Re: Numerous problems with SA under Raspbian jessie & Ubuntu 15.10

[Jari Fredriksson]

On 20.12.2015 15.48, Reindl Harald wrote:

Am 20.12.2015 um 14:37 schrieb Jari Fredriksson:

Dec 20 12:32:58 diseapps postfix/smtpd[17381]: NOQUEUE: reject: RCPT
from ds4366.hostname.net.au[202.125.44.24]: 554 5.7.1 Service
unavailable; Client host [202.125.44.24] blocked using zen.spamhaus.org;
https://www.spamhaus.org/sbl/query/SBL256495;
from=<ad...@hostname.net.au> to=<x...@xx.fi> proto=ESMTP
helo=<ds4366.hostname.net.au>

and basic postfix checks

non-scored blacklisting in the smtpd process is not very good

enable postscreen in master.cf and enforce it
it's less FP prone and zombies don't make it to smtpd

well and you can use more blacklists without give them a yes/no weight
and so take some into account which can not be used for reject because
too much FP's while "postscreen_greet_wait" and pre-greeting tests kill
most zombies with or wiothout blacklist hits
______________________________________

master.cf:

smtpd           pass  -       -       n       -      50       smtpd -o
max_idle=3600 -o max_use=500
smtp            inet  n       -       y       -       1       postscreen
-o max_idle=3600 -o max_use=500
dnsblog         unix  -       -       y       -       0       dnsblog -o
max_idle=3600 -o max_use=1000
______________________________________

postscreen_cache_retention_time      = 7d
postscreen_bare_newline_ttl          = 7d
postscreen_greet_ttl                 = 7d
postscreen_non_smtp_command_ttl      = 7d
postscreen_pipelining_ttl            = 7d
postscreen_dnsbl_ttl                 = 1m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
postscreen_greet_wait                = ${stress?1}${stress:11}s

# deep protocol tests (don't do it)
postscreen_bare_newline_enable       = no
postscreen_bare_newline_action       = enforce
postscreen_pipelining_enable         = no
postscreen_pipelining_action         = enforce
postscreen_non_smtp_command_enable   = no
postscreen_non_smtp_command_action   = enforce

postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.10*9
  dnsbl.sorbs.net=127.0.0.14*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*6
  dnsbl.sorbs.net=127.0.0.7*4
  hostkarma.junkemailfilter.com=127.0.0.2*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.9*2
  bl.spamcannibal.org=127.0.0.2*2
  all.spamrats.com=127.0.0.38*2
  hostkarma.junkemailfilter.com=127.0.0.4*1
  dnsbl.sorbs.net=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  list.dnswl.org=127.0.[0..255].0*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

Using this now.

--
jarif.bit