Re: Numerous problems with SA under Raspbian jessie & Ubuntu 15.10

Sun, 20 Dec 2015 05:49:28 -0800 


Am 20.12.2015 um 14:37 schrieb Jari Fredriksson:

Dec 20 12:32:58 diseapps postfix/smtpd[17381]: NOQUEUE: reject: RCPT
from ds4366.hostname.net.au[202.125.44.24]: 554 5.7.1 Service
unavailable; Client host [202.125.44.24] blocked using zen.spamhaus.org;
https://www.spamhaus.org/sbl/query/SBL256495;
from=<ad...@hostname.net.au> to=<x...@xx.fi> proto=ESMTP
helo=<ds4366.hostname.net.au>

and basic postfix checks


non-scored blacklisting in the smtpd process is not very good

enable postscreen in master.cf and enforce it
it's less FP prone and zombies don't make it to smtpd


well and you can use more blacklists without give them a yes/no weight 
and so take some into account which can not be used for reject because 
too much FP's while "postscreen_greet_wait" and pre-greeting tests kill 
most zombies with or wiothout blacklist hits

______________________________________

master.cf:


smtpd           pass  -       -       n       -      50       smtpd -o 
max_idle=3600 -o max_use=500
smtp            inet  n       -       y       -       1       postscreen 
-o max_idle=3600 -o max_use=500
dnsblog         unix  -       -       y       -       0       dnsblog -o 
max_idle=3600 -o max_use=1000

______________________________________

postscreen_cache_retention_time      = 7d
postscreen_bare_newline_ttl          = 7d
postscreen_greet_ttl                 = 7d
postscreen_non_smtp_command_ttl      = 7d
postscreen_pipelining_ttl            = 7d
postscreen_dnsbl_ttl                 = 1m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
postscreen_greet_wait                = ${stress?1}${stress:11}s

# deep protocol tests (don't do it)
postscreen_bare_newline_enable       = no
postscreen_bare_newline_action       = enforce
postscreen_pipelining_enable         = no
postscreen_pipelining_action         = enforce
postscreen_non_smtp_command_enable   = no
postscreen_non_smtp_command_action   = enforce

postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 dnsbl.inps.de=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*6
 dnsbl.sorbs.net=127.0.0.7*4
 hostkarma.junkemailfilter.com=127.0.0.2*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*3
 dnsbl.sorbs.net=127.0.0.8*2
 dnsbl.sorbs.net=127.0.0.9*2
 bl.spamcannibal.org=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 hostkarma.junkemailfilter.com=127.0.0.4*1
 dnsbl.sorbs.net=127.0.0.4*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 list.dnswl.org=127.0.[0..255].0*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5




Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to