
postscreen whitelist


Terry Barnum

May 31, 2016, 8:17:20 PM
I have a subcontractor who uses web.com as his email provider. Some of their outgoing servers are listed on sorbs.net and postscreen (correctly) rejects his emails but I would like to be able to receive his email.

May 31 15:16:40 mail postfix/postscreen[36888]: NOQUEUE: reject: RCPT from [209.17.115.52]:50612: 550 5.7.1 Service unavailable; client [209.17.115.52] blocked using dnsbl.sorbs.net; from=<contr...@example.com>, to=<x...@dop.com>, proto=ESMTP, helo=<atl4mhob14.myregisteredsite.com>

Since web.com probably has a fleet of mail servers, do I need to find and enter all their IPs into my postscreen_access.cidr? Is there an easier way?

Thanks,
-Terry

$ postconf -n
body_checks = pcre:/opt/local/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/local/sbin
compatibility_level = 2
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debugger_command = PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
delay_warning_time = 4h
dovecot_destination_recipient_limit = 1
dspam-lmtp_destination_recipient_limit = 1
header_checks = pcre:/opt/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
message_size_limit = 51200000
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mailbox.dop.com
mynetworks = 192.168.0.0/23, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /opt/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/opt/local/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 bl.spameatingmonkey.net*2 all.spamrats.com=127.0.0.[36;38] bl.spamcannibal.org dnsbl-1.uceprotect.net dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 dnsbl.sorbs.net=127.0.0.[2..4]*2 dnsbl.sorbs.net=127.0.0.12*2 dnsbl.sorbs.net=127.0.0.14*2 aspews.ext.sorbs.net=127.0.0.2*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 bad.psky.me=127.0.0.[2;3] spam.dnsbl.anonmails.de dnsbl.kempt.net bl.spamcop.net wl.mailspike.net=127.0.0.[18;19;20]*-2 list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_timeout = 20s
postscreen_dnsbl_ttl = 4m
postscreen_greet_action = enforce
proxy_interfaces = 70.167.15.110
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/opt/local/etc/postfix/helo_checks, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_unlisted_recipient, check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre, check_helo_access hash:/opt/local/etc/postfix/helo_checks, check_sender_access hash:/opt/local/etc/postfix/sender_checks, check_client_access hash:/opt/local/etc/postfix/client_checks, check_reverse_client_hostname_access pcre:/opt/local/etc/postfix/fqrdns.pcre, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/opt/local/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:_vmail
virtual_mailbox_base = /Volumes/mail/vmail/
virtual_mailbox_domains = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = _vmail
virtual_transport = dovecot
virtual_uid_maps = static:_vmail


Terry Barnum
digital OutPost
Carlsbad, CA

http://www.dop.com
800/464-6434

Michael Orlitzky

May 31, 2016, 10:25:03 PM
On 05/31/2016 08:16 PM, Terry Barnum wrote:
>
> Since web.com probably has a fleet of mail servers, do I need to find and enter all their IPs into my postscreen_access.cidr? Is there an easier way?
>

That's generally what you have to do. Postscreen is meant to catch the
most obvious offenders quickly, so false positives should be rare. Your
"grey area" mail should be analyzed by something more time-consuming and
configurable (i.e. easier to whitelist).

With that in mind, you're putting way too much faith in dnsbl.sorbs.net
and hostkarma.junkemailfilter.com. For a reference point, I have the
same threshold as you (3) but score them each one point.
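
The effect of the weights discussed above, as an added example that is not part of the original thread and is not Postfix code: a small scorer for the `domain[=filter][*weight]` entries seen in the posted `postscreen_dnsbl_sites`. The DNSBL reply in `SAMPLE` is constructed, the `ONE_POINT` line is an assumed rendering of "one point each", and the parser covers only the syntax that appears on this page.

```python
import re

# Entry shape used on this page: domain[=filter][*weight]; weight defaults to 1.
ENTRY = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
OCTET = re.compile(r"\[[^\]]*\]|\d+")  # a literal octet or a [a;b..c] set

def octet_matches(pattern, octet):
    """Match one octet against a literal or a bracketed list of values/ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for item in pattern[1:-1].split(";"):
        lo, _, hi = item.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight) tuples."""
    sites = []
    for token in value.split():
        m = ENTRY.match(token)
        if not m:
            raise ValueError(f"unparsed entry: {token}")
        domain, filt, weight = m.groups()
        sites.append((domain, OCTET.findall(filt) if filt else None, int(weight or 1)))
    return sites

def address_matches(filt, address):
    octets = [int(o) for o in address.split(".")]
    return len(filt) == 4 and all(octet_matches(p, o) for p, o in zip(filt, octets))

def score(sites, replies):
    """Sum the weight of every matching entry; an entry counts at most once."""
    total = 0
    for domain, filt, weight in sites:
        addrs = replies.get(domain, [])
        if addrs and (filt is None or any(address_matches(filt, a) for a in addrs)):
            total += weight
    return total

THRESHOLD = 3  # postscreen_dnsbl_threshold from the posted config
# Subset of the posted postscreen_dnsbl_sites value.
TERRY = ("dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 "
         "dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.6*2 "
         "dnsbl.sorbs.net=127.0.0.[2..4]*2 hostkarma.junkemailfilter.com=127.0.0.2*3 "
         "list.dnswl.org=127.0.[0..255].1*-3")
ONE_POINT = "dnsbl.sorbs.net*1 hostkarma.junkemailfilter.com*1"  # assumed config
SAMPLE = {"dnsbl.sorbs.net": ["127.0.0.10"]}  # constructed DNSBL reply

if __name__ == "__main__":
    for label, cfg in (("posted weights", TERRY), ("one point each", ONE_POINT)):
        s = score(parse_sites(cfg), SAMPLE)
        print(label, s, "reject" if s >= THRESHOLD else "pass")
```

With the posted weights a single SORBS listing is enough to reach the threshold on its own; at one point each, a client has to appear on three lists before postscreen rejects it.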

Steve Jenkins

May 31, 2016, 10:30:43 PM
On Tue, May 31, 2016 at 7:24 PM, Michael Orlitzky <mic...@orlitzky.com> wrote:
> On 05/31/2016 08:16 PM, Terry Barnum wrote:
>>
>> Since web.com probably has a fleet of mail servers, do I need to find and enter all their IPs into my postscreen_access.cidr? Is there an easier way?
>>
>
> That's generally what you have to do. Postscreen is meant to catch the
> most obvious offenders quickly, so false positives should be rare. Your
> "grey area" mail should be analyzed by something more time-consuming and
> configurable (i.e. easier to whitelist).

A quick way to do this is to download postwhite and add web.com to the list of queried hosts. All their known (published) IPs and CIDRs will be added to your Postscreen whitelist.


SteveJ 

@lbutlr

Jun 1, 2016, 9:29:54 AM
On May 31, 2016, at 8:30 PM, Steve Jenkins <st...@stevejenkins.com> wrote:
> A quick way to do this is to download postwhite and add web.com to the list of queried hosts. All their known (published) IPs and CIDRs will be added to your Postscreen whitelist.

Post white looks interesting, but what is web.com? It looks like it might be the sort of site I wouldn’t want to trust with something like a whitelist.

--
A bartender is just a pharmacist with a limited inventory.

Steve Jenkins

Jun 1, 2016, 12:18:33 PM
On Wed, Jun 1, 2016 at 6:29 AM, @lbutlr <kre...@kreme.com> wrote:
> On May 31, 2016, at 8:30 PM, Steve Jenkins <st...@stevejenkins.com> wrote:
>> A quick way to do this is to download postwhite and add web.com to the list of queried hosts. All their known (published) IPs and CIDRs will be added to your Postscreen whitelist.
>
> Post white looks interesting, but what is web.com? It looks like it might be the sort of site I wouldn’t want to trust with something like a whitelist.

Postwhite is only a tool that helps accelerate the implementation of policies. As with many things that present themselves to Postfix admins, you need to decide what those policies are.

So it's up to you to determine whether any given host's published mailers should be included in your whitelist. 

As of postwhite v1.3.2 (most current), web.com is not included in the default list of hosts. If you choose to add it, it's very easy to do. If any of the default hosts in postwhite are worrisome to you, it's just as easy to remove them.

SteveJ


Terry Barnum

Jun 1, 2016, 4:32:33 PM

> On May 31, 2016, at 7:24 PM, Michael Orlitzky <mic...@orlitzky.com> wrote:
>
> With that in mind, you're putting way too much faith in dnsbl.sorbs.net
> and hostkarma.junkemailfilter.com. For a reference point, I have the
> same threshold as you (3) but score them each one point.

Thanks Michael. I've backed off on sorbs and junkemailfilters. Maybe that will be enough.

Thank you for the info on postwhite Steve.

-Terry

Bill Cole

Jun 3, 2016, 12:08:03 PM
On 1 Jun 2016, at 9:29, @lbutlr wrote:

> On May 31, 2016, at 8:30 PM, Steve Jenkins <st...@stevejenkins.com>
> wrote:
>> A quick way to do this is to download postwhite and add web.com to
>> the list of queried hosts. All their known (published) IPs and CIDRs
>> will be added to your Postscreen whitelist.
>
> Post white looks interesting, but what is web.com?

A demonstration of the de facto value of branding.

They are a lot of different things, including the owners of the Network
Solutions name and the Register.com name. An ungenerous description
might be that they are a Florida call center that has jumped on their
opportunities to slurp up a bunch of fail(ed|ing) dotcoms and sclerotic
brands with a little existing infrastructure and lots of high-inertia
clients.

> It looks like it might be the sort of site I wouldn’t want to trust
> with something like a whitelist.

Yeah, me neither. They aren't the spammiest provider of their general
class and scale, but they definitely aren't clean enough to whitelist.
