On Monday 20 October 2008 13:51:45 Wietse Venema wrote:
> > There are two loop detection mechanisms. You override one with []
> > around the next-hop domain. This mechanism is based on MX lookups.
> > You override the second one with myhostname, or a non-standard TCP
> > server port. This mechanis
Jim Balo wrote:
> Hi,
>
> I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.
> I have trained the Bayesian Classifier with over 2,000 ham and 2,000
> spam, but I am still getting quite a bit of spam.
>
> I am about to install a new mail server and I wonder if there is
> somet
mouss wrote:
Jim Balo wrote:
Hi,
I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.
I have trained the Bayesian Classifier with over 2,000 ham and 2,000
spam, but I am still getting quite a bit of spam.
I am about to install a new mail server and I wonder if there is
so
>
> I see the same in my logs - default setup + submission port.
>
> Oct 21 22:00:53 glacier postfix/smtpd[2914]: Anonymous TLS connection
> established from zion.mikecappella.com[10.0.0.10]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
>
>
>>
>> When I added support for anonymous TLS ciph
On Wednesday 22 October 2008 01:27:51 Terry Carmen wrote:
>
> Although it's frowned on by some, I've had much better success using a
> combination of RBLs and RDNS pattern matching to reject spam. Since a
> huge proportion of spam comes from zombie networks that are identified
> by DHCP address
[EMAIL PROTECTED]:
> For example, if an user send a mail to 70 ncrpt (number of recipient)
> at a time, Postfix will handle it as two separate message and queued
> at qmgr by default. The first queue is ncrpt = 50 and the second is
> ncrpt = 20. It is because by default, default_destination_reci
Richard Foley wrote, at 10/22/2008 07:56 AM:
> On Wednesday 22 October 2008 01:27:51 Terry Carmen wrote:
>>
>> check_client_access=regexp:/etc/postfix/spam_ip_regex
>>
>> spam_ip_regex file:
>>
>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>> connecting from a Dynamic
On Tue, Oct 21, 2008 at 11:34:28PM +, Duane Hill wrote:
> On Tue, 21 Oct 2008, Terry Carmen wrote:
>
>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>> connecting from a Dynamic IP address. /client.*\..*\..*/i 450
>> AUTO_CLIENT Email Rejected. You appear to
Hello,
I'd like to test different Postfix configs and approaches for spam fighting
but I need to have a way to evaluate the effect of different rules and
configs, without affecting normal service. I find "warn_if_reject" option
very useful, so I could make some kind of stats based on warnings bein
On Wed, 22 Oct 2008, Jorey Bump wrote:
Richard Foley wrote, at 10/22/2008 07:56 AM:
On Wednesday 22 October 2008 01:27:51 Terry Carmen wrote:
check_client_access=regexp:/etc/postfix/spam_ip_regex
spam_ip_regex file:
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
c
On Wed, Oct 22, 2008 at 2:31 PM, Henrik K <[EMAIL PROTECTED]> wrote:
> On Tue, 21 Oct 2008, Terry Carmen wrote:
>
>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>> connecting from a Dynamic IP address. /client.*\..*\..*/i 450
>> AUTO_CLIENT Email Rejected. You appe
Jim Balo wrote:
>> From: Jim Garrison <[EMAIL PROTECTED]>
>> I can highly recommend gray-listing. It's all I use on
>> two Postfix servers, and SPAM is reduced by 98%. A few
>> get through, but it's quite tolerable, and I
>> haven't seen
>> a false-positive in at least two years.
>>
>
> Hi,
MrC wrote:
Victor Duchovni wrote:
It is interesting to see an MUA negotiate an anonymous session. Clearly
T-Bird did not care to ask for or verify the server certificate. Did
it require special configuration to enable this, or is this default
T-Bird behaviour?
I see the same in my logs - defau
On Wed, Oct 22, 2008 at 03:24:07PM +0200, Diego Liziero wrote:
> On Wed, Oct 22, 2008 at 2:31 PM, Henrik K <[EMAIL PROTECTED]> wrote:
> > On Tue, 21 Oct 2008, Terry Carmen wrote:
> >
> >> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
> >> connecting from a Dynamic IP addre
Diego Liziero wrote:
> On Wed, Oct 22, 2008 at 2:31 PM, Henrik K <[EMAIL PROTECTED]> wrote:
>> On Tue, 21 Oct 2008, Terry Carmen wrote:
>>
>>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>>> connecting from a Dynamic IP address. /client.*\..*\..*/i 450
>>> AUTO_C
On 22 Oct 2008, at 12:56, Richard Foley wrote:
...
spam_ip_regex file:
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear
to be
connecting from a Dynamic IP address.
/client.*\..*\..*/i 450 AUTO_CLIENT Email Rejected. You
appear to
be connecting from a Dynamic IP addr
Andreas Schuldei:
> * Wietse Venema ([EMAIL PROTECTED]) [081022 02:37]:
> > Andreas Schuldei:
> > > The goal is that the server starts sending mail every 10th
> > > second, then after 50 mails increase to 2 mails every 10 seconds,
> > > until it sends 10 mails every ten seconds, ramping up
> > > s
Hello All,
Does anyone have a good reference of how to create my own RBL so I can load
IP's into it and check against it from postfix?
Thanks!
On Wed, Oct 22, 2008 at 3:47 PM, Matthias Haegele
<[EMAIL PROTECTED]> wrote:
> Diego Liziero wrote:
>>
>> BTW, has anyone a regexp ready to accept all names that might be real
>> smtp-out servers?
>>
>> (such as mail|smtp|mx|email and so on)
>>
>> I think it can be useful for example to whitelist
>
> Same thing here - *only* Anonymous TLS from Tbird, Eudora, and Windows
> Mobile devices.
>
> This is somewhat confusing to me since all those clients will complain when
> the server certificate isn't valid, which is one reason we coughed up the
> $15 for a real certificate.
>
>
> --
> Noel
Victor Duchovni <[EMAIL PROTECTED]> wrote:
> > However, I'm puzzled - it defaults to 18000s but the watchdog timer
> > seems to kill qmgr during these incidents after about a half hour,
> > which is 1800 seconds.
>
> Wrong timer. The watchdog timeout is hard-coded to 1000s.
Ahhh. I was going on
Joey wrote:
Hello All,
Does anyone have a good reference of how to create my own RBL so I can
load IP’s into it and check against it from postfix?
This is a simple script which converts a text file with a list of IP
addresses into a bind zone
http://j-chkmail.ensmp.fr/tools/mk_dns
There is/was a piece of software written by the author
of the DSPAM program called RABL with a server and a
client piece. I think that it would do what you need.
Ken
On Wed, Oct 22, 2008 at 10:12:41AM -0400, Joey wrote:
> Hello All,
>
>
> Does anyone have a good reference of how to create my ow
Matthias Haegele wrote:
(...)
BTW, has anyone a regexp ready to accept all names that might be real
smtp-out servers?
(such as mail|smtp|mx|email and so on)
I think it can be useful for example to whitelist them before greylisting.
I think this is rather a bad idea. I would prefer to trea
Hello,
I just wanted to update everyone since it was a bit heated in respect to the
methods I was using.
Our maillog file shows that we have rejected 3,365,962 month to date.
This is above and beyond my original firewall rules, and then my new over the
top added country based CIDR rules.
This i
On Wed, 22 Oct 2008, Jose-Marcio Martins da Cruz wrote:
Joey wrote:
Hello All,
Does anyone have a good reference of how to create my own RBL so I can load
IP's into it and check against it from postfix?
This is a simple script which converts a text file with a list of IP
addresses into a
Ofer Inbar:
> Victor Duchovni <[EMAIL PROTECTED]> wrote:
> > > However, I'm puzzled - it defaults to 18000s but the watchdog timer
> > > seems to kill qmgr during these incidents after about a half hour,
> > > which is 1800 seconds.
> >
> > Wrong timer. The watchdog timeout is hard-coded to 1000s.
Brian Evans - Postfix List wrote:
> Jim Balo wrote:
>>> From: Jim Garrison <[EMAIL PROTECTED]>
>>> I can highly recommend gray-listing. It's all I use on
>>> two Postfix servers, and SPAM is reduced by 98%. A few
>>> get through, but it's quite tolerable, and I
>>> haven't seen
>>> a false-pos
Stroller wrote:
>
> On 22 Oct 2008, at 12:56, Richard Foley wrote:
>>> ...
>>> spam_ip_regex file:
>>>
>>> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>>> connecting from a Dynamic IP address.
>>> /client.*\..*\..*/i 450 AUTO_CLIENT Email Rejected. You appear t
Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> I'd like to test different Postfix configs and approaches for spam fighting
> but I need to have a way to evaluate the effect of different rules and
> configs, without affecting normal service. I find "warn_if_reject" option
> very useful, so I c
Joey wrote:
> Hello All,
>
>
> Does anyone have a good reference of how to create my own RBL so I can
> load IP’s into it and check against it from postfix?
>
use Michael Tokarev's (Michael is a member of this list) rbldnsd:
http://www.corpit.ru/mjt/rbldnsd.html
http://www.njabl.org/rsync.h
On Wed, Oct 22, 2008 at 03:47:53PM +0200, Matthias Haegele wrote:
>
> I think this is rather a bad idea. I would prefer to treat them on their
> behaviour
> (use helo checks, check for reverse dns ..., you should find several
> examples in this thread, from mouss ...) .
> What would prevent a spam
Hi all!
Which blacklists can currently be recommended, and which should I
rather not use at the MTA level?
At the moment I have the following in use:
reject_rbl_client zen.spamhaus.org,
reject_rhsbl_sender dsn.rfc-ignorant.org
reject_rhsbl_sender postmaster.rfc-igno
Henrik K wrote:
> On Wed, Oct 22, 2008 at 03:47:53PM +0200, Matthias Haegele wrote:
>> I think this is rather a bad idea. I would prefer to treat them on their
>> behaviour
>> (use helo checks, check for reverse dns ..., you should find several
>> examples in this thread, from mouss ...) .
>> Wh
Matthias Haegele wrote:
> Hi all!
>
ja vol :)
wrong list? maybe meant the german postfix list?
> Which blacklists can currently be recommended, and which should I
> rather not use at the MTA level?
>
> At the moment I have the following in use:
>
> reject_rbl_client zen.spamha
Matthias Haegele wrote:
> Hi all!
>
> Which blacklists can currently be recommended, and which should I
> rather not use at the MTA level?
>
> At the moment I have the following in use:
Shame on me. Sorry. I took the wrong list.
So i should translate it at least:
What would you recommend
Reinaldo de Carvalho wrote:
Same thing here - *only* Anonymous TLS from Tbird, Eudora, and Windows
Mobile devices.
This is somewhat confusing to me since all those clients will complain when
the server certificate isn't valid, which is one reason we coughed up the
$15 for a real certificate.
mouss wrote:
Joey wrote:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Zbigniew Szalbot
Sent: Monday, October 13, 2008 12:06 PM
To: Postfix users
Subject: Re: Finally blocking some spam
I am still using spamhaus at the RBL
Hi all
I installed altermime to the working postfix + amavisd mail system
Unfortunately altermime is not working properly.
cat /etc/postfix/disclaimer
#!/bin/sh
# System dependent settings
ALTERMIME=/usr/local/bin/altermime
ALTERMIME_DIR=/var/spool/altermime
SENDMAIL=/usr/sbin/sendmail
# Exit
* Matthias Haegele <[EMAIL PROTECTED]>:
> Hi all!
>
> Which blacklists can currently be recommended, and which should I
> rather not use at the MTA level?
>
> At the moment I have the following in use:
>
> reject_rbl_client zen.spamhaus.org,
> reject_rhsbl_sender dsn.rfc-igno
Hello,
I don't know the details of what you're trying to do, but it seems aligned
with the concept I'd like to implement, so perhaps we could collaborate and
help each other.
My main premise is to reduce the number of false negatives, sacrificing (if
necessary) the number of false positives (i.e. I
Roman Medina-Heigl Hernandez wrote:
- I wouldn't set up a global greylist filter, because all my receiving mail
is going to be delayed (I guess my users don't like this ;-))
after years deploying mail servers with greylisting enabled, i think
you should definitely, at least, try to
Henrik K wrote:
On Tue, Oct 21, 2008 at 11:34:28PM +, Duane Hill wrote:
On Tue, 21 Oct 2008, Terry Carmen wrote:
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
connecting from a Dynamic IP address. /client.*\..*\..*/i 450
AUTO_CLIENT Email Rejected.
On Wed, Oct 22, 2008 at 10:23:33AM -0500, Noel Jones wrote:
> Yes, the clients have the CA cert and do properly validate the
> server certificate.
>
> That raises the question why the server logs the TLS
> connection as Anonymous. Maybe because postfix doesn't ask
> for a client certificate (
Jim Balo wrote:
Depends on the source/nature of your spam. It's good for reducing the
load on SpamAssassin et. al. and it blocks lots of virus-sent spam.
Greylisting alone lets some through at work but I just rebuilt my *very*
old (circa late-90s) server at home and added grey
On Wed, Oct 22, 2008 at 12:16:13PM -0400, Terry Carmen wrote:
> Henrik K wrote:
>> On Tue, Oct 21, 2008 at 11:34:28PM +, Duane Hill wrote:
>>
>>> On Tue, 21 Oct 2008, Terry Carmen wrote:
>>>
>>>
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear
to be connectin
>>
>> CA certificate (root certificate) is installed on MUAs? If not MUA
>> can't validate server certificate.
>>
>>--
>>Reinaldo de Carvalho
>
> Yes, the clients have the CA cert and do properly validate the server
> certificate.
>
> That raises the question why the server logs the TLS connection
When reasonable file permissions don't work, consider fixing
killing Selinux, Apparmor, and so on.
Wietse
On Wed, 22 Oct 2008, mouss wrote:
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
connecting from a Dynamic IP address.
What I am working on now is this:
- if name (PTR or helo) looks dynamic, then do:
One problem is DSL does not mean dynamic. Many DSL providers pro
>
> Sorry but developing stupid regexpes anywhere is not appropriate, especially
> when it can be done right. But hey, you are free to block /.*/ if you want,
> who am I to judge. It certainly blocks spam!
>
>
Regexp to reject "generic hostname" like dialup, dsl, cable, is not stupid.
--
Reinald
mouss wrote:
> Matthias Haegele wrote:
>> Hi all!
>>
>
> ja vol :)
>
> wrong list? maybe meant the german postfix list?
>
>
>> Which blacklists can currently be recommended, and which should I
>> rather not use at the MTA level?
>>
>> At the moment I have the following in use:
>>
>>
On Wed, Oct 22, 2008 at 02:05:02PM -0300, Reinaldo de Carvalho wrote:
> >
> > Sorry but developing stupid regexpes anywhere is not appropriate, especially
> > when it can be done right. But hey, you are free to block /.*/ if you want,
> > who am I to judge. It certainly blocks spam!
> >
> >
>
> Re
On some fallback relay servers that receive legitimate incoming mail
(relayed from the first-pass MTAs) much faster than they can process
it at times, I tried slowing things down using in_flow_delay.
I set in_flow_delay = 10s, and decreased maxproc for smtpd in master.conf.
Changing maxproc did r
Henrik K wrote:
> On Wed, Oct 22, 2008 at 02:05:02PM -0300, Reinaldo de Carvalho wrote:
>>> Sorry but developing stupid regexpes anywhere is not appropriate, especially
>>> when it can be done right. But hey, you are free to block /.*/ if you want,
>>> who am I to judge. It certainly blocks spam
On Wed, Oct 22, 2008 at 01:58:24PM -0400, Ofer Inbar wrote:
> On some fallback relay servers that receive legitimate incoming mail
> (relayed from the first-pass MTAs) much faster than they can process
> it at times, I tried slowing things down using in_flow_delay.
>
> I set in_flow_delay = 10s,
Ofer Inbar:
> On some fallback relay servers that receive legitimate incoming mail
> (relayed from the first-pass MTAs) much faster than they can process
> it at times, I tried slowing things down using in_flow_delay.
>
> I set in_flow_delay = 10s, and decreased maxproc for smtpd in master.conf.
>
Larry Stone wrote:
> On Wed, 22 Oct 2008, mouss wrote:
>
> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear
> to be
> connecting from a Dynamic IP address.
>
>> What I am working on now is this:
>>
>> - if name (PTR or helo) looks dynamic, then do:
>
> One problem
> - I wouldn't set up a global greylist filter, because all my receiving
mail
> is going to be delayed (I guess my users don't like this ;-))
...
> - I wouldn't set up a global REJECT based on RBL...
> - *BUT* I would combine any of the former. For instance: "pass all
mail
> appearing to come from
Ahh, this is very very helpful, thank you.
The problem on the fallback relays is indeed that they're disk I/O
bound, so "incoming" grows too quickly and qmgr can't get messages
into active fast enough.
If I understand you correctly, in_flow_delay will limit the *growth
rate* of the incoming queue
Wietse Venema <[EMAIL PROTECTED]> wrote:
> > see clearly in the logs that each one of them is still taking several
> > incoming messages per second at peak times, and cleanup is placing
> > them all in the incoming queue, and the incoming queue gets very big.
> > in_flow_delay is apparently not tri
On Wed, Oct 22, 2008 at 02:28:11PM -0400, Dan Horne wrote:
> > - I wouldn't set up a global greylist filter, because all my receiving
> mail
> > is going to be delayed (I guess my users don't like this ;-))
> ...
> > - I wouldn't set up a global REJECT based on RBL...
> > - *BUT* I would combine an
On Wed, Oct 22, 2008 at 03:45:45PM +0200, mouss wrote:
> Brian Evans - Postfix List wrote:
> >
> > I use and recommend policyd-weight looking at it as "if it isn't broke,
> > don't fix it."
>
> note however that some people use policyd-weight with "bad
> configuration". some (or is it all?) de
Ofer Inbar:
> Wietse Venema <[EMAIL PROTECTED]> wrote:
> > > see clearly in the logs that each one of them is still taking several
> > > incoming messages per second at peak times, and cleanup is placing
> > > them all in the incoming queue, and the incoming queue gets very big.
> > > in_flow_delay
Randy wrote:
> mouss wrote:
>> Joey wrote:
>> [snip]
>>> You feel like we are doing you a disservice unintentionally because
>>> we may
>>> be blocking your IP, but in reality the other people in Poland who are
>>> exploiting the internet are to blame. :(
reread the last sentence.
>>
>> If
On Wed, Oct 22, 2008 at 02:42:09PM -0400, Ofer Inbar wrote:
> What I expected to see, however, is that when in_flow_delay were
> triggered, each smtpd process would not be taking in multiple messages
> per second. Seeing that they were taking in multiple messages per
> second (per process ID) whe
Robert Felber wrote:
> On Wed, Oct 22, 2008 at 03:45:45PM +0200, mouss wrote:
>> Brian Evans - Postfix List wrote:
>>> I use and recommend policyd-weight looking at it as "if it isn't broke,
>>> don't fix it."
>> note however that some people use policyd-weight with "bad
>> configuration". so
On Thu, Oct 9, 2008 at 5:36 PM, Alvaro Marín <[EMAIL PROTECTED]> wrote:
> Hi again,
>
> I've upgraded to Debian Lenny's package:
>
> # postconf mail_version
> mail_version = 2.5.5
>
> and the problem has disappeared :S
Mmm.. If I recall correctly I had a similar issue that has been solved
by increas
I've been able to get a simple content filter running using the example
from (http://www.postfix.org/FILTER_README.html). However, am having
problems getting it to run configured as shown under the advanced content
filter section. I'm not seeing something right. The error shown in the
logs is:
Diego Liziero:
> On Thu, Oct 9, 2008 at 5:36 PM, Alvaro Marín <[EMAIL PROTECTED]> wrote:
> > Hi again,
> >
> > I've upgraded to Debian Lenny's package:
> >
> > # postconf mail_version
> > mail_version = 2.5.5
> >
> > and the problem has disappeared :S
>
> Mmm.. If I recall correctly I had a similar
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stroller
> Sent: Thursday, 23 October 2008 12:53 AM
> To: Postfix
> Subject: Re: Best anti-spam
>
>
> On 22 Oct 2008, at 12:56, Richard Foley wrote:
> >> ...
> >> spam_ip_regex file:
> >>
> >> /[ax]d
Hi Wietse,
That's great in Postfix 2.5, but if I am still using Postfix 2.3, how can I
deal with it?
Since I may not plan to upgrade to Postfix 2.5 soon.
Thank you very much!
Yours Sincerely,
Jacky, Hoi Kei Chan,
Technical and User Support Section,
Information and Communication Technology Office
On 23 Oct 2008, at 00:49, MacShane, Tracy wrote:
On 22 Oct 2008, at 12:56, Richard Foley wrote:
...
spam_ip_regex file:
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear
to be
This looks fairly useful. Does anyone else have any experience with
this approach, who might be
On 20 Oct 2008, at 10:24, Wietse Venema wrote:
Michele:
Hi list,
I have a system that receive mails from internal network and
deliver them
directly on Internet. Sometimes mx server for some domains, refuse
mails for
users. Is there the possibility, by postfix, to relay that mails
to a sa
Wietse Venema:
> Diego Liziero:
>> Mmm.. If I recall correctly I had a similar issue that has been solved
>> by increasing the default_process_limit.
>>
>> Postfix logged the same "lost connection after CONNECT from
>> localhost", but postfix was not even bound to localhost.
>>
>> No packet were pa