gmail servers on blacklists?

David Mehler
Hello,

I'm starting to see blocks on my messages to my mail server. For some
reason postscreen is not letting any gmail servers send mail, it's
blocking them.

Has anyone got an idea or have you seen this?

Here's my postscreen setup:

# postscreen(8) settings
### Before-220 tests
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_access_list = permit_mynetworks
 cidr:/usr/local/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_reply_map =
 pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
 b.barracudacentral.org*2
 bl.spameatingmonkey.net*2
 dnsbl.ahbl.org*2
   bl.spamcop.net
 dnsbl.sorbs.net
 psbl.surriel.com
 bl.mailspike.net
 swl.spamhaus.org*-4
 list.dnswl.org=127.[0..255].[0..255].0*-2
 list.dnswl.org=127.[0..255].[0..255].1*-3
 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0
   # Rules are evaluated in the order as specified.
   # Blacklist 192.168.* except 192.168.0.1.

# /usr/local/etc/postfix/postscreen_access.cidr 2011-02-27
# A simple combined white/blacklist
# Only "permit", "reject" and "dunno" work on the RHS
# This is a CIDR table, so see cidr_table(5) for LHS syntax

# Permit local clients
127.0.0.0/8 permit

# 2011-05-17 brute force attack
# May 17 05:35:14 cardinal postfix/anvil[3667]: statistics: max
# connection count 47 for (smtpd:66.23.228.27) at May 17 05:31:38
66.23.228.27 reject
# a lot from here including some DBL hits
108.62.112.160/29 reject
# 2011-08-09 eWayDirect whitelisted, but hitting spamtraps
# was having PREGREET protocol errors before today
207.45.161.0/24 reject
##
# 2011-11-22 brute force mail attacks, smtp and imap
61.175.253.59 reject
# 2012-09-23 spammer not in DNSBLs
66.7.197.45 reject
# 2012-11-19 hillapex.com spammer
184.173.107.11 reject
# Allow gmail server through
74.125.82.43 permit

Any assistance appreciated.

Thanks.
Dave.

Re: gmail servers on blacklists?

Christian Kivalo


On 2017-03-17 22:12, David Mehler wrote:
> Hello,
>
> I'm starting to see blocks on my messages to my mail server. For some
> reason postscreen is not letting any gmail servers send mail, it's
> blocking them.
>
> Has anyone got an idea or have you seen this?
You could use postwhite https://github.com/stevejenkins/postwhite to
whitelist Gmail.
The map is created by postwhite from Gmail's SPF records.

--
  Christian Kivalo

Re: gmail servers on blacklists?

/dev/rob0
On Fri, Mar 17, 2017 at 05:12:07PM -0400, David Mehler wrote:
> I'm starting to see blocks on my messages to my mail server. For some
> reason postscreen is not letting any gmail servers send mail, it's
> blocking them.
>
> Has anyone got an idea or have you seen this?

Typically you would SHOW LOGS of the blocking when asking for help,
but in your case it's pretty obvious.

> Here's my postscreen setup:
>
> # postscreen(8) settings
> ### Before-220 tests
> postscreen_greet_action = enforce
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_access_list = permit_mynetworks
> cidr:/usr/local/etc/postfix/postscreen_access.cidr
> postscreen_dnsbl_reply_map =
> pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>  b.barracudacentral.org*2
>  bl.spameatingmonkey.net*2
>  dnsbl.ahbl.org*2

Closed as of 2015-01-01 when it began flagging EVERYTHING by means of
a DNS wildcard.

Read:
  http://www.ahbl.org/ (click through to the main page) and
  http://rob0.nodns4.us/postscreen.html

In the latter start with the BIG FAT WARNING and then take special
note of what it says about AHBL in the "Last Changes" section.

>    bl.spamcop.net
>  dnsbl.sorbs.net
>  psbl.surriel.com
>  bl.mailspike.net
>  swl.spamhaus.org*-4
>  list.dnswl.org=127.[0..255].[0..255].0*-2
>  list.dnswl.org=127.[0..255].[0..255].1*-3
>  list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

These are as I published them but they are wrong.  Better:
   list.dnswl.org=127.0.[2..15].0*-2
   list.dnswl.org=127.0.[2..15].1*-3
   list.dnswl.org=127.0.[2..15].[2..3]*-4
This corresponds to DNSWL.org's own usage instructions.

> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_whitelist_threshold = -2

Looks familiar except you changed these two threshold values.  Just
stick with what I have:
  postscreen_dnsbl_threshold = 3
  postscreen_dnsbl_whitelist_threshold = -1

Your lower postscreen_dnsbl_threshold value caused every single AHBL
listing (which, in case you didn't understand, now includes the
entirety of the Internet) to be a rejection unless offset by a
whitelist entry.

Your higher whitelist threshold makes it more difficult to avoid the
after-220 tests ...

> ### End of before-220 tests
> ### After-220 tests
> ### WARNING -- See "Tests after the 220 SMTP server greeting" in the
> ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
> ### following tests!
> #postscreen_bare_newline_action = drop
> #postscreen_bare_newline_enable = yes
> #postscreen_non_smtp_command_action = drop
> #postscreen_non_smtp_command_enable = yes
> #postscreen_pipelining_enable = yes
> #postscreen_pipelining_action = drop
> ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
> ### significant and annoying mail delays.

... which in your case doesn't matter because you didn't enable them.

> Any assistance appreciated.

Lose AHBL.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
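
The scoring discussed in the reply above, as an added example (not part of the thread and not Postfix code): a simplified Python model of how postscreen sums the `postscreen_dnsbl_sites` weights and compares the total with `postscreen_dnsbl_threshold`. The client replies are constructed, and only the `N` and `[lo..hi]` filter forms that appear in this thread are handled.

```python
import re

# Scoring entries copied from the original post (weights as posted).
ORIGINAL_SITES = """
zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2
dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
""".split()
WITHOUT_AHBL = [s for s in ORIGINAL_SITES if not s.startswith("dnsbl.ahbl.org")]

ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_site(entry):
    """Split 'domain[=filter][*weight]'; a missing weight defaults to 1."""
    domain, filt, weight = ENTRY.match(entry).groups()
    return domain, filt, int(weight or 1)

def reply_matches(filt, reply):
    """Match a reply address against a filter made of 'N' or '[lo..hi]' octets."""
    if filt is None:
        return True  # no filter: any non-error reply counts
    for pat, octet in zip(re.findall(r"\[[^\]]+\]|\d+", filt), reply.split(".")):
        rng = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pat)
        ok = int(rng[1]) <= int(octet) <= int(rng[2]) if rng else pat == octet
        if not ok:
            return False
    return True

def dnsbl_score(sites, replies):
    """Add the weight of each entry that has a matching reply, at most once per entry."""
    score = 0
    for domain, filt, weight in map(parse_site, sites):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight
    return score

def verdict(sites, replies, threshold):
    score = dnsbl_score(sites, replies)
    return score, "block" if score >= threshold else "pass"

# Constructed replies: a client on no list at all, except that the closed AHBL
# zone answers every query through its wildcard (the reply value is made up).
WILDCARD_ONLY = {"dnsbl.ahbl.org": ["127.0.0.2"]}
print(verdict(ORIGINAL_SITES, WILDCARD_ONLY, 2))  # threshold as posted
print(verdict(ORIGINAL_SITES, WILDCARD_ONLY, 3))  # threshold from the reply
print(verdict(WITHOUT_AHBL, WILDCARD_ONLY, 3))    # AHBL entry removed
```

With the threshold at 3 the wildcard alone no longer blocks, but it still contributes 2 points to every client, so removing the dead zone is the actual fix.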

Re: gmail servers on blacklists?

David Mehler
Hi,

Much thanks. Lost ahbl, and glad to see it go.

Thanks.
Dave.



Re: gmail servers on blacklists?

Christian Kivalo
On 2017-03-17 22:47, David Mehler wrote:
> Hello,
>
> Thank you.
Hi

Please reply to the list
>
> I have postwhite running, not sure if it's updating?
>
> Do you run postwhite and if so do you have an update procedure so you
> always have the updated postwhite?
I use it, but I do the updates manually. Doing it automatically is on a
todo list ;)

> Thanks.
> Dave.
>

--
  Christian Kivalo