Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread Noel Jones
On 4/8/2016 12:04 PM, jaso...@mail-central.com wrote: > > For me then, simplest seems that "known bad" can stay in fail2ban-ready > firewall IPSETs, and "need to investigate a bit more" in postscreen's CIDR > access list. > Note that updating the postscreen CIDR table requires that you restart

Re: Improving / fixing my helo_access restriction matches?

2016-04-08 Thread jasonsu
On Fri, Apr 8, 2016, at 11:05 AM, /dev/rob0 wrote: > /^User[^\.]*/i REJECT your message here So it *is* true that that *starts* at the beginning of the line (and so the "^U"). That makes it easier to not fubar it. > A case-sensitive string that begins with "User" followed by zero or > more

Re: Improving / fixing my helo_access restriction matches?

2016-04-08 Thread /dev/rob0
On Fri, Apr 08, 2016 at 08:55:13AM -0700, jaso...@mail-central.com wrote: > My focus atm is strictly and only on what I asked about ... > crafting the right HELO match for those three examples. /^User[^\.]*/i REJECT your message here A case-sensitive string that begins with "User" followed

Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread Wietse Venema
jaso...@mail-central.com: > Wietse, > > On Fri, Apr 8, 2016, at 10:04 AM, jaso...@mail-central.com wrote: > > > Writing to the postscreen access list (with fail2ban etc.) is > > > generally not supported. It can be done with LMDB but only if you > > > use the locking protocol described in lmdb_t

Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread jasonsu
Wietse, On Fri, Apr 8, 2016, at 10:04 AM, jaso...@mail-central.com wrote: > > Writing to the postscreen access list (with fail2ban etc.) is > > generally not supported. It can be done with LMDB but only if you > > use the locking protocol described in lmdb_table(5). Otherwise the > > result will

Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread jasonsu
On Fri, Apr 8, 2016, at 09:58 AM, Wietse Venema wrote: > It is a superset, as the postscreen_blacklist_action parameter allows > you to choose between dropping the connection and logging the helo, > mail from and rcpt to, so that you can find out what mail is blocked. Good point. I've so far been

Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread Wietse Venema
jaso...@mail-central.com: > To date I've maintained & deployed a firewall blacklist of bad-actor, port25 > CIDRs. > > Its blocking is obviously in front of Postfix, and logs if/as I choose to my > firewall logs. > > I populate it both manually, and append it using fail2ban. > > It's a 'fast' IP

Re: False positives from header_checks

2016-04-08 Thread Viktor Dukhovni
> On Apr 6, 2016, at 10:02 PM, Laz C. Peterson wrote: > > It's very odd ... Apple has been responsible for the foundation of quite a > few RFC's but in our experience has actually made it difficult for our > software to both comply with the RFC as well as Apple's client software. The fault he

postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread jasonsu
To date I've maintained & deployed a firewall blacklist of bad-actor, port25 CIDRs. Its blocking is obviously in front of Postfix, and logs if/as I choose to my firewall logs. I populate it both manually, and append it using fail2ban. It's a 'fast' IPSET hash table, not just iptables. postscre

Re: False positives from header_checks

2016-04-08 Thread Cedric Knight
Curtis Villamizar wrote: > Since pcre evaluates in order you could add> > /^Content-(Disposition|Type).*;??x-apple-part-url="[^"]+"$/x DUNNO > > before the pcre that does the rejection. That's one possibility, but: (a) you probably won't want the '??' qualifying the ';'. '??' in the Postfix lo

Re: Improving / fixing my helo_access restriction matches?

2016-04-08 Thread jasonsu
On Fri, Apr 8, 2016, at 08:22 AM, /dev/rob0 wrote: ... > Rejected by your smtpd's reject_non_fqdn_helo_hostname restriction. ... > Rejected by postscreen as a pre-banner talker. ... > And that's the postscreen_dnsbl_threshold having been met. Also, a > different non-FQDN EHLO string. Yes, as I

SV: smtp_relay_restrictions

2016-04-08 Thread Sebastian Nielsen
No, authentication is always attempted. So even if there's no permit_sasl_authenticated in the rules stack, you can still authenticate (if SASL is enabled) and gain "authenticated" rights, which would then be no more than "guest" rights. So to correctly try out the tables, you would need to try t

Re: smtp_relay_restrictions

2016-04-08 Thread John Allen
On 2016-04-07 2:47 PM, Noel Jones wrote: On 4/7/2016 7:44 AM, John Allen wrote: I am trying to work out what parameters to add to /smtpd_relay_restrictions, /both in main.cf and master.cf. 1. We do not allow relaying by any means! 2. In-house users must be registered, use our domains and po

Re: Improving / fixing my helo_access restriction matches?

2016-04-08 Thread /dev/rob0
On Fri, Apr 08, 2016 at 08:04:12AM -0700, jaso...@mail-central.com wrote: > I want to add a helo_access block entry for literal matches of > "User". Because "user" is used all over the place, I want to make > sure I don't screw this up. > > Here are three instances that I'd like to match, > >

Improving / fixing my helo_access restriction matches?

2016-04-08 Thread jasonsu
I want to add a helo_access block entry for literal matches of "User". Because "user" is used all over the place, I want to make sure I don't screw this up. Here are three instances that I'd like to match, Jan 17 19:21:13 mail01 postfix/psint/smtpd[24295]: NOQUEUE: reject: EHLO from 75

Blacklisting senders (based on domainnames) from emailing certain domains

2016-04-08 Thread Kristjan Nii
Hi, everyone, I need to block/reject one of my hosted domains foo.tld from sending emails to a couple of external domains, while not restricting sending to other domains like gmail.com nor restricting any of my other hosted domains i.e. bar.tld from sending to these "bad domains". I also need to

Re: Sender domain based blocking to certain domains

2016-04-08 Thread Kristjan Nii
Please ignore, accidentally hit send. Will revise email. On Fri, Apr 8, 2016 at 4:10 PM, Kristjan Nii wrote: > Hi, everyone, > > I need to block/reject one of my hosted domains foo.tld from sending > emails to a couple of external domains, while not restricting sending > to other domains like

Sender domain based blocking to certain domains

2016-04-08 Thread Kristjan Nii
Hi, everyone, I need to block/reject one of my hosted domains foo.tld from sending emails to a couple of external domains, while not restricting sending to other domains like gmail.com nor restricting any of my other hosted domains i.e. bar.tld from sending to these "bad domains". I also need to

Re: bad.psky.me RBL?

2016-04-08 Thread me
On 2016-04-06 16:48, Quanah Gibson-Mount wrote: Is anyone familiar with this RBL and its quality? Not a whole lot of info at . Terms seem probably ok . it gives currently lame servers in bind9

Re: header rewrite not working

2016-04-08 Thread Thomas kinghorn
Please disregard. It would appear that a certain unnamed-user changed the header_check file in the main.cf That will teach me to use postconf -n more often. On Fri, Apr 8, 2016 at 9:58 AM, Thomas kinghorn wrote: > Good morning list. > > I hope someone can assist with a problem. > > We have a d

header rewrite not working

2016-04-08 Thread Thomas kinghorn
Good morning list. I hope someone can assist with a problem. We have a device which uses a GSM sim and a non-configurable device setting. It is currently sending data relating to water flow. The problem occurring is that Amavisd-new (SpamAssassin) is tagging the mail as spam due to the message-i