Hello,

Our postfix v3.8.3 mail gateway server (for incoming mail) filters clients using postscreen as follows:

   postscreen_dnsbl_sites =
            zen.spamhaus.org*3
            b.barracudacentral.org*2
            bl.spameatingmonkey.net*2
            bl.spamcop.net
            dnsbl.sorbs.net
            psbl.surriel.com
            bl.mailspike.net
            list.dnswl.org=127.0.[0..255].0*-2
            list.dnswl.org=127.0.[0..255].1*-3
            list.dnswl.org=127.0.[0..255].[2..3]*-4

and:

   smtpd_recipient_restrictions =
            ...
            reject_rbl_client b.barracudacentral.org
            reject_rbl_client zen.spamhaus.org
            reject_rbl_client psbl.surriel.com
            reject_rbl_client bl.spamcop.net
            reject_rhsbl_client dbl.spamhaus.org
            reject_rhsbl_sender dbl.spamhaus.org
            reject_rhsbl_helo dbl.spamhaus.org
            permit

It seems that the blacklisting services sometimes block some of the Microsoft/Outlook servers. Example:

Jan 08 10:02:17 mailgw1 postfix/postscreen[925211]: CONNECT from [40.107.20.56]:12832 to [83.212.5.27]:25
Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD [40.107.20.56]:12832
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection established from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: 554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.20.56; from=<legitimate.u...@example.com> to=<our.u...@noa.gr> proto=ESMTP helo=<EUR05-DB8-obe.outbound.protection.outlook.com>

and this causes legitimate mail to be discarded (actual mail addresses modified above).

My question in this case: If I understand right, it seems that postscreen allows the client connection even though it is listed because it uses a cache which serves as a useful buffer; however the client is subsequently blocked by reject_rbl_client restrictions.

So, it seems I should entirely remove the reject_rbl_client filters (from smtpd_recipient_restrictions) as they are already listed with postscreen.

It appears to me that using rbl services both with postscreen and smtpd_recipient_restrictions is actually pointless and causes double lookups which in the end make things worse. Postscreen is sufficient and better in filtering with rbl services. Am I right?

Thanks a lot,
Nick
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
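
Added example, not part of the original post: a Python sketch that applies the weights from the postscreen_dnsbl_sites setting above to the two dnsblog replies in the log, and compares the combined score with the any-listing behaviour of reject_rbl_client. It assumes the Postfix default postscreen_dnsbl_threshold of 1 (the post does not show this setting) and handles only the reply-filter forms used in the post; the function names are illustrative.

```python
import re

# Weights copied from postscreen_dnsbl_sites in the post.
SITES = """zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2
bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4""".split()
# reject_rbl_client lists copied from smtpd_recipient_restrictions in the post.
RBL_CLIENT = ["b.barracudacentral.org", "zen.spamhaus.org",
              "psbl.surriel.com", "bl.spamcop.net"]
THRESHOLD = 1  # assumption: Postfix default postscreen_dnsbl_threshold
# dnsblog lines copied from the log excerpt in the post.
LOG = """\
Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
"""

def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    return m.group(1), m.group(2), int(m.group(3) or 1)

def reply_matches(flt, reply):
    """True if a DNSBL reply address satisfies the optional reply filter."""
    if flt is None:              # no filter: any reply counts as a hit
        return True
    pats = re.findall(r"\[\d+\.\.\d+\]|\d+", flt)   # 'N' or '[lo..hi]' per octet
    def ok(pat, octet):
        rng = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pat)
        if rng:
            return int(rng.group(1)) <= int(octet) <= int(rng.group(2))
        return pat == octet
    return all(ok(p, o) for p, o in zip(pats, reply.split(".")))

def listings(log):
    """(domain, reply) pairs taken from dnsblog 'listed by domain' lines."""
    return re.findall(r"listed by domain (\S+) as (\S+)", log)

def postscreen_score(log):
    """Sum the weights of every SITES entry matched by a logged reply."""
    return sum(w for dom, reply in listings(log)
               for d, flt, w in map(parse_site, SITES)
               if d == dom and reply_matches(flt, reply))

def smtpd_rejecting_list(log):
    """First reject_rbl_client list that has the client listed, else None."""
    listed = {dom for dom, _ in listings(log)}
    return next((d for d in RBL_CLIENT if d in listed), None)

if __name__ == "__main__":
    print("postscreen score:", postscreen_score(LOG), "threshold:", THRESHOLD)
    print("smtpd rejects via:", smtpd_rejecting_list(LOG))
```

postscreen blocks only when the combined score reaches the threshold, so the dnswl.org entry offsets the bl.spamcop.net listing there, while reject_rbl_client acts on a single listing and never consults list.dnswl.org.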
