postscreen dnsbl AND smtpd_recipient_restrictions rbl?

postscreen dnsbl AND smtpd_recipient_restrictions rbl?

techlist06
I'm converting to use postscreen.  I have a question about dnsbl's in postscreen vs smtpd_recipient_restrictions

Following threads here and a git by Steve Jenkins I was going to start with this for postscreen:

postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        bl.mailspike.net*2
        b.barracudacentral.org*2
        bl.spameatingmonkey.net
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[2..15].0*-2
        list.dnswl.org=127.0.[2..15].1*-3
        list.dnswl.org=127.0.[2..15].[2..3]*-4
        wl.mailspike.net=127.0.0.[17;18]*-1
        wl.mailspike.net=127.0.0.[19;20]*-2

I had my smtpd_recipient_restrictions RBLs as:
  ...
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
  reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
  reject_rbl_client bl.spamcop.net
  reject_rbl_client psbl.surriel.com
  reject_rbl_client cbl.abuseat.org,
  ...

I've seen in other threads configs that left some but not all rbl's in their smtpd_recipient_restrictions.  If I'm going to reject no matter what at smtpd_recipient_restrictions, it seems I should give that rbl a high score in postscreen checks and not do the second check in smtpd_recipient_restrictions?  I understood that the second lookup is "free" since it's cached, but is there any advantage/disadvantage to having both?

Any advice appreciated.


Re: postscreen dnsbl AND smtpd_recipient_restrictions rbl?

/dev/rob0
On Sat, Jul 15, 2017 at 10:30:25AM -0700, techlist06 wrote:
> I'm converting to use postscreen.  I have a question about dnsbl's
> in postscreen vs smtpd_recipient_restrictions
>
> Following threads here and a git by Steve Jenkins I was going to
> start with this for postscreen:
>
> postscreen_dnsbl_sites =
>         zen.spamhaus.org*3

This looks similar to my own config, from which I think Steve adapted
his.  I presume therefore that you're using a threshold of 3?

>         bl.mailspike.net*2
>         b.barracudacentral.org*2
>         bl.spameatingmonkey.net
>         bl.spamcop.net
>         dnsbl.sorbs.net
>         psbl.surriel.com
>         swl.spamhaus.org*-4

SWL is no longer active; the zone has been emptied.

>         list.dnswl.org=127.0.[2..15].0*-2
>         list.dnswl.org=127.0.[2..15].1*-3
>         list.dnswl.org=127.0.[2..15].[2..3]*-4
>         wl.mailspike.net=127.0.0.[17;18]*-1
>         wl.mailspike.net=127.0.0.[19;20]*-2
>
> I had my smtpd_recipient_restrictions RBLs as:
>   ...
>   reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
>   reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
>   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
>   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],

>   reject_rbl_client bl.spamcop.net
>   reject_rbl_client psbl.surriel.com

I would not use those two to reject outright.  If you wanted to do
that, why not just increase their postscreen scoring to 3?

>   reject_rbl_client cbl.abuseat.org,

While there can be occasional slight lag between XBL (part of Zen)
and CBL, that's not significant.  You already have this query, in
effect, through the Zen lookup.

> I've seen in other threads configs that left some but not all rbl's
> in their smtpd_recipient_restrictions.  If I'm going to reject no
> matter what at smtpd_recipient_restrictions, it seems I should give
> that rbl a high score in postscreen checks and not do the second
> check in smtpd_recipient_restrictions?  I understood that the
> second lookup is "free" since it's cached, but is there any
> advantage/disadvantage to having both?

Advantages:
- Second chance in case of slow DNS response to dnsblog(8)
- Second chance in case a Zen-listed host was on one of your
  DNS whitelist queries (these should be rare, and I think the
  popular DNSWL services check Zen against their own lists.)

Disadvantage:
- The tiny time and CPU expenditure of the second, cached lookup

> Any advice appreciated.

It really can't hurt to leave it enabled, if it's a DNSBL you
considered worthy to use to block outright.  I would, however, advise
you to remove the PSBL and spamcop smtpd restrictions.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
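
Added example, not part of either poster's message: a Python sketch of how postscreen's weighted DNSBL scoring plays out for the list and threshold of 3 discussed above, including the whitelist-offset case that the second, smtpd-level Zen check covers. The DNS replies are constructed and the function names are hypothetical; the model assumes each entry's weight is applied at most once per client.

```python
import re

# The poster's list, minus swl.spamhaus.org (the reply says that zone is empty).
SITES = """
zen.spamhaus.org*3
bl.mailspike.net*2
b.barracudacentral.org*2
bl.spameatingmonkey.net
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
list.dnswl.org=127.0.[2..15].0*-2
list.dnswl.org=127.0.[2..15].1*-3
list.dnswl.org=127.0.[2..15].[2..3]*-4
wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2
""".split()
THRESHOLD = 3  # postscreen_dnsbl_threshold, as confirmed in the thread

def parse_entry(entry):
    """Split 'domain[=filter][*weight]'; the weight defaults to 1."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    return m.group(1), m.group(2), int(m.group(3) or 1)

def octet_matches(pattern, value):
    """Match one octet against 'N' or a '[a;b..c]' list of numbers and ranges."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """True if a reply address passes the entry's filter (no filter: any reply)."""
    if filt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)  # keeps '[2..15]' as one octet
    return all(octet_matches(p, int(o)) for p, o in zip(patterns, reply.split(".")))

def score(replies):
    """replies maps DNSBL domain -> list of reply IPs; sums matching entry weights."""
    return sum(w for d, f, w in map(parse_entry, SITES)
               if any(reply_matches(f, r) for r in replies.get(d, [])))

def postscreen_blocks(replies):
    return score(replies) >= THRESHOLD

# Constructed DNS answers (not real lookups).
ZEN_ONLY = {"zen.spamhaus.org": ["127.0.0.4"]}
ZEN_AND_DNSWL = {"zen.spamhaus.org": ["127.0.0.4"], "list.dnswl.org": ["127.0.5.2"]}
ZEN_TIMEOUT = {"bl.spamcop.net": ["127.0.0.2"], "psbl.surriel.com": ["127.0.0.2"]}
```

ZEN_AND_DNSWL scores -1 and ZEN_TIMEOUT (no Zen answer in time) scores 2, so postscreen passes both clients; a reject_rbl_client zen.spamhaus.org left in smtpd_recipient_restrictions is the check that can still catch them.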
RE: postscreen dnsbl AND smtpd_recipient_restrictions rbl?

techlist06
>This looks similar to my own config, from which I think Steve adapted his. I
>presume therefore that you're using a threshold of 3?

Yes.

>SWL is no longer active; the zone has been emptied.

Check.  Thanks.

>>   reject_rbl_client bl.spamcop.net
>>   reject_rbl_client psbl.surriel.com
>
>I would not use those two to reject outright.  If you wanted to do that, why not
>just increase their postscreen scoring to 3?

Thanks.  Yes, that was kind of an indirect to my original question.  If
wanting to reject outright, increase score.

>>   reject_rbl_client cbl.abuseat.org,
>
>While there can be occasional slight lag between XBL (part of Zen) and CBL,
>that's not significant.  You already have this query, in effect, through the Zen
>lookup.

Check.  Will remove.  

>- Second chance in case of slow DNS response to dnsblog(8)
>- Second chance in case a Zen-listed host was on one of your
>  DNS whitelist queries (these should be rare, and I think the
>  popular DNSWL services check Zen against their own lists.)
>
>Disadvantage:
>- The tiny time and CPU expenditure of the second, cached lookup
>
>> Any advice appreciated.
>
>It really can't hurt to leave it enabled, if it's a DNSBL you considered worthy to
>use to block outright.  I would, however, advise you to remove the PSBL and
>spamcop smtpd restrictions.

Wilco.

Thanks Rob, much appreciated.



