On Mon, Dec 24, 2012 at 05:34:20PM -0500, Alex wrote: > >> Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: > >> reject: RCPT from [195.81.140.87]:32798: 550 5.7.1 Service > >> unavailable; client [195.81.140.87] blocked using > >> bl.spamcop.net; from=<u...@libero.it>, to=<f...@example.com>, > >> proto=SMTP, helo=<static-195-81-140-87.irtnet.net> > > > > Here's your problem Alex. You're using spamcop to outright block > > on hit. This is not advised and is well known to cause FPs. > > Spamcop hits are best scored with other DNSBL hits inside SA, > > which does so automatically in a default config. Remove spamcop > > from your postscreen configuration and that will fix this > > problem.
The problem was not the existence of spamcop within the list. The problem was the *scoring* of spamcop and the threshold of 1. If you're going to set scores, USE them. Set the postscreen_dnsbl_threshold *higher* than 1. > Awesome, thanks. So psbl.surriel.com is okay to keep? It's probably safer than spamcop, but the best answer is to check their policies, test its performance, and see if it works for you. The pre-postscreen way was to use "warn_if_reject reject_rbl_client psbl.surriel.com" in your smtpd restrictions. The postscreen way is, again, to raise your threshold score to ensure it's never used: postscreen_dnsbl_threshold = 9 postscreen_dnsbl_sites = zen.spamhaus.org*9, b.barracudacentral.org*9 bl.spameatingmonkey.net*9 dnsbl.njabl.org*7 dnsbl.ahbl.org*7 bl.spamcop.net*3 dnsbl.sorbs.net*3 spamtrap.trblspam.com*3 psbl.surriel.com [ ... other sites such as whitelists with negative scores ... ] In the example above, psbl.surriel.com would never trigger a rejection. The extra one point would never be significant. Note I am not recommending this; I am merely illustrating how the scoring system can work. My own postscreen_dnsbl_threshold is 3, with three tiers of DNSBL sites: Tier 1, 3 points: reject with that site alone Tier 2, 2 points: reject with that site plus any other Tier 3, 1 point: reject with three of these sites I'm not currently using psbl.surriel.com, but I'm sure it would be fine in Tier 3. The whole point of Tier 3 is that it does NOT require much confidence in those sites, but that when three of them agree, there might be good reason to block. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: