> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
> 
>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>> 
>> Hello,
>> 
>> I also posted this as an issue to the OpenSMTPD GitHub repo but somebody 
>> told me that the mailing list would be more accurate to post this question to 
>> (I will remove the GitHub issue if preferred).
>> 
>> It seems whenever I use filter-dnsbl with several hostnames, the lookups 
>> always fail.
>> I tried using IPv6 lookups (although this is something OpenSMTPD does, 
>> right?) and have the latest version of the master branch of OpenSMTPD-Extras 
>> (where this IPv4/IPv6 problem was solved with an earlier similar issue?).
> 
> All v6 addresses are just accepted by filter-dnsbl.
> There is no lookup happening for v6 addresses
> (just not implemented).

OK, then I won’t use IPv6 for now :)

> 
>> The error I get is:
>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>> filter-pause[1337]: debug: on_connect: sleeping 5
>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>> smtp-in: Closing session 81cf3e1a4d9ef916
>> debug: smtp: 0x24460a0: deleting session: done
> 
> This looks legit.
> Have you tried to look up/verify the IP manually 
> at the time this happened? Was it listed?

No, and I know this IP (it's the MX for my company and they/we do checks via 
Nagios on most DNSBLs).
A lookup shows:

185.14.168.222 is not listed in the SBL
185.14.168.222 is not listed in the PBL
185.14.168.222 is not listed in the XBL

or PTR

222.168.14.185.zen.spamhaus.org is not listed in the DBL

I tried this config with the Google DNS servers and using a caching localhost 
DNS (with forwarders to OpenNIC servers) - no difference.

> 
>> My (snippet of relevant) config is:
>> 
>> # filters
>> filter filter-pause pause
>> filter filter-regex regex
>> #filter filter-dnsbl-sorbs dnsbl
>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>> filter filter-spamassassin spamassassin "-s accept"
>> filter filter-clamav clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter sub chain filter-pause filter-spamassassin filter-clamav
>> # pki/ssl/certs
>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> # listen
>> listen on lo
>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>> # queue expiry
>> expire 7d
>> # virtual domains and users
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> # our accepted relays
>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>> 
>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>> 
>> What can I do to troubleshoot or further investigate this?
> 
> Validate manually with a listed and non-listed IP.
> Try to rule-out local resolving problems.

It seems everything is listed through the filter rule... even using Gmail or 
other big mail servers.

> 
>> Are there any other spam filters that I can use or might be handy to follow 
>> RFCs? For example, I do use some HELO checks but I think there might be more 
>> than the ones I have:
>> 
>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>> # skipping address literals
>> helo ! ^\[
>> helo ^\.
>> helo \.$
>> helo ^[^\.]*$
> 
> In general, OpenSMTPD is RFC-conformant. 
> This helo check is just an additional hard restriction.
> 
> There are other restrictions possible like enforcing
> line lengths or forcing valid reverse lookups, but 
> these might not help but likely break legit mails.

Hmm, then I keep it as is, thanks for the feedback!

> 
>> Michiel
>> -- 
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>> 
> 
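
The manual validation suggested in this thread (one listed and one non-listed address, plus ruling out the resolver), as an added example that is not part of the original mail or of OpenSMTPD-Extras. It relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be); the function names are illustrative, and `system_resolve` assumes any lookup failure means "no record".

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolve(name):
    """A records from the system resolver. Assumption: any failure = no record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    """RFC 5782: a listed address answers with A records inside 127.0.0.0/8."""
    if not answers:
        return "not listed"
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    # An address outside 127/8 did not come from the list itself,
    # e.g. a resolver that rewrites NXDOMAIN into a landing-page address.
    return "bogus answer"

def check_zone(zone, resolve=system_resolve):
    """Check zone and resolver together with the RFC 5782 test entries."""
    problems = []
    if classify(resolve(dnsbl_name("127.0.0.2", zone))) != "listed":
        problems.append("test entry 127.0.0.2 is not reported as listed")
    if classify(resolve(dnsbl_name("127.0.0.1", zone))) != "not listed":
        problems.append("127.0.0.1 gets an answer: every lookup will look listed")
    return problems

if __name__ == "__main__":
    zone = "zen.spamhaus.org"           # zone taken from the config in the thread
    for p in check_zone(zone) or ["resolver and zone pass the test entries"]:
        print(p)
    name = dnsbl_name("185.14.168.222", zone)   # address from the quoted log
    print(name, "->", classify(system_resolve(name)))
```

If `check_zone` reports a problem for 127.0.0.1, the fault is in the resolver path or the zone's answers to this host, not in the sending address.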

