From: donovan jeffrey j on
Greetings

I have been seeing tons of errors coming from Spamhaus; it seems it's not resolving, at least for me. Is anyone else having any problems?

Apr 19 08:21:48 mail2 postfix/smtpd[21485]: warning: 130.60.141.41.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=130.60.141.41.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:49 mail2 postfix/smtpd[21433]: warning: 70.195.122.178.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=70.195.122.178.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21427]: warning: 26.125.83.80.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=26.125.83.80.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21324]: warning: 163.152.43.91.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=163.152.43.91.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:51 mail2 postfix/smtpd[21397]: warning: 23.118.201.117.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=23.118.201.117.zen.spamhaus.org type=A: Host not found, try again

postconf -n | grep zen
maps_rbl_domains = zen.spamhaus.org,bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, hash:/etc/postfix/smtpdreject reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net permit
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access check_sender_mx_access cidr:/etc/postfix/reject_private_mx.cidr warn_if_reject reject_unknown_client, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname,reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unauth_pipelining, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit


abuseat.org is working fine. I'm only having trouble with zen.
Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; from=<duser(a)beth.k12.pa.us> to=<duser(a)beth.k12.pa.us> proto=ESMTP helo=<[117.201.69.50]>


Any ideas?

-jeff
From: Ralf Hildebrandt on
* donovan jeffrey j <donovan(a)beth.k12.pa.us>:
> Greetings
>
> I have been seeing tons of errors coming from Spamhaus; it seems it's not resolving, at least for me. Is anyone else having any problems?

You might have been blocked because you exceeded the limits for free
usage.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de


From: "Steve" on

-------- Original Message --------
> Date: Mon, 19 Apr 2010 20:52:57 -0500
> From: Noel Jones <njones(a)megan.vbhcs.org>
> To: postfix-users(a)postfix.org
> Subject: Re: DNS RBL error

> On 4/19/2010 8:22 PM, Steve wrote:
> >
> > -------- Original Message --------
> >> Date: Mon, 19 Apr 2010 21:03:51 -0400
> >> From: donovan jeffrey j<donovan(a)beth.k12.pa.us>
> >> To: Ralf Hildebrandt<Ralf.Hildebrandt(a)charite.de>
> >> CC: Postfix users<postfix-users(a)postfix.org>
> >> Subject: Re: DNS RBL error
> >
> >>
> >> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
> >>>
> >>> Rather test with:
> >>> 2.0.0.127.zen.spamhaus.org
> >>>
> >>> which should return:
> >>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
> >>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> >>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
> >>
> >> Yes, this is working now.
> >>
> >> Question on my setup. My primary MX server sits inside my network, with a
> >> NATed IP. My postfix config references only the inside network.
> >> Should I move this MX server outside and use its public address in the
> >> config? Inbound mail gets checked and relayed to a content filter on
> >> another server.
> >>
> >> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
> >>
> >> Or am I fine leaving it behind the NAT?
> >> To help fix the DNS problem I want to run a cache-only DNS on the primary
> >> MX. Not sure I wanted that inside or outside. I'm leaning to outside.
> >> Tips, flames welcome.
> >>
> > You can run that caching DNS wherever you want as long as you secure
> > that DNS. If you use BIND and are using forwarders to your ISP name servers
> > then that caching will not necessarily help much if your ISP's NS are the
> > problem.
> >
> > If this is the case then instruct your BIND to forward queries for
> > spamhaus.org directly to their name servers instead of going over your ISP's
> > name servers. Something like the following might be helpful to you:
> > ------------------------------------------
> > zone "spamhaus.org" in {
> > type forward;
> > allow-query { 127.0.0.1; };
> > forwarders {
> > 82.94.216.239; // ns8.spamhaus.org
> > 194.82.174.6; // ns20.ja.net
> > 149.20.58.65; // ns.dns-oarc.net
> > 194.109.9.101; // ns3.xs4all.nl
> > 207.241.224.5; // ns2.spamhaus.org
> > 192.150.94.200; // ns3.spamhaus.org
> > 195.169.124.71; // ns3.surfnet.nl
> > };
> > ------------------------------------------
> >
>
> Much simpler to just turn off forwarding for that zone. Bind
> can figure it out itself without you having to update manually.
> zone "spamhaus.org" in {
> type forward;
> forwarders {};
> };
>
That is right. I just wanted to be extra verbose. Do you remember the time when spamhaus.org got removed from some big DNS servers because of some obscure legal thing going against them in the States? Well, way back then one of the ways to still use spamhaus.org was to directly hardwire those forwarders into the zone definition.

Of course, omitting those forwarders inside the zone definition will force BIND to figure out the name servers of the domain and use those.

Just yesterday I had one user on a mailing list that is hosted on SourceForge and where I have admin rights complaining that he could not send mail to the list. He was claiming that he had subscribed weeks ago and that out of the blue he was not able to send mails to the list. He was able to, but he needs to subscribe in order to be able to post.

Anyway... to make the story short: he got removed by Mailman after a bunch of NDRs. Looking at his name servers showed a (in my view, catastrophic) mess.

This is a part of the mail text from me to him:
=================================================
I see as well that your domain is not set up correctly on the DNS level. Maybe on purpose?

If I query the NS entries of your domain from my infrastructure then I get (I masked his domain with XxXxX):
-----------------------------------
theia ~ # dig +short in ns XxXxXxX.com
ns1.setupsite.com.
ns5.eapps.com.
ns1.eapps.com.
ns2.eapps.com.
ns6.eapps.com.
theia ~ #
-----------------------------------

Doing the same from a cable provider in Switzerland I get:
-----------------------------------
netbox ~ # dig +short in ns XxXxXxX.com
ns1.setupsite.com.
ns2.setupsite.com.
netbox ~ #
-----------------------------------

Doing the same from a hoster in Germany I get:
-----------------------------------
janosch ~ # dig +short in ns XxXxXxX.com
ns2.setupsite.com.
ns1.setupsite.com.
ns1.eapps.com.
janosch ~ #
-----------------------------------

Even their serial is not in sync (from my system):
-----------------------------------
theia ~ # dig +short in ns XxXxXxX.com|sed "s:\.$::"|while read foo;do echo "${foo}: $(dig @${foo} +short in soa XxXxXxX.com)";done
ns6.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
ns1.setupsite.com: ns1.setupsite.com. admin.setupsite.com. 2007010130 3600 600 1209600 3600
ns2.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
ns1.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
ns5.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
theia ~ #
-----------------------------------

From the Swiss cable provider:
-----------------------------------
netbox ~ # dig +short in ns XxXxXxX.com|sed "s:\.$::"|while read foo;do echo "${foo}: $(dig @${foo} +short in soa XxXxXxX.com)";done
ns2.setupsite.com: ns1.setupsite.com. setupsite.com. 2005120809 3600 600 1209600 3600
ns1.setupsite.com: ns1.setupsite.com. admin.setupsite.com. 2007010130 3600 600 1209600 3600
netbox ~ #
-----------------------------------

From the German hoster:
-----------------------------------
netbox ~ # dig +short in ns XxXxXxX.com|sed "s:\.$::"|while read foo;do echo "${foo}: $(dig @${foo} +short in soa XxXxXxX.com)";done
ns1.setupsite.com: ns1.setupsite.com. admin.setupsite.com. 2007010130 3600 600 1209600 3600
ns2.setupsite.com: ns1.setupsite.com. setupsite.com. 2005120809 3600 600 1209600 3600
netbox ~ #
-----------------------------------
=================================================

And now back to that spamhaus.org zone file. Yes, you are absolutely right that you don't need to specify those forwarders. But since the OP had issues with DNS, it could well be possible that he would have better results by hardwiring those forwarders.


> -- Noel Jones
>
Steve
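Steve's dig loop above and the OP's failing RBL lookups earlier in the thread, as an added example (my code, not from any poster): it rebuilds the reversed-octet query name Postfix asks the RBL for, and compares NS sets and SOA serials across vantage points the way the loop above does. The `dig` wrapper and the sample dictionaries are constructed here; the sample values are the ones quoted in the thread.

```python
"""Two checks from this thread: the reversed-octet RBL query name Postfix sends,
and the NS-set / SOA-serial consistency test Steve ran with dig (constructed example)."""
import subprocess

def dig_short(name, rtype="A", server=None):
    """Thin wrapper around `dig +short`; returns answer lines, [] on any failure."""
    cmd = ["dig", "+short"] + ([f"@{server}"] if server else []) + [name, rtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]

def rbl_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets of an IPv4 client address and append the RBL zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def soa_serial(soa_text):
    """Serial is the third field of a `dig +short soa` answer (MNAME RNAME SERIAL ...)."""
    fields = soa_text.split()
    return int(fields[2]) if len(fields) >= 3 and fields[2].isdigit() else None

def analyze_zone(ns_by_vantage, soa_by_ns):
    """Flag vantage points that see a different NS set, and servers whose serials differ."""
    sets = {v: frozenset(ns) for v, ns in ns_by_vantage.items()}
    all_ns = frozenset().union(*sets.values())
    missing = {v: sorted(all_ns - s) for v, s in sets.items() if all_ns - s}
    serials = {ns: soa_serial(txt) for ns, txt in soa_by_ns.items()}
    distinct = {s for s in serials.values() if s is not None}
    return {"consistent_ns": not missing, "ns_missing_at": missing,
            "serials": serials, "serials_in_sync": len(distinct) <= 1}

# Constructed sample: the NS answers and SOA records quoted in the thread (domain masked).
SAMPLE_NS = {
    "theia": ["ns1.setupsite.com", "ns5.eapps.com", "ns1.eapps.com", "ns2.eapps.com", "ns6.eapps.com"],
    "netbox": ["ns1.setupsite.com", "ns2.setupsite.com"],
    "janosch": ["ns2.setupsite.com", "ns1.setupsite.com", "ns1.eapps.com"],
}
SAMPLE_SOA = {
    "ns1.eapps.com": "ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600",
    "ns1.setupsite.com": "ns1.setupsite.com. admin.setupsite.com. 2007010130 3600 600 1209600 3600",
    "ns2.setupsite.com": "ns1.setupsite.com. setupsite.com. 2005120809 3600 600 1209600 3600",
}

if __name__ == "__main__":
    print(rbl_name("127.0.0.2"))          # canary name that should list on a working resolver path
    print(analyze_zone(SAMPLE_NS, SAMPLE_SOA))
```

To run it live, feed `dig_short(domain, "NS", server=resolver)` per vantage point and `dig_short(domain, "SOA", server=ns)[0]` per server into `analyze_zone`.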

From: donovan jeffrey j on

On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j <donovan(a)beth.k12.pa.us>:
>> Greetings
>>
>> I have been seeing tons of errors coming from Spamhaus; it seems it's not resolving, at least for me. Is anyone else having any problems?
>
> You might have been blocked because you exceeded the limits for free
> usage.

I did not know there was such a thing. I may be having some type of DNS issue with zen. My local DNS server does not resolve zen, but Google Public DNS does.
I found this:

ins2:~ root# nslookup zen.spamhaus.org
Server: 207.172.3.20
Address: 207.172.3.20#53

** server can't find zen.spamhaus.org: REFUSED

ins2:~ root# nslookup zen.spamhaus.com
Server: 10.135.1.2
Address: 10.135.1.2#53

Non-authoritative answer:
Name: zen.spamhaus.com
Address: 208.87.33.151

I certainly do not want to exceed any limits; how do I avoid that?

-jeff

From: Ralf Hildebrandt on
* donovan jeffrey j <donovan(a)beth.k12.pa.us>:

> I certainly do not want to exceed any limits; how do I avoid that?

Well, how big is your server?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de