From: /dev/rob0 (rob0@gmx.co.uk)
Date: Mon May 13 2013 - 08:06:16 CDT
On Sun, May 12, 2013 at 08:11:14PM -0500, /dev/rob0 wrote:
> On Sun, May 12, 2013 at 08:47:38PM -0400, Wietse Venema wrote:
> > A lightly-tested version is available as postfix-2.11-20130512.
>
> Woohoo! Thanks!
>
> I installed it, set postscreen_dnsbl_whitelist_threshold=-1
> followed by a reload. Two seconds later I think it is working.
>
> May 13 00:59:50 harrier postfix/postfix-script[12251]: starting the Postfix mail system
> May 13 00:59:50 harrier postfix/master[12253]: daemon started -- version 2.11-20130512, configuration /etc/postfix
> May 13 01:02:23 harrier postfix/postfix-script[12502]: refreshing the Postfix mail system
> May 13 01:02:23 harrier postfix/master[12253]: reload -- version 2.11-20130512, configuration /etc/postfix
> May 13 01:02:25 harrier postfix/postscreen[12508]: CONNECT from [66.220.144.151]:57808 to [207.223.116.211]:25
> May 13 01:02:25 harrier postfix/dnsblog[12509]: addr 66.220.144.151 listed by domain list.dnswl.org as 127.0.9.1
> May 13 01:02:25 harrier postfix/smtpd[12518]: connect from outmail017.snc4.facebook.com[66.220.144.151]
> May 13 01:02:26 harrier postfix/smtpd[12518]: 3b83fB2KJ4z3B92: client=outmail017.snc4.facebook.com[66.220.144.151]
>
> I don't see any PASS OLD in there, so I guess the whitelist did the
> trick? Would anything else be logged?
Hmm, I'm not sure what that was; maybe 66.220.144.151 was due for
retesting in some tests? Here are some from a bit later, which get
"PASS NEW" without any after-220 tests:
May 13 01:15:09 harrier postfix/postscreen[13360]: CONNECT from [98.136.219.129]:36682 to [207.223.116.211]:25
May 13 01:15:09 harrier postfix/dnsblog[13365]: addr 98.136.219.129 listed by domain list.dnswl.org as 127.0.5.0
May 13 01:15:09 harrier postfix/postscreen[13360]: PASS NEW [98.136.219.129]:36682
May 13 01:15:10 harrier postfix/smtpd[13371]: connect from ng10-vm12.bullet.mail.gq1.yahoo.com[98.136.219.129]
May 13 01:15:10 harrier postfix/smtpd[13371]: 3b83wt3SgQz3B99: client=ng10-vm12.bullet.mail.gq1.yahoo.com[98.136.219.129]
May 13 02:22:50 harrier postfix/postscreen[18837]: CONNECT from [98.138.214.175]:46014 to [207.223.116.211]:25
May 13 02:22:50 harrier postfix/dnsblog[18943]: addr 98.138.214.175 listed by domain list.dnswl.org as 127.0.5.0
May 13 02:22:50 harrier postfix/postscreen[18837]: PASS NEW [98.138.214.175]:46014
May 13 02:22:50 harrier postfix/smtpd[18952]: connect from ng19-vm1.bullet.mail.ne1.yahoo.com[98.138.214.175]
May 13 02:22:51 harrier postfix/smtpd[18952]: 3b85Qz1WQfz3BMc: client=ng19-vm1.bullet.mail.ne1.yahoo.com[98.138.214.175]
May 13 07:45:06 harrier postfix/postscreen[9497]: CONNECT from [144.160.128.166]:38244 to [207.223.116.211]:25
May 13 07:45:06 harrier postfix/dnsblog[9502]: addr 144.160.128.166 listed by domain list.dnswl.org as 127.0.5.0
May 13 07:45:06 harrier postfix/postscreen[9497]: PASS NEW [144.160.128.166]:38244
May 13 07:45:07 harrier postfix/smtpd[9507]: connect from egssmtp02.att.com[144.160.128.166]
May 13 07:45:07 harrier postfix/smtpd[9507]: 3b8DZq6bcpz38Bm: client=egssmtp02.att.com[144.160.128.166]
May 13 07:48:54 harrier postfix/postscreen[9811]: CONNECT from [54.240.15.13]:45225 to [207.223.116.211]:25
May 13 07:48:54 harrier postfix/dnsblog[9812]: addr 54.240.15.13 listed by domain list.dnswl.org as 127.0.5.1
May 13 07:48:54 harrier postfix/postscreen[9811]: PASS NEW [54.240.15.13]:45225
May 13 07:48:54 harrier postfix/smtpd[9821]: connect from a15-13.smtp-out.amazonses.com[54.240.15.13]
May 13 07:48:55 harrier postfix/smtpd[9821]: 3b8DgC17cnz38D6: client=a15-13.smtp-out.amazonses.com[54.240.15.13]
This next one is very interesting. Whitelisted and blacklisted,
coming in with a score of +1, so not reaching either of the
thresholds. This host hits the lower priority MX .214 before the
DISCONNECT on the main address of .211, and gets a WHITELIST VETO.
May 13 11:53:27 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:46875 to [207.223.116.211]:25
May 13 11:53:27 harrier postfix/dnsblog[28910]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:27 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:27 harrier postfix/dnsblog[28909]: addr 200.11.173.11 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 11:53:33 harrier postfix/tlsproxy[28928]: CONNECT from [200.11.173.11]:46875
May 13 11:53:33 harrier postfix/tlsproxy[28928]: Anonymous TLS connection established from [200.11.173.11]:46875: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 13 11:53:33 harrier postfix/postscreen[28908]: NOQUEUE: reject: RCPT from [200.11.173.11]:46875: 450 4.3.2 Service currently unavailable; from=<officefile8184@cantv.net>, to=<1001@slackbuilds.org>, proto=ESMTP, helo=<10ibl20ser04.datacenter.cha.cantv.net>
May 13 11:53:34 harrier postfix/postscreen[28908]: CONNECT from [200.11.173.11]:54443 to [207.223.116.214]:25
May 13 11:53:34 harrier postfix/postscreen[28908]: WHITELIST VETO [200.11.173.11]:54443
May 13 11:53:34 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:34 harrier postfix/dnsblog[28912]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:34 harrier postfix/dnsblog[28911]: addr 200.11.173.11 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 11:53:40 harrier postfix/tlsproxy[28928]: CONNECT from [200.11.173.11]:54443
May 13 11:53:40 harrier postfix/tlsproxy[28928]: Anonymous TLS connection established from [200.11.173.11]:54443: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 13 11:53:41 harrier postfix/postscreen[28908]: NOQUEUE: reject: RCPT from [200.11.173.11]:54443: 450 4.3.2 Service currently unavailable; from=<officefile8184@cantv.net>, to=<1001@slackbuilds.org>, proto=ESMTP, helo=<10ibl20ser04.datacenter.cha.cantv.net>
May 13 11:54:25 harrier postfix/postscreen[28908]: PASS NEW [200.11.173.11]:46875
May 13 11:54:25 harrier postfix/postscreen[28908]: DISCONNECT [200.11.173.11]:46875
May 13 11:54:25 harrier postfix/tlsproxy[28928]: DISCONNECT [200.11.173.11]:46875
May 13 11:54:27 harrier postfix/postscreen[28908]: DISCONNECT [200.11.173.11]:54443
May 13 11:54:27 harrier postfix/tlsproxy[28928]: DISCONNECT [200.11.173.11]:54443
Sadly, this host which was definitely carrying spam got a PASS NEW.
But this is not the sort of spam which postscreen can safely block.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
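To make the scoring the post walks through concrete, here is an added example (not part of the message above, nor Postfix code) that parses dnsblog "listed by domain" lines and applies postscreen-style weighted DNSBL scoring per client. The per-site weights, the blacklist threshold of 2 and the sample lines are assumptions chosen so a dnswl-listed host that also hits two blacklists nets +1 and lands between the two thresholds, as in the post; the whitelist threshold of -1 is the value the poster set.

```python
import re
from collections import defaultdict

# Constructed sample dnsblog lines, modelled on the ones quoted in the post.
SAMPLE_LOG = """\
May 13 01:15:09 harrier postfix/dnsblog[13365]: addr 98.136.219.129 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:27 harrier postfix/dnsblog[28910]: addr 200.11.173.11 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 11:53:27 harrier postfix/dnsblog[28913]: addr 200.11.173.11 listed by domain list.dnswl.org as 127.0.5.0
May 13 11:53:27 harrier postfix/dnsblog[28909]: addr 200.11.173.11 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 12:01:02 harrier postfix/dnsblog[29001]: addr 192.0.2.77 listed by domain dnsbl.sorbs.net as 127.0.0.6
May 13 12:01:02 harrier postfix/dnsblog[29002]: addr 192.0.2.77 listed by domain b.barracudacentral.org as 127.0.0.2
"""

# Assumed postscreen_dnsbl_sites weights (hypothetical; the poster's main.cf
# is not shown). A negative weight is how a DNS whitelist lowers the score.
DNSBL_WEIGHTS = {
    "list.dnswl.org": -1,
    "b.barracudacentral.org": 1,
    "dnsbl.sorbs.net": 1,
}
# postscreen_dnsbl_whitelist_threshold=-1 comes from the post; the blacklist
# threshold of 2 is assumed so that a net +1 reaches neither threshold.
WHITELIST_THRESHOLD = -1
BLACKLIST_THRESHOLD = 2

LINE_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<ip>\S+) listed by domain (?P<dom>\S+) as (?P<code>\S+)"
)

def score_clients(log_text):
    """Sum the weighted DNSBL hits per client address, the way postscreen does."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            scores[m["ip"]] += DNSBL_WEIGHTS.get(m["dom"], 0)
    return dict(scores)

def classify(score):
    """Map a net score onto the three postscreen outcomes."""
    if score <= WHITELIST_THRESHOLD:
        return "whitelist"   # skips the remaining tests, PASS right away
    if score >= BLACKLIST_THRESHOLD:
        return "blacklist"   # handled by postscreen_dnsbl_action
    return "neither"         # falls through to the other postscreen tests

def report(log_text):
    return {ip: (s, classify(s)) for ip, s in score_clients(log_text).items()}

if __name__ == "__main__":
    for ip, (s, verdict) in report(SAMPLE_LOG).items():
        print(f"{ip:16} score={s:+d} -> {verdict}")
```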