On 2025-08-31 08:06, Viktor Dukhovni via mailop wrote:
> On Sun, Aug 31, 2025 at 02:44:48PM +0200, Antonin Verrier via mailop wrote:
> 
>> I have a customer that has their email hosted by Gandi (French domain
>> registrar/hosting company) and can't send out emails because Gandi are using
>> a subset of Spamhaus' RBL (XBL/SBL it seems) to filter access to mail
>> submission (SMTPSA on port 465).
> 
> Actually, this is reasonable, I do the same on my submission server.
> The XBL and SBL are not the PBL.  While vast swaths of dynamic consumer
> IP space are PBL listed, they are rarely XBL or SBL listed.
> 
> So my Postfix MSA rejects XBL-listed clients:
> 
>      submission inet  n       -       n       -       -       smtpd
>          -o smtpd_delay_reject=no
>          -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>          ...
> 
> Somewhat reducing the log noise due to futile SASL brute-forcing
> attempts.


Highly recommend using RBLs for port 587/465 submission; there are special RBLs 'just' for authentication out there as well, including SpamRats RATS-AUTH.

And of course, you can use DROP lists from various RBLs to protect your whole server, or on a port-by-port basis.

Those lists are not intended to ever have 'access points', or CGNAT addresses which can be dynamic or shared.

And given the number of actors using open proxies, you might like to include those in your ACLs (eg RATS-PROXY).

For dynamic/NAT addresses, of course, other methods should be implemented, but you will greatly reduce 'hacking' and BEC compromise, and lower noise in the logs.

NOTE: You can find open proxies on home-style connections as well, which certain actors prefer, and this is becoming more of a threat again for bot activity. Compromised personal browsers that steal credentials and insert malware are the hardest to address, and can even bypass certain 2FAs, but when you reduce the 'noise' it is easier to create alerts to detect unexpected behavior. And yes, it's hard to do global auth rate limiting per IP or IP/EHLO combinations or 'fail2ban', especially for CGNAT or large shared IP sources (think airports and coffee shops) without collateral damage, but volumes are a lot less.

While extremely inconvenient to users, single-use pass codes are also an option.



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
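The Postfix snippet quoted above matches only the single Zen return code 127.0.0.4, so the distinction the thread draws (reject XBL/SBL-listed submission clients, but not PBL-listed ones, since PBL covers ordinary dynamic consumer space) is worth making explicit. The following is an added illustration, not code from the thread or from Postfix: it classifies Zen answers by component list using the return codes Spamhaus publishes, treats the 127.255.255.x error codes as "not listed", and decides a submission-port verdict. The `resolve` hook is a hypothetical parameter so the logic can be exercised with constructed answers.

```python
import socket

# Zen A-record answers and the component list each one signals (return codes as
# published by Spamhaus; CSS and legacy XBL sub-codes folded into their parent).
ZEN_LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Lists whose hit should block a submission client: compromised hosts (XBL) and
# known spam sources (SBL). PBL is deliberately excluded: it covers the dynamic
# consumer ranges that legitimate authenticated users submit from.
SUBMISSION_REJECT = {"XBL", "SBL"}

def zen_name(ip: str) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".zen.spamhaus.org"

def listed_in(answers):
    """Map A-record answers to the set of Zen lists they denote. Anything not in
    the table (including the 127.255.255.x codes for refused queries, open
    resolvers and over-quota) is ignored so a DNSBL problem never becomes a
    false positive."""
    return {ZEN_LISTS[a] for a in answers if a in ZEN_LISTS}

def submission_verdict(answers) -> str:
    """'reject' if any XBL/SBL hit is present, otherwise 'allow' (PBL-only included)."""
    return "reject" if listed_in(answers) & SUBMISSION_REJECT else "allow"

def check_submission_client(ip: str, resolve=None) -> str:
    """Look up `ip` in Zen and return the verdict. `resolve` (hypothetical hook)
    takes a query name and returns its A records; default is a live lookup."""
    def live(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:   # NXDOMAIN: not listed
            return []
    return submission_verdict((resolve or live)(zen_name(ip)))
```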

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop