Postscreen client based access through reverse DNS lookup
Lefteris Tsintjelis
2016-07-21 15:21:38 UTC
Would it be too much to ask for a single reverse DNS lookup client based
black/white listing in postscreen?

...
.gmail.com reject
.live.com reject
.postfix.org accept
...
/dev/rob0
2016-07-21 15:42:47 UTC
Post by Lefteris Tsintjelis
Would it be too much to ask for a single reverse DNS lookup client
based black/white listing in postscreen?
...
.gmail.com reject
.live.com reject
.postfix.org accept
...
Can't you do the same thing (to solve your unstated problem, which I
assume might be to avoid delays with after-220 tests) with DNSWL and
postscreen_dnsbl_whitelist_threshold?

Most large-scale legitimate senders are listed in list.dnswl.org.
Those which are not listed are usually small enough to retry from the
same IP address, so the delays won't be much.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Steve Jenkins
2016-07-21 15:58:39 UTC
Post by Lefteris Tsintjelis
Would it be too much to ask for a single reverse DNS lookup client based
black/white listing in postscreen?
...
.gmail.com reject
.live.com reject
.postfix.org accept
...
If you're looking into Postscreen whitelisting, you might consider
including Postwhite in your solution:

http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/

It helps you whitelist trusted senders' known SMTP IP addresses based on
their published SPF records. You can choose which mailers to whitelist and
add easily your own.

SteveJ
Lefteris Tsintjelis
2016-07-21 16:09:45 UTC
http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
It helps you whitelist trusted senders' known SMTP IP addresses based on their published SPF records. You can choose which mailers to whitelist and add easily your own.
This is a CIDR based access list and you have to know the IP but Gmail for example changes often so something like ".google.com accept" or ".hotmail.com reject" would make life much much easier.
Steve Jenkins
2016-07-21 16:23:20 UTC
Post by Steve Jenkins
If you're looking into Postscreen whitelisting, you might consider
http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
It helps you whitelist trusted senders' known SMTP IP addresses based on
their published SPF records. You can choose which mailers to whitelist and
add easily your own.
This is a CIDR based access list
Postwhite handles CIDR and individual IP addresses, and formats them
properly for Postscreen.
Post by Steve Jenkins
and you have to know the IP but Gmail for example changes often so
something like ".google.com accept" or ".hotmail.com reject" would make
life much much easier.
You're right -- Gmail (and others) change their IP addresses often... so
I'm going to guess you didn't make it to the part of the article that says
"I also recommend creating a cron job to refresh your whitelist with
updated queries every week." Actually, Postwhite is lightweight enough to
be run daily (or even multiple times per day) to update your Postscreen
whitelist, if you're concerned with super-freshness.

If the blog post was too much reading, just skip right to the GitHub
project for it: https://github.com/stevejenkins/postwhite

What you're asking for doesn't exist currently in Postscreen, and it's not
likely it will any time soon (if ever). Your best approach is to combine
dnswl whitelisting with Postwhite. It's literally a 5 minute job that will
"make life much much easier." :)

SteveJ
Steve Jenkins
2016-07-21 16:25:28 UTC
Post by Lefteris Tsintjelis
This is a CIDR based access list and you have to know the IP
Also... you don't need to know the IP. Postwhite looks it (them) up for you
based on domain name and stuffs them into a Postscreen-friendly whitelist.
It's literally the entire raison d'etre for the script. :)
Lefteris Tsintjelis
2016-07-21 16:28:14 UTC
Post by /dev/rob0
Can't you do the same thing (to solve your unstated problem, which I
assume might be to avoid delays with after-220 tests) with DNSWL and
postscreen_dnsbl_whitelist_threshold?
Most large-scale legitimate senders are listed in list.dnswl.org.
Those which are not listed are usually small enough to retry from the
same IP address, so the delays won't be much.
I am already doing this but I would personally much rather have the
choice of a domain white/black listing as it is a much cleaner solution
even for smaller and unlisted domains with the extra delay cost of a
single reverse lookup of course, if that is the problem.

The DNSW/BL only covers single IP access and not a whole domain. A
reverse lookup would cover both white and black listing of whole domains
of anyone’s choice and make life easier/harder dealing with smaller email
communities.
Wietse Venema
2016-07-21 17:13:32 UTC
Post by Lefteris Tsintjelis
Would it be too much to ask for a single reverse DNS lookup client based
black/white listing in postscreen?
I have already explained at length why postscreen will not query
DNS domains other than the few DNSB/WLs that are configured by the
Postfix system administrator.

Wietse
Steve Jenkins
2016-07-21 18:27:31 UTC
Post by Lefteris Tsintjelis
I am already doing this but I would personally much rather have the
choice of a domain white/black listing as it is a much cleaner solution
even for smaller and unlisted domains with the extra delay cost of a
single reverse lookup of course, if that is the problem.
The DNSW/BL only covers single IP access and not a whole domain. A
reverse lookup would cover both white and black listing of whole domains
of anyone’s choice and make life easier/harder dealing with smaller email
communities.
Hi, Lefteris. Wietse has reiterated that Postscreen is not designed to do
DNS queries (beyond DNSB/WLs). His is the final word on the subject. :)

I had a few extra minutes this morning, so I updated Postwhite to
optionally allow blacklisting. It's not enabled by default, and I added a
warning in the README about the dangers of manual blacklisting. But it's
the closest you're going to get to building whitelists and blacklists for
Postscreen based on hostnames:

https://github.com/stevejenkins/postwhite

Good luck!

SteveJ
Benny Pedersen
2016-07-21 23:14:15 UTC
Post by Steve Jenkins
https://github.com/stevejenkins/postwhite
can the blacklist be saved to a separate cidr file, so the order of
blacklist/whitelist is the user's choice? :=)

postfix has always been first match wins
Wietse Venema
2016-07-21 23:18:33 UTC
Post by Benny Pedersen
Post by Steve Jenkins
https://github.com/stevejenkins/postwhite
can the blacklist be saved to a separate cidr file, so the order of
blacklist/whitelist is the user's choice? :=)
postfix has always been first match wins
You could generate the file with good old cat from multiple sources.

cat f1 f2 f3 >postscreen_access.tmp && mv postscreen_access.tmp postscreen_access

Wietse
Steve Jenkins
2016-07-21 23:30:52 UTC
Post by Benny Pedersen
Post by Steve Jenkins
https://github.com/stevejenkins/postwhite
can the blacklist be saved to a separate cidr file, so the order of
blacklist/whitelist is the user's choice? :=)
postfix has always been first match wins
Yes, the black list is saved as a separate file for that very reason. Then
just make sure the whitelist is first:

postscreen_access_list = permit_mynetworks,
...
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_spf_blacklist.cidr,
...

Presto! :)

SteveJ
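Assuming Postfix's first-match-wins cidr tables and the two file names from Steve's config above, this added example (not code from the thread or from Postwhite) builds the combined access file with Wietse's cat-and-mv pattern, refuses to install an empty result, and checks the resulting order with a small first-match lookup:

```shell
#!/bin/sh
# Added example, not code from the thread or from Postwhite: merge separate
# whitelist/blacklist CIDR sources into one postscreen access file, whitelist
# first, and install it with the atomic cat-and-mv pattern from the thread.
# A small first-match lookup shows why the order matters. File names and
# address ranges are constructed for this demo; IPv4 only.
set -eu

ip2int() {                         # dotted-quad IPv4 -> integer
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

build_access_file() {              # $1 = destination, $2.. = sources in priority order
  dest=$1; shift; tmp="$dest.tmp"
  # keep only lines that look like cidr-table entries; comments and blanks are dropped
  cat "$@" | grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?[[:space:]]+(permit|reject|dunno)' >"$tmp" || true
  if [ ! -s "$tmp" ]; then         # never replace the live file with an empty one
    rm -f "$tmp"; echo "refusing to install an empty access list" >&2; return 1
  fi
  mv "$tmp" "$dest"                # rename is atomic; postscreen never reads a partial file
}

lookup_action() {                  # $1 = access file, $2 = client IPv4
  ipn=$(ip2int "$2")
  while read -r cidr action rest; do
    net=${cidr%/*}
    case $cidr in */*) bits=${cidr#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    if [ $(( ipn & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
      echo "$action"; return 0     # first match wins, as in Postfix cidr tables
    fi
  done <"$1"
  echo dunno                       # no entry: postscreen falls through to its other checks
}

dir=$(mktemp -d)
printf '%s\n' '# constructed: trusted provider ranges' \
  '192.0.2.0/24 permit' '198.51.100.10 permit' >"$dir/postscreen_spf_whitelist.cidr"
printf '%s\n' '# constructed: manual blacklist' \
  '192.0.2.0/25 reject' '203.0.113.0/24 reject' >"$dir/postscreen_spf_blacklist.cidr"
build_access_file "$dir/postscreen_access.cidr" \
  "$dir/postscreen_spf_whitelist.cidr" "$dir/postscreen_spf_blacklist.cidr"
# 192.0.2.5 is covered by both lists; listing the whitelist first yields "permit"
for ip in 192.0.2.5 203.0.113.7 198.51.100.77; do
  printf '%-14s %s\n' "$ip" "$(lookup_action "$dir/postscreen_access.cidr" "$ip")"
done
```

Swapping the two source arguments makes 192.0.2.5 come out as "reject", which is exactly the ordering mistake the separate files are meant to let you control.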
Lefteris Tsintjelis
2016-07-22 06:51:20 UTC
Hi, Lefteris. Wietse has reiterated that Postscreen is not designed to do DNS queries (beyond DNSB/WLs). His is the final word on the subject. :)
No doubt about this one, of course and it is! :)
https://github.com/stevejenkins/postwhite
Thank you Steve I will give it a shot and see how it works out.
