From: JF Mezei on 21 May 2010 05:20

I am new to the list.

This is on OS-X Server 10.6.3 on an Xserve with postfix 2.5.5 that came
with the system.

I have a situation where using zen.spamhaus.org, spam gets through
despite zen saying that IP is bad.

Here is a sample error message:

connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
May 19 01:09:15 velo postfix/smtpdP26473]: warning:
22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
not found. Name service error for name=22.139.252.67.zen.spamhaus.org
type=A: Host not found, try again

nslookup 22.139.252.67.zen.spamhaus.org
Server: 10.0.0.20
Address: 10.0.0.20#53

Non-authoritative answer:
Name: 22.139.252.67.zen.spamhaus.org
Address: 127.0.0.10
Name: 22.139.252.67.zen.spamhaus.org
Address: 127.0.0.4

Is it possible that the postfix software barfs when the RBL lookup
returns multiple responses and lets the message through?

Is there a way to fix this (other than removing zen and adding the
individual lists it contains)?

This is a low volume server. And if I exceeded my daily quota, wouldn't
the nslookup command also fail?

From: Wietse Venema on 21 May 2010 07:10

JF Mezei:
> I am new to the list.
>
> This is on OS-X Server 10.6.3 on an Xserve with postfix 2.5.5 that came
> with the system.
>
>
> I have a situation where using zen.spamhaus.org , spam gets through
> despite zen saying that IP is bad.
>
> here is a sample error message:
>
> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> type=A: Host not found, try again

You have a mis-configured name service that breaks Postfix's
DNS lookups.

That can be due to bad contents in the resolv.conf file that
POSTFIX uses, or some missing file that is needed to resolve names
(not necessarily the same file as when YOU type commands).

It can also be due to a file or DIRECTORY permission problem.
POSTFIX does not use root privileges, whereas users often debug
problems as root. For that, the simple solution is to debug DNS
lookups as a non-root user.

Wietse

From: JF Mezei on 21 May 2010 07:44

Wietse Venema wrote:

>> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
>> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
>> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
>> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
>> type=A: Host not found, try again
>
> You have a mis-configured name service that breaks Postfix's
> DNS lookups.

But I have plenty of hits where the RBL lookups work fine and block
messages (or let them pass through). If my DNS was problematic, wouldn't
it fail for all RBL lookups?

Every "RBL lookup error" IP I have manually tested with nslookup
returned multiple IP addresses as response to the zen.spamhaus.org
request. But I can't say that they ALL did it because I didn't test all
such messages.

Similarly, every IP that was successfully rejected had only one response
when using nslookup (but I can't say ALL because I only tested a sample).

An example where it works:

May 21 04:58:31 velo postfix/smtpd[94073]: NOQUEUE: reject: RCPT from
p5099e3b4.dip0.t-ipconnect.de[80.153.227.180]: 521 5.7.1
www.spamhaus.org considers your IP address 80.153.227.180 as
inappropriate; from=<aahonuryk3493(a)t-ipconnect.de>
to=<jfmezei(a)vIxEnation.ca> proto=ESMTP helo=<t-ipconnect.de>

Postfix finds the message format in my
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps

And I have:
reject_rbl_client zen.spamhaus.org,
in the smtpd_recipient_restrictions

A non-privileged user is able to read /etc/resolv.conf

What else should I look for/test?

From: Wietse Venema on 21 May 2010 08:46

JF Mezei:
> Wietse Venema wrote:
>
> >> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> >> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> >> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> >> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> >> type=A: Host not found, try again
> >
> > You have a mis-configured name service that breaks Postfix's
> > DNS lookups.
>
> But I have plenty of hits where the RBL lookups work fine and block
> messages (or let them pass through). If my DNS was problematic, wouldn't
> it fail for all RBL lookups ?

Your problem report had ZERO evidence that other Spamhaus lookups
succeed. Given a useless problem report, we are just wasting each
other's time.

> Every "RBL lookup error" IP I have manually tested with nslookup
> returned multiple ip addresses as response to the zen.spamhaus.org
> request. But I can't say that they ALL did it because I didn't test all
> such messages.

Your manual DNS tests are made at a different time than Postfix's
DNS lookups. Successful measurements made at a different time prove
nothing about the conditions when the lookup failed.

If the same lookup fails or succeeds at different times, then that
is almost certainly a problem with DNS requests being dropped.

If you believe that dropped replies depend on the form of the
response, then you need to prove that with evidence.

All this is easy enough to debug by recording the DNS traffic at
your end with a network sniffer over a longer period of time. Then,
you can go back in time and see what queries were sent and what
replies were returned, if any.

Wietse

From: Stan Hoeppner on 21 May 2010 13:55

JF Mezei put forth on 5/21/2010 4:20 AM:

> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> type=A: Host not found, try again

That error is telling you Postfix can't locate zen.spamhaus.org. You're
misreading the error. If I'm not mistaken, this is the same error I
received when I switched my Postfix MX to use Google Public resolvers
(without checking the Spamhaus TOS first) quite a while ago. I discovered,
with help from this list, that Spamhaus blocks Google's public resolvers,
as well as many other "public" type resolvers, such as many ISPs--basically
any single IP address that surpasses the query volume threshold for free use.

The best long term solution is to install something like PowerDNS recursor,
which is a very lightweight caching resolver. I installed it many months
ago. It solved this problem permanently, and my Postfix performance
increased a bit to boot due to lower latency on client rDNS and dnsbl lookups.

--
Stan
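
The distinction the thread turns on, as an added example that is not part of any poster's message: a small Python checker that builds the reversed-octet query name and separates "listed" (one or several 127.x answers), "not listed" (name does not exist) and a temporary resolver failure, the case Postfix logged as "Host not found, try again". The function names and the injectable resolve parameter are assumptions made for this illustration.

```python
import ipaddress
import socket
import sys

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return every A record for name, using the system resolver config."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

# Resolver error codes that mean "this name has no A record" (a clean miss).
_NO_RECORD = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def check(ip, zone="zen.spamhaus.org", resolve=system_resolver):
    """Return (status, query_name, answers) for one DNSBL lookup.

    status is 'listed', 'not_listed', 'temp_error' or 'unexpected'.
    """
    name = dnsbl_name(ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror as exc:
        if exc.errno in _NO_RECORD:
            return ("not_listed", name, [])
        # Timeouts, dropped replies, refused queries: the lookup gave no
        # verdict, so this must not be read as "the client is clean".
        return ("temp_error", name, [])
    unique = sorted(set(answers), key=ipaddress.IPv4Address)
    if unique and all(a.startswith("127.") for a in unique):
        # Several A records in one answer is a normal DNSBL reply.
        return ("listed", name, unique)
    return ("unexpected", name, unique)

if __name__ == "__main__":
    # Default argument is the client address quoted in the thread.
    for addr in sys.argv[1:] or ["67.252.139.22"]:
        print(*check(addr))
```

Run it repeatedly as an unprivileged user on the mail host rather than as root, so it goes through the same resolver configuration and file permissions the thread says Postfix depends on; an intermittent temp_error result points at the resolver path, not at the number of records in the reply.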