re-route mails on demand during block of ip address

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

re-route mails on demand during block of ip address

Stefan Bauer-2
Hi,

I'm running a pair of postfix-servers in different data-centers (different ip networks) for outgoing-only delivery. once in a while my providers /22 appear on public blacklists, so mails from my nodes also gets rejected.

For this, i have now a third backup-instance in another data center that is not visible to my users and only fairly with dummy mails used to keep reputation up and good. Howto re-route traffic on demand with postfix in case, ip-networks get blocked again?

How do others handle this?

Thank you.

Stefan
Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

Noel Jones-2
On 5/31/2019 1:48 AM, Stefan Bauer wrote:

> Hi,
>
> I'm running a pair of postfix-servers in different data-centers
> (different ip networks) for outgoing-only delivery. once in a while
> my providers /22 appear on public blacklists, so mails from my nodes
> also gets rejected.
>
> For this, i have now a third backup-instance in another data center
> that is not visible to my users and only fairly with dummy mails
> used to keep reputation up and good. Howto re-route traffic on
> demand with postfix in case, ip-networks get blocked again?
>
> How do others handle this?
>
> Thank you.
>
> Stefan


Much better to send all your mail via the ISP that doesn't get their
whole space blocked, rather than a crappy workaround.

For a crappy workaround, you can use smtp_reply_filter to turn 5xx
rejects due to blacklists into 4xx temp failures, then use
smtp_fallback_relay to send the temp failures to your backup server.
  This will send other mail to the backup server, such as greylisted
mail or mail that temp fails for unrelated reasons. Try to make your
reply filter narrow enough that it doesn't transform rejects for
non-rbl reasons, such as unknown recipient.

http://www.postfix.org/postconf.5.html#smtp_reply_filter
http://www.postfix.org/postconf.5.html#smtp_fallback_relay



   -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

Stefan Bauer-2
Hi Noel,

thank you for your reply. You know, in real world, ips/ranges get blocked from time to time and i would like to be ready for this and not rely on others :)
The workaround looks indeed crappy - i wonder how others handle this situation in "bigger" setups? I'm currently having 7000-8000 mails / day.

Stefan

Am Fr., 31. Mai 2019 um 18:37 Uhr schrieb Noel Jones <[hidden email]>:
On 5/31/2019 1:48 AM, Stefan Bauer wrote:
> Hi,
>
> I'm running a pair of postfix-servers in different data-centers
> (different ip networks) for outgoing-only delivery. once in a while
> my providers /22 appear on public blacklists, so mails from my nodes
> also gets rejected.
>
> For this, i have now a third backup-instance in another data center
> that is not visible to my users and only fairly with dummy mails
> used to keep reputation up and good. Howto re-route traffic on
> demand with postfix in case, ip-networks get blocked again?
>
> How do others handle this?
>
> Thank you.
>
> Stefan


Much better to send all your mail via the ISP that doesn't get their
whole space blocked, rather than a crappy workaround.

For a crappy workaround, you can use smtp_reply_filter to turn 5xx
rejects due to blacklists into 4xx temp failures, then use
smtp_fallback_relay to send the temp failures to your backup server.
  This will send other mail to the backup server, such as greylisted
mail or mail that temp fails for unrelated reasons. Try to make your
reply filter narrow enough that it doesn't transform rejects for
non-rbl reasons, such as unknown recipient.

http://www.postfix.org/postconf.5.html#smtp_reply_filter
http://www.postfix.org/postconf.5.html#smtp_fallback_relay



   -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

Blake Hudson
The majority of blacklists work on the individual host level (IPv4 /32 or IPv6 /64). If your provider's entire /22 is being listed by public blacklists then I suspect you either have a very disreputable provider or the provider has indicated that the /22 is intended for use by residential/dynamic subscribers only (not for mail servers). Most of the folks with the "bigger" setups you asked about tend to use reputable providers, use internet connections intended for servers, or obtain their own IP space. If you intend to operate an email server, you might want to find a provider whose policies allow you to do so reliably.

Stefan Bauer wrote on 5/31/2019 12:12 PM:
Hi Noel,

thank you for your reply. You know, in real world, ips/ranges get blocked from time to time and i would like to be ready for this and not rely on others :)
The workaround looks indeed crappy - i wonder how others handle this situation in "bigger" setups? I'm currently having 7000-8000 mails / day.

Stefan

Am Fr., 31. Mai 2019 um 18:37 Uhr schrieb Noel Jones <[hidden email]>:
On 5/31/2019 1:48 AM, Stefan Bauer wrote:
> Hi,
>
> I'm running a pair of postfix-servers in different data-centers
> (different ip networks) for outgoing-only delivery. once in a while
> my providers /22 appear on public blacklists, so mails from my nodes
> also gets rejected.
>
> For this, i have now a third backup-instance in another data center
> that is not visible to my users and only fairly with dummy mails
> used to keep reputation up and good. Howto re-route traffic on
> demand with postfix in case, ip-networks get blocked again?
>
> How do others handle this?
>
> Thank you.
>
> Stefan

Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

@lbutlr
In reply to this post by Stefan Bauer-2
On 31 May 2019, at 11:12, Stefan Bauer <[hidden email]> wrote:
> thank you for your reply. You know, in real world, ips/ranges get blocked from time to time

Not be legitimate RBLs they don't unless you are actually sending spam. If more IPs than just you mail server are getting blocked, then you probably need to get a new NSP that doesn't tolerate spammers.

If you want to send mail to others you pretty much need to meet these criteria.

Fixed IP with valid rDNS
NSP that does not allow spammers
A valid secure configuration on your server (no open relay)
Not be sending spam yourself

If you can't meet all of those, then you need to rely on someone else who does meet those minimums to send mail on your behalf.

I've been through several IP changes over the years and the only RBL that haas ever listed me was barracuda, which was coincidently after I replied to one of their marketing emails
with "fuck off" but even that was more than a decade ago.


--
'Detectoring is like gambling,' said Vimes, putting down the clove. 'The
secret is to know the winner in advance.'


Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

Noel Jones-2
In reply to this post by Noel Jones-2
On 3/10/2020 4:55 PM, Stefan Bauer wrote:
> Hi Noel,
>
> i know this is quite old, but
> smtp_fallback_relay should only get triggered on
> undeliverable-events and not when remote replies with a 4xx or 5xx -
> right?
>
>


That's what the docs say, which implies my off-the-cuff crappy
workaround is misguided.
http://www.postfix.org/postconf.5.html#smtp_fallback_relay

So the solution is to use a better ISP.



   -- Noel Jones


>
> Am Freitag, 31. Mai 2019 schrieb Noel Jones <[hidden email]
> <mailto:[hidden email]>>:
>  > On 5/31/2019 1:48 AM, Stefan Bauer wrote:
>  >>
>  >> Hi,
>  >>
>  >> I'm running a pair of postfix-servers in different data-centers
> (different ip networks) for outgoing-only delivery. once in a while
> my providers /22 appear on public blacklists, so mails from my nodes
> also gets rejected.
>  >>
>  >> For this, i have now a third backup-instance in another data
> center that is not visible to my users and only fairly with dummy
> mails used to keep reputation up and good. Howto re-route traffic on
> demand with postfix in case, ip-networks get blocked again?
>  >>
>  >> How do others handle this?
>  >>
>  >> Thank you.
>  >>
>  >> Stefan
>  >
>  >
>  > Much better to send all your mail via the ISP that doesn't get
> their whole space blocked, rather than a crappy workaround.
>  >
>  > For a crappy workaround, you can use smtp_reply_filter to turn
> 5xx rejects due to blacklists into 4xx temp failures, then use
> smtp_fallback_relay to send the temp failures to your backup
> server.  This will send other mail to the backup server, such as
> greylisted mail or mail that temp fails for unrelated reasons. Try
> to make your reply filter narrow enough that it doesn't transform
> rejects for non-rbl reasons, such as unknown recipient.
>  >
>  > http://www.postfix.org/postconf.5.html#smtp_reply_filter
>  > http://www.postfix.org/postconf.5.html#smtp_fallback_relay
>  >
>  >
>  >
>  >   -- Noel Jones
>  >

Reply | Threaded
Open this post in threaded view
|

Re: re-route mails on demand during block of ip address

Viktor Dukhovni
On Tue, Mar 10, 2020 at 05:18:01PM -0500, Noel Jones wrote:

> On 3/10/2020 4:55 PM, Stefan Bauer wrote:
> >
> > i know this is quite old, but
> > smtp_fallback_relay should only get triggered on
> > undeliverable-events and not when remote replies with a 4xx or 5xx -
> > right?

Not quite.  When a delivery via the primary nexthop tempfails, the
fallback relay is used:

    smtp_mx_session_limit (default: 2)
        The maximal number of SMTP sessions per delivery request before the
        Postfix SMTP client gives up or delivers to a fall-back relay host, or
        zero (no limit). This restriction ignores sessions that fail to
        complete the SMTP initial handshake (Postfix version 2.2 and earlier)
        or that fail to complete the EHLO and TLS handshake (Postfix version
        2.3 and later).

With 5xx, of course, the message the message is normally immediately
bounced (modulo soft_bounce and all that).

--
    Viktor.