1 Topic by phillipsjk (edited by phillipsjk 2015-01-15 01:20:04)

  • phillipsjk
  • Member
  • Offline
  • Registered: 2015-01-11
  • Posts: 9

Topic: Server bouncing mail due to blocklist shut-down (resolved)

Edit: TL;DR: remove references to blocklists in the "smtpd_recipient_restrictions" variable in /etc/postfix/main.cf.

============ Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP (MySQL appears to be used for stuff as well)

Mail Storage:
    - Path:
        + /var/vmail
        + /var/vmail/vmail1

- Linux/BSD distribution name and version: Debian Squeeze (oldstable) 

root@mail:~# cat /proc/version
Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze3) (dannf@debian.org) (gcc version 4.3.5 (Debian 4.3.5
-4) ) #1 SMP Fri May 10 08:43:19 UTC 2013

- Related log if you're reporting an issue:  Sample bounce (trimmed,e-mail mangled):

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  IT AT pirateparty.ca
    SMTP error from remote mail server after RCPT TO:<IT AT pirateparty.ca>:
    host mail.pirateparty.ca [192.95.44.161]: 554 5.7.1 Service unavailable; Client host [184.170.136.98] blocked using dnsbl.ahbl.o
+rg; List shut down.  See:
    http://www.ahbl.org/content/last-notice-wildcarding-services-jan-1st

====

As you can tell from the software verions, our server has not been updated in some time. Apparently on or about Jan 1st, one of the block-lists used by our server started wildcarding all domains. While a proper fix is to install updated software (we have been planning on a migration for moinths), and migrate the data; I have not been able to get a temporary fix of disabling the block-list working. I worry the blocks may now be stored in the postfix policyd now and may be migrated with the data.

Things I have tried:

Initial edits:
/etc/mail/spamassassin/local.cf
-> added:
skip_rbl_checks  1 # temporary measure until ahbl.org is disabled
Set all of the scoring rules to 0 (no effect noticed)

/etc/amavis/conf.d/50-user (above the do not edit line)
$sa_local_tests_only=1;

/etc/hosts # tried null-routing the blocklists
# Can't figure out how to disable misbehaving block-list
127.0.0.1       dnsbl.ahbl.org
127.0.0.1       rhsbl.ahbl.org
(/etc/nsswitch.conf says this *should* take precedence over dns..)

I have since revereted the changes to /etc/mail/spamassassin/local.cf and /etc/amavis/conf.d/50-user
and tried implementing the advice in this post: http://www.iredmail.org/forum/post29696.html#p29696
(still no effect)

I tried poking around in the iredadmin interface and could not find a option to disable certain block-lists. I found it strange that the Admin interface could not do much configuration when I was encountering configuration file after configuration file telling me not to edit things.

BTW, I got into contact with the people in charge of the AHBL via e-mail. They pointed me to this thread for clues:
http://www.gossamer-threads.com/lists/s … ers/190473

Brielle Bruns wrote:

Are you actively updating the spamassassin rules daily/weekly using
'sa-update' - usually via a cronjob in /etc/cron.daily or /etc/cron.weekly?

If you aren't, then you should be.

https://wiki.apache.org/spamassassin/RuleUpdates

If your using debian/ubuntu/centos/rhel/fedora you should already be
doing that update automatically, unless it was disabled by someone.

The rules to disable AHBL were put in back in April or so by the SA
developers in preparation for the 1st, so it sounds like the updates are
not being done.

First, I think she is wrong that Debian runs sa-update by default (but have not double-checked)
Second, the thread was helpful. My version of Spamassassin is no longer supported, and thus does not get updates anyway:

root@mail:~# dpkg -l spamassassin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version           Description
+++-=================-=================-==================================================
ii  spamassassin      3.3.1-1.1         Perl-based spam filter using text analysis

Note: v3.4 suports the "dns_query_restriction deny bldomain" directive.
Would need debian Stable (Wheezy) for that.
Source: DNS Blocklists (was over-relying on this one as we are using Postfix/dovecot, not apache for mail)
http://wiki.apache.org/spamassassin/DnsBlocklists

Edit: I tried setting "BLACKLISTING=0" in /etc/postfix-policyd.conf

root@mail:~# /etc/init.d/postfix-policyd restart
Restarting Postfix greylisting policy daemon: postfix-policyd.

.. mail still bounces.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Dexus

  • Dexus
  • Member
  • Offline
  • From: Germany
  • Registered: 2014-10-23
  • Posts: 21

Re: Server bouncing mail due to blocklist shut-down (resolved)

Hey the blacklist ahbl.org is going down!

Do you or the sysadmin not read the roundmail and news-sites?

https://www.server-eye.de/blog/blacklis … ienst-ein/

Since some days the ahbl.org send falsepositive because they close the service!

3 Reply by phillipsjk (edited by phillipsjk 2015-01-15 12:04:47)

  • phillipsjk
  • Member
  • Offline
  • Registered: 2015-01-11
  • Posts: 9

Re: Server bouncing mail due to blocklist shut-down (resolved)

Yes, the wildcarding of all domains made the fact that the list is shutting down abundantly clear. The difficulty is that I can't seem to disable it no matter what I try.

Today I got more agressive, generally following the directions listed here: Completely disable Amavisd + ClamAV + SpamAssassin

In /etc/amavis/conf.d/50-user:

    # don't perform spam/virus/header check.
bypass_spam_checks_maps => [1],
    #bypass_virus_checks_maps => [1],
    #bypass_header_checks_maps => [1],

I previously did not do that because of this line near the top of the file:

#------------ Do not modify anything below this line -------------
#{1}

Don't forget to restart the service:

root@mail:~# /etc/init.d/amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.

...mail still bounces.
Ok, in /etc/postfix/main.cf

#content_filter = smtp-amavis:[127.0.0.1]:10024

(no "receive_override_options = no_address_mappings" text was present)
Don't forget to restart the service 

root@mail:~# /etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.

...mail still bounces.
So maybe I should find that magical text in another file and comment it out.
in /etc/postfix/master.cf:

127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_tls_security_level=none
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
#    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Don't forget to restart services....

root@mail:~# /etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
root@mail:~# /etc/init.d/postfix-policyd restart
Restarting Postfix greylisting policy daemon: postfix-policyd.

...mail still bounces.
Edit: found the culprit; postfix has it's own list of block-lists:

root@mail:~# grep -ir ahbl.org /etc
/etc/postfix/main.cf:smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031, reject_rbl_client dnsbl.ahbl.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl-1.uceprotect.net
grep: /etc/fonts/conf.d/30-defoma.conf: No such file or directory
/etc/hosts:127.0.0.1    dnsbl.ahbl.org
/etc/hosts:127.0.0.1    rhsbl.ahbl.org
/etc/spamassassin/local.cf:#skip_rbl_checks  1 # temporary measure until ahbl.org is disabled
/etc/mail/spamassassin/local.cf:#skip_rbl_checks  1 # temporary measure until ahbl.org is disabled

Removing the string "reject_rbl_client dnsbl.ahbl.org," from, /etc/postfix/main.cf has allowed mail to flow.

I would suggest removing all of the block-list checks from the postfix configuration since that is supposed to be spamassassin's job.

Update: successfully rolled back the changes to:

root@mail:~# vi /etc/postfix/master.cf
root@mail:~# vi /etc/postfix/main.cf
root@mail:~# vi /etc/amavis/conf.d/50-user
root@mail:~# /etc/init.d/amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
root@mail:~# /etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
root@mail:~# vi /etc/postfix-policyd.conf
root@mail:~# /etc/init.d/postfix-policyd restart
Restarting Postfix greylisting policy daemon: postfix-policyd.

...mail still appears to work.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Server bouncing mail due to blocklist shut-down (resolved)

phillipsjk wrote:

Removing the string "reject_rbl_client dnsbl.ahbl.org," from, /etc/postfix/main.cf has allowed mail to flow.

Just a remind, iRedMail doesn't use/enable any DNSBL service in Postfix.

To disable ahbl, you can also set 'score DNS_FROM_AHBL_RHSBL 0' in /etc/mail/spamassassin/local.cf to DISABLE ahbl, no need to disable amavisd+clamav+spamassassin services.