Re: Bypass postscreen

2021-07-15 Thread Allen Coates
On 14/07/2021 23:56, Doug Hardie wrote: I have both of those set to enforce. Here is the complete postscreen section of main.cf: # postscreen spam filtering postscreen_greet_action = enforce postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = bl.spamcop.net zen.spamhaus.org b.ba

Re: How can I build a reliable distribution list?

2022-01-29 Thread Allen Coates
Given that you also have distribution-ow...@myhost.com as an alias, is there an easy way of making it a "closed" list, such that only the list-members can write to it? I am thinking of the committee of a small club (ten addresses at most). Allen C On 29/01/2022 14:43, Wietse Venema wrote:

Re: About smtp_fallback_relay parameter

2022-04-07 Thread Allen Coates
On 07/04/2022 17:55, Pedro David Marco wrote: Probably i am misunderstanding Postfix documentation but... What is exactly the Postfix criteria about using smtp_fallback_relay I also had an issue with this some time ago, which I didn't understand. At the time I had set the fallback r

Re: password security

2022-04-25 Thread Allen Coates
On 25/04/2022 05:26, ミユナ (alice) wrote: do you know how to stop passwords from being brute-forced for a mailserver? do you have any practical guide? thank you. You could use an Access Control List to include all your "customers", and banning everybody else. In my case, any submission or

Re: IPv6 DNSRBLs

2022-06-02 Thread Allen Coates
On 30/05/2022 06:44, Peter wrote: We're now starting to see some IPv6 DNSRBLs (eg: bl.ipv6.spameatingmonkey.net). It occurs to me that postscreen and postfix should only be sending IPv4 requests to IPv4-specific DNSRBLs and IPv6 requests to IPv6-specific lists. I brooded about this some ye

Re: Protect access to submission services

2022-08-14 Thread Allen Coates
On 14/08/2022 19:51, Matus UHLAR - fantomas wrote: but which lists?  using spamhaus PBL is not viable because it lists dynamic IP address which can be commonly used by clients. Could you try "permit_dnswl_client dnswl_domain=d.d.d.d", with the Spamhaus PBL and a selective return code?

Re: run script on new connection?

2022-12-27 Thread Allen Coates
On 27/12/2022 00:15, mats wrote: > Using DNS is not a way forward for us. > Maintaining cidr lists a number of times a minute with 10:s of thousands of > ip's instead of a simple query for the ip I'm interested in, well not > interested in that either > Invert the problem:- Test ONLY for the ip(s

Re: Replacing initial "Received:" line on submission?

2023-01-11 Thread Allen Coates
On 11/01/2023 00:04, Benny Pedersen wrote: > Charles Sprickman wrote on 2023-01-11 00:43: > >> Any pointers on what direction to go with this? > > start postconf -e "smtpd_sasl_authenticated_header = no" or remove it in > main.cf or master.cf overrides, it's not > needed to add your sasl auth u

Re: [SOLVED] Re: Submission runs very slowly

2023-02-13 Thread Allen Coates
On 13/02/2023 22:43, raf wrote: > And for diceware style passphrases to be meaningful, > it's important that none of the words are "picked" by a > human. They must be random. Then, it doesn't matter if > they are common words or not. A human can throw in a misspelt or foreign-language word.  Pro

Re: What are these types trying to do?

2019-12-30 Thread Allen Coates
On 30/12/2019 22:32, Gerben Wierda wrote: > Now that I finally have a postfix back with actual logging, I noticed this in > my log: > > Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from > [182.99.42.88]:49546 to [192.168.2.66]:25 > Dec 30 23:26:10 mail postfix/postscreen[16020]: PREG

Re: postfix for IoT

2020-01-20 Thread Allen Coates
On 20/01/2020 02:31, Viktor Dukhovni wrote: > On Mon, Jan 20, 2020 at 08:38:46AM +0800, Wesley Peng wrote: > >> How to compile postfix into the Embedded operating system (such as the >> home router) and make it as a mail gateway for Smart home appliances? > > Most embedded systems are not su

Re: How to restrict imposters

2020-02-20 Thread Allen Coates
On 20/02/2020 03:39, Bob Proulx wrote: > I do a slight variation on this that I think is slightly better. > Instead of pcre tables I use hash tables. Which should be slightly more > efficient. And won't suffer from common substring matches such as > hitting by accident on goodkreme.com or othe

Re: Disabling TLSv1

2020-03-05 Thread Allen Coates
Virtually all my TLSv1 connections come from this mailing list... Would there be any mileage in disabling OUTBOUND TLSv1 connections while accepting inbound for a little while longer? Allen C On 05/03/2020 20:08, ratatouille wrote: > Hello! > > Don't know why TLSv1 is still offered on our serve

Re: Rejecting emails based on address extension?

2020-04-08 Thread Allen Coates
On 09/04/2020 00:01, @lbutlr wrote: > Given an email address of user+ama...@example.com how can I reject all emails > to that address that do not come from amazon.com? > > I think I did something like this once but if I did, I didn’t keep notes. :/ > > Funny you should mention that - within

Re: Rejecting emails based on address extension?

2020-04-08 Thread Allen Coates
On 09/04/2020 00:29, @lbutlr wrote: > On 08 Apr 2020, at 17:16, Allen Coates wrote: >> On 09/04/2020 00:01, @lbutlr wrote: >>> Given an email address of user+ama...@example.com how can I reject all >>> emails to that address that do not come from amazon.com? >

Re: Possible header_check solution?

2020-04-15 Thread Allen Coates
On 14/04/2020 18:42, Rick King wrote: > Hello List! > > We have a customer that occasionally receives messages like this... > > Return-Path: > From: "Free iPad " > To: > Subject:Free iPad > Any suggestions welcome! Thank you! > > I am no expert on pattern matching, but could you pick

Re: Postfix "IPv6-only" - experience/recommendation question

2020-05-08 Thread Allen Coates
On 08/05/2020 17:38, michae...@rocketmail.com wrote: > Hi all, > > > I've a generic question to all more experienced than me postfix users here: > Is it nowadays (reasonable) possible to run postfix with IPv6 only? E.g > "mail.example.com" and "smtp.example.com" with only ipv6 records i

Re: Postfix "IPv6-only" - experience/recommendation question

2020-05-08 Thread Allen Coates
On 08/05/2020 21:58, Wietse Venema wrote: > Bob Proulx: >> How are working and available IPv6 DNSBLs progressing? That's a >> critical component which I would love to hear is no longer a missing >> component. > > zen.spamhaus.org blocks some 15% of IPv6 spam for me. The other 85% > comes from

Re: Preferred/maintained greylisting options?

2020-05-25 Thread Allen Coates
On 24/05/2020 23:22, micah anderson wrote: > We paid for access to spamhaus for a while, but they jacked up the > prices and now its far too expensive even for their non-profit rate. > > What RBLs do people find to be effective now days? I was looking at > SpamRats, which I did not know about b

Re: Dropping email purporting to be from my domain received from the Internet

2020-05-30 Thread Allen Coates
On 30/05/2020 00:58, Scott A. Wozny wrote: > In my hypothetical environment, I have an external and an internal relay on > either sides of a firewall. I want to configure the external system to relay > both 1) email received from the internal relay to the Internet and 2) email > received from th

Re: Postfix restrictions

2020-06-07 Thread Allen Coates
On 07/06/2020 10:51, Nicolas Kovacs wrote: > Before committing this configuration to my main server, I thought I'd share > this configuration on the list. Maybe the Postfix gurus among you have the odd > comment to make. > > My aim is simply to eliminate as much spam as possible (that is, before

Re: spam uses my email address as sender in "header from"

2020-09-14 Thread Allen Coates
It has been suggested in the past that if the "From" header does not contain both the email address AND the name of its owner (see my address above) then it may be rejected - or at least flagged as suspect. Allen C On 14/09/2020 11:35, Fourhundred Thecat wrote: > Hello, > > I am receiving spam,

Re: Rejecting messages based on recipient MTA's IP address

2020-09-30 Thread Allen Coates
On 30/09/2020 15:58, @lbutlr wrote: > On 29 Sep 2020, at 11:46, J David wrote: >> domains that have no email service, i.e., those domains >> have A records in that range but no MX records at all. Question at a tangent:- Does the SMTP daemon resolve a destination if there is no MX record? All

Re: Rejecting messages based on recipient MTA's IP address

2020-10-01 Thread Allen Coates
On 01/10/2020 08:01, Ansgar Wiechers wrote: > On 2020-09-30 Allen Coates wrote: >> >> Does the SMTP daemon resolve a destination if there is no MX record? > > Normally Postfix will check for an MX first, and if that is absent check > for an A record for the doma

Re: Fwd: Verify Proper method for sender restrictions

2020-10-28 Thread Allen Coates
On 26/10/2020 20:44, Joey J wrote: > And within that file have both white & blacklist like so: > youareok.com    OK > youarebad.com   REJCT > 1.2.3.4  550 Block-I dont like you > 1.5.6.0/24 550 Block I dont like any of you. > Some

Re: Fwd: Verify Proper method for sender restrictions

2020-10-28 Thread Allen Coates
On 28/10/2020 15:24, Viktor Dukhovni wrote: > On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote: > >> Some time ago (5 years maybe) I discovered that "OK" was not being >> universally >> recognised in every access list; I cultivated the habit

Re: Rootless postfix

2021-02-25 Thread Allen Coates
On 25/02/2021 09:43, Emond Papegaaij wrote: > Hi all, > > We are hardening our services and would like to run postfix as a > non-root user. All our primary services, including postfix run as > docker containers. We use postfix as a forwarding agent only: mail is > delivered from the other servi

Re: Rootless postfix

2021-02-26 Thread Allen Coates
On 26/02/2021 02:55, Viktor Dukhovni wrote: > On Thu, Feb 25, 2021 at 11:39:19PM +0000, Allen Coates wrote: > >> It is an *ANCIENT* reference, but the O'Reilly book "Building >> Internet >> Firewalls" describes a simple program called smap.

Re: Couple of questions re: IPBLs & DNSBLs

2021-03-19 Thread Allen Coates
On 18/03/2021 22:34, Antonio Leding wrote: > Hello all, > > > 1. Where to place IPBL\DNSBL rules > > * Because the result of a hit against an IPBL\DNSBL is to REJECT, does it > make > sense to place these kind of rules earlier in the SMTPD_RESTRICTIONS eval > chain (i.e. CLI

Re: Certificate Postfix.org missing?

2021-04-26 Thread Allen Coates
On 23/04/2021 07:36, Nicky Thomassen wrote: > With the risk of going off-topic, I do not see the reason for encrypting > everything on the internet from a more practical point of view, as it just > gives > overhead: It takes time to set up and maintain, takes processing power on both > ends, and

Re: Any way to edit postscreen_cache.db?

2016-02-10 Thread Allen Coates
I have very similar problems. I was however, thinking along the lines of a command-line executable (or script), specifically to rescind a temporary white-list entry. I am not very good at the "big picture" :-) Allen C On 10/02/16 17:35, Mike Coddington wrote: > I had a problem with an IP add

Re: Any way to edit postscreen_cache.db?

2016-02-11 Thread Allen Coates
st entries die after a couple of days or so. Allen C On 11/02/16 05:25, Noel Jones wrote: > On 2/10/2016 3:41 PM, Allen Coates wrote: >> I have very similar problems. >> >> I was however, thinking along the lines of a command-line executable (or >> script), specifical

Re: Security: How to limit authentication attempts?

2016-02-21 Thread Allen Coates
Do smtpd_hard_error_limit and smtpd_soft_error_limit count authentication failures as "errors"? I don't receive enough emails (or attacks) to have a definitive answer.

Re: rate limiting bad-bot HANGUPs in postscreen?

2016-04-09 Thread Allen Coates
I use a script which greps for repeated HANGUPS (and non-SNMP commands, etc) and adds them to a postscreen access file (a separate blacklist file that can be re-compiled as and when). The black-list entry is retracted after a day or so. A second script looks for repeated black-list refusals and

Re: RBLs in postscreen AND smtpd_*_restrictions

2016-06-02 Thread Allen Coates
On 02/06/16 17:45, Michael Fox wrote: > If a DNSBL in postscreen_dnsbl_sites has a weight >= > postscreen_dnsbl_threshold, then is there any advantage to also > listing it in smtpd_*_restrictions? For example, is there some failure > mode that having the DNSBL listed in both places would protect

Re: RBLs in postscreen AND smtpd_*_restrictions

2016-06-02 Thread Allen Coates
On 02/06/16 19:21, Michael Fox wrote: >> On 02/06/16 17:45, Michael Fox wrote: >>> If a DNSBL in postscreen_dnsbl_sites has a weight >= >>> postscreen_dnsbl_threshold, then is there any advantage to also >>> listing it in smtpd_*_restrictions? For example, is there some failure >>> mode that havi

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Allen Coates
On 14/06/16 23:31, list...@tutanota.com wrote: > > 14. Jun 2016 15:01 by njo...@megan.vbhcs.org > : > > Is there some way to integrate the GeoIP dbs with postscreen? > > > No, at least not easily. > > > > Ok. That would be a nice function to have, in

Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Allen Coates
Mail-server refusals (as in NOQUEUE) are generated before the email body is received - and will also be sent to the envelope sender. On 28/06/16 18:51, Noel Jones wrote: > On 6/28/2016 12:12 PM, Chip wrote: >> Meaning there are no standards for the way >> emailers should respond to bounces? > boun

Re: Brutal attacks

2016-07-09 Thread Allen Coates
Limiting the number of simultaneous connections will fend off an attacker until fail2ban kicks in. For my (domestic) server, I have in main.cf :- smtpd_client_connection_count_limit = 2 This is inherited by postscreen, which does a good job of throwing out surplus connections. Again - appropr

Re: Brutal attacks

2016-07-11 Thread Allen Coates
I found this in "man iptables-extensions" Examples: # allow 2 telnet connections per client host iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT It could be adapted to offer basic DoS protection for postfix. Unfortunately my MXhost

Is it me, or is there a problem elsewhere?

2016-07-21 Thread Allen Coates
For over a week now, I have been seeing DNS look-up failures - always with mailspike, both whitelist and blacklist. It is affecting about ten percent of my non-whitelisted connections. Jul 21 15:10:28 geronimo postfix/dnsblog[27737]: warning: dnsblog_query: lookup

Re: Is it me, or is there a problem elsewhere?

2016-07-22 Thread Allen Coates
Many thanks - it's reassuring to know. Allen C On 22/07/16 05:18, Robert Schetterer wrote: > On 22.07.2016 at 02:54, Michael J Wise wrote: >> This isn't an ops list, but ... >> >>> For over a week now, I have been seeing DNS look-up failures - always >>> with mailspike, both whitelist and black

Re: [OT] Re: Can source and IP in email header be spoofed and how to mitigate

2016-07-28 Thread Allen Coates
It can also be done with access lists in smtpd_mumble_restrictions: a) Accept (by remote host IP address) ALL your legitimate servers; b) Reject everything else claiming to be one of your servers EXAMPLE main.cf: smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenti

Re: Problems with IPv6

2016-09-08 Thread Allen Coates
I have thought long and hard about IPv6 spam. Fortunately I have only had a couple of messages - so far... Within postscreen, I have whitelisted all my regular ipv6 correspondents, and am using bl.ipv6.spameatingmonkey.net, and the cymru.com bogon lists in the rbls Within smtpd, I use all the RH

Re: Problems with IPv6 - spin-off question

2016-09-09 Thread Allen Coates
It seems rather pointless to offer an IPv6 address to an IPv4 RBL - and vice versa. Is there a way of segregating IPv4 and IPv6 tests in postfix? Allen C

Re: Problems with IPv6 - spin-off question

2016-09-09 Thread Allen Coates
On 09/09/16 11:47, Wietse Venema wrote: > > Is there a way of segregating IPv4 and IPv6 tests in postfix? > Not at this time. What would a segregated user interface look like > in smtpd? In postscreen? > > Wietse > I was thinking along the lines of using reject_unknown_reverse_client_hostna

Re: Problems with IPv6 - spin-off question

2016-09-09 Thread Allen Coates
And I didn't say "Thank You" for your comments. Allen

Re: Problems with IPv6 - spin-off question

2016-09-09 Thread Allen Coates
On 09/09/16 15:08, Blake Hudson wrote: > Couldn't one just use a separate smtpd listener in master.cf for IP4 > and IP6 if one wanted to implement different policies for each protocol? > > Personally, I want to have parity between IP4 and IP6, not additional > differences that are going to increas

Re: Problems with IPv6 - spin-off question

2016-09-09 Thread Allen Coates
On 09/09/16 19:57, Benny Pedersen wrote: > On 2016-09-09 18:37, Allen Coates wrote: > >> Also, the Spamhaus DROP listings now have a file of compromised IPv6 >> netblocks. (I have a multi-list / IPv6 version of Julien Vehent's >> lasso-update.sh - which processe

Re: postscreen-policy

2016-09-13 Thread Allen Coates
On 13/09/16 20:01, Wietse Venema wrote: > Wietse Venema: >> Unlike DNS lookups, the access map lookup is a blocking operation, >> and if your tcp map takes 80ms to complete (a typical trans-atlantic >> query), then you can handle only 12 connections per second, and >> make postscreen the largest pe

Re: Concurrency limit for port 25

2016-09-13 Thread Allen Coates
I am a little guy; one connection an hour and I am *BUSY* Three concurrent connections is more than I will ever need. The limit is set low to fend off D-o-S attacks like the one I described. By-and-large, default values are set to a reasonable value for a wide range of circumstances. However,

Re: TLD blocking revisited

2016-09-21 Thread Allen Coates
On 21/09/16 02:35, Jim Reid wrote: > Spammers generally don’t pay that level of attention to SMTP responses, far > less fine-tune their address lists and tools. These morons just find a victim > host or botnet to blast out crap to a bazillion email addresses, not caring > if any of them work o

Re: WoSign/StartCom CA in the news

2016-09-28 Thread Allen Coates
On 28/09/16 09:51, Boris Behrens wrote: >> On 28.09.2016 at 10:25, li...@lazygranch.com wrote: >> >> I don't want to take this thread off course, but suggestions for low cost certs >> would be appreciated. I don't like how Let's Encrypt works, else that would >> be the obvious solution. >> >> Do

Re: Blocking "unknown"

2016-09-30 Thread Allen Coates
On 30/09/16 11:26, Postfix User wrote: > Lately, I have been finding the following entries in the maillog: > > 13643:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: warning: hostname > ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: > hostname nor servname provided, or not k

Re: Blocking "unknown"

2016-10-01 Thread Allen Coates
On 01/10/16 10:37, Postfix User wrote: > On Fri, 30 Sep 2016 17:08:05 -0700, li...@lazygranch.com stated: > >> This will pull these hackers off your maillog. >> bzgrep -e auth=0/1 maillog* | sed 's/.*\[\([^]]*\)\].*/\1/g' >iplist >> sort iplist | uniq > Great idea. I modified it slightly since th

Re: Open relay

2016-10-22 Thread Allen Coates
On 22/10/16 17:27, /dev/rob0 wrote: > On Sat, Oct 22, 2016 at 11:19:36AM -0500, Paul Schmehl wrote: >> --On October 22, 2016 at 12:16:33 PM +0200 Paul van der Vlis >> wrote: >>> Op 22-10-16 om 04:32 schreef Bill Cole: /127\.0\.0\.1/REJECT you are not me >>> Thanks, a great idea to hav

OT: "X-PHP-Script" header

2016-10-24 Thread Allen Coates
Over the weekend I had three spam messages get through to my in-box. Two contained an "X-PHP-Script" header one was X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152 and the other X-PHP-Script: 118k.org/wp-content/plugins/formidabl

Re: OT: "X-PHP-Script" header

2016-10-24 Thread Allen Coates
On 24/10/16 17:37, Jan Ceuleers wrote: > On 24/10/16 18:29, Allen Coates wrote: >> Over the weekend I had three spam messages get through to my in-box. Two >> contained an "X-PHP-Script" header >> >> one was >> X-PHP-Script: >> folar.org

Re: OT: "X-PHP-Script" header

2016-10-25 Thread Allen Coates
Many thanks for your explanation. And here was I, thinking I had found a new spam-killer. :-( Allen C On 25/10/16 00:35, Bill Cole wrote: > On 24 Oct 2016, at 12:29, Allen Coates wrote: > >> >> Over the weekend I had three spam messages get through to my in-box. Two >

Re: SV: block emails which pretend to originate from my domain

2016-11-18 Thread Allen Coates
I also receive a fair amount of spam where the HELO is either my domain name or my public-facing IP address. I block this as an additional precaution. smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/volume1/Config/postfix/helo_access, . . . /volume1/Config/postfix/he

Re: Postfix and IPV6

2016-11-19 Thread Allen Coates
An fe80:: IP address is not formally attached to any particular interface. It "just happens" as part of the autoconfigure regime. To use one in a listen or bind type statement, you would have to expressly state which interface you wish to use. For example, you need to use the argument "-I eth0" (

Strange log entry

2016-11-30 Thread Allen Coates
Hello all From time to time I see a strange log entry: 2016-11-30T10:40:43+00:00 geronimo postfix/postscreen[20844]: warning: getpeername: Transport endpoint is not connected -- dropping this connection Can someone explain what this means, please. Is there anything I could/should do about it?

Re: Strange log entry

2016-11-30 Thread Allen Coates
On 30/11/16 11:45, Wietse Venema wrote: > Allen Coates: >> Hello all >> >> From time to time I see a strange log entry: >> >> 2016-11-30T10:40:43+00:00 geronimo postfix/postscreen[20844]: warning: >> getpeername: Transport endpoint is not connected -- dr

Re: Stopping compromised accounts

2016-12-06 Thread Allen Coates
On 06/12/16 01:52, Alex wrote: > Hi, > > I have a postfix-3.0.5 system with a few hundred users. They have > access to submission, webmail, and dovecot to send and receive mail. > > On occasion, user's local desktop are compromised, and with it their > account on this system. This leads to their

Re: Autoresponder?

2017-01-17 Thread Allen Coates
> On 2017-01-16 13:49, @lbutlr wrote: >> I have an email account that belonged to someone who died recently. >> Rather than simply shutdown the account and bounce all future emails, >> the family would like some sort of automated messages for at least a >> few months saying something like “ died i

Re: Fallback to IPV4 in case of IPV6 is not available

2017-03-26 Thread Allen Coates
On 25/03/17 14:43, Wietse Venema wrote: > Postfix can be configured to try IPv6 before IPv4 (with > smtp_address_preference), but that feature is independent from > routing features such as transport_maps, smtp_fallback_relay, and > so on. That is, there are no ipv6_transport_maps or > ipv4_smtp_

Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have also noticed an increase of "bad connections" to my server. Fortunately, very few get past postscreen - I heartily recommend its use. Allen C On 28/03/17 22:00, Daniele Nicolodi wrote: > Hello, > > this is not strictly Postfix related, but I don't know how to get in > contact with a simil

Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have a script that does a simple "head-count" over the last 1500 maillog entries. Just now it showed the following results: Nuisance hosts blocked by firewall:97 Connections handled by Postscreen:134 Black-listed Locally:10 Black-listed by DNSBL:94 Pre

Re: Alert Trend Micro reputation LIST QIL

2017-04-28 Thread Allen Coates
If you check your IP address on THEIR look-up page - https://www.ers.trendmicro.com/reputations - it will tell you WHY you are black-listed. For example, my own IP4 address is in their "Dynamic User List" - not surprising, as I am a domestic user with a personal mail server. Hope this helps Al

Re: Optimising new system and postscreen questions

2017-05-01 Thread Allen Coates
On 01/05/17 13:17, Simon Wilson wrote: > > 3. Any other ways to speed it up, or should I accept the trade-off > between speed and accuracy of result? > If you can create a postscreen white-list of your "regular" remote hosts, they will be almost instantly passed on to the mail server. Hope this

Re: Forged FROM Adresses deny based on actual user?

2017-05-07 Thread Allen Coates
On 07/05/17 17:12, BlackIce_ wrote: > Lately I have been getting SPAM mails that mimic our typical address > (i.e. user@domain) Ideally, the postfix server should only accept mail > from ACTUAL users (or aliases to users) on the server. > > Is there a config change that can accomplish this easily? S

Re: Limit the damage of a hacked sender acount

2017-06-24 Thread Allen Coates
On 24/06/17 00:37, Daniel Miller wrote: > I had a couple of accounts with too simple passwords hacked. And > obviously my mail server is entirely too efficient - I think about 50k > spams got blasted out before I caught it (because we got in the DNSBL's). > > Separate from improving the password

Re: Block forged addresses

2017-07-14 Thread Allen Coates
On 14/07/17 10:28, Abi Askushi wrote: > Hi all, > > I was wondering what choices are there to block forged sender email > addresses. > > I was thinking SPF could assist. > The other option I saw is reject_sender_login_mismatch in postfix. * > * > Do you have any other suggestion? > > Many thanx >

Re: postscreen fail2ban filter

2017-07-17 Thread Allen Coates
On 17/07/17 16:43, Scott Techlist wrote: > As I watch the bots and spammers hammer my server with connection attempts, > I figured I might as well stop them even closer to the front door when they > try repeatedly. > > I have fail2ban running already and once I enabled postscreen it didn't seem >

Re: postscreen fail2ban filter

2017-07-17 Thread Allen Coates
On 17/07/17 21:04, Scott Techlist wrote: >> Postscreen logs DISCONNECT for clients that PASS the "after 220 greeting" >> tests (bare newline, non-SMTP command, pipelining). > Exactly what I was afraid of, thanks for the confirmation. > >> I don't think there is much to gain from parsing postscreen

Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
For a while I tried a local black-list based on the senders of bounced emails. It was deployed using "check_sender_access ". Using the whole email address didn't work - I never saw the same sender twice; and using just the domain part gave me more false positives than true. A more targeted list, c

Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
On 03/08/17 11:55, Matus UHLAR - fantomas wrote: > You apparently mean something like check_sender_mx_access (reject when MX > server of sending domain points to blacklisted IP) or maybe > check_sender_a_access (similar), but with dnsbl lookups. > > Doing it on MX would require dnsbl lookups for ea

Re: Strategies for using backup MX records

2017-08-17 Thread Allen Coates
On 17/08/17 13:38, Chris Green wrote: > I run Postfix on a home server which is on all the time of course but, > as it's connected via a 'domestic' broadband service it's not a 100% > reliable connection. There are also times when I reconfigure things > (e.g. upgrade the server) that cause downti

Re: Strategies for using backup MX records

2017-08-17 Thread Allen Coates
The thing I liked about my pop-3 solution was, if my server blew up and I had to rebuild from scratch with new hardware, I could still read my emails via my (almost redundant) ISP account Allen C On 17/08/17 16:10, Chris Green wrote: > On Thu, Aug 17, 2017 at 02:24:45PM +0100, Allen Coates wr

Postscreen temporary whitelist

2017-08-23 Thread Allen Coates
Is there any way of reducing the TTL of the postscreen temporary whitelist? I am having problems with spammers repeatedly getting through postscreen with a "PASS OLD" result. While I can't stop them trying, at least I can cost them time by making them run the full postscreen gauntlet more frequen

Re: Postscreen temporary whitelist

2017-08-24 Thread Allen Coates
ietse Venema wrote: > Allen Coates: >> Is there any way of reducing the TTL of the postscreen temporary whitelist? > > As of Postfix 3.1, these are the defaults: > > postscreen_bare_newline_ttl = 30d > postscreen_dnsbl_max_ttl = > ${postscreen_dnsbl_t

Postscreen Feature Request

2017-09-02 Thread Allen Coates
GIVEN THAT, when the Postscreen internal SMTP engine is invoked, the decision to reject the message has already been made; It seems to me that this is an opportunity to tar-pit the (bad) remote host, diminishing spam throughput, and eroding the host's useful life-span. I SUGGEST, therefore, that a

Re: Postscreen Feature Request

2017-09-02 Thread Allen Coates
On 02/09/17 22:03, Wietse Venema wrote: > > Surprise: I already solved that problem: postscreen would hand off > the _decrypted_ session to the tarpitting daemon :-) > How would you optionally hand off to the tarpit daemon, instead of to postfix? Allen C

Re: Postscreen Feature Request

2017-09-02 Thread Allen Coates
On 03/09/17 00:43, Wietse Venema wrote: > On 02/09/17 22:03, Wietse Venema wrote: >> Surprise: I already solved that problem: postscreen would hand off >> the _decrypted_ session to the tarpitting daemon :-) > > Allen Coates: >> How would you optionally hand off to th

Re: Postscreen exceptions and blacklisting

2017-09-08 Thread Allen Coates
In your exceptions list, use ACCEPT or REJECT; DUNNO means "let something else decide" ... Allen C On 08/09/17 09:36, Nikolaos Milas wrote: > Hello, > > I have tried to whitelist some servers for postscreen, but I notice that > they continue to get blocked if they are blacklisted. > > What I a

Re: Ban IP or Host

2017-10-16 Thread Allen Coates
To limit repeating offenders, you might like to try playing with smtpd_client_connection_count_limit, smtpd_client_connection_rate_limit, and anvil_rate_time_unit For my quiet (domestic) server, I have set limits of two simultaneous connections, and twelve connections per hour. If a remote host

Re: Regarding ciphers

2017-11-23 Thread Allen Coates
On 23/11/17 09:30, Jonathan Sélea wrote: > My question is, can I improve this further or do you guys/girls have any > opinion regarding this? > I am grateful for all comments, tips or other suggestions :) > > / Jonathan > If the remote host does not support the cyphers you deploy, then you ha

Re: Regarding ciphers

2017-11-23 Thread Allen Coates
On 23/11/17 09:30, Jonathan Sélea wrote: > > My question is, can I improve this further or do you guys/girls have any > opinion regarding this? > I am grateful for all comments, tips or other suggestions :) > > / Jonathan > Thinking at a tangent, if your messages are particularly sensitive, y

Message Rejection

2017-12-06 Thread Allen Coates
Is there any way of making a bad email address (eg a spam-trap) reject an entire multi-destination transaction? If one RCPT TO command is to a spamtrap address, then that message will be spam; you do not want it being delivered to any other (genuine) RCPT TO destinations. Allen C

Re: PSA University of Michigan research IP space

2017-12-08 Thread Allen Coates
On 08/12/17 03:59, Viktor Dukhovni wrote: > > >> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote: >> >> http://researchscan288.eecs.umich.edu/ >> I never could find the research IP space and my email went unanswered. >> I just blocked the whole university. Link has the IP space as listed

Re: Best practice when setting up a mail relay

2018-01-06 Thread Allen Coates
On 06/01/18 18:27, Jonathan Sélea wrote: > For example: > www.siteA.xyz on ServerY is hacked and someone is using mail() in order > to send hundreds of thousands email via localhost - that is relayed to > the smtp relay (that only accepts mail from internal servers). And > instead of relaying th

Re: Question regarding smtpd DNS resolution

2018-02-05 Thread Allen Coates
On 05/02/18 00:12, Viktor Dukhovni wrote: > > >> On Feb 4, 2018, at 5:46 PM, J Doe wrote: >> >> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname >> 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not >> known >> >> Does this mean that: >> >> 1. smtpd recei

Re: Greylisting?

2018-03-12 Thread Allen Coates
Late last year I tried the Postscreen "deep protocol tests" as a primitive form of greylisting; It was a high-maintenance exercise for minimal benefit and I have since stopped using it. Google and the like, use a different mail server for each connect attempt. You need an actively maintained whit

Re: How to white list

2018-07-23 Thread Allen Coates
On 23/07/18 21:17, dur...@mgtsciences.com wrote: > I have whitelisted the ip in postscreen_access.cidr. I can see the > 'whitelisted' for postscreen in log. > But it does not get past smtpd. > > I do not want to remove reject_invalid_helo_hostname as this really opens > up more spam. So how

Re: What is postscreen_dnsbl_reply_map use for?

2018-09-23 Thread Allen Coates
On 23/09/18 15:46, Bill Cole wrote: > On 23 Sep 2018, at 10:13 (-0400), John anderson wrote: > >> What is the meaning of `postscreen_dnsbl_reply_map` in postscreen (postfix) ? >> I've read from documentation: >> >>> if your DNSBL queries have a "secret" in the domain name, you must censor >>> t

Could you please explain a warning message

2018-10-08 Thread Allen Coates
Yesterday I saw the following warning message in my logs:- 2018-10-06T14:11:19+01:00 geronimo postfix/postscreen[8194]: warning: psc_cache_update: btree:/var/lib/postfix/postscreen_cache update average delay is 151 ms A tenth of a second is an ENORMOUS delay for an SSD, and my immediate thought

Re: Could you please explain a warning message

2018-10-08 Thread Allen Coates
Allen C On 08/10/18 12:03, Ralf Hildebrandt wrote: > * Allen Coates : >> Yesterday I saw the following warning message in my logs:- >> >> 2018-10-06T14:11:19+01:00 geronimo postfix/postscreen[8194]: warning: >> psc_cache_update: btree:/var/lib/postfix/postscreen_cac

Re: how set postfix server as non-functional

2018-10-25 Thread Allen Coates
On 25/10/18 07:33, Viktor Dukhovni wrote: > On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote: > >> Hi. I heard that having a non-functional server as the primary MX is a >> well-known trick to reduce the amount of incoming spam, as most software >> used by spammers will only eve

Re: how set postfix server as non-functional

2018-10-25 Thread Allen Coates
On 25/10/18 11:12, Viktor Dukhovni wrote: >> On Oct 25, 2018, at 5:55 AM, Allen Coates wrote: >> >> There are some anti-spam projects which offer MXes for your use. >> You set one up with the LOWEST priority (your "MX of last resort"); If a >> messa

Re: Postscreen concurrency limits

2018-12-14 Thread Allen Coates
On 14/12/2018 06:13, Viktor Dukhovni wrote: > > >> On Dec 13, 2018, at 8:25 PM, Alex wrote: >> >> We had a Mimecast user report today that their mail was being rejected >> with a 4.7.0 "too many connections" error. This is a "soft" error, in >> that the mail client will later attempt to resen
