
Re: postscreen and Google

  • LuKreme
    Message 1 of 9 , May 13, 2013
      /dev/rob0 opined on Monday 13-May-2013@06:06:27
      > All the Google, Facebook, Yahoo, et c. outbounds as well as most ISPs
      > and legitimate bulk mailers are listed in the dnswl.org whitelist.
      > Your best choice is to upgrade to postfix-2.11-20130512 and use the
      > new feature (see Wietse's thread about it yesterday.)

      Thanks! That sounds very promising. I was hoping I could do something to pass *.google.com instead of the cidr map, but this sounds like it will be better.

      --
      The brain is an amazing organ, it works every second of every day
      from before we're even born right up until the instant we fall in
      love.
    • /dev/rob0
      Message 2 of 9 , May 14, 2013
        On Tue, May 14, 2013 at 12:00:00AM -0600, LuKreme wrote:
        > /dev/rob0 opined on Monday 13-May-2013@06:06:27
        > > All the Google, Facebook, Yahoo, et c. outbounds as well as
        > > most ISPs and legitimate bulk mailers are listed in the
        > > dnswl.org whitelist. Your best choice is to upgrade to
        > > postfix-2.11-20130512 and use the new feature (see Wietse's
        > > thread about it yesterday.)
        >
        > Thanks! That sounds very promising.

        So far so good, here; now running the revised snapshot
        postfix-2.11-20130513. Mail (and spam) from Google gets through
        postscreen as soon as the DNS[BW]L score is computed. Not just
        Google: I have lots of others with a dnswl.org hit and "PASS NEW".

        > I was hoping I could do something to pass *.google.com instead
        > of the cidr map, but this sounds like it will be better.

        This is not possible because postscreen does not look up a client's
        reverse DNS.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      • LuKreme
        Message 3 of 9 , May 30, 2013
          Wietse Venema opined on Monday 13-May-2013@07:22:03
          > LuKreme:
          >> I have postscreen running well after having it run in non-blocking
          >> mode for awhile, but I continue to see “new” google servers every
          >> day.

          [snip]

          > Don't enable the "after 220" tests, or wait until whitelisting
          > is stable. Given that Google has many servers, manual whitelisting
          > is not a long-term solution.

          After looking at my log files I’ve disabled all the “after 220” test for now. Looking forward to the stable whitelisting support in the 2.11 when that’s released.

          --
          And Super Heroes come to feast
          To taste the flesh not yet deceased
          And all I know is still the beast is feeding.
        • Wietse Venema
          Message 4 of 9 , May 31, 2013
            LuKreme:
            > > Don't enable the "after 220" tests, or wait until whitelisting
            > > is stable. Given that Google has many servers, manual whitelisting
            > > is not a long-term solution.
            >
            > After looking at my log files I’ve disabled all the “after 220”
            > test for now. Looking forward to the stable whitelisting support
            > in the 2.11 when that’s released.

            postscreen 2.11 DNS-based whitelisting is finished. It also eliminates
            most of the postscreen_greet_wait delay for whitelisted sites.

            My settings are relatively generous, but they don't have to stop
            all spam. I still rely on smtpd_mumble_restrictions and so on.

            postscreen_dnsbl_action = enforce
            postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
                b.barracudacentral.org*1 list.dnswl.org=127.0.[0..255].[1..3]*-2
            postscreen_dnsbl_threshold = 2
            # 1h is the default
            postscreen_dnsbl_ttl = 1h
            postscreen_dnsbl_whitelist_threshold = -1

            Wietse
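
How the weights and thresholds in the settings above combine into one decision per client, as an added sketch that is not code from the thread or from Postfix. The function names and the DNS answers are constructed for illustration; the decision rule (reject at a score at or above postscreen_dnsbl_threshold, whitelist at a score at or below a negative postscreen_dnsbl_whitelist_threshold) is assumed from the Postfix documentation for these parameters.

```python
import re

# Values from the settings posted in the thread above.
DNSBL_SITES = ("zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 "
               "list.dnswl.org=127.0.[0..255].[1..3]*-2")
DNSBL_THRESHOLD = 2
WHITELIST_THRESHOLD = -1

def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter, weight)."""
    entry, _, weight = entry.partition("*")
    domain, _, addr_filter = entry.partition("=")
    return domain, addr_filter or None, int(weight or 1)

def octet_matches(pattern, octet):
    """Match one reply octet against 'N', '[a..b]' or '[a;b..c]'."""
    for alt in pattern.strip("[]").split(";"):
        low, _, high = alt.partition("..")
        if int(low) <= octet <= int(high or low):
            return True
    return False

def reply_matches(addr_filter, reply):
    if addr_filter is None:  # no filter: any A-record reply counts as listed
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", addr_filter)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def classify(replies):
    """replies maps DNSBL domain -> list of A records returned for one client."""
    score = sum(w for domain, flt, w in map(parse_site, DNSBL_SITES.split())
                if any(reply_matches(flt, r) for r in replies.get(domain, [])))
    if score >= DNSBL_THRESHOLD:
        return score, "reject"      # postscreen_dnsbl_action = enforce
    if WHITELIST_THRESHOLD < 0 and score <= WHITELIST_THRESHOLD:
        return score, "whitelist"   # remaining tests are skipped
    return score, "continue"        # other postscreen tests still apply

# Constructed DNS answers for illustration, not real lookups.
SAMPLES = {
    "dnswl only": {"list.dnswl.org": ["127.0.5.1"]},
    "zen only": {"zen.spamhaus.org": ["127.0.0.4"]},
    "dnswl trust 0": {"list.dnswl.org": ["127.0.5.0"]},
    "zen and dnswl": {"zen.spamhaus.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.2"]},
}

for name, replies in SAMPLES.items():
    print(name, classify(replies))
```

The "dnswl trust 0" case shows why the reply filter matters: an answer ending in .0 falls outside [1..3], so it earns no negative weight and the client still goes through the remaining tests.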