From: Ralf Hildebrandt on 16 Jun 2010 16:04

Today I got this bounce from somebody whose mail had been rejected:

<catalog-sig(a)python.org>: Protocol error: host
mail.python.org[82.94.164.166] refused to talk to me:
220-mail.python.org ESMTP Postfix 521 5.7.1 Blocked by DNSBL

It was quite hard finding this in my log, since the bounce from the
French system only contained hostnames which would not resolve :(

May I recommend that Postfix at least emits the IP in its rejection message, e.g. like:

521 5.7.1 123.123.123.123 Blocked by DNSBL

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de

From: Wietse Venema on 16 Jun 2010 18:45

Ralf Hildebrandt:
> Today I got this bounce from somebody whose mail had been rejected:
>
> <catalog-sig(a)python.org>: Protocol error: host
> mail.python.org[82.94.164.166] refused to talk to me:
> 220-mail.python.org ESMTP Postfix 521 5.7.1 Blocked by DNSBL
>
> It was quite hard finding this in my log, since the bounce from the
> French system only contained hostnames which would not resolve :(
>
> May I recommend that Postfix at least emits the IP in its rejection message, e.g. like:
>
> 521 5.7.1 123.123.123.123 Blocked by DNSBL

That would be redundant because Postfix already logs:

Jun 16 00:00:55 spike postfix/postscreen[78055]: DNSBL rank 1 for 115.174.34.7

I will update the logging once postscreen has a built-in smtp-sink
engine that can log the client, helo, sender and recipient.

Once that is in place postscreen can have weighted DNSBLs and simplified
greylisting, and by then it becomes viable for the stable release.

Wietse

From: Noel Jones on 16 Jun 2010 19:34

On 6/16/2010 5:45 PM, Wietse Venema wrote:
> Ralf Hildebrandt:
>> Today I got this bounce from somebody whose mail had been rejected:
>>
>> <catalog-sig(a)python.org>: Protocol error: host
>> mail.python.org[82.94.164.166] refused to talk to me:
>> 220-mail.python.org ESMTP Postfix 521 5.7.1 Blocked by DNSBL
>>
>> It was quite hard finding this in my log, since the bounce from the
>> French system only contained hostnames which would not resolve :(
>>
>> May I recommend that Postfix at least emits the IP in its rejection message, e.g. like:
>>
>> 521 5.7.1 123.123.123.123 Blocked by DNSBL
>
> That would be redundant because Postfix already logs:
>
> Jun 16 00:00:55 spike postfix/postscreen[78055]: DNSBL rank 1 for 115.174.34.7
>
> I will update the logging once postscreen has a built-in smtp-sink
> engine that can log the client, helo, sender and recipient.
>
> Once that is in place postscreen can have weighted DNSBLs and simplified
> greylisting, and by then it becomes viable for the stable release.
>
> Wietse

I believe Ralf's request is about the smtp rejection message
sent to the remote client, not about postfix logging.

i.e. the current reject response in postscreen.c around line
920 or so looks something like:

    if (dnsbl_action == PS_ACT_DROP) {
        smtp_reply(vstream_fileno(state->smtp_client_stream),
                   state->smtp_client_addr, state->smtp_client_port,
                   "521 5.7.1 Blocked by DNSBL\r\n");
        state->flags |= PS_FLAG_NOFORWARD;
    }

Often complaints are reported by a remote customer forwarding
the reject message by an alternate channel. It would be easier
to track down customer complaints if the reject message contained
"521 5.7.1 Client 192.0.2.1 Blocked by DNSBL"

Yes, the enhanced logging would help too, since you could then
search logs for the rejected sender, but this is a far smaller
change that would help a great deal in some cases.

(I wanted to include a patch, but my C foo is limited to
cut-and-paste, and sometimes I manage to mess that up too.)

--
Noel Jones

From: Wietse Venema on 16 Jun 2010 21:00

Noel Jones:
> I believe Ralf's request is about the smtp rejection message
> sent to the remote client, not about postfix logging.
>
> ie. the current reject response in postscreen.c around line
> 920 or so looks something like:
>
>     if (dnsbl_action == PS_ACT_DROP) {
>         smtp_reply(vstream_fileno(state->smtp_client_stream),
>                    state->smtp_client_addr, state->smtp_client_port,
>                    "521 5.7.1 Blocked by DNSBL\r\n");
>         state->flags |= PS_FLAG_NOFORWARD;
>     }
>
> Often complaints are reported by a remote customer forwarding
> the reject message by an alternate channel. It would be easier
> to track down customer complaints if the reject message contained
> "521 5.7.1 Client 192.0.2.1 Blocked by DNSBL"
>
>
> Yes, the enhanced logging would help too, since you could then
> search logs for the rejected sender, but this is a far smaller
> change that would help a great deal in some cases.
>
> (I wanted to include a patch, but my C foo is limited to
> cut-and-paste, and sometimes I manage to mess that up too.)

It will involve more change, as smtp_reply() currently does not
take a format string. All smtp_reply() calls would need to be
replaced by smtp_reply(handle, addr, port, "%s", text).

The alternative, a second smtp_reply() function that does take a
format string, would be asking for format string errors.

Wietse
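
Added example, not part of the thread and not Postfix source: one way to put the client address into the reply while keeping the property Wietse describes, namely that the send path never interprets its text as a format string. reply_text(), addr_is_printable_ip() and build_dnsbl_reply() are hypothetical names; the only format string is a compile-time constant and the address is passed to it as a %s argument.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a reply sender that takes plain text, not a
 * format string: the text is copied byte for byte, so a '%' in it is data. */
static size_t reply_text(char *out, size_t outlen, const char *text)
{
    size_t n = strlen(text);

    if (n >= outlen)
        return 0;               /* refuse to truncate an SMTP reply */
    memcpy(out, text, n + 1);
    return n;
}

/* Accept only characters that can occur in a printable IPv4/IPv6 address. */
static int addr_is_printable_ip(const char *addr)
{
    size_t n = strlen(addr);

    return n > 0 && n <= 45 && strspn(addr, "0123456789abcdefABCDEF.:") == n;
}

/* Build the reply proposed in the thread. The format is a compile-time
 * constant; the client address is only ever an argument to %s. */
static int build_dnsbl_reply(char *buf, size_t buflen, const char *client_addr)
{
    int n;

    if (!addr_is_printable_ip(client_addr))
        return -1;              /* not an address: keep it off the wire */
    n = snprintf(buf, buflen, "521 5.7.1 Client %s Blocked by DNSBL\r\n",
                 client_addr);
    if (n < 0 || (size_t) n >= buflen)
        return -1;              /* encoding error or truncated reply */
    return n;
}

int main(void)
{
    char reply[128], wire[128];

    /* 192.0.2.1 is a constructed sample address (documentation range). */
    if (build_dnsbl_reply(reply, sizeof(reply), "192.0.2.1") > 0
        && reply_text(wire, sizeof(wire), reply) > 0)
        fputs(wire, stdout);
    return 0;
}
```
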

From: Ralf Hildebrandt on 17 Jun 2010 03:32

* Wietse Venema <wietse(a)porcupine.org>:
> Ralf Hildebrandt:
> > Today I got this bounce from somebody whose mail had been rejected:
> >
> > <catalog-sig(a)python.org>: Protocol error: host
> > mail.python.org[82.94.164.166] refused to talk to me:
> > 220-mail.python.org ESMTP Postfix 521 5.7.1 Blocked by DNSBL
> >
> > It was quite hard finding this in my log, since the bounce from the
> > French system only contained hostnames which would not resolve :(
> >
> > May I recommend that Postfix at least emits the IP in its rejection message, e.g. like:
> >
> > 521 5.7.1 123.123.123.123 Blocked by DNSBL
>
> That would be redundant because Postfix already logs:
>
> Jun 16 00:00:55 spike postfix/postscreen[78055]: DNSBL rank 1 for 115.174.34.7

If all I have is the bounce from some remote system (which, like I said,
contains only bullshit hostnames), then I cannot find the IP from that
bounce, since the bounce only contains the Postfix message:
"521 5.7.1 Blocked by DNSBL" (no IP there)

I was only able to find the rejection based on that sender OTHER / PRIOR
use email before the incident. I then had an IP range (not even a single
IP!) which I could grep for in the log.

Admittedly, this only happened ONCE and for an obscure DNSBL which I
then removed from the config.

> I will update the logging once postscreen has a built-in smtp-sink
> engine that can log the client, helo, sender and recipient.

In that case it would be sufficient, yes.

> Once that is in place postscreen can have weighted DNSBLs and simplified
> greylisting, and by then it becomes viable for the stable release.

Again, that would be really cool.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de