Pmg randomaly not bloking blacklist ip

K

koby

Renowned Member
Jun 21, 2012
137
4
83
Natanya , Israel
Hello guys ,
I have been in the current story before ,
The systems randomaly not bloking black list ip ,
Please look at the following log ....
This Ip : 45.80.175.52 shuld be blocked but got an PASS NEW
After 2 min or so we have this : postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Can someone please explain where am I wrong or what I need to do.

Then you all for any help.
Koby Peleg Hen


Code: 
Oct 17 00:53:20 smg01 postfix/postscreen[15754]: CONNECT from [45.80.175.52]:7302 to [207.154.215.33]:25
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 17 00:53:26 smg01 postfix/smtpd[15769]: connect from unknown[45.80.175.52]
Oct 17 00:53:27 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:28 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:30 smg01 postfix/smtpd[15769]: disconnect from unknown[45.80.175.52] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: CONNECT from [45.80.175.52]:54770 to [207.154.215.33]:25
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Oct 17 00:55:12 smg01 postfix/smtpd[15797]: connect from unknown[45.80.175.52]
Oct 17 00:55:13 smg01 postfix/smtpd[15797]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:55:14 smg01 postfix/smtpd[15797]: disconnect from unknown[45.80.175.52] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection rate 1/60s for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection count 1 for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 01:22:00 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:8695 to [207.154.215.33]:25
Oct 17 01:22:01 smg01 postfix/dnsblog[16066]: addr 45.80.175.53 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:22:06 smg01 postfix/postscreen[16064]: PASS NEW [45.80.175.53]:8695
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: connect from unknown[45.80.175.53]
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:09 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:11 smg01 postfix/smtpd[16084]: B8F07611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:22:13 smg01 postfix/smtpd[16074]: disconnect from unknown[45.80.175.53] ehlo=1 mail=2 rcpt=2 data=1/2 rset=1 quit=1 commands=8/9
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:52680 to [207.154.215.33]:25
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: PASS OLD [45.80.175.53]:52680
Oct 17 01:23:57 smg01 postfix/smtpd[16096]: connect from unknown[45.80.175.53]
Oct 17 01:23:58 smg01 postfix/smtpd[16096]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16104]: B1C00611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16096]: disconnect from unknown[45.80.175.53] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection rate 1/60s for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection count 1 for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:52:01 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:2620 to [207.154.215.33]:25
Oct 17 01:52:01 smg01 postfix/dnsblog[16304]: addr 45.80.175.54 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:52:07 smg01 postfix/postscreen[16299]: PASS NEW [45.80.175.54]:2620
Oct 17 01:52:07 smg01 postfix/smtpd[16315]: connect from unknown[45.80.175.54]
Oct 17 01:52:08 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:09 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:11 smg01 postfix/smtpd[16315]: disconnect from unknown[45.80.175.54] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:53009 to [207.154.215.33]:25
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: PASS OLD [45.80.175.54]:53009

Here is my full pmg postconf as an attchment file
 

Attachments

  • postconf.txt
    37.8 KB · Views: 0
koby said:
Hello guys ,
I have been in the current story before ,
The systems randomaly not bloking black list ip ,
Please look at the following log ....
This Ip : 45.80.175.52 shuld be blocked but got an PASS NEW
After 2 min or so we have this : postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Can someone please explain where am I wrong or what I need to do.

Then you all for any help.
Koby Peleg Hen


Code: 
Oct 17 00:53:20 smg01 postfix/postscreen[15754]: CONNECT from [45.80.175.52]:7302 to [207.154.215.33]:25
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 17 00:53:26 smg01 postfix/smtpd[15769]: connect from unknown[45.80.175.52]
Oct 17 00:53:27 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:28 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:30 smg01 postfix/smtpd[15769]: disconnect from unknown[45.80.175.52] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: CONNECT from [45.80.175.52]:54770 to [207.154.215.33]:25
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Oct 17 00:55:12 smg01 postfix/smtpd[15797]: connect from unknown[45.80.175.52]
Oct 17 00:55:13 smg01 postfix/smtpd[15797]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:55:14 smg01 postfix/smtpd[15797]: disconnect from unknown[45.80.175.52] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection rate 1/60s for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection count 1 for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 01:22:00 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:8695 to [207.154.215.33]:25
Oct 17 01:22:01 smg01 postfix/dnsblog[16066]: addr 45.80.175.53 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:22:06 smg01 postfix/postscreen[16064]: PASS NEW [45.80.175.53]:8695
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: connect from unknown[45.80.175.53]
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:09 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:11 smg01 postfix/smtpd[16084]: B8F07611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:22:13 smg01 postfix/smtpd[16074]: disconnect from unknown[45.80.175.53] ehlo=1 mail=2 rcpt=2 data=1/2 rset=1 quit=1 commands=8/9
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:52680 to [207.154.215.33]:25
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: PASS OLD [45.80.175.53]:52680
Oct 17 01:23:57 smg01 postfix/smtpd[16096]: connect from unknown[45.80.175.53]
Oct 17 01:23:58 smg01 postfix/smtpd[16096]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16104]: B1C00611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16096]: disconnect from unknown[45.80.175.53] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection rate 1/60s for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection count 1 for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:52:01 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:2620 to [207.154.215.33]:25
Oct 17 01:52:01 smg01 postfix/dnsblog[16304]: addr 45.80.175.54 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:52:07 smg01 postfix/postscreen[16299]: PASS NEW [45.80.175.54]:2620
Oct 17 01:52:07 smg01 postfix/smtpd[16315]: connect from unknown[45.80.175.54]
Oct 17 01:52:08 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:09 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:11 smg01 postfix/smtpd[16315]: disconnect from unknown[45.80.175.54] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:53009 to [207.154.215.33]:25
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: PASS OLD [45.80.175.54]:53009

Here is my full pmg postconf as an attchment file
Click to expand...
 
Hello Guys ,
In the mean time i did some search I found the the slip check is related to postscreen cache systems.
So I changed the folowwing value :

postscreen_dnsbl_max_ttl = 10s
postscreen_dnsbl_min_ttl = 5s

aftre that , no miss up checking so far....
any comment are very wellcome.

Koby Peleg Hen
 
Show the output below command
Code: 
cat /var/log/mail.log | grep 45.80.175.52
postconf | grep dnsbl
less /etc/resolv.conf
 
Hi ,
Here it is...


root@smg01:~# cat /var/log/mail.log.1 | grep 45.80.175.52
Oct 17 00:53:20 smg01 postfix/postscreen[15754]: CONNECT from [45.80.175.52]:7302 to [207.154.215.33]:25
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 17 00:53:26 smg01 postfix/smtpd[15769]: connect from unknown[45.80.175.52]
Oct 17 00:53:27 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:28 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:30 smg01 postfix/smtpd[15769]: disconnect from unknown[45.80.175.52] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: CONNECT from [45.80.175.52]:54770 to [207.154.215.33]:25
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Oct 17 00:55:12 smg01 postfix/smtpd[15797]: connect from unknown[45.80.175.52]
Oct 17 00:55:13 smg01 postfix/smtpd[15797]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:55:14 smg01 postfix/smtpd[15797]: disconnect from unknown[45.80.175.52] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection rate 1/60s for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection count 1 for (smtpd:45.80.175.52) at Oct 17 00:53:26


root@smg01:~# postconf | grep dnsbl
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = 10s
postscreen_dnsbl_min_ttl = 5s
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = ips.backscatterer.org,******8e0b17c4c3e.combined.mail.abusix.zone,dnsbl.cobion.com,rbl.realtimeblacklist.com,b.barracudacentral.org,bl.spamcop.net,zen.spamhaus.org,psbl.surriel.com,bl.spamcop.net,dnsbl.sorbs.net,rbl.interserver.net,bl.mailspike.net,truncate.gbudb.net,rhsbl.zapbl.net
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_whitelist_threshold = 0

less /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 67.207.67.3
nameserver 67.207.67.2
 
From your mail.log, it only show 1 hit from dnsblog while your dnsbl threshold is 2. I suspect that is the reason why IP 45.80.175.52 was not blocked by dnsbl.

Code: 
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2

Your dnsbl sites seem a bit messy. If it is not working as intended, start from fewer site first and adjust as you feel more comfortable with it.

Code: 
postscreen_dnsbl_sites = ips.backscatterer.org,******8e0b17c4c3e.combined.mail.abusix.zone,dnsbl.cobion.com,rbl.realtimeblacklist.com,b.barracudacentral.org,bl.spamcop.net,zen.spamhaus.org,psbl.surriel.com,bl.spamcop.net,dnsbl.sorbs.net,rbl.interserver.net,bl.mailspike.net,truncate.gbudb.net,rhsbl.zapbl.net

Your PMG hosted in digitalocean? Might want to check out this if using zen.spamhaus.org

https://www.digitalocean.com/community/questions/how-to-query-spamhaus-dns-blacklist-from-a-droplet

Code: 
nameserver 67.207.67.3
nameserver 67.207.67.2
 
Last edited:
Below is my dnsbl config and blocking in action from the mail.log.

Code: 
root@pmg:~# less /var/log/mail.log | grep 175.114.196.129
Oct 18 00:06:39 pmg postfix/postscreen[16635]: CONNECT from [175.114.196.129]:37626 to [xxx.xxx.xxx.xxx]:26
Oct 18 00:06:39 pmg postfix/dnsblog[16637]: addr 175.114.196.129 listed by domain bl.mailspike.net as 127.0.0.10
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 18 00:06:40 pmg postfix/dnsblog[16636]: addr 175.114.196.129 listed by domain bl.spamcop.net as 127.0.0.2
Oct 18 00:06:45 pmg postfix/postscreen[16635]: DNSBL rank 3 for [175.114.196.129]:37626
Oct 18 00:06:46 pmg postfix/postscreen[16635]: NOQUEUE: reject: RCPT from [175.114.196.129]:37626: 550 5.7.1 Service unavailable; client [175.114.196.129] blocked using bl.mailspike.net; from=<contact@shayco.com>, to=<xxx@mydomain.com>, proto=ESMTP, helo=<[175.114.196.129]>
Oct 18 00:06:46 pmg postfix/postscreen[16635]: HANGUP after 0.91 from [175.114.196.129]:37626 in tests after SMTP handshake
Oct 18 00:06:46 pmg postfix/postscreen[16635]: DISCONNECT [175.114.196.129]:37626

root@pmg:~# postconf | grep dnsbl
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net,dnsbl.sorbs.net
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_whitelist_threshold = 0
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back