From: JF Mezei on
I am new to the list.

This is on OS-X Server 10.6.3 on an Xserve with postfix 2.5.5 that came
with the system.


I have a situation where using zen.spamhaus.org , spam gets through
despite zen saying that IP is bad.

here is a sample error message:

connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
May 19 01:09:15 velo postfix/smtpdP26473]: warning:
22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
not found. Name service error for name=22.139.252.67.zen.spamhaus.org
type=A: Host not found, try again



nslookup 22.139.252.67.zen.spamhaus.org
Server: 10.0.0.20
Address: 10.0.0.20#53

Non-authoritative answer:
Name: 22.139.252.67.zen.spamhaus.org
Address: 127.0.0.10
Name: 22.139.252.67.zen.spamhaus.org
Address: 127.0.0.4


Is it possible that the postfix software barfs when the RBL lookup
returns multiple responses and lets the message through ?

Is there a way to fix this (other than removing zen and adding the
individual lists it contains) ?


This is a low volume server. And if I exceeded my daily quota, wouldn't
the nslookup command also fail ?

From: Wietse Venema on
JF Mezei:
> I am new to the list.
>
> This is on OS-X Server 10.6.3 on an Xserve with postfix 2.5.5 that came
> with the system.
>
>
> I have a situation where using zen.spamhaus.org , spam gets through
> despite zen saying that IP is bad.
>
> here is a sample error message:
>
> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> type=A: Host not found, try again

You have a mis-configured name service that breaks Postfix's
DNS lookups.

That can be due to bad contents in the resolv.conf file that POSTFIX
uses, or some missing file that is needed to resolve names (not
necessarily the same file as when YOU type commands).

It can also be due to a file or DIRECTORY permission problem.
POSTFIX does not use root privileges, whereas users often debug
problems as root. For that, the simple solution is to debug DNS
lookups as a non-root user.


Wietse

From: JF Mezei on
Wietse Venema wrote:

>> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
>> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
>> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
>> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
>> type=A: Host not found, try again
>
> You have a mis-configured name service that breaks Postfix's
> DNS lookups.

But I have plenty of hits where the RBL lookups work fine and block
messages (or let them pass through). If my DNS was problematic, wouldn't
it fail for all RBL lookups ?

Every "RBL lookup error" IP I have manually tested with nslookup
returned multiple ip addresses as response to the zen.spamhaus.org
request. But I can't say that they ALL did it because I didn't test all
such messages.

Similarly, every IP that was successfully rejected had only one response
when using nslookup. (but can't say ALL because I only tested a sample).






An example where it works:

May 21 04:58:31 velo postfix/smtpd[94073]: NOQUEUE: reject: RCPT from
p5099e3b4.dip0.t-ipconnect.de[80.153.227.180]: 521 5.7.1
www.spamhaus.org considers your IP address 80.153.227.180 as
inappropriate; from=<aahonuryk3493(a)t-ipconnect.de>
to=<jfmezei(a)vIxEnation.ca> proto=ESMTP helo=<t-ipconnect.de>


Postfix finds the message format in my
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps

And I have:
reject_rbl_client zen.spamhaus.org,
in the smtpd_recipient_restrictions



A non privileged user is able to read /etc/resolv.conf


What else should I look for/test ?

From: Wietse Venema on
JF Mezei:
> Wietse Venema wrote:
>
> >> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> >> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> >> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> >> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> >> type=A: Host not found, try again
> >
> > You have a mis-configured name service that breaks Postfix's
> > DNS lookups.
>
> But I have plenty of hits where the RBL lookups work fine and block
> messages (or let them pass through). If my DNS was problematic, wouldn't
> it fail for all RBL lookups ?

Your problem report had ZERO evidence that other Spamhaus lookups
succeed. Given a useless problem report, we are just wasting each
other's time.

> Every "RBL lookup error" IP I have manually tested with nslookup
> returned multiple ip addresses as response to the zen.spamhaus.org
> request. But I can't say that they ALL did it because I didn't test all
> such messages.

Your manual DNS tests are made at a different time than Postfix's
DNS lookups. Successful measurements made at a different time prove
nothing about the conditions when the lookup failed.

If the same lookup fails or succeeds at different times, then that
is almost certainly a problem with DNS requests being dropped.

If you believe that dropped replies depend on the form of the
response, then you need to prove that with evidence.

All this is easy enough to debug by recording the DNS traffic at
your end with a network sniffer over a longer period of time. Then,
you can go back in time and see what queries were sent and what
replies were returned, if any.

Wietse

From: Stan Hoeppner on
JF Mezei put forth on 5/21/2010 4:20 AM:

> connect from cpe-67-252-139-22.buffalo.res.rr.com [67.252.139.22]
> May 19 01:09:15 velo postfix/smtpdP26473]: warning:
> 22.139.252.67.zen.spamhaus.org: RBL lookup error: Host or domain name
> not found. Name service error for name=22.139.252.67.zen.spamhaus.org
> type=A: Host not found, try again

That error is telling you Postfix can't locate zen.spamhaus.org. You're
misreading the error.

If I'm not mistaken, this is the same error I received when I switched my
Postfix MX to use Google Public resolvers (without checking the Spamhaus TOS
first) quite a while ago. I discovered, with help from this list, that
Spamhaus blocks Google's public resolvers, as well as many other "public" type
resolvers, such as many ISPs--basically any single IP address that surpasses
the query volume threshold for free use.

The best long term solution is to install something like PowerDNS recursor
which is a very lightweight caching resolver. I installed it many months ago.
It solved this problem permanently, and my Postfix performance increased a
bit to boot due to lower latency on client rDNS and dnsbl lookups.

--
Stan
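
Added example, not part of the thread or of Postfix: a small DNSBL check that separates the three outcomes discussed above: a listing (several A records are normal, one per return code), an authoritative "not listed", and a temporary lookup failure like the logged "try again" warning. The function names and the injectable `resolve` parameter are hypothetical; treating 127.255.255.0/24 as operator error codes follows Spamhaus's published return codes, not anything stated in the thread.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A-record lookup through the system resolver (uses /etc/resolv.conf)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_dnsbl(ip, zone="zen.spamhaus.org", resolve=system_resolve):
    """Return (verdict, details) for one client IP.

    verdict is 'listed', 'not_listed', 'lookup_failed' or 'unexpected'.
    """
    name = dnsbl_name(ip, zone)
    not_found = {socket.EAI_NONAME,
                 getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        addrs = resolve(name)
    except socket.gaierror as exc:
        if exc.errno in not_found:
            # Authoritative "no such name": the IP is not on the list.
            return "not_listed", [name]
        # EAI_AGAIN and friends: no usable answer arrived, so nothing is
        # known about the client. This is the "try again" warning case.
        return "lookup_failed", [name]
    loopback = ipaddress.ip_network("127.0.0.0/8")
    op_errors = ipaddress.ip_network("127.255.255.0/24")
    parsed = [ipaddress.ip_address(a) for a in addrs]
    if any(a not in loopback or a in op_errors for a in parsed):
        # Answer rewritten by a resolver, or an operator error code
        # (blocked resolver, quota): not evidence about the client.
        return "unexpected", addrs
    # Every A record is one return code; all of them together are the answer.
    return "listed", addrs
```

Run `check_dnsbl("67.252.139.22")` as an unprivileged user on the mail host, repeatedly over time, so the result reflects the resolver configuration and permissions that a non-root daemon sees.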