Re: postscreen_access_list and SPF bypass

2022-05-07 Thread Viktor Dukhovni
On Sat, May 07, 2022 at 02:55:36PM -0400, Alex wrote: > It appears that entries included in my postscreen_access_list are > being used to also bypass SPF checks by policyd-spf. Is this > intentional? Would someone explain to me how this works? This is not possible. Postscreen(8) jus

postscreen_access_list and SPF bypass

2022-05-07 Thread Alex
Hi, It appears that entries included in my postscreen_access_list are being used to also bypass SPF checks by policyd-spf. Is this intentional? Would someone explain to me how this works? smtpd_recipient_restrictions = ... check_policy_service unix:private/policy-spf

Re: hostnames in postscreen_access_list

2018-11-28 Thread Matus UHLAR - fantomas
On 27.11.18 21:48, John Fawcett wrote: The reason the ip changes frequently is because it's an xDSL line with a dynamic ip. Some devices on the network need to send emails to my mail server which can go out over this connection. My ISP correctly lists the dynamic ips in PBL. I use zen.spamhaus.or

Re: hostnames in postscreen_access_list

2018-11-27 Thread John Fawcett
s to specify access table lookups which contains hostnames. >> >> postscreen_access_list does not seem to allow hostnames in lookup tables. >> >> Is my understanding correct? Is there a reason why hostnames should not >> be supported in postscreen_access_list lookup tables

hostnames in postscreen_access_list

2018-11-27 Thread John Fawcett
>> smtpd allows to specify access table lookups which contains hostnames. >> >> postscreen_access_list does not seem to allow hostnames in lookup tables. >> >> Is my understanding correct? Is there a reason why hostnames should not >> be supported in postscreen_a

Re: hostnames in postscreen_access_list

2018-11-26 Thread Wietse Venema
John Fawcett: > Hi > > I was recently trying to whitelist a client hostname that frequently > changes ip. > > From the documentation check_client_access restriction for use with > smtpd allows to specify access table lookups which contains hostnames. > > postscree

Re: hostnames in postscreen_access_list

2018-11-26 Thread Noel Jones
ch contains hostnames. > > postscreen_access_list does not seem to allow hostnames in lookup tables. > > Is my understanding correct? Is there a reason why hostnames should not > be supported in postscreen_access_list lookup tables? > > thanks > > John > Yes, postscreen by desig

hostnames in postscreen_access_list

2018-11-26 Thread John Fawcett
Hi I was recently trying to whitelist a client hostname that frequently changes ip. From the documentation check_client_access restriction for use with smtpd allows to specify access table lookups which contains hostnames. postscreen_access_list does not seem to allow hostnames in loo

Re: Postscreen_access_list not working

2016-08-04 Thread Noel Jones
On 8/4/2016 4:08 PM, Dave Jones wrote: > Thank you for the response. > > I do have a submission setup but you reminded me to > look in he master.conf and disable rate limiting: > > submission inet n - n - - smtpd > -o syslog_name=postfix/submission > -o smtpd_tls

Re: Postscreen_access_list not working

2016-08-04 Thread Dave Jones
hing like permit_sasl_authenticated that >> could be put in the postscreen_access_list and the >> smtpd_client_event_limit_exceptions that could bypass >> dnsbl and rate limiting for SASL authenticated senders? > > No, since the SASL AUTH won't happen until the client is talking to > smtp

Re: Postscreen_access_list not working

2016-08-04 Thread /dev/rob0
On Thu, Aug 04, 2016 at 02:25:19PM -0500, Dave Jones wrote: > Is there something like permit_sasl_authenticated that > could be put in the postscreen_access_list and the > smtpd_client_event_limit_exceptions that could bypass > dnsbl and rate limiting for SASL authenticated senders? N

Re: Postscreen_access_list not working

2016-08-04 Thread Dave Jones
l and rate limiting for SASL authenticated senders and I may have put an invalid option in the postscreen_access_list. I get so much mail that I didn't see the warning: in the logs until now. Is there something like permit_sasl_authenticated that could be put in the postscreen_acce

Re: Postscreen_access_list not working

2016-08-04 Thread Wietse Venema
hat postscreen is not bypassing dnsbl checks: > > main.cf > === > postscreen_access_list = > permit_mynetworks, > cidr:/etc/postfix/postscreen_spf_whitelist.cidr > > /etc/postfix/postscreen_spf_whitelist.cidr > === > ... > 69.252.

Postscreen_access_list not working

2016-08-04 Thread Dave Jones
: main.cf === postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr /etc/postfix/postscreen_spf_whitelist.cidr === ... 69.252.207.0/25 permit ... Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject RCPT from

Re: numerical score result for postscreen_access_list?

2015-01-22 Thread btb
that the host is not a bot. btb: right. we do that now. taking advantage of whitelist negative scoring to reduce some of the administrative burden would be nice though, and also avoid the "fix it after finding out it's broken" scenario. Instead of postscreen_access_list, you c

Re: numerical score result for postscreen_access_list?

2015-01-22 Thread Wietse Venema
bot. btb: > right. we do that now. taking advantage of whitelist negative > scoring to reduce some of the administrative burden would be nice > though, and also avoid the "fix it after finding out it's broken" > scenario. Instead of postscreen_access_list, you could use

Re: numerical score result for postscreen_access_list?

2015-01-22 Thread btb
On 2015.01.22 10.35, wie...@porcupine.org (Wietse Venema) wrote: btb: we have a small local blacklist, mostly used for clients which aren't listed in dnsbls. postscreen_access_list = cidr:$table_directory/postscreen_access_list-rejects.cidr sometimes when a larger netblock gets liste

Re: numerical score result for postscreen_access_list?

2015-01-22 Thread Wietse Venema
btb: > we have a small local blacklist, mostly used for clients which > aren't listed in dnsbls. > > postscreen_access_list = > cidr:$table_directory/postscreen_access_list-rejects.cidr > > sometimes when a larger netblock gets listed, it can have the > unintended

numerical score result for postscreen_access_list?

2015-01-22 Thread btb
we have a small local blacklist, mostly used for clients which aren't listed in dnsbls. postscreen_access_list = cidr:$table_directory/postscreen_access_list-rejects.cidr sometimes when a larger netblock gets listed, it can have the unintended consequences of blocking well behaved cl

PATCH: postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-03 Thread Wietse Venema
francis picabia: [ Charset ISO-8859-1 unsupported, converting... ] > On Tue, Oct 2, 2012 at 9:20 PM, Wietse Venema wrote: > > > Nope. If you were testing this more carefully then you would have > > found that upper or lower case does not matter in this context. > > I tested the exact same line w

Re: postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-03 Thread francis picabia
On Tue, Oct 2, 2012 at 9:20 PM, Wietse Venema wrote: > Nope. If you were testing this more carefully then you would have > found that upper or lower case does not matter in this context. I tested the exact same line with PERMIT and permit. permit allowed the whitelist entry to work. PERMIT gene

Re: postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-02 Thread Wietse Venema
MIT > >> > >> I'm simply listing an IP, some tabs, and PERMIT or OK > >> in attempt to whitelist dnsbl false positives. > > > > Where does the postscreen_access_list documentation say that OK is > > valid input? > > OK was just an attempt

Re: postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-02 Thread francis picabia
IT or OK >> in attempt to whitelist dnsbl false positives. > > Where does the postscreen_access_list documentation say that OK is > valid input? OK was just an attempt when noticing another CIDR format file using OK in the right column. I tried reversing the IP octets too. Anything to

Re: postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-02 Thread Wietse Venema
/postscreen_access: unknown command: OK -- ignoring > the remainder of this access list > > Also same warning with PERMIT > > I'm simply listing an IP, some tabs, and PERMIT or OK > in attempt to whitelist dnsbl false positives. Where does the postscreen_access_list

postscreen_access_list requires 'permit', not 'PERMIT'

2012-10-02 Thread francis picabia
I now notice there is a warning in the log file only when the postscreen_access file is read (and should have matched): Oct 2 15:41:05 mx10 postfix/postscreen[11731]: warning: cidr:/etc/postfix/postscreen_access: unknown command: OK -- ignoring the remainder of this access list Also same warning

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Noel Jones
On 1/31/2012 7:55 AM, Mark Alan wrote: > The intention is to simply have postscreen immediately answer '450 > Service currently unavailable' to all connections (friend or foe) that > are presented to it. > > So, ideally: > a) postscreen must answer. It is not enough to simply drop the > connecti

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Wietse Venema
ard at all. # postconf -n|grep postscreen postscreen_access_list = static:reject postscreen_blacklist_action = enforce postscreen_greet_banner = # telnet 127.0.0.1 smtp Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 foo.example.com ESMTP Postfix ehlo foo 250-foo

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Mark Alan
On Tue, 31 Jan 2012 06:17:39 -0600, Noel Jones wrote: > You need to set both "postscreen_blacklist_action = drop" and > "soft_bounce = yes". The soft_bounce changes the 521 hangup into a > 421 hangup. Thank you Noel, If we wanted a mere 4.x.x hangup, it would be more elegant to set a single 'm

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Wietse Venema
Mark Alan: > On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema > wrote: > > Mark Alan: > > > > > Would the following be an acceptable way to do it? > > > > > postconf -e 'postscreen_access_list = reject' > > > > >

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Noel Jones
On 1/31/2012 4:36 AM, Mark Alan wrote: > On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema > wrote: >> Mark Alan: >>>>> Would the following be an acceptable way to do it? >>>>> postconf -e 'postscreen_access_list = reject' >>>

Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Mark Alan
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema wrote: > Mark Alan: > > > > Would the following be an acceptable way to do it? > > > > postconf -e 'postscreen_access_list = reject' > > > > postconf -e 'soft_bounce = yes

Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Wietse Venema
Mark Alan: > > > Would the following be an acceptable way to do it? > > > postconf -e 'postscreen_access_list = reject' > > > postconf -e 'soft_bounce = yes' > > > > Only if this is documented. The soft_bounce parameter is listed on

Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Mark Alan
r. Thank you Viktor, In this particular setup I really need to have the server answering: "Don't worry, I am alive but right now I am not able to accept your email", i.e., 450 Service currently unavailable > > > The documentation for the "postscreen_access_list" param

Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Viktor Dukhovni
o migrate > > > the postfix server to some other IP) ? Just turn off the SMTP listener. This functionally identical to a 4.X.X reject and saves resources on both client and server. > > The documentation for the "postscreen_access_list" parameter. > >

Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Mark Alan
> the postfix server to some other IP) ? > > The documentation for the "postscreen_access_list" parameter. Would the following be an acceptable way to do it? postconf -e 'postscreen_access_list = reject' postconf -e 'soft_bounce = yes' M.

Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Viktor Dukhovni
On Mon, Jan 30, 2012 at 09:03:39PM +, Mark Alan wrote: > Regarding the config option: > postscreen_access_list = static:retry Where is "retry" documented as a valid access list keyword? > 3) the similar syntax of 'transport_maps = static:retry' The transport

Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Mark Alan
Hello, Regarding the config option: postscreen_access_list = static:retry And considering that: 1) "Permanent white/blacklist for remote SMTP client IP addresses. postscreen(8) searches this list immediately after a remote SMTP client connects." 2) static is a valid lookup tabl

Re: DNS whitelist for postscreen_access_list

2011-07-10 Thread Wietse Venema
İhsan Doğan: [ Charset UTF-8 unsupported, converting... ] > Hi, > > On 10.07.2011 20:31, Wietse Venema wrote: > > >> I would like to use dnswl.org as an access list for > >> postscreen_access_list. Unfortunately, permit_dnswl_client can be only > >>

Re: DNS whitelist for postscreen_access_list

2011-07-10 Thread Jeroen Geilman
On 2011-07-10 21:47, İhsan Doğan wrote: Hi, On 10.07.2011 20:31, Wietse Venema wrote: I would like to use dnswl.org as an access list for postscreen_access_list. Unfortunately, permit_dnswl_client can be only used for the smtpd_client_restrictions. Is there any other way to use dns based

Re: DNS whitelist for postscreen_access_list

2011-07-10 Thread İhsan Doğan
Hi, On 10.07.2011 20:31, Wietse Venema wrote: >> I would like to use dnswl.org as an access list for >> postscreen_access_list. Unfortunately, permit_dnswl_client can be only >> used for the smtpd_client_restrictions. >> >> Is there any other way

Re: DNS whitelist for postscreen_access_list

2011-07-10 Thread Wietse Venema
İhsan Doğan: > Hi, > > I would like to use dnswl.org as an access list for > postscreen_access_list. Unfortunately, permit_dnswl_client can be only > used for the smtpd_client_restrictions. > > Is there any other way to use dns based whitelist for > post

DNS whitelist for postscreen_access_list

2011-07-10 Thread İhsan Doğan
Hi, I would like to use dnswl.org as an access list for postscreen_access_list. Unfortunately, permit_dnswl_client can be only used for the smtpd_client_restrictions. Is there any other way to use dns based whitelist for postscreen_access_list? Ihsan -- ih...@dogan.chhttp

Re: postscreen_access_list action code

2011-01-14 Thread John Fawcett
itelisted for smtpd would also be >> whitelisted for postscreen (in particular this whitelisting is used to >> avoid DNSBL checks on specific IPs). >> >> I noticed that postscreen_access_list requires a permit action rather >> than an OK action in order to whitelist,

Re: postscreen_access_list action code

2011-01-14 Thread Wietse Venema
lar this whitelisting is used to > avoid DNSBL checks on specific IPs). > > I noticed that postscreen_access_list requires a permit action rather > than an OK action in order to whitelist, so I will now need to duplicate > the access file and change the action (that can be automa

postscreen_access_list action code

2011-01-14 Thread John Fawcett
specific IPs). I noticed that postscreen_access_list requires a permit action rather than an OK action in order to whitelist, so I will now need to duplicate the access file and change the action (that can be automated). Is there an advantage in having postscreen_whitelist_networks use permit action

Re: man postscreen_access_list

2011-01-13 Thread Ralf Hildebrandt
* Wietse Venema : > Yes it does. You are looking at the old postconf manpage. Damn. Gotta fix this mess: # locate postconf.5 | xargs ls -l -rw-r--r-- 1 root root 432025 13. Jan 16:00 /usr/share/man/man5/postconf.5 -rw-r--r-- 1 root root 85140 18. Sep 2009 /usr/share/man/man5/postconf.5.gz --

Re: man postscreen_access_list

2011-01-13 Thread Wietse Venema
Ralf Hildebrandt: > The POSTSCREEN_README mentions: > "See the postscreen_access_list manpage documentation for more details." > > ./man/man8/postscreen.8 is the only man page with postscreen as part > of the name - it does mention postscreen_access_list. > > man

Re: postscreen_access_list

2011-01-13 Thread Victor Duchovni
On Thu, Jan 13, 2011 at 10:41:53PM +0100, Ralf Hildebrandt wrote: > From my log: > > Jan 13 22:37:21 mail postfix/postscreen[17587]: warning: > postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the > remainder of this access list >

man postscreen_access_list

2011-01-13 Thread Ralf Hildebrandt
The POSTSCREEN_README mentions: "See the postscreen_access_list manpage documentation for more details." ./man/man8/postscreen.8 is the only man page with postscreen as part of the name - it does mention postscreen_access_list. man 5 postconf is also not listing postscreen_access_list

Re: postscreen_access_list

2011-01-13 Thread Wietse Venema
Ralf Hildebrandt: > From my log: > > Jan 13 22:37:21 mail postfix/postscreen[17587]: warning: > postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the > remainder of this access list > > The README says: > postscreen_access_list = permit_myn

postscreen_access_list

2011-01-13 Thread Ralf Hildebrandt
From my log: Jan 13 22:37:21 mail postfix/postscreen[17587]: warning: postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the remainder of this access list The README says: postscreen_access_list = permit_mynetworks, /etc/postfix/postscreen_access.c