On 21 Aug 2018, at 11:42, Fongaboo wrote:
I tried putting a bunch of /8's that I know to be assigned to Spectrum,
one of which my own IP was definitely within, into rbl_override.
[...]
This is what my Spectrum IP section looks like:

# Spectrum
23.0.0.0/8 OK
24.0.0.0/8 OK
50.0.0.0/8 OK
63.0.0.0/8 OK
64.0.0.0/8 OK
65.0.0.0/8 OK
66.0.0.0/8 OK
67.0.0.0/8 OK
68.0.0.0/8 OK
69.0.0.0/8 OK
70.0.0.0/8 OK
71.0.0.0/8 OK
72.0.0.0/8 OK
73.0.0.0/8 OK
74.0.0.0/8 OK
75.0.0.0/8 OK
76.0.0.0/8 OK
96.0.0.0/8 OK
97.0.0.0/8 OK
98.0.0.0/8 OK
99.0.0.0/8 OK
100.0.0.0/8 OK
104.0.0.0/8 OK
107.0.0.0/8 OK
108.0.0.0/8 OK
173.0.0.0/8 OK
174.0.0.0/8 OK
184.0.0.0/8 OK
199.0.0.0/8 OK
204.0.0.0/8 OK
205.0.0.0/8 OK
206.0.0.0/8 OK
207.0.0.0/8 OK
208.0.0.0/8 OK
209.0.0.0/8 OK
216.0.0.0/8 OK

Apart from the hash/cidr issue and Viktor's point about having a dedicated port 587 submission daemon instead of using port 25 SMTP for submission, this list is ridiculous. It is far more than just Spectrum and the arbitrary exemption of /8 blocks eliminates the point of using DNSBLs at all.

I am guessing that since you didn't specifically say what type of listing is causing trouble but that it covers multiple Spectrum addresses, it is probably a PBL listing. In many cases you can exempt a single static address by yourself on the Spamhaus site. If that's not possible for Spectrum space (i.e. because Spectrum wants that space listed) you can still be more careful in your exemption by splitting up your use of Zen by return code. So you could have:

smtpd_client_restrictions =
    check_client_access cidr:/usr/local/etc/postfix/rbl_override,
    reject_rbl_client zen.spamhaus.org=127.0.0.2,
    reject_rbl_client zen.spamhaus.org=127.0.0.3,
    reject_rbl_client zen.spamhaus.org=127.0.0.4,
    check_client_access cidr:/usr/local/etc/postfix/pbl_override,
    reject_rbl_client zen.spamhaus.org=127.0.0.10,
    reject_rbl_client zen.spamhaus.org=127.0.0.11

Where "rbl_override" is a list of CIDR ranges you want to exempt from ALL classes of Zen listings, while "pbl_override" is a list of CIDR ranges you want to exempt from just PBL listings.

Using a dedicated submission daemon for which you require encryption and authentication is still the better solution, as you then do not need to bother with any DNSBLs for submission OR overrides of any sort for inbound transport.
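The following is an added example, not part of the original message: a small Python audit of an override table in cidr: format, run here over the /8 entries quoted above, that reports how much of IPv4 the OK entries exempt and which entry a given client would hit first. The /16 warning threshold, the function names and the client addresses are assumptions, and the parser ignores continuation lines and if/endif blocks.

```python
import ipaddress

# First octets of the /8 entries in the rbl_override quoted above.
QUOTED_OCTETS = (23, 24, 50, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74,
                 75, 76, 96, 97, 98, 99, 100, 104, 107, 108, 173, 174, 184,
                 199, 204, 205, 206, 207, 208, 209, 216)
TABLE = "# Spectrum\n" + "\n".join(f"{o}.0.0.0/8 OK" for o in QUOTED_OCTETS)


def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        # A bare address parses as a /32 (or /128) network.
        entries.append((ipaddress.ip_network(parts[0]), parts[1]))
    return entries


def audit(entries, min_prefix=16):
    """Return (OK entries wider than min_prefix, share of IPv4 exempted)."""
    ok = [n for n, a in entries if a.split()[0].upper() == "OK" and n.version == 4]
    broad = [str(n) for n in ok if n.prefixlen < min_prefix]
    # collapse_addresses merges overlapping ranges so nothing is counted twice.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(ok))
    return broad, covered / 2**32


def lookup(entries, client_ip):
    """First matching entry wins; None means the DNSBL checks still apply."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in entries:
        if ip.version == net.version and ip in net:
            return str(net), action
    return None


if __name__ == "__main__":
    table = parse_cidr_table(TABLE)
    broad, share = audit(table)
    print(f"{len(broad)} entries wider than /16, {share:.1%} of IPv4 exempted")
    for client in ("66.1.2.3", "192.0.2.1"):  # constructed client addresses
        print(client, "->", lookup(table, client))
```
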
