
postscreen and smtpd_recipient_restrictions


postscreen and smtpd_recipient_restrictions

Den1
Hello list,

I would highly appreciate it if someone advised on the following, please.

I have these settings:

postscreen_greet_action = enforce
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_sites = zen.spamhaus.org bl.spamcop.net b.barracudacentral.org

The IP address of 46.22.210.20 is listed on spamhaus but it goes straight through to smtpd like this anyway:

22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to [1.1.1.1]:25
22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain zen.spamhaus.org as 127.0.0.3
22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953
22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to [1.1.1.1]:25
22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
22:19:22 postfix/smtpd[14403]: connect from construct.baladle.us[46.22.210.20]

Now apart from the other settings (this is just an extract) I also have spamhaus set in my smtpd like this:

smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org

As I've mentioned before, the IP address 46.22.210.20 is listed on Spamhaus, but nonetheless it has no effect in smtpd either; that is, it's not blocked by Spamhaus at all and simply goes onward to SPF checks and graylisting like this:

22:19:23  postfix/policy-spf[14407]: Policy action=PREPEND Received-SPF: pass (duplicate.jimello.us: 46.22.210.20 is authorized to use 'Jet_Charters@duplicate.jimello.us' in 'mfrom' identity (mechanism 'a' matched)) receiver=mymail; identity=mailfrom; envelope-from="Jet_Charters@duplicate.jimello.us"; helo=duplicate.jimello.us; client-ip=46.22.210.20
22:19:23  postgrey[4355]: action=greylist, reason=new, client_name=construct.baladle.us, client_address=46.22.210.20, sender=Jet_Charters@duplicate.jimello.us, recipient=mail@domain.com
22:19:23  postfix/smtpd[14403]: NOQUEUE: reject: RCPT from construct.baladle.us[46.22.210.20]: 450 4.2.0 <mail@domain.com>: Recipient address rejected: This is my graylising.; from=<Jet_Charters@duplicate.jimello.us> to=<mail@domain.com> proto=ESMTP helo=<duplicate.jimello.us>
22:19:43  postfix/smtpd[14403]: disconnect from construct.baladle.us[46.22.210.20]

Now, if reject_unknown_reverse_client_hostname and reject_unknown_client_hostname are set, the incoming spam messages pass those checks all right and are passed further onwards as well, and the only place where I can stop them going straight through all the "protection" is my header_checks with regexps.

I would be really grateful if someone could advise me on what I am missing here. Is this regular behavior? It does not happen all the time, though; I noticed it's 50/50. That is, despite the fact that the IP addresses are listed on RBLs referenced in postscreen_dnsbl_sites and smtpd_recipient_restrictions, it has no effect and allows these blacklisted IPs to slip through all the "protection" in 50% of all cases; the other half reaches my regexp in header_checks, where it finally "dies".

First, shooting randomly in the dark, I looked at the timing of connections and tried to adjust smtpd_client_connection_rate_limit, keeping anvil_rate_time_unit at its default, but it didn't help much...

Many thanks in advance for any comments / help / assistance at all!
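The symptom Den1 describes can be pulled out of the logs mechanically instead of by eye. The following is an added example (my code, not from the thread and not part of Postfix) that groups postscreen lines into per-connection sessions keyed by [ip]:port and flags any client that reached the DNSBL threshold and was disconnected in one session, then got PASS NEW in another session starting shortly afterwards. Because a DNSBL verdict depends only on the client IP, that pattern means the DNS answer itself changed between the two lookups, which points at the resolver rather than at the client. The log sample is constructed from the lines in the first post plus two contrasting clients on RFC 5737 documentation addresses; the regexes assume the default postscreen/dnsblog message formats shown above with a time-only prefix, and the time arithmetic ignores midnight rollover.

```python
import re
from collections import defaultdict

# Constructed sample: the lines from the first post plus two contrasting
# clients on RFC 5737 documentation addresses (one consistently listed,
# one returning visitor that passes without a DNSBL lookup).
SAMPLE_LOG = """\
22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to [1.1.1.1]:25
22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain zen.spamhaus.org as 127.0.0.3
22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953
22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to [1.1.1.1]:25
22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
22:19:22 postfix/smtpd[14403]: connect from construct.baladle.us[46.22.210.20]
22:20:01 postfix/postscreen[14390]: CONNECT from [198.51.100.7]:40001 to [1.1.1.1]:25
22:20:01 postfix/dnsblog[14391]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.0.0.4
22:20:05 postfix/postscreen[14390]: DNSBL rank 1 for [198.51.100.7]:40001
22:20:05 postfix/postscreen[14390]: DISCONNECT [198.51.100.7]:40001
22:20:30 postfix/postscreen[14390]: CONNECT from [203.0.113.9]:51234 to [1.1.1.1]:25
22:20:30 postfix/postscreen[14390]: PASS OLD [203.0.113.9]:51234
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+postfix/(?P<prog>[\w-]+)\[\d+\]:\s+(?P<msg>.*)$")
CONNECT_RE = re.compile(r"^CONNECT from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
RANK_RE = re.compile(r"^DNSBL rank (?P<rank>\d+) for \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
PASS_RE = re.compile(r"^PASS (?P<kind>NEW|OLD) \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
DISCONNECT_RE = re.compile(r"^DISCONNECT \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
LISTED_RE = re.compile(r"^addr (?P<ip>\S+) listed by domain (?P<site>\S+) as (?P<code>\S+)")


def _seconds(hhmmss):
    """Time of day in seconds; a real tool would use full syslog timestamps."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_postscreen_log(text):
    """Group postscreen lines into per-connection sessions keyed by [ip]:port.

    Returns (sessions, listings):
      sessions: {ip: [{"port", "start", "rank", "outcome"}, ...]} in log order
      listings: {ip: [(time, dnsbl_zone, answer), ...]} taken from dnsblog lines
    """
    sessions, listings, open_sessions = defaultdict(list), defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, prog, msg = _seconds(m["time"]), m["prog"], m["msg"]
        if prog == "dnsblog":
            lm = LISTED_RE.match(msg)
            if lm:
                listings[lm["ip"]].append((t, lm["site"], lm["code"]))
        elif prog == "postscreen":
            if cm := CONNECT_RE.match(msg):
                sess = {"port": int(cm["port"]), "start": t, "rank": 0, "outcome": None}
                open_sessions[(cm["ip"], sess["port"])] = sess
                sessions[cm["ip"]].append(sess)
            elif rm := RANK_RE.match(msg):
                sess = open_sessions.get((rm["ip"], int(rm["port"])))
                if sess:
                    sess["rank"] = int(rm["rank"])
            elif pm := PASS_RE.match(msg):
                sess = open_sessions.get((pm["ip"], int(pm["port"])))
                if sess:
                    sess["outcome"] = "PASS " + pm["kind"]
            elif dm := DISCONNECT_RE.match(msg):
                sess = open_sessions.pop((dm["ip"], int(dm["port"])), None)
                if sess and sess["outcome"] is None:
                    sess["outcome"] = "DISCONNECT"
    return sessions, listings


def find_inconsistent_clients(sessions, listings, threshold=1, window=300):
    """IPs that hit the DNSBL threshold (and were disconnected) in one session
    and got PASS NEW in another session starting within `window` seconds.

    A DNSBL verdict depends only on the client IP, so this pattern means the
    DNS answer changed between lookups: suspect the resolver, not the client.
    """
    suspects = {}
    for ip, sess_list in sessions.items():
        blocked = [s for s in sess_list if s["rank"] >= threshold and s["outcome"] == "DISCONNECT"]
        passed = [s for s in sess_list if s["outcome"] == "PASS NEW"]
        for b in blocked:
            for p in passed:
                if 0 <= p["start"] - b["start"] <= window:
                    suspects[ip] = {"blocked_at": b["start"], "passed_at": p["start"],
                                    "listings": listings.get(ip, [])}
    return suspects


if __name__ == "__main__":
    sessions, listings = parse_postscreen_log(SAMPLE_LOG)
    for ip, info in find_inconsistent_clients(sessions, listings).items():
        gap = info["passed_at"] - info["blocked_at"]
        codes = ", ".join(f"{zone}={code}" for _, zone, code in info["listings"])
        print(f"{ip}: blocked, then PASS NEW {gap}s later; earlier DNSBL answers: {codes}")
```

Run against the real mail log (feed the file contents instead of SAMPLE_LOG, after widening the time regex to the syslog date format in use), the ratio of flagged clients to consistently blocked ones is the "50/50" Den1 observes, and a non-empty result is a strong hint that the DNSBL lookups, not the Postfix restrictions, are misbehaving.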

Re: postscreen and smtpd_recipient_restrictions

Wietse Venema
Den1:
> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to
> [1.1.1.1]:25
> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain
> zen.spamhaus.org as 127.0.0.3
> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953

The client is listed at zen.spamhaus.org. The client does not talk to
the Postfix SMTP daemon (smtpd).

> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to
> [1.1.1.1]:25
> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
> 22:19:22 postfix/smtpd[14403]: connect from
> construct.baladle.us[46.22.210.20]

The client is NOT LISTED at zen.spamhaus.org, or more likely, you
use multiple DNS servers, some of which get service from spamhaus.org,
and some of which don't get service from spamhaus.org.

        Wietse

Re: postscreen and smtpd_recipient_restrictions

Den1
Wietse Venema wrote
Den1:
> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to
> [1.1.1.1]:25
> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain
> zen.spamhaus.org as 127.0.0.3
> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953

The client is listed at zen.spamhaus.org. The client does not talk to
the Postfix SMTP daemon (smtpd).

> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to
> [1.1.1.1]:25
> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
> 22:19:22 postfix/smtpd[14403]: connect from
> construct.baladle.us[46.22.210.20]

The client is NOT LISTED at zen.spamhaus.org, or more likely, you
use multiple DNS servers, some of which get service from spamhaus.org,
and some of which don't get service from spamhaus.org.

        Wietse
Thank you so much for your directions and guidance. I really do appreciate.

Although I am getting a bit lost. Is it possible for different clients to have the same IP address in such a short period of time as per my logs posted?

The first client on the IP address 46.22.210.20 connected to postscreen, was listed on Spamhaus, was therefore disconnected and didn't talk to the SMTP daemon. Then, literally just a second later, a different client on the same IP address 46.22.210.20 connected to postscreen and was allowed straight through to smtpd. How can postscreen tell one client from another if both clients are on the same IP address? zen.spamhaus.org checks by IP address as well, doesn't it? I am somewhat confused.

22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to [1.1.1.1]:25
22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain zen.spamhaus.org as 127.0.0.3
22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953

Then just a second later another client on the same IP address

22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to [1.1.1.1]:25
22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
22:19:22 postfix/smtpd[14403]: connect from construct.baladle.us[46.22.210.20]

No, I do not use multiple DNS servers.

Would be thankful for any further pointers.

Re: postscreen and smtpd_recipient_restrictions

Wietse Venema
Den1:

> Wietse Venema wrote
> > Den1:
> >> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953 to
> >> [1.1.1.1]:25
> >> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain
> >> zen.spamhaus.org as 127.0.0.3
> >> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for [46.22.210.20]:58953
> >> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953
> >
> > The client is listed at zen.spamhaus.org. The client does not talk to
> > the Postfix SMTP daemon (smtpd).
> >
> >> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440 to
> >> [1.1.1.1]:25
> >> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
> >> 22:19:22 postfix/smtpd[14403]: connect from
> >> construct.baladle.us[46.22.210.20]
> >
> > The client is NOT LISTED at zen.spamhaus.org, or more likely, you
> > use multiple DNS servers, some of which get service from spamhaus.org,
> > and some of which don't get service from spamhaus.org.
> >
> > Wietse
>
> Thank you so much for your directions and guidance. I really do appreciate.

That's a nice way of saying you did not understand 99% of the reply.

> Although I am getting a bit lost. Is it possible for different clients to
> have the same IP address in such a short period of time as per my logs
> posted?

zen.spamhaus.org provides a service that depends on the DNS client IP
address. Low-volume DNS clients get free service, but high-volume
DNS clients have to pay for a subscription.

For example, if you use the resolver at a big ISP, or a public
service like 8.8.8.8 or 4.4.4.4, then zen.spamhaus.org won't work
well for you, if at all.

        Wietse

RE: postscreen and smtpd_recipient_restrictions

L.P.H. van Belle
It is listed multiple times.

See:
http://multirbl.valli.org/lookup/46.22.210.2.html 
Spamhaus (listed in DBL Advisory) (aerial.astogle.us.dbl.spamhaus.org)

The remote server probably reports "listed at zen.spamhaus.org" but is using the DBL as well.
https://www.spamhaus.org/dbl/ 


Greetz,

Louis


> -----Original message-----
> From: [hidden email] [mailto:[hidden email]] On behalf of
> [hidden email]
> Sent: Monday, 27 February 2017 13:07
> To: Postfix users
> Subject: Re: postscreen and smtpd_recipient_restrictions
>
> Den1:
> > Wietse Venema wrote
> > > Den1:
> > >> 22:19:13 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:58953
> to
> > >> [1.1.1.1]:25
> > >> 22:19:13 postfix/dnsblog[14391]: addr 46.22.210.20 listed by domain
> > >> zen.spamhaus.org as 127.0.0.3
> > >> 22:19:17 postfix/postscreen[14390]: DNSBL rank 1 for
> [46.22.210.20]:58953
> > >> 22:19:17 postfix/postscreen[14390]: DISCONNECT [46.22.210.20]:58953
> > >
> > > The client is listed at zen.spamhaus.org. The client does not talk to
> > > the Postfix SMTP daemon (smtpd).
> > >
> > >> 22:19:18 postfix/postscreen[14390]: CONNECT from [46.22.210.20]:53440
> to
> > >> [1.1.1.1]:25
> > >> 22:19:22 postfix/postscreen[14390]: PASS NEW [46.22.210.20]:53440
> > >> 22:19:22 postfix/smtpd[14403]: connect from
> > >> construct.baladle.us[46.22.210.20]
> > >
> > > The client is NOT LISTED at zen.spamhaus.org, or more likely, you
> > > use multiple DNS servers, some of which get service from spamhaus.org,
> > > and some of which don't get service from spamhaus.org.
> > >
> > > Wietse
> >
> > Thank you so much for your directions and guidance. I really do
> appreciate.
>
> That's a nice way of saying you did not understand 99% of the reply.
>
> > Although I am getting a bit lost. Is it possible for different clients
> to
> > have the same IP address in such a short period of time as per my logs
> > posted?
>
> zen.spamhaus.org provides a service that depends on the DNS client IP
> address. Low-volume DNS clients get free service, but high-volume
> DNS clients have to pay for a subscription.
>
> For example, if you use the resolver at a big ISP, or a public
> service like 8.8.8.8 or 4.4.4.4, then zen.spamhaus.org won't work
> well for you, if at all.
>
> Wietse



Re: postscreen and smtpd_recipient_restrictions

Peter van der Does
In reply to this post by Den1
> Thank you so much for your directions and guidance. I really do appreciate.
>
> Although I am getting a bit lost. Is it possible for different clients to
> have the same IP address in such a short period of time as per my logs
> posted?
>

Spamhaus and others limit the replies to queries coming from large DNS
providers[1], like Wietse said.

You can overcome this issue by running a forwarding DNS server
locally on your network and using it as the DNS resolver for your network.

Peter

[1] https://www.spamhaus.org/faq/section/DNSBL%20Usage#365

Re: postscreen and smtpd_recipient_restrictions

Den1
In reply to this post by Wietse Venema
Wietse Venema wrote
zen.spamhaus.org provides a service that depends on the DNS client IP
address. Low-volume DNS clients get free service, but high-volume
DNS clients have to pay for a subscription.

For example, if you use the resolver at a big ISP, or a public
service like 8.8.8.8 or 4.4.4.4, then zen.spamhaus.org won't work
well for you, if at all.

        Wietse
Thank you so much once again for your assistance. It's absolutely clear now. Much obliged.

Re: postscreen and smtpd_recipient_restrictions

Den1
In reply to this post by Peter van der Does
Peter van der Does wrote
Spamhaus and others limit the replies to queries coming from large DNS
providers[1], like Wietse said.

You can overcome this issue by running a forwarding DNS server
locally on your network and using it as the DNS resolver for your network.

Peter

[1] https://www.spamhaus.org/faq/section/DNSBL%20Usage#365
That's a pretty cool idea. Will take a closer look. Thank you!