From 740fe164d20bb00cfca65c2744f07edf96b46aa6 Mon Sep 17 00:00:00 2001 From: stevejenkins Date: Tue, 12 Sep 2017 10:35:14 -0700 Subject: [PATCH 01/14] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a216027..0975ae7 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ If all of the whitelist mailers are selected when Postwhite runs, the resulting By default, Postwhite has blacklisting turned off. Most users will not need to ever turn it on, but it's there if you *really* believe you need it. If you choose to enable it, make sure you understand the implications of blacklisting IP addresses based on their hostnames and associated mailers, and re-run Postwhite often via cron to make sure you're not inadvertently blocking legitimate senders. # Requirements -Postwhite runs as a **Bash** script and relies on two scripts from the SPF-Tools project (**despf.sh** and **simplify.sh**) to help recursively query SPF records. I recommend cloning or copying the entire SPF-Tools repo to ```/usr/local/bin/```directory on your system, then confirming the ```spftoolspath``` value in ```postwhite```. **Please update SPF-Tools whenever you update Postwhite, as both are under continuous development, and sometimes new features of Postwhite depend upon an updated version of SPF-Tools.** From 1c1f2f55c2739d1dd4b782eee07110ca2b421b04 Mon Sep 17 00:00:00 2001 From: laemmy Date: Wed, 7 Feb 2018 17:43:01 +0100 Subject: [PATCH 02/14] Update postwhite --- postwhite | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postwhite b/postwhite index fca03e3..eec5840 100755 --- a/postwhite +++ b/postwhite 
@@ -36,7 +36,7 @@ lastupdated="30 April 2017" # CUSTOM HOSTS CAN BE ADDED IN /etc/postwhite.conf # Hosts to query -webmail_hosts="aol.com google.com microsoft.com outlook.com hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com fastmail.com" +webmail_hosts="aol.com google.com microsoft.com outlook.com hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com fastmail.com secure-mailgate.com" social_hosts="facebook.com facebookmail.com twitter.com pinterest.com instagram.com tumblr.com reddit.com linkedin.com" From e3415b2897a9541da858503d31d5534ba5304f98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Sun, 11 Feb 2018 18:48:54 +0100 Subject: [PATCH 03/14] Add Travis CI Have some overview on commits, PR-s --- .travis.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..bcdea3c --- /dev/null +++ b/.travis.yml @@ -0,0 +1,17 @@ +language: bash + +# Use container-based infrastructure for quicker build start-up +sudo: false + +addons: + apt: + sources: + - debian-sid # Grab shellcheck from the Debian repo (o_O) + packages: + - shellcheck + +script: + - bash -c 'shopt -s globstar; shellcheck postwhite' + +matrix: + fast_finish: true From 65c0184f3d5b7a29f50f72514cdefcddc7f9c839 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Sun, 11 Feb 2018 19:01:33 +0100 Subject: [PATCH 04/14] Else is not development-friendly ...and hard to read --- postwhite | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/postwhite b/postwhite index fca03e3..f03305e 100755 --- a/postwhite +++ b/postwhite 
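Review bot: In PATCH 02 the `webmail_hosts` line gains `secure-mailgate.com` with no comment and a commit subject of only "Update postwhite", so nothing records why this domain belongs in a default list whose SPF-published ranges end up on the whitelist. Each entry widens the set of addresses that get whitelisted, so a short note above the variable would help later audits, e.g. `# secure-mailgate.com: <operator / reason for inclusion>`. The same applies to the four `bulk_hosts` additions in PATCH 09 (`@@ -36,15 +36,20 @@`), which are named only in the commit message.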
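Review bot: In the new `.travis.yml` the `debian-sid` apt source installs shellcheck from Debian's unstable suite with no pinned version, so the linter and anything it pulls in can change between builds without any change in this repository. If a fixed release is available for the build image, pinning it would keep CI results reproducible; otherwise a comment stating that the unpinned source is deliberate would help. Separately, `shopt -s globstar` has no effect because the command names `postwhite` directly with no `**` pattern, so the script entry can be just `- shellcheck postwhite`.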
@@ -58,29 +58,26 @@ set -e printf "Starting Postwhite v$version ($lastupdated)\n" # Check for passed config file +config_file="/etc/postwhite.conf" if [ -n "$1" ]; then config_file="$1" -else - config_file="/etc/postwhite.conf" fi # Read config file options -if [ -s $config_file ] ; then - printf "\nReading options from %s...\n" "$config_file" - . "${config_file}" -else - >&2 printf "%s: Can't find %s. Exiting.\n" "$0" "$config_file" +if [ ! -s $config_file ] ; then + printf "%s: Can't find %s. Exiting.\n" "$0" "$config_file" 1>&2 exit 1 fi +printf "\nReading options from %s...\n" "$config_file" +. "${config_file}" # Create temporary files printf "\nCreating temporary files...\n" tmpBase=$(basename "$0") +tmpPrefix="tmp" if [ x"$enable_blacklist" = x"yes" ]; then tmpPrefix="tmp blktmp" -else - tmpPrefix="tmp" fi for p in $tmpPrefix; do @@ -137,7 +134,7 @@ normalize_ip() { # split by ":" normalize_ip_type="$( echo $1 | cut -s -d\: -f1)" normalize_ip_value="$( echo $1 | cut -s -d\: -f2-)" - normalize_ip_IP="" + normalize_ip_IP="" if [ x"${normalize_ip_type}" = x"ip4" ] ; then # check if is a CIDR if expr "x${normalize_ip_value}" : "x.*/[0-9]*" > /dev/null; then @@ -162,9 +159,9 @@ query_black_host() { # Create progress dots function show_dots() { - while ps "$1" >/dev/null ; do - printf "." - sleep 1 + while ps "$1" >/dev/null; do + printf "." + sleep 1 done printf "\n" } From e4b6baed9fe9c0c4609273ed1fed420ef5829a9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Sun, 11 Feb 2018 19:05:14 +0100 Subject: [PATCH 05/14] Nicer header Joining the comments! --- postwhite | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/postwhite b/postwhite index fca03e3..db7b73e 100755 --- a/postwhite +++ b/postwhite 
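Review bot: The rewritten check `if [ ! -s $config_file ] ; then` in the first hunk of PATCH 04 still expands `$config_file` unquoted, and with the branches inverted a failing `[` no longer leads to the exit path. A path containing whitespace typically makes `[` return an error status; that used to fall into the `else` branch and exit, but now it skips `exit 1` and continues to `. "${config_file}"`. Quoting closes the gap: `if [ ! -s "$config_file" ]; then`. Because the file is sourced, its contents run with the script's privileges, so it is also worth a comment next to the check that the config path must be writable only by a trusted user.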
@@ -1,12 +1,11 @@ #!/bin/sh - +# ################################################################### # Postwhite - Automatic Postcreen Whitelist / Blacklist Generator # # https://github.com/stevejenkins/postwhite # +# By Steve Jenkins (https://www.stevejenkins.com/) # ################################################################### -# By Steve Jenkins (https://www.stevejenkins.com/) - version="3.1" lastupdated="30 April 2017" @@ -14,22 +13,22 @@ lastupdated="30 April 2017" # 2) Move postwhite.conf to /etc # 3) Run ./postwhite [config-file] # Optional config file passed via command line overrides the default config file location. - +# # Requires SPF-Tools (https://github.com/jsarenik/spf-tools) # Please update your copy of spf-tools whenever you update Postwhite - +# # Thanks to Mike Miller (mmiller@mgm51.com) for gwhitelist.sh script # Thanks to Jan Sarenik for SPF-Tools # Thanks to Jose Borges Ferreira for IPv4 normalization help # Thanks to Ricardo Iván Vieitez Parra for improved error reporting, normalization, conf file improvements, # and removal of bash-isms so that script is usable on more systems # Thanks to Steve Cook for Yahoo! IP scraping help - +# # USER-DEFINABLE OPTIONS AND CUSTOM HOSTS STORED IN /etc/postwhite.conf # CONFIGURATION FILE CAN ALSO BE PASSED FROM COMMAND LINE - +# # NO NEED TO EDIT PAST THIS LINE - +# ################################################################# # DEFAULT HOSTS From 0a618bc9179b17c1df83abb4b3a0b419372c46cf Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 14 Mar 2018 10:15:37 -0500 Subject: [PATCH 06/14] Fixed ip4 /32's being removed. --- postwhite | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postwhite b/postwhite index fca03e3..5e74c54 100755 --- a/postwhite +++ b/postwhite 
@@ -270,7 +270,7 @@ if [ x"$simplify" = x"yes" ]; then printf "\nSimplifying whitelist IP addresses already included in CIDR ranges. These calculations\n" printf "can take a LONG time if you have many mailers selected. Please be patient..." - cat "${tmp1}" | sort -u | "${spftoolspath}"/simplify.sh > "${tmp2}" & + sed '/\./s/\/32//g' "${tmp1}" | sort -u | "${spftoolspath}"/simplify.sh > "${tmp2}" & show_dots "$!" if [ x"$enable_blacklist" = x"yes" ] ; then @@ -282,7 +282,7 @@ if [ x"$simplify" = x"yes" ]; then printf "\nIP address simplification complete.\n" else - cat "${tmp1}" > "${tmp2}" + sed '/\./s/\/32//g' "${tmp1}" > "${tmp2}" if [ x"$enable_blacklist" = x"yes" ] ; then cat "${blktmp1}" > "${blktmp2}" fi From adbc0b545fa69a451864479b7d02918960bbe06a Mon Sep 17 00:00:00 2001 From: Steve Jenkins Date: Sun, 25 Mar 2018 19:28:26 -0700 Subject: [PATCH 07/14] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 15768a0..f0bf74f 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ Other options in ```postwhite.conf``` include changing the filenames for your wh * Thanks to Jose Borges Ferreira for patches and contributions to Postwhite, include internal code to validate CIDRs. * Thanks to Ricardo Iván Vieitez Parra for contributions to Postwhite, including external config file support, normalization improvements, error handling, and additional modifications that allow Postwhite to run on additional systems. * Thanks to partner (business... not life) Steve Cook for helping me cludge through Bash scripting, and for writing the initial version of the ```scrape_yahoo``` script. +* Thanks to all the generous [contributors](https://github.com/stevejenkins/postwhite/graphs/contributors) right here on GitHub who have helped move the project along! # More Info My blog post discussing how Postwhite came to be is here: From 7395bdd149cfa3072c238baff238ffc777c21bc4 Mon Sep 17 00:00:00 2001 
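Review bot: The `/32` stripping in PATCH 06 is applied only to `${tmp1}`; in the second hunk the blacklist is still copied with `cat "${blktmp1}" > "${blktmp2}"`, so if /32 entries were being dropped from the whitelist they are presumably still dropped from the blacklist (the simplify-branch blacklist code lies outside the first hunk). The expression `sed '/\./s/\/32//g'` is also duplicated across both hunks and unanchored, so it removes `/32` anywhere on any line containing a dot; if each line ends with the prefix length, `sed '/\./s|/32$||'` is tighter. A one-line comment saying which downstream step mishandles the suffix would keep a later maintainer from undoing the change.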
From: Steve Jenkins Date: Sun, 25 Mar 2018 19:29:38 -0700 Subject: [PATCH 08/14] Update postwhite --- postwhite | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/postwhite b/postwhite index 9676661..5a223a0 100755 --- a/postwhite +++ b/postwhite @@ -6,8 +6,8 @@ # By Steve Jenkins (https://www.stevejenkins.com/) # ################################################################### -version="3.1" -lastupdated="30 April 2017" +version="3.2" +lastupdated="25 March 2018" # Usage: 1) Place entire /postwhite directory in /usr/local/bin # 2) Move postwhite.conf to /etc @@ -23,6 +23,7 @@ lastupdated="30 April 2017" # Thanks to Ricardo Iván Vieitez Parra for improved error reporting, normalization, conf file improvements, # and removal of bash-isms so that script is usable on more systems # Thanks to Steve Cook for Yahoo! IP scraping help +# Thanks to all the additional contributors on GitHub! # # USER-DEFINABLE OPTIONS AND CUSTOM HOSTS STORED IN /etc/postwhite.conf # CONFIGURATION FILE CAN ALSO BE PASSED FROM COMMAND LINE From fe2f00e86cabc6db7a64843b5e3d67e40d9868da Mon Sep 17 00:00:00 2001 From: Steve Jenkins Date: Sun, 25 Mar 2018 20:16:13 -0700 Subject: [PATCH 09/14] Added additional hosts (Issue #2) Added amazonses.com, messagelabs.com, messagegears.net, and authsmtp.com as bulk_hosts. Thanks @dajones70. --- postwhite | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/postwhite b/postwhite index 5a223a0..86ce569 100755 --- a/postwhite +++ b/postwhite @@ -6,7 +6,7 @@ # By Steve Jenkins (https://www.stevejenkins.com/) # ################################################################### -version="3.2" +version="3.3" lastupdated="25 March 2018" # Usage: 1) Place entire /postwhite directory in /usr/local/bin 
@@ -17,12 +17,12 @@ lastupdated="25 March 2018" # Requires SPF-Tools (https://github.com/jsarenik/spf-tools) # Please update your copy of spf-tools whenever you update Postwhite # -# Thanks to Mike Miller (mmiller@mgm51.com) for gwhitelist.sh script -# Thanks to Jan Sarenik for SPF-Tools -# Thanks to Jose Borges Ferreira for IPv4 normalization help -# Thanks to Ricardo Iván Vieitez Parra for improved error reporting, normalization, conf file improvements, -# and removal of bash-isms so that script is usable on more systems -# Thanks to Steve Cook for Yahoo! IP scraping help +# Thanks to Mike Miller (mmiller@mgm51.com) for gwhitelist.sh script. +# Thanks to Jan Sarenik for SPF-Tools. +# Thanks to Jose Borges Ferreira for IPv4 normalization help. +# Thanks to Ricardo Iván Vieitez Parra for improved error reporting, normalization, conf file +# improvements, and removal of bash-isms so that script is usable on more systems. +# Thanks to Steve Cook for Yahoo! IP scraping help. # Thanks to all the additional contributors on GitHub! # # USER-DEFINABLE OPTIONS AND CUSTOM HOSTS STORED IN /etc/postwhite.conf 
@@ -36,15 +36,20 @@ lastupdated="25 March 2018" # CUSTOM HOSTS CAN BE ADDED IN /etc/postwhite.conf # Hosts to query -webmail_hosts="aol.com google.com microsoft.com outlook.com hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com fastmail.com secure-mailgate.com" +webmail_hosts="aol.com fastmail.com google.com gmx.com hotmail.com icloud.com \ + inbox.com mail.com microsoft.com outlook.com secure-mailgate.com zoho.com" -social_hosts="facebook.com facebookmail.com twitter.com pinterest.com instagram.com tumblr.com reddit.com linkedin.com" +social_hosts="facebook.com facebookmail.com instagram.com linkedin.com \ + pinterest.com reddit.com tumblr.com twitter.com" -commerce_hosts="craigslist.org amazon.com ebay.com paypal.com" +commerce_hosts="amazon.com craigslist.org ebay.com paypal.com" -bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com" +bulk_hosts="amazonses.com authsmtp.com constantcontact.com \ + cust-spf.exacttarget.com exacttarget.com fbmta.com fishbowl.com \ + icontact.com mailchimp.com mailgun.com mailjet.com messagelabs.com \ + messagegears.net sendgrid.com sendgrid.net sparkpost.com sparkpostmail.com" -misc_hosts="zendesk.com github.com" +misc_hosts="github.com zendesk.com" permit_line_v4="%s\tpermit\n" reject_line_v4="%s\treject\n" From 43363fb58988154541f1fd4da02050b00d4dfba2 Mon Sep 17 00:00:00 2001 From: Steve Jenkins Date: Mon, 26 Mar 2018 16:17:19 -0700 Subject: [PATCH 10/14] Include bind-utils in requirements Fixes #34. Signed-off-by: Steve Jenkins --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f0bf74f..df11f9c 100644 --- a/README.md +++ b/README.md 
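Review bot: This hunk of PATCH 09 re-sorts every host list and adds four `bulk_hosts` entries in the same change, so the diff does not show at a glance which names are new in a list that feeds the whitelist; splitting the reorder and the additions into separate commits would make the additions reviewable. The `\` continuations also sit inside the double quotes, so the leading indentation of each continued line becomes part of the value. That is harmless only while the consumers (outside this hunk) expand these variables unquoted and rely on word splitting. A comment above the lists such as `# Values are split on whitespace; do not quote when iterating` would record that dependency.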
@@ -21,6 +21,8 @@ href="https://github.com/jsarenik/spf-tools">SPF-Tools project (**despf.sh** **Please update SPF-Tools whenever you update Postwhite, as both are under continuous development, and sometimes new features of Postwhite depend upon an updated version of SPF-Tools.** +Postwhite also assumes that you have **Postfix** and the appropriate **bind-utils** package for your Linux distro installed on your system. + # Usage 1. Make sure you have SPF-Tools on your system 2. Move the ```postwhite.conf``` file to your `/etc/` directory From 9569c790d00be962cb35f0a1212a3b8128b1c8e9 Mon Sep 17 00:00:00 2001 From: Steve Jenkins Date: Sat, 14 Apr 2018 10:49:47 -0600 Subject: [PATCH 11/14] Update README.md --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index df11f9c..8da6829 100644 --- a/README.md +++ b/README.md 
@@ -75,8 +75,15 @@ To add your own additional custom hosts, add them to the ```custom_hosts``` sect Additional trusted mailers are added to the script from time to time, so check back periodically for new versions, or "Watch" this repo to receive update notifications. +## Hosts That Don't Publish Their Outbound Mailers via SPF Records +Because Postwhite relies on published SPF records to build its whitelist, mailers who refuse to publish outbound mailer IP addresses via SPF are problematic. The largest such host is Yahoo!, which is dealt with separately (see below). For smaller mailhosts without SPF-published mailer lists, the included `query_host_ovh` file is a working example of a script that queries a range of hostnames for a specific mailer (`mail-out.ovh.net` in the included example), collects valid IP addresses, and includes them in a custom whitelist. The new custom whitelist may then be included in as an additional entry in your Postfix's `postscreen_access_list` parameter (see **Usage** above). + +To create additional customized query scripts for mailers that don't publish outbound IPs via SPF, copy the example `query_host_ovh` file to a new unique filename, edit the script's mailhost and numerical range values as required, set a unique output file (`/etc/postfix/postscreen_*_whitelist.cidr`), include the output file in Postfix's `postscreen_access_list` parameter, then configure cron to run the new query script periodically. + +Depending on the size of the range you wish to query, this script could take a long time to complete. I recommend testing on a small fraction of the mailhost's range before pushing the script to a production environment. + ## Yahoo! Hosts -As mentioned in the **Known Issues**, Yahoo's SPF record doesn't support queries to expose their netblocks, and therefore a dynamic list of Yahoo mailers can't be built. However, Yahoo! does publish a list of outbound mailer IP addresses at https://help.yahoo.com/kb/SLN23997.html. 
+As mentioned in the **Known Issues**, Yahoo!'s SPF record doesn't support queries to expose their netblocks, and therefore a dynamic list of Yahoo mailers can't be built. However, Yahoo! does publish a list of outbound mailer IP addresses at https://help.yahoo.com/kb/SLN23997.html. A list of Yahoo! outbound IP addresses, based on the linked knowledgebase article and formatted for Postwhite, is included as ```yahoo_static_hosts.txt```. By default, the contents of this file are added to the final whitelist. To disable the Yahoo! IPs from being included in your whitelist, set the ```include_yahoo``` configuration option in ```/etc/postwhite.conf``` to ```include_yahoo="no"```. From 523e69e8f14632793c4cfe07cff19f82cce0ebc4 Mon Sep 17 00:00:00 2001 From: stevejenkins Date: Sat, 14 Apr 2018 10:02:56 -0700 Subject: [PATCH 12/14] Add custom query script for non-SPF-compliant mailers --- .../example_whitelist.cidr | 0 examples/postscreen_ovh_whitelist.cidr | 997 ++++++++++++++++++ postwhite | 4 +- query_mailer_ovh | 61 ++ 4 files changed, 1060 insertions(+), 2 deletions(-) rename example_whitelist.cidr => examples/example_whitelist.cidr (100%) create mode 100644 examples/postscreen_ovh_whitelist.cidr create mode 100755 query_mailer_ovh diff --git a/example_whitelist.cidr b/examples/example_whitelist.cidr similarity index 100% rename from example_whitelist.cidr rename to examples/example_whitelist.cidr diff --git a/examples/postscreen_ovh_whitelist.cidr b/examples/postscreen_ovh_whitelist.cidr new file mode 100644 index 0000000..6798eab --- /dev/null +++ b/examples/postscreen_ovh_whitelist.cidr 
@@ -0,0 +1,997 @@ +46.105.32.81 permit +46.105.32.172 permit +46.105.32.186 permit +46.105.32.188 permit +46.105.32.190 permit +46.105.32.191 permit +46.105.32.194 permit +46.105.32.236 permit +46.105.32.238 permit +46.105.33.36 permit +46.105.33.49 permit +46.105.33.73 permit +46.105.33.181 permit +46.105.33.219 permit +46.105.33.231 permit +46.105.34.113 permit +46.105.34.118 permit +46.105.34.145 permit +46.105.34.162 permit +46.105.34.195 permit +46.105.34.207 permit +46.105.34.221 permit +46.105.34.231 permit +46.105.34.245 permit +46.105.34.246 permit +46.105.35.4 permit +46.105.35.60 permit +46.105.35.68 permit +46.105.35.72 permit +46.105.35.78 permit +46.105.35.92 permit +46.105.35.156 permit +46.105.35.174 permit +46.105.35.203 permit +46.105.35.204 permit +46.105.36.132 permit +46.105.36.144 permit +46.105.36.150 permit +46.105.36.192 permit +46.105.36.252 permit +46.105.37.52 permit +46.105.37.77 permit +46.105.37.173 permit +46.105.37.185 permit +46.105.37.209 permit +46.105.38.11 permit +46.105.38.34 permit +46.105.38.108 permit +46.105.38.231 permit +46.105.39.47 permit +46.105.39.65 permit +46.105.39.71 permit +46.105.39.115 permit +46.105.39.122 permit +46.105.39.148 permit +46.105.39.163 permit +46.105.39.168 permit +46.105.39.171 permit +46.105.39.199 permit +46.105.39.221 permit +46.105.40.29 permit +46.105.40.108 permit +46.105.40.157 permit +46.105.40.176 permit +46.105.40.177 permit +46.105.41.15 permit +46.105.41.16 permit +46.105.41.145 permit +46.105.41.160 permit +46.105.41.205 permit +46.105.41.244 permit +46.105.42.25 permit +46.105.42.134 permit +46.105.42.182 permit +46.105.42.187 permit +46.105.42.221 permit +46.105.42.251 permit +46.105.43.20 permit +46.105.43.46 permit +46.105.43.56 permit +46.105.43.66 permit +46.105.43.80 permit +46.105.43.129 permit +46.105.43.131 permit +46.105.43.147 permit +46.105.43.205 permit +46.105.43.253 permit +46.105.44.64 permit +46.105.44.144 permit +46.105.44.175 permit +46.105.44.202 permit 
+46.105.44.226 permit +46.105.44.248 permit +46.105.45.45 permit +46.105.45.177 permit +46.105.45.201 permit +46.105.45.217 permit +46.105.45.224 permit +46.105.45.239 permit +46.105.46.12 permit +46.105.46.70 permit +46.105.46.158 permit +46.105.46.185 permit +46.105.46.194 permit +46.105.47.34 permit +46.105.47.46 permit +46.105.47.77 permit +46.105.47.83 permit +46.105.47.91 permit +46.105.47.167 permit +46.105.47.184 permit +46.105.47.188 permit +46.105.47.226 permit +46.105.47.241 permit +46.105.47.251 permit +46.105.48.8 permit +46.105.48.14 permit +46.105.48.21 permit +46.105.48.26 permit +46.105.48.48 permit +46.105.48.52 permit +46.105.48.164 permit +46.105.49.79 permit +46.105.49.139 permit +46.105.49.177 permit +46.105.49.208 permit +46.105.50.53 permit +46.105.50.63 permit +46.105.50.118 permit +46.105.51.9 permit +46.105.51.21 permit +46.105.51.67 permit +46.105.51.134 permit +46.105.51.136 permit +46.105.51.139 permit +46.105.51.140 permit +46.105.51.191 permit +46.105.51.192 permit +46.105.51.194 permit +46.105.51.241 permit +46.105.52.30 permit +46.105.52.67 permit +46.105.52.76 permit +46.105.52.80 permit +46.105.52.148 permit +46.105.52.155 permit +46.105.52.186 permit +46.105.52.210 permit +46.105.52.247 permit +46.105.53.126 permit +46.105.53.141 permit +46.105.53.166 permit +46.105.53.167 permit +46.105.53.176 permit +46.105.53.195 permit +46.105.53.199 permit +46.105.53.214 permit +46.105.53.224 permit +46.105.53.230 permit +46.105.53.236 permit +46.105.54.31 permit +46.105.54.55 permit +46.105.54.58 permit +46.105.54.105 permit +46.105.54.117 permit +46.105.54.123 permit +46.105.54.134 permit +46.105.54.135 permit +46.105.54.145 permit +46.105.54.146 permit +46.105.54.147 permit +46.105.54.156 permit +46.105.54.169 permit +46.105.54.175 permit +46.105.54.179 permit +46.105.54.196 permit +46.105.54.203 permit +46.105.55.63 permit +46.105.55.136 permit +46.105.55.162 permit +46.105.55.252 permit +46.105.56.30 permit +46.105.56.106 permit 
+46.105.56.113 permit +46.105.56.132 permit +46.105.56.136 permit +46.105.56.161 permit +46.105.56.218 permit +46.105.57.57 permit +46.105.57.59 permit +46.105.57.115 permit +46.105.57.117 permit +46.105.57.125 permit +46.105.57.127 permit +46.105.57.129 permit +46.105.57.145 permit +46.105.57.146 permit +46.105.57.155 permit +46.105.57.165 permit +46.105.57.191 permit +46.105.57.200 permit +46.105.57.224 permit +46.105.57.227 permit +46.105.57.236 permit +46.105.57.238 permit +46.105.57.239 permit +46.105.57.240 permit +46.105.57.248 permit +46.105.57.252 permit +46.105.58.83 permit +46.105.58.93 permit +46.105.58.99 permit +46.105.58.124 permit +46.105.58.127 permit +46.105.58.131 permit +46.105.58.153 permit +46.105.58.162 permit +46.105.58.165 permit +46.105.58.166 permit +46.105.58.172 permit +46.105.58.175 permit +46.105.58.183 permit +46.105.58.186 permit +46.105.58.192 permit +46.105.58.226 permit +46.105.58.229 permit +46.105.58.238 permit +46.105.58.240 permit +46.105.59.66 permit +46.105.59.83 permit +46.105.59.97 permit +46.105.59.124 permit +46.105.59.131 permit +46.105.59.141 permit +46.105.59.142 permit +46.105.59.145 permit +46.105.59.155 permit +46.105.59.157 permit +46.105.59.184 permit +46.105.59.196 permit +46.105.59.214 permit +46.105.59.215 permit +46.105.59.221 permit +46.105.59.222 permit +46.105.59.232 permit +46.105.59.251 permit +46.105.60.177 permit +46.105.60.186 permit +46.105.60.189 permit +46.105.60.225 permit +46.105.60.232 permit +46.105.60.248 permit +46.105.60.251 permit +46.105.61.55 permit +46.105.61.64 permit +46.105.61.80 permit +46.105.61.82 permit +46.105.61.84 permit +46.105.61.85 permit +46.105.61.87 permit +46.105.61.88 permit +46.105.61.89 permit +46.105.61.93 permit +46.105.61.97 permit +46.105.61.108 permit +46.105.61.109 permit +46.105.61.111 permit +46.105.61.112 permit +46.105.61.120 permit +46.105.61.122 permit +46.105.61.151 permit +46.105.61.156 permit +46.105.62.87 permit +46.105.62.156 permit +46.105.62.169 
permit +46.105.62.173 permit +46.105.62.182 permit +46.105.62.192 permit +46.105.62.198 permit +46.105.62.209 permit +46.105.62.224 permit +46.105.62.226 permit +46.105.62.229 permit +46.105.63.46 permit +46.105.63.65 permit +46.105.63.97 permit +46.105.63.121 permit +46.105.63.150 permit +46.105.63.157 permit +46.105.63.165 permit +46.105.63.174 permit +46.105.63.175 permit +46.105.63.177 permit +46.105.63.217 permit +46.105.63.253 permit +46.105.72.36 permit +46.105.72.64 permit +46.105.72.116 permit +46.105.72.119 permit +46.105.72.130 permit +46.105.72.133 permit +46.105.72.137 permit +46.105.72.140 permit +46.105.72.153 permit +46.105.72.169 permit +46.105.72.174 permit +46.105.72.179 permit +46.105.72.188 permit +46.105.72.196 permit +46.105.72.198 permit +46.105.72.202 permit +46.105.72.203 permit +46.105.72.216 permit +46.105.72.218 permit +46.105.72.222 permit +46.105.72.230 permit +46.105.72.233 permit +46.105.72.235 permit +46.105.72.236 permit +46.105.72.237 permit +46.105.72.249 permit +46.105.73.110 permit +46.105.73.126 permit +46.105.73.146 permit +46.105.73.165 permit +46.105.73.168 permit +46.105.73.179 permit +46.105.73.206 permit +46.105.73.214 permit +46.105.73.236 permit +46.105.74.88 permit +46.105.74.94 permit +46.105.74.101 permit +46.105.74.103 permit +46.105.74.114 permit +46.105.74.136 permit +46.105.74.150 permit +46.105.74.156 permit +46.105.74.157 permit +46.105.74.169 permit +46.105.74.173 permit +46.105.74.177 permit +46.105.74.178 permit +46.105.74.185 permit +46.105.74.191 permit +46.105.74.193 permit +46.105.74.197 permit +46.105.74.206 permit +46.105.74.207 permit +46.105.74.208 permit +46.105.74.216 permit +46.105.74.220 permit +46.105.74.241 permit +46.105.74.249 permit +46.105.75.36 permit +46.105.75.89 permit +46.105.75.107 permit +46.105.75.137 permit +46.105.75.150 permit +46.105.75.160 permit +46.105.75.170 permit +46.105.75.197 permit +46.105.76.26 permit +46.105.76.65 permit +46.105.76.144 permit +46.105.76.172 permit 
+46.105.76.173 permit +46.105.76.181 permit +46.105.76.184 permit +46.105.76.196 permit +46.105.77.29 permit +46.105.77.35 permit +46.105.77.68 permit +46.105.77.73 permit +46.105.77.114 permit +46.105.77.209 permit +46.105.77.212 permit +46.105.77.213 permit +46.105.77.232 permit +46.105.78.5 permit +46.105.78.54 permit +46.105.78.203 permit +46.105.78.204 permit +46.105.78.213 permit +46.105.78.218 permit +46.105.79.201 permit +46.105.79.237 permit +87.98.129.247 permit +87.98.130.244 permit +87.98.131.72 permit +87.98.131.103 permit +87.98.133.133 permit +87.98.133.174 permit +87.98.134.233 permit +87.98.135.181 permit +87.98.138.227 permit +87.98.139.99 permit +87.98.139.208 permit +87.98.140.253 permit +87.98.141.82 permit +87.98.143.68 permit +87.98.145.159 permit +87.98.146.108 permit +87.98.146.229 permit +87.98.147.69 permit +87.98.148.115 permit +87.98.148.146 permit +87.98.148.215 permit +87.98.149.19 permit +87.98.150.21 permit +87.98.150.175 permit +87.98.150.177 permit +87.98.150.205 permit +87.98.152.239 permit +87.98.153.124 permit +87.98.155.69 permit +87.98.155.138 permit +87.98.157.236 permit +87.98.158.110 permit +87.98.159.208 permit +87.98.160.151 permit +87.98.162.31 permit +87.98.162.189 permit +87.98.162.229 permit +87.98.163.110 permit +87.98.163.167 permit +87.98.164.98 permit +87.98.165.38 permit +87.98.165.71 permit +87.98.165.232 permit +87.98.166.124 permit +87.98.166.192 permit +87.98.167.122 permit +87.98.168.193 permit +87.98.168.250 permit +87.98.169.13 permit +87.98.169.150 permit +87.98.170.142 permit +87.98.170.166 permit +87.98.170.235 permit +87.98.171.54 permit +87.98.171.122 permit +87.98.171.146 permit +87.98.172.75 permit +87.98.172.162 permit +87.98.172.249 permit +87.98.173.17 permit +87.98.173.103 permit +87.98.173.157 permit +87.98.173.169 permit +87.98.173.225 permit +87.98.174.5 permit +87.98.174.144 permit +87.98.174.156 permit +87.98.176.130 permit +87.98.176.203 permit +87.98.177.69 permit +87.98.177.216 permit 
+87.98.177.220 permit +87.98.177.223 permit +87.98.177.230 permit +87.98.177.235 permit +87.98.177.239 permit +87.98.177.243 permit +87.98.178.36 permit +87.98.178.58 permit +87.98.178.125 permit +87.98.178.174 permit +87.98.179.66 permit +87.98.179.93 permit +87.98.179.142 permit +87.98.180.21 permit +87.98.180.39 permit +87.98.180.195 permit +87.98.180.216 permit +87.98.180.241 permit +87.98.180.252 permit +87.98.181.23 permit +87.98.181.61 permit +87.98.181.88 permit +87.98.181.200 permit +87.98.181.235 permit +87.98.181.237 permit +87.98.181.248 permit +87.98.182.46 permit +87.98.182.69 permit +87.98.182.191 permit +87.98.182.239 permit +87.98.183.136 permit +87.98.183.153 permit +87.98.183.167 permit +87.98.184.65 permit +87.98.184.99 permit +87.98.184.141 permit +87.98.184.158 permit +87.98.184.159 permit +87.98.184.162 permit +87.98.184.163 permit +87.98.184.167 permit +87.98.184.219 permit +87.98.184.254 permit +87.98.185.87 permit +87.98.185.155 permit +87.98.185.180 permit +87.98.185.215 permit +87.98.185.239 permit +87.98.186.98 permit +87.98.186.136 permit +87.98.186.221 permit +87.98.187.172 permit +87.98.187.209 permit +87.98.187.214 permit +87.98.187.215 permit +87.98.187.240 permit +87.98.188.89 permit +87.98.188.193 permit +87.98.188.209 permit +87.98.188.219 permit +87.98.188.226 permit +87.98.189.181 permit +87.98.190.31 permit +87.98.221.139 permit +91.121.46.154 permit +91.121.47.65 permit +91.121.55.239 permit +91.121.57.82 permit +91.121.57.104 permit +91.121.57.155 permit +91.121.57.176 permit +91.121.57.194 permit +91.121.58.189 permit +91.121.59.69 permit +91.121.59.168 permit +91.121.62.11 permit +91.121.62.60 permit +91.121.63.64 permit +178.32.96.90 permit +178.32.96.102 permit +178.32.96.110 permit +178.32.96.118 permit +178.32.96.149 permit +178.32.96.176 permit +178.32.96.204 permit +178.32.97.10 permit +178.32.97.11 permit +178.32.97.129 permit +178.32.97.145 permit +178.32.97.161 permit +178.32.97.206 permit +178.32.97.215 permit 
+178.32.97.238 permit +178.32.97.239 permit +178.32.98.131 permit +178.32.98.231 permit +178.32.98.242 permit +178.32.99.39 permit +178.32.100.81 permit +178.32.100.115 permit +178.32.101.123 permit +178.32.101.241 permit +178.32.102.5 permit +178.32.102.24 permit +178.32.102.156 permit +178.32.102.222 permit +178.32.102.231 permit +178.32.102.249 permit +178.32.103.16 permit +178.32.103.53 permit +178.32.103.160 permit +178.32.104.11 permit +178.32.104.63 permit +178.32.104.182 permit +178.32.104.196 permit +178.32.105.7 permit +178.32.105.32 permit +178.32.105.92 permit +178.32.105.96 permit +178.32.105.254 permit +178.32.106.169 permit +178.32.106.239 permit +178.32.106.250 permit +178.32.107.11 permit +178.32.107.182 permit +178.32.107.186 permit +178.32.107.219 permit +178.32.108.57 permit +178.32.108.119 permit +178.32.108.122 permit +178.32.108.162 permit +178.32.108.172 permit +178.32.109.4 permit +178.32.109.69 permit +178.32.109.123 permit +178.32.109.131 permit +178.32.109.175 permit +178.32.110.17 permit +178.32.110.113 permit +178.32.110.186 permit +178.32.110.197 permit +178.32.110.211 permit +178.32.110.229 permit +178.32.111.20 permit +178.32.111.190 permit +178.32.111.226 permit +178.32.111.254 permit +178.32.112.17 permit +178.32.112.34 permit +178.32.112.193 permit +178.32.112.248 permit +178.32.113.14 permit +178.32.113.43 permit +178.32.113.77 permit +178.32.113.183 permit +178.32.113.248 permit +178.32.114.3 permit +178.32.114.16 permit +178.32.114.76 permit +178.32.114.111 permit +178.32.114.128 permit +178.32.115.34 permit +178.32.115.61 permit +178.32.115.234 permit +178.32.116.1 permit +178.32.116.20 permit +178.32.116.54 permit +178.32.116.77 permit +178.32.116.78 permit +178.32.116.92 permit +178.32.116.214 permit +178.32.116.223 permit +178.32.117.99 permit +178.32.117.227 permit +178.32.117.251 permit +178.32.118.42 permit +178.32.118.78 permit +178.32.118.106 permit +178.32.118.186 permit +178.32.118.208 permit +178.32.118.242 permit 
+178.32.119.10 permit +178.32.119.138 permit +178.32.119.228 permit +178.32.119.250 permit +178.32.120.105 permit +178.32.120.204 permit +178.32.120.213 permit +178.32.120.239 permit +178.32.120.250 permit +178.32.121.12 permit +178.32.121.83 permit +178.32.121.88 permit +178.32.121.112 permit +178.32.121.234 permit +178.32.122.4 permit +178.32.122.241 permit +178.32.122.253 permit +178.32.122.254 permit +178.32.123.89 permit +178.32.123.107 permit +178.32.123.152 permit +178.32.123.170 permit +178.32.123.219 permit +178.32.123.222 permit +178.32.123.254 permit +178.32.124.17 permit +178.32.124.100 permit +178.32.124.216 permit +178.32.124.237 permit +178.32.125.77 permit +178.32.125.81 permit +178.32.125.182 permit +178.32.125.192 permit +178.32.125.228 permit +178.32.125.242 permit +178.32.126.32 permit +178.32.126.83 permit +178.32.126.100 permit +178.32.126.153 permit +178.32.126.168 permit +178.32.126.230 permit +178.32.127.22 permit +178.32.127.41 permit +178.32.127.206 permit +178.32.127.250 permit +178.33.40.126 permit +178.33.40.224 permit +178.33.41.46 permit +178.33.41.51 permit +178.33.41.93 permit +178.33.41.95 permit +178.33.41.96 permit +178.33.41.120 permit +178.33.41.174 permit +178.33.42.89 permit +178.33.42.131 permit +178.33.42.184 permit +178.33.42.201 permit +178.33.42.204 permit +178.33.42.233 permit +178.33.42.253 permit +178.33.43.122 permit +178.33.43.187 permit +178.33.43.227 permit +178.33.43.246 permit +178.33.44.139 permit +178.33.44.150 permit +178.33.44.193 permit +178.33.45.10 permit +178.33.45.29 permit +178.33.45.51 permit +178.33.45.77 permit +178.33.45.107 permit +178.33.45.209 permit +178.33.45.212 permit +178.33.46.10 permit +178.33.46.74 permit +178.33.46.78 permit +178.33.46.151 permit +178.33.46.170 permit +178.33.46.223 permit +178.33.47.24 permit +178.33.47.84 permit +178.33.47.89 permit +178.33.47.94 permit +178.33.47.95 permit +178.33.47.98 permit +178.33.47.183 permit +178.33.104.120 permit +178.33.104.128 permit 
+178.33.104.198 permit +178.33.104.224 permit +178.33.104.238 permit +178.33.104.253 permit +178.33.105.44 permit +178.33.105.89 permit +178.33.105.148 permit +178.33.105.206 permit +178.33.105.229 permit +178.33.105.246 permit +178.33.106.63 permit +178.33.106.72 permit +178.33.106.95 permit +178.33.106.198 permit +178.33.107.29 permit +178.33.107.49 permit +178.33.107.135 permit +178.33.107.136 permit +178.33.107.167 permit +178.33.107.174 permit +178.33.107.184 permit +178.33.107.185 permit +178.33.107.229 permit +178.33.108.33 permit +178.33.108.60 permit +178.33.108.114 permit +178.33.108.132 permit +178.33.108.154 permit +178.33.108.240 permit +178.33.109.12 permit +178.33.109.38 permit +178.33.109.43 permit +178.33.109.65 permit +178.33.109.73 permit +178.33.109.86 permit +178.33.109.94 permit +178.33.109.111 permit +178.33.109.113 permit +178.33.109.147 permit +178.33.109.153 permit +178.33.109.155 permit +178.33.109.196 permit +178.33.110.42 permit +178.33.110.45 permit +178.33.110.99 permit +178.33.110.131 permit +178.33.110.199 permit +178.33.110.207 permit +178.33.110.239 permit +178.33.111.21 permit +178.33.111.23 permit +178.33.111.27 permit +178.33.111.39 permit +178.33.111.133 permit +178.33.111.140 permit +178.33.111.162 permit +178.33.111.214 permit +178.33.111.245 permit +178.33.111.247 permit +178.33.248.11 permit +178.33.248.13 permit +178.33.248.67 permit +178.33.248.87 permit +178.33.248.104 permit +178.33.248.124 permit +178.33.248.175 permit +178.33.248.177 permit +178.33.248.188 permit +178.33.248.196 permit +178.33.249.1 permit +178.33.249.22 permit +178.33.249.100 permit +178.33.249.147 permit +178.33.249.179 permit +178.33.249.243 permit +178.33.250.42 permit +178.33.250.56 permit +178.33.250.138 permit +178.33.250.168 permit +178.33.250.243 permit +178.33.251.8 permit +178.33.251.19 permit +178.33.251.73 permit +178.33.251.76 permit +178.33.251.77 permit +178.33.251.95 permit +178.33.251.104 permit +178.33.251.118 permit 
+178.33.251.152 permit +178.33.252.21 permit +178.33.252.35 permit +178.33.252.88 permit +178.33.252.92 permit +178.33.252.105 permit +178.33.252.135 permit +178.33.252.226 permit +178.33.253.8 permit +178.33.253.26 permit +178.33.253.27 permit +178.33.253.33 permit +178.33.253.54 permit +178.33.253.115 permit +178.33.253.120 permit +178.33.253.128 permit +178.33.253.167 permit +178.33.254.4 permit +178.33.254.52 permit +178.33.254.102 permit +178.33.254.123 permit +178.33.254.212 permit +178.33.255.60 permit +178.33.255.105 permit +178.33.255.125 permit +178.33.255.148 permit +178.33.255.172 permit +178.33.255.211 permit +178.33.255.223 permit +188.165.32.12 permit +188.165.32.128 permit +188.165.33.69 permit +188.165.33.85 permit +188.165.33.109 permit +188.165.33.112 permit +188.165.33.202 permit +188.165.34.115 permit +188.165.34.173 permit +188.165.34.209 permit +188.165.34.231 permit +188.165.34.248 permit +188.165.35.18 permit +188.165.35.127 permit +188.165.35.227 permit +188.165.35.233 permit +188.165.35.242 permit +188.165.36.73 permit +188.165.36.253 permit +188.165.37.20 permit +188.165.37.95 permit +188.165.37.237 permit +188.165.38.115 permit +188.165.38.119 permit +188.165.38.159 permit +188.165.38.175 permit +188.165.38.208 permit +188.165.38.218 permit +188.165.38.232 permit +188.165.39.66 permit +188.165.39.72 permit +188.165.39.161 permit +188.165.39.164 permit +188.165.39.188 permit +188.165.39.192 permit +188.165.39.218 permit +188.165.39.222 permit +188.165.40.97 permit +188.165.40.146 permit +188.165.41.37 permit +188.165.41.62 permit +188.165.41.99 permit +188.165.41.179 permit +188.165.41.191 permit +188.165.41.226 permit +188.165.41.254 permit +188.165.42.35 permit +188.165.42.94 permit +188.165.42.182 permit +188.165.42.213 permit +188.165.43.4 permit +188.165.43.97 permit +188.165.43.98 permit +188.165.43.119 permit +188.165.43.123 permit +188.165.43.173 permit +188.165.44.15 permit +188.165.44.50 permit +188.165.44.154 permit 
+188.165.44.165 permit +188.165.44.187 permit +188.165.44.201 permit +188.165.45.114 permit +188.165.45.168 permit +188.165.45.178 permit +188.165.45.216 permit +188.165.46.33 permit +188.165.46.37 permit +188.165.46.67 permit +188.165.46.149 permit +188.165.46.247 permit +188.165.46.248 permit +188.165.47.15 permit +188.165.47.41 permit +188.165.47.65 permit +188.165.47.147 permit +188.165.47.200 permit +188.165.48.26 permit +188.165.48.29 permit +188.165.48.107 permit +188.165.48.139 permit +188.165.48.140 permit +188.165.48.182 permit +188.165.48.198 permit +188.165.48.212 permit +188.165.49.9 permit +188.165.49.161 permit +188.165.50.212 permit +188.165.50.233 permit +188.165.50.246 permit +188.165.51.82 permit +188.165.51.94 permit +188.165.51.121 permit +188.165.51.161 permit +188.165.51.182 permit +188.165.52.59 permit +188.165.52.147 permit +188.165.52.190 permit +188.165.52.236 permit +188.165.52.239 permit +188.165.53.9 permit +188.165.53.117 permit +188.165.53.119 permit +188.165.53.149 permit +188.165.53.156 permit +188.165.53.235 permit +188.165.53.247 permit +188.165.53.252 permit +188.165.54.43 permit +188.165.54.92 permit +188.165.54.133 permit +188.165.54.143 permit +188.165.54.176 permit +188.165.55.20 permit +188.165.55.102 permit +188.165.55.104 permit +188.165.55.128 permit +188.165.55.186 permit +188.165.55.229 permit +188.165.55.230 permit +188.165.56.67 permit +188.165.56.90 permit +188.165.56.92 permit +188.165.56.124 permit +188.165.56.131 permit +188.165.56.145 permit +188.165.56.158 permit +188.165.56.163 permit +188.165.56.177 permit +188.165.56.217 permit +188.165.56.249 permit +188.165.56.252 permit +188.165.57.91 permit +188.165.57.92 permit +188.165.57.218 permit +188.165.57.246 permit +188.165.58.38 permit +188.165.58.45 permit +188.165.59.28 permit +188.165.59.30 permit +188.165.59.37 permit +188.165.60.7 permit +188.165.60.123 permit +188.165.60.158 permit +188.165.60.244 permit +188.165.61.18 permit +188.165.61.21 permit 
+188.165.61.22 permit +188.165.61.53 permit +188.165.61.70 permit +213.186.56.160 permit diff --git a/postwhite b/postwhite index 86ce569..fab86bb 100755 --- a/postwhite +++ b/postwhite @@ -6,8 +6,8 @@ # By Steve Jenkins (https://www.stevejenkins.com/) # ################################################################### -version="3.3" -lastupdated="25 March 2018" +version="3.4" +lastupdated="14 April 2018" # Usage: 1) Place entire /postwhite directory in /usr/local/bin # 2) Move postwhite.conf to /etc diff --git a/query_mailer_ovh b/query_mailer_ovh new file mode 100755 index 0000000..5abf017 --- /dev/null +++ b/query_mailer_ovh 
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+###########################################################################
+# Query Mailer - Generates a Postscreen whitelist for a mailhost that #
+# doesn't publish their outbound mailer IPs via SPF records #
+# https://github.com/stevejenkins/postwhite #
+###########################################################################
+
+# By Jesse Norell (https://github.com/jnorell)
+# and Steve Jenkins (https://www.stevejenkins.com/)
+
+version="1.0"
+lastupdated="14 April 2018"
+
+temp_file="/tmp/ovh_hosts.txt"
+whitelist_file="/etc/postfix/postscreen_ovh_whitelist.cidr"
+
+###########################################################################
+
+# This script uses "mail-out.ovh.net" as a working example of a mailhost
+# that does not publish their outbound mailer IP address via SPF records. To
+# use this script as a template for additional hosts:
+
+# 1. Copy this script to a new unique filename
+# 2. Edit the script's mailhost and numerical range values as required
+# 3. Set a unique output file (/etc/postfix/postscreen_*_whitelist.cidr)
+# 4. Configure cron to run the new script as often as you like
+# 5. Include the output file in Postfix's postscreen_access_list parameter
+
+###########################################################################
+
+# Uncomment to see output
+set -x
+
+printf "Querying outbound IP addresses. This could take a while...\n"
+
+# Query user-defined mailer range
+
+for a in {1..50};
+ do for b in {1..50};
+ do host ${a}.mo${b}.mail-out.ovh.net;
+ done;
+done > $temp_file
+
+# Format queried hosts
+
+printf "Formatting custom whitelist...\n"
+
+grep 'has address' /tmp/ovh_hosts.txt | awk '{print $4 " permit"}' | sort -uV > $whitelist_file
+
+# Restart Postfix
+
+printf "Restarting Postfix...\n"
+
+postfix reload
+
+# All done!
+
+printf "Done!\n"
+
+exit
From b2370d3c55b869922dcd7042cc4ef2d754d2510e Mon Sep 17 00:00:00 2001
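Review bot: The lookup results are staged in the fixed path `/tmp/ovh_hosts.txt`, and the script is meant to run from cron with enough privilege to write under `/etc/postfix` and reload Postfix (presumably root). Any local account can pre-create or symlink that name, so the `> $temp_file` redirect can overwrite an unrelated file, and lines the script did not write can end up as `permit` entries in the postscreen list. The file should come from `mktemp` and be removed in an EXIT trap, and the `grep` should read `"$temp_file"` rather than repeating the literal path. The loop also depends on `{1..50}` brace expansion, which `#!/bin/sh` does not guarantee (dash leaves it literal, giving a single bogus lookup), so the shebang should name bash. Finally, a failed or empty lookup run truncates the live whitelist before the reload; writing to a sibling file and moving it into place only when it is non-empty avoids that.

```shell
#!/bin/bash
# … unchanged: header, version, lastupdated …
temp_file=$(mktemp) || exit 1
trap 'rm -f -- "$temp_file" "${whitelist_file}.new"' EXIT
# … unchanged: whitelist_file, usage notes, host lookup loop …
grep 'has address' "$temp_file" | awk '{print $4 " permit"}' | sort -uV > "${whitelist_file}.new"
# Keep the previous list when the lookups returned nothing
[ -s "${whitelist_file}.new" ] || exit 1
mv -- "${whitelist_file}.new" "$whitelist_file"
# … unchanged: postfix reload …
```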
From: stevejenkins Date: Sat, 14 Apr 2018 10:06:35 -0700 Subject: [PATCH 13/14] Updated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8da6829..c0aeb88 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ To add your own additional custom hosts, add them to the ```custom_hosts``` sect Additional trusted mailers are added to the script from time to time, so check back periodically for new versions, or "Watch" this repo to receive update notifications. -## Hosts That Don't Publish Their Outbound Mailers via SPF Records +## Hosts that Don't Publish their Outbound Mailers via SPF Records Because Postwhite relies on published SPF records to build its whitelist, mailers who refuse to publish outbound mailer IP addresses via SPF are problematic. The largest such host is Yahoo!, which is dealt with separately (see below). For smaller mailhosts without SPF-published mailer lists, the included `query_host_ovh` file is a working example of a script that queries a range of hostnames for a specific mailer (`mail-out.ovh.net` in the included example), collects valid IP addresses, and includes them in a custom whitelist. The new custom whitelist may then be included in as an additional entry in your Postfix's `postscreen_access_list` parameter (see **Usage** above). To create additional customized query scripts for mailers that don't publish outbound IPs via SPF, copy the example `query_host_ovh` file to a new unique filename, edit the script's mailhost and numerical range values as required, set a unique output file (`/etc/postfix/postscreen_*_whitelist.cidr`), include the output file in Postfix's `postscreen_access_list` parameter, then configure cron to run the new query script periodically. From 0cac3857d58d64d3977abc1a89d04deecb6abbe2 Mon Sep 17 00:00:00 2001 
From: Steve Jenkins Date: Sat, 14 Apr 2018 11:11:56 -0600 Subject: [PATCH 14/14] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c0aeb88..767b71f 100644 --- a/README.md +++ b/README.md 
@@ -76,7 +76,7 @@ To add your own additional custom hosts, add them to the ```custom_hosts``` sect Additional trusted mailers are added to the script from time to time, so check back periodically for new versions, or "Watch" this repo to receive update notifications. ## Hosts that Don't Publish their Outbound Mailers via SPF Records -Because Postwhite relies on published SPF records to build its whitelist, mailers who refuse to publish outbound mailer IP addresses via SPF are problematic. The largest such host is Yahoo!, which is dealt with separately (see below). For smaller mailhosts without SPF-published mailer lists, the included `query_host_ovh` file is a working example of a script that queries a range of hostnames for a specific mailer (`mail-out.ovh.net` in the included example), collects valid IP addresses, and includes them in a custom whitelist. The new custom whitelist may then be included in as an additional entry in your Postfix's `postscreen_access_list` parameter (see **Usage** above). +Because Postwhite relies on published SPF records to build its whitelist, mailers who refuse to publish outbound mailer IP addresses via SPF are problematic. The largest such host is Yahoo!, which is dealt with separately (see below). For smaller mailhosts without SPF-published mailer lists, the included `query_host_ovh` file is a working example of a script that queries a range of hostnames for a specific mailer (`mail-out.ovh.net` in the included example), collects valid IP addresses, and includes them in a custom whitelist. The new custom whitelist may then be included in as an additional entry in your Postfix's `postscreen_access_list` parameter (see **Usage** above). An example of the `query_host_ovh` file's output is included in the `/examples/` folder as `postscreen_ovh_whitelist.cidr`. 
To create additional customized query scripts for mailers that don't publish outbound IPs via SPF, copy the example `query_host_ovh` file to a new unique filename, edit the script's mailhost and numerical range values as required, set a unique output file (`/etc/postfix/postscreen_*_whitelist.cidr`), include the output file in Postfix's `postscreen_access_list` parameter, then configure cron to run the new query script periodically. 
@@ -122,7 +122,7 @@ http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-i * I have no way of validating IPv6 CIDRs yet. For now, the script assumes all SPF-published IPv6 CIDRs are valid and includes them in the whitelist. -* I've improved the sorting by doing the ```uniq``` separately, after the sort. ```sort -u -V``` is still ideal, but it the ```-V``` option doesn't exist on all platforms (OSX doesn't support it, for example). For now, I can live with the two-step ```sort``` and ```uniq```, even though the final output splits the IPv6 address into two grips: those that start with letters and numbers (2a00, 2a01, etc.) at the top, and those that start with numbers only (2001, 2004, etc.) at the bottom. All the IPv4 addresses in the middle are sorted properly. See the **testdata** directory for examples of different sorting attempts or to play around with your own attempts at sorting. If you have any suggestions to improve the sorting without losing any data, I'm all ears! +* I've improved the sorting by doing the ```uniq``` separately, after the sort. ```sort -u -V``` is still ideal, but it the ```-V``` option doesn't exist on all platforms (OSX doesn't support it, for example). For now, I can live with the two-step ```sort``` and ```uniq```, even though the final output splits the IPv6 address into two grips: those that start with letters and numbers (2a00, 2a01, etc.) at the top, and those that start with numbers only (2001, 2004, etc.) at the bottom. All the IPv4 addresses in the middle are sorted properly. See the `/testdata/` folder for examples of different sorting attempts or to play around with your own attempts at sorting. If you have any suggestions to improve the sorting without losing any data, I'm all ears! 
# Suggestions for Additional Mailers If you're a Postfix admin who sees a good number of ```PASS OLD``` entries for Postscreen in your mail logs, and have a suggestion for an additional mail host that might be a good candidate to include in Postwhite, please comment on this issue: https://github.com/stevejenkins/postwhite/issues/2