1 (edited by virakocha 2017-01-04 06:33:26)

Topic: DNSBLs not blocking listed IP's

============ Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.5-1
- Linux/BSD distribution name and version: Debian 8 (jessie)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): v0.6.3 (MySQL)
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? NO
- Related log if you're reporting an issue:
====

Hi to all. I hope someone can help me with my current problem regarding spam fighting.

In /etc/postfix/main.cf I have added the following, according to http://www.iredmail.org/docs/enable.dnsbl.html:

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rhsbl_sender dsn.rfc-ignorant.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org

I also added Razor2 and Pyzor in accordance with http://oskarhane.com/better-spam-protec … and-pyzor/

But I am still getting spam from IPs that are listed in the RBL. For example, IPs 5.230.102.144 and .143 are listed in Spamhaus ZEN, and I have seen that the IP has even been greylisted:

2017-01-02 07:30:54 INFO [5.230.102.144] Client has not been seen before, greylisted.
2017-01-02 07:30:54 INFO [5.230.102.144] RCPT, binder@luckysnote.com -> my@email, 451 4.7.1 Intentional policy rejection, please try again later

I found it in the SQL table greylisting_tracking:

(360, 'recaution@ziegler-erden.com', 'my@email', '5.230.102.143', 'ziegler-erden.com', 'mydomain', 1483275217, 1483276117, 1485868418, 2, 1),
(361, 'gonyaulax@ziegler-erden.com', 'my@email', '5.230.102.143', 'ziegler-erden.com', 'mydomain', 1483275219, 1483276119, 1485868422, 2, 1),
(364, 'gymnasiarch@luckysnote.com', 'my@email', '5.230.102.144', 'luckysnote.com', 'mydomain', 1483338331, 1483339231, 1485931532, 2, 1),
(365, 'pseudocharitable@luckysnote.com', 'my@email', '5.230.102.144', 'luckysnote.com', 'mydomain', 1483338339, 1483339239, 1485931539, 2, 1),
(366, 'horripilate@luckysnote.com', 'my@email', '5.230.102.144', 'luckysnote.com', 'mydomain', 1483338381, 1483339281, 1485931630, 2, 1),
(367, 'foundation@luckysnote.com', 'my@email', '5.230.102.144', 'luckysnote.com', 'mydomain', 1483338383, 1483339283, 1485931583, 2, 1);

Can I delete unwanted greylisting_tracking IPs?

Here is also the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailq_path = /usr/bin/mailq
message_size_limit = 51200000
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.mydomain
myhostname = mail.mydomain
mynetworks = 127.0.0.1
myorigin = mail.mydomain
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_banner = cpe-xx.xx.xxx.xx.static.domain.net
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_recipient_restrictions = reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rhsbl_sender dsn.rfc-ignorant.org reject_rbl_client zen.spamhaus.org reject_rbl_client b.barracudacentral.org
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

It seems that the only spam fighting available to me now is the FQDN check.

Here is an example:

Jan  3 15:32:29 mail postfix/smtpd[23341]: connect from unknown[185.123.0.20]
Jan  3 15:32:30 mail postfix/smtpd[23341]: NOQUEUE: reject: RCPT from unknown[185.123.0.20]: 554 5.7.1 <[185.123.0.20]>: Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (185.123.0.20); 

Any ideas?

Thanks in advance
Ziga

2

Re: DNSBLs not blocking listed IP's

Postfix will apply the restrictions listed in smtpd_recipient_restrictions in order, and the greylisting service (check_policy_service inet:127.0.0.1:7777) is triggered BEFORE the DNSBL service.

If the bad clients pass the greylisting service, Postfix will apply the DNSBL services too, so no worry here.

3

Re: DNSBLs not blocking listed IP's

Hey Zhang, thanks for the reply.

But if we check IP 5.230.102.144 with MXToolbox http://mxtoolbox.com/SuperTool.aspx?act … n=toolpage, the IP is listed in zen.spamhaus.org.

So why did reject_rbl_client zen.spamhaus.org not block the IP?

Also, can I delete the unwanted greylisted entries in the SQL database, as listed in my first post? Just asking so that I don't mess around too much.

4

Re: DNSBLs not blocking listed IP's

virakocha wrote:

But if we check IP 5.230.102.144 with MXToolbox http://mxtoolbox.com/SuperTool.aspx?act … n=toolpage, the IP is listed in zen.spamhaus.org.

So why did reject_rbl_client zen.spamhaus.org not block the IP?

Your log doesn't contain any entries related to DNSBL checking. Please extract the related log first.

5

Re: DNSBLs not blocking listed IP's

Hi Zhang,

Here is another example of DNSBL not filtering a blacklisted IP.

An email was received from sql@rrandall.com (IP 64.91.229.113), which is listed in the Barracuda list.
Thunderbird email source view:

Return-Path: <sql@rrandall.com>
Delivered-To: my@email.com
Received: from mail.mymailserver (mail.mymailserver [127.0.0.1])
    by mail.mymailserver (Postfix) with ESMTP id ECCFD9EA11E5
    for <my@email.com>; Mon,  6 Feb 2017 04:01:45 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail.mymailserver
X-Spam-Flag: NO
X-Spam-Score: 4.531
X-Spam-Level: ****
X-Spam-Status: No, score=4.531 tagged_above=-999 required=5
    tests=[ADVANCE_FEE_3_NEW_MONEY=0.001, FREEMAIL_FORGED_REPLYTO=2.503,
    FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
    LOTS_OF_MONEY=0.001, MISSING_MID=0.14, SUBJ_ALL_CAPS=1.625,
    T_HK_NAME_MR_MRS=0.01] autolearn=no autolearn_force=no
Received: from mail.mymailserver ([127.0.0.1])
    by mail.mymailserver (mail.mymailserver [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rc-gLNh4Cq9b for <my@email.com>;
    Mon,  6 Feb 2017 04:01:43 +0100 (CET)
Received: from hosted.thurber.org (hosted.thurber.org [64.91.229.113])
    by mail.mymailserver (Postfix) with ESMTPS id 379409EA1138
    for <my@email.com>; Mon,  6 Feb 2017 04:01:42 +0100 (CET)
Received: from [176.61.138.243] (port=4535)
    by hosted.thurber.org with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.87)
    (envelope-from <sql@rrandall.com>)
    id 1cZXUb-0003sC-G2; Fri, 03 Feb 2017 01:37:09 -0500
Content-Type: multipart/alternative; boundary="===============1991872991=="
MIME-Version: 1.0
Subject: ARE YOU DEAD OR ALIVE? CALL THIS OFFICE IMMEDIATEL?
To: Recipients <sql@rrandall.com>
From: "Mr. Ekpo Nta" <sql@rrandall.com>
Date: Thu, 02 Feb 2017 22:33:53 -0800
Reply-To: mrekponta11@gmail.com
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hosted.thurber.org
X-AntiAbuse: Original Domain - avioms.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - rrandall.com
X-Get-Message-Sender-Via: hosted.thurber.org: authenticated_id: sql@rrandall.com
X-Authenticated-Sender: hosted.thurber.org: sql@rrandall.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Message-Id: <20170206030145.ECCFD9EA11E5@mail.mymailserver>

You will not see this in a MIME-aware mail reader.
--===============1991872991==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

My logs show the following related entries:

/var/log/syslog.1:410:Feb  5 13:54:37 mail postfix/smtpd[32119]: NOQUEUE: reject: RCPT from hosted.thurber.org[64.91.229.113]: 451 4.7.1 <my@email.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<sql@rrandall.com> to=<my@email.com> proto=ESMTP helo=<hosted.thurber.org>
/var/log/syslog.1:1287:Feb  6 04:01:43 mail postfix/qmgr[12779]: 379409EA1138: from=<sql@rrandall.com>, size=24820, nrcpt=1 (queue active)
/var/log/syslog.1:1293:Feb  6 04:01:46 mail postfix/qmgr[12779]: ECCFD9EA11E5: from=<sql@rrandall.com>, size=25703, nrcpt=1 (queue active)
/var/log/syslog.1:1295:Feb  6 04:01:46 mail amavis[9488]: (09488-09) Passed CLEAN {RelayedInbound}, [64.91.229.113]:42882 [176.61.138.243] <sql@rrandall.com> -> <my@email.com>, Queue-ID: 379409EA1138, mail_id: rc-gLNh4Cq9b, Hits: 4.531, size: 24820, queued_as: ECCFD9EA11E5, 2547 ms, Tests: [ADVANCE_FEE_3_NEW_MONEY=0.001,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,HTML_MESSAGE=0.001,LOTS_OF_MONEY=0.001,MISSING_MID=0.14,SUBJ_ALL_CAPS=1.625,T_HK_NAME_MR_MRS=0.01]
/var/log/iredapd/iredapd.log:138:2017-02-06 04:01:43 INFO [64.91.229.113] RCPT, sql@rrandall.com -> my@email.com, DUNNO
/var/log/iredapd/iredapd.log:139:2017-02-06 04:01:43 INFO [64.91.229.113] END-OF-MESSAGE, sql@rrandall.com -> my@email.com, DUNNO
/var/log/mail.log.1:3520:Feb  1 21:09:01 mail postfix/smtpd[31008]: NOQUEUE: reject: RCPT from hosted.thurber.org[64.91.229.113]: 451 4.7.1 <my@email.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<sql@rrandall.com> to=<my@email.com> proto=ESMTP helo=<hosted.thurber.org>
/var/log/mail.log.1:5698:Feb  5 13:54:37 mail postfix/smtpd[32119]: NOQUEUE: reject: RCPT from hosted.thurber.org[64.91.229.113]: 451 4.7.1 <my@email.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<sql@rrandall.com> to=<my@email.com> proto=ESMTP helo=<hosted.thurber.org>
/var/log/mail.log.1:6202:Feb  6 04:01:43 mail postfix/qmgr[12779]: 379409EA1138: from=<sql@rrandall.com>, size=24820, nrcpt=1 (queue active)
/var/log/mail.log.1:6207:Feb  6 04:01:46 mail postfix/qmgr[12779]: ECCFD9EA11E5: from=<sql@rrandall.com>, size=25703, nrcpt=1 (queue active)
/var/log/mail.log.1:6209:Feb  6 04:01:46 mail amavis[9488]: (09488-09) Passed CLEAN {RelayedInbound}, [64.91.229.113]:42882 [176.61.138.243] <sql@rrandall.com> -> <my@email.com>, Queue-ID: 379409EA1138, mail_id: rc-gLNh4Cq9b, Hits: 4.531, size: 24820, queued_as: ECCFD9EA11E5, 2547 ms, Tests: [ADVANCE_FEE_3_NEW_MONEY=0.001,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,HTML_MESSAGE=0.001,LOTS_OF_MONEY=0.001,MISSING_MID=0.14,SUBJ_ALL_CAPS=1.625,T_HK_NAME_MR_MRS=0.01]

It looks to me that the DNSBL service is never triggered. Is there a way I can manually test the DNSBL service?
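The manual test asked for above is just a DNS query: reverse the IPv4 octets, append the list zone, and look up the A record. The script below is an added example, not code from this thread or from iRedMail; it builds those query names, decodes the answer (including the 127.255.255.0/24 error codes Spamhaus returns instead of a listing when a lookup is refused, for example from a public resolver), and applies the same weights and thresholds that appear in the postscreen_dnsbl_sites, postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold lines of the first post's postconf output. The scoring is a simplified model of postscreen (one hit per site, errors ignored), the Spamhaus return codes are taken from Spamhaus's public documentation, and the FAKE_ANSWERS table is constructed so the logic can be exercised without network access; run the file directly to perform live lookups.

```python
"""Manual DNSBL lookups and postscreen-style weighted scoring (added example)."""
import ipaddress
import socket

# Lists and weights as in the first post's postconf output:
# postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
DNSBL_SITES = {"zen.spamhaus.org": 3, "b.barracudacentral.org": 2}
DNSBL_THRESHOLD = 2          # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -2     # postscreen_dnsbl_whitelist_threshold

# Spamhaus ZEN answer codes, per Spamhaus's public documentation.
ZEN_CODES = {
    "127.0.0.2": "SBL: listed spam source",
    "127.0.0.3": "SBL CSS: snowshoe/compromised sender",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or rogue netblock",
    "127.0.0.10": "PBL: ISP policy, end-user address",
    "127.0.0.11": "PBL: Spamhaus-maintained policy entry",
}
for _n in range(4, 8):  # XBL uses 127.0.0.4 .. 127.0.0.7
    ZEN_CODES[f"127.0.0.{_n}"] = "XBL: exploited host or open proxy"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(answer, zone):
    """Map a DNSBL A-record answer to ('listed'|'error'|'clean', detail)."""
    if answer is None:
        return ("clean", "NXDOMAIN: not listed")
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.IPv4Network("127.255.255.0/24"):
        # Spamhaus reports refused lookups (public resolver, query volume)
        # here; this is NOT a listing and must not count as a hit.
        return ("error", f"{answer}: lookup refused by the DNSBL, not a listing")
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return ("error", f"{answer}: unexpected answer, check the resolver")
    if zone == "zen.spamhaus.org":
        return ("listed", ZEN_CODES.get(answer, f"{answer}: undecoded ZEN code"))
    return ("listed", f"{answer}: listed in {zone}")


def lookup(ip, zone, resolve=socket.gethostbyname):
    """Query one DNSBL; returns the answer address, or None on NXDOMAIN.
    `resolve` is injectable so the logic can run without DNS."""
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def postscreen_score(ip, resolve=socket.gethostbyname):
    """Sum the weight of every configured DNSBL that lists the client."""
    score, details = 0, {}
    for zone, weight in DNSBL_SITES.items():
        verdict, detail = classify_answer(lookup(ip, zone, resolve), zone)
        details[zone] = (verdict, detail)
        if verdict == "listed":
            score += weight
    return score, details


def postscreen_decision(ip, resolve=socket.gethostbyname) -> str:
    """Apply the thresholds from the posted configuration to the score."""
    score, _ = postscreen_score(ip, resolve)
    if score >= DNSBL_THRESHOLD:
        return "reject"        # postscreen_dnsbl_action = enforce
    if score <= WHITELIST_THRESHOLD:
        return "whitelist"     # only reachable with negative weights
    return "pass"


# Constructed stand-ins for DNS replies (hypothetical, not real lookups).
FAKE_ANSWERS = {
    "144.102.230.5.zen.spamhaus.org": "127.0.0.4",        # first post's IP
    "113.229.91.64.b.barracudacentral.org": "127.0.0.2",  # post 5's IP
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",            # documented test entry
    "2.0.0.127.b.barracudacentral.org": "127.0.0.2",
    "1.0.0.127.zen.spamhaus.org": "127.255.255.254",      # refused lookup
}


def fake_resolve(name):
    """Resolver substitute that only knows the constructed answers above."""
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(f"NXDOMAIN {name}")


if __name__ == "__main__":
    import sys
    # Live check: 127.0.0.2 is the always-listed test address. Needs DNS, and
    # for Spamhaus a resolver that is not a public one (or the answer is an error).
    for client_ip in sys.argv[1:] or ["127.0.0.2"]:
        total, per_zone = postscreen_score(client_ip)
        print(client_ip, postscreen_decision(client_ip), total, per_zone)
```

If a live run against 127.0.0.2 prints an "error" verdict for zen.spamhaus.org rather than "listed", the mail server's resolver is the thing to look at, since Postfix sees the same answers this script does.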

6

Re: DNSBLs not blocking listed IP's

The pasted log is not the FULL log of the SMTP session related to this IP; it's useless for troubleshooting.

Please extract the log of at least one FULL SMTP session from the Postfix log file.