Re: Postscreen config

  • Marko Weber | ZBF
    Message 1 of 6 , Apr 29, 2013
      Am 2013-04-24 15:59, schrieb Tony Nelson:
      > After reading through the recent Postscreen DNSBL threads I decided
      > to give it a try.
      >
      > I used Rob's example from http://rob0.nodns4.us/postscreen.html [1]
      > as a leaping off point, but chose to leave pipelining disabled until
      > I'm sure I understand what I have going on.
      >
      > I definitely see some mail coming in from the outside world being
      > passed through, and I also see some being blocked by various RBLs
      > which is great. I also see a few blocks that I can't identity the
      > reason for.
      >
      > A specific example:
      >
      > tnelson@njmail:/var/log$ grep info@... mail.log
      > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject:
      > RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently
      > unavailable; from=<info@...>, to=<validuser@...>,
      > proto=ESMTP, helo=<dsc149.opulum.us>
      >
      > Service unavailable makes me think I have a problem with my config.
      > Digging a little further:
      >
      > tnelson@njmail:/var/log$ grep 142.11.233.149 mail.log
      > Apr 24 09:46:15 njmail postfix/postscreen[8764]: CONNECT from
      > [142.11.233.149]:21725 to [192.168.6.66]:25
      > Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject:
      > RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently
      > unavailable; from=<info@...>, to=<validuser@...>,
      > proto=ESMTP, helo=<dsc149.opulum.us>
      > Apr 24 09:46:21 njmail postfix/postscreen[8764]: PASS NEW
      > [142.11.233.149]:21725
      > Apr 24 09:46:21 njmail postfix/postscreen[8764]: DISCONNECT
      > [142.11.233.149]:21725
      >
      > Why is there a "PASS NEW" after the "NOQUEUE"? I'm obviously missing
      > something, but I can't figure out what.
      >
      > Thanks for any help,
      > Tony Nelson
      >
      > This is the config I've setup:
      >
      > # config originally from http://rob0.nodns4.us/postscreen.html [1]
      > postscreen_access_list =
      >     permit_mynetworks,
      >     cidr:/etc/postfix/postscreen_access.cidr
      >
      > postscreen_bare_newline_action = enforce
      > postscreen_bare_newline_enable = yes
      > postscreen_blacklist_action = drop
      >
      > postscreen_dnsbl_action = enforce
      > postscreen_dnsbl_reply_map =
      >     pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
      >
      > postscreen_dnsbl_threshold = 3
      > postscreen_dnsbl_sites =
      >     zen.spamhaus.org*3
      >     b.barracudacentral.org*2
      >     bl.spameatingmonkey.net*2
      >     dnsbl.ahbl.org*2
      >     bl.spamcop.net
      >     dnsbl.sorbs.net
      >     psbl.surriel.com
      >     bl.mailspike.net
      >     swl.spamhaus.org*-4
      >     list.dnswl.org=127.[0..255].[0..255].0*-2
      >     list.dnswl.org=127.[0..255].[0..255].1*-3
      >     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
      >
      > postscreen_greet_action = enforce
      > postscreen_non_smtp_command_enable = yes
      >
      > Links:
      > ------
      > [1] http://rob0.nodns4.us/postscreen.html
      > [2] http://dsc149.opulum.us
      > [3] http://zen.spamhaus.org
      > [4] http://b.barracudacentral.org
      > [5] http://bl.spameatingmonkey.net
      > [6] http://dnsbl.ahbl.org
      > [7] http://bl.spamcop.net
      > [8] http://dnsbl.sorbs.net
      > [9] http://psbl.surriel.com
      > [10] http://bl.mailspike.net
      > [11] http://swl.spamhaus.org
      > [12] http://list.dnswl.org


      Tony,
      in Rob's config example, have you SEEN this:


      ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
      ### following tests!
      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_non_smtp_command_enable = yes
      postscreen_pipelining_enable = yes
      ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
      ### significant and annoying mail delays.


      READ the postscreen howto, and understand what happens.
      I would not recommend you to enable this.

      marko
    • /dev/rob0
      Message 2 of 6 , Apr 29, 2013
        On Mon, Apr 29, 2013 at 09:48:00AM +0200, Marko Weber | ZBF wrote:
        > Am 2013-04-24 15:59, schrieb Tony Nelson:
        > >After reading through the recent Postscreen DNSBL threads I decided
        > >to give it a try.
        > >
        > >I used Rob's example from http://rob0.nodns4.us/postscreen.html [1]
        > >as a leaping off point, but chose to leave pipelining disabled until
        > >I'm sure I understand what I have going on.
        snip

        > in Rob's config example, have you SEEN this:

        Hahaha, no, Tony had not seen that, because those were warnings I
        added because of his feedback. :)

        > ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
        > ### following tests!
        > postscreen_bare_newline_action = enforce
        > postscreen_bare_newline_enable = yes
        > postscreen_non_smtp_command_enable = yes
        > postscreen_pipelining_enable = yes
        > ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
        > ### significant and annoying mail delays.
        >
        >
        > READ the postscreen howto, and understand what happens.
        > I would not recommend you to enable this.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
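
An added example, not part of the thread or of Rob's page: when a client passes postscreen's deep protocol tests (the `*_enable` settings quoted above), postscreen cannot hand the live session to smtpd, so it answers with 450 4.3.2, logs PASS NEW, and the client is accepted when it retries. The Python sketch below groups postscreen log lines per client and separates that benign deferral from a real block; the function names and the second sample session are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First session: the lines quoted in the thread, wrapped lines rejoined and
# the mail client's link marker dropped. Second session (192.0.2.10): constructed.
SAMPLE_LOG = """\
Apr 24 09:46:15 njmail postfix/postscreen[8764]: CONNECT from [142.11.233.149]:21725 to [192.168.6.66]:25
Apr 24 09:46:21 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [142.11.233.149]:21725: 450 4.3.2 Service currently unavailable; from=<info@...>, to=<validuser@...>, proto=ESMTP, helo=<dsc149.opulum.us>
Apr 24 09:46:21 njmail postfix/postscreen[8764]: PASS NEW [142.11.233.149]:21725
Apr 24 09:46:21 njmail postfix/postscreen[8764]: DISCONNECT [142.11.233.149]:21725
Apr 24 09:47:02 njmail postfix/postscreen[8764]: CONNECT from [192.0.2.10]:4000 to [192.168.6.66]:25
Apr 24 09:47:02 njmail postfix/postscreen[8764]: DNSBL rank 5 for [192.0.2.10]:4000
Apr 24 09:47:08 njmail postfix/postscreen[8764]: NOQUEUE: reject: RCPT from [192.0.2.10]:4000: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<mail.example.com>
Apr 24 09:47:08 njmail postfix/postscreen[8764]: DISCONNECT [192.0.2.10]:4000
"""

LINE = re.compile(r"postfix/postscreen\[\d+\]: (?P<msg>.*)$")
CLIENT = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+)")
REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S+ (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+)")

def sessions(log_text):
    """Group postscreen messages by client (ip, port), keeping log order."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        c = CLIENT.search(m.group("msg")) if m else None
        if c:  # the first [ip]:port on a postscreen line is the remote client
            out[(c.group("ip"), int(c.group("port")))].append(m.group("msg"))
    return out

def classify(events):
    """Label one session from its postscreen messages."""
    rejects = [m for m in map(REJECT.search, events) if m]
    reject = rejects[0] if rejects else None
    passed = any(e.startswith("PASS NEW") for e in events)
    if reject and reject.group("dsn") == "4.3.2" and passed:
        return "deferred-after-pass"   # tests passed; mail arrives on retry
    if reject and reject.group("code").startswith("5"):
        return "blocked"               # e.g. DNSBL score reached the threshold
    return "passed" if passed else "other"

def summarize(log_text):
    return {client: classify(ev) for client, ev in sessions(log_text).items()}

if __name__ == "__main__":
    for (ip, port), verdict in summarize(SAMPLE_LOG).items():
        print(f"[{ip}]:{port} -> {verdict}")
```
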