New distro
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 9 10:14:01 UTC 2021
That's also a way for spammers to verify if an email address exists..
I would recommend enabling postscreen in postfix also, that stops
some scans on email addresses. See the addition below in the mail.
Greetz,
Louis
> -----Original message-----
> From: MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> info] On behalf of Ian
> Sent: Wednesday, 9 June 2021 10:38
> To: mailscanner at lists.mailscanner.info
> Subject: Re: New distro
>
> On 08/06/2021 15:30, Remco Barendse wrote:
>
> > I yet need to figure out some things. Can I forward scanned mail to
> > exchange by putting this in /etc/postfix/transport :
> > mynicedomain.com smtp:[10.1.0.60]
>
> Hi,
>
> Yes, that's exactly what I use.
>
> If forwarding to exchange you might be interested in 'address
> verification'*. This allows postfix to verify an email address with
> exchange before accepting it on the MailScanner. Which means
> that you
> don't have to maintain a local list of acceptable addresses.
>
> * http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
>
> Regards
>
> Ian
> --
>
I've been using this for years now, on Debian 8/9 and now 10, soon Debian 11. :-)
For postscreen you need (something) like this:

# /etc/postfix/postscreen_dnsbl_reply_map.pcre
# Example content
# The leading '!' inverts the match: every DNSBL name except the fake one
# is replaced by the text on the right in the 550 reply, so the rejection
# does not reveal which list the client was found on.
!/^fakename\.spamhaus\.org$/ multiple DNS-based blocklists used.

# /etc/postfix/postscreen_access_list.cidr
# Example content
# https://mailchimp.com/about/ips/
205.201.128.0/20 permit
198.2.128.0/18 permit
148.105.0.0/16 permit

# /etc/postfix/postscreen_access_list-reject.fqrdns.pcre
see : https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
Add this in main.cf and please do read what postscreen is and does before you add it.
Now, in the part below you see a big list of DNSBL servers.
So what it does: it gives values to the connections, checked per RBL server.
If you hit threshold 7 then it's seen as an RBL-listed host.
It adds and subtracts..
An example rejection:
Jun 9 11:46:01 mail postfix/postscreen[126750]: DNSBL rank 10 for [94.152.193.19]:45170
Jun 9 11:46:01 mail postfix/postscreen[126750]: NOQUEUE: reject: RCPT from [94.152.193.19]:45170: 550 5.7.1 Service unavailable; client [94.152.193.19] blocked using multiple DNS-based blocklists, please check http://multirbl.valli.org/; from=<odbicia at offerly.com.pl>, to=<mail at adress.tld>, proto=ESMTP, helo=<smtp.5119.niebieski.net>
So rank 10, above threshold 7.. and we can use these threshold numbers with fail2ban.
By doing that your server gets less stress/hammered, because I block them in the firewall after rejections.
The fail2ban part I'll add at the bottom.
### Before-220 tests (postscreen / DNSBL)
postscreen_tls_security_level = encrypt
postscreen_greet_banner =
    $myhostname, checking blacklists, please wait.
# Drop connections if other server is sending too quickly
postscreen_greet_action = enforce
postscreen_greet_wait = 5s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access_list.cidr,
    pcre:/etc/postfix/postscreen_access_list-reject.fqrdns.pcre
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 7
# site[=reply-filter]*weight; weights are summed per client and compared
# with postscreen_dnsbl_threshold (continuation lines must be indented)
postscreen_dnsbl_sites =
    zen.spamhaus.org*5
    b.barracudacentral.org=127.0.0.2*2
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    rhsbl.rbl.polspam.pl=127.0.0.1*2
    rbl.rbldns.ru=127.0.0.1*1
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    spam.dnsbl.sorbs.net=127.0.0.6*2
    problems.sorbs.net=127.0.0.6*2
    new.spam.sorbs.net=127.0.0.6*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*1
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-1.uceprotect.net*1
    dnsbl-2.uceprotect.net*1
    dnsbl.justspam.org=127.0.0.2*2
    multi.surbl.org*2
    black.junkemailfilter.com=127.0.0.2*2
    rbl.metunet.com=127.0.0.2*2
    all.s5h.net=127.0.0.2*1
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    gl.suomispam.net=127.0.0.2*1
    truncate.gbudb.net=127.0.0.2*1
    dnsbl.zapbl.net=127.0.0.2*1
    spamsources.fabel.dk=127.0.0.2*1
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    dnsbl-3.uceprotect.net=127.0.0.2*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists (negative weights subtract from the rank)
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..254].[0..3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
### Fail2ban addition added in : /etc/fail2ban/jail.local
[postfix-postscreen]
port = smtp
logpath = /var/log/mail.log
maxretry = 1
bantime = 86400
findtime = 3600
banaction = ufw-all

### Fail2ban filter added in : /etc/fail2ban/filter.d/postfix-postscreen.conf
### (a filter definition belongs in filter.d; the jail name above selects
### filter.d/postfix-postscreen.conf by default)
#
# Fail2Ban filter for Postfix's Postscreen blocks.
#
# You need to adjust the rank number to what you please.
# Make sure the first number in failregex ([7-9]) matches the
# postscreen_dnsbl_threshold value in main.cf (7).
# For now we have set rank 7 and up to be blocked and put in the firewall.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/postscreen
# __prefix_line (from common.conf) anchors the match to the _daemon above
failregex = ^%(__prefix_line)sDNSBL rank ([7-9]|[1-9][0-9]) for \[<HOST>\]
ignoreregex =
# Author: Me.. ;-)

### Fail2ban addition added in : /etc/fail2ban/jail.d/personal-enabled.conf
[postfix-postscreen]
enabled = true
ignoreip = 127.0.0.1/8
# add IPs to ignoreip if needed, you most probably want to add some.
And last.. I use ufw as firewall..
### Fail2ban addition added in : /etc/fail2ban/action.d/ufw-all.conf
# Fail2Ban configuration file
#
# We add the rules to ufw for better control and management.
# The official ufw action uses 'ufw insert 1 ..', which errors with IPv6.
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw prepend deny from <ip> to any
actionunban = ufw delete deny from <ip> to any
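An added example in Python, not part of the post, showing how the weighted postscreen_dnsbl_sites entries add and subtract towards postscreen_dnsbl_threshold = 7 the way the post describes; it uses a small subset of the post's list, and the DNSBL answers it scores are constructed.

```python
import re

# Added example, not from the mailing-list post: parse a
# postscreen_dnsbl_sites list and compute a client's DNSBL rank the way
# postscreen does (sum of entry weights, compared with the threshold).

# Constructed subset of the post's list; entry syntax is site[=filter]*weight.
DNSBL_SITES = """
zen.spamhaus.org*5
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
hostkarma.junkemailfilter.com=127.0.0.1*-4
list.dnswl.org=127.0.[0..254].[0..3]*-4
dnsbl.inps.de*2
"""
THRESHOLD = 7  # postscreen_dnsbl_threshold in the post

def _octet_regex(octet):
    """One octet of a reply filter: a literal, or [a;b;c..d] with
    ';'-separated numbers and n..m ranges (Postfix's own syntax)."""
    if not octet.startswith("["):
        return re.escape(octet)
    nums = []
    for piece in octet[1:-1].split(";"):
        lo, _, hi = piece.partition("..")
        nums.extend(range(int(lo), int(hi or lo) + 1))
    return "(?:%s)" % "|".join(map(str, nums))

def filter_regex(filt):
    """Compile a filter such as 127.0.[0..254].[0..3] into a regex."""
    octets = re.findall(r"\[[^\]]*\]|[^.]+", filt)  # keep [..] groups whole
    return re.compile(r"\.".join(_octet_regex(o) for o in octets))

def parse_sites(text):
    """Return [(site, regex, weight)]; no filter = any non-error answer
    counts, no *weight = weight 1 (postscreen's defaults)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        site_filt, _, weight = line.partition("*")
        site, _, filt = site_filt.partition("=")
        rx = filter_regex(filt) if filt else re.compile(r".*")
        rules.append((site, rx, int(weight) if weight else 1))
    return rules

def dnsbl_rank(rules, answers):
    """answers: site -> list of A records returned for the client.
    Each entry adds its weight once if any answer matches its filter."""
    return sum(w for site, rx, w in rules
               if any(rx.fullmatch(a) for a in answers.get(site, [])))

def is_blocked(rules, answers, threshold=THRESHOLD):
    return dnsbl_rank(rules, answers) >= threshold
```

A negative whitelist weight can pull a client back under the threshold even when a blocklist with weight 5 hit, which is exactly what the post's dnswl and hostkarma entries are for.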