Hi,

>> I haven't been able to find much available on the proper use for
>> smtpd_mumble_restrictions. It doesn't seem to be documented with
>> postscreen or the postconf page or even my postconf output.
>
> smtpd_mumble_restrictions is shorthand for "use any of
> smtpd_{client, helo, sender, recipient, data,
> end_of_data}_restrictions."

Okay, duh. Maybe it never occurred to me because I thought postscreen
was well before any of the smtpd restrictions.

> I'm curious what postscreen rules you're using that are rejecting
> mail from an ISP.  (I'm not familiar with the two you mention, and
> assume they aren't spammer-haven worthy of global blocking.)

Perhaps many of the rejects from users at those domains are really
just spoofed. Here's one reject actually from them, however:

Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client
[212.52.84.101] blocked using bl.spamcop.net;
from=<rossopompei...@libero.it>, to=<mi...@example.com>, proto=ESMTP,
helo=<outrelay01.libero.it>

My postscreen config contains:
postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
        bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1

I have a series of IPs in the postscreen_access.cidr file that need to
be permitted, and add to it after we learn mail is being rejected due
to the IP being blacklisted by one of the RBLs.

>> I also understand that organizations use separate IPs from those
>> listed in their MX records -- that was my point. I have no way of
>> knowing what those IPs are, except through trial and error, looking
>> through logs and correlating them with addresses, etc.
>
> Perhaps they publish SPF records, which were invented for this purpose.
> $  host -t txt libero.it
> libero.it descriptive text "v=spf1 ip4:212.52.84.101/32
> ip4:212.52.84.102/31 ip4:212.52.84.104/29 ip4:212.52.84.112/29
> ip4:212.52.84.192/32 ip4:212.52.84.43/32 include:blackberry.com ?all"

Ah, yes. That's still something like 20 IPs. I would assume none of
the blackberry.com IPs would ever be rejected by postscreen, so they
don't need to be added.

I can then just add the single email address to the whitelist_from_spf
in spamassassin.

For alice.it, they don't appear to publish an SPF record, but instead
some kind of google key?

alice.it.               19028   IN      TXT
"google-site-verification=fmPX0ewWZ5WfhZ80tP8h-cQb2p0L_KCixRm_UHyK-bw"

Dec 24 08:00:46 mail01 postfix/postscreen[24923]: NOQUEUE: reject:
RCPT from [82.57.200.119]:48396: 550 5.7.1 Service unavailable; client
[82.57.200.119] blocked using bl.spamcop.net; from=<u...@alice.it>,
to=<massimo.ari...@example.com>, proto=ESMTP, helo=<smtp303.alice.it>

We have several IPs from the alice.it domain that appear to be not
blacklisted, including 82.57.200.104.

Thanks,
Alex

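As an added example (not part of the original message), the libero.it SPF record quoted above can be turned into entries for postscreen_access.cidr instead of collecting the sending IPs by trial and error. The function names are hypothetical, the record is embedded as quoted in the thread, and include: targets are only reported, not resolved.

```python
import ipaddress

# SPF TXT record for libero.it as quoted in the thread, re-joined onto one line.
SPF_LIBERO = ("v=spf1 ip4:212.52.84.101/32 ip4:212.52.84.102/31 "
              "ip4:212.52.84.104/29 ip4:212.52.84.112/29 "
              "ip4:212.52.84.192/32 ip4:212.52.84.43/32 "
              "include:blackberry.com ?all")

def parse_spf_ip4(record):
    """Return (networks, includes) from an SPF v1 record.

    Only ip4 mechanisms with a pass qualifier ('+' or none) are collected;
    include: domains are returned separately because this sketch runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, includes = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "ip4" and qualifier == "+":
            # strict=False zeroes any host bits so the pattern is a clean network.
            networks.append(ipaddress.IPv4Network(value, strict=False))
        elif name.lower() == "include":
            includes.append(value)
    return networks, includes

def cidr_table_lines(networks, action="permit"):
    """Format networks as 'pattern<TAB>action' lines for a Postfix cidr: table."""
    merged = ipaddress.collapse_addresses(networks)  # dedupes, merges, sorts
    return [f"{net.with_prefixlen}\t{action}" for net in merged]

def covered(ip, networks):
    """True if the client IP from a reject log line falls inside any network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, incs = parse_spf_ip4(SPF_LIBERO)
    print("\n".join(cidr_table_lines(nets)))
    print("# addresses covered:", sum(n.num_addresses for n in nets))
    print("# include: domains not expanded:", ", ".join(incs))
    # Client IPs taken from the two reject log lines in the message.
    for ip in ("212.52.84.101", "82.57.200.119"):
        print(f"# {ip} covered by libero.it SPF: {covered(ip, nets)}")
```

The alice.it client from the second log line is not covered, since that domain's TXT record shown above carries no SPF data.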