On Fri, Sep 08, 2017 at 03:03:49PM +0300, Nikolaos Milas wrote:
> On 8/9/2017 2:42 PM, Wietse Venema wrote:
> > Just as with smtpd access maps, permit/reject are a final
> > decision, and dunno means 'let something else make the decision'.
>
> Please let me ask for a clarification here. The problem is that
> the rejection seems to have happened by postscreen itself.
>
> I would expect that by using dunno for a client in
> postscript_exceptions (as follows):
>
> postscreen_access_list =
>     permit_mynetworks,
>     cidr:/etc/postfix/postscreen_exceptions.cidr
>
> all the following postscreen directives would be bypassed for
> this client:
>
> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_sites =
>     b.barracudacentral.org*2,
>     zen.spamhaus.org*2,
>     psbl.surriel.com*2
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_blacklist_action = enforce
>
> Isn't this true?

No, and I thought that was already answered.

> In particular, why the postscreen_access_list did not affect the
> postscreen_dnsbl_action, which I would expect to be bypassed?

Your DUNNO result only terminated the postscreen_access_list test.

> Can you please explain? Which postscreen actions are affected by
> postscreen_access_list?

A permit/OK result causes all postscreen tests to be bypassed.

> Sorry if my question is dumb.

It's really the wrong question. The fundamental problem is that
you're trusting unsafe DNSBL services for outright rejection. This
typically is the case for those who need whitelisting.

> postscreen_dnsbl_threshold = 2

Default there is 1, and the way you are scoring things, you didn't
need this.

> postscreen_dnsbl_sites =
>     b.barracudacentral.org*2,

A very good list, but fully automated from Barracuda devices' input;
I have tried using it for rejection and had some complaints about
blocking real mail.

>     zen.spamhaus.org*2,

This is the only one I'd trust fully.

>     psbl.surriel.com*2

Also mostly automated, with a removal tool provided to end users,
whether spammers or not.

I'd replace your config with:

> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_sites =
>     b.barracudacentral.org,
>     zen.spamhaus.org*2,
>     psbl.surriel.com
> postscreen_dnsbl_action = enforce

This changes BRBL and PSBL to the default score of 1. More spam
would get through postscreen this way, but it's unlikely that you
would need to do much whitelisting.

Note, I would not stop there; I'd go the rest of the way to my
postscreen sample config as can be found at the site in .sig.

Upgrade to at least Postfix 2.11 if you're not there yet.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
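
The decision order discussed in this thread, as an added example (not part of the original message and not Postfix code): a simplified Python model of only the access list lookup and the DNSBL score check, run against the original and the suggested weights. The client address 192.0.2.10, the two exception tables and the single BRBL listing are constructed for illustration.

```python
import ipaddress

# Simplified model of the decision order described in this thread.
# Not Postfix source code; addresses and list hits below are constructed.

def access_list(client, cidr_table):
    """First matching CIDR entry wins; no match behaves like dunno."""
    ip = ipaddress.ip_address(client)
    for net, action in cidr_table:
        if ip in ipaddress.ip_network(net):
            return action
    return "dunno"

def dnsbl_score(listed_on, sites):
    """Sum the weights of the DNSBL sites that list the client."""
    return sum(weight for site, weight in sites.items() if site in listed_on)

def postscreen_decision(client, cidr_table, listed_on, sites, threshold):
    action = access_list(client, cidr_table)
    if action == "permit":
        return "pass (all tests bypassed)"
    if action == "reject":
        return "blacklisted (postscreen_blacklist_action applies)"
    # dunno: only the access list search ended; DNSBL scoring still runs.
    score = dnsbl_score(listed_on, sites)
    if score >= threshold:  # the threshold is an inclusive lower bound
        return f"dnsbl reject (score {score})"
    return f"pass (score {score})"

# Weights from the thread: original config and the suggested replacement.
ORIGINAL = {"b.barracudacentral.org": 2, "zen.spamhaus.org": 2, "psbl.surriel.com": 2}
SUGGESTED = {"b.barracudacentral.org": 1, "zen.spamhaus.org": 2, "psbl.surriel.com": 1}
THRESHOLD = 2

# Constructed exception tables (documentation address range).
DUNNO_TABLE = [("192.0.2.10/32", "dunno")]
PERMIT_TABLE = [("192.0.2.10/32", "permit")]
BRBL_ONLY = {"b.barracudacentral.org"}  # constructed: client listed on BRBL only

if __name__ == "__main__":
    cases = [("dunno + original weights", DUNNO_TABLE, ORIGINAL),
             ("permit + original weights", PERMIT_TABLE, ORIGINAL),
             ("dunno + suggested weights", DUNNO_TABLE, SUGGESTED)]
    for name, table, sites in cases:
        result = postscreen_decision("192.0.2.10", table, BRBL_ONLY, sites, THRESHOLD)
        print(f"{name}: {result}")
```
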