Hello,
Our postfix v3.8.3 mail gateway server (for incoming mail) filters
clients using postscreen as follows:
postscreen_dnsbl_sites =
zen.spamhaus.org*3
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
and:
smtpd_recipient_restrictions =
...
reject_rbl_client b.barracudacentral.org
reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com
reject_rbl_client bl.spamcop.net
reject_rhsbl_client dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_helo dbl.spamhaus.org
permit
It seems that the blacklisting services sometimes block some of
microsoft/outlook servers. Example:
Jan 08 10:02:17 mailgw1 postfix/postscreen[925211]: CONNECT from
[40.107.20.56]:12832 to [83.212.5.27]:25
Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56
listed by domain bl.spamcop.net as 127.0.0.2
Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56
listed by domain list.dnswl.org as 127.0.3.0
Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD
[40.107.20.56]:12832
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from
mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection
established from
mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT
from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]:
554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using
bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.20.56;
from=<legitimate.u...@example.com> to=<our.u...@noa.gr> proto=ESMTP
helo=<EUR05-DB8-obe.outbound.protection.outlook.com>
and this causes legitimate mail to be discarded (actual mail addresses
modified above).
My question in this case: If I understand right, it seems that
postscreen allows the client connection even though it is listed because
it uses a cache which serves as a useful buffer; however the client is
subsequently blocked by reject_rbl_client restrictions.
So, it seems I should I entirely remove the reject_rbl_client filters
(from smtpd_recipient_restrictions) as they are already listed with
postscreen.
It appears to me that using rbl services both with postscreen and
smtpd_recipient_restrictions is actually pointless and causes double
lookups which in the end make things worse. Postscreen is sufficient and
better in filtering with rbl services. Am I right?
Thanks a lot,
Nick
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org