Subject
I would like some feedback concerning a use case
Description
I guess there is an unnecessary double check with zen.spamhaus.org in the current default DMS configuration:
- There is a good smart spam scoring check in postscreen (with whitelist scores combination using list.dnswl.org)
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
- The second check is done by postfix itself with the smtpd_recipient_restrictions parameter, where only(!) zen.spamhaus.org is checked
smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
So, I think this reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] option for the smtpd_recipient_restrictions parameter is unnecessary and excessive.
Real example:
- Common SPAM email successfully blocked by postscreen:
Jan 3 13:35:37 persistent postfix/postscreen[1868]: CONNECT from [163.123.140.73]:56883 to [192.168.166.153]:25
Jan 3 13:35:37 persistent postfix/dnsblog[1510659]: addr 163.123.140.73 listed by domain zen.spamhaus.org as 127.0.0.3
Jan 3 13:35:37 persistent postfix/dnsblog[1510655]: addr 163.123.140.73 listed by domain b.barracudacentral.org as 127.0.0.2
Jan 3 13:35:37 persistent postfix/dnsblog[1510660]: addr 163.123.140.73 listed by domain dnsbl.sorbs.net as 127.0.0.6
Jan 3 13:35:37 persistent postfix/dnsblog[1510659]: addr 163.123.140.73 listed by domain psbl.surriel.com as 127.0.0.2
Jan 3 13:35:43 persistent postfix/postscreen[1868]: DNSBL rank 7 for [163.123.140.73]:56883
Jan 3 13:35:44 persistent postfix/postscreen[1868]: NOQUEUE: reject: RCPT from [163.123.140.73]:56883: 550 5.7.1 Service unavailable; client [163.123.140.73] blocked using zen.spamhaus.org; from=<59954-94134-7606-13991-***@mail.solarcostmy.rest>, to=<***>, proto=ESMTP, helo=<corona.solarcostmy.rest>
Jan 3 13:35:44 persistent postfix/postscreen[1868]: DISCONNECT [163.123.140.73]:56883
- Good email is passed by postscreen (taking into account list.dnswl.org) but rejected by postfix using smtpd_recipient_restrictions later:
Jan 3 19:56:55 persistent postfix/postscreen[1868]: CONNECT from [192.30.252.201]:36709 to [192.168.166.153]:25
Jan 3 19:56:55 persistent postfix/dnsblog[1566326]: addr 192.30.252.201 listed by domain list.dnswl.org as 127.0.9.3
Jan 3 19:56:55 persistent postfix/dnsblog[1566327]: addr 192.30.252.201 listed by domain zen.spamhaus.org as 127.0.0.3
Jan 3 19:56:55 persistent postfix/postscreen[1868]: PASS NEW [192.30.252.201]:36709
Jan 3 19:56:55 persistent postfix/smtpd[1566330]: connect from out-18.smtp.github.com[192.30.252.201]
Jan 3 19:56:56 persistent postfix/smtpd[1566330]: Anonymous TLS connection established from out-18.smtp.github.com[192.30.252.201]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 3 19:56:56 persistent policyd-spf[1566337]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.30.252.201; helo=smtp.github.com; [email protected]; receiver=<UNKNOWN>
Jan 3 19:56:56 persistent postfix/smtpd[1566330]: NOQUEUE: reject: RCPT from out-18.smtp.github.com[192.30.252.201]: 554 5.7.1 Service unavailable; Client host [192.30.252.201] blocked using zen.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS; from=<[email protected]> to=<***> proto=ESMTP helo=<smtp.github.com>
Jan 3 19:56:56 persistent postfix/smtpd[1566330]: disconnect from out-18.smtp.github.com[192.30.252.201] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
This is for version DMS 11.3.0 (linux, arm, k8s) with default config files.
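The two log excerpts above can be replayed against the quoted settings. The following is an added example, not part of the original post or of DMS: it parses the `postscreen_dnsbl_sites` value, sums the weights for the replies seen in the `dnsblog` lines, and compares that with the standalone `reject_rbl_client` filter. All function names are hypothetical, and it assumes one reply address per DNSBL domain.

```python
import re

# postscreen_dnsbl_sites value copied from the post.
SITES = ("zen.spamhaus.org=127.0.0.[2..11]*3 "
         "bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 "
         "bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com "
         "list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 "
         "list.dnswl.org=127.0.[0..255].[2..3]*-4")
ZEN_FILTER = "127.0.0.[2..11]"  # filter used by reject_rbl_client in the post

# dnsblog lines from the post, shortened to the part that is parsed.
SPAM_LOG = """dnsblog[1510659]: addr 163.123.140.73 listed by domain zen.spamhaus.org as 127.0.0.3
dnsblog[1510655]: addr 163.123.140.73 listed by domain b.barracudacentral.org as 127.0.0.2
dnsblog[1510660]: addr 163.123.140.73 listed by domain dnsbl.sorbs.net as 127.0.0.6
dnsblog[1510659]: addr 163.123.140.73 listed by domain psbl.surriel.com as 127.0.0.2"""
GOOD_LOG = """dnsblog[1566326]: addr 192.30.252.201 listed by domain list.dnswl.org as 127.0.9.3
dnsblog[1566327]: addr 192.30.252.201 listed by domain zen.spamhaus.org as 127.0.0.3"""

def octet_matches(pattern, value):
    """Match one octet against 'N' or a '[a;b;c..d]' set of numbers and ranges."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """filt is None (any reply counts) or a d.d.d.d filter with optional [..] octets."""
    if filt is None:
        return True
    octets = re.findall(r"\[[^\]]*\]|\d+", filt)
    return all(octet_matches(p, int(v)) for p, v in zip(octets, reply.split(".")))

def parse_sites(sites):
    """Yield (domain, filter, weight) per entry; weight defaults to 1."""
    for entry in sites.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
        yield m.group(1), m.group(2), int(m.group(3) or 1)

def replies_from_log(text):
    """Map DNSBL domain -> reply address from dnsblog log lines."""
    return dict(re.findall(r"listed by domain (\S+) as (\S+)", text))

def dnsbl_rank(replies, sites=SITES):
    """postscreen-style score: sum the weight of every entry the reply matches."""
    return sum(w for d, f, w in parse_sites(sites)
               if d in replies and reply_matches(f, replies[d]))

def smtpd_rbl_rejects(replies):
    """Single-list check as in reject_rbl_client: no weights, no whitelist offset."""
    zen = replies.get("zen.spamhaus.org")
    return zen is not None and reply_matches(ZEN_FILTER, zen)
```

For the first excerpt the sum is 7, matching the `DNSBL rank 7` log line; for the second the dnswl weight of -4 offsets the zen weight of 3, yet the single-list check still matches `127.0.0.3` in both cases.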