dnsbl postscreen - not blocking


dnsbl postscreen - not blocking

Stefan Bauer-2
Hi,

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from [209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from mail-it1-f196.google.com[209.85.166.196]

why did google pass postscreen even though its listed in one of the RBL?


postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am i missing something obvious?

Stefan


RE: dnsbl postscreen - not blocking

L.P.H. van Belle
Hai,

recent.spam.dnsbl.sorbs.net = 127.0.0.6
and you gave it 1 point.

whats the postscreen_dnsbl_threshold set at ?
I'll bet thats set higher than 1.


Greetz,

Louis




RE: dnsbl postscreen - not blocking

Fazzina, Angelo
In reply to this post by Stefan Bauer-2

Hi, I don’t know the answer to your question but from this site

http://www.sorbs.net/using.shtml

it looks like the IP 209.85.166.196 has tripped one of these:

new.spam.dnsbl.sorbs.net       127.0.0.6
recent.spam.dnsbl.sorbs.net    127.0.0.6
old.spam.dnsbl.sorbs.net       127.0.0.6
spam.dnsbl.sorbs.net           127.0.0.6
escalations.dnsbl.sorbs.net    127.0.0.6

Maybe going down that rabbit hole will get you some answers?

Good Luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075


Re: dnsbl postscreen - not blocking

Matus UHLAR - fantomas
In reply to this post by Stefan Bauer-2
On 19.12.18 14:00, Stefan Bauer wrote:

>Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
>[209.85.166.196]:52168 to [public-ip]:25
>Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
>domain dnsbl.sorbs.net as 127.0.0.6
>Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
>[209.85.166.196]:52168
>Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
>mail-it1-f196.google.com[209.85.166.196]
>
>why did google pass postscreen even though its listed in one of the RBL?
>
>
>postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
>b.barracudacentral.org*1 dnsbl.sorbs.net*1
>postscreen_blacklist_action = drop
>postscreen_dnsbl_action = enforce
>
>Am i missing something obvious?

on some systems I have implemented postscreen with especially to avoid refusing
mail just because of a single dnsbl listing.

on some systems the google ranges are whitelisted.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: dnsbl postscreen - not blocking

Dominic Raferd


On Wed, 19 Dec 2018 at 14:51, Matus UHLAR - fantomas <[hidden email]> wrote:
On 19.12.18 14:00, Stefan Bauer wrote:
>Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
>[209.85.166.196]:52168 to [public-ip]:25
>Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
>domain dnsbl.sorbs.net as 127.0.0.6
>Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
>[209.85.166.196]:52168
>Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
>mail-it1-f196.google.com[209.85.166.196]
>
>why did google pass postscreen even though its listed in one of the RBL?
>
>
>postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
>b.barracudacentral.org*1 dnsbl.sorbs.net*1
>postscreen_blacklist_action = drop
>postscreen_dnsbl_action = enforce
>
>Am i missing something obvious?

on some systems I have implemented postscreen with especially to avoid refusing
mail just because of a single dnsbl listing.

on some systems the google ranges are whitelisted.

This might help OP identify any non-default postscreen settings (kudos: Viktor) -

LC_ALL=C join --check-order <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')|grep ^postscreen_

Re: dnsbl postscreen - not blocking

Wietse Venema
In reply to this post by Stefan Bauer-2
Stefan Bauer:
> Hi,
>
> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> [209.85.166.196]:52168 to [public-ip]:25
> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> domain dnsbl.sorbs.net as 127.0.0.6

It took 6s for dnsblog to figure out that the client is listed.

Unfortunately the result came too late to have an effect on postscreen,
because postscreen will normally wait only 6s for DNS replies, so
it had already decided to let the client pass (under overload it will
wait only 2s).

I suppose it is OK that postscreen will not wait forever for DNS results...

        Wietse

> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> [209.85.166.196]:52168
> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> mail-it1-f196.google.com[209.85.166.196]
>
> why did google pass postscreen even though its listed in one of the RBL?
>
>
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1 dnsbl.sorbs.net*1
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
>
> Am i missing something obvious?
>
> Stefan

Re: dnsbl postscreen - not blocking

Viktor Dukhovni
In reply to this post by Dominic Raferd
On Wed, Dec 19, 2018 at 02:58:00PM +0000, Dominic Raferd wrote:

> This might help OP identify any non-default postscreen settings (kudos:
> Viktor) -
>
> LC_ALL=C join --check-order <(postconf -n) <(postconf -d | sed
> 's/=/(default:/; s/$/)/')|grep ^postscreen_

Thanks, but may be worth noting that "--check-order" (which I did
not suggest) is a non-portable Linux-specific feature.  Leaving it
out is more portable.

--
        Viktor.

Re: dnsbl postscreen - not blocking

Viktor Dukhovni
In reply to this post by Stefan Bauer-2
On Wed, Dec 19, 2018 at 02:00:34PM +0100, Stefan Bauer wrote:

> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
> [209.85.166.196]:52168 to [public-ip]:25
> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
> domain dnsbl.sorbs.net as 127.0.0.6
> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
> [209.85.166.196]:52168
> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
> mail-it1-f196.google.com[209.85.166.196]
>
> why did google pass postscreen even though its listed in one of the RBL?
>
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1 dnsbl.sorbs.net*1
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
>
> Am i missing something obvious?

What is the minimum weight you require for an RBL block?  The sorbs
RBL has weight 1, perhaps you require 2 or more.

    http://www.postfix.org/postconf.5.html#postscreen_dnsbl_threshold

You've not posted your complete "postconf -n" output, so it is all
conjectural.

--
        Viktor.

Re: dnsbl postscreen - not blocking

Stefan Bauer-2
The threshold is at default, so 1.

But the DNS timeout Wietse mentioned might be the real cause. Gonna check the manuals to see if this is configurable.

Thank you.

On Wednesday, 19 December 2018, Viktor Dukhovni <[hidden email]> wrote:

> On Wed, Dec 19, 2018 at 02:00:34PM +0100, Stefan Bauer wrote:
>
>> Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from
>> [209.85.166.196]:52168 to [public-ip]:25
>> Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by
>> domain dnsbl.sorbs.net as 127.0.0.6
>> Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW
>> [209.85.166.196]:52168
>> Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from
>> mail-it1-f196.google.com[209.85.166.196]
>>
>> why did google pass postscreen even though its listed in one of the RBL?
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
>> b.barracudacentral.org*1 dnsbl.sorbs.net*1
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>>
>> Am i missing something obvious?
>
> What is the minimum weight you require for an RBL block?  The sorbs
> RBL has weight 1, perhaps you require 2 or more.
>
>     http://www.postfix.org/postconf.5.html#postscreen_dnsbl_threshold
>
> You've not posted your complete "postconf -n" output, so it is all
> conjectural.
>
> --
>         Viktor.
>

Re: dnsbl postscreen - not blocking

Wietse Venema
Stefan Bauer:
> the threshold is at default, so 1.
>
> but the dns timeout, Wietse mentioned, might be the real cause. gonna check
> manuals, if this is configurable.

postscreen will wait for DNS lookup results until the postscreen_greet_wait
timer expires.

    postscreen_greet_wait = ${stress?{2}:{6}}s

I don't think that making this larger is a good idea.

        Wietse

Re: dnsbl postscreen - not blocking

Kai Schaetzl
In reply to this post by Stefan Bauer-2
Stefan Bauer wrote on Wed, 19 Dec 2018 21:10:10 +0100:

> the threshold is at default, so 1.

This may not be part of your problem, but using a threshold of 1 and then
using this weighting scheme is nonsense:

postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1 dnsbl.sorbs.net*1

Using Sorbs is dangerous, anyway, we abandoned it years ago. If you want
to use it then use it in the way it is intended for weighted RBLs. e.g. do
not use it as the sole source of blocking.

> but the dns timeout, Wietse mentioned, might be the real cause.

check if Sorbs is always taking very long compared to others. Then the
solution should be clear.

Kai



Re: dnsbl postscreen - not blocking

@lbutlr
On 20 Dec 2018, at 06:46, Kai Schaetzl <[hidden email]> wrote:
> Using Sorbs is dangerous, anyway, we abandoned it years ago. If you want
> to use it then use it in the way it is intended for weighted RBLs. e.g. do
> not use it as the sole source of blocking.

I keep paring down my list and am considering going to simply using zen only for blocking and dnswl for whitelisting. Something like

 zen.spamhaus.org=127.0.0.[4..11]*5
 zen.spamhaus.org=127.0.0.[2..3]*1
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5

And a threshold of 3.

None of the others seem to be particularly effective.


--
Truth is seen through keyholes