[Postfixbuch-users] check_client_ns_access greift nicht

Kai Fürstenberg kai_postfix at fuerstenberg.ws
Sa Mär 30 13:42:55 CET 2013 

Hi Leuts,

ich bekomme neuerdings "qualitativ hochwertigen Spam": Ganz normaler 
(englischer) Text, keine (oder zu wenig) Einträge in Blacklisten, 
gültige DKIM-Signatur, korrekte DNS-Einträge.

Da ich befürchte, dass ich vermehrt false positives erhalte, wenn ich 
mit den Spams den Bayes-Filter füttere, wollte ich mit 
check_(client|sender)_ns_access dem ganzen Herr werden, da alle 
Spam-Domains die gleichen Name-Server haben.

Aber irgendwie greift die Restriktion nicht. Hab ich da was übersehen?


Noch ein Hinweis vorab: "Panamaps" ist ein von mir geschriebener 
Policy-Daemon.


mx2:~# postconf mail_version
mail_version = 2.9-20110501


Log:
----------
Mar 30 11:09:58 mx2 postfix/postscreen[32651]: CONNECT from 
[209.54.34.196]:41900 to [85.114.132.89]:25
Mar 30 11:09:58 mx2 postfix/dnsblog[32654]: addr 209.54.34.196 listed by 
domain black.uribl.com as 127.0.0.1
Mar 30 11:10:04 mx2 postfix/postscreen[32651]: PASS OLD 
[209.54.34.196]:41900
Mar 30 11:10:04 mx2 postfix/smtpd[32656]: connect from 
mta20.zxxwt.com[209.54.34.196]
Mar 30 11:10:06 mx2 panamaps[32666]: Recipient found in NF Database but 
no matching client. Timing: 36ms
Mar 30 11:10:06 mx2 postfix/policyd-weight[17619]: weighted check: 
NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 CL_IP_EQ_FROM_MX=-3.1; 
<client=mta20.zxxwt.com[209.54.34.196]> <helo=mta20.zxxwt.com> 
<from=fuerstenberg.ws.134002.kai at mta20.zxxwt.com> 
<to=kai at fuerstenberg.ws>; rate: -6.1
Mar 30 11:10:06 mx2 postfix/policyd-weight[17619]: decided 
action=PREPEND X-policyd-weight:  NOT_IN_SBL_XBL_SPAMHAUS=-1.5 
NOT_IN_SPAMCOP=-1.5 CL_IP_EQ_FROM_MX=-3.1; rate: -6.1; 
<client=mta20.zxxwt.com[209.54.34.196]> <helo=mta20.zxxwt.com> 
<from=fuerstenberg.ws.134002.kai at mta20.zxxwt.com> 
<to=kai at fuerstenberg.ws>; delay: 0s
Mar 30 11:10:06 mx2 postfix/smtpd[32656]: NOQUEUE: 
client=mta20.zxxwt.com[209.54.34.196]
Mar 30 11:10:06 mx2 amavis[8427]: (08427-13) ESMTP::10024 
/tmp/amavis/amavis-20130325T221257-08427: 
<fuerstenberg.ws.134002.kai at mta20.zxxwt.com> -> <kai at fuerstenberg.ws> 
Received: from mx2.mxservices.de ([127.0.0.1]) by localhost 
(mx2.mxservices.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
<kai at fuerstenberg.ws>; Sat, 30 Mar 2013 11:10:06 +0100 (CET)
Mar 30 11:10:07 mx2 amavis[8427]: (08427-13) Checking: WTQYms1wJJUu 
[209.54.34.196] <fuerstenberg.ws.134002.kai at mta20.zxxwt.com> -> 
<kai at fuerstenberg.ws>
Mar 30 11:10:07 mx2 postfix/smtpd[32668]: connect from localhost[127.0.0.1]
Mar 30 11:10:07 mx2 postfix/smtpd[32668]: CF4FD41007C: 
client=localhost[127.0.0.1]
Mar 30 11:10:07 mx2 postfix/cleanup[32672]: CF4FD41007C: 
message-id=<1-134002-wc35yZyVmYuVGdzJXZ1ZGQpF2aQ at mta20.zxxwt.com>
Mar 30 11:10:07 mx2 postfix/qmgr[31440]: CF4FD41007C: 
from=<fuerstenberg.ws.134002.kai at mta20.zxxwt.com>, size=3109, nrcpt=1 
(queue active)
Mar 30 11:10:07 mx2 amavis[8427]: (08427-13) FWD via SMTP: 
<fuerstenberg.ws.134002.kai at mta20.zxxwt.com> -> 
<kai at fuerstenberg.ws>,BODY=7BIT 250 2.0.0 Ok, id=08427-13, from 
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF4FD41007C
Mar 30 11:10:07 mx2 amavis[8427]: (08427-13) Passed CLEAN, 
[209.54.34.196] [209.54.34.196] 
<fuerstenberg.ws.134002.kai at mta20.zxxwt.com> -> <kai at fuerstenberg.ws>, 
Message-ID: <1-134002-wc35yZyVmYuVGdzJXZ1ZGQpF2aQ at mta20.zxxwt.com>, 
mail_id: WTQYms1wJJUu, Hits: 5.099, size: 2016, queued_as: CF4FD41007C, 
dkim_id=@zxxwt.com,james at zxxwt.com, 1118 ms
Mar 30 11:10:07 mx2 postfix/smtpd[32656]: proxy-accept: END-OF-MESSAGE: 
250 2.0.0 Ok, id=08427-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: 
queued as CF4FD41007C; from=<fuerstenberg.ws.134002.kai at mta20.zxxwt.com> 
to=<kai at fuerstenberg.ws> proto=SMTP helo=<mta20.zxxwt.com>
Mar 30 11:10:07 mx2 postfix/smtpd[32668]: disconnect from 
localhost[127.0.0.1]
Mar 30 11:10:07 xserv01 postfix/smtpd[31038]: connect from 
mx2.mxservices.de[2001:4ba0:fff4:18b::1]
Mar 30 11:10:08 mx2 postfix/smtpd[32656]: disconnect from 
mta20.zxxwt.com[209.54.34.196]
Mar 30 11:10:09 mx2 postfix/smtp[32673]: CF4FD41007C: 
to=<kai at fuerstenberg.ws>, 
relay=xserv01.mxservices.de[2001:4ba0:fff7:104::1]:25, delay=1.9, 
delays=0.04/0.01/1.6/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued 
as 7A4334E8039)
Mar 30 11:10:09 mx2 postfix/qmgr[31440]: CF4FD41007C: removed


postconf -n (lesbar modifiziert)
----------
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
html_directory = no
inet_interfaces = 127.0.0.1, 85.114.132.89, [2001:4ba0:fff4:18b::1]
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 40000000
mydestination = localhost, localhost.localdomain
mydomain = mxservices.de
myhostname = mx2.mxservices.de
mynetworks = 127.0.0.1 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites =
   zen.spamhaus.org
   bl.spamcop.net
   ix.dnsbl.manitu.net
   black.uribl.com
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = drop
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/sql/domains.cf
relay_recipient_maps =
   mysql:/etc/postfix/sql/aliases.cf
   mysql:/etc/postfix/sql/postmaster.cf
   mysql:/etc/postfix/sql/abuse.cf
   mysql:/etc/postfix/sql/mailboxes.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CAfile = /etc/postfix/certs/root.pem
smtp_tls_cert_file = /etc/postfix/certs/servercert.pem
smtp_tls_key_file = /etc/postfix/certs/serverkey.pem
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_data_restrictions =
   reject_unauth_pipelining,
   reject_multi_recipient_bounce
smtpd_delay_reject = no
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_error_sleep_time = 15s
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions =
   permit_mynetworks
   check_client_access mysql:/etc/postfix/sql/own_network.cf
   check_recipient_access hash:/etc/postfix/check_recipient_access_rfc
   check_sender_access mysql:/etc/postfix/sql/reject_own_sender.cf
   reject_unauth_destination
   reject_unlisted_recipient
   check_client_ns_access hash:/etc/postfix/ns_access
   check_sender_ns_access hash:/etc/postfix/ns_access
   check_policy_service unix:private/panamaps
   spam_check
smtpd_restriction_classes =
   spam_check
   spam_none
   spam_low
   spam_mid
   spam_high
   spam_extreme
   greylisting
   sel_greylisting
   policyd
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/postfix/certs/root.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/certs/servercert.pem
smtpd_tls_key_file = /etc/postfix/certs/serverkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = mysql:/etc/postfix/sql/transport.cf
unknown_address_reject_code = 554


mx2:~# dig ns zxxwt.com

; <<>> DiG 9.7.2-P3 <<>> ns zxxwt.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23449
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zxxwt.com.                     IN      NS

;; ANSWER SECTION:
zxxwt.com.              4800    IN      NS      ns1.castrack.edu.pl.
zxxwt.com.              4800    IN      NS      ns2.castrack.edu.pl.

;; Query time: 324 msec
;; SERVER: 62.141.32.3#53(62.141.32.3)
;; WHEN: Sat Mar 30 13:13:28 2013
;; MSG SIZE  rcvd: 78


mx2:~# cat /etc/postfix/ns_access
.lovehotmail.com REJECT
.shadoma.com     REJECT
.castrack.edu.pl REJECT


mx2:~# ls -l /etc/postfix/ns_access*
-rw-r--r-- 1 root root    77 30. Mär 08:52 /etc/postfix/ns_access
-rw-r--r-- 1 root root 12288 30. Mär 08:55 /etc/postfix/ns_access.db


Grüße
-- 
Kai Fürstenberg

PM an kai at fuerstenberg punkt ws

Mehr Informationen über die Mailingliste Postfixbuch-users