Postscreen and reject_rhsbl


Postscreen and reject_rhsbl

Alex Regan
Hi,
I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
both postscreen to use spamhaus and other RBLs as well as have
configured the reject_rhsbl_* options. Is this duplicative and
unnecessary?

I've posted what I think are the relevant pieces in hopes someone
could review and clarify.

smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
        check_sender_access hash:/etc/postfix/check_backscatterer,
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_helo_access hash:/etc/postfix/helo_checks,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        check_policy_service unix:private/policy-spf,
        check_policy_service inet:127.0.0.1:2501,
        check_recipient_access pcre:/etc/postfix/relay_recips_access,
        permit

smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access hash:/etc/postfix/client_checks,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
        check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
        check_client_access cidr:/etc/postfix/client_access_blocklist
        check_client_access cidr:/etc/postfix/ransomware-ipbl


postscreen_dnsbl_ttl = 10m
postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr,
        cidr:/etc/postfix/gmail_whitelist.cidr,
        cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:11}s
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_reply_map =
        texthash:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites =
        mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
        score.senderscore.com=127.0.4.[0..19]*3
        score.senderscore.com=127.0.4.[20..29]*3
        score.senderscore.com=127.0.4.[30..49]*2
        score.senderscore.com=127.0.4.[50..59]*1
        score.senderscore.com=127.0.4.[60..69]*1
        score.senderscore.com=127.0.4.[70..79]*-1
        score.senderscore.com=127.0.4.[80..89]*-2
        score.senderscore.com=127.0.4.[90..100]*-4
        b.barracudacentral.org*7
        mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
        bl.mailspike.net*4
        bl.spamcop.net*4
        bl.spameatingmonkey.net*4
        mykey.zen.dq.spamhaus.net=127.0.0.3*4
        ubl.unsubscore.com=127.0.0.2*1
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
        dnsbl.sorbs.net=127.0.0.[10;14]*8
        dnsbl.sorbs.net=127.0.0.5*7
        dnsbl.sorbs.net=127.0.0.7*4
        dnsbl.sorbs.net=127.0.0.6*3
        dnsbl.sorbs.net=127.0.0.[8;9]*2
        dnsbl.sorbs.net=127.0.0.4*1

RE: Postscreen and reject_rhsbl

techlist06
Here's a related recent thread
http://postfix.1071664.n5.nabble.com/postscreen-dnsbl-AND-smtpd-recipient-restrictions-rbl-tt91307.html#none





Re: Postscreen and reject_rhsbl

Matus UHLAR - fantomas
In reply to this post by Alex Regan
On 01.08.17 16:58, Alex wrote:
>I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
>both postscreen to use spamhaus and other RBLs as well as have
>configured the reject_rhsbl_* options. Is this duplicative and
>unnecessary?

no. reject_rhsbl rejects based on mail from: address, that is unavailable in
postscreen.

>smtpd_client_restrictions =
>        permit_mynetworks,
>        check_client_access hash:/etc/postfix/client_checks,

if there are IPs here, they could be moved to postscreen config

>        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
>        check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
>        check_client_access cidr:/etc/postfix/client_access_blocklist
>        check_client_access cidr:/etc/postfix/ransomware-ipbl

these cidr: ranges can be moved to postscreen.
even if not, I would specify cidr: before pcre: maps.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.

Re: Postscreen and reject_rhsbl

Bill Cole-3
In reply to this post by Alex Regan
On 1 Aug 2017, at 16:58, Alex wrote:

> Hi,
> I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
> both postscreen to use spamhaus and other RBLs as well as have
> configured the reject_rhsbl_* options. Is this duplicative and
> unnecessary?

No. There's no RHSBL support in postscreen.
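
Added example, not part of any post in this thread and not Postfix code: a small Python model of how the `postscreen_dnsbl_sites` entries from the original post (`domain=filter*weight`) combine into one score for a client IP address, which is compared with `postscreen_dnsbl_threshold`. Only the client IP's DNSBL replies go in; no sender or HELO domain is involved, which is why the `reject_rhsbl_*` checks in smtpd are a separate layer. The function names and the reply values are assumptions made for illustration.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the original post.
SITES = """
mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
mykey.zen.dq.spamhaus.net=127.0.0.3*4
score.senderscore.com=127.0.4.[80..89]*-2
bl.mailspike.net*4
bl.spamcop.net*4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
""".split()
THRESHOLD = 8  # postscreen_dnsbl_threshold in the original post

def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter or None, weight)."""
    m = re.fullmatch(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    domain, flt, weight = m.groups()
    return domain, flt, int(weight) if weight else 1

def octet_matches(pattern, value):
    """Match one reply octet against 'N', '[a..b]' or '[a;b;c..d]'."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(flt, reply):
    """True if one A-record reply matches the entry's filter (None = any reply)."""
    if flt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)  # keeps '[0..19]' as one octet
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def dnsbl_score(replies, sites=SITES):
    """Add each entry's weight once if any reply from its domain matches."""
    total = 0
    for domain, flt, weight in map(parse_site, sites):
        if any(reply_matches(flt, r) for r in replies.get(domain, ())):
            total += weight
    return total

# Constructed replies for one client IP (DNSBL domain -> A records returned).
SAMPLE = {"mykey.zen.dq.spamhaus.net": ["127.0.0.4"], "bl.mailspike.net": ["127.0.0.2"]}
```

With the constructed `SAMPLE`, `dnsbl_score(SAMPLE)` reaches the threshold through two moderate listings; a `list.dnswl.org` reply on the same client would pull the total back down.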
