On 7/7/2011 7:37 PM, Steve Jenkins wrote:
> I'm currently using Stan's pcre file with check_client_access. But
> even after re-reading this whole thread and that doc link, I can't
> tell whether I should keep it as-is or switch to
> check_reverse_client_hostname_access.
>
> SteveJ
Yes, absolutely
On Thu, Jul 7, 2011 at 2:04 PM, Noel Jones wrote:
> On 7/7/2011 3:42 PM, mouss wrote:
>
>>
>> Noel, are you telling me that check_reverse... will match the client IP?
>> my understanding is that it will only match against the PTR.
>
> It's even documented.
> http://www.postfix.org/postconf.5.html#
On 7/7/2011 10:14 AM, /dev/rob0 wrote:
> On Thu, Jul 07, 2011 at 08:24:42AM -0500, Noel Jones wrote:
>> On 7/7/2011 7:48 AM, /dev/rob0 wrote:
>>> On Thu, Jul 07, 2011 at 06:44:49AM -0500, Stan Hoeppner wrote:
On 7/7/2011 5:58 AM, /dev/rob0 wrote:
> The anchors at both ends mean you are saf
On 7/7/2011 3:42 PM, mouss wrote:
>
> Noel, are you telling me that check_reverse... will match the client IP?
> my understanding is that it will only match against the PTR.
It's even documented.
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
And I can say with auth
On 07/07/2011 22:48, Victor Duchovni wrote:
> On Thu, Jul 07, 2011 at 10:35:56PM +0200, mouss wrote:
>
>> /^[0-9\.]$/
>> is equivalent to
>> any string formed with digits and/or dots
>
> No, just any single character that is a digit or ".". You left off the
> "*" or "+" to make it a strin
On Thu, Jul 07, 2011 at 10:35:56PM +0200, mouss wrote:
> /^[0-9\.]$/
> is equivalent to
> any string formed with digits and/or dots
No, just any single character that is a digit or ".". You left off the
"*" or "+" to make it a string composed of one (or zero) or more of said.
> with pcre;
On 06/07/2011 23:14, Noel Jones wrote:
> On 7/6/2011 3:57 PM, mouss wrote:
>> On 06/07/2011 22:52, Noel Jones wrote:
>>> On 7/6/2011 3:44 PM, mouss wrote:
On 06/07/2011 07:07, Simon Deziel wrote:
> Hi all,
>
> Since I started using Stan's fqrdns.pcre file to reduce spam I
On 07/07/2011 13:44, Stan Hoeppner wrote:
> On 7/7/2011 5:58 AM, /dev/rob0 wrote:
>> On Thu, Jul 07, 2011 at 03:36:02AM -0500, Stan Hoeppner wrote:
>>> I received a request to ignore IPv4 addresses as well in order to
>>> improve performance. But given the extensive IF loops it seems
>>> we'd
On Thu, Jul 07, 2011 at 08:24:42AM -0500, Noel Jones wrote:
> On 7/7/2011 7:48 AM, /dev/rob0 wrote:
> > On Thu, Jul 07, 2011 at 06:44:49AM -0500, Stan Hoeppner wrote:
> >> On 7/7/2011 5:58 AM, /dev/rob0 wrote:
> >>> The anchors at both ends mean you are safe. You start with ^
> >>> and end with $,
On 7/7/2011 7:48 AM, /dev/rob0 wrote:
> On Thu, Jul 07, 2011 at 06:44:49AM -0500, Stan Hoeppner wrote:
>> On 7/7/2011 5:58 AM, /dev/rob0 wrote:
>>> The anchors at both ends mean you are safe. You start with ^ and
>>> end with $, so nothing else can sneak in between those.
>>>
>>> A simpler express
On Thu, Jul 07, 2011 at 06:44:49AM -0500, Stan Hoeppner wrote:
> On 7/7/2011 5:58 AM, /dev/rob0 wrote:
> > The anchors at both ends mean you are safe. You start with ^ and
> > end with $, so nothing else can sneak in between those.
> >
> > A simpler expression to accomplish the same thing:
> >
On 7/7/2011 5:58 AM, /dev/rob0 wrote:
> On Thu, Jul 07, 2011 at 03:36:02AM -0500, Stan Hoeppner wrote:
>> I received a request to ignore IPv4 addresses as well in order to
>> improve performance. But given the extensive IF loops it seems
>> we'd only save something like a few picoseconds of CPU
On Thu, Jul 07, 2011 at 03:36:02AM -0500, Stan Hoeppner wrote:
> I received a request to ignore IPv4 addresses as well in order to
> improve performance. But given the extensive IF loops it seems
> we'd only save something like a few picoseconds of CPU time (<30
> expressions processed). If th
On 7/6/2011 12:08 PM, Wietse Venema wrote:
> Some table types such as CIDR ignore the domain name. With table
> types such as CIDR, regexp and pcre, check_client_access does no
> prefix/suffix lookups.
>
> Given this, a pcre rule with ``/:/ DUNNO'' is sufficient to skip
> IPv6 addresses.
Thanks
On 7/6/2011 3:57 PM, mouss wrote:
> On 06/07/2011 22:52, Noel Jones wrote:
>> On 7/6/2011 3:44 PM, mouss wrote:
>>> On 06/07/2011 07:07, Simon Deziel wrote:
Hi all,
Since I started using Stan's fqrdns.pcre file to reduce spam I have some
problems receiving emails from with
On 06/07/2011 22:52, Noel Jones wrote:
> On 7/6/2011 3:44 PM, mouss wrote:
>> On 06/07/2011 07:07, Simon Deziel wrote:
>>> Hi all,
>>>
>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>> problems receiving emails from with IPv6 clients.
>>
>> replace
>> check
On 7/6/2011 3:44 PM, mouss wrote:
> On 06/07/2011 07:07, Simon Deziel wrote:
>> Hi all,
>>
>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>> problems receiving emails from with IPv6 clients.
>
> replace
> check_client_access pcre:/etc/postfix/fqrdns.pcre
> wit
On 06/07/2011 15:13, Noel Jones wrote:
> On 7/6/2011 2:32 AM, Henrik K wrote:
>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
Hi all,
Since I started using Stan's fqrdns.pcre file to reduce spam I have some
problems
On 06/07/2011 07:07, Simon Deziel wrote:
> Hi all,
>
> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
> problems receiving emails from with IPv6 clients.
replace
check_client_access pcre:/etc/postfix/fqrdns.pcre
with
check_reverse_client_hostname_acce
On 7/6/2011 12:08 PM, Wietse Venema wrote:
>
> Given this, a pcre rule with ``/:/ DUNNO'' is sufficient to skip
> IPv6 addresses.
>
> Wietse
Thanks.
-- Noel Jones
On 7/6/2011 8:15 AM, Simon Deziel wrote:
> On 07/06/2011 03:32 AM, Henrik K wrote:
>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
Hi all,
Since I started using Stan's fqrdns.pcre file to reduce spam I have some
proble
On 07/06/2011 09:13 AM, Noel Jones wrote:
> On 7/6/2011 2:32 AM, Henrik K wrote:
>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
Hi all,
Since I started using Stan's fqrdns.pcre file to reduce spam I have some
problems
On 07/06/2011 03:32 AM, Henrik K wrote:
> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
>>> Hi all,
>>>
>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>> problems receiving emails from with IPv6 clients.
>>>
>
On 7/6/2011 2:32 AM, Henrik K wrote:
> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
>>> Hi all,
>>>
>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>> problems receiving emails from with IPv6 clients.
>>>
>>>
On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
> On 7/6/2011 12:07 AM, Simon Deziel wrote:
> > Hi all,
> >
> > Since I started using Stan's fqrdns.pcre file to reduce spam I have some
> > problems receiving emails from with IPv6 clients.
> >
> > Jul 4 05:19:10 mx postfix/smtpd[10191
On 7/6/2011 12:07 AM, Simon Deziel wrote:
> Hi all,
>
> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
> problems receiving emails from with IPv6 clients.
>
> Jul 4 05:19:10 mx postfix/smtpd[10191]: NOQUEUE: reject: RCPT from
> mail.python.org[2001:888:2000:d::a6]: 554
On 2010-12-10 23:32, Steve wrote:
>
> Original Message
>> Date: Fri, 10 Dec 2010 22:46:35 +0100 From: "Stefan G. Weichinger"
>> To: Steve CC:
>> postfix-users@postfix.org Subject: Re: fqrdns.pcre
>
>>
>> We are getting q
Original Message
> Date: Fri, 10 Dec 2010 22:46:35 +0100
> From: "Stefan G. Weichinger"
> To: Steve
> CC: postfix-users@postfix.org
> Subject: Re: fqrdns.pcre
>
> We are getting quite off topic here, I assume.
> BLs aren't postfix, I
We are getting quite off topic here, I assume.
BLs aren't postfix, I know.
Maybe we should continue off-list, Steve?
On 10.12.2010 20:08, Steve wrote:
>>> zen.spamhaus.org should be the only spamhaus.org DNSBL in your
>>> IP blocklist configuration. You should not use ZEN together with
>>> oth
Original Message
> Date: Fri, 10 Dec 2010 18:38:28 +0100
> From: "Stefan G. Weichinger"
> To: postfix-users@postfix.org
> Subject: Re: fqrdns.pcre
> On 2010-12-09 21:59, Steve wrote:
>
> > Hacking? Adding one additional BL to polic
On 2010-12-09 21:59, Steve wrote:
> Hacking? Adding one additional BL to policyd-weight.conf is not
> hacking. Hacking policyd-weight would be if you add additional
> features like OS fingerprinting support, GeoIP support, etc...
ok ok, you're right ;-)
I just thought of the advice of the au
Original Message
> Date: Thu, 09 Dec 2010 15:42:48 +0100
> From: "Stefan G. Weichinger"
> To: Stan Hoeppner
> CC: postfix-users@postfix.org
> Subject: Re: fqrdns.pcre
> On 09.12.2010 08:19, Stan Hoeppner wrote:
> > Stefan G. Weichin
Paul Cartwright put forth on 12/9/2010 9:38 AM:
> mail.info now has this:
> Dec 9 10:32:06 paulandcilla postfix/master[17432]: warning:
> /usr/lib/postfix/smtpd: bad command startup -- throttling
Ok, we need to troubleshoot this as Postfix isn't starting. What do you see in
/var/log/mail.log
On 09.12.2010 08:12, Stan Hoeppner wrote:
> The original design usage of greylisting was to stop spam bots as they
> don't retry as an RFC compliant MTA does. If that is your main goal for
> your greylisting daemon, then this set of pcres, along with spamhaus pbl
> and cbl checks (use zen) is
Steffan A. Cline:
> Weitse,
Please take the trouble to spell my name correctly. Thank you.
> To me this comment from you, "Stan, go take this discussion off-list or be
> removed." is completely out of line. While I understand your complaint and
> frustration, I think you forget that Stan provides
On 12/09/2010 09:44 AM, Stan Hoeppner wrote:
> Everything from here...
>
> to here
>
> is being ignored by postfix or will cause errors. These all need to be under
> an smtpd_foo_restriction heading. You have most of it duplicated once, if not
> twice, below.
>
yeah, well,
Weitse,
To me this comment from you, "Stan, go take this discussion off-list or be
removed." is completely out of line. While I understand your complaint and
frustration, I think you forget that Stan provides a great deal of
technical support for YOUR outstanding product at NO charge. Your answers
Stan Hoeppner:
> Paul Cartwright put forth on 12/9/2010 5:09 AM:
>
> This is exactly why I wanted to see your main.cf. It's a total mess. I'll
> try to annotate needed changes.
>
> > then my main.cf:
> > cat /etc/postfix/main.cf
>
> Everything from here...
>
> > permit_s
Paul Cartwright put forth on 12/9/2010 5:09 AM:
This is exactly why I wanted to see your main.cf. It's a total mess. I'll try
to annotate needed changes.
> then my main.cf:
> cat /etc/postfix/main.cf
Everything from here...
> permit_sasl_authenticated, reject_unauth_dest
On 09.12.2010 08:19, Stan Hoeppner wrote:
> Stefan G. Weichinger put forth on 12/8/2010 5:55 PM:
>> On 09.12.2010 00:53, Stefan G. Weichinger wrote:
>>
>>> * is it really making greylisting useless? I use postgrey successfully
>>
>> small correction: on my own servers I run policyd for greylist
Wietse Venema put forth on 12/9/2010 6:10 AM:
> Stan, don't encourage people to cut and paste main.cf snippets.
>
> PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE.
>
> Wietse
My apologies. I thought in this case it would be better for the OP and
possibly easier on
Stan Hoeppner:
> Noel Jones put forth on 12/8/2010 9:22 PM:
> > On 12/8/2010 7:07 PM, Stan Hoeppner wrote:
> >
> >> While discussing restrictions in main.cf only, and specifically order
> >> processing, it would actually be better if you pasted main.cf snippets
> >> instead of postconf -n snippets
On 12/08/2010 10:32 PM, Stan Hoeppner wrote:
> Paste your entire main.cf so we can give you pointers on how to properly
> format it. You're obviously missing something.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = yes
config_directo
Stefan G. Weichinger put forth on 12/8/2010 5:55 PM:
> On 09.12.2010 00:53, Stefan G. Weichinger wrote:
>
>> * is it really making greylisting useless? I use postgrey successfully
>
> small correction: on my own servers I run policyd for greylisting, not
> postgrey ... ;) just to be correct, an
Stefan G. Weichinger put forth on 12/8/2010 5:53 PM:
> On 08.12.2010 07:52, Stan Hoeppner wrote:
>> I just added installation/usage instructions to the top of the file
>> yesterday. As mouss stated, you'll see an entry in your mail log file
>> with detailed optional text, usually identifying the
Noel Jones put forth on 12/8/2010 9:22 PM:
> On 12/8/2010 7:07 PM, Stan Hoeppner wrote:
>
>> While discussing restrictions in main.cf only, and specifically order
>> processing, it would actually be better if you pasted main.cf snippets
>> instead of postconf -n snippets, contrary to the list guid
Paul Cartwright put forth on 12/8/2010 8:01 PM:
> On 12/08/2010 08:07 PM, Stan Hoeppner wrote:
>> As a general rule for smtpd_foo_restrictions:
>>
>> 1. inbuilt Postfix checks are fastest (eg. reject_non_fqdn_sender)
>> 2. local table lookups are 2nd fastest (eg. hash, cidr, pcre)
>> 3. policy s
On 12/8/2010 8:01 PM, Paul Cartwright wrote:
putting each item on a line by itself, even with the comma at the end
causes postfix to give errors on reloading.
here is what it looks like now:
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
c
On 12/8/2010 7:07 PM, Stan Hoeppner wrote:
While discussing restrictions in main.cf only, and specifically order
processing, it would actually be better if you pasted main.cf snippets
instead of postconf -n snippets, contrary to the list guidelines.
Nonsense. Always use "postconf -n" except
On 12/08/2010 08:07 PM, Stan Hoeppner wrote:
> As a general rule for smtpd_foo_restrictions:
>
> 1. inbuilt Postfix checks are fastest (eg. reject_non_fqdn_sender)
> 2. local table lookups are 2nd fastest (eg. hash, cidr, pcre)
> 3. policy servers can be fast or not so fast, depending on what th
Jack put forth on 12/8/2010 1:30 PM:
> FYI I have done this CIDR blocking for years at the firewall level ( people
> on the list harassed me about it) with minimal false positives but still
> enough to be a pain.
>
> I have lists from Turkey, Russia and other countries as well, but using the
> fir
Paul Cartwright put forth on 12/8/2010 8:21 AM:
> I didn't realize they were order specific..
> it now reads:
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated, reject_unauth_destination check_client_access
> pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client dnsbl.sorbs
On 09.12.2010 00:53, Stefan G. Weichinger wrote:
> * is it really making greylisting useless? I use postgrey successfully
small correction: on my own servers I run policyd for greylisting, not
postgrey ... ;) just to be correct, and maybe there are specific issues
with policyd vs. postgrey ...
On 08.12.2010 07:52, Stan Hoeppner wrote:
> I just added installation/usage instructions to the top of the file
> yesterday. As mouss stated, you'll see an entry in your mail log file
> with detailed optional text, usually identifying the ISP by name.
> Pflogsumm or logwatch can help you easily
On 2010-12-08 3:21 PM, Paul Cartwright wrote:
> I'm still getting LOTS of emails in thunderbird that have the "junk
> status" flame turned on.
Thunderbird's 'Junk' controls are client side - ie, totally separate from
server-side spam stuff... and they do not add anything to an email's
headers...
If
On 12/08/2010 02:30 PM, Jack wrote:
> I have lists from Turkey, Russia and other countries as well, but
> using the
> firewall method was rough when people didn't get a rejection so what I did
> is I converted to postfix CIDR and use fail2ban to monitor the log. If I
> bounce the same IP 4 times w
On 2010-12-08 9:21 AM, Paul Cartwright wrote:
> I didn't realize they were order specific..
> it now reads:
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated, reject_unauth_destination check_client_access
> pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client dnsbl.sorbs.ne
FYI I have done this CIDR blocking for years at the firewall level ( people
on the list harassed me about it) with minimal false positives but still
enough to be a pain.
I have lists from Turkey, Russia and other countries as well, but using the
firewall method was rough when people didn't get a r
On 12/08/2010 01:52 AM, Stan Hoeppner wrote:
>> > this is what I added:
>> > smtpd_recipient_restrictions = permit_mynetworks
>> > permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
>> > dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender
>> > dbl.spamhaus.
On 12/08/2010 02:00 AM, Stan Hoeppner wrote:
> To IP block all of China:
>
> wget http://ipdeny.com/ipblocks/data/countries/cn.zone
>
> sed 's/$/ REJECT/g' cn.zone > /etc/postfix/china.cidr
>
> smtpd_recipient_restrictions
> ...
> check_client_access cidr:/etc/postfix/china.cidr
>
On Tue, 07 Dec 2010 17:10:45 -0500
Paul Cartwright wrote:
> On 12/07/2010 04:48 PM, Steffan A. Cline wrote:
> > CIDR blocking all of China with an auto whitelist for those that
> > you email directly?
> I don't know anyone in China, I know someone who travels there, but he
> has a Bellsouth addre
Paul Cartwright put forth on 12/7/2010 4:10 PM:
> On 12/07/2010 04:48 PM, Steffan A. Cline wrote:
>> CIDR blocking all of China with an auto whitelist for those that you email
>> directly?
> I don't know anyone in China, I know someone who travels there, but he
> has a Bellsouth address..
> so how
Paul Cartwright put forth on 12/7/2010 2:56 PM:
> On 12/07/2010 02:30 PM, Stan Hoeppner wrote:
>> Everyone's mileage varies. If you're having good results with Postgrey
>> you should try the fqrdns.pcre file that I recommended in the thread you
>> replied to. You'll likely see very quickly why gr
On 07/12/2010 22:19, Paul Cartwright wrote:
On 12/07/2010 04:02 PM, mouss wrote:
yes. if it hits, you'll see a reject log. if you're using Stan's file
unmodified, you would see "... Dynamic - Please relay via ISP...".
lately I've been getting TONS of emails with all Chinese ( Asian..)
char
On 12/7/10 11:10 PM, Paul Cartwright wrote:
On 12/07/2010 04:48 PM, Steffan A. Cline wrote:
CIDR blocking all of China with an auto whitelist for those that you email
directly?
I don't know anyone in China, I know someone who travels there, but he
has a Bellsouth address..
so how do you impleme
On 12/07/2010 04:48 PM, Steffan A. Cline wrote:
> CIDR blocking all of China with an auto whitelist for those that you email
> directly?
I don't know anyone in China, I know someone who travels there, but he
has a Bellsouth address..
so how do you implement CIDR blocking?? well I see where you can
CIDR blocking all of China with an auto whitelist for those that you email
directly?
Works great on my end, thanks to Stan the Man.
Thanks
Steffan
---
T E L 6 0 2 . 7 9 3 . 0 0 1 4 | F A X 6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline
On 12/07/2010 04:02 PM, mouss wrote:
>
> yes. if it hits, you'll see a reject log. if you're using Stan's file
> unmodified, you would see "... Dynamic - Please relay via ISP...".
lately I've been getting TONS of emails with all Chinese ( Asian..)
characters, coming from email addresses like mkdj
On 07/12/2010 21:56, Paul Cartwright wrote:
On 12/07/2010 02:30 PM, Stan Hoeppner wrote:
Everyone's mileage varies. If you're having good results with Postgrey
you should try the fqrdns.pcre file that I recommended in the thread you
replied to. You'll likely see very quickly why greylisting
69 matches