advice on postscreen setup / exception / dnsbls


advice on postscreen setup / exception / dnsbls

Voytek
I've recently updated Postfix from 2.1 and enabled postscreen; all's
working well, though I just picked up a false positive:

several users inbound mail blocked with dnsbl.spfbl.net

I have like:

# grep spfbl.net main.cf
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2,

As this is a gov.au server, should I whitelist health.gov.au? Or sge.net?
How/where?

What's the best way to prevent emails from health.gov.au/sge.net being
blocked?


# grep health.gov.au /var/log/maillog | grep block
May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
[152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=<[hidden email]>, to=<[hidden email]>,
proto=ESMTP, helo=<orland.sge.net>
May 21 16:55:53 geko postfix/postscreen[5875]: NOQUEUE: reject: RCPT from
[152.91.65.145]:42388: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP,
helo=<orland.sge.net>
May 22 15:54:50 geko postfix/postscreen[22598]: NOQUEUE: reject: RCPT from
[152.91.65.145]:54437: 550 5.7.1 Service unavailable; client
[152.91.65.145] blocked using dnsbl.spfbl.net;
from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP,
helo=<orland.sge.net>
May 24 09:25:55 geko postfix/postscreen[803]: NOQUEUE: reject: RCPT from
[152.91.65.146]:58463: 550 5.7.1 Service unavailable; client
[152.91.65.146] blocked using dnsbl.spfbl.net;
from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP,
helo=<oxford.sge.net>
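An added example (not from the thread, not Postfix code) that triages the rejects quoted above the way a practitioner would: it parses postscreen's NOQUEUE reject lines and groups them by the list that blocked the client, by client IP and by the HELO name seen from that IP, and turns the sender-domain question into the client-IP list that a cidr: table under postscreen_access_list could actually permit. The log lines are the four from the post re-joined onto single lines as syslog writes them, plus one unrelated PASS line; the mailbox names are placeholders (assumed health.gov.au senders and local recipients), since the real ones are hidden on the page.

```python
"""Triage postscreen DNSBL rejects from a Postfix maillog (added example)."""
import re
from collections import Counter, defaultdict

# One postscreen "NOQUEUE: reject" line per DNSBL rejection, as logged by Postfix.
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r"550 5\.7\.1 Service unavailable; client \[[^\]]+\] blocked using (?P<dnsbl>[^;]+); "
    r"from=<(?P<from>[^>]*)>, to=<(?P<to>[^>]*)>, proto=\w+, helo=<(?P<helo>[^>]*)>"
)

# Constructed sample: the four rejects from the post, each on a single line, with
# placeholder mailboxes (assumption) where the page hides the real addresses,
# plus one non-reject line to show that other log lines are ignored.
SAMPLE_LOG = """\
May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from [152.91.65.145]:57512: 550 5.7.1 Service unavailable; client [152.91.65.145] blocked using dnsbl.spfbl.net; from=<alice@health.gov.au>, to=<user1@example.gov.au>, proto=ESMTP, helo=<orland.sge.net>
May 21 16:55:53 geko postfix/postscreen[5875]: NOQUEUE: reject: RCPT from [152.91.65.145]:42388: 550 5.7.1 Service unavailable; client [152.91.65.145] blocked using dnsbl.spfbl.net; from=<bob@health.gov.au>, to=<user2@example.gov.au>, proto=ESMTP, helo=<orland.sge.net>
May 22 15:54:50 geko postfix/postscreen[22598]: NOQUEUE: reject: RCPT from [152.91.65.145]:54437: 550 5.7.1 Service unavailable; client [152.91.65.145] blocked using dnsbl.spfbl.net; from=<alice@health.gov.au>, to=<user3@example.gov.au>, proto=ESMTP, helo=<orland.sge.net>
May 24 09:25:55 geko postfix/postscreen[803]: NOQUEUE: reject: RCPT from [152.91.65.146]:58463: 550 5.7.1 Service unavailable; client [152.91.65.146] blocked using dnsbl.spfbl.net; from=<carol@health.gov.au>, to=<user1@example.gov.au>, proto=ESMTP, helo=<oxford.sge.net>
May 24 10:00:00 geko postfix/postscreen[803]: PASS NEW [203.0.113.7]:25000
"""


def parse_rejects(log_text):
    """Return one dict per postscreen DNSBL reject line; all other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            d = m.groupdict()
            d["dnsbl"] = d["dnsbl"].strip()
            d["from_domain"] = d["from"].rpartition("@")[2].lower()
            events.append(d)
    return events


def summarize(events):
    """Count rejects per blocking list and per client IP, and record the HELO names per IP."""
    by_dnsbl = Counter(e["dnsbl"] for e in events)
    by_ip = Counter(e["ip"] for e in events)
    helos = defaultdict(set)
    for e in events:
        helos[e["ip"]].add(e["helo"])
    return {
        "by_dnsbl": dict(by_dnsbl),
        "by_ip": dict(by_ip),
        "helo_by_ip": {ip: sorted(h) for ip, h in helos.items()},
    }


def client_ips_for_sender_domain(events, domain):
    """Client IPs behind rejected mail from a sender domain: what postscreen can be told about."""
    return sorted({e["ip"] for e in events if e["from_domain"] == domain.lower()})


def cidr_permit_lines(ips):
    """One '/32 permit' rule per client for a cidr: table used from postscreen_access_list."""
    return ["%s/32 permit" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    ev = parse_rejects(SAMPLE_LOG)
    print(summarize(ev))
    print("\n".join(cidr_permit_lines(client_ips_for_sender_domain(ev, "health.gov.au"))))
```

Two things the summary makes visible that the `grep health.gov.au | grep block` pipeline does not: every reject names the same list, and the clients are two sge.net hosts, not anything in gov.au. A permit rule in a postscreen_access_list cidr: table exempts that client from all of postscreen's tests, not just the DNSBL lookups, so it is a deliberate trade for a known relay rather than a general fix.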



Re: advice on postscreen setup / exception / dnsbls

@lbutlr
On 2018-05-25 (21:22 MDT), "Voytek" <[hidden email]> wrote:
> # grep health.gov.au /var/log/maillog | grep block
> May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
> [152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
> [152.91.65.145] blocked using dnsbl.spfbl.net;
> from=<[hidden email]>, to=<[hidden email]>,
> proto=ESMTP, helo=<orland.sge.net>

This mail did not come from a gov.au site, it came from orland.sge.net

--
The Salvation Army Band played and the children drunk lemonade and the
morning lasted all day, all day. And through an open window came like
Sinatra in a younger day pushing the town away

Re: advice on postscreen setup / exception / dnsbls

Wietse Venema
@lbutlr:
> On 2018-05-25 (21:22 MDT), "Voytek" <[hidden email]> wrote:
> > # grep health.gov.au /var/log/maillog | grep block
> > May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject: RCPT from
> > [152.91.65.145]:57512: 550 5.7.1 Service unavailable; client
> > [152.91.65.145] blocked using dnsbl.spfbl.net;
> > from=<[hidden email]>, to=<[hidden email]>,
> > proto=ESMTP, helo=<orland.sge.net>
>
> This mail did not come from a gov.au site, it came from orland.sge.net

Indeed: orland.sge.net = 152.91.65.145, consistent with the client
IP address that postscreen reports.

        Wietse

Re: advice on postscreen setup / exception / dnsbls

/dev/rob0
In reply to this post by Voytek
On Sat, May 26, 2018 at 01:22:01PM +1000, Voytek wrote:

> I've recently updated Postfix from 2.1, and, enabled postscreen,
> all's working well, though, just picked up a false positive:
>
> several users inbound mail blocked with dnsbl.spfbl.net
>
> I have like:
>
> # grep spfbl.net main.cf
> postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
> bl.spamcop.net*2, dnsbl.spfbl.net*2,
>
> as this is a gov.au server, should I whitelist health.gov.au ? or
> sge.net ? how/where ?
>
> what's the best way to prevent emails from health.gov.au/sge.net
> being blocked?

Bubba: "Doc, it hurts when I do this."
Doc: "So don't do that."

The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
stop using that list, or possibly to lower its score below your
[unstated] threshold score.

Postscreen is unable to do whitelisting by hostname.  In fact the
reverse DNS is not looked up at all, so only the IP address is known
in postscreen.

Another choice is DNS whitelisting:

145.65.91.152.list.dnswl.org. 10800 IN  TXT     "sge.net https://dnswl.org/s/?s=36576"
145.65.91.152.list.dnswl.org. 10800 IN  A       127.0.9.2

For more information I would refer you to my page on postscreen;
please see the link below, in the .sig .

> # grep health.gov.au /var/log/maillog | grep block
> May 21 08:49:16 geko postfix/postscreen[23877]: NOQUEUE: reject:
> RCPT from [152.91.65.145]:57512: 550 5.7.1 Service unavailable;
> client [152.91.65.145] blocked using dnsbl.spfbl.net;
> from=<[hidden email]>, to=<[hidden email]>,
> proto=ESMTP, helo=<orland.sge.net>

While the helo/ehlo is logged, that's not usable either, because
once postscreen decides to talk to a client, that client is already
blocked.

If you're not going to take the advice above, your only other option
would be to whitelist the IP address[es].  Oh, also, you could talk
to the DNSBL operator about their listing criteria, and/or to the
sending site about getting delisted.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: advice on postscreen setup / exception / dnsbls

@lbutlr
On 2018-05-26 (11:22 MDT), /dev/rob0 <[hidden email]> wrote:
> If you're not going to take the advice above, your only other option
> would be to whitelist the IP address[es].  Oh, also, you could talk
> to the DNSBL operator about their listing criteria, and/or to the
> sending site about getting delisted.


There is nothing wrong with the listing criteria. The domain is listed because there is an issue with its rDNS, and that is what the RBL lists.

Delegation not found at parent.

No delegation could be found at the parent, making your zone unreachable from the Internet.

Not enough nameserver information was found to test the zone orland.sge.net, but an IP address lookup succeeded in spite of that.

-- 
'Yes, but humans are more important than animals,' said Brutha. 'This
is a point of view often expressed by humans,' said Om. (Small Gods)


Re: advice on postscreen setup / exception / dnsbls

Voytek
In reply to this post by /dev/rob0
On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote:

> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
> stop using that list, or possibly to lower its score below your [unstated]
> threshold score.

Thanks for all replies and comments!

I guess my starting point should be that, lower the score?

Sorry, the actual setup is (advice/suggestion appreciated):

# grep postscreen  main.cf
postscreen_command_count_limit = 8
postscreen_command_time_limit = 30
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_blacklist_action = DROP
postscreen_dnsbl_action = ENFORCE
postscreen_greet_action = ENFORCE
postscreen_access_list = permit_mynetworks,
 cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
bl.spamcop.net*2, dnsbl.spfbl.net*2,
 db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu,
bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
 bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
 list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1


> Another choice is DNS whitelisting:
> 145.65.91.152.list.dnswl.org. 10800 IN  TXT     "sge.net
> https://dnswl.org/s/?s=36576"
> 145.65.91.152.list.dnswl.org. 10800 IN  A       127.0.9.2

I think I'd rather avoid this path, if I can


> For more information I would refer you to my page on postscreen;
> please see the link below, in the .sig .

thanks, I'll read it today (and try to understand)


> While the helo/ehlo is logged, that's not usable either, because
> once postscreen decides to talk to a client, that client is already
> blocked.
>
> If you're not going to take the advice above, your only other option
> would be to whitelist the IP address[es].  Oh, also, you could talk to the
> DNSBL operator about their listing criteria, and/or to the
> sending site about getting delisted.

I guess 'health' outsources their email to Verizon; whilst I'll try to
contact them, I don't like my chances at getting too far, but never know.

I've struck probs with health/Verizon a while back; I think, last time I
came across it, by the time I've looked, they were already delisted.

thanks again,

Voytek




Re: advice on postscreen setup / exception / dnsbls

@lbutlr
On 26 May 2018, at 23:27, Voytek <[hidden email]> wrote:
> On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote:
>
>> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
>> stop using that list, or possibly to lower its score below your [unstated]
>> threshold score.
>
> Thanks for all replies and comments!
>
> I guess my starting point should be that, lower the score ?

No, your starting point should be to not use an RBL if you don’t know what it is doing. Blacklisting a domain for not having a valid rDNS is something you can do right in postfix, without needing to reach out to an RBL.

reject_unknown_reverse_client_hostname or reject_unknown_client_hostname, but these have significant impact on some servers for legitimate mail. You can search the archives (or Google) for various discussions on these two settings, how they differ, and which you might want to use, if either.

> postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
> bl.spamcop.net*2, dnsbl.spfbl.net*2,
> db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu,
> bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
> bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
> dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
> list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1

Treating all replies from the RBLs as the same is, IMHO, a mistake.

This is what I have:

postscreen_dnsbl_threshold = 9
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..11]*9
    hostkarma.junkemailfilter.com=127.0.0.2*5
    zen.spamhaus.org=127.0.0.[2..3]*4
    hostkarma.junkemailfilter.com=127.0.0.3*2
    hostkarma.junkemailfilter.com=127.0.2.1*4
    hostkarma.junkemailfilter.com=127.0.2.2*2
    hostkarma.junkemailfilter.com=127.0.0.2*4
    hostkarma.junkemailfilter.com=127.0.1.2*4
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    hostkarma.junkemailfilter.com=127.0.0.5*-2
    hostkarma.junkemailfilter.com=127.0.2.3*-2


For example, I score zen differently for 127.0.0.2-3 (much lower) than for 4-11. (.2 is the SBL, which hits more 'false' positives than the others for my mailstream, and .3 is similar), while 4-11 are servers that should never be sending mail (DHCP ISP machines, exploited servers, etc).

I *do not* recommend you copy/paste these into your setup. For one thing, I haven’t evaluated them in quite a while since zen hits nearly everything that gets blocked, so I’m not really sure how the downstream ones are performing right now, but mostly because every server is a bit different.

--
Like the moment when the brakes lock/And you slide towards the big
truck/You stretch the frozen moments with your fear
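An added example (not Postfix code and not from any poster) that models the arithmetic behind both /dev/rob0's advice earlier in the thread (lower a list's weight below the threshold, or let a DNS whitelist entry subtract from the score) and @lbutlr's per-reply-code weighting above. It parses the two postscreen_dnsbl_sites values quoted in the thread, applies the =d.d.d.d filters including the [lo..hi] octet ranges to constructed DNSBL replies, adds the per-entry weights and compares the sum with postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold. The replies fed in are constructed, and the rule that each configured entry counts at most once per lookup is a simplification of this model, not a documented Postfix guarantee.

```python
"""Model postscreen's weighted DNSBL scoring offline (added example, not Postfix code)."""
import re

# site[=d.d.d.d][*weight]; each d may be a number or a [lo..hi] range.
SITE_RE = re.compile(r"^(?P<site>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET_RE = re.compile(r"\[\d+\.\.\d+\]|\d+")
OCTET_RANGE_RE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")


def parse_sites(value):
    """Return [(site, filter_or_None, weight)] from a postscreen_dnsbl_sites value."""
    entries = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:  # tolerates the trailing comma in the posted config
            continue
        m = SITE_RE.match(item)
        if m is None:
            raise ValueError("unparseable postscreen_dnsbl_sites entry: %r" % item)
        weight = int(m.group("weight")) if m.group("weight") else 1  # default weight 1
        entries.append((m.group("site"), m.group("filter"), weight))
    return entries


def filter_matches(pattern, reply):
    """Does the A record `reply` match a d.d.d.d filter whose octets may be [lo..hi] ranges?"""
    if pattern is None:
        return True  # no filter: any A record from that site counts
    pat, rep = OCTET_RE.findall(pattern), reply.split(".")
    if len(pat) != 4 or len(rep) != 4:
        return False
    for p, r in zip(pat, rep):
        r = int(r)
        rng = OCTET_RANGE_RE.match(p)
        if rng:
            if not int(rng.group(1)) <= r <= int(rng.group(2)):
                return False
        elif int(p) != r:
            return False
    return True


def dnsbl_score(entries, replies):
    """Sum the weights of entries whose filter matches one of the site's replies.

    `replies` maps site -> list of A records returned for the client (absent or
    empty means not listed).  Model simplification, not documented Postfix
    behaviour: an entry is counted at most once even if several records match.
    """
    total, hits = 0, []
    for site, flt, weight in entries:
        for a in replies.get(site, ()):
            if filter_matches(flt, a):
                total += weight
                hits.append((site, a, weight))
                break
    return total, hits


def decide(total, threshold, whitelist_threshold=0):
    """postscreen's verdict for a combined score; whitelisting is active only when negative."""
    if whitelist_threshold < 0 and total <= whitelist_threshold:
        return "whitelist"  # skips the remaining postscreen tests
    if total >= threshold:
        return "reject"
    return "pass"


# The two postscreen_dnsbl_sites values quoted in the thread, verbatim.
VOYTEK_SITES = ("zen.spamhaus.org*5, psbl.surriel.com*2, bl.spamcop.net*2, dnsbl.spfbl.net*2, "
                "db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu, "
                "bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net, "
                "bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2, "
                "dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net, "
                "list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1")
LBUTLR_SITES = ("zen.spamhaus.org=127.0.0.[4..11]*9 hostkarma.junkemailfilter.com=127.0.0.2*5 "
                "zen.spamhaus.org=127.0.0.[2..3]*4 hostkarma.junkemailfilter.com=127.0.0.3*2 "
                "hostkarma.junkemailfilter.com=127.0.2.1*4 hostkarma.junkemailfilter.com=127.0.2.2*2 "
                "hostkarma.junkemailfilter.com=127.0.0.2*4 hostkarma.junkemailfilter.com=127.0.1.2*4 "
                "hostkarma.junkemailfilter.com=127.0.0.1*-4 hostkarma.junkemailfilter.com=127.0.0.5*-2 "
                "hostkarma.junkemailfilter.com=127.0.2.3*-2")


def voytek_verdict(replies):
    """Score constructed replies against the thread's first config (threshold 3, whitelist -1)."""
    total, _ = dnsbl_score(parse_sites(VOYTEK_SITES), replies)
    return total, decide(total, threshold=3, whitelist_threshold=-1)


def lbutlr_verdict(replies):
    """Score constructed replies against the thread's second config (threshold 9)."""
    total, _ = dnsbl_score(parse_sites(LBUTLR_SITES), replies)
    return total, decide(total, threshold=9)


if __name__ == "__main__":
    print(voytek_verdict({"dnsbl.spfbl.net": ["127.0.0.2"]}))
    print(voytek_verdict({"dnsbl.spfbl.net": ["127.0.0.2"], "db.wpbl.info": ["127.0.0.2"]}))
    print(lbutlr_verdict({"zen.spamhaus.org": ["127.0.0.4"]}))
```

With the first configuration a dnsbl.spfbl.net hit alone scores 2 against a threshold of 3, so any one of the weight-1 lists is enough to tip the client into a reject, and a list.dnswl.org reply at -3 pulls the same client back to 0; a dnswl reply on its own lands at -3, below the whitelist threshold of -1, so the client skips the remaining tests. With the second configuration a zen 127.0.0.2 (SBL) reply scores 4 of 9 and passes, while any 127.0.0.[4..11] reply rejects on its own.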