and queries only the
domains listed in postscreen_dnsbl_sites, which are guaranteed to
respond quickly. postscreen WILL NOT query other domains because
there are no response time guarantees.
Wietse
___
Postfix-users mailing list -- postfix-u
Ivan Ionut via Postfix-users:
>
> Hi, I'm using postscreen_dnsbl_sites to block some spam and I want some
> domain/hosts/ip to bypass this option, like a whitelist.
>
> Does postscreen/postfix have this option?
>
Yes. Near the top of https://www.postfix.org/POSTSCREEN_README
Hi, I'm using postscreen_dnsbl_sites to block some spam and I want some
domain/hosts/ip to bypass this option, like a whitelist.
Does postscreen/postfix have this option?
p.s. my postfix version: 3.6.4
--
Ivan Ionuț
Str. Mircea cel Bătrân nr 1, Galati 800023
Tel/Fax: +40236 493277
Email
Matt Saladna:
> Hello,
>
> When specifying a range of responses to ignore in postscreen_dnsbl_sites
> it appears that if a weight is zero it is ignored in favor of a non-zero
> weight.
Coming back to this thread, please ignore my previous responses
about order dependence.
On 30.05.22 14:02, Peter wrote:
Next question: What happens if zen returns multiple responses:
127.0.0.10
127.0.0.3
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[1..2]*3
zen.spamhaus.org=127.0.0.3*2
zen.spamhaus.org=127.0.0.[4..255]*3
On 30.05.22 10:06, Matus UHLAR - fantomas wrote
is this:
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[1..255]*3
zen.spamhaus.org=127.0.0.3*-1
So presumably if 127.0.0.3 is returned it will initially get a score
of 3 but then decrement it by 1 so it ends up with a score of 2, so
first question: Will this work the way I want it to?
yes, it should.
Next
On 30/05/22 3:49 pm, Bill Cole wrote:
I have no idea, but assigning scores to DNSBL return values that are not
currently in use is quite optimistic and dangerous.
Also, 127.0.0.1 specifically is an indicator of likely DNSBL malfunction.
Well, spamhaus documents that 127.0.0.0/24 are for
specifically returns
127.0.0.3.
What I think I can do is this:
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[1..255]*3
zen.spamhaus.org=127.0.0.3*-1
So presumably if 127.0.0.3 is returned it will initially get a score
of 3 but then decrement it by 1 so it ends up with a score of 2, so
first
First off my goal is that I want all zen.spamhaus.org entries to have a
score of 3 except for CSS entries which should have a score of 2. zen
returns 127.0.0.n for all entries and CSS specifically returns 127.0.0.3.
What I think I can do is this:
postscreen_dnsbl_sites = zen.spamhaus.org
Matt Saladna:
> Is there any difference other than cognitive load between the two forms?
>
> postscreen_dnsbl_sites =
> zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
> zen.spamhaus.org=127.255.255.[252;254;255]*0
This explicitly assigns wei
ply assumes that patterns don't overlap.
I think that a reasonable solution is to use only the first match
in postscreen_dnsbl_sites. That code was not designed to handle
overlapping patterns, and I see no value in trying to make it do
such things.
FYI knowing this I configured it l
On 12.03.22 11:50, Matt Saladna wrote:
Is there any difference other than cognitive load between the two forms?
postscreen_dnsbl_sites =
zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
zen.spamhaus.org=127.255.255.[252;254;255]*0
versus
postscreen_dnsbl_sites
s that match. The
implementation simply assumes that patterns don't overlap.
If you want a working solution now, I suggest using non-overlapping
patterns:
postscreen_dnsbl_sites =
zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2
zen.spamhaus.org=127.255.255.[252;254;255
On 2022-03-11 at 22:34:14 UTC-0500 (Fri, 11 Mar 2022 21:34:14 -0600)
Matt Saladna
is rumored to have said:
Spamhaus began flagging Cloudflare's servers, 1.0.0.1/1.1.1.1 as
public resolver resulting in the error message. Other DNSBLs pick up
responsibility, so the judgment shouldn't rely
On 2022-03-11 at 17:20:41 UTC-0500 (Sat, 12 Mar 2022 09:20:41 +1100)
Phil Biggs
is rumored to have said:
Should the 127.255.255.[0..255] return codes really be weighted
zero, given that they indicate an error?
Absolutely.
With .254 being use of
a public/open resolver:
Title: Re: postscreen_dnsbl_sites precedence
Saturday, March 12, 2022, 2:37:15 AM, Matt Saladna wrote:
Hello,
When specifying a range of responses to ignore in postscreen_dnsbl_sites it appears that if a weight is zero it is ignored in favor of a non-zero weight.
mail_version=3.5.9
Matt Saladna:
> postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0
> zen.spamhaus.org*2
The implementation is order-dependent. Postscreen maintains a
list for zen.spamhaus.org, where the last entry appears first:
zen.spamhaus.org:
pattern=empty, we
On Fri, Mar 11, 2022 at 09:37:15AM -0600, Matt Saladna wrote:
> When specifying a range of responses to ignore in postscreen_dnsbl_sites
> it appears that if a weight is zero it is ignored in favor of a non-zero
> weight.
No. Rather, when the same source is listed twice, the weights
On Fri, Apr 01, 2016 at 08:13:14AM -0700, jaso...@mail-central.com wrote:
> I'm learning about whitelist scoring in postscreen_dnsbl_sites=
>
> /dev/rob0 mentioned using these
>
> postscreen_dnsbl_sites=
>... BLACKLISTS ...
>swl.spamhaus.org*-4
On Fri, Apr 1, 2016, at 12:21 PM, Noel Jones wrote:
> dwl.spamhaus.org lists domain names and is not compatible with
> postscreen, which only knows the IP.
I needed to be reminded of that :-/
> dwl can be used in one of the
> smtpd_*_restrictions sections.
>
On 4/1/2016 10:13 AM, jaso...@mail-central.com wrote:
> I'm learning about whitelist scoring in postscreen_dnsbl_sites=
...
>
> One of the servers that's been shown to me has, instead
>
> postscreen_dnsbl_sites=
>... BLACKLISTS ...
>dwl.spamhaus
jaso...@mail-central.com:
> (1) Does order matter in [postscreen_dnsbl_sites]?
There is no "order": the lookups happen in parallel. The result is
computed when all replies are received, or when the greet_wait time
limit is reached.
Wietse
I'm learning about whitelist scoring in postscreen_dnsbl_sites=
/dev/rob0 mentioned using these
postscreen_dnsbl_sites=
... BLACKLISTS ...
swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
Hi,
Feature request:
It would be nice if the postscreen_dnsbl_sites list could be loaded
into memory (once - upon start/reload) from an external file - that
doesn't seem to be possible right now - or am I wrong ?
/Uffe
On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:
Feature request:
It would be nice if the postscreen_dnsbl_sites list could be loaded into
memory (once - upon start/reload) from an external file - that doesn't seem
to be possible right now - or am I wrong ?
# cd /etc
On 2014-06-24 18:06, Viktor Dukhovni wrote:
On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:
Feature request:
It would be nice if the postscreen_dnsbl_sites list could be loaded into
memory (once - upon start/reload) from an external file - that doesn't seem
to be possible
Uffe Jakobsen:
Your installation or platform must be different from mine (FreeBSD) - I
have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
config dir.
The idea is that you create that Makefile.
But it was not what I was looking for - because for various reasons the
On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
Uffe Jakobsen:
Your installation or platform must be different from mine (FreeBSD) - I
have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
config dir.
The idea is that you create that Makefile.
That
On 24.06.2014 18:41, Viktor Dukhovni wrote:
On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
Uffe Jakobsen:
Your installation or platform must be different from mine (FreeBSD) - I
have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/
config dir.
The
On 2014-06-24 18:35, Wietse Venema wrote:
But it was not what I was looking for - because for various reasons the
userid that writes the dnsbl sites file has no permissions to write
main.cf nor reload postfix.
Including data from a non-root account into main.cf is not supported.
Anyone who
Uffe Jakobsen:
On 2014-06-24 18:35, Wietse Venema wrote:
But it was not what I was looking for - because for various reasons the
userid that writes the dnsbl sites file has no permissions to write
main.cf nor reload postfix.
Including data from a non-root account into main.cf is not
Hi Wietse,
On 2013-09-04 23:45, wie...@porcupine.org wrote:
Marko Weber | ZBF:
hello postfix list,
maybe an easy quest for you.
when i use multiple rbls in 'postscreen_dnsbl_sites'
Yes...
postscreen_dnsbl_sites =
1.list.org
anotherlist.org
nsafools.org
obamaisadrama.org
hello postfix list,
maybe an easy quest for you.
when i use multiple rbls in 'postscreen_dnsbl_sites'
postscreen_dnsbl_sites =
1.list.org
anotherlist.org
nsafools.org
obamaisadrama.org
at example.
are the entries of 'postscreen_dnsbl_sites' used in order like listed?
or is postscreen
Marko Weber | ZBF:
hello postfix list,
maybe an easy quest for you.
when i use multiple rbls in 'postscreen_dnsbl_sites'
Yes...
postscreen_dnsbl_sites =
1.list.org
anotherlist.org
nsafools.org
obamaisadrama.org
at example. are the entries of 'postscreen_dnsbl_sites
On Mon, May 6, 2013 at 3:10 PM, Wietse Venema wie...@porcupine.org wrote:
Robert Lopez:
Let me try again. I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?
Please describe what is not
On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote:
What is not clear to me in that description is the reason for
my original question
Does it matter what the short name returned is; that is could
I use zen.spamhaus.org just to keep it shorter?
In my example:
being hidden):
hidden-key.zen.dq.spamhaus.net h.spamhaus.net
In the main.cf file I have this line:
postscreen_dnsbl_sites = h.spamhaus.net*1
I am assuming the h.spamhaus.net in main.cf is being rewritten to
hidden-key.zen.dq.spamhaus.net when postscreen uses the dnsbl.
What I am seeing in testing
Robert Lopez:
Let me try again. I am assuming the link between a line in the
dnsbl_reply file and the main.cf file is only a label and it could be
anything.
Is that a wrong assumption?
Please describe what is not clear about the following text:
postscreen_dnsbl_reply_map (default: empty)
Is it possible that the key is being exposed not from the
postscreen_dnsbl_sites line but from a line also in main.cf which says
the following?
smtpd_client_restrictions = reject_rbl_client hidden-key.zen.dq.spamhaus.net
Use rbl_reply_maps and a text without $rbl_domain:
http
Jan P. Kessler:
Is it possible that the key is being exposed not from the
postscreen_dnsbl_sites line but from a line also in main.cf which says
the following?
smtpd_client_restrictions = reject_rbl_client
hidden-key.zen.dq.spamhaus.net
Yes. Postfix logging will tell you which
On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote:
On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
I had
postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org
This is right.
Let me try again also! I presume your lookup is actually against
key.zen.dq.spamhaus.org
Please disable HTML when posting to mailing lists.
On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote:
I had
postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org
This is right.
and
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
in main.cf
and I had
If in /etc/postfix/dnsbl_reply file there is a line:
the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org
And in main.cf there is the line:
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
Should the line in main.cf for postscreen_dnsbl_sites =
use the long
On 5/3/2013 9:33 PM, Robert Lopez wrote:
If in /etc/postfix/dnsbl_reply file there is a line:
the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org
And in main.cf there is
I had
postscreen_dnsbl_sites = the-key-to-hidezen.dq.spamhaus.org
and
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
in main.cf
and I had
the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org
in the /etc
Another thing I think I see about postscreen is that it apparently will only
look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites
feature (which might allow me to move my current reject_rhsbl_client and
permit_rhswl_client checks into postscreen). Is such a thing planned,
On 6/8/2011 12:05 PM, Rich Wales wrote:
Another thing I think I see about postscreen is that it apparently will only
look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites
feature (which might allow me to move my current reject_rhsbl_client and
permit_rhswl_client checks into
On Wed, Jun 08, 2011 at 10:05:05AM -0700, Rich Wales wrote:
Another thing I think I see about postscreen is that it apparently
will only look up IP addresses. There doesn't seem to be any
postscreen_rhsbl_sites feature (which might allow me to move my
current reject_rhsbl_client and
Rich Wales:
Another thing I think I see about postscreen is that it apparently will only
look up IP addresses. There doesn't seem to be any postscreen_rhsbl_sites
feature (which might allow me to move my current reject_rhsbl_client and
permit_rhswl_client checks into postscreen). Is such a
* Rich Wales ri...@richw.org:
If I enable postscreen and specify my choice of blocklists and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I might as well
remove any reject_rbl_client and permit_dnswl_client clauses from my
smtpd_*_restrictions, since they will now
* Rich Wales ri...@richw.org:
value from a given list. (I won't go into the details, they would be
off-topic here, but it's nice to have this capability.)
It will probably start a flamewar, but I personally am interested in
your particular weights on the different RBLs
--
Ralf Hildebrandt
Rich Wales:
Note that postscreen caches the results of successful tests,
so that it does not repeat every test for every connection.
This is controlled by the postscreen_mumble_ttl parameters.
Some caching may also be done by my DNS server too, right? This would,
of course, be
On Tue, Jun 07, 2011 at 07:03:34AM -0400, Wietse Venema wrote:
Note the following difference.
postscreen caches that the client IS NOT listed in DNSBL.
It doesn't cache clients that are listed.
DNS servers cache that the client IS listed in DNSBL.
They don't cache non-existent DNSBL
If I enable postscreen and specify my choice of blocklists and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I might as well
remove any reject_rbl_client and permit_dnswl_client clauses from my
smtpd_*_restrictions, since they will now be redundant?
Rich Wales
ri
On 06/06/2011 10:45 PM, Rich Wales wrote:
If I enable postscreen and specify my choice of blocklists and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I might as well
remove any reject_rbl_client and permit_dnswl_client clauses from my
smtpd_*_restrictions, since
On 6/6/2011 5:34 PM, Jeroen Geilman wrote:
On 06/06/2011 10:45 PM, Rich Wales wrote:
If I enable postscreen and specify my choice of blocklists
and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I
might as well
remove any reject_rbl_client and permit_dnswl_client clauses
On the interfaces and ports that postscreen(8) passes mail to, yes.
Do note that the behaviour is different; you will be able to directly
transplant your reject_rbl_client RBLs to postscreen, but postscreen
has many more options available, such as checking for exact return
values, and scoring
Rich Wales:
If I enable postscreen and specify my choice of blocklists and whitelists
in postscreen_dnsbl_sites, am I correct in assuming that I might as well
remove any reject_rbl_client and permit_dnswl_client clauses from my
smtpd_*_restrictions, since they will now be redundant?
Almost
and would depend on the TTL info
from the whitelist / blocklist.
It appears, based on my server's logs, that postscreen always queries
every site I name in postscreen_dnsbl_sites -- subject, of course, to
caching by my DNS server and by postscreen's own TTL settings. I'd
think it would be possible
, be transparent to Postfix and would depend on the TTL info
from the whitelist / blocklist.
It appears, based on my server's logs, that postscreen always queries
every site I name in postscreen_dnsbl_sites -- subject, of course, to
caching by my DNS server and by postscreen's own TTL settings. I'd
think
I must be doing something silly, but I can't see my mistake.
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at
127.0.0.[2
Or to simplify the matter:
$ postconf
On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote:
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at
127.0.0.[2
There is a parser issue here, since
Mark Martinec:
I must be doing something silly, but I can't see my mistake.
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need , or ] at
127.0.0.[2
The problem
On 1/18/2011 2:46 PM, Wietse Venema wrote:
Mark Martinec:
I must be doing something silly, but I can't see my mistake.
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need
On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote:
On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote:
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote:
On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote:
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list separator.
*/
for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
if (*cp == '[') {
keep++;
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list separator.
*/
for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
if (*cp == '[') {
* Wietse Venema postfix-users@postfix.org:
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list separator.
*/
for (keep = 0, cp =
On Tue, Jan 18, 2011 at 04:08:12PM -0500, Wietse Venema wrote:
But having , inside an access control feature it is likely to
break third-party tools that maintain Postfix configuration files.
The alternative is to [modify] the address filter syntax, and to
replace , by a different set
* Patrick Ben Koetter p...@state-of-mind.de:
* Wietse Venema postfix-users@postfix.org:
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list
Patrick Ben Koetter:
* Wietse Venema postfix-users@postfix.org:
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list separator.
*/
Wietse Venema:
* Wietse Venema postfix-users@postfix.org:
Victor Duchovni:
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote:
Something along the lines of:
/*
* Workaround. The , was already in use as dnsbl list separator.
*/