New distro

Remco Barendse mailscanner at barendse.to
Wed Jun 9 17:23:54 UTC 2021


Wow, thanks!!

That will be the first thing I'll be working on after successfully migrating
CentOS+sendmail+MailScanner -> Ubuntu-postfix-MailScanner :)

Thanks for the list of blacklists :)


On Wed, 9 Jun 2021, L.P.H. van Belle via MailScanner wrote:

> That's also a way for spammers to verify if the email address exists..
>
> I would recommend enabling postscreen in postfix also, that stops
> some scans on email addresses.  See the addition below in the mail.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: MailScanner
>> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of Ian
>> Sent: Wednesday 9 June 2021 10:38
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: New distro
>>
>> On 08/06/2021 15:30, Remco Barendse wrote:
>>
>>> I yet need to figure out some things. Can I forward scanned mail to
>>> exchange by putting this in /etc/postfix/transport :
>>> mynicedomain.com         smtp:[10.1.0.60]
>>
>> Hi,
>>
>> Yes, that's exactly what I use.
>>
>> If forwarding to exchange you might be interested in 'address
>> verification'*.  This allows postfix to verify an email address with
>> exchange before accepting it on the MailScanner.  Which means that you
>> don't have to maintain a local list of acceptable addresses.
>>
>> * http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>>
>>
>> Regards
>>
>> Ian
>> --
>>
>
> I've been using this for years now, on Debian 8/9 and now 10, soon Debian 11. :-)
>
> For postscreen you need (something) like this:
> # /etc/postfix/postscreen_dnsbl_reply_map.pcre
> # Example content
> !/^fakename\.spamhaus\.org$/         multiple DNS-based blocklists used.
>
> # /etc/postfix/postscreen_access_list.cidr
> # Example content
> # https://mailchimp.com/about/ips/
> 205.201.128.0/20        permit
> 198.2.128.0/18          permit
> 148.105.0.0/16          permit
>
> # /etc/postfix/postscreen_access_list-reject.fqrdns.pcre
> see : https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
>
>
> Add this in main.cf and please do read what postscreen is and does before you add it.
>
> Now, the part below. You see a big list of DNSBL servers.
> So what it does: it gives values to the connections, checked per RBL server.
> If you hit threshold 7 then it's seen as an RBL-listed host.
> It adds and subtracts..
>
> An example rejection.
> Jun  9 11:46:01 mail postfix/postscreen[126750]: DNSBL rank 10 for [94.152.193.19]:45170
> Jun  9 11:46:01 mail postfix/postscreen[126750]: NOQUEUE: reject: RCPT from [94.152.193.19]:45170: 550 5.7.1 Service unavailable; client [94.152.193.19] blocked using multiple DNS-based blocklists, please check http://multirbl.valli.org/; from=<odbicia at offerly.com.pl>, to=<mail at adress.tld>, proto=ESMTP, helo=<smtp.5119.niebieski.net>
>
> So rank 10, above threshold 7.. and we can use these threshold numbers with fail2ban.
> By doing that your server gets less stress/hammered, because I block them in the firewalls after rejections.
> The fail2ban part I'll add at the bottom.
>
>
> ### Before-220 tests (postscreen / DNSBL)
> postscreen_tls_security_level=encrypt
> postscreen_greet_banner =
> 	$myhostname, checking blacklists, please wait.
> # Drop connections if other server is sending too quickly
> postscreen_greet_action = enforce
> postscreen_greet_wait = 5s
> postscreen_greet_ttl = 2d
> postscreen_access_list =
>    permit_mynetworks,
>    cidr:/etc/postfix/postscreen_access_list.cidr,
>    pcre:/etc/postfix/postscreen_access_list-reject.fqrdns.pcre
> postscreen_whitelist_interfaces = $mynetworks, static:all
> postscreen_blacklist_action     = drop
> postscreen_dnsbl_reply_map      = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_action         = enforce
> postscreen_dnsbl_ttl            = 2h
> postscreen_dnsbl_threshold      = 7
> postscreen_dnsbl_sites =
>        zen.spamhaus.org*5
>        b.barracudacentral.org=127.0.0.2*2
>        dnsbl.cobion.com*2
>        bl.spameatingmonkey.net*2
>        fresh.spameatingmonkey.net*2
>        rhsbl.rbl.polspam.pl=127.0.0.1*2
>        rbl.rbldns.ru=127.0.0.1*1
>        dnsbl.kempt.net*1
>        dnsbl.inps.de*2
>        bl.spamcop.net*2
>        spam.dnsbl.sorbs.net=127.0.0.6*2
>        problems.sorbs.net=127.0.0.6*2
>        new.spam.sorbs.net=127.0.0.6*2
>        psbl.surriel.com*2
>        bl.mailspike.net*2
>        rep.mailspike.net=127.0.0.[13;14]*1
>        bl.suomispam.net*1
>        bl.blocklist.de*2
>        ix.dnsbl.manitu.net*2
>        dnsbl-1.uceprotect.net*1
>        dnsbl-2.uceprotect.net*1
>        dnsbl.justspam.org=127.0.0.2*2
>        multi.surbl.org*2
>        black.junkemailfilter.com=127.0.0.2*2
>        rbl.metunet.com=127.0.0.2*2
>        all.s5h.net=127.0.0.2*1
>        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
>        rbl.abuse.ro=127.0.0.[2;4]*2
>        gl.suomispam.net=127.0.0.2*1
>        truncate.gbudb.net=127.0.0.2*1
>        dnsbl.zapbl.net=127.0.0.2*1
>        spamsources.fabel.dk=127.0.0.2*1
>        dnsbl.spfbl.net=127.0.0.[2;4]*2
>        dnsbl-3.uceprotect.net=127.0.0.2*2
>        # No RDNS
>        dnsbl.spfbl.net=127.0.0.3*1
>        hostkarma.junkemailfilter.com=127.0.0.3*1
>        # whitelists
>        swl.spamhaus.org*-6
>        dnswl.spfbl.net=127.0.0.[2;3;4]*-3
>        list.dnswl.org=127.0.[0..254].[0..3]*-4
>        rep.mailspike.net=127.0.0.[17;18]*-1
>        rep.mailspike.net=127.0.0.[19;20]*-2
>        hostkarma.junkemailfilter.com=127.0.0.1*-4
>        nobl.junkemailfilter.com=127.0.0.5*-4
> #
> ### End of before-220 tests
> ### After-220 tests
> ### WARNING -- See "Tests after the 220 SMTP server greeting" in the
> ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
> ### following tests! This basically enables some kind of greylisting!
> #postscreen_bare_newline_action = enforce
> #postscreen_bare_newline_enable = yes
> #postscreen_non_smtp_command_enable = yes
> #postscreen_pipelining_enable = yes
> ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
> ### significant and annoying mail delays.
>
>
>
> ###  Fail2ban addition added in : jail.local
> [postfix-postscreen]
> port     = smtp
> logpath  = /var/log/mail.log
> maxretry = 1
> bantime = 86400
> findtime = 3600
> banaction = ufw-all
>
> ###  Fail2ban addition added in : /etc/fail2ban/jail.local
> #
> # Fail2Ban filter for Postfix's Postscreen blocks.
> #
> # you need to adjust the Rank number to what you please.
> # make sure you match the first number [7-9] so the 7 with postfix/postscreen_dnsbl_threshold value=
> # For now we have set rank 7 and up are getting blocked and put in the firewall
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> _daemon = postfix(-\w+)?/postscreen
>
> failregex = DNSBL rank ([7-9]|[1-9][0-9]) for \[<HOST>\]
>
> ignoreregex =
>
> # Author: Me.. ;-)
>
> ###  Fail2ban addition added in : /etc/fail2ban/jail.d/personal-enabled.conf
> [postfix-postscreen]
> enabled = true
> ignoreip = 127.0.0.1/8
> # add IPs in ignore if needed, you most probably want to add some.
>
> And last.. I use ufw as firewall..
> ###  Fail2ban addition added in : /etc/fail2ban/action.d/ufw-all.conf
> # Fail2Ban configuration file
> #
> # We add the rules to ufw for better control and management
> # official ufw version uses ufw insert 1 .. that errors with IPv6.
>
> [Definition]
> actionstart =
> actionstop =
> actioncheck =
> actionban = ufw prepend deny from <ip> to any
> actionunban = ufw delete deny from <ip> to any
>
>
>
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>



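Added example, not part of the original messages and not Postfix or fail2ban code: a Python model of how the weights in the quoted `postscreen_dnsbl_sites` list add up to the logged "DNSBL rank", and of which ranks the quoted `failregex` picks up. It assumes one reply address per DNSBL and replaces fail2ban's `<HOST>` tag with a simplified pattern; the reply addresses are constructed.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted above: site[=filter]*weight
SITES = """zen.spamhaus.org*5 b.barracudacentral.org=127.0.0.2*2 bl.spamcop.net*2
rep.mailspike.net=127.0.0.[13;14]*1 rep.mailspike.net=127.0.0.[19;20]*-2
list.dnswl.org=127.0.[0..254].[0..3]*-4""".split()
THRESHOLD = 7  # postscreen_dnsbl_threshold in the quoted main.cf

def octet_matches(pattern, octet):
    """One reply octet against N, [a;b] or [lo..hi] (alternatives may be mixed)."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def entry_weight(entry, replies):
    """Weight contributed by one entry, or 0 if that entry does not apply."""
    site, _, weight = entry.partition("*")
    name, _, flt = site.partition("=")
    reply = replies.get(name)
    if reply is None:
        return 0
    if flt:  # without a filter, any reply from the site counts
        pats = re.findall(r"\[[^\]]*\]|\d+", flt)
        if not all(octet_matches(p, int(o)) for p, o in zip(pats, reply.split("."))):
            return 0
    return int(weight or 1)

def rank(replies):
    """Sum of weights; `replies` maps site -> the 127.x.y.z answer it returned."""
    return sum(entry_weight(e, replies) for e in SITES)

# The failregex from the quoted filter; <HOST> is replaced by a simplified
# stand-in for fail2ban's own host pattern (assumption for this example).
FAILREGEX = r"DNSBL rank ([7-9]|[1-9][0-9]) for \[<HOST>\]".replace(
    "<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)")

def banned_host(log_line):
    """Address the filter would hand to the ban action, or None if no match."""
    m = re.search(FAILREGEX, log_line)
    return m.group("host") if m else None

if __name__ == "__main__":
    # Constructed replies: listed on two blocklists, then also on a whitelist.
    listed = {"zen.spamhaus.org": "127.0.0.4", "bl.spamcop.net": "127.0.0.2"}
    print(rank(listed), rank(listed) >= THRESHOLD)
    print(rank({**listed, "list.dnswl.org": "127.0.5.1"}))
    print(banned_host("postfix/postscreen[1]: DNSBL rank 10 for [192.0.2.7]:25"))
```

The quoted `failregex` matches ranks 7 through 99, so the `[7-9]` alternative has to move together with `postscreen_dnsbl_threshold`, as the filter's own comment says.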