postscreen randomly ignore blacklisted IP

hata.ph

May 9, 2019
Hi all,

I have set up postscreen to use zen.spamhaus.org to reduce spam mail. It works, but I notice postscreen will randomly ignore a few blacklisted IPs. I am not sure what the problem is. Maybe someone can help. Thanks.

Below are the postconf -n output and the log showing the blacklisted IP being ignored.

Code:
root@pmg:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
best_mx_transport = local
biff = no
command_directory = /usr/sbin
compatibility_level = 2
content_filter = scan:127.0.0.1:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 40
delay_warning_time = 4h
lmtp_destination_concurrency_limit = 20
mail_name = Proxmox
mailbox_size_limit = 51200000
message_size_limit = 15728640
mydestination = localhost, $myhostname
mydomain = example.com
myhostname = pmg.example
mynetworks = 127.0.0.0/8 [::1]/128
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_dnsbl_threshold = 1
postscreen_greet_action = enforce
recipient_delimiter = +
relay_destination_concurrency_limit = 20
relay_domains = hash:/etc/pmg/domains
relay_transport = smtp:192.168.xx.xx:25
smtp_destination_concurrency_limit = 20
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname ESMTP Proxmox
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess check_sender_access regexp:/etc/postfix/senderaccess check_client_access cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022
smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
transport_maps = hash:/etc/pmg/transport
unverified_recipient_reject_reason = Recipient address lookup failed
virtual_destination_concurrency_limit = 20

Code:
root@pmg:~# less /var/log/mail.log | grep 194.62.55.50
May  9 23:03:45 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:50991 to [192.168.40.106]:26
May  9 23:03:51 pmg postfix/postscreen[9814]: PASS NEW [194.62.55.50]:50991
May  9 23:03:51 pmg postfix/smtpd[9931]: warning: hostname 50.55.62.194.in-addr.arpa.routergate.com does not resolve to address 194.62.55.50: Name or service not known
May  9 23:03:51 pmg postfix/smtpd[9931]: connect from unknown[194.62.55.50]
May  9 23:03:54 pmg postfix/smtpd[9931]: AB1EC20462: client=unknown[194.62.55.50]
May  9 23:03:58 pmg postfix/smtpd[9931]: 268EA22F74: client=unknown[194.62.55.50]
May  9 23:04:01 pmg postfix/smtpd[9900]: D83DA22F88: client=localhost.localdomain[127.0.0.1], orig_client=unknown[194.62.55.50]
May  9 23:04:19 pmg postfix/smtpd[9900]: A367C22F73: client=localhost.localdomain[127.0.0.1], orig_client=unknown[194.62.55.50]
May  9 23:04:19 pmg postfix/smtpd[9931]: D1F6620462: client=unknown[194.62.55.50]
May  9 23:04:20 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:26367 to [192.168.40.106]:26
May  9 23:04:20 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:26367
May  9 23:04:20 pmg postfix/smtpd[9816]: warning: hostname 50.55.62.194.in-addr.arpa.routergate.com does not resolve to address 194.62.55.50: Name or service not known
May  9 23:04:20 pmg postfix/smtpd[9816]: connect from unknown[194.62.55.50]
May  9 23:04:20 pmg postfix/smtpd[9816]: BE7FD2225C: client=unknown[194.62.55.50]
May  9 23:04:21 pmg postfix/smtpd[9816]: disconnect from unknown[194.62.55.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  9 23:04:22 pmg postfix/smtpd[9900]: 71C5922F88: client=localhost.localdomain[127.0.0.1], orig_client=unknown[194.62.55.50]
May  9 23:04:39 pmg postfix/smtpd[9931]: disconnect from unknown[194.62.55.50] ehlo=1 mail=3 rcpt=3 data=3 quit=1 commands=11
May  9 23:04:40 pmg postfix/smtpd[9900]: CD2E722F74: client=localhost.localdomain[127.0.0.1], orig_client=unknown[194.62.55.50]
May  9 23:05:05 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:62816 to [192.168.40.106]:26
May  9 23:05:05 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:62816
May  9 23:05:05 pmg postfix/smtpd[9816]: warning: hostname 50.55.62.194.in-addr.arpa.routergate.com does not resolve to address 194.62.55.50: Name or service not known
May  9 23:05:05 pmg postfix/smtpd[9816]: connect from unknown[194.62.55.50]
May  9 23:05:06 pmg postfix/smtpd[9816]: 0A80420462: client=unknown[194.62.55.50]
May  9 23:05:20 pmg postfix/smtpd[9816]: disconnect from unknown[194.62.55.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  9 23:05:51 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:12198 to [192.168.40.106]:26
May  9 23:05:51 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:12198
May  9 23:05:51 pmg postfix/smtpd[9931]: warning: hostname 50.55.62.194.in-addr.arpa.routergate.com does not resolve to address 194.62.55.50: Name or service not known
May  9 23:05:51 pmg postfix/smtpd[9931]: connect from unknown[194.62.55.50]
May  9 23:05:52 pmg postfix/smtpd[9931]: 3C13320462: client=unknown[194.62.55.50]
May  9 23:05:54 pmg postfix/smtpd[9900]: 0A5DA22F74: client=localhost.localdomain[127.0.0.1], orig_client=unknown[194.62.55.50]
May  9 23:06:00 pmg postfix/smtpd[9931]: disconnect from unknown[194.62.55.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  9 23:07:48 pmg postfix/anvil[9619]: statistics: max connection count 2 for (smtpd:194.62.55.50) at May  9 23:04:20
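To see whether passes like the ones in the log above come from postscreen's temporary whitelist rather than from fresh DNSBL lookups, the following added script (not part of the thread, and not PMG or Postfix code) parses the postscreen lines out of mail.log and counts, per client address, the PASS OLD events that fall within a chosen TTL of the first PASS NEW. The sample lines are copied from the log posted above, plus one constructed DNSBL rank line for a documentation address (203.0.113.9) to exercise that branch of the parser; the 3600-second default mirrors the 1h default of postscreen_dnsbl_ttl.

```python
"""Triage postscreen log lines for cache-driven passes.

Added example, not part of the thread: it reads postfix/postscreen lines from
mail.log and reports, per client address, how many later connections were let
through from postscreen's temporary whitelist ("PASS OLD", no new DNSBL lookup)
and how many of those fell inside a given TTL of the first "PASS NEW".
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Matches CONNECT, PASS NEW, PASS OLD and "DNSBL rank N for" postscreen lines.
POSTSCREEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT from|PASS NEW|PASS OLD|DNSBL rank (?P<rank>\d+) for) "
    r"\[(?P<ip>[^\]]+)\]:\d+"
)

# Sample input: lines copied from the log posted in the thread, one smtpd line
# that the parser must skip, and one constructed "DNSBL rank" line (203.0.113.9
# is a documentation address, not a real client).
SAMPLE_LOG = [
    "May  9 23:03:45 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:50991 to [192.168.40.106]:26",
    "May  9 23:03:51 pmg postfix/postscreen[9814]: PASS NEW [194.62.55.50]:50991",
    "May  9 23:03:51 pmg postfix/smtpd[9931]: connect from unknown[194.62.55.50]",
    "May  9 23:04:20 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:26367 to [192.168.40.106]:26",
    "May  9 23:04:20 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:26367",
    "May  9 23:05:05 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:62816 to [192.168.40.106]:26",
    "May  9 23:05:05 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:62816",
    "May  9 23:05:51 pmg postfix/postscreen[9814]: CONNECT from [194.62.55.50]:12198 to [192.168.40.106]:26",
    "May  9 23:05:51 pmg postfix/postscreen[9814]: PASS OLD [194.62.55.50]:12198",
    "May  9 23:10:00 pmg postfix/postscreen[9814]: DNSBL rank 3 for [203.0.113.9]:4321",  # constructed
]


def parse_postscreen_line(line: str) -> Optional[dict]:
    """Return {ts, ip, event, rank} for a postscreen decision line, else None."""
    m = POSTSCREEN_RE.match(line)
    if not m:
        return None  # smtpd, anvil and filter lines carry no postscreen decision
    # syslog timestamps have no year; good enough for differences within a day
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    event = m.group("event")
    return {
        "ts": ts,
        "ip": m.group("ip"),
        "event": "DNSBL rank" if event.startswith("DNSBL") else event,
        "rank": int(m.group("rank")) if m.group("rank") else None,
    }


def summarize(lines: List[str], ttl_seconds: int = 3600) -> Dict[str, dict]:
    """Group postscreen events per client and count PASS OLD hits within the TTL."""
    per_ip: Dict[str, dict] = {}
    for line in lines:
        ev = parse_postscreen_line(line)
        if ev is None:
            continue
        rec = per_ip.setdefault(
            ev["ip"], {"connects": 0, "pass_new": None, "pass_old": [], "ranks": []}
        )
        if ev["event"] == "CONNECT from":
            rec["connects"] += 1
        elif ev["event"] == "PASS NEW":
            rec["pass_new"] = ev["ts"]       # fresh tests passed, client now whitelisted
        elif ev["event"] == "PASS OLD":
            rec["pass_old"].append(ev["ts"])  # served from the whitelist, no lookup
        else:
            rec["ranks"].append(ev["rank"])   # DNSBL score reached; enforce rejects
    for rec in per_ip.values():
        first = rec["pass_new"]
        rec["cached_within_ttl"] = sum(
            1 for t in rec["pass_old"]
            if first is not None and 0 <= (t - first).total_seconds() <= ttl_seconds
        )
    return per_ip


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, "connects:", rec["connects"], "PASS OLD:", len(rec["pass_old"]),
              "within TTL:", rec["cached_within_ttl"], "ranks:", rec["ranks"])
```

Run against a real file with `summarize(open("/var/log/mail.log").read().splitlines())`; a client whose PASS OLD count is high while the thread's RBL lookup sites list it is being carried by the whitelist entry, not re-tested.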
 
I just checked that IP on 2 rbl lookup sites http://www.anti-abuse.org/ and http://multirbl.valli.org . It's listed with one, but not with the other.

* The log you posted only shows that this address was passed by postscreen (I would guess that when postscreen asked the DNS resolver for the RBL entry of that IP at spamhaus, it was not listed). Did it ever block this IP?
* Caching of these lookups happens on multiple levels (otherwise even more DNS lookups would be needed than right now).
* DNS entries are cached by the recursors after getting an answer from spamhaus (for at least 15 minutes, or longer depending on the configuration).
* Postscreen also has a cache and uses it (see http://www.postfix.org/POSTSCREEN_README.html).


Hope this helps!
 
Hi Stoikov,

Sorry for the late reply. After some further reading, I tried changing postscreen_dnsbl_ttl from the default 1h to 10m,
and I noticed no more spam IPs slipping through postscreen. Now I have changed it to 30m and will continue to monitor.

Code:
root@pmg:~# postconf | grep dnsbl_ttl
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_ttl = 30m

Is there a way to change the setting in the PMG GUI instead of modifying /var/lib/pmg/templates/main.cf.in through the CLI?
 
And what are your current "long-term" results decreasing the default from 1h to 30m?
 

Long story short, I ended up not setting postscreen_dnsbl_ttl and using multiple dnsbl sites for extra checking.

postscreen_dnsbl_sites = zen.spamhaus.org,bl.spamcop.net,bl.mailspike.net
postscreen_dnsbl_threshold = 2
 
Hello guys,
I did set the max_ttl to 3m... and it still misses checks.
And I do use multiple RBL checks, let's say about 10 of them.
I really do not understand why this is; it does look like some delay or some whitelist error.
I really do not have much confidence in it. I check it every day and see some missed checks; lucky me, I have ClamAV working so it ends up there as a virus...
Does anyone have the same issue?
 

Did you create a custom template for your max_ttl setting in postfix?
Please show your dnsbl config and also the mail log.
 
Hi,
This is an example of a missed-check log...
The bold address (31.169.70.165) should be blocked by the blacklists SORBS SPAM + SORBS NEW;
the system seems to miss that check.
As you can see, it is blocked by the virus rule that comes after.

"
Oct 1 09:40:38 smg01 postfix/smtpd[27822]: connect from linux.netuv.com[31.169.70.165]
Oct 1 09:40:40 smg01 postfix/smtpd[27822]: NOQUEUE: client=linux.netuv.com[31.169.70.165]
Oct 1 09:40:41 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: new mail message-id=<2636df99ec4ddfb6d6865edd38dcc4a5@unilever.coupahost.com>#012
Oct 1 09:40:41 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: virus detected: Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL (clamav)
Oct 1 09:40:46 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: SA score=1/5 time=4.445 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),LH_URI_DOM_IN_PATH(0.001),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972),T_REMOTE_IMAGE(0.01)
Oct 1 09:40:46 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: notify <koby@mksoft.co.il> (rule: 00 - OnViruses, 0BC8C60F54)
Oct 1 09:40:46 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: notify <meirkr@mksoft.co.il> (rule: 00 - OnViruses, 0FF5B60F57)
Oct 1 09:40:46 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: moved mail for <meirkr@mksoft.co.il> to virus quarantine - 60F635F7579EE1BE43 (rule: 00 - OnViruses)
Oct 1 09:40:46 smg01 pmg-smtp-filter[24435]: 60DE25F7579E8E2480: processing time: 5.192 seconds (4.445, 0.483, 0)
Oct 1 09:40:46 smg01 postfix/smtpd[27822]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (60DE25F7579E8E2480); from=<do_not_reply@unilever.coupahost.com> to=<meirkr@mksoft.co.il> proto=ESMTP helo=<linux.netuv.com>
Oct 1 09:40:46 smg01 postfix/smtpd[27822]: disconnect from linux.netuv.com[31.169.70.165] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"

As for my custom template , here it is.
"
# auto-generated by proxmox

compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname [% pmg.mail.banner %]
biff = no

[% IF pmg.mail.dwarning %]
delay_warning_time = [% pmg.mail.dwarning %]h
[% END %]

best_mx_transport = local
message_size_limit = [% pmg.mail.maxsize %]
mailbox_size_limit = [% ((pmg.mail.maxsize*2 > 51200000) ? pmg.mail.maxsize*2 : 51200000) %]

mydomain = [% dns.domain %]
myhostname = [% dns.hostname %].[% dns.domain %]

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = [% postfix.mynetworks %]

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport

[% IF pmg.mail.relay %]
[% IF pmg.mail.relayprotocol == 'lmtp' %]
relay_transport = [% pmg.mail.relayprotocol %]:inet:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
[% ELSE %]
[% IF pmg.mail.relaynomx %]
relay_transport = [% pmg.mail.relayprotocol %]:[[% pmg.mail.relay %]]:[% pmg.mail.relayport %]
[% ELSE %]
relay_transport = [% pmg.mail.relayprotocol %]:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
[% END %]
[% END %]
[% END %]

[% IF pmg.mail.smarthost %]
default_transport = smtp:[% pmg.mail.smarthost %]:[% pmg.mail.smarthostport %]
[% END %]

[% IF ! pmg.mail.before_queue_filtering -%]
content_filter=scan:127.0.0.1:10024
[%- END %]

mail_name = Proxmox

[% IF pmg.mail.helotests %]
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
[% ELSE %]
smtpd_helo_restrictions =
[% END %]

postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access

[% IF postfix.dnsbl_sites %]
postscreen_dnsbl_sites = [% postfix.dnsbl_sites %]
postscreen_dnsbl_threshold = [% postfix.dnsbl_threshold %]
[% END %]


# Begin Added by koby
postscreen_dnsbl_ttl = 3m
postscreen_cache_retention_time = 3m

rbl_reply_maps = texthash:/etc/postfix/rbl_reply_map
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map


# End



postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    check_client_access cidr:/etc/postfix/clientaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_recipient_access regexp:/etc/postfix/rcptaccess
[%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %]
[%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    check_recipient_access regexp:/etc/postfix/rcptaccess
[%- IF postfix.usepolicy %] check_sender_access regexp:/etc/postfix/senderaccess[% END %]
[%- IF postfix.usepolicy %] check_client_access cidr:/etc/postfix/clientaccess[% END %]
[%- IF postfix.usepolicy %] check_policy_service inet:127.0.0.1:10022[% END %]
[%- IF pmg.mail.verifyreceivers %] reject_unknown_recipient_domain[% END %]
[%- IF pmg.mail.verifyreceivers %] reject_unverified_recipient[% END %]

# Begin Add By Koby
#reject_rbl_client = 173e.combined.mail.abusix.zone
#rbl_reply_maps = texthash:/etc/postfix/rbl_reply_map
# End


[% IF pmg.mail.verifyreceivers %]
unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
[% END %]

smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]

[% IF pmg.mail.tls %]
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_CAfile = $smtp_tls_CAfile
[% IF pmg.mail.tlslog %]
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
lmtp_tls_loglevel = $smtp_tls_loglevel
[% END %]
[% IF pmg.mail.tlsheader %]
smtpd_tls_received_header = yes
[% END %]
[% END %]

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

[% IF pmg.mail.hide_received %]
unverified_recipient_reject_reason = Recipient address lookup failed
[% END %]


default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +

##########################################
# Added By Koby for sending with MailGun #
##########################################

#specify SMTP relay host
relayhost = [smtp.mailgun.org]:587

# enable SASL authentication
smtp_sasl_auth_enable = yes

# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous

# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

# Enable STARTTLS encryption
#smtp_use_tls = yes
smtp_tls_security_level = encrypt


# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# allow IPv4 only
inet_protocols = ipv4

"
 
You did not show your dnsbl sites. Please run postconf | grep dnsbl in a terminal and show the output.
 


Here it is...
"
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = 7c4c3e.combined.mail.abusix.zone,dnsbl.cobion.com,rbl.realtimeblacklist.com,b.barracudacentral.org,bl.spamcop.net,zen.spamhaus.org,psbl.surriel.com,bl.spamcop.net,dnsbl.sorbs.net,rbl.interserver.net,bl.mailspike.net,truncate.gbudb.net
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_ttl = 3m
postscreen_dnsbl_whitelist_threshold = 0
"
 
Use postscreen_dnsbl_max_ttl instead of postscreen_dnsbl_ttl, as the second one is deprecated: http://www.postfix.org/postconf.5.html
Also, judging by the value of postscreen_dnsbl_max_ttl, I would assume that it always appends 'h', even when $postscreen_dnsbl_ttl is configured.
 

You have set postscreen_dnsbl_threshold = 2, which means it requires 2 or more hits from your listed dnsbl_sites to get blocked by SpamAssassin.
As far as I checked, IP 31.169.70.165 only gets listed in dnsbl.sorbs.net; that is the reason why the email gets delivered.
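Stoikov's caching point earlier in the thread and the threshold explanation just above can be put together in one small simulation. The following is an added example, not postscreen's own code: it models postscreen_dnsbl_sites with the Postfix domain*weight syntax, postscreen_dnsbl_threshold, and the whitelist TTL under which a client that once passed is let through as PASS OLD without a new lookup. The listing data, the client addresses 192.0.2.10 and 198.51.100.7 and the connection times are constructed; the optional =filter part of the site syntax is accepted but not evaluated.

```python
"""Simulation of postscreen's DNSBL scoring and temporary whitelist cache.

Added example, not postscreen's code. It models the two parameters this thread
turns on: postscreen_dnsbl_threshold (with per-site weights) and the DNSBL TTL
that keeps a client that once passed whitelisted without new lookups.
"""
import re
from typing import Callable, Dict, List, Tuple

# (dnsbl site, client ip, now in seconds) -> is the client listed at that site?
LookupFn = Callable[[str, str, int], bool]


def parse_dnsbl_sites(spec: str) -> List[Tuple[str, int]]:
    """Parse a postscreen_dnsbl_sites value into (site, weight) pairs.

    Postfix syntax is domain[=filter][*weight]; the weight defaults to 1.
    Assumption of this example: the "=filter" on the returned A record is
    stripped and not evaluated.
    """
    sites = []
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        weight = 1
        if "*" in item:
            item, w = item.rsplit("*", 1)
            weight = int(w)
        sites.append((item.split("=", 1)[0], weight))
    return sites


class PostscreenSim:
    def __init__(self, sites_spec: str, threshold: int, dnsbl_ttl: int, lookup: LookupFn):
        self.sites = parse_dnsbl_sites(sites_spec)
        self.threshold = threshold
        self.dnsbl_ttl = dnsbl_ttl
        self.lookup = lookup
        self.whitelist: Dict[str, int] = {}  # client ip -> whitelist entry expiry (seconds)

    def connect(self, ip: str, now: int) -> str:
        # A client still in the temporary whitelist is not looked up again;
        # this is the "PASS OLD" line in mail.log.
        expiry = self.whitelist.get(ip)
        if expiry is not None and now < expiry:
            return "PASS OLD"
        # Sum the weights of every DNSBL that currently lists the client.
        rank = sum(w for site, w in self.sites if self.lookup(site, ip, now))
        if rank >= self.threshold:
            # postscreen_dnsbl_action = enforce: the client is rejected.
            return f"DNSBL rank {rank}"
        # Below the threshold: pass, and remember that result for the TTL.
        self.whitelist[ip] = now + self.dnsbl_ttl
        return "PASS NEW"


# Constructed listing data: (site, ip) -> time (seconds) from which the IP is listed.
LISTED_FROM = {
    ("zen.spamhaus.org", "192.0.2.10"): 600,   # gets listed 10 minutes into the scenario
    ("dnsbl.sorbs.net", "198.51.100.7"): 0,    # listed from the start, at one list only
}


def constructed_lookup(site: str, ip: str, now: int) -> bool:
    start = LISTED_FROM.get((site, ip))
    return start is not None and now >= start


def late_listing_scenario(dnsbl_ttl: int) -> List[str]:
    """First post's pattern: an IP passes before it is listed, then reconnects
    every 15 minutes. With a long TTL the cached PASS outlives the new listing."""
    sim = PostscreenSim("zen.spamhaus.org", 1, dnsbl_ttl, constructed_lookup)
    return [sim.connect("192.0.2.10", t) for t in (0, 900, 1800, 2700)]


def threshold_scenario(sites_spec: str, threshold: int) -> str:
    """Later posts' pattern: an IP listed by a single DNSBL against threshold 2."""
    sim = PostscreenSim(sites_spec, threshold, 180, constructed_lookup)
    return sim.connect("198.51.100.7", 0)


if __name__ == "__main__":
    print("ttl 1h :", late_listing_scenario(3600))
    print("ttl 10m:", late_listing_scenario(600))
    print("3 sites, threshold 2:", threshold_scenario("zen.spamhaus.org, bl.spamcop.net, dnsbl.sorbs.net", 2))
    print("3 sites, threshold 1:", threshold_scenario("zen.spamhaus.org, bl.spamcop.net, dnsbl.sorbs.net", 1))
    print("weighted, threshold 2:", threshold_scenario("zen.spamhaus.org*2, dnsbl.sorbs.net*2", 2))
```

The two scenarios separate the two effects discussed in the thread: a shorter TTL only helps when the listing appeared after the client first passed, while a threshold of 2 with unit weights lets a client listed at a single DNSBL through regardless of the TTL; giving the lists you trust a weight of 2 is the other way to reach the threshold with one hit.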
 
Hi guys,
I did set
postscreen_dnsbl_max_ttl = 3m

But the system still misses checks, much less but still.

Here is the missed-check log:
Code:
Oct 4 03:36:03 smg01 postfix/smtpd[31553]: connect from unknown[66.206.0.122]
Oct 4 03:36:06 smg01 postfix/smtpd[31553]: NOQUEUE: client=unknown[66.206.0.122]
Oct 4 03:36:06 smg01 pmg-smtp-filter[25131]: 610A85F7918F6E3965: new mail message-id=<b356b5966c412be7cc8feb6b576982c2@jabalierty.net>#012
Oct 4 03:36:10 smg01 pmg-smtp-filter[25131]: 610A85F7918F6E3965: SA score=11/5 time=3.426 bayes=undefined autolearn=no autolearn_force=no hits=CK_HELO_DYNAMIC_SPLIT_IP(0.533),HELO_MISC_IP(0.084),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MPART_ALT_DIFF(0.724),RDNS_NONE(1.274),SPF_HELO_NONE(0.001),SPF_NONE(0.001),TVD_RCVD_IP(0.001),T_KAM_HTML_FONT_INVALID(0.01),T_REMOTE_IMAGE(0.01),UNWANTED_LANGUAGE_BODY(2.8),URIBL_BLOCKED(5)
Oct 4 03:36:10 smg01 pmg-smtp-filter[25131]: 610A85F7918F6E3965: moved mail for <***@mksoft.co.il> to spam quarantine - 610F65F7918FA6DB34 (rule: 00 - Block Spam (Level 8))
Oct 4 03:36:10 smg01 pmg-smtp-filter[25131]: 610A85F7918F6E3965: processing time: 3.52 seconds (3.426, 0.075, 0)
Oct 4 03:36:10 smg01 postfix/smtpd[31553]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (610A85F7918F6E3965); from=<support@jabalierty.net> to=<***@mksoft.co.il> proto=ESMTP helo=<66-206-0-122.cprapid.com>
Oct 4 03:36:10 smg01 postfix/smtpd[31553]: disconnect from unknown[66.206.0.122] ehlo=1 mail=1 rcpt=1



Here is my setting :

Code:
root@smg01:~# postconf | grep ttl
address_verify_sender_ttl = 0s
connection_cache_ttl_limit = 2s
dns_ncache_ttl_fix_enable = no
ipc_ttl = 1000s
lmtp_starttls_timeout = 300s
lmtp_tls_note_starttls_offer = no
postscreen_bare_newline_ttl = 30d
postscreen_dnsbl_max_ttl = 3m
postscreen_dnsbl_min_ttl = 60s
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_ttl = 30d
service_throttle_time = 60s
smtp_starttls_timeout = 300s
smtp_tls_note_starttls_offer = no
smtpd_policy_service_max_ttl = 1000s
smtpd_starttls_timeout = ${stress?{10}:{300}}s

Can someone advise, please?

Best regards,
Koby Peleg Hen
 
Set postscreen_dnsbl_threshold = 1 and monitor again.

I did set this on purpose because I like to be sure about the blacklist, meaning at least 2 blacklists for blocking.
This is not our problem; if you check the above IP against mxtoolbox you will see that this IP is listed in more than one.