Best place for DNSBL restrictions

Best place for DNSBL restrictions

J Doe
Hello,

I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:

    /etc/postfix/main.cf
        postscreen_dnsbl_sites = bl.spamcop.net
        postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBLs and specify filters and weighting.  While looking at various samples of main.cf
using DNSBLs, I came back to an old question - where should I implement DNSBL restrictions?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.  Many examples
place a DNSBL entry in smtpd_recipient_restrictions:

    /etc/postfix/main.cf
        . . .
        smtpd_recipient_restrictions = . . . reject_rbl_client bl.spamcop.net

However, isn’t it better to place this in postscreen, as an SMTP transaction will not be started
when a spammer listed on the DNSBL connects?  Or are smtpd restrictions preferred
because there is more metadata about the mail transaction which I can check to see if a false
positive listing on a DNSBL has taken place?

This confuses me: whether I place a DNSBL in postscreen or in SMTP restrictions, in both
cases the message is blocked.  What are the advantages of placing it in SMTP restrictions?

Thanks,

- J

Re: Best place for DNSBL restrictions

Bill Cole-3
On 23 Jun 2018, at 21:18 (-0400), J Doe wrote:

> On this list I seem to recall that using a DNSBL via postscreen is
> discouraged

Your recollection is incorrect.

I seem to recall that the last 2-3 times this question came up here, it
was discussed to death with the original inquirers resisting the idea
that the answer is nuanced, complex, and site-specific.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole

Re: Best place for DNSBL restrictions

Wietse Venema
J Doe:
> Hello,
>
> I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:
>
>     /etc/postfix/main.cf
>         postscreen_dnsbl_sites = bl.spamcop.net
>         postscreen_dnsbl_action = drop

spamcop is not a system that flags spambots (systems that send spam
ONLY); it also flags sites that send mostly legitimate mail.

If you must use spamcop (I would not), you might want to use that
with a small weight so that spamcop alone cannot veto your mail.
Note that postscreen supports weights, while smtpd does not.

        Wietse

Re: Best place for DNSBL restrictions

J Doe

> On Jun 24, 2018, at 9:37 AM, Wietse Venema <[hidden email]> wrote:
>
> J Doe:
>> Hello,
>>
>> I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:
>>
>>    /etc/postfix/main.cf
>>        postscreen_dnsbl_sites = bl.spamcop.net
>>        postscreen_dnsbl_action = drop
>
> spamcop is not a system that flags spambots (systems that send spam
> ONLY); it also flags sites that send mostly legitimate mail.
>
> If you must use spamcop (I would not), you might want to use that
> with a small weight so that spamcop alone cannot veto your mail.
> Note that postscreen supports weights, while smtpd does not.
>
> Wietse

Hi Bill and Wietse,

Thank you for your replies.

Ah, thank you for the warning regarding SpamCop - and also for the note about weighting being a postscreen-only feature.

I was wondering if perhaps one of the reasons why people tend to use SMTP restrictions instead of postscreen is related
to history - IIRC, postscreen came later, so perhaps the reason why I see many examples advocating SMTP restrictions
is because that’s how people kept spam away before the release of postscreen?

In terms of weighting, I am assuming that one thing I could do when I have more than one DNSBL (say, 2) is to set a threshold of
2 and have each list weighted as 1 (the default).  That would mean that an IP address would have to be listed on both
lists before being banned, correct?

Thanks,

- J

Re: Best place for DNSBL restrictions

J Doe

> Hi Bill and Wietse,
>
> Thank you for your replies.
>
> Ah, thank you for the warning regarding SpamCop - and also for the note about weighting being a postscreen-only feature.
>
> I was wondering if perhaps one of the reasons why people tend to use SMTP restrictions instead of postscreen is related
> to history - IIRC, postscreen came later, so perhaps the reason why I see many examples advocating SMTP restrictions
> is because that’s how people kept spam away before the release of postscreen?
>
> In terms of weighting, I am assuming that one thing I could do when I have more than one DNSBL (say, 2) is to set a threshold of
> 2 and have each list weighted as 1 (the default).  That would mean that an IP address would have to be listed on both
> lists before being banned, correct?

As a follow-on - I have migrated the DNSBL blocking to smtpd restrictions to see what SMTP transaction data is recorded.
I may revert that back to postscreen, with weighting, but as this is a lower-volume server I thought it would be interesting
to try this out and gather some data.

I note, though, that I can place a reject_rbl_client statement in multiple places (i.e. smtpd_client_restrictions, smtpd_recipient_restrictions).
For spam, wouldn’t I always want this in smtpd_client_restrictions, because the sender’s IP address is presented here and can be
looked up on the DNSBL?  Why would I want to put it later in the transaction, at say smtpd_recipient_restrictions?

Thanks,

- J

Re: Best place for DNSBL restrictions

Matus UHLAR - fantomas
>> J Doe:
>>> I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:
>>>
>>>    /etc/postfix/main.cf
>>>        postscreen_dnsbl_sites = bl.spamcop.net
>>>        postscreen_dnsbl_action = drop

>> On Jun 24, 2018, at 9:37 AM, Wietse Venema <[hidden email]> wrote:
>> spamcop is not a system that flags spambots (systems that send spam
>> ONLY); it also flags sites that send mostly legitimate mail.
>>
>> If you must use spamcop (I would not), you might want to use that
>> with a small weight so that spamcop alone cannot veto your mail.
>> Note that postscreen supports weights, while smtpd does not.

On 24.06.18 15:22, J Doe wrote:
>I was wondering if perhaps one of the reasons why people tend to use SMTP
>restrictions instead of postscreen is related to history - IIRC, postscreen
>came later, so perhaps the reason why I see many examples advocating SMTP
>restrictions is because that’s how people kept spam away before the release
>of postscreen ?

another reason is that with postscreen you can't e.g. whitelist senders
using SMTP authentication, because rejection happens before the
authentication can start.

There are many servers and companies that use port 25 for outgoing mail, and
being behind a blacklisted IP they couldn't send mail at all.

The solution for this is of course to use alternative ports (that is exactly
what those alternative ports are for), but that requires reconfiguration of
the end-user device, often located at home, owned by a user not competent to
reconfigure the mail client.

>In terms of weighting, I am assuming that one thing I could do when I have
>more than one DNSBL (say, 2) is to set a threshold of 2 and have each list
>weighted as 1 (the default).  That would mean that an IP address would have
>to be listed on both lists before being banned, correct ?

For example. You can also have three lists and require the IP to be blacklisted
in two of them (postscreen_dnsbl_threshold=2).  You can also use the dnswl
whitelist (weight -1) and require the IP to be blacklisted in at least
two blacklists, so the whitelist can override one of those blacklists.

I believe you can find some pretty examples on the net.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
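The weighting scheme described above (each blacklist at the default weight 1, a threshold of 2, and a dnswl-style whitelist at weight -1 cancelling one blacklist hit) worked through in a small Python model of postscreen's scoring. This is an added illustration, not Postfix code and not anything posted in the thread: the zone names, client addresses and listings are constructed, the `fake_lookup` callback stands in for the real DNS queries postscreen sends, and only a simplified subset of the postscreen_dnsbl_sites syntax is parsed (zone, zone*weight, and zone=reply*weight with one exact reply address; Postfix's bracketed reply ranges are not modelled).

```python
import re

# Simplified form of the postscreen_dnsbl_sites entry syntax (assumption: a
# single exact reply address after "=", no bracketed ranges).
SITE_RE = re.compile(
    r"^(?P<zone>[^=*\s]+)(?:=(?P<filter>[0-9.]+))?(?:\*(?P<weight>-?\d+))?$"
)


def parse_sites(spec):
    """Turn a space-separated site list into (zone, reply_filter, weight) tuples.
    A missing weight defaults to 1, as it does in postscreen."""
    sites = []
    for token in spec.split():
        m = SITE_RE.match(token)
        if not m:
            raise ValueError(f"unparseable site entry: {token!r}")
        sites.append((m["zone"], m["filter"], int(m["weight"] or 1)))
    return sites


def dnsbl_score(client_ip, sites, lookup):
    """Sum the weights of every zone that lists client_ip.

    lookup(zone, ip) replaces the reversed-octet A query a real postscreen
    would send; it returns the set of reply addresses (e.g. {"127.0.0.2"})
    or an empty set when the address is not listed."""
    score = 0
    hits = []
    for zone, reply_filter, weight in sites:
        replies = lookup(zone, client_ip)
        if not replies:
            continue
        if reply_filter is not None and reply_filter not in replies:
            continue  # listed, but not with the reply code this entry asks for
        score += weight
        hits.append(zone)
    return score, hits


def postscreen_verdict(client_ip, site_spec, threshold, lookup):
    """Return ("reject" | "pass", score, zones_hit): the client is rejected
    once the combined score reaches postscreen_dnsbl_threshold."""
    score, hits = dnsbl_score(client_ip, parse_sites(site_spec), lookup)
    return ("reject" if score >= threshold else "pass"), score, hits


# Constructed listing data (RFC 5737 documentation addresses and reserved
# ".invalid" zone names); no real DNSBL is consulted anywhere in this file.
LISTINGS = {
    "bl.example-a.invalid":    {"192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"},
    "bl.example-b.invalid":    {"192.0.2.20", "192.0.2.30", "192.0.2.40"},
    "bl.example-c.invalid":    {"192.0.2.40"},
    "list.example-wl.invalid": {"192.0.2.30", "192.0.2.40"},  # dnswl-style whitelist
}


def fake_lookup(zone, ip):
    # Every constructed listing answers with the common 127.0.0.2 reply code.
    return {"127.0.0.2"} if ip in LISTINGS.get(zone, set()) else set()


# Two blacklists, default weight 1, threshold 2: both must agree before a
# client is rejected.
TWO_LISTS = "bl.example-a.invalid bl.example-b.invalid"

# Three blacklists plus a whitelist at weight -1, threshold 2: a whitelist
# hit cancels exactly one blacklist hit.
THREE_LISTS_PLUS_WL = ("bl.example-a.invalid bl.example-b.invalid "
                       "bl.example-c.invalid list.example-wl.invalid*-1")

THRESHOLD = 2  # postscreen_dnsbl_threshold

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print("two lists      ", ip, postscreen_verdict(ip, TWO_LISTS, THRESHOLD, fake_lookup))
    for ip in ("192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print("three lists+wl ", ip, postscreen_verdict(ip, THREE_LISTS_PLUS_WL, THRESHOLD, fake_lookup))
```

Running it shows 192.0.2.10 (listed only on one blacklist) passing the two-list configuration while 192.0.2.20 (listed on both) is rejected; with the three-list configuration, 192.0.2.30 (two blacklists plus the whitelist) scores 1 and passes, whereas 192.0.2.40 (all three blacklists plus the whitelist) scores 2 and is rejected. The `=reply` filter matters when a zone encodes different listing reasons in its reply address: the model only counts a hit when the reply the entry names is actually returned.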

Re: Best place for DNSBL restrictions

Matus UHLAR - fantomas
>> Hi Bill and Wietse,
>>
>> Thank you for your replies.
>>
>> Ah, thank you for the warning regarding SpamCop - and also for the note about weighting being a postscreen only feature.
>>
>> I was wondering if perhaps one of the reasons why people tend to use SMTP restrictions instead of postscreen is related
>> to history - IIRC, postscreen came later, so perhaps the reason why I see many examples advocating SMTP restrictions
>> is because that’s how people kept spam away before the release of postscreen ?
>>
>> In terms of weighting, I am assuming that one thing I could do when I have more than one DNSBL (say, 2) is to set a threshold of
>> 2 and have each list weighted as 1 (the default).  That would mean that an IP address would have to be listed on both
>> lists before being banned, correct ?

On 24.06.18 17:07, J Doe wrote:
>As a follow-on - I have migrated the DNSBL blocking to smtpd restrictions to see what SMTP transaction data is recorded.
>I may revert that back to postscreen, with weighting, but as this is a lower-volume server I thought it would be interesting
>to try this out and gather some data.
>
>I note, though, that I can place a reject_rbl_client statement in multiple places (i.e. smtpd_client_restrictions, smtpd_recipient_restrictions).
>For spam, wouldn’t I always want this in smtpd_client_restrictions, because the sender’s IP address is presented here and can be
>looked up on the DNSBL?  Why would I want to put it later in the transaction, at say smtpd_recipient_restrictions?

When having reject_rbl_client in smtpd_sender_restrictions, you can
whitelist sender addresses (by allowing specific senders before using
blacklists).

When having it in smtpd_recipient_restrictions, you can also whitelist
recipients, e.g. postmaster - someone may tell you the blacklist you use has
gone dead and blacklists everything - this happened multiple times in the
past.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.