Tuesday, March 3, 2020

Postfix/Postscreen using Blocklists and Deep Protocol tests

When configuring Postfix, it is worth considering using an 'aggressive" postscreen configuration thus saving valuable bandwidth and processing power.

However, some configurations may lead to issues with some mail providers. Specifically I've had issues with Google GMail and Microsoft Hotmail with blocklists and deep protocol tests respectively.

Microsoft Hotmail / Outlook / live

Initially postscreen was configured to use the following blocklists:
  1. zen.spamhaus.org
  2. bl.spameatingmonkey.net
  3. dnsbl.habl.org
  4. bl.spamcop.net
  5. dnsbl.sorbs.net
However sorbs.net appear to be a little too harsh on Microsoft, leading to rejects of Hotmail IP addresses, so if that is a problem for you, consider not using that list.

Google GMail

GMail use a large number of IPv4 and IPv6 addresses. That combined with the behavior of deep protocol tests:
"When any "deep protocol tests" are configured, postscreen(8) cannot hand off the "live" connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. The next time the client connects it will be allowed to talk to a Postfix SMTP server process to deliver its mail. postscreen(8) mitigates the impact of this limitation by giving deep protocol tests a long expiration time."

As GMail does not resend from the same IP-address after the 4xx, this generates a lot of "reject noise" in the mail log (not least for IPv6). Instead of disabling deep protocol tests, instead just configure postscreen_dnsbl_whitelist_threshold with a negative value.

Given the above the postscreen section of /etc/postfix/main.cf now looks like this:
## Postcreen settings
postscreen_access_list =
postscreen_blacklist_action = enforce

# Use selected DNSBLs
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
# Whitelist everything below threshold on BLs
postscreen_dnsbl_whitelist_threshold = -1

postscreen_greet_banner = Welcome, please wait...
postscreen_greet_action = enforce

# Deep protocol tests
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce

postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce

postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
run - postfix reload - to activate any changes.

Before going full reject, read the howto from postfix http://www.postfix.org/POSTSCREEN_README.html and start with ignore instead of enforce, which is useful for testing and collecting statistics without blocking mail from the get go.

No comments: