Re: postscreen_dnsbl_sites precedence

2022-08-11 Thread Wietse Venema
Matt Saladna: > Hello, > > When specifying a range of responses to ignore in postscreen_dnsbl_sites > it appears that if a weight is zero it is ignored in favor of a non-zero > weight. Coming back to this thread, please ignore my previous responses about order dependence. They were wrong. Sim

Re: postscreen_dnsbl_sites questions about multiple matches.

2022-05-30 Thread Matus UHLAR - fantomas
On 30.05.22 14:02, Peter wrote: Next question: What happens if zen returns multiple responses: 127.0.0.10 127.0.0.3 postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[1..2]*3 zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.[4..255]*3 On 30.05.22 10:06, Matus UHLAR - fantomas wrote: th

Re: postscreen_dnsbl_sites questions about multiple matches.

2022-05-30 Thread Matus UHLAR - fantomas
On 30.05.22 14:02, Peter wrote: First off my goal is that I want all zen.spamhaus.org entries to have a score of 3 except for CSS entries which should have a score of 2. zen returns 127.0.0.n for all entries and CSS specifically returns 127.0.0.3. What I think I can do is this: postscreen_d

Re: postscreen_dnsbl_sites questions about multiple matches.

2022-05-29 Thread Peter
On 30/05/22 3:49 pm, Bill Cole wrote: I have no idea, but assigning scores to DNSBL return values that are not currently in use is quite optimistic and dangerous. Also, 127.0.0.1 specifically is an indicator of likely DNSBL malfunction. Well, spamhaus documents that 127.0.0.0/24 are for curre

Re: postscreen_dnsbl_sites questions about multiple matches.

2022-05-29 Thread Bill Cole
On 2022-05-29 at 22:02:54 UTC-0400 (Mon, 30 May 2022 14:02:54 +1200) Peter is rumored to have said: First off my goal is that I want all zen.spamhaus.org entries to have a score of 3 except for CSS entries which should have a score of 2. zen returns 127.0.0.n for all entries and CSS specifica

Re: postscreen_dnsbl_sites precedence

2022-03-12 Thread Wietse Venema
Matt Saladna: > Is there any difference other than cognitive load between the two forms? > > postscreen_dnsbl_sites = > zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2 > zen.spamhaus.org=127.255.255.[252;254;255]*0 This explicitly assigns weights. > versus > > post

Re: postscreen_dnsbl_sites precedence

2022-03-12 Thread Matus UHLAR - fantomas
/> The implementation is order-dependent./ On 12.03.22 11:56, Wietse Venema wrote: It does store the configuration in reverse order. However upon closer reading of code that I haven't touched in 10+ years... You are correct in that it applies all patterns that match. The implementation simply a

Re: postscreen_dnsbl_sites precedence

2022-03-12 Thread Matus UHLAR - fantomas
On 12.03.22 11:50, Matt Saladna wrote: Is there any difference other than cognitive load between the two forms? postscreen_dnsbl_sites = zen.spamhaus.org=127.[0..255].[0..254].[0..255]*2 zen.spamhaus.org=127.255.255.[252;254;255]*0 versus postscreen_dnsbl_sites = zen.

Re: postscreen_dnsbl_sites precedence

2022-03-12 Thread Wietse Venema
Matt Saladna: > For Wieste, That is WieTSe, if you don't mind. > > /> The implementation is order-dependent./ It does store the configuration in reverse order. However upon closer reading of code that I haven't touched in 10+ years... You are correct in that it applies all patterns that match. T

Re: postscreen_dnsbl_sites precedence

2022-03-11 Thread Bill Cole
On 2022-03-11 at 22:34:14 UTC-0500 (Fri, 11 Mar 2022 21:34:14 -0600) Matt Saladna is rumored to have said: Spamhaus began flagging Cloudflare's servers, 1.0.0.1/1.1.1.1 as public resolver resulting in the error message. Other DNSBLs pick up responsibility, so the judgment shouldn't rely square

Re: postscreen_dnsbl_sites precedence

2022-03-11 Thread Bill Cole
On 2022-03-11 at 17:20:41 UTC-0500 (Sat, 12 Mar 2022 09:20:41 +1100) Phil Biggs is rumored to have said: Should the 127.255.255.[0..255] return codes really be weighted zero, given that they indicate an error? Absolutely. With .254 being use of a public/open resolver: https://www.spamh

Re: postscreen_dnsbl_sites precedence

2022-03-11 Thread Phil Biggs
Saturday, March 12, 2022, 2:37:15 AM, Matt Saladna wrote: Hello, When specifying a range of responses to ignore in postscreen_dnsbl_sites it appears that if a weight is zero it is ignored in favor of a non-zero weight. mail_version=3.5.9

Re: postscreen_dnsbl_sites precedence

2022-03-11 Thread Wietse Venema
Matt Saladna: > postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0 > zen.spamhaus.org*2 The implementation is order-dependent. Postscreen maintains a list for zen.spamhaus.org, where the last entry appears first: zen.spamhaus.org: pattern=empty, weight=2 p

Re: postscreen_dnsbl_sites precedence

2022-03-11 Thread Viktor Dukhovni
On Fri, Mar 11, 2022 at 09:37:15AM -0600, Matt Saladna wrote: > When specifying a range of responses to ignore in postscreen_dnsbl_sites > it appears that if a weight is zero it is ignored in favor of a non-zero > weight. No. Rather, when the same source is listed twice, the weights are added,

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Wietse Venema
Uffe Jakobsen: > > On 2014-06-24 18:35, Wietse Venema wrote: > > > >> But it was not what I was looking for - because for various reasons the > >> userid that writes the dnsbl sites file has no permissions to write > >> main.cf nor reload postfix. > > > > Including data from a non-root account int

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Uffe Jakobsen
On 2014-06-24 18:35, Wietse Venema wrote: But it was not what I was looking for - because for various reasons the userid that writes the dnsbl sites file has no permissions to write main.cf nor reload postfix. Including data from a non-root account into main.cf is not supported. Anyone who

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread li...@rhsoft.net
On 24.06.2014 18:41, Viktor Dukhovni wrote: > On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote: >> Uffe Jakobsen: >>> Your installation or platform must be different from mine (FreeBSD) - I >>> have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ >>> config di

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Viktor Dukhovni
On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote: > Uffe Jakobsen: > > Your installation or platform must be different from mine (FreeBSD) - I > > have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ > > config dir. > > The idea is that you to create that Makefil

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Wietse Venema
Uffe Jakobsen: > Your installation or platform must be different from mine (FreeBSD) - I > have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ > config dir. The idea is that you to create that Makefile. > But it was not what I was looking for - because for various reasons th

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Uffe Jakobsen
On 2014-06-24 18:06, Viktor Dukhovni wrote: On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote: Feature request: It would be nice if the "postscreen_dnsbl_sites" list could be loaded into memory (once - upon start/reload) from an external file - that doesn't seem to be possible ri

Re: postscreen_dnsbl_sites load list to memory from external file

2014-06-24 Thread Viktor Dukhovni
On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote: > Feature request: > > It would be nice if the "postscreen_dnsbl_sites" list could be loaded into > memory (once - upon start/reload) from an external file - that doesn't seem > to be possible right now - or am I wrong ? # cd /et

Re: postscreen_dnsbl_sites

2013-05-07 Thread /dev/rob0
On Tue, May 07, 2013 at 01:03:51PM -0600, Robert Lopez wrote: > What is not clear to me in that description is the reason for > my original question > "Does it matter what the short name returned is; that is could > I use zen.spamhaus.org just to keep it shorter?" In my example: http://rob

Re: postscreen_dnsbl_sites

2013-05-07 Thread Wietse Venema
Robert Lopez: > On Mon, May 6, 2013 at 3:10 PM, Wietse Venema wrote: > > Robert Lopez: > >> Let me try again. I am assuming the link between a line in the > >> dnsbl_reply file and the main.cf file is only a label and it could be > >> anything. > >> Is that a wrong assumption? > > > > Please des

Re: postscreen_dnsbl_sites

2013-05-07 Thread Robert Lopez
On Mon, May 6, 2013 at 3:10 PM, Wietse Venema wrote: > Robert Lopez: >> Let me try again. I am assuming the link between a line in the >> dnsbl_reply file and the main.cf file is only a label and it could be >> anything. >> Is that a wrong assumption? > > Please describe what is not clear about

Re: postscreen_dnsbl_sites

2013-05-06 Thread /dev/rob0
On Sat, May 04, 2013 at 06:48:36AM -0500, I wrote: > On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote: > > I had > > postscreen_dnsbl_sites = zen.dq.spamhaus.org > > This is right. Let me try again also! I presume your lookup is actually against key.zen.dq.spamhaus.org. That's what I

Re: postscreen_dnsbl_sites

2013-05-06 Thread Wietse Venema
Jan P. Kessler: > > > Is it possible that the key is being exposed not from the > > postscreen_dnsbl_sites line but from a line also in main.cf which says > > the following? > > smtpd_client_restrictions = reject_rbl_client > > .zen.dq.spamhaus.net Yes. Postfix logging will tell you which progra

Re: postscreen_dnsbl_sites

2013-05-06 Thread Jan P. Kessler
> Is it possible that the key is being exposed not from the > postscreen_dnsbl_sites line but from a line also in main.cf which says > the following? > smtpd_client_restrictions = reject_rbl_client .zen.dq.spamhaus.net Use rbl_reply_maps and a text without $rbl_domain: http://www.postfix.org/post

Re: postscreen_dnsbl_sites

2013-05-06 Thread Wietse Venema
Robert Lopez: > Let me try again. I am assuming the link between a line in the > dnsbl_reply file and the main.cf file is only a label and it could be > anything. > Is that a wrong assumption? Please describe what is not clear about the following text: postscreen_dnsbl_reply_map (default: empty

Re: postscreen_dnsbl_sites

2013-05-06 Thread Robert Lopez
Let me try again. I am assuming the link between a line in the dnsbl_reply file and the main.cf file is only a label and it could be anything. Is that a wrong assumption? I have changed the label to make it more obvious. Right now in the dnsbl_reply file I have this line (except for the key bei

Re: postscreen_dnsbl_sites

2013-05-04 Thread /dev/rob0
Please disable HTML when posting to mailing lists. On Fri, May 03, 2013 at 06:27:15PM -0600, Robert Lopez wrote: > I had > postscreen_dnsbl_sites = zen.dq.spamhaus.org This is right. > and > postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply > in main.cf > > and I had > .zen.dq.spam

Re: postscreen_dnsbl_sites

2013-05-03 Thread Robert Lopez
I had postscreen_dnsbl_sites = zen.dq.spamhaus.org and postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply in main.cf and I had .zen.dq.spamhaus.net zen.dq.spamhaus.org in the /etc/postfix/dnsbl_reply file. One of many email se

Re: postscreen_dnsbl_sites

2013-05-03 Thread Jeroen Geilman
On 5/3/2013 9:33 PM, Robert Lopez wrote: If in /etc/postfix/dnsbl_reply file there is a line: the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org And in main.cf there

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Wietse Venema
Rich Wales: > Another thing I think I see about postscreen is that it apparently will only > look up IP addresses. There doesn't seem to be any "postscreen_rhsbl_sites" > feature (which might allow me to move my current reject_rhsbl_client and > permit_rhswl_client checks into postscreen). Is suc

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread /dev/rob0
On Wed, Jun 08, 2011 at 10:05:05AM -0700, Rich Wales wrote: > Another thing I think I see about postscreen is that it apparently > will only look up IP addresses. There doesn't seem to be any > "postscreen_rhsbl_sites" feature (which might allow me to move my > current reject_rhsbl_client and p

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Noel Jones
On 6/8/2011 12:05 PM, Rich Wales wrote: Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any "postscreen_rhsbl_sites" feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks int

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-08 Thread Rich Wales
Another thing I think I see about postscreen is that it apparently will only look up IP addresses. There doesn't seem to be any "postscreen_rhsbl_sites" feature (which might allow me to move my current reject_rhsbl_client and permit_rhswl_client checks into postscreen). Is such a thing planned, n

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-07 Thread Victor Duchovni
On Tue, Jun 07, 2011 at 07:03:34AM -0400, Wietse Venema wrote: > Note the following difference. > > postscreen caches that the client IS NOT listed in DNSBL. > It doesn't cache clients that are listed. > > DNS servers cache that the client IS listed in DNSBL. > They don't cache non-existent DNS

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-07 Thread Wietse Venema
Rich Wales: > > Note that postscreen caches the results of successful tests, > > so that it does not repeat every test for every connection. > > This is controlled by the postscreen_mumble_ttl parameters. > > Some caching may also be done by my DNS server too, right? This would, > of course, be t

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-07 Thread Ralf Hildebrandt
* Rich Wales : > value from a given list. (I won't go into the details, they would be > off-topic here, but it's nice to have this capability.) It will probably start a flamewar, but I personally am interested in your particular weights on the different RBLs -- Ralf Hildebrandt Geschäftsbere

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-07 Thread Ralf Hildebrandt
* Rich Wales : > If I enable postscreen and specify my choice of blocklists and whitelists > in postscreen_dnsbl_sites, am I correct in assuming that I might as well > remove any reject_rbl_client and permit_dnswl_client clauses from my > smtpd_*_restrictions, since they will now be redundant? Sin

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Wietse Venema
Rich Wales: > > Note that postscreen caches the results of successful tests, > > so that it does not repeat every test for every connection. > > This is controlled by the postscreen_mumble_ttl parameters. > > Some caching may also be done by my DNS server too, right? This would, > of course, be t

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Rich Wales
> Note that postscreen caches the results of successful tests, > so that it does not repeat every test for every connection. > This is controlled by the postscreen_mumble_ttl parameters. Some caching may also be done by my DNS server too, right? This would, of course, be transparent to Postfix an

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Wietse Venema
Rich Wales: > If I enable postscreen and specify my choice of blocklists and whitelists > in postscreen_dnsbl_sites, am I correct in assuming that I might as well > remove any reject_rbl_client and permit_dnswl_client clauses from my > smtpd_*_restrictions, since they will now be redundant? Almost

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Rich Wales
> On the interfaces and ports that postscreen(8) passes mail to, yes. > Do note that the behaviour is different; you will be able to directly > transplant your reject_rbl_client RBLs to postscreen, but postscreen > has many more options available, such as checking for exact return > values, and sco

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Noel Jones
On 6/6/2011 5:34 PM, Jeroen Geilman wrote: On 06/06/2011 10:45 PM, Rich Wales wrote: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses fro

Re: postscreen_dnsbl_sites vs. reject_rbl_client

2011-06-06 Thread Jeroen Geilman
On 06/06/2011 10:45 PM, Rich Wales wrote: If I enable postscreen and specify my choice of blocklists and whitelists in postscreen_dnsbl_sites, am I correct in assuming that I might as well remove any reject_rbl_client and permit_dnswl_client clauses from my smtpd_*_restrictions, since they will n

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Wietse Venema
Wietse Venema: > > * Wietse Venema : > > > Victor Duchovni: > > > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > > > > > > > > > Something along the lines of: > > > > > > > > > > /* > > > > > * Workaround. The "," was already in use as dnsbl list separator. > > > > >

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Wietse Venema
Patrick Ben Koetter: > * Wietse Venema : > > Victor Duchovni: > > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > > > > > > > Something along the lines of: > > > > > > > > /* > > > > * Workaround. The "," was already in use as dnsbl list separator. > > > > */ > >

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Patrick Ben Koetter
* Patrick Ben Koetter : > * Wietse Venema : > > Victor Duchovni: > > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > > > > > > > Something along the lines of: > > > > > > > > /* > > > > * Workaround. The "," was already in use as dnsbl list separator. > > > > */ >

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Victor Duchovni
On Tue, Jan 18, 2011 at 04:08:12PM -0500, Wietse Venema wrote: > But having "," inside an access control feature it is likely to > break third-party tools that maintain Postfix configuration files. > > The alternative is to [modify] the address filter syntax, and to > replace "," by a different s

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Patrick Ben Koetter
* Wietse Venema : > Victor Duchovni: > > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > > > > > Something along the lines of: > > > > > > /* > > > * Workaround. The "," was already in use as dnsbl list separator. > > > */ > > > for (keep = 0, cp = var_psc_dnsbl

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Wietse Venema
Victor Duchovni: > On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > > > Something along the lines of: > > > > /* > > * Workaround. The "," was already in use as dnsbl list separator. > > */ > > for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { > > if

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Victor Duchovni
On Tue, Jan 18, 2011 at 03:56:45PM -0500, Wietse Venema wrote: > Something along the lines of: > > /* > * Workaround. The "," was already in use as dnsbl list separator. > */ > for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) { > if (*cp == '[') { > keep++

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Wietse Venema
Victor Duchovni: > On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote: > > > On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: > > > > > $ postconf postscreen_dnsbl_sites > > > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] > > > > > > postfix/posts

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Victor Duchovni
On Tue, Jan 18, 2011 at 03:36:12PM -0500, Victor Duchovni wrote: > On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: > > > $ postconf postscreen_dnsbl_sites > > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] > > > > postfix/postscreen[26161]: fatal: bad DNSBL fi

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Noel Jones
On 1/18/2011 2:46 PM, Wietse Venema wrote: Mark Martinec: I must be doing something silly, but I can't see my mistake. $ postconf postscreen_dnsbl_sites postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Wietse Venema
Mark Martinec: > I must be doing something silly, but I can't see my mistake. > > $ postconf postscreen_dnsbl_sites > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] > > postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at > "127.0.0.[2><" The proble

Re: postscreen_dnsbl_sites filter syntax?

2011-01-18 Thread Victor Duchovni
On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote: > $ postconf postscreen_dnsbl_sites > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11] > > postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at > "127.0.0.[2><" There is a parser issue her