Re: Postscreen exceptions and blacklisting
On 8/9/2017 4:17 μμ, /dev/rob0 wrote: ... Thanks a lot for your detailed and valuable advice! It helped me a lot to understand things better! I will surely work on my configuration based on your recommendations. I think I'll start by using your initial recommended changes and see how it goes. Unfortunately, I have to work on many other areas so I don't have much time for experimentation. Cheers, Nick
Re: Postscreen exceptions and blacklisting
On Fri, Sep 08, 2017 at 03:03:49PM +0300, Nikolaos Milas wrote: > On 8/9/2017 2:42 μμ, Wietse Venema wrote: > > Just as with smtpd access maps, permit/reject are a final > > decision, and dunno means 'let something else make the decision'. > > Please let my ask for a clarification here. The problem is that > the rejection seems to have happened by postscreen itself. > > I would expect that by using dunno for a client in > postscript_exceptions (as follows): > >postscreen_access_list = > permit_mynetworks, > cidr:/etc/postfix/postscreen_exceptions.cidr > > all the following postscreen directives would by bypassed for > this client: > >postscreen_dnsbl_threshold = 2 >postscreen_dnsbl_sites = > b.barracudacentral.org*2, > zen.spamhaus.org*2, > psbl.surriel.com*2 >postscreen_dnsbl_action = enforce >postscreen_greet_action = enforce >postscreen_blacklist_action = enforce > > Isn't this true? No, and I thought that was already answered. > In particular, why the postscreen_access_list did not affect the > postscreen_dnsbl_action, which I would expect to be bypassed? Your DUNNO result only terminated the postscreen_access_list test. > Can you please explain? Which postscreen actions are affected by > postscreen_access_list? A permit/OK result causes all postscreen tests to be bypassed. > Sorry if my question is dumb. It's really the wrong question. The fundamental problem is that you're trusting unsafe DNSBL services for outright rejection. This typically is the case for those who need whitelisting. >postscreen_dnsbl_threshold = 2 Default there is 1, and the way you are scoring things, you didn't need this. >postscreen_dnsbl_sites = > b.barracudacentral.org*2, A very good list, but fully automated from Barracuda devices' input; I have tried using it for rejection and had some complaints about blocking real mail. > zen.spamhaus.org*2, This is the only one I'd trust fully. > psbl.surriel.com*2 Also mostly automated, with a removal tool provided to end users, whether spammers or not. I'd replace your config with: >postscreen_dnsbl_threshold = 2 >postscreen_dnsbl_sites = > b.barracudacentral.org, > zen.spamhaus.org*2, > psbl.surriel.com >postscreen_dnsbl_action = enforce This changes BRBL and PSBL to the default score of 1. More spam would get through postscreen this way, but it's unlikely that you would need to do much whitelisting. Note, I would not stop there; I'd go the rest of the way to my postscreen sample config as can be found at the site in .sig. Upgrade to at least Postfix 2.11 if you're not there yet. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Postscreen exceptions and blacklisting
On 8/9/2017 2:42 μμ, Wietse Venema wrote: Just as with smtpd access maps, permit/reject are a final decision, and dunno means 'let something else make the decision'. On 08.09.17 15:03, Nikolaos Milas wrote: Please let my ask for a clarification here. The problem is that the rejection seems to have happened by postscreen itself. I would expect that by using dunno for a client in postscript_exceptions (as follows): postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_exceptions.cidr all the following postscreen directives would by bypassed for this client: postscreen_dnsbl_threshold = 2 postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2 postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_blacklist_action = enforce Isn't this true? no. use permit in postscreen_exceptions.cidr to avoid remaining tests or reject to reject immediately. dunno is not even documented to work with postfix. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace and quiet.
Re: Postscreen exceptions and blacklisting
On 8/9/2017 2:42 μμ, Wietse Venema wrote: Just as with smtpd access maps, permit/reject are a final decision, and dunno means 'let something else make the decision'. Thank you Wietse, Please let my ask for a clarification here. The problem is that the rejection seems to have happened by postscreen itself. I would expect that by using dunno for a client in postscript_exceptions (as follows): postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_exceptions.cidr all the following postscreen directives would by bypassed for this client: postscreen_dnsbl_threshold = 2 postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2 postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_blacklist_action = enforce Isn't this true? In particular, why the postscreen_access_list did not affect the postscreen_dnsbl_action, which I would expect to be bypassed? Can you please explain? Which postscreen actions are affected by postscreen_access_list? Sorry if my question is dumb. Thanks a lot, Nick
Re: Postscreen exceptions and blacklisting
On 8/9/2017 1:56 μμ, Allen Coates wrote: In your exceptions list, use ACCEPT or REJECT; By the way, can we interchangeably use any of the values ACCEPT / PERMIT / OK ? If so, can you please reference any associated documentation? I ask because at http://www.postfix.org/POSTSCREEN_README.html the values described (for acceptance) are "PERMIT", while in the CIDR table documentation (http://www.postfix.org/cidr_table.5.html) the respective example shows: "OK". Thanks a lot, Nick
Re: Postscreen exceptions and blacklisting
Nikolaos Milas: > On 8/9/2017 1:56 ??, Allen Coates wrote: > > > DUNNO means "let something else decide" ... > > Hi Allen, > > I understand that, but shouldn't this also mean "Bypass ALL > postscreen-related checks & filtering", which should avoid blocking by > RBLs used within postscreen? It means this: dunno All postscreen(8) access lists implicitly have this command at the end. When dunno is executed inside a lookup table, return from the lookup table and evaluate the next command. When dunno is executed outside a lookup table, terminate the search, and subject the client to the configured before/after 220 greeting tests. Just as with smtpd access maps, permit/reject are a final decision, and dunno means 'let something else make the decision'. Wietse
Re: Postscreen exceptions and blacklisting
On 8/9/2017 1:56 μμ, Allen Coates wrote: DUNNO means "let something else decide" ... Hi Allen, I understand that, but shouldn't this also mean "Bypass ALL postscreen-related checks & filtering", which should avoid blocking by RBLs used within postscreen? Cheers, Nick
Re: Postscreen exceptions and blacklisting
In your exceptions list, use ACCEPT or REJECT; DUNNO means "let something else decide" ... Allen C On 08/09/17 09:36, Nikolaos Milas wrote: > Hello, > > I have tried to whitelist some servers for postscreen, but I notice that > they continue to get blocked if they are blacklisted. > > What I am doing wrong in whitelisting them? > > How can I successfully whitelist them so that they are not blocked even > if they are blacklisted in a RBL/RSBL? > > Here is a session with remote server 195.134.100.81 (ours is 62.217.124.2): > > Aug 31 11:14:01 mailgw3 postfix/postscreen[6476]: CONNECT from > [195.134.100.81]:50520 to [62.217.124.2]:25 > Aug 31 11:14:02 mailgw3 postfix/dnsblog[6328]: addr 195.134.100.81 > listed by domain b.barracudacentral.org as 127.0.0.2 > Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DNSBL rank 2 for > [195.134.100.81]:50520 > Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT > from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client > [195.134.100.81] blocked using b.barracudacentral.org; from=<>, > to=, proto=SMTP, helo= > Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT > from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client > [195.134.100.81] blocked using b.barracudacentral.org; > from= , to= , proto=SMTP, > helo= > Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DISCONNECT > [195.134.100.81]:50520 > > My setup (on Postfix 2.11.0): > > # postconf -n > allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject > allowed_list2 = check_client_access > cidr:/etc/postfix/internalnetworks.cidr,reject > command_directory = /usr/sbin > config_directory = /etc/postfix > content_filter = smtp-amavis:[127.0.0.1]:10024 > daemon_directory = /usr/libexec/postfix > data_directory = /var/lib/postfix > debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin > xxgdb $daemon_directory/$process_name $process_id & sleep 5 > default_process_limit = 50 > disable_vrfy_command = yes > enable_long_queue_ids = yes > header_checks = pcre:/etc/postfix/blacklisted_maillists > html_directory = no > inet_interfaces = all > inet_protocols = ipv4, ipv6 > local_recipient_maps = > local_transport = error:local mail delivery is disabled > mail_name = NOA Mail Srv XAPITI XPICTOY > mail_owner = postfix > mailq_path = /usr/bin/mailq.postfix > manpage_directory = /usr/share/man > message_size_limit = 15728640 > mydestination = > mynetworks = 127.0.0.1/32 [::1]/128 > myorigin = $mydomain > newaliases_path = /usr/bin/newaliases.postfix > postscreen_access_list = permit_mynetworks, > cidr:/etc/postfix/postscreen_exceptions.cidr > postscreen_blacklist_action = enforce > postscreen_dnsbl_action = enforce > postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, > psbl.surriel.com*2 > postscreen_dnsbl_threshold = 2 > postscreen_greet_action = enforce > queue_directory = /var/spool/postfix > relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr, > space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr, hesperia-space.eu > relay_recipient_maps = > sendmail_path = /usr/sbin/sendmail.postfix > setgid_group = postdrop > smtp_tls_security_level = may > smtpd_helo_required = yes > smtpd_recipient_restrictions = check_client_access > hash:/etc/postfix/amavis_bypass check_sender_access > hash:/etc/postfix/blacklisted_senders check_sender_access > pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient > reject_unauth_destination check_recipient_access > hash:/etc/postfix/protected_destinations permit_mynetworks > reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender > reject_unknown_sender_domain reject_non_fqdn_recipient > reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org > reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com > reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net > reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender > dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org check_policy_service > unix:postgrey/socket permit > smtpd_restriction_classes = allowed_list1,allowed_list2 > smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt > smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1365536.crt > smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128 > smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1365536.key > smtpd_tls_loglevel = 1 > smtpd_tls_mandatory_ciphers = high > smtpd_tls_security_level = may > smtpd_tls_session_cache_timeout = 3600s > transport_maps = hash:/etc/postfix/transportmap > unknown_local_recipient_reject_code = 550 > unverified_sender_reject_code = 550 > virtual_alias_maps = hash:/etc/postfix/virtualmap > > and cidr:/etc/postfix/postscreen_exceptions.cidr is: > >195.134.100.72 dunno >195.134.100.69 dunno >195.134.100.81 dunno >195.134.100.119 dunno > > Please advise!
Re: Postscreen exceptions and blacklisting
On 8/9/2017 11:36 πμ, Nikolaos Milas wrote: What I am doing wrong in whitelisting them? Let me try to guess: should I use "permit" rather than "dunno" (in postscreen_exceptions.cidr)? If so, why "dunno" doesn't work? Shouldn't it whitelist a client from any and all postscreen tests? Please advise! Thanks, Nick
Postscreen exceptions and blacklisting
Hello, I have tried to whitelist some servers for postscreen, but I notice that they continue to get blocked if they are blacklisted. What I am doing wrong in whitelisting them? How can I successfully whitelist them so that they are not blocked even if they are blacklisted in a RBL/RSBL? Here is a session with remote server 195.134.100.81 (ours is 62.217.124.2): Aug 31 11:14:01 mailgw3 postfix/postscreen[6476]: CONNECT from [195.134.100.81]:50520 to [62.217.124.2]:25 Aug 31 11:14:02 mailgw3 postfix/dnsblog[6328]: addr 195.134.100.81 listed by domain b.barracudacentral.org as 127.0.0.2 Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DNSBL rank 2 for [195.134.100.81]:50520 Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client [195.134.100.81] blocked using b.barracudacentral.org; from=<>, to=, proto=SMTP, helo= Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client [195.134.100.81] blocked using b.barracudacentral.org; from= , to= , proto=SMTP, helo= Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DISCONNECT [195.134.100.81]:50520 My setup (on Postfix 2.11.0): # postconf -n allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject allowed_list2 = check_client_access cidr:/etc/postfix/internalnetworks.cidr,reject command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 default_process_limit = 50 disable_vrfy_command = yes enable_long_queue_ids = yes header_checks = pcre:/etc/postfix/blacklisted_maillists html_directory = no inet_interfaces = all inet_protocols = ipv4, ipv6 local_recipient_maps = local_transport = error:local mail delivery is disabled mail_name = NOA Mail Srv XAPITI XPICTOY mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 15728640 mydestination = mynetworks = 127.0.0.1/32 [::1]/128 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_exceptions.cidr postscreen_blacklist_action = enforce postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2 postscreen_dnsbl_threshold = 2 postscreen_greet_action = enforce queue_directory = /var/spool/postfix relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr, space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr, hesperia-space.eu relay_recipient_maps = sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_tls_security_level = may smtpd_helo_required = yes smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/amavis_bypass check_sender_access hash:/etc/postfix/blacklisted_senders check_sender_access pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient reject_unauth_destination check_recipient_access hash:/etc/postfix/protected_destinations permit_mynetworks reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org check_policy_service unix:postgrey/socket permit smtpd_restriction_classes = allowed_list1,allowed_list2 smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1365536.crt smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128 smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1365536.key smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = high smtpd_tls_security_level = may smtpd_tls_session_cache_timeout = 3600s transport_maps = hash:/etc/postfix/transportmap unknown_local_recipient_reject_code = 550 unverified_sender_reject_code = 550 virtual_alias_maps = hash:/etc/postfix/virtualmap and cidr:/etc/postfix/postscreen_exceptions.cidr is: 195.134.100.72 dunno 195.134.100.69 dunno 195.134.100.81 dunno 195.134.100.119 dunno Please advise! Thanks a lot, Nick