> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>> Hello,
>>
>> I also posted this as an issue to the OpenSMTPD github repo but somebody
>> told me that the mailing list would be more accurate to post this question to
>> (I will remove the github issue if preferred).
>>
>> It seems whenever I use filter-dnsbl with several hostnames, the lookups
>> always fail.
>> I tried using ipv6 lookups (although this is something opensmtpd does
>> right?) and have the latest version of the master branch of OpenSMTPD-Extras
>> (where this ipv4/ipv6 problem was solved with an earlier similar issue?).
>
> All v6 addresses are just accepted by filter-dnsbl.
> There is no lookup happening for v6 addresses
> (just not implemented).

ok, then I won’t use IPv6 for now :)

>> The error I get is:
>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>> filter-pause[1337]: debug: on_connect: sleeping 5
>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>> smtp-in: Closing session 81cf3e1a4d9ef916
>> debug: smtp: 0x24460a0: deleting session: done
>
> This looks legit.
> Have you tried to lookup/verify the IP manually
> at the time this happened, was it listed?

No and I know this ip (it's the MX for my company and they/we do checks via Nagios on most DNSBLs)
A lookup shows:
185.14.168.222 is not listed in the SBL
185.14.168.222 is not listed in the PBL
185.14.168.222 is not listed in the XBL or PTR 222.168.14.185.zen.spamhaus.org is not listed in the DBL

I tried this config with the Google DNS servers and using a caching localhost dns (with forwarders to OpenNIC servers) - no difference

>> My (snippet of relevant) config is:
>>
>> # filters
>> filter filter-pause pause
>> filter filter-regex regex
>> #filter filter-dnsbl-sorbs dnsbl
>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>> filter filter-spamassassin spamassassin "-s accept"
>> filter filter-clamav clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter sub chain filter-pause filter-spamassassin filter-clamav
>> # pki/ssl/certs
>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> # listen
>> listen on lo
>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>> # queue expiry
>> expire 7d
>> # virtual domains and users
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> # our accepted relays
>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>>
>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>>
>> What can I do to troubleshoot or further investigate this?
>
> Validate manually with a listed and non-listed IP.
> Try to rule-out local resolving problems.

It seems everything is listed through the filter rule..even using Gmail or other big mail servers.

>> Are there any other spam filters that I can use or might be handy to follow
>> RFCs? For example I do use some HELO checks but I think there might be more
>> than the ones I have:
>>
>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>> # skipping address literals
>> helo ! ^\[
>> helo ^\.
>> helo \.$
>> helo ^[^\.]*$
>
> In general OpenSMTPD is RFC conformant.
> This helo check is just an additional hard restriction.
>
> There are other restrictions possible like enforcing
> line lengths or forcing valid reverse lookups, but
> these might not help but likely break legit mails.

Hmm then I keep it as is, thanks for the feedback!

>> Michiel
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
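
Added example, not part of the original thread and not code from OpenSMTPD or OpenSMTPD-Extras: one way to do the manual validation suggested above, checking a zone with the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not be) and separating a real listing from a resolver that answers every name. The function names are hypothetical, the resolvers in the demo are constructed, and treating 127.255.255.0/24 as error codes rather than listings follows Spamhaus's documented convention and is an assumption for any other zone.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")  # assumption: Spamhaus error range

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as in the filter's debug line."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for IPv6 or garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".") + "."

def system_resolve(name):
    """A records from the system resolver; an empty list means NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and SERVFAIL must not be read as "not listed"
    return sorted({info[4][0] for info in infos})

def classify(answers):
    """Turn the A records of one DNSBL query into a verdict."""
    if not answers:
        return "not-listed"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):
        return "resolver-interference"  # RFC 5782 answers live in 127.0.0.0/8
    if any(a in ERROR_CODES for a in addrs):
        return "dnsbl-error"  # query refused or malformed, not a listing
    return "listed"

def check(ip, zone, resolve=system_resolve):
    """Return (query name, raw answers, verdict) for one address."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    return name, answers, classify(answers)

def zone_sane(zone, resolve=system_resolve):
    """True only if both RFC 5782 test points behave as required."""
    return (check("127.0.0.2", zone, resolve)[2] == "listed"
            and check("127.0.0.1", zone, resolve)[2] == "not-listed")

if __name__ == "__main__":
    zone = "zen.spamhaus.org"
    # Constructed resolver that answers every name with the same address.
    wildcard = lambda name: ["198.51.100.7"]
    print(zone_sane(zone, wildcard), check("185.14.168.222", zone, wildcard))
    # Drop the resolve argument to query through the system resolver instead.
```

If `zone_sane` is false for a resolver, per-address results obtained through that resolver say nothing about whether the address is actually listed.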