On 10.01.24 17:12, Nikolaos Milas via Postfix-users wrote:
> Our postfix v3.8.3 mail gateway server (for incoming mail) filters
> clients using postscreen as follows:
>
> postscreen_dnsbl_sites =
>     zen.spamhaus.org*3
>     b.barracudacentral.org*2
>     bl.spameatingmonkey.net*2
>     bl.spamcop.net
>     dnsbl.sorbs.net
>     psbl.surriel.com
>     bl.mailspike.net
>     list.dnswl.org=127.0.[0..255].0*-2
>     list.dnswl.org=127.0.[0..255].1*-3
>     list.dnswl.org=127.0.[0..255].[2..3]*-4

Here you configured 40.107.20.56 to be allowed

> and:
>
> smtpd_recipient_restrictions =
>     ...
>     reject_rbl_client b.barracudacentral.org
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client psbl.surriel.com
>     reject_rbl_client bl.spamcop.net

and yet you block it here.

>     reject_rhsbl_client dbl.spamhaus.org
>     reject_rhsbl_sender dbl.spamhaus.org
>     reject_rhsbl_helo dbl.spamhaus.org
>     permit
>
> It seems that the blacklisting services sometimes block some of
> microsoft/outlook servers. Example:
>
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
> Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD [40.107.20.56]:12832
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection established from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: 554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.20.56; from=<legitimate.u...@example.com> to=<our.u...@noa.gr> proto=ESMTP helo=<EUR05-DB8-obe.outbound.protection.outlook.com>
>
> and this causes legitimate mail to be discarded (actual mail addresses
> modified above).
>
> My question in this case: If I understand right, it seems that
> postscreen allows the client connection even though it is listed
> because it uses a cache which serves as a useful buffer; however the
> client is subsequently blocked by reject_rbl_client restrictions.

precisely.

> So, it seems I should entirely remove the reject_rbl_client filters
> (from smtpd_recipient_restrictions) as they are already listed with
> postscreen.

If you use postscreen, remove reject_rbl_client from *_restrictions.
reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are fine to
stay since they use something postscreen does not.

> It appears to me that using rbl services both with postscreen and
> smtpd_recipient_restrictions is actually pointless

yes.

> and causes double lookups which in the end make things worse.

they will most likely be cached so this should not happen.
It's still pointless however.

> Postscreen is sufficient
> and better in filtering with rbl services. Am I right?

yes.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
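
The difference discussed in this message, as an added example that is not part of the original thread: it parses the quoted postscreen_dnsbl_sites list, scores the two DNSBL replies from the quoted dnsblog log lines the way postscreen weighs them, and compares that with the unweighted reject_rbl_client check. The threshold of 1 is an assumption (the Postfix default for postscreen_dnsbl_threshold; the thread does not show the poster's value), and the function names are hypothetical.

```python
import re

# Site list copied from the postscreen_dnsbl_sites setting quoted in the thread.
SITES = """zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2
bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4"""
# Constructed from the two dnsblog log lines quoted for 40.107.20.56.
REPLIES = {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.3.0"]}
RBL_CLIENT = ["b.barracudacentral.org", "zen.spamhaus.org", "psbl.surriel.com", "bl.spamcop.net"]
THRESHOLD = 1  # assumption: default postscreen_dnsbl_threshold, not shown in the thread
ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filt>[^*]+))?(?:\*(?P<weight>-?\d+))?$")

def parse_sites(text):
    """Split 'domain[=filter][*weight]' entries; the weight defaults to 1."""
    out = []
    for item in re.split(r"[\s,]+", text.strip()):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"bad entry: {item!r}")
        out.append((m["domain"], m["filt"], int(m["weight"] or 1)))
    return out

def octet_ok(pattern, octet):
    """Match one octet against '3' or a bracket set such as '[0..255]' or '[2;4..6]'."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(filt, addr):
    """An entry without a filter counts any reply as a listing."""
    if filt is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octs = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(octet_ok(p, o) for p, o in zip(pats, octs))

def postscreen_score(sites, replies):
    """Sum the weights; an entry counts at most once even with several replies."""
    return sum(w for d, f, w in sites
               if any(reply_matches(f, a) for a in replies.get(d, [])))

def smtpd_rejects(rbl_domains, replies):
    """reject_rbl_client is unweighted: a listing on any named zone rejects."""
    return [d for d in rbl_domains if replies.get(d)]
```

With the constructed replies, the spamcop listing (+1) is outweighed by the dnswl match (-2), so the postscreen score stays below the threshold, while the smtpd check still rejects on bl.spamcop.net alone.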