On Mon, Dec 24, 2012 at 05:34:20PM -0500, Alex wrote:
> >> Dec 24 00:28:50 mail02 postfix/postscreen[1468]: NOQUEUE: 
> >> reject: RCPT from [195.81.140.87]:32798: 550 5.7.1 Service 
> >> unavailable; client [195.81.140.87] blocked using 
> >> bl.spamcop.net; from=<u...@libero.it>, to=<f...@example.com>, 
> >> proto=SMTP, helo=<static-195-81-140-87.irtnet.net>
> >
> > Here's your problem Alex.  You're using spamcop to outright block 
> > on hit.  This is not advised and is well known to cause FPs.  
> > Spamcop hits are best scored with other DNSBL hits inside SA, 
> > which does so automatically in a default config.  Remove spamcop 
> > from your postscreen configuration and that will fix this 
> > problem.

The problem was not the existence of spamcop within the list. The 
problem was the *scoring* of spamcop and the threshold of 1.

If you're going to set scores, USE them. Set the 
postscreen_dnsbl_threshold *higher* than 1.

> Awesome, thanks. So psbl.surriel.com is okay to keep?

It's probably safer than spamcop, but the best answer is to check 
their policies, test its performance, and see if it works for you.

The pre-postscreen way was to use "warn_if_reject reject_rbl_client 
psbl.surriel.com" in your smtpd restrictions.

The postscreen way is, again, to raise your threshold score to ensure 
it's never used:

postscreen_dnsbl_threshold = 9
postscreen_dnsbl_sites = zen.spamhaus.org*9, b.barracudacentral.org*9
    bl.spameatingmonkey.net*9 dnsbl.njabl.org*7 dnsbl.ahbl.org*7
    bl.spamcop.net*3 dnsbl.sorbs.net*3 spamtrap.trblspam.com*3
    psbl.surriel.com [ ... other sites such as whitelists with
    negative scores ... ]

In the example above, psbl.surriel.com would never trigger a 
rejection. The extra one point would never be significant.

Note I am not recommending this; I am merely illustrating how the 
scoring system can work. My own postscreen_dnsbl_threshold is 3, with 
three tiers of DNSBL sites:
    Tier 1, 3 points: reject with that site alone
    Tier 2, 2 points: reject with that site plus any other
    Tier 3, 1 point: reject with three of these sites

I'm not currently using psbl.surriel.com, but I'm sure it would be 
fine in Tier 3. The whole point of Tier 3 is that it does NOT require 
much confidence in those sites, but that when three of them agree, 
there might be good reason to block.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
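
Added example, not part of the original message: a small Python model of the scoring described above, using the weights from the message's postscreen_dnsbl_sites example (the bracketed placeholder is left out). It assumes the client is rejected when the summed weights reach postscreen_dnsbl_threshold; the function names are hypothetical and reply filters are not evaluated.

```python
import re
from itertools import combinations

# Weights copied from the example in the message above.
PAGE_SITES = """zen.spamhaus.org*9, b.barracudacentral.org*9
    bl.spameatingmonkey.net*9 dnsbl.njabl.org*7 dnsbl.ahbl.org*7
    bl.spamcop.net*3 dnsbl.sorbs.net*3 spamtrap.trblspam.com*3
    psbl.surriel.com"""

def parse_sites(value):
    """Turn a postscreen_dnsbl_sites value into {site: weight} (default weight 1)."""
    sites = {}
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        name, star, weight = token.partition("*")
        # Assumption: any "=reply-filter" part is dropped, not evaluated.
        sites[name.split("=", 1)[0]] = int(weight) if star else 1
    return sites

def score(sites, listed_on):
    """Sum the weights of the configured sites that list the client."""
    return sum(w for s, w in sites.items() if s in listed_on)

def rejects(sites, threshold, listed_on):
    """Model: the client is blocked when the combined score reaches the threshold."""
    return score(sites, listed_on) >= threshold

def can_tip(sites, threshold, site):
    """True if, for some combination of listings on the other sites,
    a listing on `site` changes the verdict."""
    others = [s for s in sites if s != site]
    for n in range(len(others) + 1):
        for combo in combinations(others, n):
            if rejects(sites, threshold, combo) != rejects(sites, threshold, combo + (site,)):
                return True
    return False

if __name__ == "__main__":
    sites = parse_sites(PAGE_SITES)
    for threshold in (1, 9):
        print("threshold", threshold,
              "| spamcop alone rejects:", rejects(sites, threshold, {"bl.spamcop.net"}),
              "| psbl can tip:", can_tip(sites, threshold, "psbl.surriel.com"))
```

Running can_tip over a proposed site list before deploying it shows which lists can decide a rejection at the chosen threshold, alone or in combination.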
