
Re: postscreen and Google

  • Wietse Venema
    Message 1 of 9 , May 13, 2013
      LuKreme:
      > I have postscreen running well after having it run in non-blocking
      > mode for awhile, but I continue to see "new" google servers every
      > day.
      >
      > I'm not sure how many different mail servers google has (over 600
      > have appeared in my logs), but it's a large number, and each new
      > one hits the postscreen and delays the mail. And it appears that
      > sometimes, the re-attempt is from a different server, so it hits
      > the postscreen again.

      Don't enable the "after 220" tests, or wait until whitelisting
      is stable. Given that Google has many servers, manual whitelisting
      is not a long-term solution.

      Wietse
    • LuKreme
      Message 2 of 9 , May 13, 2013
        /dev/rob0 opined on Monday 13-May-2013@06:06:27
        > All the Google, Facebook, Yahoo, et c. outbounds as well as most ISPs
        > and legitimate bulk mailers are listed in the dnswl.org whitelist.
        > Your best choice is to upgrade to postfix-2.11-20130512 and use the
        > new feature (see Wietse's thread about it yesterday.)

        Thanks! That sounds very promising. I was hoping I could do something to pass *.google.com instead of the cidr map, but this sounds like it will be better.

        --
        The brain is an amazing organ, it works every second of every day
        from before we're even born right up until the instant we fall in
        love.
      • /dev/rob0
        Message 3 of 9 , May 14, 2013
          On Tue, May 14, 2013 at 12:00:00AM -0600, LuKreme wrote:
          > /dev/rob0 opined on Monday 13-May-2013@06:06:27
          > > All the Google, Facebook, Yahoo, et c. outbounds as well as
          > > most ISPs and legitimate bulk mailers are listed in the
          > > dnswl.org whitelist. Your best choice is to upgrade to
          > > postfix-2.11-20130512 and use the new feature (see Wietse's
          > > thread about it yesterday.)
          >
          > Thanks! That sounds very promising.

          So far so good, here; now running the revised snapshot
          postfix-2.11-20130513. Mail (and spam) from Google gets through
          postscreen as soon as the DNS[BW]L score is computed. Not just
          Google: I have lots of others with a dnswl.org hit and "PASS NEW".

          > I was hoping I could do something to pass *.google.com instead
          > of the cidr map, but this sounds like it will be better.

          This is not possible because postscreen does not look up a client's
          reverse DNS.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • LuKreme
          Message 4 of 9 , May 30, 2013
            Wietse Venema opined on Monday 13-May-2013@07:22:03
            > LuKreme:
            >> I have postscreen running well after having it run in non-blocking
            >> mode for awhile, but I continue to see “new” google servers every
            >> day.

            [snip]

            > Don't enable the "after 220" tests, or wait until whitelisting
            > is stable. Given that Google has many servers, manual whitelisting
            > is not a long-term solution.

            After looking at my log files I’ve disabled all the “after 220” test for now. Looking forward to the stable whitelisting support in the 2.11 when that’s released.

            --
            And Super Heroes come to feast
            To taste the flesh not yet deceased
            And all I know is still the beast is feeding.
          • Wietse Venema
            Message 5 of 9 , May 31, 2013
              LuKreme:
              > > Don't enable the "after 220" tests, or wait until whitelisting
              > > is stable. Given that Google has many servers, manual whitelisting
              > > is not a long-term solution.
              >
              > After looking at my log files I've disabled all the "after 220"
              > test for now. Looking forward to the stable whitelisting support
              > in the 2.11 when that's released.

              postscreen 2.11 DNS-based whitelisting is finished. It also eliminates
              most of the postscreen_greet_wait delay for whitelisted sites.

              My settings are relatively generous, but they don't have to stop
              all spam. I still rely on smtpd_mumble_restrictions and so on.

              postscreen_dnsbl_action = enforce
              postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
                  b.barracudacentral.org*1 list.dnswl.org=127.0.[0..255].[1..3]*-2
              postscreen_dnsbl_threshold = 2
              # 1h is the default
              postscreen_dnsbl_ttl = 1h
              postscreen_dnsbl_whitelist_threshold = -1

              Wietse
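
How the weights and thresholds in the settings above combine for one client, as an added example that is not part of the thread and is not Postfix code. It assumes a site's weight counts once when any reply address matches its filter and that both threshold comparisons are inclusive; the DNS replies are constructed sample values.

```python
import re

# Settings copied from the message above.
DNSBL_SITES = ("zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 "
               "list.dnswl.org=127.0.[0..255].[1..3]*-2")
DNSBL_THRESHOLD = 2
WHITELIST_THRESHOLD = -1

# domain[=filter][*weight]; the weight defaults to 1.
SITE_RE = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")

def parse_octet(pat):
    """Allowed values for one filter octet: 'N' or '[a;b..c]'."""
    if not pat.startswith("["):
        return {int(pat)}
    allowed = set()
    for part in pat[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def parse_sites(value):
    """Return (domain, per-octet filter sets or None, weight) per entry."""
    sites = []
    for item in value.split():
        m = SITE_RE.match(item)
        flt = m["filter"]
        octets = [parse_octet(p) for p in re.findall(r"\[[^\]]*\]|\d+", flt)] if flt else None
        sites.append((m["domain"], octets, int(m["weight"] or 1)))
    return sites

def score(replies):
    """replies maps list domain -> A records returned for the client."""
    total = 0
    for domain, octets, weight in parse_sites(DNSBL_SITES):
        for addr in replies.get(domain, []):
            parts = [int(x) for x in addr.split(".")]
            if octets is None or all(p in o for p, o in zip(parts, octets)):
                total += weight      # counted once per site entry
                break
    return total

def decide(replies):
    s = score(replies)
    if s >= DNSBL_THRESHOLD:
        return s, "block"
    if WHITELIST_THRESHOLD < 0 and s <= WHITELIST_THRESHOLD:
        return s, "skip remaining tests"
    return s, "run remaining tests"
```

A dnswl.org reply whose last octet is 0 falls outside the `[1..3]` filter, so that client gets no negative weight and is not whitelisted.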