subject:"Re\: re\-route mails on demand during block of ip address"

Re: re-route mails on demand during block of ip address

2020-03-10 Thread Viktor Dukhovni

On Tue, Mar 10, 2020 at 05:18:01PM -0500, Noel Jones wrote:

> On 3/10/2020 4:55 PM, Stefan Bauer wrote:
> > 
> > i know this is quite old, but
> > smtp_fallback_relay should only get triggered on 
> > undeliverable-events and not when remote replies with a 4xx or 5xx - 
> > right?

Not quite.  When a delivery via the primary nexthop tempfails, the
fallback relay is used:

smtp_mx_session_limit (default: 2)
The maximal number of SMTP sessions per delivery request before the
Postfix SMTP client gives up or delivers to a fall-back relay host, or
zero (no limit). This restriction ignores sessions that fail to
complete the SMTP initial handshake (Postfix version 2.2 and earlier)
or that fail to complete the EHLO and TLS handshake (Postfix version
2.3 and later).

With 5xx, of course, the message the message is normally immediately
bounced (modulo soft_bounce and all that).

-- 
Viktor.

Re: re-route mails on demand during block of ip address

2020-03-10 Thread Noel Jones


On 3/10/2020 4:55 PM, Stefan Bauer wrote:

Hi Noel,

i know this is quite old, but
smtp_fallback_relay should only get triggered on 
undeliverable-events and not when remote replies with a 4xx or 5xx - 
right?






That's what the docs say, which implies my off-the-cuff crappy 
workaround is misguided.

http://www.postfix.org/postconf.5.html#smtp_fallback_relay

So the solution is to use a better ISP.



  -- Noel Jones




Am Freitag, 31. Mai 2019 schrieb Noel Jones >:

 > On 5/31/2019 1:48 AM, Stefan Bauer wrote:
 >>
 >> Hi,
 >>
 >> I'm running a pair of postfix-servers in different data-centers 
(different ip networks) for outgoing-only delivery. once in a while 
my providers /22 appear on public blacklists, so mails from my nodes 
also gets rejected.

 >>
 >> For this, i have now a third backup-instance in another data 
center that is not visible to my users and only fairly with dummy 
mails used to keep reputation up and good. Howto re-route traffic on 
demand with postfix in case, ip-networks get blocked again?

 >>
 >> How do others handle this?
 >>
 >> Thank you.
 >>
 >> Stefan
 >
 >
 > Much better to send all your mail via the ISP that doesn't get 
their whole space blocked, rather than a crappy workaround.

 >
 > For a crappy workaround, you can use smtp_reply_filter to turn 
5xx rejects due to blacklists into 4xx temp failures, then use 
smtp_fallback_relay to send the temp failures to your backup 
server.  This will send other mail to the backup server, such as 
greylisted mail or mail that temp fails for unrelated reasons. Try 
to make your reply filter narrow enough that it doesn't transform 
rejects for non-rbl reasons, such as unknown recipient.

 >
 > http://www.postfix.org/postconf.5.html#smtp_reply_filter
 > http://www.postfix.org/postconf.5.html#smtp_fallback_relay
 >
 >
 >
 >   -- Noel Jones
 >

Re: re-route mails on demand during block of ip address

2019-05-31 Thread @lbutlr

On 31 May 2019, at 11:12, Stefan Bauer  wrote:
> thank you for your reply. You know, in real world, ips/ranges get blocked 
> from time to time 

Not be legitimate RBLs they don't unless you are actually sending spam. If more 
IPs than just you mail server are getting blocked, then you probably need to 
get a new NSP that doesn't tolerate spammers.

If you want to send mail to others you pretty much need to meet these criteria.

Fixed IP with valid rDNS
NSP that does not allow spammers
A valid secure configuration on your server (no open relay)
Not be sending spam yourself

If you can't meet all of those, then you need to rely on someone else who does 
meet those minimums to send mail on your behalf.

I've been through several IP changes over the years and the only RBL that haas 
ever listed me was barracuda, which was coincidently after I replied to one of 
their marketing emails 
with "fuck off" but even that was more than a decade ago.

-- 
'Detectoring is like gambling,' said Vimes, putting down the clove. 'The
secret is to know the winner in advance.'

Re: re-route mails on demand during block of ip address

2019-05-31 Thread Blake Hudson

The majority of blacklists work on the individual host level (IPv4 /32 
or IPv6 /64). If your provider's entire /22 is being listed by public 
blacklists then I suspect you either have a very disreputable provider 
or the provider has indicated that the /22 is intended for use by 
residential/dynamic subscribers only (not for mail servers). Most of the 
folks with the "bigger" setups you asked about tend to use reputable 
providers, use internet connections intended for servers, or obtain 
their own IP space. If you intend to operate an email server, you might 
want to find a provider whose policies allow you to do so reliably.

Stefan Bauer wrote on 5/31/2019 12:12 PM:

Hi Noel,

thank you for your reply. You know, in real world, ips/ranges get 
blocked from time to time and i would like to be ready for this and 
not rely on others :)
The workaround looks indeed crappy - i wonder how others handle this 
situation in "bigger" setups? I'm currently having 7000-8000 mails / day.

Stefan

Am Fr., 31. Mai 2019 um 18:37 Uhr schrieb Noel Jones 
mailto:njo...@megan.vbhcs.org>>:

On 5/31/2019 1:48 AM, Stefan Bauer wrote:
> Hi,
>
> I'm running a pair of postfix-servers in different data-centers
> (different ip networks) for outgoing-only delivery. once in a while
> my providers /22 appear on public blacklists, so mails from my
nodes
> also gets rejected.
>
> For this, i have now a third backup-instance in another data center
> that is not visible to my users and only fairly with dummy mails
> used to keep reputation up and good. Howto re-route traffic on
> demand with postfix in case, ip-networks get blocked again?
>
> How do others handle this?
>
> Thank you.
>
> Stefan

Re: re-route mails on demand during block of ip address

2019-05-31 Thread Stefan Bauer

Hi Noel,

thank you for your reply. You know, in real world, ips/ranges get blocked
from time to time and i would like to be ready for this and not rely on
others :)
The workaround looks indeed crappy - i wonder how others handle this
situation in "bigger" setups? I'm currently having 7000-8000 mails / day.

Stefan

Am Fr., 31. Mai 2019 um 18:37 Uhr schrieb Noel Jones :

> On 5/31/2019 1:48 AM, Stefan Bauer wrote:
> > Hi,
> >
> > I'm running a pair of postfix-servers in different data-centers
> > (different ip networks) for outgoing-only delivery. once in a while
> > my providers /22 appear on public blacklists, so mails from my nodes
> > also gets rejected.
> >
> > For this, i have now a third backup-instance in another data center
> > that is not visible to my users and only fairly with dummy mails
> > used to keep reputation up and good. Howto re-route traffic on
> > demand with postfix in case, ip-networks get blocked again?
> >
> > How do others handle this?
> >
> > Thank you.
> >
> > Stefan
>
>
> Much better to send all your mail via the ISP that doesn't get their
> whole space blocked, rather than a crappy workaround.
>
> For a crappy workaround, you can use smtp_reply_filter to turn 5xx
> rejects due to blacklists into 4xx temp failures, then use
> smtp_fallback_relay to send the temp failures to your backup server.
>   This will send other mail to the backup server, such as greylisted
> mail or mail that temp fails for unrelated reasons. Try to make your
> reply filter narrow enough that it doesn't transform rejects for
> non-rbl reasons, such as unknown recipient.
>
> http://www.postfix.org/postconf.5.html#smtp_reply_filter
> http://www.postfix.org/postconf.5.html#smtp_fallback_relay
>
>
>
>-- Noel Jones
>

Re: re-route mails on demand during block of ip address

2019-05-31 Thread Noel Jones


On 5/31/2019 1:48 AM, Stefan Bauer wrote:

Hi,

I'm running a pair of postfix-servers in different data-centers 
(different ip networks) for outgoing-only delivery. once in a while 
my providers /22 appear on public blacklists, so mails from my nodes 
also gets rejected.


For this, i have now a third backup-instance in another data center 
that is not visible to my users and only fairly with dummy mails 
used to keep reputation up and good. Howto re-route traffic on 
demand with postfix in case, ip-networks get blocked again?


How do others handle this?

Thank you.

Stefan



Much better to send all your mail via the ISP that doesn't get their 
whole space blocked, rather than a crappy workaround.


For a crappy workaround, you can use smtp_reply_filter to turn 5xx 
rejects due to blacklists into 4xx temp failures, then use 
smtp_fallback_relay to send the temp failures to your backup server. 
 This will send other mail to the backup server, such as greylisted 
mail or mail that temp fails for unrelated reasons. Try to make your 
reply filter narrow enough that it doesn't transform rejects for 
non-rbl reasons, such as unknown recipient.


http://www.postfix.org/postconf.5.html#smtp_reply_filter
http://www.postfix.org/postconf.5.html#smtp_fallback_relay



  -- Noel Jones

Re: re-route mails on demand during block of ip address

Re: re-route mails on demand during block of ip address

Re: re-route mails on demand during block of ip address

Re: re-route mails on demand during block of ip address

Re: re-route mails on demand during block of ip address

Re: re-route mails on demand during block of ip address

6 matches

Site Navigation

Mail list logo

Footer information