Re: postscreen = undesired greylisting ???
2012/2/11 Stan Hoeppner s...@hardwarefreak.com:
> On 2/10/2012 12:44 PM, Chris wrote:
>> 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
>>> The deep inspection and postscreen isn't enabled as well (I think)
>>
>> You mean the deep protocol tests?
>> Can I disable these deep protocol tests in postscreen?
>
> I find it interesting that you ignored Wietse's response, posted 10 minutes before your reply to Ralf here, in which Wietse told you the deep protocol tests are disabled by default. You replied to the list (Ralf) 3 times after Wietse's post, which clearly demonstrates you simply ignored it.
>
> Maybe you simply don't know who Wietse is? Hard to believe but I guess that's possible. Have you ever visited http://www.postfix.org ? Right on the home page you'll find:
>
> What is Postfix? It is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program.
>
> Ever read a Postfix man page? Every one contains:
>
> AUTHOR(S)
>     Wietse Venema
>     IBM T.J. Watson Research
>     P.O. Box 704
>     Yorktown Heights, NY 10598, US
>
> You may want to pay attention when Wietse replies to you in the future.

Hello,

I'm so sorry. I didn't know that :)
And yes.. I've read the postfix man page ... but I did not notice that.

--
Chris
postscreen = undesired greylisting ???
Hello Postfix Users :)

I noticed:
http://www.postfix.org/POSTSCREEN_README.html#after_220

When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.

This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function?

In my point of view this is not RFC compliant. Greylisting delays mail traffic.

If I have five incoming mx records running postfix with postscreen... and each time the sender receives a 4xx error ... This is unacceptable.

Otherwise, I think postscreen has some nice features and I would like to use it.

--
Chris
Re: postscreen = undesired greylisting ???
On Fri, Feb 10, 2012 at 07:11:50PM +0100, Chris wrote:
> I noticed:
> http://www.postfix.org/POSTSCREEN_README.html#after_220
>
> When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.
>
> This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function?

Read a bit more. It IS disabled unless you specifically enable it.

IME it is not quite as annoying as real greylisting, when a lower priority MX is bound on the same host (see MX Policy Test, a Postfix 2.9 feature.) Some clients will immediately try the lower priority MX, and be accepted.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
> * Chris xchris...@googlemail.com:
>> Hello Postfix Users :)
>>
>> I noticed:
>> http://www.postfix.org/POSTSCREEN_README.html#after_220
>>
>> When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.
>>
>> This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function?
>>
>> In my point of view this is not RFC compliant. Greylisting delays mail traffic.
>
> Technically not possible.
>
>> If I have five incoming mx records running postfix with postscreen... and each time the sender receives a 4xx error ... This is unacceptable.
>
> If you let the MX share one memcache instance, the second MX to receive a connection will immediately accept it. Works like a charm here.

Okay, I see. That would be a solution. How did you realize that?

--
Chris
Re: postscreen = undesired greylisting ???
* Chris xchris...@googlemail.com:
>> If you let the MX share one memcache instance, the second MX to receive a connection will immediately accept it. Works like a charm here.
>
> Okay, I see. That would be a solution. How did you realize that?

On both my boxes I'm using:

    postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen_cache.cf

containing:

    memcache = inet:mail.charite.de:11211
    # Non-shared postscreen cache.
    backup = proxy:btree:/var/lib/postfix/postscreen_cache

and on mail.charite.de I'm starting memcached like this:

    /usr/bin/memcached -m 64 -p 11211 -u nobody -l 141.42.202.200

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen = undesired greylisting ???
Chris:
> Hello Postfix Users :)
>
> I noticed:
> http://www.postfix.org/POSTSCREEN_README.html#after_220
>
> When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.
>
> This is greylisting...and i hate greylisting... Is it possible to

This is NOT ENABLED by default!

Wietse
Re: postscreen = undesired greylisting ???
2012/2/10 /dev/rob0 r...@gmx.co.uk:
> On Fri, Feb 10, 2012 at 07:11:50PM +0100, Chris wrote:
>> I noticed:
>> http://www.postfix.org/POSTSCREEN_README.html#after_220
>>
>> When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.
>>
>> This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function?
>
> Read a bit more. It IS disabled unless you specifically enable it.

Postscreen? Or what do you mean?

> IME it is not quite as annoying as real greylisting, when a lower priority MX is bound on the same host (see MX Policy Test, a Postfix 2.9 feature.) Some clients will immediately try the lower priority MX, and be accepted.

You mean 2 MX records for each host? That does not solve the problem, if you have multiple inbound mx servers. Then doubled the number of MX records. But the problem remains the same.

--
Chris
Re: postscreen = undesired greylisting ???
* Chris xchris...@googlemail.com:
>> Read a bit more. It IS disabled unless you specifically enable it.
>
> Postscreen? Or what do you mean?

The deep inspection and postscreen isn't enabled as well (I think)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
> * Chris xchris...@googlemail.com:
>>> If you let the MX share one memcache instance, the second MX to receive a connection will immediately accept it. Works like a charm here.
>>
>> Okay, I see. That would be a solution. How did you realize that?
>
> On both my boxes I'm using:
>
>     postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen_cache.cf
>
> containing:
>
>     memcache = inet:mail.charite.de:11211
>     # Non-shared postscreen cache.
>     backup = proxy:btree:/var/lib/postfix/postscreen_cache
>
> and on mail.charite.de I'm starting memcached like this:
>
>     /usr/bin/memcached -m 64 -p 11211 -u nobody -l 141.42.202.200

Ralf, that would be an acceptable solution for me. Thank you for that.

--
Chris
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
> * Chris xchris...@googlemail.com:
>>> Read a bit more. It IS disabled unless you specifically enable it.
>>
>> Postscreen? Or what do you mean?
>
> The deep inspection and postscreen isn't enabled as well (I think)

You mean the deep protocol tests?
Can I disable these deep protocol tests in postscreen?

--
Chris
Re: postscreen = undesired greylisting ???
* Chris xchris...@googlemail.com:
>> The deep inspection and postscreen isn't enabled as well (I think)
>
> You mean the deep protocol tests?

The stuff with the deep in it, yes

> Can I disable these deep protocol tests in postscreen?

By default they're not enabled :) according to http://www.postfix.org/POSTSCREEN_README.html#after_220 which you already quoted.

They are being enabled like this:

* Command pipelining test
  postscreen_pipelining_enable = yes

* Non-SMTP command test
  postscreen_non_smtp_command_enable = yes

* Bare newline test
  postscreen_bare_newline_enable = yes

The defaults are:

    mail:~# postconf -d|egrep postscreen_.*_enable
    postscreen_bare_newline_enable = no
    postscreen_non_smtp_command_enable = no
    postscreen_pipelining_enable = no

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: postscreen = undesired greylisting ???
Chris:
> 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
>> * Chris xchris...@googlemail.com:
>>>> Read a bit more. It IS disabled unless you specifically enable it.
>>>
>>> Postscreen? Or what do you mean?
>>
>> The deep inspection and postscreen isn't enabled as well (I think)
>
> You mean the deep protocol tests?
> Can I disable these deep protocol tests in postscreen?

Deep protocol checks are disabled by default.

Wietse
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
> * Chris xchris...@googlemail.com:
>>> The deep inspection and postscreen isn't enabled as well (I think)
>>
>> You mean the deep protocol tests?
>
> The stuff with the deep in it, yes
>
>> Can I disable these deep protocol tests in postscreen?
>
> By default they're not enabled :) according to http://www.postfix.org/POSTSCREEN_README.html#after_220 which you already quoted.
>
> They are being enabled like this:
>
> * Command pipelining test
>   postscreen_pipelining_enable = yes
>
> * Non-SMTP command test
>   postscreen_non_smtp_command_enable = yes
>
> * Bare newline test
>   postscreen_bare_newline_enable = yes
>
> The defaults are:
>
>     mail:~# postconf -d|egrep postscreen_.*_enable
>     postscreen_bare_newline_enable = no
>     postscreen_non_smtp_command_enable = no
>     postscreen_pipelining_enable = no

I've disabled these deep protocol tests now... Now everything should be okay.

    [root@mx04 ~]# postconf -n | grep postscreen
    postscreen_access_list = permit_mynetworks
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_sites = ix.dnsbl.manitu.net, zen.spamhaus.org, b.barracudacentral.org, list.dnswl.org*-2
    postscreen_dnsbl_threshold = 1
    postscreen_greet_action = drop

With this configuration, it should be no 4xx error for new IPs?

Thank you for your help.

--
Chris
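
Added example, not part of any post in the thread: a shell check for the question in the message above, listing which of the three deep protocol tests named by Ralf are enabled in `postconf -n` style output. The names `deep_tests_enabled` and `report` and the second sample configuration are constructed for illustration; the first sample is the configuration posted above.

```shell
#!/bin/sh
# Added example: list the postscreen "after 220" deep protocol tests that
# are enabled in postconf-style "name = value" text. Parameters that are
# absent count as "no", the default shown by `postconf -d` in the thread.

deep_tests_enabled() {
    # stdin: postconf output. stdout: one enabled test parameter per line.
    # Exit status 0 if at least one deep test is enabled, 1 if none are.
    awk -F= '
        {
            name = $1; value = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            setting[name] = tolower(value)
        }
        END {
            tests = "postscreen_bare_newline_enable"
            tests = tests " postscreen_non_smtp_command_enable"
            tests = tests " postscreen_pipelining_enable"
            n = split(tests, test, " ")
            found = 0
            for (i = 1; i <= n; i++)
                if (setting[test[i]] == "yes") { print test[i]; found = 1 }
            exit(found ? 0 : 1)
        }'
}

# Configuration posted in the message above (no deep tests set).
CHRIS_CONF='postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = ix.dnsbl.manitu.net, zen.spamhaus.org, b.barracudacentral.org, list.dnswl.org*-2
postscreen_dnsbl_threshold = 1
postscreen_greet_action = drop'

# Constructed sample: two of the three deep tests switched on.
DEEP_CONF='postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = no'

report() {
    # $1 = label, $2 = postconf-style text
    if enabled=$(printf '%s\n' "$2" | deep_tests_enabled); then
        printf '%s: new clients are deferred with 4XX; enabled tests:\n%s\n' "$1" "$enabled"
    else
        printf '%s: no deep protocol tests enabled\n' "$1"
    fi
}

report "posted config" "$CHRIS_CONF"
report "constructed config" "$DEEP_CONF"
```

On a live server the same function can be fed directly with `postconf -n | deep_tests_enabled`; settings overridden per service in master.cf do not appear in that output.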
Re: postscreen = undesired greylisting ???
2012/2/10 Wietse Venema wie...@porcupine.org:
> Chris:
>> 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
>>> * Chris xchris...@googlemail.com:
>>>>> Read a bit more. It IS disabled unless you specifically enable it.
>>>>
>>>> Postscreen? Or what do you mean?
>>>
>>> The deep inspection and postscreen isn't enabled as well (I think)
>>
>> You mean the deep protocol tests?
>> Can I disable these deep protocol tests in postscreen?
>
> Deep protocol checks are disabled by default.

Okay, in other words: By default postscreen is RFC compliant without greylisting? Then there was a configuration error on my part.

--
Chris
Re: postscreen = undesired greylisting ???
On 2/10/2012 12:44 PM, Chris wrote:
> 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de:
>> The deep inspection and postscreen isn't enabled as well (I think)
>
> You mean the deep protocol tests?
> Can I disable these deep protocol tests in postscreen?

I find it interesting that you ignored Wietse's response, posted 10 minutes before your reply to Ralf here, in which Wietse told you the deep protocol tests are disabled by default. You replied to the list (Ralf) 3 times after Wietse's post, which clearly demonstrates you simply ignored it.

Maybe you simply don't know who Wietse is? Hard to believe but I guess that's possible. Have you ever visited http://www.postfix.org ? Right on the home page you'll find:

What is Postfix? It is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program.

Ever read a Postfix man page? Every one contains:

AUTHOR(S)
    Wietse Venema
    IBM T.J. Watson Research
    P.O. Box 704
    Yorktown Heights, NY 10598, US

You may want to pay attention when Wietse replies to you in the future.

--
Stan