Comcast and SPAMHAUS

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Comcast and SPAMHAUS

jason hirsh
My mail at home goes out via COMCAST..  to my server which has a static IP Postfix/Dovecot.  I am using SMT authentication by password and I use spamhaus  to 
filter spam

All of a sudden I am getting

The server response was: 5.7.1 Service unavailable; Client host [68.83.110.217] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=68.83.110.217

When I check a spamhaus I see that

68.82.0.0/15 is listed on the Policy Block List (PBL)



Outbound Email Policy of Comcast for this IP range:

Email sent by Comcast subscribers using a mail program such as Outlook Express are required to send the email through Comcast. 


If I use my att.net mail servers... no issue.

Is there anything I can do to my postfix config other then removing the use of spamhaus??



Jason Hirsh



Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

Sahil Tandon
* Jason Hirsh <[hidden email]> [05-18-2008]:

> My mail at home goes out via COMCAST..  to my server which has a static IP
> Postfix/Dovecot.  I am using SMT authentication by password and I use
> spamhaus  to
> filter spam
>
> All of a sudden I am getting
>
> The server response was: 5.7.1 Service unavailable; Client host
> [68.83.110.217] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=68.83.110.217
>
> When I check a spamhaus I see that                

[...]

> Is there anything I can do to my postfix config other then removing the use
> of spamhaus??
                   
Reply to this message with the output of 'postconf -n' on your server.  You
should check spamhaus (and other RBLs) _after_ your authenticated users have
been OK'd.

--
Sahil Tandon <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

mouss-2
In reply to this post by jason hirsh
Jason Hirsh wrote:

> My mail at home goes out via COMCAST..  to my server which has a
> static IP Postfix/Dovecot.  I am using SMT authentication by password
> and I use spamhaus  to
> filter spam
>
> All of a sudden I am getting
>
> The server response was: 5.7.1 Service unavailable; Client host
> [68.83.110.217] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=68.83.110.217

I get a lot of these. What is the problem?

>
> When I check a spamhaus I see that
>
> 68.82.0.0/15 is listed on the Policy Block List (PBL)
>
>
>
> Outbound Email Policy of Comcast for this IP range:
>
> Email sent by Comcast subscribers using a mail program such as Outlook
> Express are required to send the email through Comcast.
>
>
> If I use my att.net mail servers... no issue.
>
> Is there anything I can do to my postfix config other then removing
> the use of spamhaus??
>



Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

jason hirsh
In reply to this post by Sahil Tandon

On May 18, 2008, at 11:50 AM, Sahil Tandon wrote:

> * Jason Hirsh <[hidden email]> [05-18-2008]:
>
>> My mail at home goes out via COMCAST..  to my server which has a  
>> static IP
>> Postfix/Dovecot.  I am using SMT authentication by password and I use
>> spamhaus  to
>> filter spam
>>
>> All of a sudden I am getting
>>
>> The server response was: 5.7.1 Service unavailable; Client host
>> [68.83.110.217] blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=68.83.110.217
>>
>> When I check a spamhaus I see that
>
> [...]
>
>> Is there anything I can do to my postfix config other then  
>> removing the use
>> of spamhaus??
>
> Reply to this message with the output of 'postconf -n' on your  
> server.  You
> should check spamhaus (and other RBLs) _after_ your authenticated  
> users have
> been OK'd.
>
> --
> Sahil Tandon <[hidden email]>

as I read this I have the permits before the rejects



alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/usr/local/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8, 68.83.110.83, 66.148.68.111, 68.36.241.79,  
66.36.246.219
newaliases_path = /usr/local/bin/newaliases
readme_directory = no
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = Hi This is the Ocean Window - BV
smtpd_client_restrictions = reject_rhsbl_sender dsn.rfc-
ignorant.org    reject_rbl_client kr.countries.nerd.dk    
reject_rbl_client kr.countries.nerd.dk       reject_rbl_client  
cn.countries.nerd.dk   reject_rbl_client zen.spamhaus.org      
reject_rbl_client bl.spamcop.net reject_rbl_client  
kp.countries.nerd.dk  reject_rbl_client ng.countries.nerd.dk  
reject_rbl_client tw.countries.nerd.dk  reject_rbl_client  
th.countries.nerd.dk  reject_rbl_client pl.countries.nerd.dk  
reject_rbl_client ru.countries.nerd.dk  reject_rbl_client  
it.countries.nerd.dk  reject_rbl_client cz.countries.nerd.dk  
reject_rbl_client ae.countries.nerd.dk  reject_rbl_client  
br.countries.nerd.dk  reject_rbl_client PE.countries.nerd.dk  
reject_rbl_client MX.countries.nerd.dk    reject_rbl_client  
tr.countries.nerd.dk
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_helo_access hash:/
usr/local/etc/postfix/helo_access
smtpd_recipient_restrictions = permit_sasl_authenticated,  
check_relay_domains, permit_mynetworks, reject_rbl_client  
zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-
ignorant.org    reject_rbl_client kr.countries.nerd.dk  
reject_rbl_client cn.countries.nerd.dk  reject_rbl_client  
zen.spamhaus.org      reject_rbl_client bl.spamcop.net        
reject_rbl_client kp.countries.nerd.dk  reject_rbl_client  
ng.countries.nerd.dk  reject_rbl_client tw.countries.nerd.dk  
reject_rbl_client th.countries.nerd.dk  reject_rbl_client  
pl.countries.nerd.dk  reject_rbl_client ru.countries.nerd.dk  
reject_rbl_client it.countries.nerd.dk  reject_rbl_client  
cz.countries.nerd.dk  reject_rbl_client ae.countries.nerd.dk  
reject_rbl_client br.countries.nerd.dk  reject_rbl_client  
PE.countries.nerd.dk  reject_rbl_client MX.countries.nerd.dk    
reject_rbl_client tr.countries.nerd.dk
smtpd_tls_CAfile = /etc/mail/certs/root.crt
smtpd_tls_cert_file = /etc/mail/certs/server.pem
smtpd_tls_key_file = /etc/mail/certs/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1002
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1000

Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

Ralf Hildebrandt
* Jason Hirsh <[hidden email]>:

> as I read this I have the permits before the rejects

Uhm, no?

> smtpd_client_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org    
> reject_rbl_client kr.countries.nerd.dk    reject_rbl_client
> kr.countries.nerd.dk       reject_rbl_client cn.countries.nerd.dk  
> reject_rbl_client zen.spamhaus.org
So where's the permit before that?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
During the million-dollar BIND 9 rewrite, Paul Vixie characterized the
original BIND code as 'sleazeware produced in a drunken fury by a
bunch of U C Berkeley grad students.'                -- D.J. Bernstein
Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

mouss-2
In reply to this post by jason hirsh
Jason Hirsh wrote:

>
> On May 18, 2008, at 11:50 AM, Sahil Tandon wrote:
>
>> * Jason Hirsh <[hidden email]> [05-18-2008]:
>>
>>> My mail at home goes out via COMCAST..  to my server which has a
>>> static IP
>>> Postfix/Dovecot.  I am using SMT authentication by password and I use
>>> spamhaus  to
>>> filter spam
>>>
>>> All of a sudden I am getting
>>>
>>> The server response was: 5.7.1 Service unavailable; Client host
>>> [68.83.110.217] blocked using zen.spamhaus.org;
>>> http://www.spamhaus.org/query/bl?ip=68.83.110.217
>>>
>>> When I check a spamhaus I see that
>>
>> [...]
>>
>>> Is there anything I can do to my postfix config other then removing
>>> the use
>>> of spamhaus??
>>
>> Reply to this message with the output of 'postconf -n' on your
>> server.  You
>> should check spamhaus (and other RBLs) _after_ your authenticated
>> users have
>> been OK'd.
>>
>> --
>> Sahil Tandon <[hidden email]>
>
> as I read this I have the permits before the rejects

The problem is that you repeat DNSBL checks under client and sender
restrictions, with no permit before.

better put all your checks under smtpd_recipient_restrictions. This may
be easier for you to follow (single sequence).

>
>
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> body_checks = regexp:/usr/local/etc/postfix/body_checks
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> disable_vrfy_command = yes
> header_checks = regexp:/usr/local/etc/postfix/header_checks
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_spool_directory = /var/mail/vmail
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> maps_rbl_domains = bl.spamcop.net
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mynetworks = 127.0.0.0/8, 68.83.110.83, 66.148.68.111, 68.36.241.79,
> 66.36.246.219
> newaliases_path = /usr/local/bin/newaliases
> readme_directory = no
> receive_override_options = no_address_mappings
> relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_note_starttls_offer = yes
> smtpd_banner = Hi This is the Ocean Window - BV
> smtpd_client_restrictions = reject_rhsbl_sender
> dsn.rfc-ignorant.org    reject_rbl_client kr.countries.nerd.dk    
> reject_rbl_client kr.countries.nerd.dk       reject_rbl_client
> cn.countries.nerd.dk   reject_rbl_client zen.spamhaus.org    
> reject_rbl_client bl.spamcop.net reject_rbl_client
> kp.countries.nerd.dk  reject_rbl_client ng.countries.nerd.dk  
> reject_rbl_client tw.countries.nerd.dk  reject_rbl_client
> th.countries.nerd.dk  reject_rbl_client pl.countries.nerd.dk  
> reject_rbl_client ru.countries.nerd.dk  reject_rbl_client
> it.countries.nerd.dk  reject_rbl_client cz.countries.nerd.dk  
> reject_rbl_client ae.countries.nerd.dk  reject_rbl_client
> br.countries.nerd.dk  reject_rbl_client PE.countries.nerd.dk  
> reject_rbl_client MX.countries.nerd.dk    reject_rbl_client
> tr.countries.nerd.dk
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,check_helo_access
> hash:/usr/local/etc/postfix/helo_access
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> check_relay_domains, permit_mynetworks, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client bl.spamcop.net
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = reject_rhsbl_sender
> dsn.rfc-ignorant.org    reject_rbl_client kr.countries.nerd.dk  
> reject_rbl_client cn.countries.nerd.dk  reject_rbl_client
> zen.spamhaus.org      reject_rbl_client bl.spamcop.net        
> reject_rbl_client kp.countries.nerd.dk  reject_rbl_client
> ng.countries.nerd.dk  reject_rbl_client tw.countries.nerd.dk  
> reject_rbl_client th.countries.nerd.dk  reject_rbl_client
> pl.countries.nerd.dk  reject_rbl_client ru.countries.nerd.dk  
> reject_rbl_client it.countries.nerd.dk  reject_rbl_client
> cz.countries.nerd.dk  reject_rbl_client ae.countries.nerd.dk  
> reject_rbl_client br.countries.nerd.dk  reject_rbl_client
> PE.countries.nerd.dk  reject_rbl_client MX.countries.nerd.dk    
> reject_rbl_client tr.countries.nerd.dk
> smtpd_tls_CAfile = /etc/mail/certs/root.crt
> smtpd_tls_cert_file = /etc/mail/certs/server.pem
> smtpd_tls_key_file = /etc/mail/certs/server.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
> virtual_gid_maps = static:1002
> virtual_mailbox_base = /var/mail/vmail
> virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
> virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
> virtual_minimum_uid = 100
> virtual_uid_maps = static:1000
>

Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

jason hirsh
In reply to this post by Ralf Hildebrandt

On May 18, 2008, at 12:22 PM, Ralf Hildebrandt wrote:

> * Jason Hirsh <[hidden email]>:
>
>> as I read this I have the permits before the rejects
>
> Uhm, no?
>
>> smtpd_client_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
>> reject_rbl_client kr.countries.nerd.dk    reject_rbl_client
>> kr.countries.nerd.dk       reject_rbl_client cn.countries.nerd.dk
>> reject_rbl_client zen.spamhaus.org
> So where's the permit before that?
>
> --  
> Ralf Hildebrandt ([hidden email])          
> [hidden email]
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450  
> 570-155
> http://www.arschkrebs.de
> During the million-dollar BIND 9 rewrite, Paul Vixie characterized the
> original BIND code as 'sleazeware produced in a drunken fury by a
> bunch of U C Berkeley grad students.'                -- D.J. Bernstein


I misunderstood and fixed thanks
Reply | Threaded
Open this post in threaded view
|

Re: Comcast and SPAMHAUS

Ralf Hildebrandt
* Jason Hirsh <[hidden email]>:

> I misunderstood and fixed thanks

The tip to put it all into smtpd_recipient_restrictions was a good one.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"Internet is so big, so powerful and pointless that for some people it
is a complete substitute for life."-Andrew Brown