regexp for allowing helo host


regexp for allowing helo host

Eric Abrahamsen
I'm trying to successfully receive emails from my state's health care
service, which is apparently broken in the way it sends emails. These
are the errors:

ericabrahamsen.net/smtpd[24193]: warning: hostname\
     mail-relay.secure-24.net does not resolve to address 199.71.239.178

ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
     unknown[199.71.239.178]: 550 5.7.1\
     <msp-es0101mta01.msp.secure-24.net>: Helo command rejected: Host\
     not found; from=<[hidden email]>\
     to=<[hidden email]> proto=ESMTP\
     helo=<msp-es0101mta01.msp.secure-24.net>

The helo host seems to change every time; at least there are a lot of
them.

I just want to check here: is it safe to change my check_helo_access
from a hash to a regexp, and do:

/msp.secure-24.net/ OK

Is that likely to cause me any problems?

Thanks!
Eric


Re: regexp for allowing helo host

Eric Abrahamsen
Eric Abrahamsen <[hidden email]> writes:

> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
>
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>      mail-relay.secure-24.net does not resolve to address 199.71.239.178
>
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>      unknown[199.71.239.178]: 550 5.7.1\
>      <msp-es0101mta01.msp.secure-24.net>: Helo command rejected: Host\
>      not found; from=<[hidden email]>\
>      to=<[hidden email]> proto=ESMTP\
>      helo=<msp-es0101mta01.msp.secure-24.net>
>
> The helo host seems to change every time; at least there are a lot of
> them.
>
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
>
> /msp.secure-24.net/ OK
>
> Is that likely to cause me any problems?

Hmm, I just tried it, and it didn't actually work! Anyway, any advice on
this would be much appreciated...


Re: regexp for allowing helo host

John Peach
In reply to this post by Eric Abrahamsen
On 11/15/16 13:43, Eric Abrahamsen wrote:
> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
>
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>      mail-relay.secure-24.net does not resolve to address 199.71.239.178


You could just whitelist 199.71.236.0/22

>
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>      unknown[199.71.239.178]: 550 5.7.1\
>      <msp-es0101mta01.msp.secure-24.net>: Helo command rejected: Host\
>      not found; from=<[hidden email]>\
>      to=<[hidden email]> proto=ESMTP\
>      helo=<msp-es0101mta01.msp.secure-24.net>
>
> The helo host seems to change every time; at least there are a lot of
> them.
>
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
>
> /msp.secure-24.net/ OK
>
> Is that likely to cause me any problems?
>
> Thanks!
> Eric
>




--
John
PGP Public Key: 412934AC

Re: regexp for allowing helo host

Bill Cole-3
In reply to this post by Eric Abrahamsen
On 15 Nov 2016, at 13:46, Eric Abrahamsen wrote:

> Eric Abrahamsen <[hidden email]> writes:
>
>> I'm trying to successfully receive emails from my state's health care
>> service, which is apparently broken in the way it sends emails. These
>> are the errors:
>>
>> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>>      mail-relay.secure-24.net does not resolve to address
>> 199.71.239.178
>>
>> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>>      unknown[199.71.239.178]: 550 5.7.1\
>>      <msp-es0101mta01.msp.secure-24.net>: Helo command rejected:
>> Host\
>>      not found; from=<[hidden email]>\
>>      to=<[hidden email]> proto=ESMTP\
>>      helo=<msp-es0101mta01.msp.secure-24.net>
>>
>> The helo host seems to change every time; at least there are a lot of
>> them.
>>
>> I just want to check here: is it safe to change my check_helo_access
>> from a hash to a regexp, and do:
>>
>> /msp.secure-24.net/ OK
>>
>> Is that likely to cause me any problems?
>
> Hmm, I just tried it, and it didn't actually work! Anyway, any advice
> on
> this would be much appreciated...

You've got reject_unknown_helo_hostname in a smtpd_*_restrictions list.
Which one is unknown, as you've ignored the suggestions provided when
you subscribed here and about a dozen times per week on the list about
how to help us help you. The ordering of directives in each restriction
list and which list has reject_unknown_helo_hostname in it determines
how you would need to whitelist patterns against it. Provide postconf
-nf output for more specific help.

Be aware that if you use reject_unknown_helo_hostname you will have a
steady stream of cases for which  you will have to make special
exceptions. How steady that stream is depends more on your volume and
diversity of legitimate mail than on how heavily spammed you are.

Re: regexp for allowing helo host

Tanstaafl
On 11/15/2016 6:11 PM, Bill Cole
<[hidden email]> wrote:
> Be aware that if you use reject_unknown_helo_hostname you will have a
> steady stream of cases for which  you will have to make special
> exceptions. How steady that stream is depends more on your volume and
> diversity of legitimate mail than on how heavily spammed you are.

What Bill is saying here is that using reject_unknown_helo_hostname to
outright reject clients will reject legitimate clients, so unless you
have a good reason for doing so, know what you are doing, and are
prepared to handle issues like you are experiencing now, don't do it.

RE: regexp for allowing helo host

L.P.H. van Belle
I suggest you read:
http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html

Personally I use the following.
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination

and in the helo.pcre
## Name based
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^domain\.tld$/                 554 Don't use my own domainname
/^hostname\.domain\.tld$/       554 Don't use my own hostname

## IP based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^\:\:1$/                       554 Don't use my own IP address
/^\[\:\:1\]$/                   554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address

And change domain.tld to your domain.
Here you need all names known to your server (for accepting mail).
And change IP 1.2.3.4 to your IP.

The allow_helo_access.map is used for annoying customers, to allow them.
I give them 2 weeks to fix their setup.
Also, due to changes in Dutch law, I'm obligated to check the HELO for correctness.

Normally I just refer to these links.
(RFC 2821 sections 3.6, 4.1.1.1 and 10.3, and RFC 5321 section 2.3.5)
https://www.ietf.org/rfc/rfc2821.txt
https://www.ietf.org/rfc/rfc5321.txt

and lots of misconfigured Exchange servers (mostly the .local domains)
https://technet.microsoft.com/EN-US/library/jj657457(v=exchg.150).aspx
Lots of them forget to adjust the outgoing SMTP connectors.

And best of all (to avoid spam): the use of postscreen.
Example:
### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner         = $myhostname, checking blacklists, please wait.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list          =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        b.barracudacentral.org*4
        bad.psky.me*4
        zen.spamhaus.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        dnsbl.anonmails.de*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        dnsbl.sorbs.net*1
        spam.dnsbl.sorbs.net*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        hostkarma.junkemailfilter.com=127.0.0.3
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        # whitelists
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[0..255].[2;3]*-1
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1

At this moment the antispam server behind this Postfix setup
is 99.7% spam free.
A good check for RBL servers: http://multirbl.valli.org/



Best regards,

Louis




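The postscreen_dnsbl_sites list above only makes sense together with postscreen_dnsbl_threshold = 4: each entry carries a weight (1 when omitted, negative for the whitelists), an entry counts when an A record returned by its domain matches its optional d.d.d.d filter (an octet may be a number, an `[a;b]` list or an `[a..b]` range), and the client is blocked once the weights add up to the threshold. The script below is an added example, not part of the thread or of Postfix itself; it parses an excerpt of the posted list and scores four constructed sets of DNSBL replies. One zen.spamhaus.org hit alone reaches the threshold, a SpamCop hit offset by a dnswl.org listing does not, and a host that only appears on the reputation whitelists ends up with a negative score.

```python
"""Reproduce postscreen's weighted DNSBL scoring for a postscreen_dnsbl_sites
value (added example, not from the thread). DNS replies are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Excerpt of the posted list (a subset, so the arithmetic stays readable).
DNSBL_SITES = """
    zen.spamhaus.org*4
    bl.spamcop.net*2
    psbl.surriel.com*2
    spam.dnsbl.sorbs.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
    hostkarma.junkemailfilter.com=127.0.0.1*-1
"""
THRESHOLD = 4  # postscreen_dnsbl_threshold from the posted config

_ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
_OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")  # one octet: '3', '[2;4]' or '[0..255]'


@dataclass
class DnsblSite:
    domain: str
    filters: Optional[List[Set[int]]]  # allowed values per octet; None = any reply
    weight: int


def _octet_values(spec: str) -> Set[int]:
    """Expand one octet spec into the set of values it accepts."""
    if not spec.startswith("["):
        return {int(spec)}
    values: Set[int] = set()
    for part in spec[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    return values


def parse_dnsbl_sites(value: str) -> List[DnsblSite]:
    """Parse 'domain[=d.d.d.d][*weight]' entries; the weight defaults to 1.
    Entries are separated by whitespace or commas; lines whose first non-blank
    character is '#' are skipped, like the one in the posted value."""
    sites: List[DnsblSite] = []
    for line in value.splitlines():
        if line.strip().startswith("#"):
            continue
        for token in line.replace(",", " ").split():
            m = _ENTRY_RE.match(token)
            if not m:
                raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
            domain, filt, weight = m.groups()
            filters = None
            if filt:
                octets = _OCTET_RE.findall(filt)
                if len(octets) != 4:
                    raise ValueError(f"filter is not d.d.d.d: {filt!r}")
                filters = [_octet_values(o) for o in octets]
            sites.append(DnsblSite(domain, filters, int(weight) if weight else 1))
    return sites


def _matches(site: DnsblSite, reply: str) -> bool:
    """Does one A record returned by site.domain satisfy the site's filter?"""
    if site.filters is None:
        return True
    octets = [int(o) for o in reply.split(".")]
    return len(octets) == 4 and all(o in ok for o, ok in zip(octets, site.filters))


def dnsbl_score(sites: List[DnsblSite], replies: Dict[str, Set[str]]) -> int:
    """Add each entry's weight once if any record returned for its domain
    matches its filter; replies maps DNSBL domain -> set of A records."""
    return sum(
        site.weight
        for site in sites
        if any(_matches(site, rec) for rec in replies.get(site.domain, ()))
    )


def is_blocked(sites: List[DnsblSite], replies: Dict[str, Set[str]],
               threshold: int = THRESHOLD) -> bool:
    return dnsbl_score(sites, replies) >= threshold


# Constructed lookup results for four hypothetical clients.
CLIENTS: Dict[str, Dict[str, Set[str]]] = {
    "zen-only": {"zen.spamhaus.org": {"127.0.0.4"}},
    "spamcop+dnswl": {"bl.spamcop.net": {"127.0.0.2"}, "list.dnswl.org": {"127.0.5.2"}},
    "two-lists": {"psbl.surriel.com": {"127.0.0.2"}, "spam.dnsbl.sorbs.net": {"127.0.0.6"},
                  "rep.mailspike.net": {"127.0.0.14"}},
    "good-rep": {"hostkarma.junkemailfilter.com": {"127.0.0.1"},
                 "rep.mailspike.net": {"127.0.0.18"}},
}


def scores() -> Dict[str, int]:
    """Score every constructed client against the excerpt above."""
    sites = parse_dnsbl_sites(DNSBL_SITES)
    return {name: dnsbl_score(sites, replies) for name, replies in CLIENTS.items()}


if __name__ == "__main__":
    sites = parse_dnsbl_sites(DNSBL_SITES)
    for name, replies in CLIENTS.items():
        print(f"{name:14s} score={dnsbl_score(sites, replies):3d} "
              f"blocked={is_blocked(sites, replies)}")
```

The weights are what turn a pile of lists into a policy: a single high-confidence list (zen.spamhaus.org at 4) is enough on its own, the lower-confidence lists need two or more independent hits, and the negative entries let a well-reputed host survive one false positive on a list weighted 2 or less.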

Re: regexp for allowing helo host

Florian Piekert
On 16.11.2016 at 13:59, L.P.H. van Belle wrote:

After going from
postscreen_dnsbl_sites =
  zen.spamhaus.org*2,
  bl.mailspike.net,
  bl.spamcop.net,
  b.barracudacentral.org,
  swl.spamhaus.org*-2
to

> postscreen_dnsbl_sites =
>         b.barracudacentral.org*4
>         bad.psky.me*4
>         zen.spamhaus.org*4
>         dnsbl.cobion.com*2
>         bl.spameatingmonkey.net*2
>         fresh.spameatingmonkey.net*2
>         dnsbl.anonmails.de*2
>         dnsbl.kempt.net*1
>         dnsbl.inps.de*2
>         bl.spamcop.net*2
>         dnsbl.sorbs.net*1
>         spam.dnsbl.sorbs.net*2
>         psbl.surriel.com*2
>         bl.mailspike.net*2
>         rep.mailspike.net=127.0.0.[13;14]*1
>         bl.suomispam.net*2
>         bl.blocklist.de*2
>         ix.dnsbl.manitu.net*2
>         dnsbl-2.uceprotect.net
>         hostkarma.junkemailfilter.com=127.0.0.3
>         hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
>         # whitelists
>         swl.spamhaus.org*-4
>         list.dnswl.org=127.0.[0..255].[2;3]*-1
>         rep.mailspike.net=127.0.0.[17;18]*-1
>         rep.mailspike.net=127.0.0.[19;20]*-2
>         hostkarma.junkemailfilter.com=127.0.0.1*-1
I am rewarded with
Nov 16 14:20:35 blueberry postfix/postscreen[18461]: warning:
psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily
unavailable
Nov 16 14:20:35 blueberry postfix/postscreen[18461]: message repeated 7
times: [ warning: psc_dnsbl_request: connect to private/dnsblog service:
Resource temporarily unavailable]

Any idea?!

I stopped pf, removed the postscreen_cache.db file just in case, restarted
pf. Still getting those messages...

--

Florian Piekert, PMP                                      [hidden email]

Spargelweg 5                                Telephone+Fax: +49-179- 3928582
38179 Schwülper-Walle/Germany

===========================================================================
Note:  this message was  send by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  [hidden email]. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to  this address of mine.Thx!



RE: regexp for allowing helo host

L.P.H. van Belle
Ah yes,

In master.cf adjust these.

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog





RE: regexp for allowing helo host

L.P.H. van Belle
In reply to this post by Florian Piekert
Some good info to read.

http://rob0.nodns4.us/postscreen.html
http://blog.schaal-24.de/mail/postscreen-im-kampf-gegen-spam/?lang=en 

and of course a must read:
http://www.postfix.org/POSTSCREEN_README.html 

Greetz,

Louis



Re: regexp for allowing helo host

Florian Piekert
In reply to this post by L.P.H. van Belle
On 16.11.2016 at 14:35, L.P.H. van Belle wrote:

I have those entries in master.cf, except mine have "n" for
chroot as well (should be transparent)...

I assume it is due to the sheer NUMBER of dnsbl sites to query simultaneously?

> Ah yes,
>
> In master.cf  adust these.
>
> smtp      inet  n       -       -       -       1       postscreen
> smtpd     pass  -       -       -       -       -       smtpd
> dnsblog   unix  -       -       -       -       0       dnsblog
>


RE: regexp for allowing helo host

L.P.H. van Belle
Hi Florian,

No, that is due to my setup with the MailScanner antispam behind it.

Just give those sites a good read, and then adjust the config to your needs.

Running a caching DNS on that server helps DNS queries.
In addition, install fail2ban and add postfix-dnsbl.conf
with filter:
failregex = NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550 5.7.1 Service unavailable; client \[(.*)\] blocked

And this all helped bring my traffic down by about 5-10%. Not much, but still.


Greetz,

Louis






Re: regexp for allowing helo host

Florian Piekert
On 16.11.2016 at 15:00, L.P.H. van Belle wrote:

Hello,

> No, Thats is due my setup with the mailscanner antispam behind it.

What is so different in your pf configuration, that you do not encounter
these warnings?
Nov 16 17:08:31 blueberry postfix/postscreen[27495]: warning:
psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily
unavailable
Nov 16 17:08:31 blueberry postfix/postscreen[27495]: message repeated 8
times: [ warning: psc_dnsbl_request: connect to private/dnsblog service:
Resource temporarily unavailable]

I have now 20 (!) dnsblog processes running and still I receive these warnings.

> Just give those sites a good read, and the adjust the config to your needs.
>
> Running a caching dns on that server helps dns queries.

I have a full-fledged bind9 running, doing exactly that...

> Extra to that, install fail2ban and add postfix-dnsbl.conf

Or is there something I miss, Wietse? Viktor?

Cheers,
Florian


Re: regexp for allowing helo host

Eric Abrahamsen
In reply to this post by Tanstaafl
Tanstaafl <[hidden email]> writes:

> On 11/15/2016 6:11 PM, Bill Cole
> <[hidden email]> wrote:
>> Be aware that if you use reject_unknown_helo_hostname you will have a
>> steady stream of cases for which  you will have to make special
>> exceptions. How steady that stream is depends more on your volume and
>> diversity of legitimate mail than on how heavily spammed you are.
>
> What Bill is saying here is using reject_unknown_helo_hostname to
> outright reject clients will reject legitimate clients, so unless you
> have a good reason for doing so and know what you are doing and are
> prepared to handle issues like you are experiencing now, or don't do it.

Okay, thanks for all the responses. First of all, sorry for not
specifying this at the beginning:

smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access regexp:/etc/postfix/helo_access,
   reject_invalid_helo_hostname,
   reject_unknown_helo_hostname

I had been under the impression that rejecting unknown hostnames was a
fairly normal thing to do (on my low-usage server, I've only had to add
two exceptions). If it isn't, I'll just take it out, I'm not set on
using it.

Thanks for the link, Louis.

Eric

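The pattern from the question, `/msp.secure-24.net/ OK`, and John's CIDR suggestion behave very differently against a HELO name the remote side chooses. The script below is an added example, not code from the thread or from Postfix: it re-implements just enough of the regexp: and cidr: access-table rules (first matching line wins; regexp patterns are searched unanchored and case-insensitively unless the `i` flag toggles that; `!` negates a pattern) to show that the unanchored pattern with unescaped dots also matches a constructed HELO such as msp.secure-24.net.attacker.example, that an anchored pattern with escaped dots does not, and that a cidr: table keyed on the client address matches the relay in the log but not a constructed address. The tightened pattern assumes every relay announces a name under .msp.secure-24.net, which the log shows for one host only. Keep in mind that an OK from check_helo_access only ends the helo restriction list; the other restriction lists still run.

```python
"""Simulate Postfix regexp: and cidr: access-table lookups to see what a
HELO allow-list pattern really matches (added example, not from the thread)."""
import ipaddress
import re
from typing import List, Optional, Tuple, Union

RegexpTable = List[Tuple[re.Pattern, bool, str]]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
CidrTable = List[Tuple[Network, str]]


def parse_regexp_table(text: str) -> RegexpTable:
    """Parse the subset of regexp_table(5) used here: one '/pattern/[i]' per
    line, an optional leading '!' to negate it, then the result. As in
    Postfix, matching is case-insensitive unless the 'i' flag toggles it,
    patterns are searched rather than anchored, and the first match wins."""
    table: RegexpTable = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/((?:\\.|[^/])*)/([a-z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unparseable regexp table line: {raw!r}")
        negate, pattern, flags, result = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        table.append((re.compile(pattern, re_flags), negate == "!", result))
    return table


def lookup_regexp(table: RegexpTable, key: str) -> Optional[str]:
    """Result of the first matching line, or None when nothing matches."""
    for pattern, negated, result in table:
        if bool(pattern.search(key)) != negated:
            return result
    return None


def parse_cidr_table(text: str) -> CidrTable:
    """Parse cidr_table(5) lines of the form 'network/prefix result'."""
    table: CidrTable = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        network, result = line.split(None, 1)
        table.append((ipaddress.ip_network(network, strict=False), result))
    return table


def lookup_cidr(table: CidrTable, client_ip: str) -> Optional[str]:
    """First network containing the client address wins, as in Postfix."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in table:
        if addr.version == network.version and addr in network:
            return result
    return None


# The pattern from the question: dots unescaped and no anchors.
LOOSE_HELO_TABLE = "/msp.secure-24.net/ OK\n"
# Tighter form; assumes every relay announces a name under .msp.secure-24.net.
STRICT_HELO_TABLE = r"/(^|\.)msp\.secure-24\.net$/ OK" + "\n"
# John's alternative: key on the client address, which the sender cannot pick.
CLIENT_CIDR_TABLE = "199.71.236.0/22 OK\n"

LEGIT_HELO = "msp-es0101mta01.msp.secure-24.net"    # from the log in the thread
LEGIT_IP = "199.71.239.178"                          # from the log in the thread
SPOOFED_HELO = "msp.secure-24.net.attacker.example"  # constructed: attacker-chosen HELO
SPOOFED_IP = "203.0.113.7"                           # constructed (RFC 5737 range)


def compare() -> dict:
    """Run every (table, input) pair and return the lookup results."""
    loose = parse_regexp_table(LOOSE_HELO_TABLE)
    strict = parse_regexp_table(STRICT_HELO_TABLE)
    cidr = parse_cidr_table(CLIENT_CIDR_TABLE)
    return {
        "loose/legit": lookup_regexp(loose, LEGIT_HELO),
        "loose/spoofed": lookup_regexp(loose, SPOOFED_HELO),
        "strict/legit": lookup_regexp(strict, LEGIT_HELO),
        "strict/spoofed": lookup_regexp(strict, SPOOFED_HELO),
        "cidr/legit": lookup_cidr(cidr, LEGIT_IP),
        "cidr/spoofed": lookup_cidr(cidr, SPOOFED_IP),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:15s} -> {verdict or 'no match'}")
```

On a real server the equivalent check is `postmap -q "msp-es0101mta01.msp.secure-24.net" regexp:/etc/postfix/helo_access`, which prints the result the running Postfix would get and nothing at all when no line matches; running it is the quickest way to tell a pattern that never matched from a pattern that matched in the wrong restriction list.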

Re: regexp for allowing helo host

Niklaas Baudet von Gersdorff-2
In reply to this post by L.P.H. van Belle
L.P.H. van Belle [2016-11-16 13:59 +0100] :

> I suggest you read :
> http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html 
> [...]
> At this moment the antispam server behind this postfix setup,
> is 99.7% spam free.
> A good check for rbl servers : http://multirbl.valli.org/ 

Thanks for sharing your configuration and links. All very helpful
-- and multirbl.valli.org is a great tool!

    Niklaas

Re: regexp for allowing helo host

Florian Piekert
In reply to this post by L.P.H. van Belle
On 16.11.2016 at 15:00, L.P.H. van Belle wrote:

Good evening,

can you check what your setting regarding

default_process_limit = 25

is? I had 10 and increased it to 25 and that somehow seems to have fixed it for me too.

Thank you!



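Florian's warning, `connect to private/dnsblog service: Resource temporarily unavailable`, went away once he raised default_process_limit from 10 to 25, and the master.cf line Louis posted gives dnsblog a maxproc of 0 (no limit) where a `-` would mean default_process_limit. The script below is an added example, not from the thread or from Postfix: it parses a constructed master.cf excerpt, works out the effective dnsblog process limit, and compares it with the number of lookups needed to screen one new connection. It assumes, as I understand postscreen to work, one dnsblog request per distinct DNSBL domain per client, with entries that differ only in filter or weight sharing a lookup; under that assumption the posted list has 22 distinct domains, so a limit of 10 is exhausted by the first connection, 25 covers one connection at a time but not two arriving together, and 0 removes the ceiling (and with it any bound on how many dnsblog processes a burst of connections can fork).

```python
"""Compare the dnsblog process limit in master.cf with what a
postscreen_dnsbl_sites list needs (added example, not from the thread)."""
import re
from typing import Dict, Optional

# Constructed master.cf excerpt; the dnsblog maxproc column is filled in by
# master_cf_with() so '-' (default_process_limit) and '0' (no limit) compare.
MASTER_CF_TEMPLATE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       {maxproc}       dnsblog
"""

# The list posted in the thread, whitespace-separated (Postfix allows that).
DNSBL_SITES = """
    b.barracudacentral.org*4 bad.psky.me*4 zen.spamhaus.org*4 dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2 fresh.spameatingmonkey.net*2 dnsbl.anonmails.de*2
    dnsbl.kempt.net*1 dnsbl.inps.de*2 bl.spamcop.net*2 dnsbl.sorbs.net*1
    spam.dnsbl.sorbs.net*2 psbl.surriel.com*2 bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1 bl.suomispam.net*2 bl.blocklist.de*2
    ix.dnsbl.manitu.net*2 dnsbl-2.uceprotect.net hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists
    swl.spamhaus.org*-4 list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1 rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-1
"""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def master_cf_with(dnsblog_maxproc: str) -> str:
    """Render the excerpt with the given value in dnsblog's maxproc column."""
    return MASTER_CF_TEMPLATE.format(maxproc=dnsblog_maxproc)


def parse_master_cf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'name/type': {column: value, 'command': ...}}. Comments and
    blank lines are dropped; indented continuation lines are folded."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries: Dict[str, Dict[str, str]] = {}
    for line in logical:
        fields = line.split(None, len(COLUMNS))
        if len(fields) != len(COLUMNS) + 1:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        entry = dict(zip(COLUMNS, fields))
        entry["command"] = fields[-1]
        entries[f"{entry['service']}/{entry['type']}"] = entry
    return entries


def effective_maxproc(entry: Dict[str, str], default_process_limit: int) -> Optional[int]:
    """maxproc column: '-' means default_process_limit, 0 means no limit (None)."""
    if entry["maxproc"] == "-":
        return default_process_limit
    limit = int(entry["maxproc"])
    return None if limit == 0 else limit


def distinct_dnsbl_domains(sites_value: str) -> int:
    """Count DNSBL domains, ignoring '=filter' and '*weight' suffixes (the
    assumption: entries for the same domain share one lookup)."""
    domains = set()
    for line in sites_value.splitlines():
        if line.strip().startswith("#"):
            continue
        for token in line.replace(",", " ").split():
            domains.add(re.split(r"[=*]", token, maxsplit=1)[0])
    return len(domains)


def dnsblog_headroom(master_cf: str, sites_value: str, default_process_limit: int,
                     concurrent_clients: int = 1) -> dict:
    """Compare the dnsblog process limit with the lookups needed to screen
    `concurrent_clients` new connections at the same moment."""
    entry = parse_master_cf(master_cf)["dnsblog/unix"]
    limit = effective_maxproc(entry, default_process_limit)
    needed = distinct_dnsbl_domains(sites_value) * concurrent_clients
    return {"limit": limit, "needed": needed, "ok": limit is None or limit >= needed}


if __name__ == "__main__":
    for maxproc, default_limit in (("-", 10), ("-", 25), ("0", 10)):
        result = dnsblog_headroom(master_cf_with(maxproc), DNSBL_SITES, default_limit)
        print(f"maxproc={maxproc} default_process_limit={default_limit}: {result}")
```

On a live system `postconf -M dnsblog/unix` and `postconf default_process_limit` show the two values the script reads from its constructed input, so the same arithmetic can be done against the real configuration before the list of DNSBL sites is grown.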