
Postscreen and exceptions

  • Alex
    Message 1 of 28, Dec 23, 2012
      Hi,

      I've implemented postscreen with postfix-2.9.4 on fc17 and it is
      rejecting mail from alice.it and libero.it, which are apparently two
      ISPs in Italy. We receive a large number of messages that are rejected
      due to postscreen, but now we have one email address from each domain
      that we need to allow the ability to send to us.

      Is there no alternative to creating a postscreen access list that
      permits mail from the /24 for these domains just for these two users,
      then let spamassassin filter the junk? I'd also then have to whitelist
      the users in spamassassin as well.

      It also looks like mail originates from IPs other than those listed as
      an MX record for alice.it, so I'm not even sure what the range would
      be for the postscreen permit rules.

      Thanks for any ideas.
      Alex
    • Reindl Harald
      Message 2 of 28, Dec 23, 2012
        On 24.12.2012 02:38, Alex wrote:
        > It also looks like mail originates from IPs other than those listed as
        > an MX record for alice.it

        MX record has nothing to do with sending IPs
        it is only the incoming server

        in nearly any larger setup they are different
        because you have incoming servers with spam
        firewalls in front of and submissions servers
        for your users sent messages
      • Wietse Venema
        Message 3 of 28, Dec 23, 2012
          Alex:
          > Hi,
          >
          > I've implemented postscreen with postfix-2.9.4 on fc17 and it is
          > rejecting mail from alice.it and libero.it, which are apparently two
          > ISPs in Italy. We receive a large number of messages that are rejected
          > due to postscreen, but now we have one email address from each domain
          > that we need to allow the ability to send to us.
          >
          > Is there no alternative to creating a postscreen access list that
          > permits mail from the /24 for these domains just for these two users,
          > then let spamassassin filter the junk? I'd also then have to whitelist
          > the users in spamassassin as well.

          The purpose of postscreen is to block spambots regardless of what
          email they send.

          You can exclude an entire IP address range with postscreen_access_list,
          again, regardless of what email they send.

          For per-recipient exceptions use smtpd_mumble_restrictions or
          postfwd.

          Wietse
        • Alex
          Message 4 of 28, Dec 23, 2012
            Hi,

            >> I've implemented postscreen with postfix-2.9.4 on fc17 and it is
            >> rejecting mail from alice.it and libero.it, which are apparently two
            >> ISPs in Italy. We receive a large number of messages that are rejected
            >> due to postscreen, but now we have one email address from each domain
            >> that we need to allow the ability to send to us.
            >>
            >> Is there no alternative to creating a postscreen access list that
            >> permits mail from the /24 for these domains just for these two users,
            >> then let spamassassin filter the junk? I'd also then have to whitelist
            >> the users in spamassassin as well.
            >
            > The purpose of postscreen is to block spambots regardless of what
            > email they send.
            >
            > You can exclude an entire IP address range with postscreen_access_list,
            > again, regardless of what email they send.
            >
            > For per-recipient exceptions use smtpd_mumble_restrictions or
            > postfwd.

            I haven't been able to find much available on the proper use for
            smtpd_mumble_restrictions. It doesn't seem to be documented with
            postscreen or the postconf page or even my postconf output.

            I'm already excluding entire ranges with a postscreen access list, but
            as I mentioned, I was hoping to avoid that, because there are only two
            legitimate users I'm concerned with, and dozens or more messages that
            would otherwise be spam rejected per day. I'd like to continue to be
            able to reject outright the spam and only permit messages from these
            two users.

            I also understand that organizations use separate IPs from those
            listed in their MX records -- that was my point. I have no way of
            knowing what those IPs are, except through trial and error, looking
            through logs and correlating them with addresses, etc.

            I realize postscreen is more of a "sender" restriction and I'm really
            looking for it to do "client" restrictions.

            Thanks,
            Alex
          • Noel Jones
            Message 5 of 28, Dec 23, 2012
              On 12/23/2012 9:57 PM, Alex wrote:
              > Hi,
              >
              >>> I've implemented postscreen with postfix-2.9.4 on fc17 and it is
              >>> rejecting mail from alice.it and libero.it, which are apparently two
              >>> ISPs in Italy. We receive a large number of messages that are rejected
              >>> due to postscreen, but now we have one email address from each domain
              >>> that we need to allow the ability to send to us.
              >>>
              >>> Is there no alternative to creating a postscreen access list that
              >>> permits mail from the /24 for these domains just for these two users,
              >>> then let spamassassin filter the junk? I'd also then have to whitelist
              >>> the users in spamassassin as well.
              >>
              >> The purpose of postscreen is to block spambots regardless of what
              >> email they send.
              >>
              >> You can exclude an entire IP address range with postscreen_access_list,
              >> again, regardless of what email they send.
              >>
              >> For per-recipient exceptions use smtpd_mumble_restrictions or
              >> postfwd.
              >
              > I haven't been able to find much available on the proper use for
              > smtpd_mumble_restrictions. It doesn't seem to be documented with
              > postscreen or the postconf page or even my postconf output.

              smtpd_mumble_restrictions is shorthand for "use any of
              smtpd_{client, helo, sender, recipient, data,
              end_of_data}_restrictions."


              I'm curious what postscreen rules you're using that are rejecting
              mail from an ISP. (I'm not familiar with the two you mention, and
              assume they aren't spammer-haven worthy of global blocking.)


              >
              > I'm already excluding entire ranges with a postscreen access list, but
              > as I mentioned, I was hoping to avoid that, because there are only two
              > legitimate users I'm concerned with, and dozens or more messages that
              > would otherwise be spam rejected per day. I'd like to continue to be
              > able to reject outright the spam and only permit messages from these
              > two users.
              >
              > I also understand that organizations use separate IPs from those
              > listed in their MX records -- that was my point. I have no way of
              > knowing what those IPs are, except through trial and error, looking
              > through logs and correlating them with addresses, etc.

              Perhaps they publish SPF records, which were invented for this purpose.
              $ host -t txt libero.it
              libero.it descriptive text "v=spf1 ip4:212.52.84.101/32
              ip4:212.52.84.102/31 ip4:212.52.84.104/29 ip4:212.52.84.112/29
              ip4:212.52.84.192/32 ip4:212.52.84.43/32 include:blackberry.com ?all"




              -- Noel Jones
            • Stan Hoeppner
              Message 6 of 28, Dec 24, 2012
                On 12/23/2012 7:38 PM, Alex wrote:
                > Hi,
                >
                > I've implemented postscreen with postfix-2.9.4 on fc17 and it is
                > rejecting mail from alice.it and libero.it, which are apparently two
                > ISPs in Italy. We receive a large number of messages that are rejected
                > due to postscreen, but now we have one email address from each domain
                > that we need to allow the ability to send to us.
                >
                > Is there no alternative to creating a postscreen access list that
                > permits mail from the /24 for these domains just for these two users,
                > then let spamassassin filter the junk? I'd also then have to whitelist
                > the users in spamassassin as well.
                >
                > It also looks like mail originates from IPs other than those listed as
                > an MX record for alice.it, so I'm not even sure what the range would
                > be for the postscreen permit rules.

                As always it would be helpful if you provided Postfix logging of these
                rejections so we can see what is actually happening. At this point we
                don't know if it's the postscreen bot detection that's causing the
                rejections, or the dnsbls you have configured in postscreen that are
                causing the rejections. The proper fix to your problem may be different
                depending on which is causing the rejections.

                --
                Stan
              • Alex
                Message 7 of 28, Dec 24, 2012
                  Hi,

                  >> I haven't been able to find much available on the proper use for
                  >> smtpd_mumble_restrictions. It doesn't seem to be documented with
                  >> postscreen or the postconf page or even my postconf output.
                  >
                  > smtpd_mumble_restrictions is shorthand for "use any of
                  > smtpd_{client, helo, sender, recipient, data,
                  > end_of_data}_restrictions."

                  Okay, duh. Maybe it never occurred to me because I thought postscreen
                  was well before any of the smtpd restrictions.

                  > I'm curious what postscreen rules you're using that are rejecting
                  > mail from an ISP. (I'm not familiar with the two you mention, and
                  > assume they aren't spammer-haven worthy of global blocking.)

                  Perhaps many of the rejects from users at those domains are really
                  just spoofed. Here's one reject actually from them, however:

                  Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                  from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client
                  [212.52.84.101] blocked using bl.spamcop.net;
                  from=<rossopompeiano@...>, to=<milcs@...>, proto=ESMTP,
                  helo=<outrelay01.libero.it>

                  My postscreen config contains:
                  postscreen_access_list = permit_mynetworks,
                  cidr:/etc/postfix/postscreen_access.cidr
                  postscreen_dnsbl_threshold = 1
                  postscreen_dnsbl_action = enforce
                  postscreen_greet_action = enforce
                  postscreen_blacklist_action = enforce
                  postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
                  bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1

                  I have a series of IPs in the postscreen_access.cidr file that need to
                  be permitted, and add to it after we learn mail is being rejected due
                  to the IP being blacklisted by one of the RBLs.

                  >> I also understand that organizations use separate IPs from those
                  >> listed in their MX records -- that was my point. I have no way of
                  >> knowing what those IPs are, except through trial and error, looking
                  >> through logs and correlating them with addresses, etc.
                  >
                  > Perhaps they publish SPF records, which were invented for this purpose.
                  > $ host -t txt libero.it
                  > libero.it descriptive text "v=spf1 ip4:212.52.84.101/32
                  > ip4:212.52.84.102/31 ip4:212.52.84.104/29 ip4:212.52.84.112/29
                  > ip4:212.52.84.192/32 ip4:212.52.84.43/32 include:blackberry.com ?all"

                  Ah, yes. That's still something like 20 IPs. I would assume none of
                  the blackberry.com IPs would ever be rejected by postscreen, so they
                  don't need to be added.

                  I can then just add the single email address to the whitelist_from_spf
                  in spamassassin.

                  For alice.it, they don't appear to publish an SPF record, but instead
                  some kind of google key?

                  alice.it. 19028 IN TXT
                  "google-site-verification=fmPX0ewWZ5WfhZ80tP8h-cQb2p0L_KCixRm_UHyK-bw"

                  Dec 24 08:00:46 mail01 postfix/postscreen[24923]: NOQUEUE: reject:
                  RCPT from [82.57.200.119]:48396: 550 5.7.1 Service unavailable; client
                  [82.57.200.119] blocked using bl.spamcop.net; from=<user@...>,
                  to=<massimo.arioli@...>, proto=ESMTP, helo=<smtp303.alice.it>

                  We have several IPs from the alice.it domain that appear to be not
                  blacklisted, including 82.57.200.104.

                  Thanks,
                  Alex
                • Alex
                  Message 8 of 28, Dec 24, 2012
                    Hi,

                    >> It also looks like mail originates from IPs other than those listed as
                    >> an MX record for alice.it, so I'm not even sure what the range would
                    >> be for the postscreen permit rules.
                    >
                    > As always it would be helpful if you provided Postfix logging of these
                    > rejections so we can see what is actually happening. At this point we
                    > don't know if it's the postscreen bot detection that's causing the
                    > rejections, or the dnsbls you have configured in postscreen that are
                    > causing the rejections. The proper fix to your problem may be different
                    > depending on the which is causing the rejections.

                    It looks like some from alice.it make it through successfully:

                    Dec 24 07:51:15 mail01 postfix/smtpd[22059]: connect from
                    smtp304.alice.it[82.57.200.93]

                    While others are rejected:

                    Dec 24 08:00:46 mail01 postfix/postscreen[24923]: NOQUEUE: reject:
                    RCPT from [82.57.200.119]:48396: 550 5.7.1 Service unavailable; client
                    [82.57.200.119] blocked using bl.spamcop.net; from=<user@...>,
                    to=<massimo.arioli@...>, proto=ESMTP, helo=<smtp303.alice.it>

                    For libero.it, there are far more rejections, and I don't know if the
                    IPs are actual libero.it IPs or just spoofed emails from that domain,
                    or customers of the ISP:

                    Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                    from [195.81.140.87]:32798: 550 5.7.1 Service unavailable; client
                    [195.81.140.87] blocked using bl.spamcop.net; from=<user@...>,
                    to=<fm3@...>, proto=SMTP,
                    helo=<static-195-81-140-87.irtnet.net>

                    I know now this one is listed in their SPF records:

                    Dec 24 10:03:07 mail01 postfix/postscreen[24923]: NOQUEUE: reject:
                    RCPT from [212.52.84.101]:49951: 550 5.7.1 Service unavailable; client
                    [212.52.84.101] blocked using bl.spamcop.net; from=<user@...>,
                    to=<user@...>, proto=ESMTP, helo=<outrelay01.libero.it>

                    Thanks,
                    Alex
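Added example, not code from this thread or from Postfix: it combines Noel's SPF suggestion in message 5 with Stan's request in message 6 for the actual reject lines. It parses the postscreen reject lines quoted above, counts which DNSBL is doing the rejecting, and emits postscreen_access.cidr entries only for the rejected clients that libero.it's published SPF record vouches for, rather than the whole /24 considered in the first message. The log lines are re-joined copies of the ones in this thread (addresses left redacted as on the page), the regex is written against the reject format exactly as it appears in them, and the include:blackberry.com term is reported rather than resolved because nothing here talks to the network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: the postscreen reject lines quoted in this thread,
# re-joined onto single lines as syslog writes them. The smtpd "connect from"
# line is included only to show that non-reject lines are ignored.
SAMPLE_LOG = """\
Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client [212.52.84.101] blocked using bl.spamcop.net; from=<rossopompeiano@...>, to=<milcs@...>, proto=ESMTP, helo=<outrelay01.libero.it>
Dec 24 08:00:46 mail01 postfix/postscreen[24923]: NOQUEUE: reject: RCPT from [82.57.200.119]:48396: 550 5.7.1 Service unavailable; client [82.57.200.119] blocked using bl.spamcop.net; from=<user@...>, to=<massimo.arioli@...>, proto=ESMTP, helo=<smtp303.alice.it>
Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT from [195.81.140.87]:32798: 550 5.7.1 Service unavailable; client [195.81.140.87] blocked using bl.spamcop.net; from=<user@...>, to=<fm3@...>, proto=SMTP, helo=<static-195-81-140-87.irtnet.net>
Dec 24 07:51:15 mail01 postfix/smtpd[22059]: connect from smtp304.alice.it[82.57.200.93]
"""

# libero.it SPF record exactly as quoted in message 5. The include: term
# cannot be expanded offline, so it is reported instead of resolved.
LIBERO_SPF = ("v=spf1 ip4:212.52.84.101/32 ip4:212.52.84.102/31 ip4:212.52.84.104/29 "
              "ip4:212.52.84.112/29 ip4:212.52.84.192/32 ip4:212.52.84.43/32 "
              "include:blackberry.com ?all")

# Matches the postscreen DNSBL reject format as it appears in the lines above.
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: "
    r"(?P<status>\d{3} \d\.\d\.\d) .*?; client \[[^\]]+\] blocked using (?P<dnsbl>[^;\s]+); "
    r"from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>, proto=(?P<proto>\w+), helo=<(?P<helo>[^>]*)>"
)


def parse_postscreen_rejects(log_text):
    """Return one dict per postscreen DNSBL reject line; other lines are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]


def rejects_by_dnsbl(rejects):
    """Stan's question: which configured DNSBL is actually doing the rejecting."""
    return Counter(r["dnsbl"] for r in rejects)


def spf_ip4_networks(spf_record):
    """Return ([ip4 networks], [unresolved include: domains]) from an SPF TXT record."""
    nets, includes = [], []
    for term in spf_record.split():
        term = term.lstrip("+")  # "+ip4:" and "ip4:" both mean pass
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[len("ip4:"):], strict=False))
        elif term.startswith("include:"):
            includes.append(term[len("include:"):])
    return nets, includes


def spf_network_for(ip, nets):
    """The SPF-published network containing ip, or None if the ISP does not vouch for it."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in nets if addr in net), None)


def postscreen_cidr_lines(rejects, nets, comment):
    """postscreen_access.cidr lines for rejected clients the SPF record vouches for.

    Only the published block containing the client is permitted. cidr_table(5)
    comments are whole lines starting with '#', so the label gets its own line.
    """
    lines = ["# " + comment]
    seen = set()
    for r in rejects:
        net = spf_network_for(r["ip"], nets)
        if net is not None and net not in seen:
            seen.add(net)
            lines.append(f"{net} permit")
    return lines


if __name__ == "__main__":
    rejects = parse_postscreen_rejects(SAMPLE_LOG)
    print(dict(rejects_by_dnsbl(rejects)))
    nets, includes = spf_ip4_networks(LIBERO_SPF)
    print("\n".join(postscreen_cidr_lines(rejects, nets, "libero.it outbound relays per SPF")))
    print("unresolved include:", includes)
```

On the thread's own lines this reports every rejection as coming from bl.spamcop.net, and only 212.52.84.101 (outrelay01.libero.it) falls inside libero.it's SPF networks; the 195.81.140.87 client with the irtnet.net HELO and the alice.it client are not vouched for by that record, so no permit line is generated for them. For the per-sender exception Wietse and Noel point at, a DNSBL that stays in postscreen cannot be bypassed per address; it has to be used as reject_rbl_client under smtpd_recipient_restrictions, where a check_client_access lookup on the SPF-published blocks placed before it can return OK. Prefer client-based over sender-based exceptions there, since a check_sender_access permit keyed on the two addresses is trivially satisfied by anyone who spoofs them.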
                  • Stan Hoeppner
                    Message 9 of 28, Dec 24, 2012
                      On 12/24/2012 2:26 PM, Alex wrote:

                      > Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                      > from [195.81.140.87]:32798: 550 5.7.1 Service unavailable; client
                      > [195.81.140.87] blocked using bl.spamcop.net; from=<user@...>,
                      > to=<fm3@...>, proto=SMTP,
                      > helo=<static-195-81-140-87.irtnet.net>

                      Here's your problem Alex. You're using spamcop to outright block on
                      hit. This is not advised and is well known to cause FPs. Spamcop hits
                      are best scored with other DNSBL hits inside SA, which does so
                      automatically in a default config. Remove spamcop from your postscreen
                      configuration and that will fix this problem.

                      Happy holidays to Alex, and to everyone.

                      --
                      Stan
                    • Alex
                      Message 10 of 28, Dec 24, 2012
                        Hi,

                        >> Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                        >> from [195.81.140.87]:32798: 550 5.7.1 Service unavailable; client
                        >> [195.81.140.87] blocked using bl.spamcop.net; from=<user@...>,
                        >> to=<fm3@...>, proto=SMTP,
                        >> helo=<static-195-81-140-87.irtnet.net>
                        >
                        > Here's your problem Alex. You're using spamcop to outright block on
                        > hit. This is not advised and is well known to cause FPs. Spamcop hits
                        > are best scored with other DNSBL hits inside SA, which does so
                        > automatically in a default config. Remove spamcop from your postscreen
                        > configuration and that will fix this problem.

                        Awesome, thanks. So psbl.surriel.com is okay to keep?

                        > Happy holidays to Alex, and to everyone.

                        Happy holidays to you as well! Thanks for helping out on this late
                        holiday eve...

                        btw, Stan, I eventually ordered the proper supermicro trays for the
                        SSD disks and migrated two servers already. Performance is much
                        improved, although I'm sure there's still room for improvement.
                        Project for another day.

                        Thanks,
                        Alex
                      • Noel Jones
                        Message 11 of 28, Dec 24, 2012
                          On 12/24/2012 2:16 PM, Alex wrote:
                          > Hi,
                          >
                          >>> I haven't been able to find much available on the proper use for
                          >>> smtpd_mumble_restrictions. It doesn't seem to be documented with
                          >>> postscreen or the postconf page or even my postconf output.
                          >>
                          >> smtpd_mumble_restrictions is shorthand for "use any of
                          >> smtpd_{client, helo, sender, recipient, data,
                          >> end_of_data}_restrictions."
                          >
                          > Okay, duh. Maybe it never occurred to me because I thought postscreen
                          > was well before any of the smtpd restrictions.
                          >
                          >> I'm curious what postscreen rules you're using that are rejecting
                          >> mail from an ISP. (I'm not familiar with the two you mention, and
                          >> assume they aren't spammer-haven worthy of global blocking.)
                          >
                          > Perhaps many of the rejects from users at those domains are really
                          > just spoofed. Here's one reject actually from them, however:
                          >
                          > Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                          > from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client
                          > [212.52.84.101] blocked using bl.spamcop.net;
                          > from=<rossopompeiano@...>, to=<milcs@...>, proto=ESMTP,
                          > helo=<outrelay01.libero.it>
                          >
                          > My postscreen config contains:
                          > postscreen_access_list = permit_mynetworks,
                          > cidr:/etc/postfix/postscreen_access.cidr
                          > postscreen_dnsbl_threshold = 1
                          > postscreen_dnsbl_action = enforce
                          > postscreen_greet_action = enforce
                          > postscreen_blacklist_action = enforce
                          > postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
                          > bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1


                          I see. Perhaps you intended postscreen_dnsbl_threshold = 2 with the
                          above RBLs and weights.

                          Spamcop in particular is not safe and not recommended for outright
                          rejection. Opinions differ on psbl.surriel and barracudacentral,
                          but they are frequently used in scoring rather than outright. A
                          site listed on two of these three is likely spam, a site listed on
                          only one of them is questionable.

                          The spamhaus zen list is widely considered safe for outright rejection.

                          You also might benefit from using dns whitelists with postscreen.
                          The idea is to "rescue" mostly-good IPs from postscreen and pass
                          them to SpamAssassin for deeper inspection. Some to consider:
                          list.dnswl.org*-1
                          hostkarma.junkemailfilter.com=127.0.0.1*-1
                          swl.spamhaus.org*-2



                          -- Noel Jones

                          Merry Christmas to all! And I get my name up in lights all over town!
                        • Wietse Venema
                          Message 12 of 28, Dec 24, 2012
                            Alex:
                            > Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                            > from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client
                            > [212.52.84.101] blocked using bl.spamcop.net;

                            Don't use spamcop, or use it only with small weight in a scoring system.

                            Wietse
                          • /dev/rob0
                            Message 13 of 28, Dec 24, 2012
                              On Mon, Dec 24, 2012 at 05:34:20PM -0500, Alex wrote:
                              > >> Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE:
                              > >> reject: RCPT from [195.81.140.87]:32798: 550 5.7.1 Service
                              > >> unavailable; client [195.81.140.87] blocked using
                              > >> bl.spamcop.net; from=<user@...>, to=<fm3@...>,
                              > >> proto=SMTP, helo=<static-195-81-140-87.irtnet.net>
                              > >
                              > > Here's your problem Alex. You're using spamcop to outright block
                              > > on hit. This is not advised and is well known to cause FPs.
                              > > Spamcop hits are best scored with other DNSBL hits inside SA,
                              > > which does so automatically in a default config. Remove spamcop
                              > > from your postscreen configuration and that will fix this
                              > > problem.

                              The problem was not the existence of spamcop within the list. The
                              problem was the *scoring* of spamcop and the threshold of 1.

                              If you're going to set scores, USE them. Set the
                              postscreen_dnsbl_threshold *higher* than 1.

                              > Awesome, thanks. So psbl.surriel.com is okay to keep?

                              It's probably safer than spamcop, but the best answer is to check
                              their policies, test its performance, and see if it works for you.

                              The pre-postscreen way was to use "warn_if_reject reject_rbl_client
                              psbl.surriel.com" in your smtpd restrictions.

                              The postscreen way is, again, to raise your threshold score to ensure
                              it's never used:

                              postscreen_dnsbl_threshold = 9
                              postscreen_dnsbl_sites = zen.spamhaus.org*9, b.barracudacentral.org*9
                              bl.spameatingmonkey.net*9 dnsbl.njabl.org*7 dnsbl.ahbl.org*7
                              bl.spamcop.net*3 dnsbl.sorbs.net*3 spamtrap.trblspam.com*3
                              psbl.surriel.com [ ... other sites such as whitelists with
                              negative scores ... ]

                              In the example above, psbl.surriel.com would never trigger a
                              rejection. The extra one point would never be significant.

                              Note I am not recommending this; I am merely illustrating how the
                              scoring system can work. My own postscreen_dnsbl_threshold is 3, with
                              three tiers of DNSBL sites:
                              Tier 1, 3 points: reject with that site alone
                              Tier 2, 2 points: reject with that site plus any other
                              Tier 3, 1 point: reject with three of these sites

                              I'm not currently using psbl.surriel.com, but I'm sure it would be
                              fine in Tier 3. The whole point of Tier 3 is that it does NOT require
                              much confidence in those sites, but that when three of them agree,
                              there might be good reason to block.
                              --
                              http://rob0.nodns4.us/ -- system administration and consulting
                              Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
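Added example, not code from this thread or from Postfix: a small model of postscreen's DNSBL scoring, covering both Noel's point in message 11 (the weights in that config only mean something with postscreen_dnsbl_threshold = 2, and DNS whitelists with negative weights can rescue a client) and rob0's point in message 13 (with a higher threshold, a low-weight site such as psbl.surriel.com can only ever tip the balance together with others). The site lists are the ones posted in the thread; the scoring rule modelled is the documented one, namely that a client is blocked when the sum of the weights of the sites listing it reaches the threshold. The "=filter" part of the hostkarma entry is kept as part of the key and not interpreted further.

```python
# postscreen_dnsbl_sites entries look like "domain[=filter][*weight]";
# the weight defaults to 1 when "*weight" is absent.

ALEX_SITES = ("mykey.zen.dq.spamhaus.net*2 bl.spamcop.net*1 "
              "b.barracudacentral.org*1 psbl.surriel.com*1")
NOEL_WHITELISTS = ("list.dnswl.org*-1 hostkarma.junkemailfilter.com=127.0.0.1*-1 "
                   "swl.spamhaus.org*-2")
ROB0_SITES = ("zen.spamhaus.org*9, b.barracudacentral.org*9 bl.spameatingmonkey.net*9 "
              "dnsbl.njabl.org*7 dnsbl.ahbl.org*7 bl.spamcop.net*3 dnsbl.sorbs.net*3 "
              "spamtrap.trblspam.com*3 psbl.surriel.com")


def parse_dnsbl_sites(setting):
    """Parse a postscreen_dnsbl_sites value into {site: weight}.

    Entries may be comma or whitespace separated. Only the "*weight" suffix is
    interpreted; an "=filter" part stays in the key, since the filtered lookup
    is a different entry from an unfiltered one on the same domain.
    """
    weights = {}
    for entry in setting.replace(",", " ").split():
        site, _, weight = entry.partition("*")
        weights[site] = int(weight) if weight else 1
    return weights


def dnsbl_score(weights, listed_on):
    """Combined score for a client that the given sites returned a listing for."""
    return sum(weights.get(site, 0) for site in listed_on)


def would_reject(weights, threshold, listed_on):
    """postscreen_dnsbl_threshold is an inclusive lower bound: score >= threshold blocks."""
    return dnsbl_score(weights, listed_on) >= threshold


def rejects_alone(weights, threshold):
    """Sites whose weight alone reaches the threshold, i.e. single-hit rejections."""
    return sorted(site for site, w in weights.items() if w >= threshold)


def hits_needed(weights, threshold):
    """rob0's tiers: how many sites of the same weight must agree before a reject.

    Whitelists (weight <= 0) can never cause a rejection and are reported as None.
    """
    return {site: (-(-threshold // w) if w > 0 else None) for site, w in weights.items()}


if __name__ == "__main__":
    alex = parse_dnsbl_sites(ALEX_SITES)
    print("threshold 1, spamcop alone:", would_reject(alex, 1, ["bl.spamcop.net"]))
    print("threshold 2, spamcop alone:", would_reject(alex, 2, ["bl.spamcop.net"]))
    print("threshold 2, single-hit sites:", rejects_alone(alex, 2))
    rescued = parse_dnsbl_sites(ALEX_SITES + " " + NOEL_WHITELISTS)
    print("spamcop+psbl but on dnswl:",
          would_reject(rescued, 2, ["bl.spamcop.net", "psbl.surriel.com", "list.dnswl.org"]))
    rob0 = parse_dnsbl_sites(ROB0_SITES)
    print("rob0 threshold 9 tiers:", hits_needed(rob0, 9))
```

With the config posted in message 7 the threshold of 1 makes every weight irrelevant: any single listing, including a spamcop one, rejects. Raising only the threshold to 2 leaves the Spamhaus zen entry as the sole single-hit site and turns spamcop, barracuda and psbl into "two must agree" sites, and a dnswl listing at -1 then cancels one of those two hits. The negative weights only take effect for clients that postscreen actually looks up, which is the "rescue" behaviour Noel describes.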
                            • Alex
                              Message 14 of 28, Dec 25, 2012
                                Hi,

                                >> My postscreen config contains:
                                >> postscreen_access_list = permit_mynetworks,
                                >> cidr:/etc/postfix/postscreen_access.cidr
                                >> postscreen_dnsbl_threshold = 1
                                >> postscreen_dnsbl_action = enforce
                                >> postscreen_greet_action = enforce
                                >> postscreen_blacklist_action = enforce
                                >> postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
                                >> bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1
                                >
                                >
                                > I see. Perhaps you intended postscreen_dnsbl_threshold = 2 with the
                                > above RBLs and weights.

                                Yes, exactly. I actually had it at 2, based on the examples from the
                                postscreen README. I think I got confused when Stan wrote back in
                                November (during our whole snowshoe thread conversation) that I should
                                set the postscreen weighting so any hit causes a reject, but he
                                probably didn't realize I had spamcop among those RBLs.

                                I've since removed spamcop, but perhaps I'll add it back and increase
                                the weighting, as was also recently suggested.

                                Thanks for the tips on the whitelists with postscreen. I'll
                                definitely add those.

                                Back from Christmas dinner with the relatives, eager to learn more
                                about postfix, so thanks for your help.

                                Happy holidays,
                                Alex
                              • Stan Hoeppner
                                Message 15 of 28 , Dec 26, 2012
                                  On 12/24/2012 4:34 PM, Alex wrote:
                                  > Hi,
                                  >
                                  >>> Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
                                  >>> from [195.81.140.87]:32798: 550 5.7.1 Service unavailable; client
                                  >>> [195.81.140.87] blocked using bl.spamcop.net; from=<user@...>,
                                  >>> to=<fm3@...>, proto=SMTP,
                                  >>> helo=<static-195-81-140-87.irtnet.net>
                                  >>
                                  >> Here's your problem Alex. You're using spamcop to outright block on
                                  >> hit. This is not advised and is well known to cause FPs. Spamcop hits
                                  >> are best scored with other DNSBL hits inside SA, which does so
                                  >> automatically in a default config. Remove spamcop from your postscreen
                                  >> configuration and that will fix this problem.
                                  >
                                  > Awesome, thanks. So psbl.surriel.com is okay to keep?

                                  Yes. Use Zen and BRBL for heavy lifting, use PSBL last for stragglers
                                  potentially not listed by the others. My current mail log shows
                                  rejections of 42, 22, and 6 respectively, and I use them in that order.

                                  >> Happy holidays to Alex, and to everyone.
                                  >
                                  > Happy holidays to you as well! Thanks for helping out on this late
                                  > holiday eve...
                                  >
                                  > btw, Stan, I eventually ordered the proper supermicro trays for the
                                  > SSD disks and migrated two servers already. Performance is much
                                  > improved, although I'm sure there's still room for improvement.
                                  > Project for another day.

                                  Nice. Are you doing mirror pairs, or? Hardware or md RAID?

                                  --
                                  Stan
                                • Stan Hoeppner
                                  Message 16 of 28 , Dec 26, 2012
                                    On 12/24/2012 4:57 PM, Noel Jones wrote:

                                    > Opinions differ on psbl.surriel and barracudacentral,
                                    > but they are frequently used in scoring rather than outright. A
                                    > site listed on two of these three is likely spam, a site listed on
                                    > only one of them is questionable.

                                    Nonsense. The mere fact that a listing on one DNSBL is absent on others
                                    doesn't make it "questionable". Many DNSBL operators have in fact been
                                    working to decrease overlap amongst lists in recent years. If everyone
                                    listed the same IPs the world would do with a single DNSBL, mirrored
                                    everywhere for load.

                                    Recent rejection data here, in order of restriction, not including
                                    inbuilt Postfix checks. Direct rejection, no scoring/weighting, in SMTPD:

                                    local tables   6406

                                    Zen             223
                                    BRBL            757
                                    PSBL             42

                                    Zero FPs.

                                    --
                                    Stan
                                  • Noel Jones
                                    Message 17 of 28 , Dec 26, 2012
                                      On 12/26/2012 4:52 PM, Stan Hoeppner wrote:
                                      > On 12/24/2012 4:57 PM, Noel Jones wrote:
                                      >
                                      >> Opinions differ on psbl.surriel and barracudacentral,
                                      >> but they are frequently used in scoring rather than outright. A
                                      >> site listed on two of these three is likely spam, a site listed on
                                      >> only one of them is questionable.
                                      >
                                      > Nonsense. The mere fact that a listing on one DNSBL is absent on others


                                      Glad it works for you at your sites, I use them too.

                                      As with all third-party blacklists (and whitelists!) each sysop
                                      should make their own decision about who to hand the keys to. When
                                      giving advice to others knowing next to nothing about their local
                                      policy, it would be foolish to be anything but conservative.

                                      Even Zen isn't universally used, that's why it's called a local
                                      policy decision.



                                      -- Noel Jones
                                    • Stan Hoeppner
                                      Message 18 of 28 , Dec 26, 2012
                                        On 12/25/2012 9:26 PM, Alex wrote:
                                        > Hi,
                                        >
                                        >>> My postscreen config contains:
                                        >>> postscreen_access_list = permit_mynetworks,
                                        >>> cidr:/etc/postfix/postscreen_access.cidr
                                        >>> postscreen_dnsbl_threshold = 1
                                        >>> postscreen_dnsbl_action = enforce
                                        >>> postscreen_greet_action = enforce
                                        >>> postscreen_blacklist_action = enforce
                                        >>> postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
                                        >>> bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1
                                        >>
                                        >>
                                        >> I see. Perhaps you intended postscreen_dnsbl_threshold = 2 with the
                                        >> above RBLs and weights.
                                        >
                                        > Yes, exactly. I actually had it at 2, based on the examples from the
                                        > postscreen README. I think I got confused when Stan wrote back in
                                        > November (during our whole snowshoe thread conversation) that I should
                                        > set the postscreen weighting so any hit causes a reject, but he
                                        > probably didn't realize I had spamcop among those RBLs.

                                        I did. But note what I said in that thread:

                                        On 11/22/2012 2:19 AM, Stan Hoeppner wrote:

                                        > With any of the reputable DNSBLs you should
                                        > probably outright block, not score. So set postscreen weighting so
                                        > any hit causes a rejection. If you are FP averse, simply duplicate
                                        > your postscreen DNSBL config in SMTPD with 'WARN_IF_REJECT' and do a
                                        > log comparison to see what additional clients would be rejected. If
                                        > you're not seeing warnings on ham, go live.

                                        Note that I recommended testing before going live without scoring but
                                        direct rejection, and gave instructions on how to do so. If you'd done
                                        that you'd have seen the FPs from spamcop before going live.

                                        --
                                        Stan
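A way to do the log comparison Stan describes above (duplicate the postscreen DNSBL config in smtpd under warn_if_reject, then see which clients would have been rejected), as an added example that is not from the thread or from Postfix. It assumes the standard smtpd "NOQUEUE: reject_warning: ... blocked using <dnsbl>" line format; the sample log lines are constructed, not real traffic.

```python
"""Tally would-be DNSBL rejections from warn_if_reject smtpd logs (added example).

With 'warn_if_reject reject_rbl_client <dnsbl>' in smtpd_*_restrictions, Postfix
logs 'NOQUEUE: reject_warning: ...' and continues instead of rejecting, so a
client listed on several DNSBLs produces one warning line per list. Counting
those lines per list, and spotting the clients that only a single list flagged,
gives the FP review Stan recommends before switching to outright rejection.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample lines in the smtpd reject_warning format (not from the thread).
SAMPLE_LOG = """\
Dec 26 10:01:02 mail02 postfix/smtpd[2201]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Dec 26 10:01:03 mail02 postfix/smtpd[2201]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<x@spam.example> to=<bob@example.org> proto=SMTP helo=<198-51-100-7.example>
Dec 26 10:01:03 mail02 postfix/smtpd[2201]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using b.barracudacentral.org; from=<x@spam.example> to=<bob@example.org> proto=SMTP helo=<198-51-100-7.example>
Dec 26 10:02:15 mail02 postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<y@example.com> to=<bob@example.org> proto=ESMTP helo=<z>
Dec 26 10:03:44 mail02 postfix/smtpd[2203]: 1A2B3C4D5E: client=mail.example.net[192.0.2.10]
"""

# Only warn_if_reject lines produced by reject_rbl_client are of interest.
WARN_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject_warning: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} [\d.]+ Service unavailable; Client host \[[^\]]+\] blocked using (?P<dnsbl>\S+); "
    r"from=<(?P<sender>[^>]*)>"
)


def would_be_rejected(log_text: str) -> dict[str, dict[str, set[str]]]:
    """Map client IP -> {'lists': DNSBLs that listed it, 'senders': envelope senders seen}."""
    clients: dict[str, dict[str, set[str]]] = defaultdict(
        lambda: {"lists": set(), "senders": set()})
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue  # real rejections, accepted mail and other smtpd lines are skipped
        entry = clients[m["ip"]]
        entry["lists"].add(m["dnsbl"])
        entry["senders"].add(m["sender"])
    return dict(clients)


def summarize(log_text: str) -> dict:
    """Per-list hit counts plus the clients that only one list flagged; with
    outright rejection those single-list clients are the likeliest FPs to check."""
    clients = would_be_rejected(log_text)
    per_list: dict[str, int] = defaultdict(int)
    for entry in clients.values():
        for dnsbl in entry["lists"]:
            per_list[dnsbl] += 1
    single = sorted(ip for ip, e in clients.items() if len(e["lists"]) == 1)
    return {"per_list": dict(per_list), "single_list_clients": single}


if __name__ == "__main__":
    for ip, e in would_be_rejected(SAMPLE_LOG).items():
        print(ip, sorted(e["lists"]), sorted(e["senders"]))
    print(summarize(SAMPLE_LOG))
```

Feed it the mail log for a few days of a warn_if_reject run (`python3 dnsbl_warn.py < /var/log/maillog` after replacing SAMPLE_LOG with stdin); the senders recorded per client make it quick to recognise ham among the single-list hits.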
                                      • Stan Hoeppner
                                        Message 19 of 28 , Dec 26, 2012
                                          On 12/26/2012 6:19 PM, Noel Jones wrote:
                                          > On 12/26/2012 4:52 PM, Stan Hoeppner wrote:
                                          >> On 12/24/2012 4:57 PM, Noel Jones wrote:
                                          >>
                                          >>> Opinions differ on psbl.surriel and barracudacentral,
                                          >>> but they are frequently used in scoring rather than outright. A
                                          >>> site listed on two of these three is likely spam, a site listed on
                                          >>> only one of them is questionable.
                                          >>
                                          >> Nonsense. The mere fact that a listing on one DNSBL is absent on others
                                          >
                                          >
                                          > Glad it works for you at your sites, I use them too.
                                          >
                                          > As with all third-party blacklists (and whitelists!) each sysop
                                          > should make their own decision about who to hand the keys to. When
                                          > giving advice to others knowing next to nothing about their local
                                          > policy, it would be foolish to be anything but conservative.

                                          Yes, conservative. Note my last response in this thread which contained
                                          this instruction with my scoring recommendation: test first

                                          --
                                          Stan
                                        • mouss
                                          Message 20 of 28 , Dec 27, 2012
                                            On 27/12/2012 04:05, Stan Hoeppner wrote:
                                            > On 12/26/2012 6:19 PM, Noel Jones wrote:
                                            >> On 12/26/2012 4:52 PM, Stan Hoeppner wrote:
                                            >>> On 12/24/2012 4:57 PM, Noel Jones wrote:
                                            >>>
                                            >>>> Opinions differ on psbl.surriel and barracudacentral,
                                            >>>> but they are frequently used in scoring rather than outright. A
                                            >>>> site listed on two of these three is likely spam, a site listed on
                                            >>>> only one of them is questionable.
                                            >>> Nonsense. The mere fact that a listing on one DNSBL is absent on others
                                            >>
                                            >> Glad it works for you at your sites, I use them too.
                                            >>
                                            >> As with all third-party blacklists (and whitelists!) each sysop
                                            >> should make their own decision about who to hand the keys to. When
                                            >> giving advice to others knowing next to nothing about their local
                                            >> policy, it would be foolish to be anything but conservative.
                                            > Yes, conservative. Note my last response in this thread which contained
                                            > this instruction with my scoring recommendation: test first
                                            >

                                            unfortunately, testing isn't enough. things keep changing:
                                            - DNSBL listings change.
                                            - sites situation changes
                                            - new sites appear
                                            ...

                                            when I first tested BRBL, I found it safe for outright rejection. but
                                            this didn't last.
                                            I also added local rules, which worked for a long time, but many of
                                            these rules proved unsafe.
                                          • Stan Hoeppner
                                            Message 21 of 28 , Dec 27, 2012
                                              On 12/27/2012 9:17 AM, mouss wrote:
                                              > On 27/12/2012 04:05, Stan Hoeppner wrote:
                                              >> On 12/26/2012 6:19 PM, Noel Jones wrote:
                                              >>> On 12/26/2012 4:52 PM, Stan Hoeppner wrote:
                                              >>>> On 12/24/2012 4:57 PM, Noel Jones wrote:
                                              >>>>
                                              >>>>> Opinions differ on psbl.surriel and barracudacentral,
                                              >>>>> but they are frequently used in scoring rather than outright. A
                                              >>>>> site listed on two of these three is likely spam, a site listed on
                                              >>>>> only one of them is questionable.
                                              >>>> Nonsense. The mere fact that a listing on one DNSBL is absent on others
                                              >>>
                                              >>> Glad it works for you at your sites, I use them too.
                                              >>>
                                              >>> As with all third-party blacklists (and whitelists!) each sysop
                                              >>> should make their own decision about who to hand the keys to. When
                                              >>> giving advice to others knowing next to nothing about their local
                                              >>> policy, it would be foolish to be anything but conservative.
                                              >> Yes, conservative. Note my last response in this thread which contained
                                              >> this instruction with my scoring recommendation: test first
                                              >>
                                              >
                                              > unfortunately, testing isn't enough. things keep changing:
                                              > - DNSBL listings change.
                                              > - sites situation changes
                                              > - new sites appear
                                              > ...
                                              >
                                              > when I first tested BRBL, I found it safe for outright rejection. but
                                              > this didn't last.
                                              > I also added local rules, which worked for a long time, but many of
                                              > these rules proved unsafe.

                                              mouss, what you and Noel are failing to take into account is that Alex
                                              sells anti spam appliance boxes for a living. He has boxen at sites
                                              with enough volume to require a Spamhaus pay license (the commercial
                                              aspect of his boxen notwithstanding).

                                              My recommendations to him are based on the fact that he (should have)
                                              some requisite knowledge and experience with DNSBL usage and general
                                              mail admin experience above noob level. Thus I was giving him quick 'n
                                              dirty instruction with sparse caveats/reminders, not the step by step
                                              stuff with lengthy explanations designed to educate noob admins to keep
                                              them from shooting themselves in the foot. I.e. he would perform a
                                              little due diligence on the information I provided before jumping in
                                              with both feet.

                                              Using DNSBLs always has a small amount of FP risk, whether configured
                                              for direct rejection or scoring. Scoring mitigates FP risk but it does
                                              not eliminate it entirely. So we can go round 'n round about the
                                              best/proper/safest way to use a DNSBL, but at the end of the day, yes,
                                              it is up to the individual admin to decide how to best use them. Which
                                              is why, in this case, I gave an assumed to be experienced admin, selling
                                              commercial solutions, the aggressive approach with the testing reminder
                                              and the assumption he knew what he was doing.

                                              If I made a mistake here, it wasn't my recommendation per se, but was my
                                              assessment/understanding of the OP's knowledge/experience level based on
                                              his business, and interaction with him both on, and extensively off,
                                              this list.

                                              No offense intended here toward Alex.

                                              --
                                              Stan
                                            • Jos Chrispijn
                                              Message 22 of 28 , Jan 6, 2013
                                                Wietse Venema:
                                                > Don't use spamcop, or use it only with small weight in a scoring
                                                > system. Wietse

                                                What is your concern about Spamcop?

                                                Happy to learn,
                                                Jos
                                              • Wietse Venema
                                                Message 23 of 28 , Jan 6, 2013
                                                  Jos Chrispijn:
                                                  >
                                                  > Wietse Venema:
                                                  > > Don't use spamcop, or use it only with small weight in a scoring
                                                  > > system. Wietse
                                                  >
                                                  > What is your concern about Spamcop?

                                                  Read their blocklist policy.

                                                  I use it, thusly:

                                                  postscreen_dnsbl_sites = zen.spamhaus.org*2
                                                  bl.spamcop.net*1 b.barracudacentral.org*1
                                                  postscreen_dnsbl_threshold = 2

                                                  Wietse
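The weighting-and-threshold arithmetic behind Alex's config (message 14) and Wietse's config above, as an added example that is not from the thread or from Postfix. It simulates postscreen's rule that each listing DNSBL adds its `*weight` (default 1) and the client is rejected once the total reaches postscreen_dnsbl_threshold; it goes one step beyond the thread by including a negative-weight dnswl entry, which postscreen accepts as an allowlist. No DNS lookups are made: the set of lists a client appears on is supplied as constructed input, and the `=filter` part is parsed but not evaluated.

```python
"""Simulate postscreen's weighted DNSBL scoring (added example, not Postfix code).

postscreen_dnsbl_sites holds "domain[=filter][*weight]" entries. Every DNSBL that
lists the client contributes its weight (default 1; negative for allowlists such
as list.dnswl.org), and the client is rejected when the total reaches
postscreen_dnsbl_threshold. Constructed inputs only: no DNS queries are sent.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsblSite:
    domain: str
    weight: int = 1
    reply_filter: str = ""  # e.g. "127.0.[0..255].[1..3]"; parsed but not evaluated here


def parse_dnsbl_sites(setting: str) -> list[DnsblSite]:
    """Parse a postscreen_dnsbl_sites value into DnsblSite entries."""
    sites = []
    for token in setting.replace(",", " ").split():
        spec, _, weight = token.partition("*")
        domain, _, flt = spec.partition("=")
        sites.append(DnsblSite(domain, int(weight) if weight else 1, flt))
    return sites


def dnsbl_score(sites: list[DnsblSite], listed_on: set[str]) -> int:
    """Total weight of the sites that list the client (listed_on holds the
    domains whose lookup returned a matching A record)."""
    return sum(s.weight for s in sites if s.domain in listed_on)


def postscreen_verdict(sites: list[DnsblSite], threshold: int, listed_on) -> str:
    """'reject' when the score reaches the threshold, otherwise 'pass'
    (with postscreen_dnsbl_action=enforce the reject happens at RCPT TO)."""
    return "reject" if dnsbl_score(sites, set(listed_on)) >= threshold else "pass"


# Alex's list from the thread; the dnswl allowlist entry is an added assumption.
ALEX_SITES = ("mykey.zen.dq.spamhaus.net*2 bl.spamcop.net*1 "
              "b.barracudacentral.org*1 psbl.surriel.com*1")
WITH_DNSWL = ALEX_SITES + " list.dnswl.org=127.0.[0..255].[1..3]*-2"

if __name__ == "__main__":
    sites = parse_dnsbl_sites(ALEX_SITES)
    for threshold in (1, 2):
        for listed in ({"bl.spamcop.net"}, {"mykey.zen.dq.spamhaus.net"},
                       {"bl.spamcop.net", "b.barracudacentral.org"}):
            print(f"threshold={threshold} listed_on={sorted(listed)} -> "
                  f"{postscreen_verdict(sites, threshold, listed)}")
    # A client on spamcop but also on dnswl scores 1 - 2 = -1 and passes even at threshold 1.
    print(postscreen_verdict(parse_dnsbl_sites(WITH_DNSWL), 1,
                             {"bl.spamcop.net", "list.dnswl.org"}))
```

With threshold 1 a lone spamcop listing is enough to reject, which is the FP source discussed in the thread; with threshold 2 a spamcop hit only counts when a second list agrees or Zen (weight 2) lists the client on its own.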
                                                • John Levine
                                                  Message 24 of 28 , Jan 6, 2013
                                                    >Don't use spamcop, or use it only with small weight in a scoring system.

                                                    I agree that Spamcop used to be awful, with vast numbers of false
                                                    alarms. But since Ironport bought them several years ago, there's
                                                    been a nearly complete turnover of staff and it's much better run.

                                                    Take another look. I find its false positive rates down with
                                                    Spamhaus' now.

                                                    R's,
                                                    John
                                                  • Noel Jones
                                                    Message 25 of 28 , Jan 6, 2013
                                                      On 1/6/2013 11:29 AM, John Levine wrote:
                                                      >> Don't use spamcop, or use it only with small weight in a scoring system.
                                                      >
                                                      > I agree that Spamcop used to be awful, with vast numbers of false
                                                      > alarms. But since Ironport bought them several years ago, there's
                                                      > been a nearly complete turnover of staff and it's much better run.
                                                      >
                                                      > Take another look. I find its false positive rates down with
                                                      > Spamhaus' now.
                                                      >
                                                      > R's,
                                                      > John
                                                      >

                                                      Glad it works for you.

                                                      Please keep in mind the original question of this discussion was how
                                                      to allow wanted mail blocked by spamcop.

                                                      The way to achieve that goal is by using a scoring system, as
                                                      recommended by the spamcop documentation.

                                                      Clearly the current, vastly improved, false positive rate is still
                                                      not acceptable for everyone.



                                                      -- Noel Jones
                                                    • Ron Guerin
                                                      Message 26 of 28 , Jan 6, 2013
                                                        On 01/06/2013 12:29 PM, John Levine wrote:
                                                        >> Don't use spamcop, or use it only with small weight in a scoring system.
                                                        >
                                                        > I agree that Spamcop used to be awful, with vast numbers of false
                                                        > alarms. But since Ironport bought them several years ago, there's
                                                        > been a nearly complete turnover of staff and it's much better run.
                                                        >
                                                        > Take another look. I find its false positive rates down with
                                                        > Spamhaus' now.

                                                        I presume you're not talking about the Spamhaus DBL, which is quite awful.

                                                        - Ron
                                                      • Stan Hoeppner
                                                        Message 27 of 28 , Jan 6, 2013
                                                          On 1/6/2013 6:18 PM, Ron Guerin wrote:
                                                          > On 01/06/2013 12:29 PM, John Levine wrote:
                                                          >>> Don't use spamcop, or use it only with small weight in a scoring system.
                                                          >>
                                                          >> I agree that Spamcop used to be awful, with vast numbers of false
                                                          >> alarms. But since Ironport bought them several years ago, there's
                                                          >> been a nearly complete turnover of staff and it's much better run.
                                                          >>
                                                          >> Take another look. I find its false positive rates down with
                                                          >> Spamhaus' now.
                                                          >
                                                          > I presume you're not talking about the Spamhaus DBL, which is quite awful.

                                                          Since the DBL is an RHSBL, not DNSBL, it cannot be used with postscreen,
                                                          which is the topic of this thread. Discussion of the merits of
                                                          [DNS|RHS]BLs is off topic on the postfix list, thus I don't desire to
                                                          create a long OT thread, but I am curious as to why you feel the DBL is
                                                          awful. I've had no problems using it for direct rejections with these
                                                          restrictions:

                                                          reject_rhsbl_reverse_client dbl.spamhaus.org
                                                          reject_rhsbl_sender dbl.spamhaus.org
                                                          reject_rhsbl_helo dbl.spamhaus.org

                                                          No FPs to date.

                                                          --
                                                          Stan
                                                        • Benny Pedersen
                                                          Message 28 of 28 , Jan 7, 2013
                                                            Noel Jones wrote on 2013-01-06 19:40:

                                                            > Clearly the current, vastly improved, false positive rate is still
                                                            > not acceptable for everyone.

                                                            http://www.dnswl.org/tech see more on permit_dnswl_client

                                                            it does not need to be specifically dnswl.org as the dnsbl/dnswl, it's just
                                                            a good example of a postfix config