Is postscreen really this good?

Is postscreen really this good?

The Stovebolt Geek
I've been running postfix with policyd-weight and spamassassin for years on
a small hobby domain that I manage.  I usually have a few hundred spam
messages in the spam folder after a few days.

Recently I found out about postscreen on this list.  After reading about
it, I implemented it in pretty much the default configuration (copied
below.)

I run all mail through a filter script (copied below) that routes the mail
through spamassassin and then either labels it as spam and puts it in a
folder (/var/spool/spam), sends it to me for analysis or sends to the
intended recipient.

Since implementing postscreen my spam folder is empty and my daily message
count has been cut about in half.  Is postscreen really that good???

# postconf -n | grep postscreen
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = ignore
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all

# cat /usr/local/bin/filter.sh
#!/bin/sh

# Simple shell-based filter. It is meant to be invoked as follows:
#       /path/to/script -f sender recipients...

# Localize these.
INSPECT_DIR=/usr/local/filter
SPAMDIR=/var/spool/spam
SENDMAIL="/usr/sbin/sendmail -i"
SPAMASSASSIN=/usr/local/bin/spamassassin
SPAMLIMIT=6
SPAMCK=2

# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Start processing.
cd $INSPECT_DIR || {
    echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

# Clean up when done or when aborting.  The temporary file written below is
# out.$$ (not in.$$ as in the FILTER_README template), so remove that one.
trap "rm -f out.$$" 0 1 2 3 15

cat | $SPAMASSASSIN -x > out.$$ || \
    { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

if egrep -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
then
  mv out.$$ $SPAMDIR
elif egrep -q "^X-Spam-Level: \*{$SPAMCK,}" < out.$$
then
  $SENDMAIL geek < out.$$
else
  $SENDMAIL "$@" < out.$$
fi

exit $?

# grep filter /usr/local/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter:dummyr
filter    unix  -       n       n       -      10       pipe
  flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}

Paul Schmehl ([hidden email])
The Stovebolt Geek
The Net's Oldest and Most Complete
Resource for Antique Chevy and GM Trucks
http://www.stovebolt.com

Re: Is postscreen really this good?

Wietse Venema
The Stovebolt Geek:
> Recently I found out about postscreen on this list.  After reading about
> it, I implemented it in pretty much the default configuration (copied
> below.)

> postscreen_bare_newline_action = ignore
> postscreen_bare_newline_enable = no
> postscreen_blacklist_action = ignore
> postscreen_dnsbl_action = ignore
> postscreen_greet_action = ignore
> postscreen_non_smtp_command_action = drop
> postscreen_non_smtp_command_enable = no
> postscreen_pipelining_action = enforce
> postscreen_pipelining_enable = no

This means postscreen blocks nothing. All it does is send half a
greeting banner and wait 6s. I would not expect that to make
a major difference in the amount of mail handled by your server.

Did you actually look at the maillog file? You should see lots
of clients hanging up without sending mail.

        Wietse

Re: Is postscreen really this good?

ktm@rice.edu
In reply to this post by The Stovebolt Geek
On Tue, Oct 09, 2012 at 11:38:57PM -0500, The Stovebolt Geek wrote:

> I've been running postfix with policyd-weight and spamassassin for
> years on a small hobby domain that I manage.  I usually have a few
> hundred spam messages in the spam folder after a few days.
>
> Recently I found out about postscreen on this list.  After reading
> about it, I implemented it in pretty much the default configuration
> (copied below.)
>
> I run all mail through a filter script (copied below) that routes
> the mail through spamassassin and then either labels it as spam and
> puts it in a folder (/var/spool/spam), sends it to me for analysis
> or sends to the intended recipient.
>
> Since implementing postscreen my spam folder is empty and my daily
> message count has been cut about in half.  Is postscreen really that
> good???

This sounds like an apples to oranges comparison. Have you looked at
false positives and false negatives?

Cheers,
Ken

Re: Is postscreen really this good?

The Stovebolt Geek
In reply to this post by Wietse Venema
--On October 10, 2012 7:12:19 AM -0400 Wietse Venema <[hidden email]>
wrote:

> The Stovebolt Geek:
>> Recently I found out about postscreen on this list.  After reading about
>> it, I implemented it in pretty much the default configuration (copied
>> below.)
>
>> postscreen_bare_newline_action = ignore
>> postscreen_bare_newline_enable = no
>> postscreen_blacklist_action = ignore
>> postscreen_dnsbl_action = ignore
>> postscreen_greet_action = ignore
>> postscreen_non_smtp_command_action = drop
>> postscreen_non_smtp_command_enable = no
>> postscreen_pipelining_action = enforce
>> postscreen_pipelining_enable = no
>
> This means postscreen blocks nothing. All it does is send half a
> greeting banner and wait 6s. I would not expect that to make
> a major difference in the amount of mail handled by your server.
>
> Did you actually look at the maillog file? You should see lots
> of clients hanging up without sending mail.
>

I looked at the maillog and didn't see anything out of the ordinary.

Here's an egrep of the log:

# egrep '(error|fail|warn)' /var/log/maillog
Oct 10 00:16:09 mail postfix/smtpd[71817]: warning: hostname
tail.rpdevco.com does not resolve to address 173.232.29.122
Oct 10 00:16:12 mail postfix/smtpd[71817]: warning: hostname
tail.rpdevco.com does not resolve to address 173.232.29.122
Oct 10 00:20:30 mail postfix/smtpd[71827]: warning: hostname
dynamic-ip-adsl-190.186.20.68.cotas.com.bo does not resolve to address
190.186.20.68: hostname nor servname provided, or not known
Oct 10 01:20:35 mail postfix/smtpd[72056]: warning: hostname tw7.com7.tw
does not resolve to address 184.82.169.124: hostname nor servname provided,
or not known
Oct 10 01:25:12 mail postfix/policyd-weight[6870]: decided action=550
temporarily blocked because of previous errors - retrying too fast.
penalty: 30 seconds x 0 retries.; <client=unknown[220.152.169.130]>
<helo=126.com> <from=[hidden email]>
<to=[hidden email]>; delay: 0s
Oct 10 01:25:12 mail postfix/smtpd[72085]: NOQUEUE: reject: RCPT from
unknown[220.152.169.130]: 550 5.7.1 <[hidden email]>:
Recipient address rejected: temporarily blocked because of previous errors
- retrying too fast. penalty: 30 seconds x 0 retries.;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<126.com>
Oct 10 01:33:02 mail postfix/smtpd[72115]: warning: hostname
177.132.27.90.dynamic.adsl.gvt.net.br does not resolve to address
177.132.27.90: hostname nor servname provided, or not known
Oct 10 01:51:51 mail postfix/smtpd[72146]: warning: hostname
190-51-206-57.speedy.com.ar does not resolve to address 190.51.206.57:
hostname nor servname provided, or not known
Oct 10 01:53:53 mail postfix/smtpd[72146]: warning: hostname
190-51-206-57.speedy.com.ar does not resolve to address 190.51.206.57:
hostname nor servname provided, or not known
Oct 10 01:53:55 mail postfix/policyd-weight[6870]: decided action=550
temporarily blocked because of previous errors - retrying too fast.
penalty: 30 seconds x 0 retries.; <client=unknown[190.51.206.57]>
<helo=[190.51.206.57]> <from=[hidden email]>
<to=[hidden email]>; delay: 0s
Oct 10 01:53:55 mail postfix/smtpd[72146]: NOQUEUE: reject: RCPT from
unknown[190.51.206.57]: 550 5.7.1 <[hidden email]>: Recipient address
rejected: temporarily blocked because of previous errors - retrying too
fast. penalty: 30 seconds x 0 retries.;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<[190.51.206.57]>
Oct 10 01:58:51 mail postfix/smtpd[72181]: warning: hostname
190-51-206-57.speedy.com.ar does not resolve to address 190.51.206.57:
hostname nor servname provided, or not known
Oct 10 02:00:33 mail postfix/smtpd[72181]: warning: hostname
customer-187-157-143-94-sta.uninet-ide.com.mx does not resolve to address
187.157.143.94: hostname nor servname provided, or not known
Oct 10 02:33:33 mail postfix/smtp[72330]: warning: numeric domain name in
resource data of MX record for bettynbud.com: 76.167.181.36
Oct 10 02:45:48 mail postfix/smtpd[72379]: warning: hostname
35.30.32.125.adsl-pool.jlccptt.net.cn does not resolve to address
125.32.30.35: hostname nor servname provided, or not known
Oct 10 03:05:33 mail postfix/smtpd[72525]: warning: hostname
Charls-60-10.pacenet-india.com does not resolve to address 210.89.60.10:
hostname nor servname provided, or not known
Oct 10 03:06:28 mail postfix/smtpd[72525]: warning: hostname
static.23.40.64.95.buh.evh.ro does not resolve to address 95.64.40.23:
hostname nor servname provided, or not known
Oct 10 04:16:28 mail postfix/smtpd[78621]: warning: hostname
box01.nflk1ck0ff.com does not resolve to address 94.242.224.77: hostname
nor servname provided, or not known
Oct 10 04:26:22 mail postfix/smtpd[78660]: warning: hostname
server-plesk.lumomm.nl does not resolve to address 195.184.64.30
Oct 10 04:33:45 mail postfix/smtpd[78700]: warning: hostname
static.23.40.64.95.buh.evh.ro does not resolve to address 95.64.40.23:
hostname nor servname provided, or not known
Oct 10 05:14:47 mail postfix/smtpd[78851]: warning: hostname
184-82-187-247.static.hostnoc.net does not resolve to address
184.82.187.247: hostname nor servname provided, or not known
Oct 10 05:44:42 mail postfix/smtpd[78937]: warning: hostname
www.semtoolroom.com does not resolve to address 72.22.65.82
Oct 10 08:57:14 mail postfix/smtpd[79473]: warning: hostname
web1.flightsimdemo.com does not resolve to address 108.178.59.78: hostname
nor servname provided, or not known
Oct 10 10:44:24 mail postfix/smtpd[79748]: warning: hostname
173.244.206.149.static.ctohome.com does not resolve to address
173.244.206.149: hostname nor servname provided, or not known
Oct 10 10:53:01 mail postfix/smtpd[79761]: warning: hostname
121.245.20.77.cdma-hyderabad.vsnl.net.in does not resolve to address
121.245.20.77: hostname nor servname provided, or not known
Oct 10 10:53:13 mail postfix/smtpd[79761]: warning: hostname
121.245.20.77.cdma-hyderabad.vsnl.net.in does not resolve to address
121.245.20.77: hostname nor servname provided, or not known
Oct 10 11:13:58 mail postfix/smtpd[79854]: warning: hostname
host.colocrossing.com does not resolve to address 198.144.187.214
Oct 10 11:17:06 mail postfix/smtpd[79874]: warning: hostname
host.galagiftsandarrangements.com does not resolve to address 66.171.178.163
Oct 10 11:23:37 mail postfix/smtpd[79906]: warning: hostname
web2.flightsimdemo.com does not resolve to address 198.143.133.158:
hostname nor servname provided, or not known
Oct 10 11:24:49 mail postfix/smtpd[79906]: warning: hostname
ip-69.65.13.3.servernap.net does not resolve to address 69.65.13.3:
hostname nor servname provided, or not known
Oct 10 11:35:33 mail postfix/smtpd[79949]: warning: hostname
199.195.194.101.static.midphase.com does not resolve to address
199.195.194.101: hostname nor servname provided, or not known
Oct 10 11:42:59 mail postfix/smtpd[79960]: warning: hostname
host147.kvchosting.com does not resolve to address 173.214.191.177:
hostname nor servname provided, or not known
Oct 10 11:43:59 mail postfix/policyd-weight[6870]: decided action=550
temporarily blocked because of previous errors - retrying too fast.
penalty: 30 seconds x 0 retries.; <client=unknown[173.214.191.177]>
<helo=host146.kvchosting.com> <from=[hidden email]>
<to=[hidden email]>; delay: 0s
Oct 10 11:43:59 mail postfix/smtpd[79960]: NOQUEUE: reject: RCPT from
unknown[173.214.191.177]: 550 5.7.1 <[hidden email]>:
Recipient address rejected: temporarily blocked because of previous errors
- retrying too fast. penalty: 30 seconds x 0 retries.;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<host146.kvchosting.com>
Oct 10 12:16:02 mail postfix/smtpd[80093]: warning: hostname tw68.com5.tw
does not resolve to address 184.82.169.123: hostname nor servname provided,
or not known
Oct 10 13:17:19 mail postfix/smtpd[80285]: warning: hostname
ip-69.65.40.65.servernap.net does not resolve to address 69.65.40.65:
hostname nor servname provided, or not known
Oct 10 13:32:39 mail postfix/smtpd[80323]: warning: hostname
host.colocrossing.com does not resolve to address 198.144.187.210
Oct 10 13:39:49 mail postfix/smtpd[80373]: warning: hostname
server1.youthbasketballlessons.biz does not resolve to address
94.242.224.107: hostname nor servname provided, or not known
Oct 10 14:00:00 mail postfix/smtpd[80451]: warning: hostname
173-208-33-2.rdns.ubiquityservers.com does not resolve to address
173.208.33.2: hostname nor servname provided, or not known
Oct 10 14:01:55 mail postfix/smtpd[80476]: warning: hostname
web1.flightsimdemo.com does not resolve to address 108.178.59.77: hostname
nor servname provided, or not known
Oct 10 14:14:42 mail postfix/smtpd[80527]: warning: hostname
hosted-by.altushost.com does not resolve to address 79.142.79.104: hostname
nor servname provided, or not known
Oct 10 14:17:09 mail postfix/smtpd[80527]: warning: hostname
198.105.209.244.static.midphase.com does not resolve to address
198.105.209.244: hostname nor servname provided, or not known
Oct 10 14:22:59 mail postfix/smtpd[80562]: warning: hostname static.kpn.net
does not resolve to address 92.71.230.81: hostname nor servname provided,
or not known
Oct 10 14:26:51 mail postfix/smtpd[80570]: warning: hostname
64-120-168-166.static.hostnoc.net does not resolve to address
64.120.168.166: hostname nor servname provided, or not known

For completeness, here's postconf -n

# postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases hash:/usr/local/mailman/data/aliases
allow_mail_to_commands = alias,forward
allow_mail_to_files = alias,forward
allow_percent_hack = no
anvil_status_update_time = 1d
biff = no
body_checks = pcre:$config_directory/body-checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/usr/bin: xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
default_process_limit = 75
delay_warning_time = 1d
header_checks = pcre:$config_directory/header-checks.pcre
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_recipient_limit = 3000
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 100
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 104857600
maildrop_destination_recipient_limit = 1
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 5d
mydestination = $myhostname, localhost.$mydomain, localhost mail.$mydomain, www.$mydomain, lists.$mydomain, $mydomain
mydomain = stovebolt.com
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8,216.58.158.170/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
owner_request_special = no
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = ignore
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, www.stovebolt.com, server1.stovebolt.com
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
smtpd_junk_command_limit = 5
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:$config_directory/access reject_unauth_pipelining reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain check_recipient_access hash:$config_directory/policyd_weight_recipient_whitelist check_client_access hash:$config_directory/policyd_weight_client_whitelist check_policy_service inet:127.0.0.1:12525 permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = friendshipforest.com fieldoftrees.com txantimedia.com
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

--
Paul Schmehl ([hidden email])


Re: Is postscreen really this good?

The Stovebolt Geek
In reply to this post by ktm@rice.edu
I think I may know what's wrong.  Here are the master.cf settings:

# grep -v "#" /usr/local/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter:dummyr
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache  unix - - n - 1 scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
filter    unix  -       n       n       -      10       pipe
  flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}
relay  unix - - n - - smtp
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog

In reading the docs it says to comment out the smtp line and uncomment the
one that routes to postscreen.  I have both uncommented.

# grep -v "#" /usr/local/etc/postfix/master.cf | grep smtp
smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter:dummyr
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtp      unix  -       -       n       -       -       smtp
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
relay  unix - - n - - smtp
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd

The problem is, I also want to route through filter.sh, so how do I do that?

--
Paul Schmehl ([hidden email])


Re: Is postscreen really this good?

Brian Evans - Postfix List
On 10/10/2012 11:04 AM, Paul Schmehl wrote:

> I think I may know what's wrong.  Here are the master.cf settings:
>
> In reading the docs it says to comment out the smtp line and uncomment
> the one that routes to postscreen.  I have both uncommented.
>
> # grep -v "#" /usr/local/etc/postfix/master.cf | grep smtp
> smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter:dummyr
> smtps    inet  n       -       n       -       -       smtpd
>  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> smtp      unix  -       -       n       -       -       smtp
> bsmtp     unix  -       n       n       -       -       pipe
>  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> relay      unix    -    -    n    -    -    smtp
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
>
> The problem is, I also want to route through filter.sh, so how do I do
> that?
>
You comment out the first line.
Then, do this on the pass line:
smtpd     pass  -       -       n       -       -       smtpd -o content_filter=filter:dummyr

This is all documented in the POSTSCREEN_README.
Until you see postscreen lines in your syslog, it's not doing anything.
The ignore actions will let you check the log for what would be blocked.
Then you can use the enforce action to get results.

Brian
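The check below is an added example and not part of Brian's reply or of Postfix itself: a POSIX sh/awk function that reads a master.cf, joins continuation lines, reports every active entry that listens as `smtp inet`, and says whether the `smtpd pass` entry carries the content_filter override. The two master.cf fragments are constructed from the lines posted in this thread (the `filter:dummyr` next-hop name is the poster's); the function, its output format and the entry names it keys on are this example's own assumptions.

```sh
#!/bin/sh
# Constructed master.cf fragment reproducing the mistake in the thread: two
# uncommented "smtp inet" entries (smtpd and postscreen) compete for port 25,
# and the content_filter override sits on the smtpd entry that has to go.
BROKEN_MASTER='smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=filter:dummyr
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtp      unix  -       -       n       -       -       smtp
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog'

# The same fragment after the fix: the old listener is commented out and the
# override moved to the "smtpd pass" service that postscreen hands clients to.
FIXED_MASTER='#smtp     inet  n       -       n       -       -       smtpd
#  -o content_filter=filter:dummyr
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtp      unix  -       -       n       -       -       smtp
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o content_filter=filter:dummyr
dnsblog   unix  -       -       n       -       0       dnsblog'

# check_master < master.cf
# Joins continuation lines (they start with whitespace), then prints one
# "owner <command>" line per active "smtp inet" entry, the count of those
# entries, and whether the "smtpd pass" entry carries a content_filter override.
check_master() {
    awk '
    function flush(   f) {
        if (entry == "") return
        split(entry, f, " ")
        if (f[1] == "smtp" && f[2] == "inet") { owners++; printf "owner %s\n", f[8] }
        if (f[1] == "smtpd" && f[2] == "pass" && entry ~ /content_filter=/) pass_filter = 1
        entry = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]/ { entry = entry " " $0; next }    # continuation of the current entry
    { flush(); entry = $0 }                    # a new service entry starts
    END {
        flush()
        printf "port25_owners %d\n", owners
        printf "pass_has_filter %s\n", (pass_filter ? "yes" : "no")
    }'
}

echo '== before =='; printf '%s\n' "$BROKEN_MASTER" | check_master
echo '== after ==';  printf '%s\n' "$FIXED_MASTER"  | check_master
```

Run it as `check_master < /usr/local/etc/postfix/master.cf` before restarting: two entries cannot both own port 25, and whichever one does decides whether postscreen and the content filter are in the path at all. The check keys on the service name `smtp`; a listener written by port number (`25 inet`) needs the name test extended. Postfix 2.11 and later can also print master.cf entries with `postconf -M`.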

Re: Is postscreen really this good?

Noel Jones-2
In reply to this post by The Stovebolt Geek
On 10/10/2012 10:04 AM, Paul Schmehl wrote:
> In reading the docs it says to comment out the smtp line and
> uncomment the one that routes to postscreen.  I have both uncommented.
>

Yes, that's important, only one will have control of port 25.


> # grep -v "#" /usr/local/etc/postfix/master.cf | grep smtp
> smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter:dummyr

Yes, the above line must be commented out or removed.

Anything postscreen does will be logged:
# grep '/postscreen' /var/log/maillog


> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
>
> The problem is, I also want to route through filter.sh, so how do I
> do that?

add your -o content_filter override to the new smtpd pass service.



  -- Noel Jones
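Brian's and Noel's advice comes down to two checks: postscreen lines must show up in the maillog at all, and while every action is still `ignore` the log already tells you what `enforce` would have rejected. The script below is an added example (not from either reply, and not a Postfix tool): it tallies postscreen events and lists the `PASS NEW` clients that had already failed the PREGREET or DNSBL test. The log excerpt is constructed for the example using the event names POSTSCREEN_README documents; hostnames, addresses and PIDs are invented, and the three-field syslog timestamp matches the poster's maillog.

```sh
#!/bin/sh
# Constructed postscreen log excerpt (hosts, addresses, PIDs invented). With
# every *_action at "ignore", a client that fails a test is logged and then
# still gets "PASS NEW"; the DNSBL rank line appears when the combined score
# reaches postscreen_dnsbl_threshold.
SAMPLE_LOG='Oct 11 10:00:01 mail postfix/postscreen[1001]: CONNECT from [192.0.2.10]:51234 to [198.51.100.5]:25
Oct 11 10:00:01 mail postfix/postscreen[1001]: PREGREET 11 after 0.02 from [192.0.2.10]:51234: EHLO spam\r\n
Oct 11 10:00:02 mail postfix/postscreen[1001]: DNSBL rank 2 for [192.0.2.10]:51234
Oct 11 10:00:02 mail postfix/postscreen[1001]: PASS NEW [192.0.2.10]:51234
Oct 11 10:00:03 mail postfix/postscreen[1001]: DISCONNECT [192.0.2.10]:51234
Oct 11 10:01:00 mail postfix/postscreen[1001]: CONNECT from [192.0.2.20]:40000 to [198.51.100.5]:25
Oct 11 10:01:01 mail postfix/postscreen[1001]: HANGUP after 1.2 from [192.0.2.20]:40000 in tests before SMTP handshake
Oct 11 10:01:01 mail postfix/postscreen[1001]: DISCONNECT [192.0.2.20]:40000
Oct 11 10:02:00 mail postfix/postscreen[1001]: CONNECT from [203.0.113.7]:33000 to [198.51.100.5]:25
Oct 11 10:02:06 mail postfix/postscreen[1001]: PASS NEW [203.0.113.7]:33000
Oct 11 10:02:07 mail postfix/postscreen[1001]: DISCONNECT [203.0.113.7]:33000
Oct 11 10:03:00 mail postfix/smtpd[1002]: warning: hostname unknown.example does not resolve to address 203.0.113.7
Oct 11 10:03:00 mail postfix/postscreen[1001]: CONNECT from [203.0.113.7]:33100 to [198.51.100.5]:25
Oct 11 10:03:00 mail postfix/postscreen[1001]: PASS OLD [203.0.113.7]:33100
Oct 11 10:03:01 mail postfix/postscreen[1001]: DISCONNECT [203.0.113.7]:33100'

# postscreen_summary < maillog
# Counts postscreen events and lists the "PASS NEW" clients that had already
# failed a pre-greeting test, i.e. what "enforce" would start rejecting.
postscreen_summary() {
    awk '
    # the [addr]:port token after the event keyword, reduced to the address
    function client(   i, s) {
        for (i = e; i <= NF; i++)
            if ($i ~ /^\[[0-9A-Fa-f.:]+\]:[0-9]+/) {
                s = $i; sub(/^\[/, "", s); sub(/\].*$/, "", s); return s
            }
        return ""
    }
    {   # locate the process field so the timestamp format does not matter
        ev = ""
        for (j = 1; j <= NF; j++)
            if ($j ~ /\/postscreen\[/) { e = j + 1; ev = $e; break }
    }
    ev == ""         { next }                   # other daemons: smtpd, policyd-weight, ...
    { c = client() }
    ev == "CONNECT"  { n["connect"]++ }
    ev == "PREGREET" { n["pregreet"]++; hit[c] = hit[c] " PREGREET" }
    ev == "DNSBL" && $(e+1) == "rank" { n["dnsbl"]++; hit[c] = hit[c] " DNSBL=" $(e+2) }
    ev == "HANGUP"   { n["hangup"]++ }
    ev == "PASS" && $(e+1) == "NEW" {
        n["pass_new"]++
        if (c in hit) { n["would_block"]++; who = who " " c ":" substr(hit[c], 2) }
    }
    ev == "PASS" && $(e+1) == "OLD" { n["pass_old"]++ }
    ev ~ /^NOQUEUE/  { n["reject"]++ }          # only logged once an action is enforce
    END {
        split("connect pregreet dnsbl hangup pass_new pass_old reject would_block", k, " ")
        for (i = 1; i <= 8; i++) printf "%s %d\n", k[i], n[k[i]]
        if (who != "") printf "would_block_clients%s\n", who
    }'
}

# Stand-alone demo on the constructed excerpt; on a live system run
#   postscreen_summary < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | postscreen_summary
```

If `connect` stays at zero on a real log, postscreen is not in front of port 25 at all, which is exactly the situation in this thread. `pass_old` counts clients served from the postscreen cache, so a large `pass_old` with a small `pass_new` is the normal picture once the cache has warmed up.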

Re: Is postscreen really this good?

The Stovebolt Geek
--On October 10, 2012 10:37:26 AM -0500 Noel Jones <[hidden email]>
wrote:

>
> add your -o content_filter override to the new smtpd pass service.
>

Thanks, Brian and Noel.  I appreciate the help.  I read all the readme
files, but some of this stuff is above my pay grade.  I get confused and am
not sure what to do.

--
Paul Schmehl ([hidden email])


Re: Is postscreen really this good? [how to configure postscreen]

Mark Alan-2
On Wed, 10 Oct 2012 10:43:47 -0500, Paul Schmehl <[hidden email]>
wrote:

> readme files, but some of this stuff is above my pay grade.  I get
> confused and am not sure what to do.

In order to benefit from postscreen you need to change both master.cf
and main.cf.
Assuming that you are starting with a fresh Postfix install:

I. To change master.cf:
  a) comment out the line that starts with smtp  and ends with smtpd
  b) uncomment the lines that: start with smtpd and end in pass; or the
  lines that have the following terms in them 'postscreen', 'dnsblog'
  'tlsproxy'
 In a debian/ubuntu linux you would only need to execute the following
 single line command as root:
 sed -i 's,^smtp .*smtpd$,#&,;/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf

II. To change main.cf (maybe it will be safer for you to use the
postconf -e '' construct, instead of editing main.cf directly).
  You could start with the following:
  a) to enforce tests & log attempts
    postconf -e 'postscreen_blacklist_action = enforce'
    postconf -e 'postscreen_dnsbl_action = enforce'
    postconf -e 'postscreen_greet_action = enforce'
  b) to benefit from RBL lists
  # ( do check options at: http://www.sdsc.edu/~jeff/spam/cbc.html )
    postconf -e 'postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net'
    postconf -e 'postscreen_dnsbl_threshold = 1'
  c) to enable (more expansive) tests after the 220 SMTP greeting
    postconf -e 'postscreen_pipelining_enable = yes'
    postconf -e 'postscreen_non_smtp_command_enable = yes'
    postconf -e 'postscreen_bare_newline_action = enforce'
    postconf -e 'postscreen_bare_newline_enable = yes'

All other postscreen related settings will work rather well at their
default values. Probably you will not need to explicitly set them.

Finally, remember that changes to master.cf need a Postfix restart (a simple 'reload' won't be enough). So, after executing the above commands, run as root:
   /etc/init.d/postfix restart


Regards,

Mark

Re: Is postscreen really this good? [how to configure postscreen]

/dev/rob0
On Thu, Oct 11, 2012 at 09:57:29AM +0100, Mark Alan wrote:
> On Wed, 10 Oct 2012 10:43:47 -0500, Paul Schmehl
> <[hidden email]> wrote:
>
> > readme files, but some of this stuff is above my pay grade.  I
> > get confused and am not sure what to do.
>
> In order to benefit from postscreen you need to change both
> master.cf and main.cf.
> Assuming that you are starting with a fresh Postfix install:

I would recommend the Postscreen README:

http://www.postfix.org/POSTSCREEN_README.html

I don't think copy-and-paste howtos of this nature are useful. The
administrator really does need to think and fully understand what
s/he is doing and why.

> I. To change master.cf:
>   a) comment out the line that starts with smtp  and ends with smtpd
>   b) uncomment the lines that: start with smtpd and end in pass; or the
>   lines that have the following terms in them 'postscreen', 'dnsblog'
>   'tlsproxy'
>  In a debian/ubuntu linux you would only need to execute the following
>  single line command as root:
>  sed -i 's,^smtp .*smtpd$,#&,;/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf
>
> II. To change main.cf (maybe it will be safer for you to use the
> postconf -e '' construct, instead of editing main.cf directly).
>   You could start with the following:
>   a) to enforce tests & log attempts
>     postconf -e 'postscreen_blacklist_action = enforce'
>     postconf -e 'postscreen_dnsbl_action = enforce'
>     postconf -e 'postscreen_greet_action = enforce'
>   b) to benefit from RBL lists
>   # ( do check options at: http://www.sdsc.edu/~jeff/spam/cbc.html )

That is good advice, but it should also mention that one must be
familiar with any DNSBL's policies before entrusting it to control
access to your mailboxes. The site above has links to each DNSBL's
web pages which describe those policies.

>     postconf -e 'postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net'
>     postconf -e 'postscreen_dnsbl_threshold = 1'

This is not good advice. Using the default postscreen_dnsbl_threshold
setting of 1 (you do not need to set that), each site will be doing
blocking of mail. Any DNSBL listing means rejection.

Spamcop is too unpredictable for outright blocking of mail. It might
prove safe enough if combined with a whitelist like list.dnswl.org,
but expect occasional problems with freemail sites if using Spamcop
in this way.

SORBS has a reputation for being aggressive, and such aggression
against spam can cause blockage of real mail. Here too I would not
suggest SORBS for use in this manner.

Zen of course is excellent. I can also recommend Barracuda's BRBL as
safe and effective for general use, but that requires you to
register, and lo and behold, that can't be covered in a copy/paste
howto!

Personally, I use postscreen_dnsbl_threshold=3 and weights in my
postscreen_dnsbl_sites. Three one-point sites or a two-point site
plus any other, will cause mail to be blocked unless in a DNS
whitelist. I posted my config on this list in 2011:
https://groups.google.com/d/topic/mailing.postfix.users/v1bUYV98amE/

>   c) to enable (more expansive) tests after the 220 SMTP greeting

Aforementioned README explains that these might have unintended
consequences. See the "Important note:" following this:

http://www.postfix.org/POSTSCREEN_README.html#after_220

>     postconf -e 'postscreen_pipelining_enable = yes'
>     postconf -e 'postscreen_non_smtp_command_enable = yes'
>     postconf -e 'postscreen_bare_newline_action = enforce'
>     postconf -e 'postscreen_bare_newline_enable = yes'
>
> All other postscreen related settings will work rather well at
> their default values. Probably you will not need to explicitly
> set them.
>
> Finally, remember that changes to master.cf need a Postfix restart
> (a simple 'reload' won't be enough). So, after executing the above
> commands, run as root:
>    /etc/init.d/postfix restart

This is a script which may (or may not) be provided by the
distributor. "postfix stop" and "postfix start" are the generic
upstream commands (this is the upstream list, not a Debian one.)
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
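To make the arithmetic behind rob0's threshold-3 setup concrete, here is an added example (mine, not rob0's posted config and not Postfix code) that evaluates a weighted postscreen_dnsbl_sites list against a constructed table of DNSBL answers. The `site*weight` and `site=reply-pattern*weight` forms and the `[lo..hi]` octet ranges follow my reading of postconf(5) for postscreen_dnsbl_sites and should be checked against your version; the weights, the dnswl reply filter, the client addresses and the answers are this example's assumptions, and no DNS query is made.

```sh
#!/bin/sh
# Weighted list in the site*weight / site=reply-pattern*weight form of
# postscreen_dnsbl_sites (syntax as read from postconf(5); the weights and the
# dnswl reply filter are this example's assumptions, not recommended values).
SITES='zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spamcop.net*1 dnsbl.sorbs.net*1 list.dnswl.org=127.0.[0..255].[1..3]*-2'
THRESHOLD=3    # postscreen_dnsbl_threshold: inclusive lower bound for rejecting

# Constructed DNSBL answers, "client site reply"; no DNS lookup is performed.
ANSWERS='192.0.2.10 zen.spamhaus.org 127.0.0.4
192.0.2.10 bl.spamcop.net 127.0.0.2
192.0.2.11 bl.spamcop.net 127.0.0.2
192.0.2.11 dnsbl.sorbs.net 127.0.0.6
192.0.2.12 b.barracudacentral.org 127.0.0.2
192.0.2.12 bl.spamcop.net 127.0.0.2
192.0.2.13 b.barracudacentral.org 127.0.0.2
192.0.2.13 bl.spamcop.net 127.0.0.2
192.0.2.13 list.dnswl.org 127.0.5.2'

# dnsbl_rank CLIENT: prints "RANK reject|pass" followed by the contributing
# sites and their weights.
dnsbl_rank() {
    printf '%s\n' "$ANSWERS" | awk -v client="$1" -v sites="$SITES" -v thr="$THRESHOLD" '
    # one octet of a reply pattern: a literal number, or a range rewritten as [lo-hi]
    function octet_ok(pat, val,   sep) {
        if (substr(pat, 1, 1) != "[") return pat + 0 == val + 0
        pat = substr(pat, 2, length(pat) - 2)
        sep = index(pat, "-")
        return val + 0 >= substr(pat, 1, sep - 1) + 0 && val + 0 <= substr(pat, sep + 1) + 0
    }
    # does a DNSBL reply satisfy the site filter (empty filter: any 127.x.x.x answer)
    function reply_ok(pattern, reply,   p, r, i) {
        if (reply !~ /^127\./) return 0
        if (pattern == "") return 1
        gsub(/\.\./, "-", pattern)
        if (split(pattern, p, ".") != 4 || split(reply, r, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (!octet_ok(p[i], r[i])) return 0
        return 1
    }
    BEGIN {
        gsub(/,/, " ", sites)                      # the parameter is comma/space separated
        n = split(sites, tok, " ")
        for (i = 1; i <= n; i++) {
            t = tok[i]; w = 1; f = ""
            if ((k = index(t, "*")) > 0) { w = substr(t, k + 1) + 0; t = substr(t, 1, k - 1) }
            if ((k = index(t, "=")) > 0) { f = substr(t, k + 1); t = substr(t, 1, k - 1) }
            wt[t] = w; flt[t] = f
        }
    }
    $1 == client && ($2 in wt) && reply_ok(flt[$2], $3) {
        rank += wt[$2]; why = why " " $2 "=" wt[$2]
    }
    END { printf "%d %s%s\n", rank, (rank >= thr ? "reject" : "pass"), why }'
}

for c in 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13; do
    printf '%s -> %s\n' "$c" "$(dnsbl_rank "$c")"
done
```

192.0.2.11 shows two one-point listings falling short of the threshold, 192.0.2.12 the two-point-plus-one case rob0 describes, and 192.0.2.13 how a negative-weight whitelist entry pulls an otherwise blocked client back under the threshold. The decision uses the inclusive comparison postscreen_dnsbl_threshold is documented with (rank >= threshold); a reply that is not in 127.0.0.0/8 never counts, which is also why a DNSBL whose reply codes you have not read is a risk rather than a setting.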