Re: Using postscreen_dnsbl_reply_map
Hi,

On Fri, Oct 23, 2015 at 6:31 PM, Viktor Dukhovni wrote:
> On Fri, Oct 23, 2015 at 03:45:25PM -0400, Alex wrote:
>
>> I see for the postconf(5) entry for reject_rhsbl_client is:
>>
>> reject_rhsbl_client rbl_domain=d.d.d.d
>
> That "=d.d.d.d" is your choice of optional filter on the RBL's
> reply.
>
>> In my smtpd_recipient_restrictions I'm doing the following:
>>
>> reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>> reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>> reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>>
>> without the "d.d.d.d".
>
> You're not specifying an optional filter. Therefore, your lookup
> keys are just the RBL domains with no "=d.d.d.d".
>
>> Does the "d.d.d.d" represent the A record of the response code from
>> the DBL? Or the A record of the IP of which we are checking?
>
> Neither.
>
>> I don't understand how to map the restricts to their entry in the
>> rbl_reply_maps file.
>
> Copy the verbatim in "reject_...bl_... " as the
> lookup key.

Thanks so much for your help. I know I did this, and was surprised
when it didn't work. I think it was just one of those times I somehow
forgot to run postmap, but it is working properly now.

Thanks again,
Alex
Re: Using postscreen_dnsbl_reply_map
On Fri, Oct 23, 2015 at 03:45:25PM -0400, Alex wrote:

> I see for the postconf(5) entry for reject_rhsbl_client is:
>
> reject_rhsbl_client rbl_domain=d.d.d.d

That "=d.d.d.d" is your choice of optional filter on the RBL's
reply.

> In my smtpd_recipient_restrictions I'm doing the following:
>
> reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
> reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
> reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>
> without the "d.d.d.d".

You're not specifying an optional filter. Therefore, your lookup
keys are just the RBL domains with no "=d.d.d.d".

> Does the "d.d.d.d" represent the A record of the response code from
> the DBL? Or the A record of the IP of which we are checking?

Neither.

> I don't understand how to map the restricts to their entry in the
> rbl_reply_maps file.

Copy the verbatim in "reject_...bl_... " as the
lookup key.

--
Viktor.
Re: Using postscreen_dnsbl_reply_map
Hi,

On Thu, Oct 22, 2015 at 3:56 PM, Alex wrote:
> Hi,
>
> On Thu, Oct 22, 2015 at 12:45 AM, Viktor Dukhovni wrote:
>> On Wed, Oct 21, 2015 at 07:59:29PM -0400, Alex wrote:
>>
>>> Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
>>> from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
>>> Unverified Client host [bx1.c4xf.com] blocked using
>>> mykey.dbl.dq.spamhaus.net;
>>> http://www.spamhaus.org/query/dbl?domain=c4xf.com;
>>> from= to= proto=ESMTP
>>> helo=
>>
>> This was blocked by smtpd(8) NOT postscreen. Perhaps surprisingly,
>> The smtpd(8) service has a different mechanism for obfuscating the
>> DNSBL service name.
>>
>> http://www.postfix.org/postconf.5.html#rbl_reply_maps

I think I figured out what I'm doing wrong but I don't know how to fix it.

I see for the postconf(5) entry for reject_rhsbl_client is:

reject_rhsbl_client rbl_domain=d.d.d.d

In my smtpd_recipient_restrictions I'm doing the following:

reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
reject_rhsbl_helo mykey.dbl.dq.spamhaus.net

without the "d.d.d.d".

Does the "d.d.d.d" represent the A record of the response code from
the DBL? Or the A record of the IP of which we are checking?

I don't understand how to map the restricts to their entry in the
rbl_reply_maps file.

Do I need to change how the restrictions are listed?

Thanks,
Alex
Re: Using postscreen_dnsbl_reply_map
On Thu, Oct 22, 2015 at 03:56:30PM -0400, Alex wrote:

> >> Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
> >> from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
> >> Unverified Client host [bx1.c4xf.com] blocked using
> >> mykey.dbl.dq.spamhaus.net;
> >> http://www.spamhaus.org/query/dbl?domain=c4xf.com;
> >> from= to= proto=ESMTP
> >> helo=
> >
> > This was blocked by smtpd(8) NOT postscreen. Perhaps surprisingly,
> > The smtpd(8) service has a different mechanism for obfuscating the
> > DNSBL service name.
> >
> > http://www.postfix.org/postconf.5.html#rbl_reply_maps
>
> Okay, I think I'm still a little confused. The above is from the DBL.
> Do I need to create an entry in the rbl_reply_maps file for every
> possible DBL return code?

No, only the "rblzone=addr" forms you use in your configuration
file. If you treat all replies alike, by not using the optional
"=addr" suffix, then the lookup key is just the base RBL domain.

--
Viktor.
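The key-matching rule from Viktor's replies (the rbl_reply_maps lookup key is the verbatim argument of each reject_rbl_*/reject_rhsbl_* restriction, with "=d.d.d.d" only when the restriction itself uses it), as an added example that is not part of the original thread: a small Python check that reports restriction arguments with no matching map entry. The helper names, the reject_rbl_client line and the sample table are constructed for illustration.

```python
import re

# smtpd(8) restrictions whose argument is an RBL/RHSBL domain, optionally "domain=d.d.d.d".
RBL_RESTRICTIONS = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_reverse_client",
    "reject_rhsbl_sender", "reject_rhsbl_helo", "reject_rhsbl_recipient",
}

def restriction_keys(restrictions):
    """Lookup keys implied by a restriction list: the verbatim argument of each RBL restriction."""
    tokens = [t for t in re.split(r"[,\s]+", restrictions) if t]
    return {arg for name, arg in zip(tokens, tokens[1:]) if name in RBL_RESTRICTIONS}

def map_keys(table):
    """Keys of a Postfix table source file: first word of each logical line."""
    keys = set()
    for line in table.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue  # blank line, comment, or continuation of the previous entry
        keys.add(line.split(None, 1)[0])
    return keys

def audit(restrictions, table):
    """Return keys the restrictions need but the map lacks, and map keys nothing uses."""
    wanted, present = restriction_keys(restrictions), map_keys(table)
    return {"missing": wanted - present, "unused": present - wanted}

# Constructed sample: the three DBL restrictions quoted in the thread plus an
# assumed reject_rbl_client line for the zen zone, none with an "=d.d.d.d" filter.
RESTRICTIONS = """
    reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
    reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
    reject_rbl_client mykey.zen.dq.spamhaus.net
"""

# Constructed rbl_reply_maps source keyed with a reply filter that no restriction uses.
TABLE = """\
# constructed sample
mykey.zen.dq.spamhaus.net=127.0.0.11 554 5.7.1 Service unavailable;
    $rbl_class [$rbl_what] blocked using zen.spamhaus.net${rbl_reason?; $rbl_reason}
"""

if __name__ == "__main__":
    result = audit(RESTRICTIONS, TABLE)
    print("no reply template for:", sorted(result["missing"]))
    print("map keys never looked up:", sorted(result["unused"]))
```

Keys reported as missing fall back to the default reply, which names the DNSBL domain in the rejection text.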
Re: Using postscreen_dnsbl_reply_map
Hi,

On Thu, Oct 22, 2015 at 12:45 AM, Viktor Dukhovni wrote:
> On Wed, Oct 21, 2015 at 07:59:29PM -0400, Alex wrote:
>
>> Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
>> from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
>> Unverified Client host [bx1.c4xf.com] blocked using
>> mykey.dbl.dq.spamhaus.net;
>> http://www.spamhaus.org/query/dbl?domain=c4xf.com;
>> from= to= proto=ESMTP
>> helo=
>
> This was blocked by smtpd(8) NOT postscreen. Perhaps surprisingly,
> The smtpd(8) service has a different mechanism for obfuscating the
> DNSBL service name.
>
> http://www.postfix.org/postconf.5.html#rbl_reply_maps

Okay, I think I'm still a little confused. The above is from the DBL.
Do I need to create an entry in the rbl_reply_maps file for every
possible DBL return code?

I've done the following for zen:

mykey.zen.dq.spamhaus.net=127.0.0.10 521 4.7.1 Service unavailable; $rbl_class [$rbl_what] should not be delivering unauthenticated SMTP email (10)${rbl_reason?; $rbl_reason}
mykey.zen.dq.spamhaus.net=127.0.0.11 554 5.7.1 Service unavailable; $rbl_class [$rbl_what] blocked using zen.spamhaus.net ${rbl_reason?; $rbl_reason}

This seems to apply to most, but I don't understand how to extract the
corresponding error code from the log entry to the necessary
rbl_reply_maps file.
Re: Using postscreen_dnsbl_reply_map
Hi,

On Thu, Oct 22, 2015 at 12:45 AM, Viktor Dukhovni wrote:
> On Wed, Oct 21, 2015 at 07:59:29PM -0400, Alex wrote:
>
>> Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
>> from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
>> Unverified Client host [bx1.c4xf.com] blocked using
>> mykey.dbl.dq.spamhaus.net;
>> http://www.spamhaus.org/query/dbl?domain=c4xf.com;
>> from= to= proto=ESMTP
>> helo=
>
> This was blocked by smtpd(8) NOT postscreen. Perhaps surprisingly,
> The smtpd(8) service has a different mechanism for obfuscating the
> DNSBL service name.
>
> http://www.postfix.org/postconf.5.html#rbl_reply_maps

Thanks so much for catching this.

>> # cat /etc/postfix/postscreen_dnsbl_reply_map.pcre
>> mykey.dbl.dq.spamhaus.net multiple DNS-based blocklists
>> mykey.zen.dq.spamhaus.net zen.spamhaus.org
>
> Unwise (misleading) to use a ".pcre" suffix for a texthash table.

Ah yes, I failed to follow through with the change from when I was
previously using pcre, thanks.

Thanks also to L.P.H. van Belle for his ideas.
Re: Using postscreen_dnsbl_reply_map
On Wed, Oct 21, 2015 at 07:59:29PM -0400, Alex wrote:

> Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
> from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
> Unverified Client host [bx1.c4xf.com] blocked using
> mykey.dbl.dq.spamhaus.net;
> http://www.spamhaus.org/query/dbl?domain=c4xf.com;
> from= to= proto=ESMTP
> helo=

This was blocked by smtpd(8) NOT postscreen. Perhaps surprisingly,
The smtpd(8) service has a different mechanism for obfuscating the
DNSBL service name.

http://www.postfix.org/postconf.5.html#rbl_reply_maps

> # cat /etc/postfix/postscreen_dnsbl_reply_map.pcre
> mykey.dbl.dq.spamhaus.net multiple DNS-based blocklists
> mykey.zen.dq.spamhaus.net zen.spamhaus.org

Unwise (misleading) to use a ".pcre" suffix for a texthash table.

--
Viktor.
Re: Using postscreen_dnsbl_reply_map
Hi,

On Wed, Oct 21, 2015 at 7:26 PM, Benny Pedersen wrote:
> On October 22, 2015 12:39:52 AM Alex wrote:
>
>> http://rob0.nodns4.us/postscreen.html
>>
>> I'm unsure what else to do from here.
>
> http://www.postfix.org/POSTSCREEN_README.html
>
> point 7

Yes, that's exactly what I'm doing, and as outlined in the beginning
of this thread, it only works for seemingly some of the responses.
I've changed to using texthash, as per Wietse. For some, it still
prints:

Oct 21 19:56:10 mail01 postfix/smtpd[20778]: NOQUEUE: reject: RCPT
from bx1.c4xf.com[66.150.190.74]: 554 5.7.1 Service unavailable;
Unverified Client host [bx1.c4xf.com] blocked using
mykey.dbl.dq.spamhaus.net;
http://www.spamhaus.org/query/dbl?domain=c4xf.com;
from= to= proto=ESMTP
helo=

instead of printing "multiple DNS-based blocklists" or "zen.spamhaus.org"

# cat /etc/postfix/postscreen_dnsbl_reply_map.pcre
mykey.dbl.dq.spamhaus.net multiple DNS-based blocklists
mykey.zen.dq.spamhaus.net zen.spamhaus.org

postscreen_dnsbl_reply_map =
texthash:$config_directory/postscreen_dnsbl_reply_map.pcre
Re: Using postscreen_dnsbl_reply_map
On October 22, 2015 12:39:52 AM Alex wrote:

> http://rob0.nodns4.us/postscreen.html
>
> I'm unsure what else to do from here.

http://www.postfix.org/POSTSCREEN_README.html

point 7
Re: Using postscreen_dnsbl_reply_map
Hi,

On Wed, Oct 21, 2015 at 10:38 AM, L.P.H. van Belle wrote:
> I just point everything to http://multirbl.valli.org so they can see if they
> are listed on multiple rbl servers.

That's a great idea. How did you configure your system to do that?

> And imo that's better, then, mailing, getting rejected, by for example
> spamhaus. Going to that site, checking,
> removing. Mailing again, and now again blocked, other rbl server etc.

Absolutely.

Thanks,
Alex
Re: Using postscreen_dnsbl_reply_map
Hi,

On Wed, Oct 21, 2015 at 6:53 AM, Wietse Venema wrote:
> Alex:
>> Hi,
>>
>> I'd like to obscure the names of the DNSBLs that we use in response to
>> emails that are rejected. I've set up postscreen_dnsbl_reply_map and
>> it's working properly for most:
>>
>> Oct 20 21:41:36 mail02 postfix/postscreen[17651]: NOQUEUE: reject:
>> RCPT from [46.102.117.88]:43226: 550 5.7.1 Service unavailable; client
>> [46.102.117.88] blocked using multiple DNS-based blocklists;
>> from=, to=, proto=ESMTP,
>> helo=
>>
>> However, there are others where it doesn't seem to apply. Perhaps
>> because of the '554 5.7.1' response compared with the '550 5.7.1' from
>> above?
>>
>> Oct 20 21:38:07 mail02 postfix/smtpd[9200]: NOQUEUE: reject: RCPT from
>> 14-233-245-104-static.reverse.queryfoundry.net[104.245.233.14]: 554
>> 5.7.1 Service unavailable; Sender address [tr...@spaceinfi.com]
>> blocked using mykey.dbl.dq.spamhaus.net;
>> http://www.spamhaus.org/query/dbl?domain=spaceinfi.com;
>> from= to= proto=ESMTP
>> helo=
>>
>> postscreen_dnsbl_reply_map =
>> pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
>>
>> postscreen_dnsbl_reply_map.pcre:
>> !/^mykey\.dbl\.dq\.spamhaus\.net$/ multiple DNS-based blocklists
>
> Why in heaven's name are you using a PCRE map?

Would hash be more appropriate? I believe I got this configuration
from rob0's system some time ago, where he used pcre:

http://rob0.nodns4.us/postscreen.html

I'm unsure what else to do from here.

Thanks,
Alex
RE: Using postscreen_dnsbl_reply_map
I just point everything to http://multirbl.valli.org so they can see if they
are listed on multiple rbl servers.

And imo that's better, then, mailing, getting rejected, by for example
spamhaus. Going to that site, checking,
removing. Mailing again, and now again blocked, other rbl server etc.

So 1 point to 1 site, customers check there.

Greetz,

Louis

> -Original message-
> From: krem...@kreme.com [mailto:owner-postfix-us...@postfix.org] On behalf of
> @lbutlr
> Sent: Wednesday 21 October 2015 16:28
> To: Postfix users
> Subject: Re: Using postscreen_dnsbl_reply_map
>
> On Oct 20, 2015, at 7:44 PM, Alex wrote:
> > I'd like to obscure the names of the DNSBLs that we use in response to
> > emails that are rejected.
>
> Why would you do that? If someone hits your blocks and doesn’t know why
> they were blocked you may find yourself on blocklists yourself.
>
>
> --
> she [Esk] was already learning that if you ignore the rules people will,
> half the time, quietly rewrite them so they don't apply to you. --Equal
> Rites
Re: Using postscreen_dnsbl_reply_map
On Oct 20, 2015, at 7:44 PM, Alex wrote:
> I'd like to obscure the names of the DNSBLs that we use in response to
> emails that are rejected.

Why would you do that? If someone hits your blocks and doesn’t know why
they were blocked you may find yourself on blocklists yourself.

--
she [Esk] was already learning that if you ignore the rules people will,
half the time, quietly rewrite them so they don't apply to you. --Equal
Rites
Re: Using postscreen_dnsbl_reply_map
Alex:
> Hi,
>
> I'd like to obscure the names of the DNSBLs that we use in response to
> emails that are rejected. I've set up postscreen_dnsbl_reply_map and
> it's working properly for most:
>
> Oct 20 21:41:36 mail02 postfix/postscreen[17651]: NOQUEUE: reject:
> RCPT from [46.102.117.88]:43226: 550 5.7.1 Service unavailable; client
> [46.102.117.88] blocked using multiple DNS-based blocklists;
> from=, to=, proto=ESMTP,
> helo=
>
> However, there are others where it doesn't seem to apply. Perhaps
> because of the '554 5.7.1' response compared with the '550 5.7.1' from
> above?
>
> Oct 20 21:38:07 mail02 postfix/smtpd[9200]: NOQUEUE: reject: RCPT from
> 14-233-245-104-static.reverse.queryfoundry.net[104.245.233.14]: 554
> 5.7.1 Service unavailable; Sender address [tr...@spaceinfi.com]
> blocked using mykey.dbl.dq.spamhaus.net;
> http://www.spamhaus.org/query/dbl?domain=spaceinfi.com;
> from= to= proto=ESMTP
> helo=
>
> postscreen_dnsbl_reply_map =
> pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
>
> postscreen_dnsbl_reply_map.pcre:
> !/^mykey\.dbl\.dq\.spamhaus\.net$/ multiple DNS-based blocklists

Why in heaven's name are you using a PCRE map?

Wietse