From: "Len Conrad" on
We have an IP whitelisted because it was also blacklisted, but the postscreen whitelist comes after the postscreen blacklist, and the IP is still being postscreen dropped as blacklisted.

the man page says nothing about the order of the main.cf postscreen params.

Len

From: Wietse Venema on
Len Conrad:
> We have an IP whitelisted because it was also blacklisted, but
> the postscreen whitelist comes after the postscreen blacklist,
> and the IP is still being postscreen dropped as blacklisted.
>
> the man page says nothing about the order of the main.cf postscreen params.

main.cf syntax is in the postconf(5) manpage.

When in doubt, "postconf -n" output may be helpful.

Wietse

DESCRIPTION
The Postfix main.cf configuration file specifies a small subset of all
....
o When the same parameter is defined multiple times, only the last
instance is remembered.

o Otherwise, the order of main.cf parameter definitions does not
matter.

From: "Len Conrad" on
>Len Conrad:
>> We have an IP whitelisted because it was also blacklisted, but
>> the postscreen whitelist comes after the postscreen blacklist,
>> and the IP is still being postscreen dropped as blacklisted.
>>
>> the man page says nothing about the order of the main.cf postscreen params.
>
>main.cf syntax is in the postconf(5) manpage.
>
>When in doubt, "postconf -n" output may be helpful.

postconf -n | egrep postscreen

postscreen_blacklist_action = drop
postscreen_blacklist_networks = mysql:/usr/local/etc/postfix/mysql-mta_clients_b.cf
postscreen_cache_map = btree:$data_directory/ps_cache
postscreen_cache_ttl = 1d
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_greet_action = drop
postscreen_greet_banner = $smtpd_banner
postscreen_greet_wait = 2
postscreen_hangup_action = drop
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_whitelist_networks = $mynetworks, hash:/usr/local/etc/postfix/mta_clients_white.map

postmap -q "12.184.45.106" /usr/local/etc/postfix/mta_clients_white.map
ok

but still

Dec 9 15:16:01 mx101 postfix/postscreen[94732]: BLACKLISTED 12.184.45.106


we are getting postscreen whitelist hits:

egrep -i "postscreen" /var2/log/maillog | awk '{ print $6}' | sort -f | uniq -ic | sort -rfn

1404371 DNSBL
561433 BLACKLISTED
263804 PREGREET
209050 PASS
22237 HANGUP
7792 reject:
862 WHITELISTED
455 warning:
65 fatal:
7 error:

Len

From: Wietse Venema on
Len Conrad:
> postconf -n | egrep postscreen
>
> postscreen_blacklist_action = drop
> postscreen_blacklist_networks = mysql:/usr/local/etc/postfix/mysql-mta_clients_b.cf
....
> postscreen_whitelist_networks = $mynetworks, hash:/usr/local/etc/postfix/mta_clients_white.map
>
> postmap -q "12.184.45.106" /usr/local/etc/postfix/mta_clients_white.map
> ok
>
> but still
>
> Dec 9 15:16:01 mx101 postfix/postscreen[94732]: BLACKLISTED 12.184.45.106

The postscreen manpage lists the tests in the order of execution.
Thus, the blacklist test is done first. If the client is not
blacklisted, then the whitelist test is done. And so on.

I could swap the order of black/white tests if there is agreement that
the current order is not optimal, but something has to go first.

Wietse
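A small model of the ordering Wietse describes, added here as an illustration rather than code from Postfix or from anyone in the thread: each test is tried in turn and the first match decides, so with blacklist-first ordering a whitelist entry that a blacklist entry also covers can never fire. The list contents and the helper names are constructed assumptions; the real blacklist in the thread is a mysql: table and the whitelist a hash: map plus $mynetworks.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample lists standing in for the thread's maps (not real data).
BLACKLIST_NETWORKS = ["12.184.45.106", "203.0.113.0/24"]
WHITELIST_NETWORKS = ["127.0.0.0/8", "192.0.2.0/24", "12.184.45.106"]


def _networks(entries: Iterable[str]):
    # A bare address such as "12.184.45.106" becomes a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _matches(client: str, entries: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in _networks(entries))


def postscreen_decision(client: str,
                        order: Tuple[str, ...] = ("blacklist", "whitelist")) -> str:
    """Return the verdict of the first test in `order` that matches.

    This models the "tests run in manpage order, first match wins" behaviour
    described in the thread; it is not postscreen's own implementation.
    """
    for test in order:
        if test == "blacklist" and _matches(client, BLACKLIST_NETWORKS):
            return "BLACKLISTED"      # postscreen_blacklist_action = drop
        if test == "whitelist" and _matches(client, WHITELIST_NETWORKS):
            return "WHITELISTED"
    return "CONTINUE"                 # would go on to pregreet/DNSBL tests


def conflicting_entries(blacklist: Iterable[str], whitelist: Iterable[str]):
    """Whitelist entries that overlap a blacklist entry.

    With blacklist-first ordering these whitelist entries are dead: the
    client is dropped before the whitelist is ever consulted.
    """
    conflicts = []
    for w in _networks(whitelist):
        for b in _networks(blacklist):
            if w.overlaps(b):
                conflicts.append((str(w), str(b)))
    return conflicts


if __name__ == "__main__":
    print(postscreen_decision("12.184.45.106"))                               # BLACKLISTED
    print(postscreen_decision("12.184.45.106", order=("whitelist", "blacklist")))  # WHITELISTED
    print(conflicting_entries(BLACKLIST_NETWORKS, WHITELIST_NETWORKS))
```

Running `conflicting_entries` over exported copies of both maps is the check that would have flagged the address in this thread before the log did.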

From: Kenneth Marshall on
On Wed, Dec 09, 2009 at 03:42:30PM -0500, Wietse Venema wrote:
> Len Conrad:
> > postconf -n | egrep postscreen
> >
> > postscreen_blacklist_action = drop
> > postscreen_blacklist_networks = mysql:/usr/local/etc/postfix/mysql-mta_clients_b.cf
> ...
> > postscreen_whitelist_networks = $mynetworks, hash:/usr/local/etc/postfix/mta_clients_white.map
> >
> > postmap -q "12.184.45.106" /usr/local/etc/postfix/mta_clients_white.map
> > ok
> >
> > but still
> >
> > Dec 9 15:16:01 mx101 postfix/postscreen[94732]: BLACKLISTED 12.184.45.106
>
> The postscreen manpage lists the tests in the order of execution.
> Thus, the blacklist test is done first. If the client is not
> blacklisted, then the whitelist test is done. And so on.
>
> I could swap the order of black/white tests if there is agreement that
> the current order is not optimal, but something has to go first.
>
> Wietse
>
It would make more sense to have the whitelist first since that
is its normal use, overriding a restriction.

Regards,
Ken