[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Marek Podmaka via Postfix-users
On Wed, 10 Jan 2024 at 16:45, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

>
> Keeping in mind
> that of course in smtpd(8) there's no scoring, so the whitelists with
> negative scores aren't available.  If you absolutely want to ensure
> that the whitelists are honoured, then you need to stick to just
> postscreen.
>
>
He can use permit_dnswl_client in smtpd_*_restrictions to use whitelists
without postscreen.

-- 
  bye, Marki
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Matus UHLAR - fantomas via Postfix-users

On 10.01.24 20:18, Nikolaos Milas via Postfix-users wrote:
> Unfortunately at this time I don't have the luxury to invest time in
> more complex configuration scenarios as mail server management is only
> a small fraction of our tiny department... I guess I have to trust
> Postscreen and avoid false positives in smtpd restrictions as Matus
> advised.

I believe your dnsbls are quite sane and reliable, I just recommend
verifying return values so you won't reject any mail if they start blocking
you (and return "blocked" value for all lookups) or they get discontinued
and start returning positive values for all lookups (already happened):


zen.spamhaus.org=127.0.0.[0..255]
dnsbl.sorbs.net=127.0.0.[0..255]
bl.spamcop.net=127.0.0.2
list.dnswl.org=127.0.[0..255].[0..255]*-1
list.dnswl.org=127.0.[0..255].3*-1


I guess other bl's also provide list of correct values

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Nikolaos Milas via Postfix-users

On 10/1/2024 6:30 μ.μ., Bill Cole via Postfix-users wrote:
> You should be more selective about your long lists of DNSBLs. They are
> not all the same thing, and so are not all suitable for use at
> postscreen time. It seems like you are ignoring the fact that the
> underlying cause of this rejection is your decision to trust the
> Spamcop 'bl' list as an absolute blocker, which for most people who
> value their email is not a good idea. If you want to consistently
> receive mail from the giant mailbox providers, you need to use more
> nuanced mechanisms.
>
> ...
> Using reject_rbl_client with DNSBLs which occasionally list IPs which
> send a mix of spam and ham can be made feasible by putting the
> reject_rbl_client restriction late in the restriction list and having
> exemption mechanisms ahead of it. For example, I use reject_rbl_client
> extensively, but with check_*_access maps ahead of those directives.
> If you like everything about the Spamcop DNSBL except for it listing
> Microsoft outbounds, you could have a check_client_access directive
> with a map that permits *.outbound.protection.outlook.com clients
> before any DNSBL checks (in the same restriction list.)


Thank you Bill, and all others for your feedback.

Unfortunately at this time I don't have the luxury to invest time in 
more complex configuration scenarios as mail server management is only a 
small fraction of our tiny department... I guess I have to trust 
Postscreen and avoid false positives in smtpd restrictions as Matus 
advised.


To optimize behavior I would need to constantly monitor BL trust status 
and experiment with configuration changes (supported/offered abundantly 
by postfix) which is not feasible in my case I am afraid. I have to be 
modest in my aspirations.


However, I do admit that all suggestions do have their place if used 
knowledgeably in the right context.


If there are any complete and working configuration suggestions I could 
probably try them, but it would be very difficult to work on preparing a 
new one starting from our current config.


If anyone would like to provide or point to any publicly available 
*complete* config suggestion(s) for testing in our production 
environment, please let me know.


{Note: Our gateway servers are working with postfix - amavis (with 
spamassassin, clamav) on Rocky Linux 8.}


All the best,
Nick



[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Bill Cole via Postfix-users

On 2024-01-10 at 10:12:26 UTC-0500 (Wed, 10 Jan 2024 17:12:26 +0200)
Nikolaos Milas via Postfix-users
is rumored to have said:

[...]
> and this causes legitimate mail to be discarded (actual mail addresses
> modified above).
>
> My question in this case: If I understand right, it seems that
> postscreen allows the client connection even though it is listed
> because it uses a cache which serves as a useful buffer; however the
> client is subsequently blocked by reject_rbl_client restrictions.
>
> So, it seems I should entirely remove the reject_rbl_client filters
> (from smtpd_recipient_restrictions) as they are already listed with
> postscreen.


No, that's the wrong lesson.

You should be more selective about your long lists of DNSBLs. They are 
not all the same thing, and so are not all suitable for use at 
postscreen time. It seems like you are ignoring the fact that the 
underlying cause of this rejection is your decision to trust the Spamcop 
'bl' list as an absolute blocker, which for most people who value their 
email is not a good idea. If you want to consistently receive mail from 
the giant mailbox providers, you need to use more nuanced mechanisms.


> It appears to me that using rbl services both with postscreen and
> smtpd_recipient_restrictions is actually pointless and causes double
> lookups which in the end make things worse. Postscreen is sufficient
> and better in filtering with rbl services. Am I right?


Not sufficient and not better. Different.

Postscreen is intended and designed to catch "bots": automated senders 
of nothing but garbage. It exists to spare systems from running full 
smtpd processes for what are ultimately no-op sessions. Unless you 
enable its extended checks, postscreen is very lightweight and fast. 
That's partly because it has no time-consuming exemption mechanisms 
(only fast ones.)


Using reject_rbl_client with DNSBLs which occasionally list IPs which 
send a mix of spam and ham can be made feasible by putting the 
reject_rbl_client restriction late in the restriction list and having 
exemption mechanisms ahead of it. For example, I use reject_rbl_client 
extensively, but with check_*_access maps ahead of those directives. If 
you like everything about the Spamcop DNSBL except for it listing 
Microsoft outbounds, you could have a check_client_access directive with 
a map that permits *.outbound.protection.outlook.com clients before any 
DNSBL checks (in the same restriction list.)




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
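
Added example, not part of the message above and not Postfix code: a simplified Python model of how smtpd walks one restriction list, showing why an exemption only helps when it sits ahead of reject_rbl_client. The rule helpers, the DNS table (built from the log lines in the original post plus one constructed client, 192.0.2.10) and the verdict strings are assumptions made for the illustration.

```python
# Constructed lookup table: the two answers logged for 40.107.20.56 in the
# original post, plus a made-up listed client from a documentation range.
DNS = {
    ("bl.spamcop.net", "40.107.20.56"): "127.0.0.2",
    ("list.dnswl.org", "40.107.20.56"): "127.0.3.0",
    ("bl.spamcop.net", "192.0.2.10"): "127.0.0.2",
}

def listed(zone, client):
    return (zone, client["addr"]) in DNS

def reject_rbl_client(zone):
    return (f"reject_rbl_client {zone}",
            lambda c: "REJECT" if listed(zone, c) else "DUNNO")

def permit_dnswl_client(zone):
    return (f"permit_dnswl_client {zone}",
            lambda c: "PERMIT" if listed(zone, c) else "DUNNO")

def check_client_access(ok_domains):
    # Models an access map whose entries all say OK. Postfix only matches
    # the client name when reverse and forward DNS agree; otherwise the
    # name is "unknown" and the map does not apply.
    def rule(c):
        hit = any(c["name"] == d or c["name"].endswith("." + d)
                  for d in ok_domains)
        return "PERMIT" if hit else "DUNNO"
    return ("check_client_access", rule)

def evaluate(restrictions, client):
    """Return (verdict, deciding rule); the first non-DUNNO result wins."""
    for label, rule in restrictions:
        verdict = rule(client)
        if verdict != "DUNNO":
            return verdict, label
    return "PERMIT", "end of list"

DNSBLS = [reject_rbl_client(z) for z in (
    "b.barracudacentral.org", "zen.spamhaus.org",
    "psbl.surriel.com", "bl.spamcop.net")]
EXEMPT = check_client_access({"outbound.protection.outlook.com"})

AS_POSTED = DNSBLS                      # list from the original post
EXEMPT_FIRST = [EXEMPT] + DNSBLS        # exemption ahead of the DNSBLs
EXEMPT_LAST = DNSBLS + [EXEMPT]         # same exemption, too late
DNSWL_FIRST = [permit_dnswl_client("list.dnswl.org")] + DNSBLS

OUTLOOK = {"name": "mail-db8eur05on2056.outbound.protection.outlook.com",
           "addr": "40.107.20.56"}
OTHER = {"name": "unknown", "addr": "192.0.2.10"}   # constructed client

if __name__ == "__main__":
    for name in ("AS_POSTED", "EXEMPT_FIRST", "EXEMPT_LAST", "DNSWL_FIRST"):
        print(name, evaluate(globals()[name], OUTLOOK), evaluate(globals()[name], OTHER))
```

On a real server, a permitting rule placed in smtpd_recipient_restrictions ahead of reject_unauth_destination also skips the relay check for the exempted clients, unless relay control is handled separately in smtpd_relay_restrictions (Postfix 2.10 and later).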


[pfx] Re: Downloadlinks for postfix-3.9-20240109 seem to be broken

2024-01-10 Thread Wietse Venema via Postfix-users
Ralf Hildebrandt via Postfix-users:
> http://ftp.porcupine.org/mirrors/postfix-release/index.html

Forgot to push these. It's uploading now, but I am on public WIFI.

Wietse


[pfx] Re: Downloadlinks for postfix-3.9-20240109 seem to be broken

2024-01-10 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 10, 2024 at 04:47:43PM +0100, Ralf Hildebrandt via Postfix-users 
wrote:

> http://ftp.porcupine.org/mirrors/postfix-release/index.html
> 
> lists:
> 
> http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20240109.tar.gz
> http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20240109.HISTORY

The most recent snapshot on Wietse's FTP server is at the moment:

-r--r--r--  1 wietse  wheel  4908912 Jan  6 19:57 postfix-3.9-20240106.tar.gz
-r--r--r--  1 wietse  wheel      280 Jan  6 19:57 postfix-3.9-20240106.tar.gz.sig
-r--r--r--  1 wietse  wheel      480 Jan  6 19:57 postfix-3.9-20240106.tar.gz.gpg1
-r--r--r--  1 wietse  wheel      220 Jan  6 19:57 postfix-3.9-20240106.tar.gz.gpg2
-r--r--r--  1 wietse  wheel     9468 Jan  6 19:50 postfix-3.9-20240106.RELEASE_NOTES
-r--r--r--  1 wietse  wheel   991448 Jan  6 19:39 postfix-3.9-20240106.HISTORY
... older files ...

The index was indeed modified on 2024-01-09:

-r--r--r--  1 wietse  wheel  11 Jan 10 10:04 time
-r--r--r--  1 wietse  wheel   72297 Jan  9 18:47 index.html
drwxr-xr-x  3 wietse  wheel   82432 Jan  6 20:07 experimental
drwxr-xr-x  2 wietse  wheel   89088 Dec 22 15:02 official
... older files/directories ...

but neither of the distribution directories have been updated since
2024-01-06.  So it looks like the tarball upload has not happened yet.
I expect the index and tarballs will be back in sync before long...

--
Viktor.


[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Wed, Jan 10, 2024 at 05:38:37PM +0200, Nikolaos Milas via Postfix-users 
> wrote:
> 
> > On 10/1/2024 5:24 μ.μ., Matus UHLAR - fantomas via Postfix-users wrote:
> > 
> > > If you use postscreen, remove reject_rbl_client from *_restrictions.
> > > 
> > > reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are fine
> > > to stay since they use something postscreen does not.
> > 
> > Thanks Matus for your prompt reply. I appreciate it a lot.
> 
> My advice is slightly different, I'd still use zen.spamhaus.org in
> smtpd(8), without any of the other (more prone to be false positive)
> lists.  The postscreen cached verdict can be outdated.  Keeping in mind
> that of course in smtpd(8) there's no scoring, so the whitelists with
> negative scores aren't available.  If you absolutely want to ensure
> that the whitelists are honoured, then you need to stick to just
> postscreen.

postscreen versions after 2015 respect the TTL from SOA or positive
lookup result, bounded between postscreen_dnsbl_min_ttl and
postscreen_dnsbl_max_ttl inclusive.

Wietse


[pfx] Downloadlinks for postfix-3.9-20240109 seem to be broken

2024-01-10 Thread Ralf Hildebrandt via Postfix-users
http://ftp.porcupine.org/mirrors/postfix-release/index.html

lists:

http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20240109.tar.gz
http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20240109.HISTORY

both of which report:

The requested URL 
/mirrors/postfix-release/experimental/postfix-3.9-20240109.tar.gz was not found 
on this server.
The requested URL 
/mirrors/postfix-release/experimental/postfix-3.9-20240109.HISTORY was not 
found on this server.
Apache/1.3.29 Ben-SSL/1.53 Server at ftp.porcupine.org Port 80

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
  Invalidenstraße 120/121 | D-10115 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | https://www.charite.de



[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 10, 2024 at 05:38:37PM +0200, Nikolaos Milas via Postfix-users 
wrote:

> On 10/1/2024 5:24 μ.μ., Matus UHLAR - fantomas via Postfix-users wrote:
> 
> > If you use postscreen, remove reject_rbl_client from *_restrictions.
> > 
> > reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are fine
> > to stay since they use something postscreen does not.
> 
> Thanks Matus for your prompt reply. I appreciate it a lot.

My advice is slightly different, I'd still use zen.spamhaus.org in
smtpd(8), without any of the other (more prone to be false positive)
lists.  The postscreen cached verdict can be outdated.  Keeping in mind
that of course in smtpd(8) there's no scoring, so the whitelists with
negative scores aren't available.  If you absolutely want to ensure
that the whitelists are honoured, then you need to stick to just
postscreen.

-- 
Viktor.


[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Nikolaos Milas via Postfix-users

On 10/1/2024 5:24 μ.μ., Matus UHLAR - fantomas via Postfix-users wrote:

> If you use postscreen, remove reject_rbl_client from *_restrictions.
>
> reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are
> fine to stay since they use something postscreen does not.


Thanks Matus for your prompt reply. I appreciate it a lot.

Cheers,
Nick



[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Matus UHLAR - fantomas via Postfix-users

On 10.01.24 17:12, Nikolaos Milas via Postfix-users wrote:
> Our postfix v3.8.3 mail gateway server (for incoming mail) filters
> clients using postscreen as follows:
>
>   postscreen_dnsbl_sites =
>        zen.spamhaus.org*3
>        b.barracudacentral.org*2
>        bl.spameatingmonkey.net*2
>        bl.spamcop.net
>        dnsbl.sorbs.net
>        psbl.surriel.com
>        bl.mailspike.net
>        list.dnswl.org=127.0.[0..255].0*-2
>        list.dnswl.org=127.0.[0..255].1*-3
>        list.dnswl.org=127.0.[0..255].[2..3]*-4

Here you configured 40.107.20.56 to be allowed

> and:
>
>   smtpd_recipient_restrictions =
>        ...
>        reject_rbl_client b.barracudacentral.org
>        reject_rbl_client zen.spamhaus.org
>        reject_rbl_client psbl.surriel.com
>        reject_rbl_client bl.spamcop.net

and yet you block it here.

>        reject_rhsbl_client dbl.spamhaus.org
>        reject_rhsbl_sender dbl.spamhaus.org
>        reject_rhsbl_helo dbl.spamhaus.org
>        permit
>
> It seems that the blacklisting services sometimes block some of
> microsoft/outlook servers. Example:
>
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
> Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD [40.107.20.56]:12832
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection established from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: 554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.20.56; from= to= proto=ESMTP helo=
>
> and this causes legitimate mail to be discarded (actual mail addresses
> modified above).
>
> My question in this case: If I understand right, it seems that
> postscreen allows the client connection even though it is listed
> because it uses a cache which serves as a useful buffer; however the
> client is subsequently blocked by reject_rbl_client restrictions.

precisely.

> So, it seems I should entirely remove the reject_rbl_client filters
> (from smtpd_recipient_restrictions) as they are already listed with
> postscreen.

If you use postscreen, remove reject_rbl_client from *_restrictions.

reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are fine to
stay since they use something postscreen does not.

> It appears to me that using rbl services both with postscreen and
> smtpd_recipient_restrictions is actually pointless

yes.

> and causes double lookups which in the end make things worse.

they will most likely be cached so this should not happen.
It's still pointless however.

> Postscreen is sufficient
> and better in filtering with rbl services. Am I right?

yes.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
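
Added example, not part of the message above and not Postfix source code: a small Python model of postscreen's DNSBL scoring, applied to the postscreen_dnsbl_sites list and the two dnsblog answers quoted in this thread, and to the reply filters recommended in the other reply on this page. The function names and the out-of-range sample answer are assumptions made for the illustration; the poster's postscreen_dnsbl_threshold is not shown, and Postfix's default is 1.

```python
import re

# Entry syntax modelled: domain[=d.d.d.d filter][*weight]. Each d is a number
# or a [...] pattern of ";"-separated numbers and lo..hi ranges.
ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")

def parse_entry(text):
    m = ENTRY.match(text.strip())
    if m is None:
        raise ValueError(f"bad postscreen_dnsbl_sites entry: {text!r}")
    return m["domain"], m["filter"], int(m["weight"] or 1)

def octet_matches(pattern, value):
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    if filt is None:            # no filter: any A record counts as "listed"
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def score(sites, replies):
    """Sum the weights of every entry whose domain returned a matching reply."""
    total = 0
    for entry in sites:
        domain, filt, weight = parse_entry(entry)
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            total += weight
    return total

# postscreen_dnsbl_sites exactly as posted in the thread.
NICK_SITES = [
    "zen.spamhaus.org*3", "b.barracudacentral.org*2",
    "bl.spameatingmonkey.net*2", "bl.spamcop.net", "dnsbl.sorbs.net",
    "psbl.surriel.com", "bl.mailspike.net",
    "list.dnswl.org=127.0.[0..255].0*-2",
    "list.dnswl.org=127.0.[0..255].1*-3",
    "list.dnswl.org=127.0.[0..255].[2..3]*-4",
]
# The two dnsblog answers logged for 40.107.20.56.
LOGGED = {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.3.0"]}
# Constructed answer outside the usual 127.0.0.x range, standing in for a
# list that has started answering every query.
ODD = {"zen.spamhaus.org": ["127.255.255.254"]}

if __name__ == "__main__":
    print("logged client:", score(NICK_SITES, LOGGED))   # +1 spamcop, -2 dnswl
    print("unfiltered:", score(["zen.spamhaus.org*3"], ODD))
    print("filtered:", score(["zen.spamhaus.org=127.0.0.[0..255]*3"], ODD))
```

The logged client scores -1 in postscreen, below the default threshold of 1, while the separate reject_rbl_client bl.spamcop.net check in smtpd sees only the Spamcop listing and rejects.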


[pfx] Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Nikolaos Milas via Postfix-users

Hello,

Our postfix v3.8.3 mail gateway server (for incoming mail) filters 
clients using postscreen as follows:


   postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].[2..3]*-4

and:

   smtpd_recipient_restrictions =
    ...
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    permit

It seems that the blacklisting services sometimes block some of 
microsoft/outlook servers. Example:


Jan 08 10:02:17 mailgw1 postfix/postscreen[925211]: CONNECT from [40.107.20.56]:12832 to [83.212.5.27]:25
Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD [40.107.20.56]:12832
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection established from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: 554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.20.56; from= to= proto=ESMTP helo=


and this causes legitimate mail to be discarded (actual mail addresses 
modified above).


My question in this case: If I understand right, it seems that 
postscreen allows the client connection even though it is listed because 
it uses a cache which serves as a useful buffer; however the client is 
subsequently blocked by reject_rbl_client restrictions.


So, it seems I should entirely remove the reject_rbl_client filters 
(from smtpd_recipient_restrictions) as they are already listed with 
postscreen.


It appears to me that using rbl services both with postscreen and 
smtpd_recipient_restrictions is actually pointless and causes double 
lookups which in the end make things worse. Postscreen is sufficient and 
better in filtering with rbl services. Am I right?


Thanks a lot,
Nick