On 3/15/2024 1:11 PM, Matt Saladna via Postfix-users wrote:
Hello,

I'm seeking a workaround for Microsoft's litany of IPs landing on DNSBL. They'd like all mail irrespective of DNSBL status to be delivered, which requires a skip if the sender IP is blacklisted in postscreen. With separation between postscreen and smtpd, postscreen rejects the connection before handing off to smtpd so smtpd_recipient_restrictions isn't triggered.

Is there an appropriate workaround that allows postscreen to report DUNNO after DNSBL checks if the recipient matches in a table?


Postscreen by design only looks at the IP, and has no mechanism to consider other envelope data.

The solution is to not use a DNSBL that routinely blocks wanted mail in postscreen.

You can move those checks into smtpd restrictions where there can be an allowed sender list preceding the DNSBL checks.

Sample line:

Mar 15 13:51:22 atlas postfix/postscreen[5978]: NOQUEUE: reject: RCPT from [1.2.3.4]:51944: 550 5.7.1 Service unavailable; client [1.2.3.4] blocked using zen.spamhaus.org; from=<x@y>, to=<a@b>, proto=ESMTP, helo=<aspmx3.googlemail.com>

Postscreen config:

postscreen_dnsbl_action=enforce
postscreen_dnsbl_sites=bl.spamcop.net*2 b.barracudacentral.org*2 zen.spamhaus.org=127.0.[0;1;2].[0..254]*2 list.dnswl.org*-2

I'm somewhat surprised that your (fake) sample singles out zen. It's been pretty reliable for me.

Here, spamcop (especially) and barracudacentral are much more likely to reject wanted mail.

Of course, YMMV...



   -- Noel Jones
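One way to implement the advice above, as an added example that is not either poster's configuration: the DNSBLs come out of postscreen (which only ever sees the client IP) and go into smtpd_recipient_restrictions, where a per-recipient access table can exempt the addresses that must receive mail regardless of DNSBL status. The table path /etc/postfix/dnsbl_exempt_recipients and its entries are assumptions; the DNSBL names and the zen return-code pattern are the ones from the thread.

```ini
# main.cf fragment (added example, not from the thread)

# Keep postscreen for its pregreet/hangup tests, but give it no DNSBLs:
# postscreen has no envelope data, so its verdict can only be per client IP.
postscreen_dnsbl_sites =

# DNSBL checks move here, where the envelope recipient is known.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    # relay control comes first, so an "OK" from the exemption table
    # below can never turn into an open relay for an exempted address
    reject_unauth_destination,
    # recipients that must get mail regardless of DNSBL status
    check_recipient_access hash:/etc/postfix/dnsbl_exempt_recipients,
    # smtpd has no weighted scoring like postscreen: each list rejects on
    # its own, so list only the ones you are willing to reject on alone
    reject_rbl_client zen.spamhaus.org=127.0.[0;1;2].[0..254],
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client b.barracudacentral.org,
    permit

# /etc/postfix/dnsbl_exempt_recipients (assumed path; entries are constructed)
# key              result
# a@b              OK
# example.com      OK
```

Build the table with `postmap hash:/etc/postfix/dnsbl_exempt_recipients` and run `postfix reload`. The exemption is evaluated per RCPT TO, so a message with both an exempt and a non-exempt recipient is accepted for the former and rejected for the latter, and the rejection now shows up in smtpd's log rather than postscreen's. The weighting from the original postscreen setup (`*2`, `*-2`) has no smtpd equivalent, so moving the lists also changes the policy from "score at least 2" to "listed on any one of these".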
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org