Introducing Postscreen

[17Halbe]

Cheaper, earlier and simpler blocking of zombies/spambots.

From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.

Things we need to consider:

• Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
  • Via introducing an optional config/postfix-access.cidr
  • The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
• Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
  • postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
  • postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
  • postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
• Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
  (*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
  (http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
  • zen.spamhaus.org*3
  • bl.mailspike.net
  • b.barracudacentral.org*2
  • bl.spameatingmonkey.net
  • bl.spamcop.net
  • dnsbl.sorbs.net
  • psbl.surriel.com
  • list.dnswl.org=127.0.[0..255].0*-2
  • list.dnswl.org=127.0.[0..255].1*-3
  • list.dnswl.org=127.0.[0..255].[2..3]*-4
• What to do when blacklisting? I currently set it to drop. We could
  • ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
  • enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
  • drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.

Hope that wasn't too much to read! ;)
This closes #780 and closes #718

[johansmitsnl]

Build is failing very early, did tests pass on your pc?

[17Halbe]

This should work now.. I guess I tested the master branch m)
The fail2ban test is failing, since postscreen is dropping the connection early.
We dump the Auth request into postfix via nc, which is not waiting for its turn to speak and therefore gets correctly banned by postscreen:
Jan 28 22:34:15 mail postfix/postscreen[3421]: CONNECT from [172.17.0.17]:53116 to [172.17.0.8]:25 Jan 28 22:34:15 mail postfix/postscreen[3421]: PREGREET 80 after 0 from [172.17.0.17]:53116: EHLO mail\nAUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu\nBn3JKisq4HQ2RO==\nQUIT\n Jan 28 22:34:15 mail postfix/postscreen[3421]: DISCONNECT [172.17.0.17]:53116 Jan 28 22:34:15 mail postfix/postscreen[3421]: CONNECT from [172.17.0.17]:53118 to [172.17.0.8]:25 Jan 28 22:34:15 mail postfix/postscreen[3421]: PREGREET 80 after 0 from [172.17.0.17]:53118: EHLO mail\nAUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu\nBn3JKisq4HQ2RO==\nQUIT\n Jan 28 22:34:15 mail postfix/postscreen[3421]: DISCONNECT [172.17.0.17]:53118

So no failed Auth request is ever logged.

I guess I have to rewrite the test.. Which is going to be much more painfull!

[17Halbe]

Fail2Ban tests have been revised. I just deleted the postscreen section during the fail2ban test. Otherwise postscreen will always drop those connections(reverse lookup).

regarding configurablity:
I think the only reasonable setting for the user to choose from would be the action option:

• ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
• enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
• drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

What do you think, do we need a variable for that, or shall we leave it at "drop"?

[17Halbe]

Added:

• tests
• new config option POSTSCREEN_ACTION (default enforce)
• added links to Intro in README.md
• added documentation to README.md
• repaired Fail2Ban testcase

[johansmitsnl]

@17Halbe Very good work!