On 12/24/2012 2:16 PM, Alex wrote:
> Hi,
>
>>> I haven't been able to find much available on the proper use for
>>> smtpd_mumble_restrictions. It doesn't seem to be documented with
>>> postscreen or the postconf page or even my postconf output.
>>
>> smtpd_mumble_restrictions is shorthand for "use any of
>> smtpd_{client, helo, sender, recipient, data,
>> end_of_data}_restrictions."
>
> Okay, duh. Maybe it never occurred to me because I thought postscreen
> was well before any of the smtpd restrictions.
>
>> I'm curious what postscreen rules you're using that are rejecting
>> mail from an ISP. (I'm not familiar with the two you mention, and
>> assume they aren't spammer-haven worthy of global blocking.)
>
> Perhaps many of the rejects from users at those domains are really
> just spoofed. Here's one reject actually from them, however:
>
> Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT
> from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client
> [212.52.84.101] blocked using bl.spamcop.net;
> from=<rossopompei...@libero.it>, to=<mi...@example.com>, proto=ESMTP,
> helo=<outrelay01.libero.it>
>
> My postscreen config contains:
> postscreen_access_list = permit_mynetworks,
>     cidr:/etc/postfix/postscreen_access.cidr
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2
>     bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1

I see. Perhaps you intended
postscreen_dnsbl_threshold = 2
with the above RBLs and weights.

Spamcop in particular is not safe and not recommended for outright
rejection. Opinions differ on psbl.surriel and barracudacentral, but
they are frequently used in scoring rather than outright. A site
listed on two of these three is likely spam, a site listed on only
one of them is questionable.

The spamhaus zen list is widely considered safe for outright
rejection.

You also might benefit from using dns whitelists with postscreen.
The idea is to "rescue" mostly-good IPs from postscreen and pass
them to SpamAssassin for deeper inspection. Some to consider
  list.dnswl.org*-1
  hostkarma.junkemailfilter.com=127.0.0.1*-1
  swl.spamhaus.org*-2

  -- Noel Jones

Merry Christmas to all!
And I get my name up in lights all over town!
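
The threshold and weight arithmetic discussed in the reply above, as an added example that is not part of the original message and is not Postfix code: a small model of how `postscreen_dnsbl_sites` weights add up against `postscreen_dnsbl_threshold`. The function names, the DNS replies and the three sample clients are constructed for illustration, and reply filters are matched as exact strings only.

```python
# Added example: a model of postscreen's weighted DNSBL scoring, not Postfix code.
BLOCKLISTS = ("mykey.zen.dq.spamhaus.net*2 bl.spamcop.net*1 "
              "b.barracudacentral.org*1 psbl.surriel.com*1")      # from the thread
WHITELISTS = ("list.dnswl.org*-1 hostkarma.junkemailfilter.com=127.0.0.1*-1 "
              "swl.spamhaus.org*-2")                               # from the reply

def parse_sites(spec):
    """Parse postscreen_dnsbl_sites entries: domain[=reply_filter][*weight]."""
    sites = []
    for entry in spec.replace(",", " ").split():
        name, _, weight = entry.partition("*")
        domain, _, reply_filter = name.partition("=")
        sites.append((domain, reply_filter or None, int(weight) if weight else 1))
    return sites

def score(sites, replies):
    """Sum the weights of the lists that returned a matching reply.

    replies: DNSBL domain -> A record returned for the client; a missing key
    means "not listed". Assumption: filters are compared as exact strings,
    which covers the one filter used here but not Postfix's pattern syntax.
    """
    total = 0
    for domain, reply_filter, weight in sites:
        answer = replies.get(domain)
        if answer is not None and reply_filter in (None, answer):
            total += weight
    return total

def verdict(spec, replies, threshold):
    """'reject' when the combined score reaches postscreen_dnsbl_threshold."""
    return "reject" if score(parse_sites(spec), replies) >= threshold else "pass"

if __name__ == "__main__":
    # Constructed DNS replies (not real lookups) for three hypothetical clients.
    spamcop_only = {"bl.spamcop.net": "127.0.0.2"}
    two_lists = {"bl.spamcop.net": "127.0.0.2", "psbl.surriel.com": "127.0.0.2"}
    rescued = dict(two_lists, **{"list.dnswl.org": "127.0.5.1"})
    for label, replies in [("spamcop only", spamcop_only),
                           ("spamcop + psbl", two_lists),
                           ("spamcop + psbl + dnswl", rescued)]:
        for spec, threshold in [(BLOCKLISTS, 1), (BLOCKLISTS, 2),
                                (BLOCKLISTS + " " + WHITELISTS, 2)]:
            print(label, "threshold", threshold, "->", verdict(spec, replies, threshold))
```

With the posted weights, a client on a single weight-1 list is rejected at threshold 1 and passed at threshold 2, while a zen listing (weight 2) still rejects on its own.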