Postscreen temporary whitelist

allenc
Is there any way of reducing the TTL of the postscreen temporary whitelist?

I am having problems with spammers repeatedly getting through postscreen
with a "PASS OLD" result.

While I can't stop them trying, at least I can cost them time by making
them run the full postscreen gauntlet more frequently...

Many thanks

Allen C

Re: Postscreen temporary whitelist

Wietse Venema
Allen Coates:
> Is there any way of reducing the TTL of the postscreen temporary whitelist?

As of Postfix 3.1, these are the defaults:

postscreen_bare_newline_ttl = 30d
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_ttl = 30d

Earlier versions have postscreen_dnsbl_ttl instead of postscreen_dnsbl_max_ttl,
and they don't have postscreen_dnsbl_min_ttl.

> I am having problems with spammers repeatedly getting through postscreen
> with a "PASS OLD" result.
>
> While I can't stop them trying, at least I can cost them time by making
> them run the full postscreen gauntlet more frequently...

The postscreen_dnsbl(_max)_ttl setting should fix that.

        Wietse

Re: Postscreen temporary whitelist

allenc
Thanks for your comments

I am currently trying

postscreen_cache_retention_time = 1d
postscreen_non_smtp_command_ttl = 1d
postscreen_bare_newline_ttl = 1d
postscreen_pipelining_ttl  = 1d

FWIW I am also using the "deep protocol tests" as a form of grey-listing.

Allen C

On 23/08/17 13:24, Wietse Venema wrote:

> Allen Coates:
>> Is there any way of reducing the TTL of the postscreen temporary whitelist?
>
> As of Postfix 3.1, these are the defaults:
>
> postscreen_bare_newline_ttl = 30d
> postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
> postscreen_dnsbl_min_ttl = 60s
> postscreen_greet_ttl = 1d
> postscreen_non_smtp_command_ttl = 30d
> postscreen_pipelining_ttl = 30d
>
> Earlier versions have postscreen_dnsbl_ttl instead of postscreen_dnsbl_max_ttl,
> and they don't have postscreen_dnsbl_min_ttl.
>
>> I am having problems with spammers repeatedly getting through postscreen
>> with a "PASS OLD" result.
>>
>> While I can't stop them trying, at least I can cost them time by making
>> them run the full postscreen gauntlet more frequently...
>
> The postscreen_dnsbl(_max)_ttl setting should fix that.
>
> Wietse
>

Re: Postscreen temporary whitelist

Wietse Venema
Allen Coates:
> Thanks for your comments
>
> I am currently trying
>
> postscreen_cache_retention_time = 1d
> postscreen_non_smtp_command_ttl = 1d
> postscreen_bare_newline_ttl = 1d
> postscreen_pipelining_ttl  = 1d

These ONLY block spambots (custom SMTP implementations that cut
corners to increase delivery 'performance').

They do ABSOLUTELY NOTHING against other systems that send spam.

> The postscreen_dnsbl(_max)_ttl setting should fix that.

That is the only postscreen feature that helps against non-spambots.

        Wietse
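
Added example, not part of the thread and not Postfix code: a small log check for the "PASS OLD" problem discussed above. It counts how often each client is admitted from the temporary whitelist and over what time span, so the effect of a TTL change can be compared before and after. The syslog prefix, the host name `mx`, the addresses and the `year` argument (syslog timestamps carry no year) are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the postscreen "PASS NEW/OLD [addr]:port" format.
SAMPLE_LOG = """\
Aug 23 09:00:01 mx postfix/postscreen[2101]: CONNECT from [192.0.2.10]:40112 to [198.51.100.5]:25
Aug 23 09:00:07 mx postfix/postscreen[2101]: PASS NEW [192.0.2.10]:40112
Aug 23 09:40:00 mx postfix/postscreen[2101]: PASS OLD [192.0.2.10]:40550
Aug 23 11:15:30 mx postfix/postscreen[2101]: PASS OLD [192.0.2.10]:41001
Aug 23 11:20:00 mx postfix/postscreen[2101]: PASS NEW [203.0.113.7]:5555
Aug 23 12:30:00 mx postfix/postscreen[2101]: PASS OLD [192.0.2.10]:41777
Aug 23 12:31:00 mx postfix/postscreen[2101]: PASS OLD [203.0.113.7]:5601
"""

# Timestamp, then "PASS NEW|OLD [client]:port"; other postscreen lines are skipped.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/postscreen\[\d+\]: "
                  r"PASS (NEW|OLD) \[([^\]]+)\]:\d+")

def cache_riders(log_text, min_old=2, year=2017):
    """Return {client: (pass_old_count, seconds between first and last PASS)}
    for clients with at least min_old PASS OLD results."""
    old = defaultdict(int)
    first, last = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Assumption: all lines fall in the given year.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind, client = m.group(2), m.group(3)
        first.setdefault(client, ts)
        last[client] = ts
        if kind == "OLD":
            old[client] += 1
    return {c: (n, int((last[c] - first[c]).total_seconds()))
            for c, n in old.items() if n >= min_old}

if __name__ == "__main__":
    for client, (count, span) in sorted(cache_riders(SAMPLE_LOG).items()):
        print(f"{client}: {count} x PASS OLD over {span}s")
```

Clients with many "PASS OLD" results over a long span are the ones a shorter postscreen_dnsbl(_max)_ttl would send back through the DNSBL lookup.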