#1
Hello all.. Running postfix on Mac OS/X...

I'd like to get a handle on spam. It's getting nasty.

My question is the best way to start using blacklists, and more importantly, how to verify they're working? I currently have the below in my main.cf (If I'm missing a line, let me know..)

    stmpd_client_restrictions = reject_maps_rbl
    maps_rbl_domains = rbl-plus.mail-abuse.org
    bl.spamcop.net

    maps_rbl_domains = relays.ordb.org, reject_rbl_client
    opm.blitzed.org, reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    cbl.abuseat.org, dul.dnsbl.sorbs.net

Is the above proper, and if so, how would I verify they're working? Any other suggestions on blacklists to add?

Thanks.

Evan

#2

Evan Platt wrote:
> Hello all.. Running postfix on Mac OS/X...
>
> I'd like to get a handle on spam. It's getting nasty.
>
> My question is the best way to start using blacklists, and more
> importantly, how to verify they're working? I currently have the below
> in my main.cf (If I'm missing a line, let me know..)
>
> stmpd_client_restrictions = reject_maps_rbl
> maps_rbl_domains = rbl-plus.mail-abuse.org
> bl.spamcop.net
>
> maps_rbl_domains = relays.ordb.org, reject_rbl_client
> opm.blitzed.org, reject_rbl_client list.dsbl.org,
> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
> cbl.abuseat.org, dul.dnsbl.sorbs.net
>
> Is the above proper, and if so, how would I verify they're working?
> Any other suggestions on blacklists to add?
>
>
> Thanks.
>
> Evan

As listed above, "stmpd" is a typo in "stmpd_client_restrictions"

Here's an example of how to do it, including the use of an optional local override/additions database:

    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/rbl_access,
        permit_mynetworks,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client bl.spamcop.net

Choosing which RBL services to use is a personal choice, and is an often debated decision. My personal opinion is that if I were only allowed to use one service (a free one), it would be sbl-xbl.spamhaus.org.

A handy tool is at http://www.dnsstuff.com under "Spam Database Lookup". Sometime when you get a spam, look up its IP address there, and it will tell you which RBL services block that IP. You can eventually get a feel for which ones are right for you.

Some that I know about that I don't use are:

    rbl-plus.mail-abuse.org (Requires a $$$ subscription to use)
    bl.spamcop.net (Experienced blocking of gmail.com and yahoo.com email servers)
    psbl.surriel.com (blocked ev1.net mail servers)
    spamcannibal (blocked motorola.com, hp.com)
    dnsbl-1.uceprotect.net (blocked Roadrunner mail servers; costs $50 to get removed)

The ones I currently use successfully are:

    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client korea.services.net,
    reject_rbl_client dynablock.njabl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.csma.biz,
    reject_rbl_client relays.ordb.org

Regarding how to tell if it's working... blocks should be logged in the syslog file, typically named /var/log/maillog on a Linux box. Dunno where on Mac OS/X.

The web sites for each blocking service may provide info on how to test the service using DNS. A real example for Spamhaus is the IP address: 24.98.62.140

    nslookup 140.62.98.24.sbl-xbl.spamhaus.org
    Name: 140.62.98.24.sbl-xbl.spamhaus.org
    Address: 127.0.0.4

If it returns a 127 address rather than NXDOMAIN, then it's blocked.

For Spamcop and Spamhaus, the test address is 127.0.0.2. So these are example test commands:

    nslookup 2.0.0.127.bl.spamcop.net
    nslookup 2.0.0.127.sbl-xbl.spamhaus.org

-- Greg
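
The DNS test described in the post above, as an added Python example that is not part of the original post: it builds the reversed-octet query name, treats only a "no such name" answer as "not listed", and checks that a zone lists the 127.0.0.2 test address. The function names, `fake_resolve` and its records are constructed so the code runs offline; omit the `resolve` argument to use the system resolver.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def dnsbl_status(ip, zone, resolve=socket.gethostbyname):
    """Return ("listed", answer), ("not listed", None) or ("error", reason)."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        # Only "no such name" means not listed; a timeout or resolver
        # failure is not a verdict and must not be read as "clean".
        no_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        if exc.errno in no_name:
            return ("not listed", None)
        return ("error", str(exc))
    if answer.startswith("127."):
        return ("listed", answer)
    return ("error", "unexpected answer " + answer)

def usable_zones(zones, resolve=socket.gethostbyname):
    """A zone is usable only if it lists the 127.0.0.2 test address."""
    return {z: dnsbl_status("127.0.0.2", z, resolve)[0] == "listed" for z in zones}

# Constructed stand-in data: one zone that lists the test address and the
# sample IP from the post; every other name gets a "no such name" answer.
FAKE_RECORDS = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    "140.62.98.24.sbl-xbl.spamhaus.org": "127.0.0.4",
}

def fake_resolve(name):
    if name in FAKE_RECORDS:
        return FAKE_RECORDS[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
```

A zone for which `usable_zones` reports `False` will never reject anything, so it is worth running this check before adding a list to `smtpd_client_restrictions`.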

#3

On Wed, 26 Apr 2006 17:49:46 GMT, Greg Hackney <hackney@swbell.net> wrote:

>As listed above, "stmpd" is a typo in "stmpd_client_restrictions"
>
>Here's an example of how to do it, including the use
>of an optional local override/additions database:
>
>smtpd_client_restrictions =
> check_client_access hash:/etc/postfix/rbl_access,
> permit_mynetworks,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client bl.spamcop.net

Thanks for the info.. I added to my main.cf:

    smtpd_client_restrictions =
        permit_mynetworks,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client korea.services.net,
        reject_rbl_client dynablock.njabl.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.csma.biz,
        reject_rbl_client relays.ordb.org

(I removed the access.db entry since I don't use that yet).

I get errors in my mail.log and all mail is rejected. I get a bounce to postmaster:

    Subject: Postfix SMTP server: errors from....

    In: RCPT TO:<evan@ESPPHOTOGRAPHY.COM>
    Out: 451 Server configuration error
    In: DATA
    Out: 554 Error: no valid recipients
    In: RSET
    Out: 250 Ok
    In: QUIT
    Out: 221 Bye

I do see in my mail.log:

    Apr 26 11:08:27 www postfix/smtpd[268]: warning: unknown smtpd restriction: "maps_rbl_domains"
    Apr 26 11:08:27 www postfix/smtpd[268]: NOQUEUE: reject: RCPT from unknown[69.95.226.3]: 451 Server configuration error;

Any ideas?

Thanks.

Evan

#4

> I added to my main.cf:
>
> smtpd_client_restrictions =
> permit_mynetworks,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client korea.services.net,
> reject_rbl_client dynablock.njabl.org,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client bl.csma.biz,
> reject_rbl_client relays.ordb.org

About the 4th line down in the above example, there is a "reject_rbl_client" statement, but no RBL service name.

> I do see in my mail.log:
> Apr 26 11:08:27 www postfix/smtpd[268]: warning: unknown smtpd
> restriction: "maps_rbl_domains"

Search your main.cf file for the string "maps_rbl_domains". That string is presently obsolete, and shouldn't be used anywhere.

BTW, are you possibly running a really ancient version of Postfix? The way that RBL was implemented on very old Postfix systems is:

    maps_rbl_domains =
        bl.spamcop.net,
        sbl-xbl.spamhaus.org,
        korea.services.net,
        dynablock.njabl.org,
        cbl.abuseat.org,
        bl.csma.biz,
        relays.ordb.org

    smtpd_client_restrictions =
        permit_mynetworks,
        reject_maps_rbl

The correct syntax for your version should be contained within "man 5 postconf".

Also, run the command "postfix check" to look for errors.

-- Greg
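
An added example, not from the thread and not part of Postfix: a small main.cf check for the three mistakes diagnosed above (the misspelled parameter name, the `reject_rbl_client` with no zone, and the `maps_rbl_domains` setting the reply calls obsolete). The function names and the sample file are constructed for illustration; "postfix check" and "man 5 postconf" remain the authoritative references.

```python
import difflib
import re

# Restriction-list parameters from postconf(5), used as the spelling reference.
RESTRICTION_PARAMS = [f"smtpd_{k}_restrictions" for k in
                      ("client", "helo", "sender", "recipient", "relay",
                       "data", "end_of_data", "etrn")]

# Constructed sample combining the three mistakes found in this thread.
SAMPLE = """\
stmpd_client_restrictions = reject_maps_rbl
smtpd_client_restrictions =
    permit_mynetworks,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client,
    reject_rbl_client sbl-xbl.spamhaus.org
maps_rbl_domains = relays.ordb.org
"""

def parse_main_cf(text):
    """Fold continuation lines (leading whitespace) into name -> value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def lint(text):
    findings = []
    for name, value in parse_main_cf(text).items():
        if name == "maps_rbl_domains":
            findings.append("obsolete parameter: maps_rbl_domains")
        if name not in RESTRICTION_PARAMS:
            guess = difflib.get_close_matches(name, RESTRICTION_PARAMS, 1, 0.9)
            if guess:
                findings.append(f"{name}: unknown name, did you mean {guess[0]}?")
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok == "reject_rbl_client" and "." not in nxt:
                findings.append(f"{name}: item {i + 1}: reject_rbl_client has no zone")
            elif tok in ("maps_rbl_domains", "reject_maps_rbl"):
                findings.append(f"{name}: obsolete keyword {tok}")
    return findings
```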

#5

On Wed, 26 Apr 2006 20:23:41 GMT, Greg Hackney <hackney@swbell.net> wrote:

>About the 4th line down in the above example, there is a "reject_rbl_client"
>statement, but no RBL service name.

D'oh! Good catch, thanks.

>> I do see in my mail.log:
>> Apr 26 11:08:27 www postfix/smtpd[268]: warning: unknown smtpd
>> restriction: "maps_rbl_domains"
>
>Search your main.cf file for the string "maps_rbl_domains". That string is
>presently obsolete, and shouldn't be used anywhere.
>
>BTW, are you possibly running a really ancient version of Postfix? The way that
>RBL was implemented on very old Postfix systems is:

Didn't find maps_rbl_domains in main.cf. I'm not sure what version I'm running. I have a combo of some stuff installed from source, some stuff from fink / apt-get / port install.

postfix -v shows 2.2.4, but postfix restart or stop says postfix isn't running. ps aux | grep postfix shows:

    postfix 230 0.0 0.4 39604 2208 ?? SNs 2:41PM 0:00.62 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdimportserver
    postfix 273 0.0 0.1 27408 756 ?? S 2:42PM 0:00.11 qmgr -l -t fifo -u
    postfix 477 0.0 0.1 27352 708 ?? S 3:07PM 0:00.02 proxymap -t unix -u
    postfix 478 0.0 0.1 27376 752 ?? S 3:07PM 0:00.03 trivial-rewrite -n rewrite -t unix -u
    postfix 520 0.0 0.3 29816 1620 ?? S 3:11PM 0:00.06 smtpd -n smtp -t inet -u
    root 528 0.0 0.0 8776 8 p0 R+ 3:11PM 0:00.00 grep postfix

so I couldn't tell ya.

But thanks for your advice, I'm now seeing postfix entries telling me bl.spamcop.net is working. :-D

Thanks.

Evan

#6

On Wed, 26 Apr 2006 20:23:41 GMT, Greg Hackney <hackney@swbell.net> wrote:

>Also, run the command "postfix check" to look for errors.

Ok.. slight problem:

How do I add a bypass for say Yahoo Groups?

    Apr 26 11:26:07 www postfix/smtpd[270]: NOQUEUE: reject: RCPT from n32.bullet.scd.yahoo.com[66.94.237.26]: 554 Service unavailable; Client host [66.94.237.26] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?66.94.237.26; from=<sentto-151496-26653-1146075822-evan=espphotography.com@returns.groups.yahoo.com> to=<evan@espphotography.com> proto=SMTP helo=<n32.bullet.scd.yahoo.com>

Might be a slight problem. Would love to use spamcop blacklist, but don't want to get booted from yahoo groups.

Thanks. :-D

Evan
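
An added example (not part of the original post) for verifying the blacklists from the mail log: it groups DNSBL rejects by list and client, which is also how a false positive like the one above shows up, and collects the lines that indicate a broken restriction list. The function and variable names are assumptions; the sample lines are the log lines quoted in this thread.

```python
import re
from collections import defaultdict

REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) (?P<text>.*)")
BLOCKED = re.compile(r"blocked using (?P<zone>[A-Za-z0-9.-]+)")
WARNING = re.compile(r"postfix/smtpd\[\d+\]: warning: (?P<msg>.*)")

# Log lines quoted in this thread (the last one shortened after the URL).
SAMPLE_LOG = [
    'Apr 26 11:08:27 www postfix/smtpd[268]: warning: unknown smtpd '
    'restriction: "maps_rbl_domains"',
    'Apr 26 11:08:27 www postfix/smtpd[268]: NOQUEUE: reject: RCPT from '
    'unknown[69.95.226.3]: 451 Server configuration error;',
    'Apr 26 11:26:07 www postfix/smtpd[270]: NOQUEUE: reject: RCPT from '
    'n32.bullet.scd.yahoo.com[66.94.237.26]: 554 Service unavailable; '
    'Client host [66.94.237.26] blocked using bl.spamcop.net; '
    'Blocked - see http://www.spamcop.net/bl.shtml?66.94.237.26;',
]

def summarize(lines):
    """Return (zone -> set of (host, ip) rejected, list of config problems)."""
    by_zone = defaultdict(set)
    problems = []
    for line in lines:
        warning = WARNING.search(line)
        if warning:
            problems.append(warning["msg"])
            continue
        reject = REJECT.search(line)
        if not reject:
            continue
        zone = BLOCKED.search(reject["text"])
        if zone:
            # A working list: the reject names the zone that matched.
            by_zone[zone["zone"]].add((reject["host"], reject["ip"]))
        elif reject["code"] == "451" and "configuration error" in reject["text"]:
            # Mail refused because main.cf is broken, not because of a list.
            problems.append(f"451 configuration error for {reject['host']}[{reject['ip']}]")
    return dict(by_zone), problems
```

Reviewing the per-zone client sets against senders you expect mail from is what tells you which entries belong in the local override table.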

#7

>
> How do I add a bypass for say Yahoo Groups?
>
> Apr 26 11:26:07 www postfix/smtpd[270]: NOQUEUE: reject: RCPT from
> n32.bullet.scd.yahoo.com[66.94.237.26]: 554 Service unavailable;
> Client host [66.94.237.26] blocked using bl.spamcop.net; Blocked - see
> http://www.spamcop.net/bl.shtml?66.94.237.26;

Hey, I already warned you that bl.spamcop.net would block yahoo.com... And that's just one of the reasons why I don't use them...

There's a couple of things you can do:

1. Don't use bl.spamcop.net
--or--
2. Put that "access" table back in that I previously suggested you use, and painstakingly add all the yahoo (and others) blocked mail servers. Examples:

    66.94.237.26 OK
    .dcn.yahoo.com OK
    .scd.yahoo.com OK
    .mud.yahoo.com OK

-- Greg

P.S. You can determine your Postfix version with the command:

    postconf mail_version

#8

On Wed, 26 Apr 2006 23:26:13 GMT, Greg Hackney <hackney@swbell.net> wrote:

>Hey, I already warned you that bl.spamcop.net would block yahoo.com...
>And that's just one of the reasons why I don't use them...

My bad, I misunderstood that. :-D

>There's a couple of things you can do:
> 1. Don't use bl.spamcop.net
> --or--
> 2. Put that "access" table back in that I previously suggested you use, and
> painstakingly add all the yahoo (and others) blocked mail servers. Examples:
>
> 66.94.237.26 OK
> .dcn.yahoo.com OK
> .scd.yahoo.com OK
> .mud.yahoo.com OK

ok, I've got just a little experience with hash files.. So I created rbl_access, then ran postmap rbl_access, which created the rbl_access.db file. I then get:

    Apr 27 06:22:47 www postfix/smtpd[3544]: fatal: open database /etc/postfix/rbl_access.db: Inappropriate file type or format

I can put the .db file on my webserver if that would , unless I'm missing something obvious.

I googled postfix's website and google for rbl_access.db, no joy.

Thanks again for all your .

Evan
--
To reply, remove TheObvious from my e-mail address.

#9

Evan Platt wrote:
> ok, I've got just a little experience with hash files.. So I created
> rbl_access , then ran postmap rbl_access, which created the
> rbl_access.db file. I then get:
> Apr 27 06:22:47 www postfix/smtpd[3544]: fatal: open database
> /etc/postfix/rbl_access.db: Inappropriate file type or format

OK, I think you are the guy with MAC OS/X. right? I'm not sure which database formats Apple uses. But you can list all the ones that are supported with the command:

    postconf -m

The default database type on your system can be displayed with the command:

    postconf default_database_type

When you ran "postmap /etc/postfix/rbl_access", you said it created a .db file. I believe that means you have to use either the "hash" or "btree" types as the database type, as in:

    check_client_access hash:/etc/postfix/rbl_access,
    --or--
    check_client_access btree:/etc/postfix/rbl_access,

Since you already tried "hash", it's probably "btree".

You can also force the postmap command to use any supported database type, for example:

    postmap btree:/etc/postfix/rbl_access

> I googled postfix's website and google for rbl_access.db, no joy.

That's because "rbl_access" is just a file name that I made up. You can name the file anything that's convenient for you to remember what it's used for.

-- Greg

#10

On Thu, 27 Apr 2006 17:24:33 GMT, Greg Hackney <hackney@swbell.net> wrote:

>OK, I think you are the guy with MAC OS/X. right? I'm not sure
>which database formats Apple uses. But you can list all the ones that
>are supported with the command: postconf -m

That is me..

Postconf -m shows:

    btree
    cidr
    environ
    hash
    mysql
    pcre
    proxy
    regexp
    static
    unix

>The default database type on your system can be displayed with the command:
>
>
> postconf default_database_type

that shows

    default_database_type = hash

>When you ran "postmap /etc/postfix/rbl_access", you said it created a .db
>file. I believe that means you have to use either the "hash" or "btree" types
>as the database type, as in:
>
>check_client_access hash:/etc/postfix/rbl_access,
>--or--
>check_client_access btree:/etc/postfix/rbl_access,
>
>Since you already tried "hash", it's probably "btree".

Tried both. No joy.

>You can also force the postmap command to use any supported database type,
>for example:
>
> postmap btree:/etc/postfix/rbl_access

Tried both - obviously creating a btree, and using btree, and hash / hash.

I'm wondering if there isn't something mac specific. I've got a mac nerd I know, I'll see if I can catch him when he logs in. Might be something mac specific.

If it's any clue, I do have

    smtpd_sender_restrictions = hash:/etc/postfix/access

in my main.cf, and I do have a access and access.db.

>That's because "rbl_access" is just a file name that I made up. You
>can name the file anything that's convenient for you to remember what it's used for.

Oh. Heh, thought that was like a common name or something.