> On 06 Apr 2016, at 13:52, Michiel van Es <m...@pragmasec.nl> wrote:
>
>
>> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>>
>>
>>
>>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>>
>>> Hello,
>>>
>>> I also posted this as an issue to the OpenSMTPD github repo but somebody
>>> told me that the mailing list would be more accurate to post this question
>>> to (I will remove the github issue if preferred).
>>>
>>> It seems whenever I use filter-dnsbl with several hostnames, the lookups
>>> always fail.
>>> I tried using ipv6 lookups (although this is something opensmtpd does
>>> right?) and have the latest version of the master branch of
>>> OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier
>>> similar issue?).
>>
>> All v6 addresses are just accepted by filter-dnsbl.
>> There is no lookup happening for v6 addresses
>> (just not implemented).
>
> ok, then I won't use IPv6 for now :)
>
>>
>>> The error I get is:
>>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>>> filter-pause[1337]: debug: on_connect: sleeping 5
>>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>>> smtp-in: Closing session 81cf3e1a4d9ef916
>>> debug: smtp: 0x24460a0: deleting session: done
>>
>> This looks legit.
>> Have you tried to look up/verify the IP manually
>> at the time this happened, was it listed?
>
> No and I know this IP (it's the MX for my company and they/we do checks via
> Nagios on most DNSBLs)
> A lookup shows:
>
> 185.14.168.222 is not listed in the SBL
> 185.14.168.222 is not listed in the PBL
> 185.14.168.222 is not listed in the XBL
>
> or PTR
>
> 222.168.14.185.zen.spamhaus.org is not listed in the DBL
>
> I tried this config with the Google DNS servers and using a caching localhost
> dns (with forwarders to OpenNIC servers) - no difference
Also tried with some more debugging and now tried the default SORBS dnsbl, the result (with strace and smtpctl trace all):

r_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter-pause[9835]: debug: on_connect: sleeping 5
filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-pause[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:filter-regex[hooks=0xffffffff,flags=0x0000] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-regex[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter-dnsbl-sorbs[9834]: debug: on_connect: checking 222.169.14.185.dnsbl.sorbs.net.
filter-dnsbl-sorbs[9834]: warn: session 511e5d1ea5ee10d1: event_dispatch: REJECT address
filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: filter_end_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: query 511e5d1fe40dcd9c done: status=FILTER_CLOSE code=554 response="5.7.1 Address in DNSBL"
smtp: 0x20ae090: >>> 554 5.7.1 Address in DNSBL
smtp-in: Failed command on session 511e5d1ea5ee10d1: "" => 554 5.7.1 Address in DNSBL
smtp: 0x20ae090: STATE_CONNECTED -> STATE_QUIT
smtp: 0x20ae090: IO_LOWAT <io:0x20ae0d8 fd=4 to=300000 fl=W ib=0 ob=0>
smtp-in: Closing session 511e5d1ea5ee10d1
debug: smtp: 0x20ae090: deleting session: done

The hostname is interesting, it seems to do a lookup of 222.169.14.185.dnsbl.sorbs.net.
=> on_connect: checking 222.169.14.185.dnsbl.sorbs.net.

Of course the . at the end makes it an invalid hostname and a check on SORBS tells me the same:
Bad host/domain 222.169.14.185.dnsbl.sorbs.net.

Using without the . at the end I get:
[222.169.14.185.dnsbl.sorbs.net] Not found in the database

Trying the IP and the hostname of the MX:
[185.14.169.222/32] Not found in the database
&
[pro-mail-smtp-002.bol.com] Not found in the database

So I am a little bit lost here what is going wrong with the lookups..
Can I have more debugging of the filter-dnsbl option?
>
>>
>>> My (snippet of relevant) config is:
>>>
>>> # filters
>>> filter filter-pause pause
>>> filter filter-regex regex
>>> #filter filter-dnsbl-sorbs dnsbl
>>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>>> filter filter-spamassassin spamassassin "-s accept"
>>> filter filter-clamav clamav
>>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>> filter sub chain filter-pause filter-spamassassin filter-clamav
>>> # pki/ssl/certs
>>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>> # listen
>>> listen on lo
>>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>>> # queue expiry
>>> expire 7d
>>> # virtual domains and users
>>> table vdomains "/usr/local/etc/vdomains"
>>> table vusers "/usr/local/etc/vusers"
>>> # our accepted relays
>>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>> accept from local for any relay
>>>
>>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>>>
>>> What can I do to troubleshoot or further investigate this?
>>
>> Validate manually with a listed and non-listed IP.
>> Try to rule out local resolving problems.
>
> It seems everything is listed through the filter rule.. even using Gmail or
> other big mail servers.
>
>>
>>> Are there any other spam filters that I can use or might be handy to follow
>>> RFCs? For example I do use some HELO checks but I think there might be
>>> more than the ones I have:
>>>
>>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>>> # skipping address literals
>>> helo ! ^\[
>>> helo ^\.
>>> helo \.$
>>> helo ^[^\.]*$
>>
>> In general OpenSMTPD is RFC conform.
>> This helo check is just an additional hard restriction.
>>
>> There are other restrictions possible like enforcing
>> line lengths or forcing valid reverse lookups, but
>> these might not help but likely break legit mails.
>
> Hmm then I keep it as is, thanks for the feedback!
>
>>
>>> Michiel
>>> --
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>>>
>>
>
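The manual validation Joerg suggests above (check a listed and a non-listed IP, rule out local resolving) as an added Python example, not code from OpenSMTPD or filter-dnsbl: it builds the reversed-octet query name the filter logs, skips IPv6 the way the thread says the filter does, uses the RFC 5782 test addresses 127.0.0.2 (always listed) and 127.0.0.1 (never listed), and separates NXDOMAIN from a real listing and from the 127.255.255.x error answers Spamhaus returns for refused queries, which a public resolver such as Google DNS can trigger. The stub answers are constructed; pass system_resolve to run the same checks through the resolver the filter actually uses.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
# Constructed stub of resolver answers so the check runs offline. RFC 5782: 127.0.0.2
# MUST be listed in every DNSBL, 127.0.0.1 MUST NOT. Spamhaus answers in 127.255.255.0/24
# are error codes (e.g. query refused from a public resolver), not listings.
STUB_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2"],
    "222.168.14.185.zen.spamhaus.org": ["127.255.255.254"],  # constructed sample
}

def dnsbl_query_name(ip: str, zone: str) -> Optional[str]:
    """185.14.168.222 + zen.spamhaus.org -> 222.168.14.185.zen.spamhaus.org.
    Returns None for IPv6, mirroring filter-dnsbl, which accepts v6 without a lookup."""
    if ipaddress.ip_address(ip).version != 4:
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone.strip(".")

def stub_resolve(name: str) -> List[str]:
    """Stand-in resolver: raises socket.gaierror for NXDOMAIN like the real one."""
    answers = STUB_ANSWERS.get(name.rstrip("."))  # a trailing dot is an absolute name
    if answers is None:
        raise socket.gaierror("NXDOMAIN")
    return answers

def system_resolve(name: str) -> List[str]:
    """Real lookup through the host's resolver, i.e. what the filter process sees."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]

def dnsbl_check(ip: str, zone: str, resolve: Callable = stub_resolve) -> str:
    """Return 'skipped' (IPv6), 'not-listed', 'listed' or 'error:<answer>'."""
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return "skipped"
    try:
        answers = resolve(name)
    except socket.gaierror:
        return "not-listed"  # NXDOMAIN is the normal "clean" result
    for a in answers:
        if ipaddress.ip_address(a) in ipaddress.ip_network("127.255.255.0/24"):
            return "error:" + a  # DNSBL error code, not a listing
        if ipaddress.ip_address(a) not in ipaddress.ip_network("127.0.0.0/8"):
            return "error:" + a  # non-loopback answer: wildcarding/hijacking resolver
    return "listed"

def validate_zone(zone: str, resolve: Callable = stub_resolve) -> bool:
    """RFC 5782 sanity check of a zone through the given resolver."""
    return (dnsbl_check("127.0.0.2", zone, resolve) == "listed"
            and dnsbl_check("127.0.0.1", zone, resolve) == "not-listed")
```

If validate_zone("zen.spamhaus.org", system_resolve) fails on the mail host while it passes elsewhere, the problem is the resolver path, not the filter.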