On Fri, Mar 17, 2017 at 05:12:07PM -0400, David Mehler wrote:
> I'm starting to see blocks on my messages to my mail server. For some
> reason postscreen is not letting any gmail servers send mail, it's
> blocking them.
>
> Has anyone got an idea or have you seen this?

Typically you would SHOW LOGS of the blocking when asking for help,
but in your case it's pretty obvious.

> Here's my postscreen setup:
>
> # postscreen(8) settings
> ### Before-220 tests
> postscreen_greet_action = enforce
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_access_list = permit_mynetworks
>     cidr:/usr/local/etc/postfix/postscreen_access.cidr
> postscreen_dnsbl_reply_map =
>     pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>     b.barracudacentral.org*2
>     bl.spameatingmonkey.net*2
>     dnsbl.ahbl.org*2

Closed as of 2015-01-01 when it began flagging EVERYTHING by means
of a DNS wildcard. Read:
    http://www.ahbl.org/ (click through to the main page)
and
    http://rob0.nodns4.us/postscreen.html
In the latter start with the BIG FAT WARNING and then take special
note of what it says about AHBL in the "Last Changes" section.

>     bl.spamcop.net
>     dnsbl.sorbs.net
>     psbl.surriel.com
>     bl.mailspike.net
>     swl.spamhaus.org*-4
>     list.dnswl.org=127.[0..255].[0..255].0*-2
>     list.dnswl.org=127.[0..255].[0..255].1*-3
>     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

These are as I published them but they are wrong. Better:

    list.dnswl.org=127.0.[2..15].0*-2
    list.dnswl.org=127.0.[2..15].1*-3
    list.dnswl.org=127.0.[2..15].[2..3]*-4

This corresponds to DNSWL.org's own usage instructions.

> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_whitelist_threshold = -2

Looks familiar except you changed these two threshold values. Just
stick with what I have:

    postscreen_dnsbl_threshold = 3
    postscreen_dnsbl_whitelist_threshold = -1

Your lower postscreen_dnsbl_threshold value caused every single AHBL
listing (which, in case you didn't understand, now includes the
entirety of the Internet) to be a rejection unless offset by a
whitelist entry.

Your higher whitelist threshold makes it more difficult to avoid the
after-220 tests ...

> ### End of before-220 tests
> ### After-220 tests
> ### WARNING -- See "Tests after the 220 SMTP server greeting" in the
> ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
> ### following tests!
> #postscreen_bare_newline_action = drop
> #postscreen_bare_newline_enable = yes
> #postscreen_non_smtp_command_action = drop
> #postscreen_non_smtp_command_enable = yes
> #postscreen_pipelining_enable = yes
> #postscreen_pipelining_action = drop
> ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
> ### significant and annoying mail delays.

... which in your case doesn't matter because you didn't enable
them.

> Any assistance appreciated.

Lose AHBL.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
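
The scoring arithmetic discussed in the reply above, as an added example that is not part of the original message and is not Postfix code. It is a simplified model: each postscreen_dnsbl_sites entry whose filter matches a returned address contributes its weight once, and the client is blocked when the sum reaches postscreen_dnsbl_threshold. The DNS answers (127.0.0.2 for the AHBL wildcard, 127.0.0.255 and 127.0.5.x for list.dnswl.org) are constructed sample values.

```python
import re

# Excerpts of the postscreen_dnsbl_sites values quoted in the thread.
POSTED = ["zen.spamhaus.org*3", "dnsbl.ahbl.org*2", "bl.spamcop.net",
          "list.dnswl.org=127.[0..255].[0..255].0*-2",
          "list.dnswl.org=127.[0..255].[0..255].1*-3",
          "list.dnswl.org=127.[0..255].[0..255].[2..255]*-4"]
CORRECTED = ["zen.spamhaus.org*3", "bl.spamcop.net",
             "list.dnswl.org=127.0.[2..15].0*-2",
             "list.dnswl.org=127.0.[2..15].1*-3",
             "list.dnswl.org=127.0.[2..15].[2..3]*-4"]

def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter, weight)."""
    site, _, weight = entry.partition("*")
    domain, _, pattern = site.partition("=")
    return domain, pattern or None, int(weight) if weight else 1

def octet_matches(pattern, octet):
    """Match one octet against 'N' or '[a..b;c]' (ranges and ';' lists)."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def filter_matches(pattern, address):
    """An entry without a filter matches any returned address."""
    if pattern is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = [int(o) for o in address.split(".")]
    return len(pats) == 4 and all(
        octet_matches(p, o) for p, o in zip(pats, octets))

def dnsbl_score(sites, answers):
    """answers maps a list's domain to the A records returned for the client."""
    score = 0
    for entry in sites:
        domain, pattern, weight = parse_site(entry)
        if any(filter_matches(pattern, a) for a in answers.get(domain, [])):
            score += weight
    return score

def blocked(sites, answers, threshold):
    # Assumption of this model: the block threshold is an inclusive lower bound.
    return dnsbl_score(sites, answers) >= threshold
```

With the posted list, a client whose only listing is the wildcarded AHBL answer scores 2, which blocks at threshold 2 and passes at threshold 3; the posted DNSWL filters also hand a -4 credit to 127.0.0.255, which the corrected filters ignore.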