PMG randomly not blocking blacklisted IP

koby

Hello guys,
I have been in the current story before,
the system randomly not blocking blacklisted IPs.
Please look at the following log....
This IP: 45.80.175.52 should be blocked but got a PASS NEW.
After 2 min or so we have this: postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Can someone please explain where I am wrong or what I need to do?

Thank you all for any help.
Koby Peleg Hen


Code:
Oct 17 00:53:20 smg01 postfix/postscreen[15754]: CONNECT from [45.80.175.52]:7302 to [207.154.215.33]:25
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 17 00:53:26 smg01 postfix/smtpd[15769]: connect from unknown[45.80.175.52]
Oct 17 00:53:27 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:28 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:30 smg01 postfix/smtpd[15769]: disconnect from unknown[45.80.175.52] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: CONNECT from [45.80.175.52]:54770 to [207.154.215.33]:25
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Oct 17 00:55:12 smg01 postfix/smtpd[15797]: connect from unknown[45.80.175.52]
Oct 17 00:55:13 smg01 postfix/smtpd[15797]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:55:14 smg01 postfix/smtpd[15797]: disconnect from unknown[45.80.175.52] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection rate 1/60s for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection count 1 for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 01:22:00 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:8695 to [207.154.215.33]:25
Oct 17 01:22:01 smg01 postfix/dnsblog[16066]: addr 45.80.175.53 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:22:06 smg01 postfix/postscreen[16064]: PASS NEW [45.80.175.53]:8695
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: connect from unknown[45.80.175.53]
Oct 17 01:22:06 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:09 smg01 postfix/smtpd[16074]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:22:11 smg01 postfix/smtpd[16084]: B8F07611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:22:13 smg01 postfix/smtpd[16074]: disconnect from unknown[45.80.175.53] ehlo=1 mail=2 rcpt=2 data=1/2 rset=1 quit=1 commands=8/9
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: CONNECT from [45.80.175.53]:52680 to [207.154.215.33]:25
Oct 17 01:23:57 smg01 postfix/postscreen[16064]: PASS OLD [45.80.175.53]:52680
Oct 17 01:23:57 smg01 postfix/smtpd[16096]: connect from unknown[45.80.175.53]
Oct 17 01:23:58 smg01 postfix/smtpd[16096]: NOQUEUE: client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16104]: B1C00611BF: client=ip6-localhost[127.0.0.1], orig_client=unknown[45.80.175.53]
Oct 17 01:23:59 smg01 postfix/smtpd[16096]: disconnect from unknown[45.80.175.53] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection rate 1/60s for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:27:20 smg01 postfix/anvil[16076]: statistics: max connection count 1 for (smtpd:45.80.175.53) at Oct 17 01:22:06
Oct 17 01:52:01 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:2620 to [207.154.215.33]:25
Oct 17 01:52:01 smg01 postfix/dnsblog[16304]: addr 45.80.175.54 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 01:52:07 smg01 postfix/postscreen[16299]: PASS NEW [45.80.175.54]:2620
Oct 17 01:52:07 smg01 postfix/smtpd[16315]: connect from unknown[45.80.175.54]
Oct 17 01:52:08 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:09 smg01 postfix/smtpd[16315]: NOQUEUE: client=unknown[45.80.175.54]
Oct 17 01:52:11 smg01 postfix/smtpd[16315]: disconnect from unknown[45.80.175.54] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: CONNECT from [45.80.175.54]:53009 to [207.154.215.33]:25
Oct 17 01:53:52 smg01 postfix/postscreen[16299]: PASS OLD [45.80.175.54]:53009

Here is my full pmg postconf as an attachment file
Hello guys,
In the meantime I did some searching and found that the slip in checking is related to the postscreen cache system.
So I changed the following values:

postscreen_dnsbl_max_ttl = 10s
postscreen_dnsbl_min_ttl = 5s

After that, no missed checks so far....
Any comments are very welcome.

Koby Peleg Hen
 
Show the output of the commands below
Code:
cat /var/log/mail.log | grep 45.80.175.52
postconf | grep dnsbl
less /etc/resolv.conf
 
Hi,
Here it is...


root@smg01:~# cat /var/log/mail.log.1 | grep 45.80.175.52
Oct 17 00:53:20 smg01 postfix/postscreen[15754]: CONNECT from [45.80.175.52]:7302 to [207.154.215.33]:25
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 17 00:53:26 smg01 postfix/smtpd[15769]: connect from unknown[45.80.175.52]
Oct 17 00:53:27 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:28 smg01 postfix/smtpd[15769]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:53:30 smg01 postfix/smtpd[15769]: disconnect from unknown[45.80.175.52] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: CONNECT from [45.80.175.52]:54770 to [207.154.215.33]:25
Oct 17 00:55:12 smg01 postfix/postscreen[15796]: PASS OLD [45.80.175.52]:54770
Oct 17 00:55:12 smg01 postfix/smtpd[15797]: connect from unknown[45.80.175.52]
Oct 17 00:55:13 smg01 postfix/smtpd[15797]: NOQUEUE: client=unknown[45.80.175.52]
Oct 17 00:55:14 smg01 postfix/smtpd[15797]: disconnect from unknown[45.80.175.52] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection rate 1/60s for (smtpd:45.80.175.52) at Oct 17 00:53:26
Oct 17 00:58:34 smg01 postfix/anvil[15771]: statistics: max connection count 1 for (smtpd:45.80.175.52) at Oct 17 00:53:26


root@smg01:~# postconf | grep dnsbl
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = 10s
postscreen_dnsbl_min_ttl = 5s
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = ips.backscatterer.org,******8e0b17c4c3e.combined.mail.abusix.zone,dnsbl.cobion.com,rbl.realtimeblacklist.com,b.barracudacentral.org,bl.spamcop.net,zen.spamhaus.org,psbl.surriel.com,bl.spamcop.net,dnsbl.sorbs.net,rbl.interserver.net,bl.mailspike.net,truncate.gbudb.net,rhsbl.zapbl.net
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_whitelist_threshold = 0

less /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 67.207.67.3
nameserver 67.207.67.2
 
From your mail.log, it only shows 1 hit from dnsblog while your dnsbl threshold is 2. I suspect that is the reason why IP 45.80.175.52 was not blocked by dnsbl.

Code:
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2

Your dnsbl sites seem a bit messy. If it is not working as intended, start with fewer sites first and adjust as you feel more comfortable with it.

Code:
postscreen_dnsbl_sites = ips.backscatterer.org,******8e0b17c4c3e.combined.mail.abusix.zone,dnsbl.cobion.com,rbl.realtimeblacklist.com,b.barracudacentral.org,bl.spamcop.net,zen.spamhaus.org,psbl.surriel.com,bl.spamcop.net,dnsbl.sorbs.net,rbl.interserver.net,bl.mailspike.net,truncate.gbudb.net,rhsbl.zapbl.net

Is your PMG hosted in DigitalOcean? You might want to check out this if you are using zen.spamhaus.org:

https://www.digitalocean.com/community/questions/how-to-query-spamhaus-dns-blacklist-from-a-droplet

Code:
nameserver 67.207.67.3
nameserver 67.207.67.2
 
Below is my dnsbl config and blocking in action from the mail.log.

Code:
root@pmg:~# less /var/log/mail.log | grep 175.114.196.129
Oct 18 00:06:39 pmg postfix/postscreen[16635]: CONNECT from [175.114.196.129]:37626 to [xxx.xxx.xxx.xxx]:26
Oct 18 00:06:39 pmg postfix/dnsblog[16637]: addr 175.114.196.129 listed by domain bl.mailspike.net as 127.0.0.10
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 18 00:06:40 pmg postfix/dnsblog[16636]: addr 175.114.196.129 listed by domain bl.spamcop.net as 127.0.0.2
Oct 18 00:06:45 pmg postfix/postscreen[16635]: DNSBL rank 3 for [175.114.196.129]:37626
Oct 18 00:06:46 pmg postfix/postscreen[16635]: NOQUEUE: reject: RCPT from [175.114.196.129]:37626: 550 5.7.1 Service unavailable; client [175.114.196.129] blocked using bl.mailspike.net; from=<contact@shayco.com>, to=<xxx@mydomain.com>, proto=ESMTP, helo=<[175.114.196.129]>
Oct 18 00:06:46 pmg postfix/postscreen[16635]: HANGUP after 0.91 from [175.114.196.129]:37626 in tests after SMTP handshake
Oct 18 00:06:46 pmg postfix/postscreen[16635]: DISCONNECT [175.114.196.129]:37626

root@pmg:~# postconf | grep dnsbl
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net,dnsbl.sorbs.net
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_whitelist_threshold = 0
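To make the threshold explanation from the reply above concrete, here is an added Python example (not code from the thread or from PMG) that replays the dnsblog lines quoted in both posts and recomputes the postscreen DNSBL rank per client against postscreen_dnsbl_threshold. It assumes postscreen's documented site syntax (plain `domain` or `domain*weight`, each listing site counted once) and a constructed sites list that is a subset of the one posted.

```python
import re
from collections import defaultdict

# Constructed sample: the dnsblog lines quoted in the thread for both clients.
SAMPLE_LOG = """\
Oct 17 00:53:20 smg01 postfix/dnsblog[15763]: addr 45.80.175.52 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 17 00:53:26 smg01 postfix/postscreen[15754]: PASS NEW [45.80.175.52]:7302
Oct 18 00:06:39 pmg postfix/dnsblog[16637]: addr 175.114.196.129 listed by domain bl.mailspike.net as 127.0.0.10
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 18 00:06:39 pmg postfix/dnsblog[16638]: addr 175.114.196.129 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 18 00:06:40 pmg postfix/dnsblog[16636]: addr 175.114.196.129 listed by domain bl.spamcop.net as 127.0.0.2
"""

# Constructed postscreen_dnsbl_sites value (a subset of the list posted in the thread).
SITES = "zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net,dnsbl.sorbs.net,b.barracudacentral.org"
THRESHOLD = 2  # postscreen_dnsbl_threshold from both postconf outputs

LISTED_RE = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")


def parse_sites(postscreen_dnsbl_sites):
    """Turn a postscreen_dnsbl_sites value into {domain: weight}; weight defaults to 1."""
    weights = {}
    for entry in postscreen_dnsbl_sites.split(","):
        entry = entry.strip()
        if entry:
            domain, _, weight = entry.partition("*")
            weights[domain] = int(weight) if weight else 1
    return weights


def dnsbl_ranks(log_text, weights):
    """Sum the weight of each distinct listing site per client address.
    A site that answers with several A records (zen.spamhaus.org above) counts once,
    which is why the thread's log shows rank 3 for three sites, not four replies."""
    listed = defaultdict(set)
    for line in log_text.splitlines():
        m = LISTED_RE.search(line)
        if m and m.group(2) in weights:
            listed[m.group(1)].add(m.group(2))
    return {addr: sum(weights[d] for d in sites) for addr, sites in listed.items()}


def verdicts(log_text, sites, threshold):
    """postscreen rejects when rank >= postscreen_dnsbl_threshold, otherwise the client passes."""
    ranks = dnsbl_ranks(log_text, parse_sites(sites))
    return {addr: ("reject" if rank >= threshold else "pass") for addr, rank in ranks.items()}


if __name__ == "__main__":
    for addr, verdict in verdicts(SAMPLE_LOG, SITES, THRESHOLD).items():
        print(f"{addr}: rank {dnsbl_ranks(SAMPLE_LOG, parse_sites(SITES))[addr]} -> {verdict}")
```

Run against a real mail.log, this shows at a glance which clients sat just under the threshold, so you can decide whether to lower postscreen_dnsbl_threshold or weight a trusted list with `domain*2` rather than shortening the cache TTLs.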