> On Nov 23, 2022, at 4:49 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
> On 23.11.22 01:58, Doug Hardie wrote:
>> I originally had incoming_smtpd_restrictions set to:
>>
>> reject_unverified_recipient
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client dnsbl.sorbs.net,
>> reject_rbl_client zen.spamhaus.org,
>> permit
>>
>> Later I added postscreen and commented out the reject_rbl_... entries. I
>> included in main.cf:
>>
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_sites = bl.spamcop.net zen.spamhaus.org=127.0.0.[2..11]
>> b.barracudacentral.org
>
>> This works as expected. However, I believe that postscreen is processed
>> prior to smtpd. I am experiencing a lot of emails that are being sent to
>> non-existent users. I don't have accurate counts, but the vast majority of
>> email is that. Postscreen is doing a DNS lookup for every one of those. It
>> seems it might be better to remove the dnsrbl from postscreen and reinstate
>> the reject_rbl statements into incoming_smtpd_restrictions. I believe that
>> way, only the mail that has a valid recipient will have the dns rbls
>> checked. Am I understanding this correctly? Thanks,
>
> If you want to spare yourself from DNS lookups, you can do that.
>
> Note that you may be careful and not to reject mail unless it appears in more
> than one DNSBL, or if it appears in e.g. DNSWL, in which case postcreen is
> better.
>
> Also, postscreen is great at rejecting bots that talk prior to ESMTP banner
> is sent to them.
>
> so I personally risk a few DNS lookups but benefit of weighing DNSBLs and use
> lookups at postscreen level.
>
I am trying with the postscreen dns lookup disabled. Here is the main.cf
section:
# postscreen spam filtering
postscreen_greet_action = enforce
#postscreen_dnsbl_action = enforce
#postscreen_dnsbl_sites = bl.spamcop.net zen.spamhaus.org=127.0.0.[2..11] b.barr
acudacentral.org
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/access.cidr
#
# Use long queue ids for uniqueness
enable_long_queue_ids = yes
#
# Incoming restrictions and Implement postfwd
incoming_smtpd_restrictions =
check_policy_service inet:127.0.0.1:10040,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
check_recipient_access hash:/usr/local/etc/postfix/tempfail,
reject_unauth_destination,
reject_unverified_recipient
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
permit
#
Here is main.cf for smtpd:
smtpd pass - - n - 50 smtpd
-o smtpd_recipient_restrictions=$incoming_smtpd_restrictions
However, I seem to be doing the dns for all received emails. I see the log
message for user User unknown in virtual alias table, and dns requests with
that same timestamp for spamcop, barracudacentral and spamhaus. I am
suspecting I am missing a reject statement that will reject the email when the
user is not in the virtual alias table that needs to be before the rbl rejects.
I thought that reject_unverified_recipient would do that, but apparently not.'
-- Doug
