Feedback on Postscreen Whitelist Article


Feedback on Postscreen Whitelist Article

Steve Jenkins-2
I just posted an article about how to whitelist Gmail and Hotmail/Outlook.com IP addresses for Postscreen, based on the webmaster's SPF records:


I'd appreciate feedback from anyone on this list generous enough to offer it, so I can fix any mistakes or make the article better.

Thanks,

Steve


Steve Jenkins
       
Re: Feedback on Postscreen Whitelist Article

Noel Jones-2
On 11/23/2015 1:42 PM, Steve Jenkins wrote:


Maintaining a local postscreen whitelist of well-known providers is
largely obsolete.

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

a minimal main.cf example would be something like:
postscreen_dnsbl_sites = zen.spamhaus.org*1 list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1




  -- Noel Jones
Re: Feedback on Postscreen Whitelist Article

Robert Chalmers-2
In reply to this post by Steve Jenkins-2
Interesting article Steve. What happens when/if they change ip blocks in between cron runs?
and I can't help thinking this may be a little redundant though, with spf, dkim and dmarc in place the source of the email is checked and acted upon accordingly.  




Sent from my iPad

On 23 Nov 2015, at 7:42 p.m., Steve Jenkins <[hidden email]> wrote:

I just posted an article about how to whitelist Gmail and Hotmail/Outlook.com IP addresses for Postscreen, based on the webmaster's SPF records:


I'd appreciate feedback from anyone on this list generous enough to offer it, so I can fix any mistakes or make the article better.

Thanks,

Steve


Steve Jenkins
       
Re: Feedback on Postscreen Whitelist Article

Noel Jones-2
On 11/23/2015 3:48 PM, [hidden email] wrote:
> Interesting article Steve. What happens when/if they change ip
> blocks in between cron runs?
> and I can't help thinking this may be a little redundant though,
> with spf, dkim and dmarc in place the source of the email is checked
> and acted upon accordingly.  
>
>

spf, dkim, dmarc, etc. don't work at the postscreen level.  The only
information that is known at this point is the connecting client IP.

That's why postscreen_dnsbl_whitelist_threshold is useful here.



  -- Noel Jones



>
>
> Sent from my iPad
>
> On 23 Nov 2015, at 7:42 p.m., Steve Jenkins <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> I just posted an article about how to whitelist Gmail and
>> Hotmail/Outlook.com <http://outlook.com> IP addresses for
>> Postscreen, based on the webmaster's SPF records:
>>
>> http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
>>
>> I'd appreciate feedback from anyone on this list generous enough
>> to offer it, so I can fix any mistakes or make the article better.
>>
>> Thanks,
>>
>> Steve
>>
>>
>> *Steve Jenkins*
>> /[hidden email] <mailto:[hidden email]>/
>>
Re: Feedback on Postscreen Whitelist Article

yahoogroups@lazygranch.xyz
In reply to this post by Noel Jones-2
Regarding Spamhaus, I am periodically blacklisted on my hosted Web service provider because somebody sets up an account on the same service, then spews spam. Because I share the same IP, I'm declared toxic.

I have set up a VPS, which of course has its own IP, not to get in this boat. But I am so negative regarding Spamhaus due to unwarranted blocking that I refuse to use it.

Re: Feedback on Postscreen Whitelist Article

Viktor Dukhovni
On Mon, Nov 23, 2015 at 02:29:45PM -0800, [hidden email] wrote:

> Regarding Spamhaus, I am periodically blacklisted on my hosted Web service
> provider because somebody sets up an account on the same service, then
> spews spam. Because I share the same IP, I'm declared toxic.

Sounds like the listing is entirely appropriate...  You might want
hosting from a provider that does a better job of controlling
outbound spam.

--
        Viktor.
Re: Feedback on Postscreen Whitelist Article

yahoogroups@lazygranch.xyz
If wishes were horses. ;-)

My xyz domain is on the VPS. I'm going to switch systems in a few days.
  Original Message  
From: Viktor Dukhovni
Sent: Monday, November 23, 2015 2:45 PM
To: [hidden email]
Reply To: [hidden email]
Subject: Re: Feedback on Postscreen Whitelist Article

On Mon, Nov 23, 2015 at 02:29:45PM -0800, [hidden email] wrote:

> Regarding Spamhaus, I am periodically blacklisted on my hosted Web service
> provider because somebody sets up an account on the same service, then
> spews spam. Because I share the same IP, I'm declared toxic.

Sounds like the listing is entirely appropriate... You might want
hosting from a provider that does a better job of controlling
outbound spam.

--
Viktor.
Re: Feedback on Postscreen Whitelist Article

Steve Jenkins-2
In reply to this post by Noel Jones-2
On Mon, Nov 23, 2015 at 1:03 PM, Noel Jones <[hidden email]> wrote:

Maintaining a local postscreen whitelist of well-known providers is
largely obsolete.

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

a minimal main.cf example would be something like:
postscreen_dnsbl_sites = zen.spamhaus.org*1 list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1

Hi, Noel. Thanks for your input (it's always appreciated).

I do use both of those directives in my main.cf, after the postscreen_access_list.

Here's what I'm currently running:

# POSTSCREEN OPTIONS v2015-06-02
postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr,
        cidr:/etc/postfix/gmail_whitelist.cidr,
        cidr:/etc/postfix/msft_whitelist.cidr,
        hash:/etc/postfix/postscreen_whitelist

postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -4

postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        bl.mailspike.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
        wl.mailspike.net=127.0.0.[17;18]*-1
        wl.mailspike.net=127.0.0.[19;20]*-2


 
Re: Feedback on Postscreen Whitelist Article

Steve Jenkins-2
In reply to this post by Robert Chalmers-2
On Mon, Nov 23, 2015 at 1:48 PM, [hidden email] <[hidden email]> wrote:
Interesting article Steve. What happens when/if they change ip blocks in between cron runs?
and I can't help thinking this may be a little redundant though, with spf, dkim and dmarc in place the source of the email is checked and acted upon accordingly.  

Hi, Robert. As Noel pointed out, this all occurs way before SPF, DKIM, and/or DMARC come into play.

As for what happens if the IP blocks change between cron runs, a spammer would have to take control of an old Google or Microsoft netblock in order to increase any risk, which is unlikely.

And since this is a whitelist, any new IPs that haven't been picked up in the no more than 7 days since the last query would be evaluated by Postscreen per normal... and would likely still get through.
Re: Feedback on Postscreen Whitelist Article

Robert Chalmers-2
Hi Steve,
I implemented the idea, and it works a treat. I’m on OSX 10.11, and apart from a few directory changes, (and my bad spelling) - no problems.

Interesting idea and an excellent script.

Thanks for the work. I understand now what it’s doing.

Robert

On 23 Nov 2015, at 23:54, Steve Jenkins <[hidden email]> wrote:

On Mon, Nov 23, 2015 at 1:48 PM, [hidden email] <[hidden email]> wrote:
Interesting article Steve. What happens when/if they change ip blocks in between cron runs?
and I can't help thinking this may be a little redundant though, with spf, dkim and dmarc in place the source of the email is checked and acted upon accordingly.  

Hi, Robert. As Noel pointed out, this all occurs way before SPF, DKIM, and/or DMARC come into play.

As for what happens if the IP blocks change between cron runs, a spammer would have to take control of an old Google or Microsoft netblock in order to increase any risk, which is unlikely.

And since this is a whitelist, any new IPs that haven't been picked up in the no more than 7 days since the last query would be evaluated by Postscreen per normal... and would likely still get through.

Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay



Re: Feedback on Postscreen Whitelist Article

proto
In reply to this post by Steve Jenkins-2
Thank you Steve.
I did something similar some weeks ago because I had to get in contact
with MS Support urgently.

I remember I had to get outbound gateway IPs from
<spf.protection.outlook.com>, but I didn't use <ns1.msft.net>. Actually
in your script this NS returns no SPF records (IP and includes).

I think this WL could be completed with records from:

spfa.protection.outlook.com
spfb.protection.outlook.com

a.



On 23/11/15 20:42, Steve Jenkins wrote:

> I just posted an article about how to whitelist Gmail and
> Hotmail/Outlook.com IP addresses for Postscreen, based on the
> webmaster's SPF records:
>
> http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
>
> I'd appreciate feedback from anyone on this list generous enough to
> offer it, so I can fix any mistakes or make the article better.
>
> Thanks,
>
> Steve
>
>
> *Steve Jenkins*
> /[hidden email] <mailto:[hidden email]>/
>
Re: Feedback on Postscreen Whitelist Article

Steve Jenkins-2
On Tue, Nov 24, 2015 at 10:32 AM, proto <[hidden email]> wrote:
Thank you Steve.
I did something similar some weeks ago because I had to get in contact with MS Support urgently.

I remember I had to get outbound gateway IPs from <spf.protection.outlook.com>, but I didn't use <ns1.msft.net>. Actually in your script this NS returns no SPF records (IP and includes).

I think this WL could be completed with records from:

spfa.protection.outlook.com
spfb.protection.outlook.com

a.

Alessandro:



My scripting and sed skills are NOT that strong, so I'm certain there are many more elegant ways to do that I'm trying to do... including better automation of parsing through the original SPF record and figuring out the right thing to do. But whatever it's worth, the script now grabs more IPs from Microsoft.

I also think it's crazy that MSFT's primary name servers aren't updated, so that I have to use two different nameservers in the script.

I've half a mind just to query Google's 8.8.8.8 nameserver for the correct MS values... because it got them all right in my tests. LOL

SJ
Re: Feedback on Postscreen Whitelist Article

proto
I think it's a good starting point, Steve.
And it's much better than doing it manually as I did :-)

Anyway... I rapidly tested delivery time from my office365 account:
- WL disabled: 15 hours
- WL enabled: just a few minutes

postgrey enabled.


Thanks!
a.


On 25/11/15 04:45, Steve Jenkins wrote:

> On Tue, Nov 24, 2015 at 10:32 AM, proto <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Thank you Steve.
>     I did something similar some weeks ago because I had to get in
>     contact with MS Support urgently.
>
>     I remember I had to get outbound gateway IPs from
>     <spf.protection.outlook.com <http://spf.protection.outlook.com>>,
>     but I didn't use <ns1.msft.net <http://ns1.msft.net>>. Actually in
>     your script this NS returns no SPF records (IP and includes).
>
>     I think this WL could be completed with records from:
>
>     spfa.protection.outlook.com <http://spfa.protection.outlook.com>
>     spfb.protection.outlook.com <http://spfb.protection.outlook.com>
>
>     a.
>
>
> Alessandro:
>
> I've updated the script to also query spf.protection.outlook.com
> <http://spf.protection.outlook.com>, spfa.protection.outlook.com
> <http://spfa.protection.outlook.com>, and spfb.protection.outlook.com
> <http://spfb.protection.outlook.com>:
>
> https://gist.github.com/stevejenkins/b8898f3632561f9999f4
>
> My scripting and sed skills are NOT that strong, so I'm certain there
> are many more elegant ways to do that I'm trying to do... including
> better automation of parsing through the original SPF record and
> figuring out the right thing to do. But whatever it's worth, the script
> now grabs more IPs from Microsoft.
>
> I also think it's crazy that MSFT's primary name servers aren't
> updated, so that I have to use two different nameservers in the script.
>
> I've half a mind just to query Google's 8.8.8.8 nameserver for the
> correct MS values... because it got them all right in my tests. LOL
>
> SJ
Re: Feedback on Postscreen Whitelist Article

Steve Jenkins-2
On Wed, Nov 25, 2015 at 4:13 AM, ale@proto <[hidden email]> wrote:
I think it's a good starting point, Steve.
And it's much better than doing it manually as I did :-)

Anyway... I rapidly tested delivery time from my office365 account:
- WL disabled: 15 hours
- WL enabled: just a few minutes

postgrey enabled.

Hi, Alessandro. I'd guess that 15 hours was a function of postgrey, and not of anything native to Postfix (including Postscreen).

I don't run postgrey, and have been very satisfied with the combination of Postscreen and some sensible smtpd_recipient_restrictions to block the vast majority of misconfigured mailers trying to connect to my systems.

But regardless of your config, if it's working better for you, that's awesome. :)

SJ
Re: Feedback on Postscreen Whitelist Article

Robert Chalmers-2
Hi Steve,
I’m seeing this in the mail.log

warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 36: non-null host address bits in "207.68.169.173/30", perhaps you should use "207.68.169.172/30" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 40: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 41: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule


What do you think?

Robert



Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay



On 25 Nov 2015, at 17:19, Steve Jenkins <[hidden email]> wrote:

On Wed, Nov 25, 2015 at 4:13 AM, ale@proto <[hidden email]> wrote:
I think it's a good starting point, Steve.
And it's much better than doing it manually as I did :-)

Anyway... I rapidly tested delivery time from my office365 account:
- WL disabled: 15 hours
- WL enabled: just a few minutes

postgrey enabled.

Hi, Alessandro. I'd guess that 15 hours was a function of postgrey, and not of anything native to Postfix (including Postscreen).

I don't run postgrey, and have been very satisfied with the combination of Postscreen and some sensible smtpd_recipient_restrictions to block the vast majority of misconfigured mailers trying to connect to my systems.

But regardless of your config, if it's working better for you, that's awesome. :)

SJ

Re: Feedback on Postscreen Whitelist Article

Ralf Hildebrandt-2
> I’m seeing this in the mail.log
>
> warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 36: non-null host address bits in "207.68.169.173/30", perhaps you should use "207.68.169.172/30" instead: skipping this rule
> Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 40: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
> Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 41: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
>
>
> What do you think?

I think postfix is right :)

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Re: Feedback on Postscreen Whitelist Article

Robert Chalmers-2
So do I.
So I’ll hand cut the cidr file for now, and wait till the author updates his code..



Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay



On 26 Nov 2015, at 12:45, Ralf Hildebrandt <[hidden email]> wrote:

I’m seeing this in the mail.log

warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 36: non-null host address bits in "207.68.169.173/30", perhaps you should use "207.68.169.172/30" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 40: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 41: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule


What do you think?

I think postfix is right :)

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: Feedback on Postscreen Whitelist Article

Robert Chalmers-2
In reply to this post by Ralf Hildebrandt-2
In fact on closer inspection, the last two are duplicates.



Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay



On 26 Nov 2015, at 12:45, Ralf Hildebrandt <[hidden email]> wrote:

I’m seeing this in the mail.log

warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 36: non-null host address bits in "207.68.169.173/30", perhaps you should use "207.68.169.172/30" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 40: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 41: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule


What do you think?

I think postfix is right :)

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: Feedback on Postscreen Whitelist Article

Benny Pedersen-2
In reply to this post by Ralf Hildebrandt-2
On November 26, 2015 1:46:15 PM Ralf Hildebrandt <[hidden email]> wrote:

>> What do you think?
> I think postfix is right :)

wish microsoft learn to use shorewall iprange ? :)

what id have microsoft on dnswl.org ?

hmm
Re: Feedback on Postscreen Whitelist Article

Steve Jenkins-2
In reply to this post by Robert Chalmers-2
On Thu, Nov 26, 2015 at 3:41 AM, Robert Chalmers <[hidden email]> wrote:
Hi Steve,
I’m seeing this in the mail.log

warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 36: non-null host address bits in "207.68.169.173/30", perhaps you should use "207.68.169.172/30" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 40: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule
Nov 26 11:39:25 zeus postfix/postscreen[29402]: warning: cidr map /usr/local/etc/postfix/msft_whitelist.cidr, line 41: non-null host address bits in "65.55.238.129/26", perhaps you should use "65.55.238.128/26" instead: skipping this rule


What do you think?

G'day, Robert. I think you probably didn't read the entire blog post, particularly the section titled "Microsoft Is Publishing Invalid IP Ranges in their SPF Record" where I show those exact same warnings in my own maillog. :)

Both offending IPs (which are indeed invalid) appear when you do a dig txt of _spf-ssg-b.microsoft.com. It makes me want to cry a little.

I keep going back and forth regarding whether to strip the offending ranges from the script, though the script technically is functioning properly -- it's taking the IPs reported by a mailer and including them in the whitelist. But it would be better if there were some way to automate verifying they're valid, rather than start coding in special cases. I'll look into that today.

SJ
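Steve's last message asks for a way to validate the published ranges automatically instead of adding special cases. As an added example (not the script from the article, not the gist, and not anything the thread's participants posted), here is a Python sketch of that step: it walks an SPF record through its include: mechanisms, keeps only pass-qualified ip4:/ip6: values, clears non-null host bits the way Postfix's cidr map warning suggests, drops duplicates, and emits postscreen_access_list cidr lines. The provider zone it expands (example-provider.test and its _spf-a/_spf-b records) is constructed inline so nothing is queried; the two real ranges from Robert's warnings are only used to check the canonicalization. Mechanisms that need further DNS (a, mx, ptr, exists) are deliberately skipped.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample zone (no DNS is queried): a made-up provider whose SPF
# record fans out through include: mechanisms, carries one range with host
# bits set (198.51.100.129/26), one entry that duplicates it once canonicalized,
# and a circular include back to _spf-a.
SPF_RECORDS: Dict[str, str] = {
    "mail.example-provider.test":
        "v=spf1 include:_spf-a.example-provider.test include:_spf-b.example-provider.test -all",
    "_spf-a.example-provider.test":
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.129/26 ~all",
    "_spf-b.example-provider.test":
        "v=spf1 ip4:198.51.100.128/26 ip6:2001:db8::/32 ip4:203.0.113.5 "
        "include:_spf-a.example-provider.test ?all",
}

MAX_LOOKUPS = 10  # RFC 7208 allows at most 10 DNS-querying terms per evaluation


def expand_spf(domain: str, records: Dict[str, str], _seen=None) -> List[str]:
    """Collect the ip4:/ip6: values reachable from domain's SPF record.

    Only pass-qualified ("+", the default) mechanisms are kept: a "-ip4:" or
    "~ip4:" term says the range must NOT be trusted, so it has no place in a
    whitelist. a, mx, ptr and exists need more DNS and are skipped here."""
    seen = _seen if _seen is not None else set()
    if domain in seen or len(seen) >= MAX_LOOKUPS:  # loop guard and lookup budget
        return []
    seen.add(domain)
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    found: List[str] = []
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            found.extend(expand_spf(term.split("=", 1)[1], records, seen))
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and arg:
            found.append(arg)
        elif name == "include" and arg:
            found.extend(expand_spf(arg, records, seen))
    return found


def canonicalize(cidr: str) -> Tuple[str, bool]:
    """Return (network/prefix with host bits cleared, True if host bits were set).

    This is the correction Postfix suggests in the "non-null host address bits"
    warning quoted in this thread, applied before the file is written.
    Raises ValueError for a value that is not an address or range."""
    iface = ipaddress.ip_interface(cidr)
    had_host_bits = iface.ip != iface.network.network_address
    return iface.network.with_prefixlen, had_host_bits


def build_cidr_map(mechanisms: List[str]) -> Tuple[List[str], List[str]]:
    """Turn SPF ip4/ip6 values into unique, sorted postscreen_access_list cidr lines."""
    networks = set()
    warnings: List[str] = []
    for value in mechanisms:
        try:
            net, had_host_bits = canonicalize(value)
        except ValueError:
            warnings.append(f"{value}: not a valid address or range, skipped")
            continue
        if had_host_bits:
            warnings.append(f"{value}: non-null host address bits, using {net}")
        networks.add(ipaddress.ip_network(net))
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [f"{n.with_prefixlen} permit" for n in ordered], warnings


if __name__ == "__main__":
    lines, warnings = build_cidr_map(expand_spf("mail.example-provider.test", SPF_RECORDS))
    print("\n".join(lines))
    for w in warnings:
        print("#", w)
```

Writing the canonical form rather than the published one means the two warnings Robert saw never reach postscreen, and the duplicate line (his "last two are duplicates" observation) disappears with the set. Keeping the warnings list, and logging it when the cron job runs, still tells you when a provider publishes a sloppy record, which is the signal Steve wanted to keep rather than silently patch over.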