RBL problems with smarthost on private address range

Jim Potter
Hi all,
  I'm trying to use RBL, but I am getting messages like this:

May  7 09:20:59 mars postfix/smtpd[11400]: warning:
10.4.20.10.opm.blitzed.org: RBL lookup error: Host or domain name not
found. Name service error for name=10.4.20.10.opm.blitzed.org type=A:
Host not found, try again

My mailserver (mars) is inside our local council network, and all
incoming/outgoing mail goes through a smarthost, 10.4.20.10 . How can I
add a positive RBL  entry for this MTA?  I've tried adding this to
/etc/hosts, but to no avail.
10.4.20.10      10.4.20.10.relays.ordb.org

Is it worth setting up a separate DNS zone for it? this seems like
overkill. any ideas?

cheers

Jim Potter
Bristol
UK


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
* Jim Potter <[hidden email]>:
> Hi all,
>  I'm trying to use RBL, but I am getting messages like this:
>
> May  7 09:20:59 mars postfix/smtpd[11400]: warning:  
> 10.4.20.10.opm.blitzed.org: RBL lookup error: Host or domain name not  
> found. Name service error for name=10.4.20.10.opm.blitzed.org type=A:  
> Host not found, try again

Show "postconf -n"
Your restrictions are fubared

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
When the going gets weird, the weird turn pro.

Re: RBL problems with smarthost on private address range

Jim Potter
hi Ralf,
 postconf -n says this:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
invalid_hostname_reject_code = 554
mailbox_command = procmail -m /etc/procmailrc -a "$EXTENSION"
mailbox_size_limit = 0
multi_recipient_bounce_reject_code = 554
mydestination = brislington.bristol.sch.uk      because.org.uk  mars.brislington.bristol.sch.uk         becuse.org.uk   becasue.org.uk  becase.org.uk
mydomain = because.org.uk
myhostname = www.because.org.uk
mynetworks = 127.0.0.0/8        10.14.92.0/22   10.14.96.0/22
myorigin = /etc/mailname
non_fqdn_reject_code = 554
recipient_delimiter = +
relay_domains_reject_code = 554
relayhost = 10.20.4.10
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,   
    reject_non_fqdn_hostname,      
    reject_invalid_hostname,       
    permit
smtpd_recipient_restrictions = permit_mynetworks,      
    reject_non_fqdn_sender,    
    reject_unknown_recipient_domain, 
    reject_unauth_pipelining,      
    reject_non_fqdn_recipient,   
    permit_sasl_authenticated,    
    reject_unauth_destination,    
    reject_rbl_client list.dsbl.org,       
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.njabl.org,         
    reject_rbl_client blackholes.wirehub.net,      
    reject_rbl_client list.dsbl.org,       
    reject_rbl_client sbl-xbl.spamhaus.org,      
    check_client_access pcre:/etc/postfix/dspam_filter_access      
    permit
smtpd_sender_restrictions = permit_sasl_authenticated, 
    permit_mynetworks,     
    reject_non_fqdn_sender, permit
smtpd_use_tls = no
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

cheers

Jim


Ralf Hildebrandt wrote:
> * Jim Potter [hidden email]:
>> Hi all,
>>  I'm trying to use RBL, but I am getting messages like this:
>>
>> May  7 09:20:59 mars postfix/smtpd[11400]: warning:
>> 10.4.20.10.opm.blitzed.org: RBL lookup error: Host or domain name not
>> found. Name service error for name=10.4.20.10.opm.blitzed.org type=A:
>> Host not found, try again
>
> Show "postconf -n"
> Your restrictions are fubared


Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
* Jim Potter <[hidden email]>:
> append_dot_mydomain = yes
Default, just leave it out

> inet_interfaces = all
Default, just leave it out

> mydestination = brislington.bristol.sch.uk      because.org.uk  
> mars.brislington.bristol.sch.uk         becuse.org.uk   becasue.org.uk  
> becase.org.uk

I blame speling :)

> mydomain = because.org.uk
> myhostname = www.because.org.uk

myhostname = www.because.org.uk
IMPLIES
mydomain = because.org.uk

> mynetworks = 127.0.0.0/8        10.14.92.0/22   10.14.96.0/22
OK

> relayhost = 10.20.4.10
relayhost = [10.20.4.10]

> smtpd_delay_reject = yes
Default, just leave it out


> smtpd_recipient_restrictions =
> permit_mynetworks, reject_non_fqdn_sender,
> reject_unknown_recipient_domain, reject_unauth_pipelining,
> reject_non_fqdn_recipient, permit_sasl_authenticated,
> reject_unauth_destination,

*

> reject_rbl_client list.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client blackholes.wirehub.net,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client sbl-xbl.spamhaus.org,
> check_client_access pcre:/etc/postfix/dspam_filter_access

These of course check 10.20.4.10 against all the RBLs
Solution: Simply add:
check_client_access hash:/etc/postfix/my_relayhost
with
10.20.4.10 OK
where I put the *

NB: blackholes.wirehub.net is dead.

> permit smtpd_sender_restrictions = permit_sasl_authenticated,

That's wrong. It must go into smtpd_recipient_restrictions!

> permit_mynetworks, reject_non_fqdn_sender, permit
You already have that in smtpd_recipient_restrictions, so just nuke
the stuff entirely.

> smtpd_use_tls = no
Default, just leave it out

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"I had a fortune cookie the other day and it said: 'Outlook not so
good'. I said: 'Sure, but Microsoft ships it anyway'."

Re: RBL problems with smarthost on private address range

Ramprasad-5
In reply to this post by Jim Potter

On Wed, 2008-05-07 at 09:30 +0100, Jim Potter wrote:

> Hi all,
>   I'm trying to use RBL, but I am getting messages like this:
>
> May  7 09:20:59 mars postfix/smtpd[11400]: warning:
> 10.4.20.10.opm.blitzed.org: RBL lookup error: Host or domain name not
> found. Name service error for name=10.4.20.10.opm.blitzed.org type=A:
> Host not found, try again
>
> My mailserver (mars) is inside our local council network, and all
> incoming/outgoing mail goes through a smarthost, 10.4.20.10 . How can I
> add a positive RBL  entry for this MTA?  I've tried adding this to
> /etc/hosts, but to no avail.
> 10.4.20.10      10.4.20.10.relays.ordb.org
>

ORDB & opm.blitzed are dead RBLs

Stick to zen.spamhaus and you will be fine

Thanks
Ram



Re: RBL problems with smarthost on private address range

Jim Potter
In reply to this post by Ralf Hildebrandt
Hi Ralf,

Doesn't the bit you've suggested below just say that if it's been forwarded through 10.4.20.10 then allow it, so it never gets checked by any rbl, dspam etc??
(Mail gets onto our server by only 2 routes - from my_networks or via 10.4.20.10)

cheers

Jim

>> smtpd_recipient_restrictions =
>> permit_mynetworks, reject_non_fqdn_sender,
>> reject_unknown_recipient_domain, reject_unauth_pipelining,
>> reject_non_fqdn_recipient, permit_sasl_authenticated,
>> reject_unauth_destination,
>
> *
>
>> reject_rbl_client list.dsbl.org,
>> reject_rbl_client opm.blitzed.org,
>> reject_rbl_client dnsbl.njabl.org,
>> reject_rbl_client blackholes.wirehub.net,
>> reject_rbl_client list.dsbl.org,
>> reject_rbl_client sbl-xbl.spamhaus.org,
>> check_client_access pcre:/etc/postfix/dspam_filter_access
>
> These of course check 10.20.4.10 against all the RBLs
> Solution: Simply add:
> check_client_access hash:/etc/postfix/my_relayhost
> with
> 10.20.4.10 OK
> where I put the *


Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
* Jim Potter <[hidden email]>:
> Hi Ralf,
>
> Doesn't the bit you've suggested below just say that if it's been
> forwarded through 10.4.20.10 then allow it, so it never gets checked by  
> any rbl, dspam etc??

Do you expect your relayhost to be a source of spam?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"Who's General Failure and why's he reading my disk?"        -- Anon.

Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
* Ralf Hildebrandt <[hidden email]>:
> * Jim Potter <[hidden email]>:
> > Hi Ralf,
> >
> > Doesn't the bit you've suggested below just say that if it's been
> > forwarded through 10.4.20.10 then allow it, so it never gets checked by  
> > any rbl, dspam etc??
>
> Do you expect your relayhost to be a source of spam?

To answer my own suggestive question: These RBL checks need to be done
on the relayhost, not your box :)

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Real computer scientists don't use M$-Windows.

Re: RBL problems with smarthost on private address range

Jim Potter
In reply to this post by Ralf Hildebrandt
Hi Ralf,
> Ralf Hildebrandt wrote:
>  
> Do you expect your relayhost to be a source of spam?
>  
Oh yes. All mail from the outside world comes through it.

Jim



Re: RBL problems with smarthost on private address range

Jim Potter
In reply to this post by Ralf Hildebrandt
Hi Ralf,
  I have suggested that the folks who run the relayhost should do the spam filtering. They claim their filtering is quite adequate. (I reckon ~90% of all mail arriving via the relayhost being spam is a bit less than adequate, but hey.)

So the problem is - I still need to do this on my mailserver

Jim


Ralf Hildebrandt wrote:
> * Ralf Hildebrandt [hidden email]:
>> * Jim Potter [hidden email]:
>>> Hi Ralf,
>>>
>>> Doesn't the bit you've suggested below just say that if it's been
>>> forwarded through 10.4.20.10 then allow it, so it never gets checked by
>>> any rbl, dspam etc??
>>
>> Do you expect your relayhost to be a source of spam?
>
> To answer my own suggestive question: These RBL checks need to be done
> on the relayhost, not your box :)


Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
In reply to this post by Jim Potter
* Jim Potter <[hidden email]>:
> Hi Ralf,
>> Ralf Hildebrandt wrote:
>>   Do you expect your relayhost to be a source of spam?
>>  
> Oh yes. All mail from the outside world comes through it.

Like I said: Checks need to be done on the relay, not on your box then.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
With searching comes loss
and the presence of absence:
"My Novel" not found.

Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
In reply to this post by Jim Potter
* Jim Potter <[hidden email]>:
> Hi Ralf,
>  I have suggested that the folks who run the relayhost should do the spam
> filtering. They claim their filtering is quite adequate. (I reckon ~90% of
> all mail arriving via the relayhost being spam is a bit less than
> adequate, but hey.)

You should see what they see :)

> So the problem is - I still need to do this on my mailserver

You can't. At least not with Postfix. Use SpamAssassin

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"If it is blue and winding, it is biology. If it stinks, it is chemistry. If
it doesn't work, it is physics. If it is unintelligible, it is mathematics.
If it is all of above, it must has been made by M$."      -- Holger Dittmann

Re: RBL problems with smarthost on private address range

Jim Potter
OK...

I've made changes as recommended by you and Ram, and the errors have stopped (I've taken the dead RBLs out), and it is still doing queries to the other RBLs...
I'm not sure if this is filtering, but at least there's no error messages to deal with, so I can sleep soundly.

thanks again everyone.

Jim
Bristol, UK

Ralf Hildebrandt wrote:
> * Jim Potter [hidden email]:
>> Hi Ralf,
>>  I have suggested that the folks who run the relayhost should do the spam
>> filtering. They claim their filtering is quite adequate. (I reckon ~90% of
>> all mail arriving via the relayhost being spam is a bit less than
>> adequate, but hey.)
>
> You should see what they see :)
>
>> So the problem is - I still need to do this on my mailserver
>
> You can't. At least not with Postfix. Use SpamAssassin


Re: RBL problems with smarthost on private address range

mouss-2
Jim Potter wrote:
> OK...
>
> I've made changes as recommended by you and Ram, and the errors have
> stopped (I've taken the dead RBLs out), and it is still doing queries
> to the other RBLs...

- You should not reject mail already accepted by your relay. This causes
backscatter.
- For such mail, reject_rbl_client is useless since the client is the relay.

As Ralf said, use SpamAssassin. This will parse the Received headers and
do various DNSBL checks (among other things).

> I'm not sure if this is filtering, but at least there's no error
> messages to deal with, so I can sleep soundly.
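
An added example (not from the thread, Postfix or SpamAssassin): it shows why `reject_rbl_client` only ever queries the connecting client, whose reversed-octet name for `relayhost = 10.20.4.10` is the `10.4.20.10.opm.blitzed.org` seen in the log warning, and how a Received-header walk of the kind mouss describes finds the address worth checking instead. The trusted-network list, the `.example` hostnames and the sample headers are constructed assumptions.

```python
import ipaddress
import re

# Assumption: hosts whose Received stamps we trust (mynetworks plus the relayhost).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.14.92.0/22", "10.14.96.0/22", "10.20.4.10/32")]

# Constructed sample headers, newest first, as they sit at the top of a message.
SAMPLE_RECEIVED = [
    "from smarthost.example (smarthost.example [10.20.4.10]) "
    "by mars.example (Postfix); Wed, 7 May 2008 09:20:59 +0100",
    "from mail.sender.example (unknown [192.0.2.25]) "
    "by smarthost.example; Wed, 7 May 2008 09:20:57 +0100",
    "from [198.51.100.7] (helo=pc) "
    "by mail.sender.example; Wed, 7 May 2008 09:20:50 +0100",
]

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_trusted(ip):
    """True if the address belongs to one of the TRUSTED networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def first_untrusted_hop(received_headers):
    """Walk Received headers newest-first; return the first client IP outside TRUSTED.

    The walk stops at the first untrusted hop: everything below it was written
    by hosts we do not control and may be forged.
    """
    for header in received_headers:
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if not match:
            return None  # unparseable hop: stop rather than trust older headers
        try:
            if not is_trusted(match.group(1)):
                return match.group(1)
        except ValueError:
            return None  # malformed address such as 999.1.1.1
    return None
```
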


Re: RBL problems with smarthost on private address range

Mauro Sanna
In reply to this post by Ralf Hildebrandt
On Wed, 07/05/2008 at 11.00 +0200, Ralf Hildebrandt wrote:
> * Jim Potter <[hidden email]>:
> > append_dot_mydomain = yes
> Default, just leave it out

Why leave out if it is the default?
If I put it's just the same or not?


Re: RBL problems with smarthost on private address range

mouss-2
Mauro Sanna wrote:

> On Wed, 07/05/2008 at 11.00 +0200, Ralf Hildebrandt wrote:
>  
>> * Jim Potter <[hidden email]>:
>>    
>>> append_dot_mydomain = yes
>>>      
>> Default, just leave it out
>>    
>
> Why leave out if it is the default?
> If I put it's just the same or not?
>
>  

it pollutes the output of 'postconf -n' and makes it harder to help you

and in some cases, default values may evolve. if you don't set the
value, you will get the new default automatically. if you set it, you
will keep the old value.



Re: RBL problems with smarthost on private address range

Ralf Hildebrandt
In reply to this post by Mauro Sanna
* Mauro Sanna <[hidden email]>:
> On Wed, 07/05/2008 at 11.00 +0200, Ralf Hildebrandt wrote:
> > * Jim Potter <[hidden email]>:
> > > append_dot_mydomain = yes
> > Default, just leave it out
>
> Why leave out if it is the default?

Because it just makes the config longer and harder to read :)

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
If you feel you have received this message in error, please recall
that exp(i*pi) + 1 = 0;