Re: dnsbl postscreen - not blocking

2018-12-20 Thread @lbutlr
On 20 Dec 2018, at 06:46, Kai Schaetzl  wrote:
> Using Sorbs is dangerous, anyway, we abandoned it years ago. If you want 
> to use it then use it in the way it is intended for weighted RBLs. e.g. do 
> not use it as the sole source of blocking.

I keep paring down my list and am considering going to simply using zen only 
for blocking and dnswl for whitelisting. Something like

 zen.spamhaus.org=127.0.0.[4..11]*5
 zen.spamhaus.org=127.0.0.[2..3]*1
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5

And a threshold of 3.

None of the others seem to be particularly effective.


-- 
Truth is seen through keyholes



Re: dnsbl postscreen - not blocking

2018-12-20 Thread Kai Schaetzl
Stefan Bauer wrote on Wed, 19 Dec 2018 21:10:10 +0100:

> the threshold is at default, so 1.

This may not be part of your problem, but using a threshold of 1 and then 
using this weighting scheme is nonsense:

postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1 dnsbl.sorbs.net*1

Using Sorbs is dangerous, anyway, we abandoned it years ago. If you want 
to use it then use it in the way it is intended for weighted RBLs. e.g. do 
not use it as the sole source of blocking.

> but the dns timeout, Wietse mentioned, might be the real cause.

Check if Sorbs is always taking very long compared to others. Then the 
solution should be clear.

Kai
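
Added example, not part of either message and not Postfix code: a small model of how the weights and thresholds quoted in the two messages above combine into a block decision. It assumes each postscreen_dnsbl_sites entry contributes its weight once when any returned A record matches its filter; the reply addresses in the usage are constructed.

```python
import re

def parse_sites(spec):
    """Parse entries of the form domain[=filter][*weight] (weight defaults to 1)."""
    sites = []
    for entry in spec.replace(",", " ").split():
        m = re.fullmatch(r"([^=*\s]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
        if not m:
            raise ValueError(f"cannot parse entry: {entry!r}")
        domain, filt, weight = m.groups()
        sites.append((domain, filt, int(weight) if weight else 1))
    return sites

def octet_ok(pattern, octet):
    """Match one octet against 'N', '[a..b]' or '[a;b;c..d]'."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def filter_ok(filt, addr):
    """True if the A record matches the entry's reply filter (no filter = any)."""
    if filt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in addr.split(".")]
    return len(patterns) == 4 and all(map(octet_ok, patterns, octets))

def score(sites, replies):
    """Sum the weight of every entry matched by at least one returned A record."""
    return sum(w for dom, filt, w in sites
               if any(filter_ok(filt, a) for a in replies.get(dom, [])))

def blocked(sites, replies, threshold):
    """A client is blocked when its score reaches the threshold."""
    return score(sites, replies) >= threshold

# Configurations quoted in the thread.
STEFAN = parse_sites("zen.spamhaus.org*2 bl.spamcop.net*1 "
                     "b.barracudacentral.org*1 dnsbl.sorbs.net*1")
LBUTLR = parse_sites("""
    zen.spamhaus.org=127.0.0.[4..11]*5  zen.spamhaus.org=127.0.0.[2..3]*1
    list.dnswl.org=127.0.[0..255].0*-2  list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4  list.dnswl.org=127.0.[0..255].3*-5
""")
```

With the first configuration and a threshold of 1, a single Sorbs listing already reaches the threshold, so the weight of 2 on zen changes nothing; with the second configuration and a threshold of 3, a dnswl reply can pull a zen hit back below the threshold.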




Re: dnsbl postscreen - not blocking

2018-12-19 Thread Wietse Venema
Stefan Bauer:
> the threshold is at default, so 1.
> 
> but the dns timeout, Wietse mentioned, might be the real cause. gonna check
> manuals, if this is configurable.

postscreen will wait for DNS lookup results until the postscreen_greet_wait
timer expires.

postscreen_greet_wait = ${stress?{2}:{6}}s

I don't think that making this larger is a good idea.

Wietse


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Stefan Bauer
the threshold is at default, so 1.

but the dns timeout, Wietse mentioned, might be the real cause. gonna check
manuals, if this is configurable.

Thank you.

On Wednesday, 19 December 2018, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Wed, Dec 19, 2018 at 02:00:34PM +0100, Stefan Bauer wrote:
>
>> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
>> [209.85.166.196]:52168 to [public-ip]:25
>> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
>> domain dnsbl.sorbs.net as 127.0.0.6
>> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
>> [209.85.166.196]:52168
>> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
>> mail-it1-f196.google.com[209.85.166.196]
>>
>> why did google pass postscreen even though it's listed in one of the RBL?
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
>> b.barracudacentral.org*1 dnsbl.sorbs.net*1
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>>
>> Am I missing something obvious?
>
> What is the minimum weight you require for an RBL block?  The sorbs
> RBL has weight 1, perhaps you require 2 or more.
>
> http://www.postfix.org/postconf.5.html#postscreen_dnsbl_threshold
>
> You've not posted your complete "postconf -n" output, so it is all
> conjectural.
>
> --
> Viktor.
>


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Viktor Dukhovni
On Wed, Dec 19, 2018 at 02:00:34PM +0100, Stefan Bauer wrote:

> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> [209.85.166.196]:52168 to [public-ip]:25
> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> domain dnsbl.sorbs.net as 127.0.0.6
> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> [209.85.166.196]:52168
> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> mail-it1-f196.google.com[209.85.166.196]
> 
> why did google pass postscreen even though it's listed in one of the RBL?
> 
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1 dnsbl.sorbs.net*1
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> 
> Am I missing something obvious?

What is the minimum weight you require for an RBL block?  The sorbs
RBL has weight 1, perhaps you require 2 or more.

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_threshold

You've not posted your complete "postconf -n" output, so it is all
conjectural.

-- 
Viktor.


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Viktor Dukhovni
On Wed, Dec 19, 2018 at 02:58:00PM +, Dominic Raferd wrote:

> This might help OP identify any non-default postscreen settings (kudos:
> Viktor) -
> 
> LC_ALL=C join --check-order <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')|grep ^postscreen_

Thanks, but may be worth noting that "--check-order" (which I did
not suggest) is a non-portable Linux-specific feature.  Leaving it
out is more portable.

-- 
Viktor.


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Wietse Venema
Stefan Bauer:
> Hi,
> 
> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> [209.85.166.196]:52168 to [public-ip]:25
> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> domain dnsbl.sorbs.net as 127.0.0.6

It took 6s for dnsblog to figure out that the client is listed.

Unfortunately the result came too late to have an effect on postscreen,
because postscreen will normally wait only 6s for DNS replies, so
it had already decided to let the client pass (under overload it will
wait only 2s).

I suppose it is OK that postscreen will not wait forever for DNS results...

Wietse

> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> [209.85.166.196]:52168
> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> mail-it1-f196.google.com[209.85.166.196]
> 
> why did google pass postscreen even though it's listed in one of the RBL?
> 
> 
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1 dnsbl.sorbs.net*1
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> 
> Am I missing something obvious?
> 
> Stefan
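
Added example, not part of the thread and not Postfix code: a log check for the situation described in this message and in the earlier note on postscreen_greet_wait, flagging dnsblog results that arrive at or after the wait timer measured from the client's CONNECT line. The first three log lines are the ones quoted in the thread (unwrapped); the last two, using 192.0.2.10, are constructed for contrast.

```python
import re
from datetime import datetime

GREET_WAIT = 6  # seconds under normal load, as stated in the thread (2 under stress)

LOG = """\
Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from [209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:05:10 mx1 postfix/postscreen[4770]: CONNECT from [192.0.2.10]:40022 to [public-ip]:25
Dec 19 13:05:11 mx1 postfix/dnsblog[4775]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
"""

STAMP = r"(\w{3} +\d+ [\d:]{8}) \S+ postfix/"
CONNECT = re.compile(STAMP + r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]")
LISTED = re.compile(STAMP + r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")

def ts(stamp, year=2018):
    """Syslog stamps carry no year; 2018 is assumed from the thread date."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def late_dnsbl_replies(log, greet_wait=GREET_WAIT):
    """Return (client, dnsbl, reply, delay_s) for results that came too late.

    Timestamps have one-second resolution, so a delay equal to greet_wait
    is treated as late. Only the most recent CONNECT per client address is
    tracked, which is a simplification for busy servers.
    """
    connects, late = {}, []
    for line in log.splitlines():
        if m := CONNECT.match(line):
            connects[m.group(2)] = ts(m.group(1))
        elif m := LISTED.match(line):
            when, addr, domain, code = m.groups()
            if addr in connects:
                delay = int((ts(when) - connects[addr]).total_seconds())
                if delay >= greet_wait:
                    late.append((addr, domain, code, delay))
    return late

if __name__ == "__main__":
    for addr, domain, code, delay in late_dnsbl_replies(LOG):
        print(f"{addr}: {domain} answered {code} after {delay}s (too late)")
```

Running the same check per DNSBL over a day of logs shows whether one list is consistently the slow one.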


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Dominic Raferd
On Wed, 19 Dec 2018 at 14:51, Matus UHLAR - fantomas 
wrote:

> On 19.12.18 14:00, Stefan Bauer wrote:
> >Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> >[209.85.166.196]:52168 to [public-ip]:25
> >Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> >domain dnsbl.sorbs.net as 127.0.0.6
> >Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> >[209.85.166.196]:52168
> >Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> >mail-it1-f196.google.com[209.85.166.196]
> >
> >why did google pass postscreen even though it's listed in one of the RBL?
> >
> >
> >postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> >b.barracudacentral.org*1 dnsbl.sorbs.net*1
> >postscreen_blacklist_action = drop
> >postscreen_dnsbl_action = enforce
> >
> >Am I missing something obvious?
>
> on some systems I have implemented postscreen with especially to avoid
> refusing
> mail just because of a single dnsbl listing.
>
> on some systems the google ranges are whitelisted.
>

This might help OP identify any non-default postscreen settings (kudos:
Viktor) -

LC_ALL=C join --check-order <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')|grep ^postscreen_


Re: dnsbl postscreen - not blocking

2018-12-19 Thread Matus UHLAR - fantomas

On 19.12.18 14:00, Stefan Bauer wrote:

> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> [209.85.166.196]:52168 to [public-ip]:25
> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> domain dnsbl.sorbs.net as 127.0.0.6
> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> [209.85.166.196]:52168
> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> mail-it1-f196.google.com[209.85.166.196]
>
> why did google pass postscreen even though it's listed in one of the RBL?
>
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1 dnsbl.sorbs.net*1
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
>
> Am I missing something obvious?


on some systems I have implemented postscreen with especially to avoid refusing
mail just because of a single dnsbl listing.

on some systems the google ranges are whitelisted.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


RE: dnsbl postscreen - not blocking

2018-12-19 Thread Fazzina, Angelo
Hi, I don’t know the answer to your question but from this site
http://www.sorbs.net/using.shtml
it looks like the IP 209.85.166.196 seems to have tripped one of these :


new.spam.dnsbl.sorbs.net       127.0.0.6
recent.spam.dnsbl.sorbs.net    127.0.0.6
old.spam.dnsbl.sorbs.net       127.0.0.6
spam.dnsbl.sorbs.net           127.0.0.6
escalations.dnsbl.sorbs.net    127.0.0.6


Maybe going down that rabbit hole will get you some answers ?
Good Luck.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Stefan Bauer
Sent: Wednesday, December 19, 2018 8:01 AM
To: Postfix users 
Subject: dnsbl postscreen - not blocking

Hi,

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from 
[209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain 
dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from 
mail-it1-f196.google.com[209.85.166.196]

why did google pass postscreen even though it's listed in one of the RBL?


postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1 dnsbl.sorbs.net*1
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am I missing something obvious?

Stefan



RE: dnsbl postscreen - not blocking

2018-12-19 Thread L . P . H . van Belle
Hai, 

recent.spam.dnsbl.sorbs.net = 127.0.0.6 
and you gave it 1 point. 

What's the postscreen_dnsbl_threshold set at? 
I'll bet that's set higher than 1.


Greetz, 

Louis




From: cubew...@googlemail.com [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Stefan Bauer
Sent: Wednesday, 19 December 2018 14:01
To: Postfix users
Subject: dnsbl postscreen - not blocking


Hi, 

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from 
[209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed 
by domain dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW 
[209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from 
mail-it1-f196.google.com[209.85.166.196]

why did google pass postscreen even though it's listed in one of the RBL?


postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 
b.barracudacentral.org*1 dnsbl.sorbs.net*1
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am I missing something obvious?

Stefan