
[Help] Postscreen lets zombies pass through

  • Marco
    Message 1 of 5 , Jul 30 2:44 AM
      Hello,

      I would like to ask for help with a problem with my postscreen.
      I have four MX servers using postscreen with one shared memcached server.

      Sometimes, a zombie already blocked by DNSBL receives a PASS NEW instead of a
      reject. I can't understand why; maybe there is something wrong in my
      configuration. Could you help me?

      Here is an example.

      Look at this:

      2012-07-26T14:26:35.049762+02:00 01as postfix/dnsblog[1109]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:35.096771+02:00 01as postfix/dnsblog[1112]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:35.271720+02:00 01as postfix/dnsblog[1111]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T16:05:10.807425+02:00 01as postfix/dnsblog[6435]: addr 84.15.191.254 listed by domain zen.dnsbl as 127.0.0.4
      2012-07-26T16:05:10.854882+02:00 01as postfix/dnsblog[6433]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T16:05:10.866129+02:00 01as postfix/dnsblog[6440]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2


      For a reason I can't determine, at 14:26:35 postscreen starts to "pass new" a zombie
      that has a DNSBL rank of 7:


      2012-07-26T14:26:30.587633+02:00 02as postfix/dnsblog[22895]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:30.588483+02:00 02as postfix/dnsblog[22903]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:32.681261+02:00 04as postfix/postscreen[27121]: CONNECT from [84.15.191.254]:46110 to [158.102.109.70]:25
      2012-07-26T14:26:32.682406+02:00 04as postfix/dnsblog[967]: addr 84.15.191.254 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
      2012-07-26T14:26:32.683251+02:00 04as postfix/dnsblog[969]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2
      2012-07-26T14:26:32.684259+02:00 04as postfix/dnsblog[965]: addr 84.15.191.254 listed by domain zen.dnsbl as 127.0.0.4
      2012-07-26T14:26:32.684635+02:00 04as postfix/dnsblog[969]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T14:26:32.685046+02:00 04as postfix/dnsblog[967]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:32.685602+02:00 04as postfix/dnsblog[966]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:34.965295+02:00 01as postfix/dnsblog[1127]: addr 84.15.191.254 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
      2012-07-26T14:26:35.025988+02:00 01as postfix/dnsblog[1122]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2
      2012-07-26T14:26:35.049762+02:00 01as postfix/dnsblog[1109]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:35.096771+02:00 01as postfix/dnsblog[1112]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:35.271720+02:00 01as postfix/dnsblog[1111]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T14:26:35.460592+02:00 01as postfix/postscreen[15252]: NOQUEUE: reject: RCPT from [84.15.191.254]:21751: 450 4.3.2 Service currently unavailable; from=<briskedi0@...>, to=<cafone.esposito@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:35.614905+02:00 01as postfix/postscreen[15252]: HANGUP after 0.59 from [84.15.191.254]:21751 in tests after SMTP handshake
      2012-07-26T14:26:35.614917+02:00 01as postfix/postscreen[15252]: PASS NEW [84.15.191.254]:21751
      2012-07-26T14:26:35.616633+02:00 01as postfix/postscreen[15252]: DISCONNECT [84.15.191.254]:21751
      2012-07-26T14:26:36.013039+02:00 02as postfix/postscreen[678]: DNSBL rank 7 for [84.15.191.254]:21516
      2012-07-26T14:26:36.456085+02:00 02as postfix/postscreen[678]: NOQUEUE: reject: RCPT from [84.15.191.254]:21516: 550 5.7.1 Service unavailable; client [84.15.191.254] blocked using dnsbl-1.uceprotect.net; from=<savoywk5@...>, to=<erminio.ottone@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:36.596920+02:00 02as postfix/postscreen[678]: HANGUP after 0.58 from [84.15.191.254]:21516 in tests after SMTP handshake
      2012-07-26T14:26:36.596932+02:00 02as postfix/postscreen[678]: DISCONNECT [84.15.191.254]:21516
      2012-07-26T14:26:38.033424+02:00 04as postfix/postscreen[27121]: DNSBL rank 7 for [84.15.191.254]:46110
      2012-07-26T14:26:38.449749+02:00 04as postfix/postscreen[27121]: NOQUEUE: reject: RCPT from [84.15.191.254]:46110: 550 5.7.1 Service unavailable; client [84.15.191.254] blocked using dnsbl.sorbs.net; from=<entrancesyo2@...>, to=<apollonio@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:38.609379+02:00 04as postfix/postscreen[27121]: HANGUP after 0.58 from [84.15.191.254]:46110 in tests after SMTP handshake
      2012-07-26T14:26:38.609390+02:00 04as postfix/postscreen[27121]: DISCONNECT [84.15.191.254]:46110
      2012-07-26T14:26:51.459052+02:00 03as postfix/postscreen[31870]: CONNECT from [84.15.191.254]:21836 to [158.102.109.69]:25
      2012-07-26T14:26:51.459249+02:00 03as postfix/postscreen[31870]: PASS OLD [84.15.191.254]:21836
      2012-07-26T14:26:51.641323+02:00 03as postfix/smtpd[16634]: connect from unknown[84.15.191.254]
      2012-07-26T14:26:51.972631+02:00 03as postfix/smtpd[16634]: ED6BA596F3A: client=unknown[84.15.191.254]
      2012-07-26T14:26:52.408466+02:00 03as amavis[18028]: (18028-08) Checking: MFeWLMK8XN0s [84.15.191.254] <peritoneumsob86@...> -> <ziopino@...>
      2012-07-26T14:26:52.489638+02:00 03as postfix/smtpd[16634]: disconnect from unknown[84.15.191.254]
      2012-07-26T14:26:53.018148+02:00 03as amavis[18028]: (18028-08) Blocked SPAM, [84.15.191.254] [84.15.191.254] <peritoneumsob86@... -> <ziopino@...>, quarantine: MFeWLMK8XN0s[30], Message-ID: <FUMM6H-Q9Z2GZ-X6@...>, mail_id: MFeWLMK8XN0s, Hits: 10.429, size: 3464, pt: 30, 662 ms [...]

      Why did this happen?

      The postscreen conf is the same on all MX servers:

      [root@01as ]# postconf -n | grep postscreen
      postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_blacklist_action = drop
      postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen.cf
      postscreen_dnsbl_action = enforce
      postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen-dnsbl-reply-map
      postscreen_dnsbl_sites = zen.dnsbl*2 bl.spamcop.net*1 b.barracudacentral.org*1 dnsbl.sorbs.net*1 psbl.surriel.com*1 ubl.unsubscore.com*1 dnsbl-1.uceprotect.net*1 dnsbl-2.uceprotect.net*1 dnsbl-3.uceprotect.net*2
      postscreen_dnsbl_threshold = 2
      postscreen_greet_action = enforce
      postscreen_greet_banner = ucas.csi.it ESMTP $mail_name. I don't remember of you, I'll check your mind!
      postscreen_greet_ttl = 7d
      postscreen_non_smtp_command_enable = yes
      postscreen_pipelining_enable = yes
      mail_version = 2.9.1


      This is the content of memcache-postscreen.cf, identical on all MX servers:

      [root@01as ]# cat /etc/postfix/memcache-postscreen.cf
      memcache = inet:01as:11211
      backup = btree:/var/lib/postfix/postscreen_cache

      # TTL if you don't use backup
      ttl = 2592000

      # Remember
      # postscreen_cache_cleanup_interval = 0
      # on ALL instances if you DON'T use backup.



      Thank you very much for any hints.
      Regards
      Marco
    • Wietse Venema
      Message 2 of 5 , Jul 30 3:41 AM
        Marco:
        > Hello,
        >
        > I would ask help about a problem with my postscreen.
        > I have four MX servers using postscreen with one shared memcached server.
        >

        You are mixing the logging from two different servers and then you
        word-wrap the long lines. I don't have time to unwrap the lines and
        then delete the lines from the wrong server.

        Please show the problem without logs from other servers.

        Wietse
      • Marco
        Message 3 of 5 , Jul 30 5:46 AM
          Wietse Venema <wietse <at> porcupine.org> writes:

          > Please show the problem without logs from other servers.

          I'm sorry for word wrap and mix. This is an example:

          https://docs.google.com/open?id=0B-09bt7bbY_0MHU4bGduZTFWeGc

          Thanks again
          Marco
        • Wietse Venema
          Message 4 of 5 , Jul 30 8:44 AM
            Marco:
            > Wietse Venema <wietse <at> porcupine.org> writes:
            >
            > > Please show the problem without logs from other servers.
            >
            > I'm sorry for word wrap and mix. This is an example:
            >
            > https://docs.google.com/open?id=0B-09bt7bbY_0MHU4bGduZTFWeGc

            The log below is for a connection that started at 03:46:32.

            2012-07-30T03:46:32.620614+02:00 02as postfix/postscreen[1276]: CONNECT from [61.247.33.244]:2163 to [158.102.109.68]:25

            postscreen waits for five seconds, and receives no DNSBL result.
            It therefore puts the client on the whitelist (PASS NEW).

            2012-07-30T03:46:41.570129+02:00 02as postfix/postscreen[1276]: NOQUEUE: reject: RCPT from [61.247.33.244]:2163: 450 4.3.2 Service currently unavailable; from=<alexandre@...>, to=<aliberti@...>, proto=ESMTP, helo=<fm-dyn-61-247-33-244.fast.net.id>
            2012-07-30T03:46:42.091967+02:00 02as postfix/postscreen[1276]: HANGUP after 4.1 from [61.247.33.244]:2163 in tests after SMTP handshake
            2012-07-30T03:46:42.091975+02:00 02as postfix/postscreen[1276]: PASS NEW [61.247.33.244]:2163
            2012-07-30T03:46:42.102415+02:00 02as postfix/postscreen[1276]: DISCONNECT [61.247.33.244]:2163

            The DNSBL results arrive after postscreen has decided that the
            client is not blacklisted.

            2012-07-30T03:46:42.624905+02:00 02as postfix/dnsblog[19959]: addr 61.247.33.244 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
            2012-07-30T03:46:42.628037+02:00 02as postfix/dnsblog[19960]: addr 61.247.33.244 listed by domain b.barracudacentral.org as 127.0.0.2
            2012-07-30T03:46:42.629974+02:00 02as postfix/dnsblog[19961]: addr 61.247.33.244 listed by domain bl.spamcop.net as 127.0.0.2
            2012-07-30T03:46:42.642526+02:00 02as postfix/dnsblog[19965]: addr 61.247.33.244 listed by domain dnsbl.sorbs.net as 127.0.0.10
            2012-07-30T03:46:42.642998+02:00 02as postfix/dnsblog[19964]: addr 61.247.33.244 listed by domain zen.dnsbl as 127.0.0.4
            2012-07-30T03:46:42.643044+02:00 02as postfix/dnsblog[19964]: addr 61.247.33.244 listed by domain zen.dnsbl as 127.0.0.11
            2012-07-30T03:46:42.644916+02:00 02as postfix/dnsblog[19966]: addr 61.247.33.244 listed by domain ubl.unsubscore.com as 127.0.0.2
            2012-07-30T03:46:42.648056+02:00 02as postfix/dnsblog[19967]: addr 61.247.33.244 listed by domain psbl.surriel.com as 127.0.0.2

            You need to fix your DNS, run a local DNS server, or increase the
            postscreen greet-wait delay.

            Wietse
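To spot this race in your own logs, here is an added Python script (not from the thread and not part of Postfix) that correlates postscreen and dnsblog lines per client and reports every PASS NEW whose DNSBL answers only arrived after the decision, together with how long after CONNECT the last answer came in. It assumes Marco's site weights and threshold from the post, and sums each listed site's weight once, which is how the "DNSBL rank 7" in his log adds up.

```python
import re
from datetime import datetime

# Weights and threshold as set in Marco's postscreen_dnsbl_sites / _threshold.
DNSBL_WEIGHTS = {
    "zen.dnsbl": 2, "bl.spamcop.net": 1, "b.barracudacentral.org": 1,
    "dnsbl.sorbs.net": 1, "psbl.surriel.com": 1, "ubl.unsubscore.com": 1,
    "dnsbl-1.uceprotect.net": 1, "dnsbl-2.uceprotect.net": 1,
    "dnsbl-3.uceprotect.net": 2,
}
DNSBL_THRESHOLD = 2

TS = r"(\S+) \S+ postfix/"
CONNECT_RE = re.compile(TS + r"postscreen\[\d+\]: CONNECT from \[([\d.]+)\]:(\d+)")
PASS_RE = re.compile(TS + r"postscreen\[\d+\]: PASS NEW \[([\d.]+)\]:(\d+)")
LIST_RE = re.compile(TS + r"dnsblog\[\d+\]: addr ([\d.]+) listed by domain (\S+) as")

def find_late_dnsbl_hits(lines):
    """One finding per PASS NEW whose client reached the DNSBL threshold
    using only dnsblog answers logged after postscreen had already passed it."""
    connects, passes, listings = {}, [], {}
    for line in lines:
        if m := CONNECT_RE.match(line):
            connects[f"{m[2]}:{m[3]}"] = datetime.fromisoformat(m[1])
        elif m := PASS_RE.match(line):
            passes.append((f"{m[2]}:{m[3]}", m[2], datetime.fromisoformat(m[1])))
        elif m := LIST_RE.match(line):
            listings.setdefault(m[2], []).append((datetime.fromisoformat(m[1]), m[3]))
    findings = []
    for client, ip, passed_at in passes:
        late = [(t, site) for t, site in listings.get(ip, []) if t > passed_at]
        # A site's weight counts once however many A records it returns,
        # which is how "DNSBL rank 7" in Marco's log adds up under these weights.
        rank = sum(DNSBL_WEIGHTS.get(site, 0) for site in {s for _, s in late})
        if rank >= DNSBL_THRESHOLD:
            since_connect = max(t for t, _ in late) - connects.get(client, passed_at)
            findings.append({"client": client, "rank": rank,
                             # how long after CONNECT the last answer arrived, i.e.
                             # roughly how long postscreen would have had to wait
                             "seconds_to_last_answer": round(since_connect.total_seconds(), 2)})
    return findings

# Constructed sample: a subset of the lines from Wietse's trimmed excerpt above.
SAMPLE_LOG = """\
2012-07-30T03:46:32.620614+02:00 02as postfix/postscreen[1276]: CONNECT from [61.247.33.244]:2163 to [158.102.109.68]:25
2012-07-30T03:46:42.091975+02:00 02as postfix/postscreen[1276]: PASS NEW [61.247.33.244]:2163
2012-07-30T03:46:42.624905+02:00 02as postfix/dnsblog[19959]: addr 61.247.33.244 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
2012-07-30T03:46:42.642998+02:00 02as postfix/dnsblog[19964]: addr 61.247.33.244 listed by domain zen.dnsbl as 127.0.0.4
2012-07-30T03:46:42.643044+02:00 02as postfix/dnsblog[19964]: addr 61.247.33.244 listed by domain zen.dnsbl as 127.0.0.11
""".splitlines()
```

Run it over one server's log at a time (as Wietse asks for), since the CONNECT and PASS NEW lines of a connection only match up on the host that handled it.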
          • Charles Marcus
            Message 5 of 5 , Aug 2, 2012
              On 2012-07-30 8:46 AM, Marco <falon@...> wrote:
              > Wietse Venema<wietse<at> porcupine.org> writes:
              >> Please show the problem without logs from other servers.

              > I'm sorry for word wrap and mix. This is an example:
              >
              > https://docs.google.com/open?id=0B-09bt7bbY_0MHU4bGduZTFWeGc

              An rtf file hosted on google???

              Please help us help you.

              Just post the requested info in the email BODY as plaintext.

              --

              Best regards,

              Charles