
Postscreen config

  • Tony Nelson
    Message 1 of 6 , Apr 24 6:59 AM
      After reading through the recent Postscreen DNSBL threads I decided to give it a try.  

      I used Rob's example from http://rob0.nodns4.us/postscreen.html as a leaping off point, but chose to leave pipelining disabled until I'm sure I understand what I have going on.

      I definitely see some mail coming in from the outside world being passed through, and I also see some being blocked by various RBLs which is great.  I also see a few blocks that I can't identify the reason for.

      A specific example:

      tnelson@njmail:/var/log$ grep info@... mail.log
      Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently unavailable; from=<info@...>, to=<validuser@...>, proto=ESMTP, helo=<dsc149.opulum.us>

      Service unavailable makes me think I have a problem with my config. Digging a little further:

      tnelson@njmail:/var/log$ grep 142.11.233.149 mail.log
      Apr 24 09:46:15 njmail postfix/postscreen[8764]: CONNECT from [142.11.233.149]:21725 to [192.168.6.66]:25
      Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently unavailable; from=<info@...>, to=<validuser@...>, proto=ESMTP, helo=<dsc149.opulum.us>
      Apr 24 09:46:21 njmail postfix/postscreen[8764]: PASS NEW [142.11.233.149]:21725
      Apr 24 09:46:21 njmail postfix/postscreen[8764]: DISCONNECT [142.11.233.149]:21725

      Why is there a "PASS NEW" after the "NOQUEUE"? I'm obviously missing something, but I can't figure out what.

      Thanks for any help,
      Tony Nelson


      This is the config I've setup:

      # config originally from http://rob0.nodns4.us/postscreen.html
      postscreen_access_list =
         permit_mynetworks,
         cidr:/etc/postfix/postscreen_access.cidr

      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_blacklist_action = drop

      postscreen_dnsbl_action = enforce
      postscreen_dnsbl_reply_map =
              pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre

      postscreen_dnsbl_threshold = 3
      postscreen_dnsbl_sites =
              zen.spamhaus.org*3
              dnsbl.ahbl.org*2
              bl.spamcop.net
              dnsbl.sorbs.net
              psbl.surriel.com
              bl.mailspike.net
              swl.spamhaus.org*-4
              list.dnswl.org=127.[0..255].[0..255].0*-2
              list.dnswl.org=127.[0..255].[0..255].1*-3
              list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

      postscreen_greet_action = enforce
      postscreen_non_smtp_command_enable = yes




      Since 1982, Starpoint Solutions has been a trusted source of human capital and solutions. We are committed to our clients, employees, environment, community and social concerns. We foster an inclusive culture based on trust, respect, honesty and solid performance. Learn more about Starpoint and our social responsibility at http://www.starpoint.com/social_responsibility


      This email message from Starpoint Solutions LLC is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Opinions, conclusions and other information in this message that do not relate to the official business of Starpoint Solutions shall be understood as neither given nor endorsed by it.
    • Wietse Venema
      Message 2 of 6 , Apr 24 7:08 AM
        Tony Nelson:
        > tnelson@njmail:/var/log$ grep info@... mail.log
        > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently unavailable; from=<info@...>, to=<validuser@...>, proto=ESMTP, helo=<dsc149.opulum.us>
        >
        > Service unavailable makes me think I have a problem with my config.
        > Digging a little further:

        The following text is plastered over the postscreen(8) manpage and
        over the POSTSCREEN_README file.

        The optional "after 220 server greeting" tests involve postscreen(8)'s
        built-in SMTP protocol engine. When these tests succeed, postscreen(8)
        adds the client to the temporary whitelist, but it cannot hand off
        the "live" connection to a Postfix SMTP server process in the middle of
        a session. Instead, postscreen(8) defers attempts to deliver mail with
        a 4XX status, and waits for the client to disconnect. When the client
        connects again, postscreen(8) will allow the client to talk to a
        Postfix SMTP server process (provided that the whitelist status has not
        expired). postscreen(8) mitigates the impact of this limitation by
        giving the "after 220 server greeting" tests a long expiration time.

        It is really hard to miss, if one bothers to read.

        Wietse
      • Tony Nelson
        Message 3 of 6 , Apr 24 7:20 AM
          > -----Original Message-----
          > From: owner-postfix-users@... [mailto:owner-postfix-
          > users@...] On Behalf Of Wietse Venema
          > Sent: Wednesday, April 24, 2013 10:09 AM
          > To: Tony Nelson
          > Cc: postfix-users@...
          > Subject: Re: Postscreen config
          >
          > Tony Nelson:
          > > tnelson@njmail:/var/log$ grep info@... mail.log
          > > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE:
          > > reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently
          > > unavailable; from=<info@...>, to=<validuser@...>,
          > > proto=ESMTP, helo=<dsc149.opulum.us>
          > >
          > > Service unavailable makes me think I have a problem with my config.
          > > Digging a little further:
          >
          > The following text is plastered over the postscreen(8) manpage and over the
          > POSTSCREEN_README file.
          >
          > The optional "after 220 server greeting" tests involve postscreen(8)'s
          > built-in SMTP protocol engine. When these tests succeed, postscreen(8)
          > adds the client to the temporary whitelist, but it cannot hand off
          > the "live" connection to a Postfix SMTP server process in the middle of
          > a session. Instead, postscreen(8) defers attempts to deliver mail with
          > a 4XX status, and waits for the client to disconnect. When the client
          > connects again, postscreen(8) will allow the client to talk to a
          > Postfix SMTP server process (provided that the whitelist status has not
          > expired). postscreen(8) mitigates the impact of this limitation by
          > giving the "after 220 server greeting" tests a long expiration time.
          >
          > It is really hard to miss, if one bothers to read.
          >
          > Wietse

          I'm sorry Wietse, I did read that, there is just a lot to take in.

          After re-reading it again, I see that these config options are what caused it.

          postscreen_non_smtp_command_enable = yes
          postscreen_bare_newline_action = enforce
          postscreen_bare_newline_enable = yes

          Thanks
          Tony



        • /dev/rob0
          Message 4 of 6 , Apr 24 7:37 AM
            On Wed, Apr 24, 2013 at 10:20:29AM -0400, Tony Nelson wrote:
            > I'm sorry Wietse, I did read that ,there is just a lot to take in.
            >
            > After re-reading it again, I see that these config options are what
            > caused it.
            >
            > postscreen_non_smtp_command_enable = yes
            > postscreen_bare_newline_action = enforce
            > postscreen_bare_newline_enable = yes

            Not postscreen_bare_newline_action, it's these three *_enable
            parameters:

            postscreen_bare_newline_enable = yes
            postscreen_non_smtp_command_enable = yes
            postscreen_pipelining_enable = yes

            Thanks for the feedback. I have rearranged the content and added
            scary warnings to show that these settings can cause pain. :)
            --
            http://rob0.nodns4.us/ -- system administration and consulting
            Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
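Wietse's explanation above and the three *_enable parameters rob0 names are the whole story behind a 450 followed by PASS NEW, and a small triage script makes that pattern easy to tell apart from real rejects in a busy mail.log. The Python below is an added example, not code from this thread or from Postfix itself: it groups postscreen lines into sessions by [ip]:port, labels a 4XX reject followed by PASS NEW in the same session as the documented after-220 deferral rather than a configuration fault, separates it from 5XX DNSBL rejects and from whitelisted retries (PASS OLD), and reports which of the three after-220 *_enable settings a main.cf excerpt turns on. The log sample is constructed: the first session copies Tony's lines, while the DNSBL reject, the later retry, the 198.51.100.7 client and every mail address are invented; the main.cf excerpt is Tony's as posted.

```python
# Added example for this thread, not code from it or from Postfix: triage
# postscreen(8) log lines and spot the after-220 *_enable settings in main.cf.
import re

# postscreen prints "[ip]:port" on every line of a TCP session; that is the key.
CLIENT = r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+)"
RE_CONNECT = re.compile(r"postscreen\[\d+\]: CONNECT from " + CLIENT)
RE_REJECT = re.compile(r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from " + CLIENT
                       + r": (?P<code>\d{3}) (?P<reply>.*?); from=")
RE_PASS = re.compile(r"postscreen\[\d+\]: PASS (?P<kind>NEW|OLD) " + CLIENT)
RE_DISCONNECT = re.compile(r"postscreen\[\d+\]: DISCONNECT " + CLIENT)

# The three after-220 tests. Any one of them makes postscreen defer a new
# client's first delivery attempt with 4XX instead of handing it to smtpd.
DEEP_TEST_PARAMS = ("postscreen_bare_newline_enable",
                    "postscreen_non_smtp_command_enable",
                    "postscreen_pipelining_enable")
RE_PARAM = re.compile(r"^\s*(?P<name>postscreen_\w+_enable)\s*=\s*(?P<value>\S+)", re.M)

# Constructed sample: the first session mirrors Tony's log; the DNSBL reject,
# the later retry (PASS OLD), the second client and all addresses are made up.
SAMPLE_LOG = """\
Apr 24 09:46:15 njmail postfix/postscreen[8764]: CONNECT from [142.11.233.149]:21725 to [192.168.6.66]:25
Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently unavailable; from=<info@example.net>, to=<validuser@example.com>, proto=ESMTP, helo=<dsc149.opulum.us>
Apr 24 09:46:21 njmail postfix/postscreen[8764]: PASS NEW [142.11.233.149]:21725
Apr 24 09:46:21 njmail postfix/postscreen[8764]: DISCONNECT [142.11.233.149]:21725
Apr 24 09:50:02 njmail postfix/postscreen[8764]: CONNECT from [198.51.100.7]:41022 to [192.168.6.66]:25
Apr 24 09:50:03 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [198.51.100.7]:41022: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org; from=<x@example.org>, to=<validuser@example.com>, proto=ESMTP, helo=<mx.example.org>
Apr 24 09:50:03 njmail postfix/postscreen[8764]: DISCONNECT [198.51.100.7]:41022
Apr 24 10:15:40 njmail postfix/postscreen[8764]: CONNECT from [142.11.233.149]:22018 to [192.168.6.66]:25
Apr 24 10:15:40 njmail postfix/postscreen[8764]: PASS OLD [142.11.233.149]:22018
"""

# Tony's main.cf as posted in the thread (excerpt).
TONY_MAIN_CF = """\
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_non_smtp_command_enable = yes
"""

def parse_sessions(log_text):
    """Group lines into sessions (CONNECT order). Each session: dict with
    ip, port, rejects=[(code, reply), ...], pass=None|'NEW'|'OLD'."""
    sessions, open_by_client = [], {}
    for line in log_text.splitlines():
        m = RE_CONNECT.search(line)
        if m:
            s = {"ip": m["ip"], "port": m["port"], "rejects": [], "pass": None}
            sessions.append(s)
            open_by_client[(m["ip"], m["port"])] = s
            continue
        for rx in (RE_REJECT, RE_PASS, RE_DISCONNECT):
            m = rx.search(line)
            if m:
                break
        else:
            continue  # not a postscreen session event
        s = open_by_client.get((m["ip"], m["port"]))
        if s is None:
            continue  # the CONNECT predates our log excerpt
        if rx is RE_REJECT:
            s["rejects"].append((int(m["code"]), m["reply"]))
        elif rx is RE_PASS:
            s["pass"] = m["kind"]
        else:
            del open_by_client[(m["ip"], m["port"])]
    return sessions

def classify(session):
    """Verdict for one session. 'deferred_then_whitelisted' (4XX followed by
    PASS NEW) is the documented after-220 behaviour, not a broken config: the
    client is whitelisted and reaches smtpd when it reconnects. 'rejected' is
    a 5XX (DNSBL, pregreet, ...). 'passed_whitelisted' is PASS OLD. 'passed_new'
    is PASS NEW with no reject (with the after-220 tests off, that is a hand-off
    to smtpd). 'deferred_other' is a 4XX without PASS NEW and deserves a look."""
    codes = [code for code, _ in session["rejects"]]
    if any(500 <= c < 600 for c in codes):
        return "rejected"
    if any(400 <= c < 500 for c in codes):
        return "deferred_then_whitelisted" if session["pass"] == "NEW" else "deferred_other"
    if session["pass"] in ("OLD", "NEW"):
        return "passed_whitelisted" if session["pass"] == "OLD" else "passed_new"
    return "incomplete"

def triage(log_text):
    """[(ip, port, verdict), ...] for every session in the log."""
    return [(s["ip"], s["port"], classify(s)) for s in parse_sessions(log_text)]

def enabled_deep_tests(main_cf_text):
    """After-220 *_enable parameters set to 'yes' (last value wins, as in
    Postfix). A non-empty result explains a 450 followed by PASS NEW."""
    found = {m["name"]: m["value"].lower() for m in RE_PARAM.finditer(main_cf_text)}
    return [p for p in DEEP_TEST_PARAMS if found.get(p) == "yes"]

if __name__ == "__main__":
    for ip, port, verdict in triage(SAMPLE_LOG):
        print(f"[{ip}]:{port} -> {verdict}")
    print("after-220 tests enabled:", enabled_deep_tests(TONY_MAIN_CF))
```

Run it as a script against the built-in sample, or feed real lines with `triage(open("/var/log/mail.log").read())`. On Tony's log the first session comes out as deferred_then_whitelisted and the retry as passed_whitelisted, which is exactly what Wietse describes; a session that lands in deferred_other (a 4XX with no PASS NEW) is the kind worth chasing.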
          • Marko Weber | ZBF
            Message 5 of 6 , Apr 29 12:48 AM
              On 2013-04-24 15:59, Tony Nelson wrote:
              > After reading through the recent Postscreen DNSBL threads I decided
              > to give it a try.
              >
              > I used Rob's example from http://rob0.nodns4.us/postscreen.html [1]
              > as a leaping off point, but chose to leave pipelining disabled until
              > I'm sure I understand what I have going on.
              >
              > I definitely see some mail coming in from the outside world being
              > passed through, and I also see some being blocked by various RBLs
              > which is great. I also see a few blocks that I can't identity the
              > reason for.
              >
              > A specific example:
              >
              > tnelson@njmail:/var/log$ grep info@... mail.log
              > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject:
              > RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently
              > unavailable; from=<info@...>, to=<validuser@...>,
              > proto=ESMTP, helo=<dsc149.opulum.us [2]>
              >
              > Service unavailable makes me think I have a problem with my config.
              > Digging a little further:
              >
              > tnelson@njmail:/var/log$ grep 142.11.233.149 mail.log
              > Apr 24 09:46:15 njmail postfix/postscreen[8764]: CONNECT from
              > [142.11.233.149]:21725 to [192.168.6.66]:25
              > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject:
              > RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently
              > unavailable; from=<info@...>, to=<validuser@...>,
              > proto=ESMTP, helo=<dsc149.opulum.us [2]>
              > Apr 24 09:46:21 njmail postfix/postscreen[8764]: PASS NEW
              > [142.11.233.149]:21725
              > Apr 24 09:46:21 njmail postfix/postscreen[8764]: DISCONNECT
              > [142.11.233.149]:21725
              >
              > Why is there a "PASS NEW" after the "NOQUEUE"? I'm obviously missing
              > something, but I can't figure out what.
              >
              > Thanks for any help,
              > Tony Nelson
              >
              > This is the config I've setup:
              >
              > # config originally from http://rob0.nodns4.us/postscreen.html [1]
              > postscreen_access_list =
              > permit_mynetworks,
              > cidr:/etc/postfix/postscreen_access.cidr
              >
              > postscreen_bare_newline_action = enforce
              > postscreen_bare_newline_enable = yes
              > postscreen_blacklist_action = drop
              >
              > postscreen_dnsbl_action = enforce
              > postscreen_dnsbl_reply_map =
              > pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
              >
              > postscreen_dnsbl_threshold = 3
              > postscreen_dnsbl_sites =
              > zen.spamhaus.org [3]*3
              > b.barracudacentral.org [4]*2
              > bl.spameatingmonkey.net [5]*2
              > dnsbl.ahbl.org [6]*2
              > bl.spamcop.net [7]
              > dnsbl.sorbs.net [8]
              > psbl.surriel.com [9]
              > bl.mailspike.net [10]
              > swl.spamhaus.org [11]*-4
              > list.dnswl.org [12]=127.[0..255].[0..255].0*-2
              > list.dnswl.org [12]=127.[0..255].[0..255].1*-3
              > list.dnswl.org [12]=127.[0..255].[0..255].[2..255]*-4
              >
              > postscreen_greet_action = enforce
              > postscreen_non_smtp_command_enable = yes
              >
              > Links:
              > ------
              > [1] http://rob0.nodns4.us/postscreen.html
              > [2] http://dsc149.opulum.us
              > [3] http://zen.spamhaus.org
              > [4] http://b.barracudacentral.org
              > [5] http://bl.spameatingmonkey.net
              > [6] http://dnsbl.ahbl.org
              > [7] http://bl.spamcop.net
              > [8] http://dnsbl.sorbs.net
              > [9] http://psbl.surriel.com
              > [10] http://bl.mailspike.net
              > [11] http://swl.spamhaus.org
              > [12] http://list.dnswl.org


              Tony,
              in Rob's config example, have you SEEN this:


              ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
              ### following tests!
              postscreen_bare_newline_action = enforce
              postscreen_bare_newline_enable = yes
              postscreen_non_smtp_command_enable = yes
              postscreen_pipelining_enable = yes
              ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
              ### significant and annoying mail delays.


              READ the postscreen howto, and understand what happens.
              I would not recommend that you enable this.

              marko
            • /dev/rob0
              Message 6 of 6 , Apr 29 7:20 AM
                On Mon, Apr 29, 2013 at 09:48:00AM +0200, Marko Weber | ZBF wrote:
                > On 2013-04-24 15:59, Tony Nelson wrote:
                > >After reading through the recent Postscreen DNSBL threads I decided
                > >to give it a try.
                > >
                > >I used Rob's example from http://rob0.nodns4.us/postscreen.html [1]
                > >as a leaping off point, but chose to leave pipelining disabled until
                > >I'm sure I understand what I have going on.
                snip

                > in robs config example, have you SEEN this:

                Hahaha, no, Tony had not seen that, because those were warnings I
                added because of his feedback. :)

                > ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
                > ### following tests!
                > postscreen_bare_newline_action = enforce
                > postscreen_bare_newline_enable = yes
                > postscreen_non_smtp_command_enable = yes
                > postscreen_pipelining_enable = yes
                > ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
                > ### significant and annoying mail delays.
                >
                >
                > READ the postscreen howto, and understand what happens.
                > i would not recommend you to enable this.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: