
Whitelisting individual addresses with postscreen

  • D'Arcy J.M. Cain
    Message 1 of 11 , May 14, 2014
      It looks like hotmail is on two DNSBLs and postscreen is blocking
      them. I would like to offer my users a way to whitelist individual
      addresses but it looks like I can only whitelist CIDR blocks. Is
      that the case or do I have another option?

      Cheers.

      --
      D'Arcy J.M. Cain
      System Administrator, Vex.Net
      http://www.Vex.Net/ IM:darcy@...
      VoIP: sip:darcy@...
    • Noel Jones
      Message 2 of 11 , May 14, 2014
        On 5/14/2014 9:59 AM, D'Arcy J.M. Cain wrote:
        > It looks like hotmail is on two DNSBLs and postscreen is blocking
        > them. I would like to offer my users a way to whitelist individual
        > addresses but it looks like I can only whitelist CIDR blocks. Is
        > that the case or do I have another option?
        >
        > Cheers.
        >

        The only postscreen whitelisting possible is by IP. Postscreen will
        never (and cannot) see a hostname nor an email address.

        Your choices are:
        - remove the offending DNSBL. Postscreen is not appropriate for a
        DNSBL that intentionally lists hosts sending a mixture of good and
        bad mail, such as hotmail, AOL, etc.

        - move the offending DNSBL to the regular smtpd_*_access checks,
        where whitelisting is possible.

        - Use a DNSWL and adjust your scores so the offending DNSBL doesn't
        reject real servers.


        -- Noel Jones
      • Marius Gologan
        Message 3 of 11 , May 14, 2014
          This should help you discover most (not all) IP ranges in cidr format:
          host -t txt outlook.com | tr " " '\n' | awk '/\./' |
            sed "s/include:\|ip4://g" | sort -u | grep -i "[a-z]" |
            while read -r record; do host -t txt "$record"; done |
            tr ' ' '\n' |
            awk -F ":" '/[0-9]*\.[0-9]/ {print $2"\tpermit"}' | sort -u

          -----Original Message-----
          From: owner-postfix-users@...
          [mailto:owner-postfix-users@...] On Behalf Of D'Arcy J.M. Cain
          Sent: Wednesday, May 14, 2014 5:59 PM
          To: postfix-users@...
          Subject: Whitelisting individual addresses with postscreen

          It looks like hotmail is on two DNSBLs and postscreen is blocking
          them. I would like to offer my users a way to whitelist individual
          addresses but it looks like I can only whitelist CIDR blocks. Is
          that the case or do I have another option?

          Cheers.

          --
          D'Arcy J.M. Cain
          System Administrator, Vex.Net
          http://www.Vex.Net/ IM:darcy@...
          VoIP: sip:darcy@...
        • D'Arcy J.M. Cain
          Message 4 of 11 , May 14, 2014
            On Wed, 14 May 2014 10:09:19 -0500
            Noel Jones <njones@...> wrote:
            > On 5/14/2014 9:59 AM, D'Arcy J.M. Cain wrote:
            > > It looks like hotmail is on two DNSBLs and postscreen is blocking
            > > them. I would like to offer my users a way to whitelist individual
            > > addresses but it looks like I can only whitelist CIDR blocks. Is
            > > that the case or do I have another option?
            >
            > The only postscreen whitelisting possible is by IP. Postscreen will
            > never (and cannot) see a hostname nor an email address.

            Yah, that's what I was afraid of.

            > Your choices are:
            > - remove the offending DNSBL. Postscreen is not appropriate for a
            > DNSBL that intentionally lists hosts sending a mixture of good and
            > bad mail, such as hotmail, AOL, etc.

            I know that SORBS, one of the listing DNSBLs, shouldn't be used but in
            my case it is spamcop that is blocking the mails. I thought that they
            were generally considered a good source.

            > - move the offending DNSBL to the regular smtpd_*_access checks,
            > where whitelisting is possible.

            Sounds like my best option here.

            --
            D'Arcy J.M. Cain
            System Administrator, Vex.Net
            http://www.Vex.Net/ IM:darcy@...
            VoIP: sip:darcy@...
          • Benny Pedersen
            Message 5 of 11 , May 14, 2014
              D'Arcy J.M. Cain wrote on 2014-05-14 16:59:
              > It looks like hotmail is on two DNSBLs and postscreen is blocking
              > them. I would like to offer my users a way to whitelist individual
              > addresses but it looks like I can only whitelist CIDR blocks. Is
              > that the case or do I have another option?

              dig hotmail.com txt

              use same whitelist.cidr from txt record

              these maps can safely be cronned to take the spf cidr map from it, basically
              the map seen in dmarcian flatted maps

              if there is a perl or python code that does this it would be cool, another
              way is to make another map that is checked live, i just don't know how

              since postscreen is to be done without delay on whitelist it must not
              delay checking

              more help post postconf -n (as usual)


              >
              > Cheers.

              --
              senders that put my email into body content will deliver it to my own
              trashcan, so if you like to get reply, don't do it
            • Benny Pedersen
              Message 6 of 11 , May 14, 2014
                Marius Gologan wrote on 2014-05-14 17:21:
                > This should help you discover most (not all) IP ranges in cidr format:
                > host -t txt outlook.com | tr " " '\n' | awk '/\./' | sed
                > "s/include:\|ip4://g" | sort -u | grep -i "[a-z]" | while read record;
                > do
                > host -t txt $record ; done | tr ' ' '\n' | awk -F ":" '/[0-9]*\.[0-9]/
                > {print $2"\tpermit"}' | sort -u

                missing ip6 mx a aaaa

                but the basics are there :=)

                if one makes an spf tool that lists all ips per sender domain in an easy
                parseable form it would be nice to see, use spf as safe source for the
                cidr list to postscreen
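
The SPF-to-CIDR tool asked for in this subthread, sketched in Python as an added example (not code from any poster or from Postfix): it follows include/redirect, keeps only ip4 and ip6 pass terms, and reports the a/mx terms the shell pipeline also misses. The `lookup_txt` hook, the function names and the sample records (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample SPF TXT records (documentation ranges, not real DNS data).
SAMPLE_TXT = {
    "mail.example": "v=spf1 ip4:192.0.2.0/24 include:_a.mail.example "
                    "include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 -all",
    "_b.mail.example": "v=spf1 ip4:203.0.113.7 -ip4:203.0.113.99 "
                       "include:_a.mail.example a mx -all",
}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms; used here as a recursion guard


def flatten_spf(domain, lookup_txt, seen=None, skipped=None):
    """Collect ip4/ip6 networks reachable from domain's SPF record.

    lookup_txt(name) returns the SPF TXT string or None (hypothetical
    resolver hook). Returns (set of networks, list of terms not expanded).
    """
    seen = set() if seen is None else seen
    skipped = [] if skipped is None else skipped
    nets = set()
    if domain in seen:                      # include loop or repeated include
        return nets, skipped
    if len(seen) >= MAX_LOOKUPS:
        raise RuntimeError("SPF lookup limit exceeded at " + domain)
    seen.add(domain)
    record = lookup_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        skipped.append("no-spf:" + domain)
        return nets, skipped
    for term in record.split()[1:]:
        if term[0] in "-~?":                # only "pass" terms may be permitted
            if not term.lower().endswith("all"):
                skipped.append(term)
            continue
        term = term.lstrip("+")
        name, _, value = term.replace("=", ":", 1).partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name in ("include", "redirect"):
            sub, _ = flatten_spf(value.lower(), lookup_txt, seen, skipped)
            nets |= sub
        else:                               # a, mx, ptr, exists, all: not expanded
            skipped.append(term)
    return nets, skipped


def postscreen_cidr(nets):
    """Render networks as lines for a postscreen_access_list CIDR table."""
    order = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [f"{n}\tpermit" for n in order]


if __name__ == "__main__":
    found, not_expanded = flatten_spf("mail.example", SAMPLE_TXT.get)
    print("\n".join(postscreen_cidr(found)))
    print("# not expanded:", not_expanded)
```

A cron job built on this should write the table to a temporary file and swap it in only when the run completes without error, so a DNS failure never empties the live list.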
              • D'Arcy J.M. Cain
                Message 7 of 11 , May 14, 2014
                  On Wed, 14 May 2014 17:44:37 +0200
                  Benny Pedersen <me@...> wrote:
                  > dig hotmail.com txt
                  >
                  > use same whitelist.cidr from txt record

                  You mean whitelist it? That's not the issue. I see no point in
                  whitelisting someone *because* they send a lot of spam. I don't think
                  that the answer is to figure out how to whitelist hotmail. The answer
                  is to figure out how to push back on hotmail to manage their users
                  better and control spam.

                  --
                  D'Arcy J.M. Cain
                  System Administrator, Vex.Net
                  http://www.Vex.Net/ IM:darcy@...
                  VoIP: sip:darcy@...
                • Noel Jones
                  Message 8 of 11 , May 14, 2014
                    On 5/14/2014 10:50 AM, Benny Pedersen wrote:
                    > Marius Gologan wrote on 2014-05-14 17:21:
                    >> This should help you discover most (not all) IP ranges in cidr
                    >> format:
                    >> host -t txt outlook.com | tr " " '\n' | awk '/\./' | sed
                    >> "s/include:\|ip4://g" | sort -u | grep -i "[a-z]" | while read
                    >> record; do
                    >> host -t txt $record ; done | tr ' ' '\n' | awk -F ":"
                    >> '/[0-9]*\.[0-9]/
                    >> {print $2"\tpermit"}' | sort -u
                    >
                    > missing ip6 mx a aaaa
                    >
                    > but the basics are there :=)
                    >
                    > if one makes an spf tool that lists all ips per sender domain in an easy
                    > parseable form it would be nice to see, use spf as safe source for
                    > the cidr list to postscreen


                    A far more scalable solution:

                    a) don't use "scoring" DNSBL's such as spamcop in postscreen

                    b) use a DNSWL such as list.dnswl.org in postscreen so you don't
                    reject mail from a legit host. Yes, hotmail is a legit host.

                    Remember, postscreen is designed to keep easily identified zombies
                    out, not to do all your spam filtering.

                    This doesn't mean accept all mail from hotmail, but instead be
                    careful when you're painting with a very broad brush.

                    Hotmail should still be passed to the content filters and antivirus
                    for more in-depth analysis.




                    -- Noel Jones
                  • Armando Soto Baeza
                    Message 9 of 11 , May 14, 2014
                      On 14/05/14 16:22, Noel Jones wrote:
                      > On 5/14/2014 10:50 AM, Benny Pedersen wrote:
                      >> Marius Gologan wrote on 2014-05-14 17:21:
                      >>> This should help you discover most (not all) IP ranges in cidr
                      >>> format:
                      >>> host -t txt outlook.com | tr " " '\n' | awk '/\./' | sed
                      >>> "s/include:\|ip4://g" | sort -u | grep -i "[a-z]" | while read
                      >>> record; do
                      >>> host -t txt $record ; done | tr ' ' '\n' | awk -F ":"
                      >>> '/[0-9]*\.[0-9]/
                      >>> {print $2"\tpermit"}' | sort -u
                      >> missing ip6 mx a aaaa
                      >>
                      >> but the basics are there :=)
                      >>
                      >> if one makes an spf tool that lists all ips per sender domain in an easy
                      >> parseable form it would be nice to see, use spf as safe source for
                      >> the cidr list to postscreen
                      >
                      > A far more scalable solution:
                      >
                      > a) don't use "scoring" DNSBL's such as spamcop in postscreen
                      >
                      > b) use a DNSWL such as list.dnswl.org in postscreen so you don't
                      > reject mail from a legit host. Yes, hotmail is a legit host.
                      >
                      > Remember, postscreen is designed to keep easily identified zombies
                      > out, not to do all your spam filtering.
                      >
                      > This doesn't mean accept all mail from hotmail, but instead be
                      > careful when you're painting with a very broad brush.
                      >
                      > Hotmail should still be passed to the content filters and antivirus
                      > for more in-depth analysis.
                      >
                      >
                      >
                      >
                      > -- Noel Jones
                      >
                      Please, remove my address from this list.

                      I have sent messages with admin commands to do this, and all I get is a
                      notification that I am not me, but a program. Ok, maybe I am a virus or
                      a worm, but, please, remove me.
                    • Benny Pedersen
                      Message 10 of 11 , May 14, 2014
                        Armando Soto Baeza wrote on 2014-05-14 23:32:

                        > Please, remove my address from this list.

                        you get forwarded mails from maillist with another email address of
                        yours, and you are not asking the list owner now to get help, but
                        spamming a thread on a maillist archive, well done

                        > I have sent messages with admin commands to do this, and all I get is a
                        > notification that I am not me, but a program. Ok, maybe I am a virus or
                        > a worm, but, please, remove me.

                        see all headers in this email here, find your own mail address you are
                        subscribed with, then send an email from that email with subject help to
                        postfix-owner@...

                        sorry if that is not the right email, but since you already have sent
                        commands you know which one to send to already

                        and lastly you are the only one that can do it, no one else can do it
                        except list owners that use all their knowledge to build a better
                        postfix each day, not get paid for unsubscribing users
                        YMMV
                      • /dev/rob0
                        Message 11 of 11 , May 15, 2014
                          On Wed, May 14, 2014 at 11:35:59AM -0400, D'Arcy J.M. Cain wrote:
                          > On Wed, 14 May 2014 10:09:19 -0500
                          > Noel Jones <njones@...> wrote:
                          > > On 5/14/2014 9:59 AM, D'Arcy J.M. Cain wrote:
                          > > > It looks like hotmail is on two DNSBLs and postscreen is
                          > > > blocking them. I would like to offer my users a way to
                          > > > whitelist individual addresses but it looks like I can
                          > > > only whitelist CIDR blocks. Is that the case or do I
                          > > > have another option?
                          > >
                          > > The only postscreen whitelisting possible is by IP. Postscreen
                          > > will never (and cannot) see a hostname nor an email address.
                          >
                          > Yah, that's what I was afraid of.
                          >
                          > > Your choices are:

                          > > - remove the offending DNSBL. Postscreen is not appropriate
                          > > for a DNSBL that intentionally lists hosts sending a mixture
                          > > of good and bad mail, such as hotmail, AOL, etc.
                          >
                          > I know that SORBS, one of the listing DNSBLs, shouldn't be
                          > used but in my case it is spamcop that is blocking the mails.
                          > I thought that they were generally considered a good source.

                          Yikes, no.

                          See, Spamcop is fully automated. A lot of large email providers
                          classify their outbound. Stuff that their filters consider suspect,
                          but they are afraid to block because of complaints, goes out a
                          certain set of outbound servers.

                          That's why hotmail, gmail, and others are regularly seen on Spamcop,
                          and why it's usually the same set of IP addresses. They ARE sending
                          spam, and SORBS and Spamcop thus list them. (SORBS deliberately,
                          Spamcop automatically.)

                          An aggressive site might be fine with taking the risk, but me, I'd
                          never trust SORBS nor Spamcop for blocking, even if they both were
                          agreed about a host.

                          I use each of them as one point where the threshold is three. And
                          also as Noel suggests, I use DNSWL.org with negative scores.

                          As a matter of fact, most spam I see in my personal mailbox
                          originated from providers of this kind. I don't usually bother to
                          look them up in my logs, but I know I have seen this scenario before:
                          listed on SORBS, Spamcop and DNSWL.

                          > > - move the offending DNSBL to the regular smtpd_*_access
                          > > checks, where whitelisting is possible.
                          >
                          > Sounds like my best option here.

                          Disagree. Better scoring solves the problem nicely. Your content
                          filtering will probably catch the ones your postscreen allows
                          through.
                          --
                          http://rob0.nodns4.us/
                          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
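
A model of the weighted scoring described in the replies above (Spamcop and SORBS at one point each, a threshold of three, DNSWL with a negative score), as an added example that is not part of the thread and is not Postfix code. The weights beyond those stated, the `zombies.dnsbl.example` list, the DNSWL reply filter and the DNS replies are constructed for illustration; the entries use the `domain=filter*weight` form of `postscreen_dnsbl_sites`.

```python
import re

# Assumed main.cf values for illustration (not taken from any poster's config).
# zombies.dnsbl.example is a hypothetical high-confidence list.
SCORED_SITES = ("bl.spamcop.net*1, dnsbl.sorbs.net*1, zombies.dnsbl.example*3, "
                "list.dnswl.org=127.0.[0..255].[1..3]*-2")
SCORED_THRESHOLD = 3
UNSCORED_SITES = "bl.spamcop.net, dnsbl.sorbs.net"  # no weights: each counts 1
UNSCORED_THRESHOLD = 1                              # postscreen_dnsbl_threshold default


def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for item in filter(None, re.split(r"[,\s]+", value)):
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if m is None:
            raise ValueError("bad dnsbl site entry: " + item)
        domain, flt, weight = m.groups()
        sites.append((domain, flt, int(weight) if weight else 1))
    return sites


def reply_matches(flt, reply):
    """True if an A-record reply matches the =filter (no filter matches any)."""
    if flt is None:
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", flt)   # octets, some as [a..b;c]
    octets = [int(o) for o in reply.split(".")]
    if len(fields) != 4 or len(octets) != 4:
        return False
    for field, octet in zip(fields, octets):
        hit = False
        for part in field.strip("[]").split(";"):
            lo, _, hi = part.partition("..")
            hit = hit or int(lo) <= octet <= int(hi or lo)
        if not hit:
            return False
    return True


def dnsbl_score(sites_value, replies):
    """Sum the weights of every list whose reply for this client matches."""
    total = 0
    for domain, flt, weight in parse_sites(sites_value):
        reply = replies.get(domain)
        if reply and reply_matches(flt, reply):
            total += weight
    return total


def fails_dnsbl_test(sites_value, threshold, replies):
    return dnsbl_score(sites_value, replies) >= threshold


# Constructed DNS replies: a large provider's outbound host, and a zombie.
PROVIDER = {"bl.spamcop.net": "127.0.0.2", "dnsbl.sorbs.net": "127.0.0.6",
            "list.dnswl.org": "127.0.5.1"}
ZOMBIE = {"bl.spamcop.net": "127.0.0.2", "zombies.dnsbl.example": "127.0.0.2"}
```

With the unweighted pair and the default threshold the provider host fails the DNSBL test; with the scored set it totals zero and goes on to content filtering, while the zombie still fails.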