> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
> 
> Hello,
> 
> I also posted this as an issue to the OpenSMTPD GitHub repo but somebody told 
> me that the mailing list would be more accurate to post this question to (I 
> will remove the GitHub issue if preferred).
> 
> It seems whenever I use filter-dnsbl with several hostnames, the lookups 
> always fail.
> I tried using ipv6 lookups (although this is something opensmtpd does right?) 
> and have the latest version of the master branch of OpenSMTPD-Extras (where 
> this ipv4/ipv6 problem was solved with an earlier similar issue?).

All v6 addresses are just accepted by filter-dnsbl.
There is no lookup happening for v6 addresses
(just not implemented).

> The error I get is:
> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
> filter-pause[1337]: debug: on_connect: sleeping 5
> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
> smtp-in: Closing session 81cf3e1a4d9ef916
> debug: smtp: 0x24460a0: deleting session: done

This looks legit.
Have you tried to look up/verify the IP manually 
at the time this happened? Was it listed?

> My (snippet of relevant) config is:
> 
> # filters
> filter filter-pause pause
> filter filter-regex regex
> #filter filter-dnsbl-sorbs dnsbl
> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
> filter filter-spamassassin spamassassin "-s accept"
> filter filter-clamav clamav
> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
> filter sub chain filter-pause filter-spamassassin filter-clamav
> # pki/ssl/certs
> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
> # listen
> listen on lo
> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
> # queue expiry
> expire 7d
> # virtual domains and users
> table vdomains "/usr/local/etc/vdomains"
> table vusers "/usr/local/etc/vusers"
> # our accepted relays
> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
> 
> What can I do to troubleshoot or further investigate this?

Validate manually with a listed and a non-listed IP.
Try to rule out local resolving problems.

> Are there any other spam filters that I can use or might be handy to follow 
> RFCs? For example, I do use some HELO checks but I think there might be more 
> than the ones I have:
> 
> # reject helo with leading or trailing dot, and without dots (non-FQDN)
> # skipping address literals
> helo ! ^\[
> helo ^\.
> helo \.$
> helo ^[^\.]*$

In general, OpenSMTPD is RFC-conformant. 
This HELO check is just an additional hard restriction.

There are other restrictions possible, like enforcing
line lengths or forcing valid reverse lookups, but 
these might not help and would likely break legit mails.

> Michiel
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 
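
An added example, not part of the original mail or of OpenSMTPD-Extras: a Python script for the manual validation suggested above. It builds the same query name seen in the log (`222.168.14.185.zen.spamhaus.org.`), checks the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not), and separates a real listing from a local resolving problem. Assumptions: all function names are hypothetical, treating 127.255.255.x answers as error codes follows Spamhaus's published return codes, and the IPv6 nibble names follow RFC 5782, which goes beyond what filter-dnsbl implements.

```python
import ipaddress
import socket
import sys

def dnsbl_name(ip, zone):
    """Build the DNSBL query name (RFC 5782): reversed octets or nibbles + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".") + "."

def system_resolver(name):
    """A records via the system resolver; an empty list means NXDOMAIN/no data."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise  # timeout, SERVFAIL, ...: a resolving problem, not a verdict

def check(ip, zone, resolver=system_resolver):
    """Return (query_name, verdict, answers) for one address in one zone."""
    name = dnsbl_name(ip, zone)
    try:
        answers = resolver(name)
    except OSError as exc:
        return name, "resolver-error", [str(exc)]
    if not answers:
        verdict = "not-listed"
    elif any(a.startswith("127.255.255.") for a in answers):
        verdict = "dnsbl-error"        # assumed Spamhaus error codes, not a listing
    elif all(a.startswith("127.") for a in answers):
        verdict = "listed"
    else:
        verdict = "unexpected-answer"  # e.g. a resolver rewriting NXDOMAIN
    return name, verdict, answers

def zone_sane(zone, resolver=system_resolver):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return (check("127.0.0.2", zone, resolver)[1] == "listed"
            and check("127.0.0.1", zone, resolver)[1] == "not-listed")

if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "zen.spamhaus.org"
    print("zone sane via local resolver:", zone_sane(zone))
    for ip in sys.argv[2:] or ["185.14.168.222"]:
        print(*check(ip, zone))
```

Run it on the mail server itself so the queries go through the same resolver the filter uses; if `zone_sane` is false, the verdicts for real addresses cannot be trusted.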

