On 3/15/2024 3:06 PM, Noel Jones via Postfix-users wrote:
> You can move those checks into smtpd restrictions where there can be
> an allowed sender list preceding the DNSBL checks.
Downside to this approach is no weighting.
> Postscreen by design only looks at the IP, and has no mechanism to
> consider other envelope data.
I had some optimism that there would be a mechanism to override the
disposition since the envelope recipient is examined as part of the
NOQUEUE log result.
> I'm somewhat surprised that your (fake) sample singles out zen...
> Here, spamcop (especially)
Ding ding.
- Matt
> On 3/15/2024 1:11 PM, Matt Saladna via Postfix-users wrote:
>> Hello,
>> I'm seeking a workaround for Microsoft's litany of IPs landing on
>> DNSBL. They'd like all mail irrespective of DNSBL status to be
>> delivered, which requires a skip if the sender IP is blacklisted in
>> postscreen. With separation between postscreen and smtpd, postscreen
>> rejects the connection before handing off to smtpd so
>> smtpd_recipient_restrictions isn't triggered.
>> Is there an appropriate workaround that allows postscreen to report
>> DUNNO after DNSBL checks if the recipient matches in a table?
> Postscreen by design only looks at the IP, and has no mechanism to
> consider other envelope data.
> The solution is to not use a DNSBL that routinely blocks wanted mail
> in postscreen.
> You can move those checks into smtpd restrictions where there can be
> an allowed sender list preceding the DNSBL checks.
>> Sample line:
>> Mar 15 13:51:22 atlas postfix/postscreen[5978]: NOQUEUE: reject: RCPT
>> from [1.2.3.4]:51944: 550 5.7.1 Service unavailable; client [1.2.3.4]
>> blocked using zen.spamhaus.org; from=<x@y>, to=<a@b>, proto=ESMTP,
>> helo=<aspmx3.googlemail.com>
>> Postscreen config:
>> postscreen_dnsbl_action=enforce
>> postscreen_dnsbl_sites=bl.spamcop.net*2 b.barracudacentral.org*2
>> zen.spamhaus.org=127.0.[0;1;2].[0..254]*2 list.dnswl.org*-2
> I'm somewhat surprised that your (fake) sample singles out zen. It's
> been pretty reliable for me.
> Here, spamcop (especially) and barracudacentral are much more likely
> to reject wanted mail.
> Of course, YMMV...
> -- Noel Jones
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
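
Added example, not part of the thread and not anyone's production config: one way to lay out the approach described above, keeping zen and dnswl in postscreen and moving the two lists named as more likely to reject wanted mail into smtpd behind a recipient table. The table path and the address in it are hypothetical, and the choice of which lists to move is an assumption drawn from that remark.

```conf
# main.cf (added example, assumptions noted in comments)

# postscreen sees only the client IP, so keep here just the lists you are
# willing to enforce for every recipient (weights as in the original post).
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.[0;1;2].[0..254]*2
    list.dnswl.org*-2

# The lists moved out of postscreen are checked in smtpd, after the
# recipient table. A table result of OK ends this restriction list, so the
# reject_rbl_client lines below never run for exempt recipients.
# Keep reject_unauth_destination above the table so OK cannot open a relay.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/dnsbl_exempt_rcpt
    reject_rbl_client bl.spamcop.net
    reject_rbl_client b.barracudacentral.org

# /etc/postfix/dnsbl_exempt_rcpt (hypothetical path and address;
# run "postmap" on the file after each edit):
#   user@example.com    OK
```

A client listed in zen is still rejected by postscreen before the table is consulted, so the exemption covers only the lists moved to smtpd. Each reject_rbl_client line is a single-list decision with no weighting, which is the downside raised in the reply.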