen). The weighted scores are unique to postscreen. http://www.postfix.org/postconf.5.html#reject_rbl_client The other difference is that postscreen caches a pass dnsbl result for $postscreen_dnsbl_ttl (default 1h). Some sites may prefer to lower the cache TTL or do the tests in smtpd to quickly catch previously good clients gone bad, or to increase the TTL to reduce DNS lookups and latency. http://www.postfix.org/postconf.5.html#postscreen_dnsbl_ttl -- Noel Jones
Re: postscreen_dnsbl_sites vs. reject_rbl_client
On the interfaces and ports that postscreen(8) passes mail to, yes. Do note that the behaviour is different; you will be able to directly transplant your reject_rbl_client RBLs to postscreen, but postscreen has many more options available, such as checking for exact return values, and scoring different RBLs with separate weight values. Yes, I see that, and I like it. As one important step in my postscreen conversion, I reviewed the documentation for numerous blocklists (some of which I had passed over earlier because I wasn't willing to trust them completely) and assigned different scores depending on the returned value from a given list. (I won't go into the details, they would be off-topic here, but it's nice to have this capability.) Rich Wales ri...@richw.org
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Rich Wales: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will now be redundant? Almost. Note that postscreen caches the results of successful tests, so that it does not repeat every test for every connection. This is controlled by the postscreen_mumble_ttl parameters. postconf | grep 'postscreen_.*_ttl' Wietse
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Note that postscreen caches the results of successful tests, so that it does not repeat every test for every connection. This is controlled by the postscreen_mumble_ttl parameters. Some caching may also be done by my DNS server too, right? This would, of course, be transparent to Postfix and would depend on the TTL info from the whitelist / blocklist. It appears, based on my server's logs, that postscreen always queries every site I name in postscreen_dnsbl_sites -- subject, of course, to caching by my DNS server and by postscreen's own TTL settings. I'd think it would be possible, in some cases, to avoid some queries once enough information is obtained to make a threshold decision -- e.g., by checking lists in descending order by absolute value of weight, a point may be reached where no further results can make a difference in the decision to permit or reject. Do you think there would be any point in doing this? Or would it just be a meaningless exercise, and you might as well query everything every time? Rich Wales ri...@richw.org
Re: postscreen_dnsbl_sites vs. reject_rbl_client
Rich Wales: Note that postscreen caches the results of successful tests, so that it does not repeat every test for every connection. This is controlled by the postscreen_mumble_ttl parameters. Some caching may also be done by my DNS server too, right? This would, of course, be transparent to Postfix and would depend on the TTL info from the whitelist / blocklist. It appears, based on my server's logs, that postscreen always queries every site I name in postscreen_dnsbl_sites -- subject, of course, to caching by my DNS server and by postscreen's own TTL settings. I'd think it would be possible, in some cases, to avoid some queries once enough information is obtained to make a threshold decision -- e.g., by checking lists in descending order by absolute value of weight, a point may be reached where no further results can make a difference in the decision to permit or reject. Do you think there would be any point in doing this? Or would it just be a meaningless exercise, and you might as well query everything every time? Just like postscreen examines multiple clients in parallel, postscreen sends DNSBL queries in parallel. Everything is done in parallel, to minimize the delay for good clients. Wietse
postscreen_dnsbl_sites filter syntax?
I must be doing something silly, but I can't see my mistake.
    $ postconf postscreen_dnsbl_sites
    postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
    postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2
Or to simplify the matter:
    $ postconf postscreen_dnsbl_sites
    postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[3,4]
    postfix/postscreen[25207]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[3
Without a filter or with just a plain dotted-quad it works normally. This is postfix-2.8.0-RC2, FreeBSD, installed from ports mail/postfix-current after adjusting the version of a filename and a checksum. Mark
Re: postscreen_dnsbl_sites filter syntax?
On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2 There is a parser issue here, since , is both a valid separator between list elements and a separator in the filter notation. -- Viktor.
Re: postscreen_dnsbl_sites filter syntax?
Mark Martinec: I must be doing something silly, but I can't see my mistake. $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2 The problem is that the string ends in [2. As originally implemented in 2009, postscreen_dnsbl_sites uses the comma as separator character. This was more than a year before the pattern syntax was added, which uses comma as the set delimiter. Of course I can't have an incompatible syntax change in a stable release candidate, so this is going to require some workaround (don't split on comma after open '['). At least my effort to produce very precise syntax error reports are paying off. Wietse
Re: postscreen_dnsbl_sites filter syntax?
On 1/18/2011 2:46 PM, Wietse Venema wrote: Mark Martinec: I must be doing something silly, but I can't see my mistake. $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2 The problem is that the string ends in [2. As originally implemented in 2009, postscreen_dnsbl_sites uses the comma as separator character. This was more than a year before the pattern syntax was added, which uses comma as the set delimiter. Of course I can't have an incompatible syntax change in a stable release candidate, so this is going to require some workaround (don't split on comma after open '['). At least my effort to produce very precise syntax error reports are paying off. Wietse Same error in the smtpd restrictions. mail_version = 2.9-20110116 main.cf: ... smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2,3] maillog: ... postfix/smtpd[66721]: fatal: RBL reply error: need , or ] at 127.0.0.[2 -- Noel Jones
Re: postscreen_dnsbl_sites filter syntax?
On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote: On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2 There is a parser issue here, since , is both a valid separator between list elements and a separator in the filter notation. This is likely also a problem in smtpd(8) when parsing similar expressions with reject_rbl_client domain=filter. -- Viktor.
Re: postscreen_dnsbl_sites filter syntax?
Victor Duchovni: On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote: On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at 127.0.0.[2 There is a parser issue here, since , is both a valid separator between list elements and a separator in the filter notation. This is likely also a problem in smtpd(8) when parsing similar expressions with reject_rbl_client domain=filter. A bit of context-sensitive parsing wil handle this without breaking existing configurations. Wietse Something along the lines of: /* * Workaround. The , was already in use as dnsbl list separator. */ for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { if (*cp == '[') { keep++; } else if (*cp == ']' keep 0) { keep--; } else if (*cp == ',' keep = 0) { *cp = ' '; } } dnsbl_site = argv_split(var_psc_dnsbl_sites, , \t\r\n);
Re: postscreen_dnsbl_sites filter syntax?
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: Something along the lines of: /* * Workaround. The , was already in use as dnsbl list separator. */ for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { if (*cp == '[') { keep++; } else if (*cp == ']' && keep > 0) { keep--; } else if (*cp == ',' && keep <= 0) { *cp = ' '; } } dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n"); Right, reasonably elegant, but with the split now on just " \t\r\n". -- Viktor.
Re: postscreen_dnsbl_sites filter syntax?
Victor Duchovni: On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: Something along the lines of: /* * Workaround. The , was already in use as dnsbl list separator. */ for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { if (*cp == '[') { keep++; } else if (*cp == ']' && keep > 0) { keep--; } else if (*cp == ',' && keep <= 0) { *cp = ' '; } } dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n"); Right, reasonably elegant, but with the split now on just " \t\r\n". But having , inside an access control feature is likely to break third-party tools that maintain Postfix configuration files. The alternative is to change the address filter syntax, and to replace , by a different set separator such as ;. Wietse
Re: postscreen_dnsbl_sites filter syntax?
* Wietse Venema postfix-users@postfix.org: Victor Duchovni: On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: Something along the lines of: /* * Workaround. The , was already in use as dnsbl list separator. */ for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { if (*cp == '[') { keep++; } else if (*cp == ']' && keep > 0) { keep--; } else if (*cp == ',' && keep <= 0) { *cp = ' '; } } dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n"); Right, reasonably elegant, but with the split now on just " \t\r\n". But having , inside an access control feature is likely to break third-party tools that maintain Postfix configuration files. The alternative is to change the address filter syntax, and to replace , by a different set separator such as ;. 2.9 is still release candidate. You could do that or does it break your rules? p@rick -- All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified. saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen_dnsbl_sites filter syntax?
On Tue, Jan 18, 2011 at 04:08:12PM -0500, Wietse Venema wrote:

> But having , inside an access control feature is likely to break
> third-party tools that maintain Postfix configuration files.
>
> The alternative is to [modify] the address filter syntax, and to
> replace , by a different set separator such as ;.

This is safer, if incompatible with the snapshots, but clearly not too
many folks have relied on the (non-working) syntax.

-- 
	Viktor.
Re: postscreen_dnsbl_sites filter syntax?
* Patrick Ben Koetter <p...@state-of-mind.de>:
> * Wietse Venema <postfix-users@postfix.org>:
> > Victor Duchovni:
> > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
> > > > Something along the lines of:
> > > >
> > > >     /*
> > > >      * Workaround. The , was already in use as dnsbl list separator.
> > > >      */
> > > >     for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
> > > >         if (*cp == '[') {                        /* entering a [..] set */
> > > >             keep++;
> > > >         } else if (*cp == ']' && keep > 0) {     /* leaving a [..] set */
> > > >             keep--;
> > > >         } else if (*cp == ',' && keep == 0) {    /* list separator, not set separator */
> > > >             *cp = ' ';
> > > >         }
> > > >     }
> > > >     dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n");
> > >
> > > Right, reasonably elegant, but with the split now on just " \t\r\n".
> >
> > But having , inside an access control feature is likely to break
> > third-party tools that maintain Postfix configuration files.
> >
> > The alternative is to change the address filter syntax, and to
> > replace , by a different set separator such as ;.
>
> 2.9 is still release candidate. You could do that or does it break your rules?

I meant 2.8.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen_dnsbl_sites filter syntax?
Patrick Ben Koetter:
> * Wietse Venema <postfix-users@postfix.org>:
> > Victor Duchovni:
> > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
> > > > Something along the lines of:
> > > >
> > > >     /*
> > > >      * Workaround. The , was already in use as dnsbl list separator.
> > > >      */
> > > >     for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
> > > >         if (*cp == '[') {                        /* entering a [..] set */
> > > >             keep++;
> > > >         } else if (*cp == ']' && keep > 0) {     /* leaving a [..] set */
> > > >             keep--;
> > > >         } else if (*cp == ',' && keep == 0) {    /* list separator, not set separator */
> > > >             *cp = ' ';
> > > >         }
> > > >     }
> > > >     dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n");
> > >
> > > Right, reasonably elegant, but with the split now on just " \t\r\n".
> >
> > But having , inside an access control feature is likely to break
> > third-party tools that maintain Postfix configuration files.
> >
> > The alternative is to change the address filter syntax, and to
> > replace , by a different set separator such as ;.
>
> 2.9 is still release candidate. You could do that or does it break your rules?

The [x,x] syntax never worked in main.cf, so I can't break configuration
file compatibility by changing to [x;x].  But I would have to update a
dozen regression tests that I wrote for the code module that implements
the address filter.

	Wietse
Re: postscreen_dnsbl_sites filter syntax?
Wietse Venema:
> * Wietse Venema <postfix-users@postfix.org>:
> > Victor Duchovni:
> > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
> > > > Something along the lines of:
> > > >
> > > >     /*
> > > >      * Workaround. The , was already in use as dnsbl list separator.
> > > >      */
> > > >     for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
> > > >         if (*cp == '[') {                        /* entering a [..] set */
> > > >             keep++;
> > > >         } else if (*cp == ']' && keep > 0) {     /* leaving a [..] set */
> > > >             keep--;
> > > >         } else if (*cp == ',' && keep == 0) {    /* list separator, not set separator */
> > > >             *cp = ' ';
> > > >         }
> > > >     }
> > > >     dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n");
> > >
> > > Right, reasonably elegant, but with the split now on just " \t\r\n".
> >
> > But having , inside an access control feature is likely to break
> > third-party tools that maintain Postfix configuration files.
> >
> > The alternative is to change the address filter syntax, and to
> > replace , by a different set separator such as ;.
>
> The [x,x] syntax never worked in main.cf, so I can't break configuration
> file compatibility by changing to [x;x].  But I would have to update a
> dozen regression tests that I wrote for the code module that implements
> the address filter.

This changes the syntax to:

postscreen_dnsbl_sites:

    Specify a list of domain=filter*weight entries, separated by
    comma or whitespace.

    o When no =filter is specified, postscreen(8) will use any
      non-error DNSBL reply.  Otherwise, postscreen(8) uses only
      DNSBL replies that match the filter.  The filter has the form
      d.d.d.d, where each d is a number, or a pattern inside []
      that contains one or more ;-separated numbers or number..number
      ranges.

    ...

reject_rbl_client rbl_domain=d.d.d.d

    Reject the request when the reversed client network address is
    listed with the A record d.d.d.d under rbl_domain (Postfix version
    2.1 and later only).  Each d is a number, or a pattern inside []
    that contains one or more ;-separated numbers or number..number
    ranges (Postfix version 2.8 and later).

    ...

And likewise for all reject_*bl_* features.

	Wietse
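The following is an added example, not Postfix source and not code from anyone in this thread. It implements the syntax Wietse settles on above: a `domain=filter*weight` list separated by comma or whitespace, where each `d` in the `d.d.d.d` filter is a number or a `[...]` set of `;`-separated numbers or `lo..hi` ranges. It also shows why the `;` separator removes the need for the bracket-counting workaround quoted at the top of the thread: once commas can no longer appear inside `[...]`, a plain split on `", \t\r\n"` is unambiguous. The struct and function names (`dnsbl_site`, `parse_dnsbl_sites`, `dnsbl_filter_match`) and the sample configuration value in `demo_parse()` are this example's own inventions; the domains in it are constructed placeholders, not real DNSBL operators.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dnsbl_site {
    char domain[128];
    char filter[64];            /* "" means: accept any non-error reply */
    int  weight;                /* "*weight" suffix, default 1 */
};

/* Read a decimal octet (0..255) at *p and advance *p; -1 on error. */
static int parse_num(const char **p)
{
    char *end;
    long v = strtol(*p, &end, 10);
    if (!isdigit((unsigned char) **p) || v > 255) return -1;
    *p = end;
    return (int) v;
}

/* Match one octet against "d" or "[d;lo..hi;...]"; 1/0, -1 on syntax error. */
static int match_component(const char **p, int octet)
{
    int matched = 0, lo, hi;
    if (**p != '[') {                           /* plain number */
        lo = parse_num(p);
        return lo < 0 ? -1 : lo == octet;
    }
    (*p)++;                                     /* skip '[' */
    for (;;) {
        if ((lo = parse_num(p)) < 0) return -1;
        hi = lo;
        if ((*p)[0] == '.' && (*p)[1] == '.') {  /* lo..hi range */
            *p += 2;
            if ((hi = parse_num(p)) < 0 || hi < lo) return -1;
        }
        if (octet >= lo && octet <= hi) matched = 1;
        if (**p == ';') {                        /* ';' separates set members */
            (*p)++;
        } else if (**p == ']') {
            (*p)++;
            return matched;
        } else {
            return -1;                           /* junk or unterminated '[' */
        }
    }
}

/* Does a DNSBL A-record reply match the filter? 1/0, -1 on malformed input. */
int dnsbl_filter_match(const char *filter, const char *reply)
{
    unsigned a[4];
    char extra;
    const char *p = filter;
    int i, r, ok = 1;
    if (*filter == '\0') return 1;               /* no =filter: any reply */
    if (sscanf(reply, "%u.%u.%u.%u%c", &a[0], &a[1], &a[2], &a[3], &extra) != 4)
        return -1;
    for (i = 0; i < 4; i++) {
        if (a[i] > 255 || (r = match_component(&p, (int) a[i])) < 0) return -1;
        if (r == 0) ok = 0;                      /* keep parsing to validate syntax */
        if (i < 3 && *p++ != '.') return -1;
    }
    return *p == '\0' ? ok : -1;
}

/* Split a postscreen_dnsbl_sites value into entries. With ';' as the in-bracket
 * separator, a plain split on ", \t\r\n" is unambiguous. Entry count or -1. */
int parse_dnsbl_sites(const char *value, struct dnsbl_site *out, int max)
{
    char buf[1024], *tok, *eq, *star, *end;
    int n = 0;
    snprintf(buf, sizeof(buf), "%s", value);
    for (tok = strtok(buf, ", \t\r\n"); tok; tok = strtok(NULL, ", \t\r\n")) {
        if (n >= max) return -1;
        out[n].weight = 1;
        out[n].filter[0] = '\0';
        if ((star = strchr(tok, '*')) != NULL) { /* optional *weight */
            *star = '\0';
            out[n].weight = (int) strtol(star + 1, &end, 10);
            if (end == star + 1 || *end != '\0') return -1;
        }
        if ((eq = strchr(tok, '=')) != NULL) {   /* optional =filter */
            *eq = '\0';
            snprintf(out[n].filter, sizeof(out[n].filter), "%s", eq + 1);
        }
        if (*tok == '\0') return -1;             /* missing domain */
        snprintf(out[n].domain, sizeof(out[n].domain), "%s", tok);
        n++;
    }
    return n;
}

/* Constructed sample value; example domains, not real DNSBL operators. */
struct dnsbl_site demo_sites[8];
int demo_parse(void)
{
    return parse_dnsbl_sites("dnsbl.example.net=127.0.0.[2;4..7]*2, "
        "bl.example.org\tlist.example.com=127.0.0.2", demo_sites, 8);
}
```

The matcher deliberately keeps parsing after the first non-matching octet so that a malformed filter (unterminated `[`, reversed `lo..hi`, trailing junk) is reported as an error rather than silently treated as "no match"; for a setting that decides whether a client is rejected, a typo that quietly disables a rule is worse than a startup failure.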