Postfix Postscreen Pregreet Test


Postfix Postscreen Pregreet Test

Nguyen Nang Thang
Hi all,

I've used Postfix/Postscreen to protect our email system from zombies/spambots.
Currently, I've set up the pregreet test of Postscreen with the configuration below:
In main.cf:
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        bl.mailspike.net*3
        b.barracudacentral.org*2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl    = 1h
postscreen_greet_banner = $smtpd_banner
postscreen_greet_wait = 6s
postscreen_greet_action = enforce

I do not know how to demonstrate the test "postscreen_greet_wait" to know that
Postscreen is protecting against zombies/spambots that speak before their turn.
Any tools or ways for this test?

Regards,
Thang

Re: Postfix Postscreen Pregreet Test

Wietse Venema
Nguyen Nang Thang:
> I do not know how to demonstrate the test "postscreen_greet_wait" to know that
> Postscreen is protecting against zombies/spambots that speak before their turn.
> Any tools or ways for this test?

Turn it on, and let the zombies be your testers.

Jan 22 00:00:53 spike postfix/postscreen[44350]: CONNECT from [177.231.207.212]:38026 to [168.100.189.4]:25
Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by domain zen.spamhaus.org as 127.0.0.11
Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by domain zen.spamhaus.org as 127.0.0.3
Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by domain zen.spamhaus.org as 127.0.0.4
Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from [177.231.207.212]:38026: HELO bryozoann\r\n
Jan 22 00:00:54 spike postfix/postscreen[44350]: DNSBL rank 2 for [177.231.207.212]:38026
Jan 22 00:00:54 spike postfix/postscreen[44350]: NOQUEUE: reject: RCPT from [177.231.207.212]:38026: 550 5.7.1 Service unavailable; client [177.231.207.212] blocked using zen.spamhaus.org; from=<[hidden email]>, to=<[hidden email]>, proto=SMTP, helo=<bryozoann>
Jan 22 00:01:01 spike postfix/postscreen[44350]: DISCONNECT [177.231.207.212]:38026
 
        Wietse

Re: Postfix Postscreen Pregreet Test

Nguyen Nang Thang
----- Original Message -----
> From: "Wietse Venema" <[hidden email]>
> To: "Postfix users" <[hidden email]>
> Cc: [hidden email], [hidden email]
> Sent: Saturday, January 23, 2016 7:29:00 AM
> Subject: Re: Postfix Postscreen Pregreet Test

> Nguyen Nang Thang:
>> I do not know how to demonstrate the test "postscreen_greet_wait" to know that
>> Postscreen is protecting against zombies/spambots that speak before their turn.
>> Any tools or ways for this test?
>
> Turn it on, and let the zombies be your testers.
>
> Jan 22 00:00:53 spike postfix/postscreen[44350]: CONNECT from
> [177.231.207.212]:38026 to [168.100.189.4]:25
> Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by
> domain zen.spamhaus.org as 127.0.0.11
> Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by
> domain zen.spamhaus.org as 127.0.0.3
> Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by
> domain zen.spamhaus.org as 127.0.0.4
> Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from
> [177.231.207.212]:38026: HELO bryozoann\r\n
> Jan 22 00:00:54 spike postfix/postscreen[44350]: DNSBL rank 2 for
> [177.231.207.212]:38026
> Jan 22 00:00:54 spike postfix/postscreen[44350]: NOQUEUE: reject: RCPT from
> [177.231.207.212]:38026: 550 5.7.1 Service unavailable; client
> [177.231.207.212] blocked using zen.spamhaus.org;
> from=<[hidden email]>, to=<[hidden email]>, proto=SMTP,
> helo=<bryozoann>
> Jan 22 00:01:01 spike postfix/postscreen[44350]: DISCONNECT
> [177.231.207.212]:38026

Wietse Venema:

I'm clear that zombies/spambots are my testers. The DNSBL feature works fine.
But I'm not clear how to find out, by some tests, that "SMTP clients speak before
their turn".
I've configured the parameter "postscreen_greet_wait = 6s" because my goal is to find
some ways to test this parameter (not the DNSBL feature, which works fine).

Your example log is for the DNSBL, not for the parameter "postscreen_greet_wait", right?

Regards,
Thang

Re: Postfix Postscreen Pregreet Test

Wietse Venema
Nguyen Nang Thang:
> > domain zen.spamhaus.org as 127.0.0.4
> > Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from
> > [177.231.207.212]:38026: HELO bryozoann\r\n

That is a zombie that speaks before its turn.

Quoting from POSTSCREEN_README:

When an SMTP client sends a command before the postscreen_greet_wait time has
elapsed, postscreen(8) logs this as:

    PREGREET count after time from [address]:port text...

Translation: the client at [address]:port sent count bytes before its turn to
speak. This happened time seconds after the postscreen_greet_wait timer was
started. The text is what the client sent (truncated to 100 bytes, and with
non-printable characters replaced with C-style escapes such as \r for carriage
return and \n for newline).


        Wietse

Re: Postfix Postscreen Pregreet Test

Nguyen Nang Thang
----- Original Message -----
> From: "Wietse Venema" <[hidden email]>
> To: "Postfix users" <[hidden email]>
> Sent: Saturday, January 23, 2016 8:21:47 AM
> Subject: Re: Postfix Postscreen Pregreet Test

> Nguyen Nang Thang:
>> > domain zen.spamhaus.org as 127.0.0.4
>> > Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from
>> > [177.231.207.212]:38026: HELO bryozoann\r\n
>
> That is a zombie that speaks before its turn.

Ok, I'm clear about the operation of the parameter "postscreen_greet_wait".
Log in our email system shows as below:
Jan 22 00:57:59 gw postfix/postscreen[4837]: CONNECT from [201.139.132.41]:37245 to [192.168.100.79]:25
Jan 22 00:57:59 gw postfix/postscreen[4837]: PREGREET 50 after 0.52 from [201.139.132.41]:37245: HELO 201.139.132.41.cable.dyn.cableonline.com.mx\r\n
=> The IP 201.139.132.41 is monitored by the pregreet test.

But my current concern is how to manually test the parameter "postscreen_greet_wait" with my own test.
My goal is to test the operation of this parameter manually, but I do not know how to test it.

Regards,
N. Thang

Re: Postfix Postscreen Pregreet Test

Wietse Venema
Nguyen Nang Thang:

> >> > domain zen.spamhaus.org as 127.0.0.4
> >> > Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from
> >> > [177.231.207.212]:38026: HELO bryozoann\r\n
> >
> > That is a zombie that speaks before its turn.
>
> Ok, I'm clear about the operation of the parameter "postscreen_greet_wait".
> Log in our email system shows as below:
> Jan 22 00:57:59 gw postfix/postscreen[4837]: CONNECT from [201.139.132.41]:37245 to [192.168.100.79]:25
> Jan 22 00:57:59 gw postfix/postscreen[4837]: PREGREET 50 after 0.52 from [201.139.132.41]:37245: HELO 201.139.132.41.cable.dyn.cableonline.com.mx\r\n
> => The IP 201.139.132.41 is monitored by Pregreeting test.
>
> But my current concern is how to manually test the parameter
> "postscreen_greet_wait" by my own test?

Postfix sends:

        220-myhostname ESMTP

Postfix waits $postscreen_greet_wait seconds.
Bad SMTP clients will greet before $postscreen_greet_wait seconds
have passed.

        220 myhostname ESMTP

Good SMTP clients will greet now.

        Wietse
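A client-side reply reader for the two-stage greeting Wietse describes, added here as an example that is not from the thread or from Postfix. A compliant client reads until the "220 " line, so it necessarily waits out the postscreen_greet_wait pause; writing anything after the "220-" line is what postscreen logs as PREGREET. The helper names (polite_client, demo_exchange) and the socketpair exchange are constructed for the demonstration.

```python
import io
import socket

def read_smtp_reply(stream):
    """Read one complete SMTP reply from a binary file-like stream.

    Per RFC 5321, "220-text" continues a multi-line reply and "220 text"
    (a space after the code) ends it. A compliant client returns from here
    only after the final line, so it cannot speak during the pause that
    postscreen leaves between "220-myhostname ESMTP" and "220 myhostname ESMTP".
    """
    code, lines = None, []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError(f"reply code changed within a reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines  # final line: now it is the client's turn
        if line[3] != "-":
            raise ValueError(f"unexpected separator in reply line: {line!r}")

def reply_from_bytes(data):
    """Parse a captured reply; raises ConnectionError if it is incomplete."""
    return read_smtp_reply(io.BytesIO(data))

def polite_client(sock, helo_name):
    """Wait for the whole greeting, then send EHLO and return its reply.

    Hypothetical helper, not Postfix code: this is the behaviour postscreen
    expects. Sending EHLO before read_smtp_reply() returns is a PREGREET.
    """
    rfile = sock.makefile("rb")
    code, banner = read_smtp_reply(rfile)
    if code != 220:
        raise RuntimeError(f"server refused the session: {code} {banner}")
    sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
    return read_smtp_reply(rfile)

def demo_exchange():
    """Constructed exchange over a socketpair: one end plays postscreen."""
    server, client = socket.socketpair()
    server.sendall(b"220-myhostname ESMTP\r\n220 myhostname ESMTP\r\n250 myhostname\r\n")
    ehlo_reply = polite_client(client, "client.example")
    return ehlo_reply, server.recv(64)  # ((250, ['myhostname']), b'EHLO client.example\r\n')
```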

Re: Postfix Postscreen Pregreet Test

Nguyen Nang Thang
----- Original Message -----
> From: "Wietse Venema" <[hidden email]>
> To: "Nguyen Nang Thang" <[hidden email]>
> Cc: "Postfix users" <[hidden email]>
> Sent: Saturday, January 23, 2016 9:09:09 AM
> Subject: Re: Postfix Postscreen Pregreet Test

> Nguyen Nang Thang:
>> >> > domain zen.spamhaus.org as 127.0.0.4
>> >> > Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from
>> >> > [177.231.207.212]:38026: HELO bryozoann\r\n
>> >
>> > That is a zombie that speaks before its turn.
>>
>> Ok, I'm clear about the operation of the parameter "postscreen_greet_wait".
>> Log in our email system shows as below:
>> Jan 22 00:57:59 gw postfix/postscreen[4837]: CONNECT from [201.139.132.41]:37245
>> to [192.168.100.79]:25
>> Jan 22 00:57:59 gw postfix/postscreen[4837]: PREGREET 50 after 0.52 from
>> [201.139.132.41]:37245: HELO 201.139.132.41.cable.dyn.cableonline.com.mx\r\n
>> => The IP 201.139.132.41 is monitored by Pregreeting test.
>>
>> But my current concern is how to manually test the parameter
>> "postscreen_greet_wait" by my own test?
>
> Postfix sends:
>
> 220-myhostname ESMTP
>
> Postfix waits $postscreen_greet_wait seconds.
> Bad SMTP clients will greet before $postscreen_greet_wait seconds
> have passed.
>
> 220 myhostname ESMTP
>
> Good SMTP clients will greet now.

Wietse:
Thanks for your detailed explanation. Can you suggest technical ways to manually test bad SMTP clients
that greet before $postscreen_greet_wait seconds have passed?
It's true that we cannot use the "telnet" command to test, because I'm thinking scripts/tools are the suitable
ways to test bad SMTP clients, right?

Regards,
Thang

Re: Postfix Postscreen Pregreet Test

Wietse Venema
Nguyen Nang Thang:

> > Postfix sends:
> >
> > 220-myhostname ESMTP
> >
> > Postfix waits $postscreen_greet_wait seconds.
> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
> > have passed.
> >
> > 220 myhostname ESMTP
> >
> > Good SMTP clients will greet now.
>
> Wietse:
> Thanks for your detailed explanation. Can you suggest technical ways to manually test bad SMTP clients
> that greet before $postscreen_greet_wait seconds have passed?

echo whatever | nc host 25

        Wietse

Re: Postfix Postscreen Pregreet Test

Nguyen Nang Thang
----- Original Message -----
> From: "Wietse Venema" <[hidden email]>
> To: "Postfix users" <[hidden email]>
> Sent: Saturday, January 23, 2016 9:57:40 AM
> Subject: Re: Postfix Postscreen Pregreet Test

> Nguyen Nang Thang:
>> > Postfix sends:
>> >
>> > 220-myhostname ESMTP
>> >
>> > Postfix waits $postscreen_greet_wait seconds.
>> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
>> > have passed.
>> >
>> > 220 myhostname ESMTP
>> >
>> > Good SMTP clients will greet now.
>>
>> Wietse:
>> Thanks for your detailed explanation. Can you suggest technical ways to manually
>> test Bad SMTP clients
>> that greet before $postscreen_greet_wait seconds have passed?
>
> echo whatever | nc host 25
 
Wietse:
I did my test as below:
# nc localhost 25 < /tmp/postscreen-greet-wait.txt
The output:
220 gw.mydomain.com ESMTP Postfix (2.10.1)
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 35CA025E69

The postfix/postscreen log does not show the info "PREGREET count after time from [address]:port text...";
the test message was delivered normally (expected: test message prevented by postscreen).
So, is there another way to quickly make an SMTP connection via "nc" or another tool to test the parameter
"postscreen_greet_wait"?

Thanks.

Regards,
N. Thang

Re: Postfix Postscreen Pregreet Test

Christian Kivalo


On 23 January 2016 04:30:02 CET, Nguyen Nang Thang <[hidden email]> wrote:

>----- Original Message -----
>> From: "Wietse Venema" <[hidden email]>
>> To: "Postfix users" <[hidden email]>
>> Sent: Saturday, January 23, 2016 9:57:40 AM
>> Subject: Re: Postfix Postscreen Pregreet Test
>
>> Nguyen Nang Thang:
>>> > Postfix sends:
>>> >
>>> > 220-myhostname ESMTP
>>> >
>>> > Postfix waits $postscreen_greet_wait seconds.
>>> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
>>> > have passed.
>>> >
>>> > 220 myhostname ESMTP
>>> >
>>> > Good SMTP clients will greet now.
>>>
>>> Wietse:
>>> Thanks for your detailed explanation. Can you suggest technical ways
>to manually
>>> test Bad SMTP clients
>>> that greet before $postscreen_greet_wait seconds have passed?
>>
>> echo whatever | nc host 25
>
>Wietse:
>I did my test as below:
># nc localhost 25 < /tmp/postscreen-greet-wait.txt
>The output:
>220 gw.mydomain.com ESMTP Postfix (2.10.1)
>250 2.1.0 Ok
>250 2.1.5 Ok
>354 End data with <CR><LF>.<CR><LF>
>250 2.0.0 Ok: queued as 35CA025E69
>
>The postfix/postscreen log does not show info "PREGREET count after
>time from [address]:port text...",
>test message delivered normally (expect: test message prevented by
>postscreen).
>So, is there another way to quickly make smtp connection via "nc" or
>another tool to test the parameter
>"postscreen_greet_wait"?
Do this test from a different device. You probably have localhost in mynetworks and have configured
> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_access.cidr

>Thanks.
>
>Regards,
>N. Thang
--
Christian


Re: Postfix Postscreen Pregreet Test

Peter Ajamian
In reply to this post by Nguyen Nang Thang
On 23/01/16 16:30, Nguyen Nang Thang wrote:

> Wietse:
> I did my test as below:
> # nc localhost 25 < /tmp/postscreen-greet-wait.txt
> The output:
> 220 gw.mydomain.com ESMTP Postfix (2.10.1)
> 250 2.1.0 Ok
> 250 2.1.5 Ok
> 354 End data with <CR><LF>.<CR><LF>
> 250 2.0.0 Ok: queued as 35CA025E69
>
> The postfix/postscreen log does not show info "PREGREET count after time from [address]:port text...",
> test message delivered normally (expect: test message prevented by postscreen).
> So, is there another way to quickly make smtp connection via "nc" or another tool to test the parameter
> "postscreen_greet_wait"?

You would have localhost listed in mynetworks, which by default bypasses
the postscreen tests:

> postscreen_access_list (default: permit_mynetworks)
>        Permanent white/blacklist for remote SMTP client IP addresses. postscreen(8) searches this list
>        immediately after a remote SMTP client connects. Specify a comma- or whitespace-separated list of
>        commands (in upper or lower case) or lookup tables. The search stops upon the first command that
>        fires for the client IP address.
>
>        permit_mynetworks
>               Whitelist the client and terminate the search if the client IP address matches $mynetworks.
>               Do not subject the client to any before/after 220 greeting tests. Pass the connection
>               immediately to a Postfix SMTP server process.

Try the test again from a host that is not listed in mynetworks.


Peter

Re: Postfix Postscreen Pregreet Test

Nguyen Nang Thang
In reply to this post by Christian Kivalo
----- Original Message -----
> From: "Christian Kivalo" <[hidden email]>
> To: [hidden email]
> Sent: Saturday, January 23, 2016 2:56:25 PM
> Subject: Re: Postfix Postscreen Pregreet Test

> On 23 January 2016 04:30:02 CET, Nguyen Nang Thang
> <[hidden email]> wrote:
>>----- Original Message -----
>>> From: "Wietse Venema" <[hidden email]>
>>> To: "Postfix users" <[hidden email]>
>>> Sent: Saturday, January 23, 2016 9:57:40 AM
>>> Subject: Re: Postfix Postscreen Pregreet Test
>>
>>> Nguyen Nang Thang:
>>>> > Postfix sends:
>>>> >
>>>> > 220-myhostname ESMTP
>>>> >
>>>> > Postfix waits $postscreen_greet_wait seconds.
>>>> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
>>>> > have passed.
>>>> >
>>>> > 220 myhostname ESMTP
>>>> >
>>>> > Good SMTP clients will greet now.
>>>>
>>>> Wietse:
>>>> Thanks for your detailed explanation. Can you suggest technical ways
>>to manually
>>>> test Bad SMTP clients
>>>> that greet before $postscreen_greet_wait seconds have passed?
>>>
>>> echo whatever | nc host 25
>>
>>Wietse:
>>I did my test as below:
>># nc localhost 25 < /tmp/postscreen-greet-wait.txt
>>The output:
>>220 gw.mydomain.com ESMTP Postfix (2.10.1)
>>250 2.1.0 Ok
>>250 2.1.5 Ok
>>354 End data with <CR><LF>.<CR><LF>
>>250 2.0.0 Ok: queued as 35CA025E69
>>
>>The postfix/postscreen log does not show info "PREGREET count after
>>time from [address]:port text...",
>>test message delivered normally (expect: test message prevented by
>>postscreen).
>>So, is there another way to quickly make smtp connection via "nc" or
>>another tool to test the parameter
>>"postscreen_greet_wait"?
> Do this test from a different device. You probably have localhost in mynetworks
> and have configured
>> postscreen_access_list = permit_mynetworks,
>> cidr:/etc/postfix/postscreen_access.cidr

Christian & Wietse:
I've successfully tested the parameter "postscreen_greet_wait" of postscreen following
Christian's and Wietse's suggestions.

Here is the experience:
* Should test from a different device/host
* Technical way to test the parameter "postscreen_greet_wait" via the tools "nc" and "echo":
$ echo "Hello. I'm spambot" | nc host 25

Here is the log to show that the parameter "postscreen_greet_wait" works fine:
Jan 23 15:09:17 gw postfix/postscreen[8783]: PREGREET 19 after 0 from [IP]:Port: Hello. I'm spambot\n
Jan 23 15:09:18 gw postfix/postscreen[8783]: BARE NEWLINE from [IP]:Port after Hello. I'm spambot
Jan 23 15:09:18 gw postfix/postscreen[8783]: HANGUP after 0 from [IP]:Port in tests after SMTP handshake
Jan 23 15:09:18 gw postfix/postscreen[8783]: DISCONNECT [IP]:Port
Note: I have localhost and my LAN subnet in mynetworks (as configured), so my earlier tests did not
work as expected.

Thanks.

Regards,
N. Thang
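A small parser for the postscreen events shown in this thread (the PREGREET format from POSTSCREEN_README that Wietse quoted, and the BARE NEWLINE/HANGUP/DISCONNECT lines from the test above), added here as an example that is not part of the thread or of Postfix. It groups events per client session and lists the sessions that spoke before postscreen_greet_wait elapsed; the first sample session is taken from Wietse's log, the second is constructed with a documentation address, and the non-PREGREET patterns are assumptions written from those lines.

```python
import re
from collections import defaultdict

# Log lines from the thread, plus a constructed session (203.0.113.7, a
# documentation address) modelled on the final post's "Hello. I'm spambot" test.
SAMPLE_LOG = [
    "Jan 22 00:00:53 spike postfix/postscreen[44350]: CONNECT from [177.231.207.212]:38026 to [168.100.189.4]:25",
    "Jan 22 00:00:53 spike postfix/dnsblog[44354]: addr 177.231.207.212 listed by domain zen.spamhaus.org as 127.0.0.11",
    r"Jan 22 00:00:53 spike postfix/postscreen[44350]: PREGREET 16 after 0.69 from [177.231.207.212]:38026: HELO bryozoann\r\n",
    "Jan 22 00:00:54 spike postfix/postscreen[44350]: DNSBL rank 2 for [177.231.207.212]:38026",
    "Jan 22 00:00:54 spike postfix/postscreen[44350]: NOQUEUE: reject: RCPT from [177.231.207.212]:38026: 550 5.7.1 Service unavailable; client [177.231.207.212] blocked using zen.spamhaus.org; from=<[hidden email]>, to=<[hidden email]>, proto=SMTP, helo=<bryozoann>",
    "Jan 22 00:01:01 spike postfix/postscreen[44350]: DISCONNECT [177.231.207.212]:38026",
    "Jan 23 15:09:17 gw postfix/postscreen[8783]: CONNECT from [203.0.113.7]:51000 to [192.0.2.25]:25",
    r"Jan 23 15:09:17 gw postfix/postscreen[8783]: PREGREET 19 after 0 from [203.0.113.7]:51000: Hello. I'm spambot\n",
    "Jan 23 15:09:18 gw postfix/postscreen[8783]: BARE NEWLINE from [203.0.113.7]:51000 after Hello. I'm spambot",
    "Jan 23 15:09:18 gw postfix/postscreen[8783]: HANGUP after 0 from [203.0.113.7]:51000 in tests after SMTP handshake",
    "Jan 23 15:09:18 gw postfix/postscreen[8783]: DISCONNECT [203.0.113.7]:51000",
]

# The PREGREET shape follows the POSTSCREEN_README text quoted in the thread;
# the other patterns are assumptions written from the log lines above.
_P = r"postfix/postscreen\[\d+\]: "
PREGREET_RE = re.compile(_P + r"PREGREET (?P<count>\d+) after (?P<delay>[\d.]+) from "
                         r"\[(?P<addr>[^\]]+)\]:(?P<port>\d+): (?P<text>.*)$")
DNSBL_RE = re.compile(_P + r"DNSBL rank (?P<rank>\d+) for \[(?P<addr>[^\]]+)\]:(?P<port>\d+)")
EVENT_RE = re.compile(_P + r"(?P<event>CONNECT|BARE NEWLINE|HANGUP|DISCONNECT|NOQUEUE: reject)"
                      r".*?\[(?P<addr>[^\]]+)\]:(?P<port>\d+)")

def parse_line(line):
    """Return (event, addr, port, details) for a postscreen line, else None."""
    if m := PREGREET_RE.search(line):
        return ("PREGREET", m["addr"], m["port"],
                {"count": int(m["count"]), "delay": float(m["delay"]), "text": m["text"]})
    if m := DNSBL_RE.search(line):
        return ("DNSBL", m["addr"], m["port"], {"rank": int(m["rank"])})
    if m := EVENT_RE.search(line):
        return (m["event"], m["addr"], m["port"], {})
    return None  # dnsblog(8) and other daemons' lines are ignored

def summarize(lines):
    """Group postscreen events per client session, keyed by (addr, port)."""
    sessions = defaultdict(list)
    for line in lines:
        if parsed := parse_line(line):
            event, addr, port, details = parsed
            sessions[(addr, port)].append((event, details))
    return dict(sessions)

def pregreeters(sessions, greet_wait=6.0):
    """Sessions that spoke before postscreen_greet_wait (6s in the thread) elapsed."""
    return {key: d for key, events in sessions.items()
            for ev, d in events if ev == "PREGREET" and d["delay"] < greet_wait}
```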