From: Stan Hoeppner on
Stan Hoeppner put forth on 1/22/2010 1:28 AM:
> I've wondered for a couple of months why my rbl check is being skipped. I've
> not seen a spamhaus entry in my logs since Sept 25 '09. Interestingly, postgrey
> is being called now and then, and it is after the rbl check in main.cf. Any
> idea why my rbl check is being skipped? What have I screwed up to cause this?

Bad form replying to my own post but...

After a hint from Ralf, I started digging around and here is what I found:

1. Spamhaus has banned Google Public DNS resolver queries. I didn't know this
until today. If Postfix is using Google Public DNS resolvers, rbl queries to
zen.spamhaus.org fail but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about
it. Not the query attempt, not the failure, zilch, nut'n. This explains why I
haven't seen any zen entries in my log since Sept 25 last year, apparently the
day I switched to Google DNS resolvers. A total lack of log entries makes
troubleshooting anything very difficult. Thanks to Ralf's off list suggestion,
I was able to start troubleshooting down the correct path.

2. For other dns resolvers that Spamhaus doesn't like, such as a few under the
CenturyLink umbrella (former Embarq/Sprint resolvers), an error is logged, such as:

Jan 22 05:27:53 greer postfix/smtpd[19251]: warning:
50.211.118.82.zen.spamhaus.org: RBL lookup error: Host or domain name not found.
Name service error for name=50.211.118.82.zen.spamhaus.org type=A: Host not
found, try again

3. Sometime between my switch to the Google resolvers and today, Spamhaus
decided to ban my previous Embarq resolvers. So, when I switched back to the
old ones, I got errors like that above, and my zen queries still failed. I dug
around through some very old paperwork and found a set of old Sprint resolvers
in Kansas City I'd never actually used which aren't banned by Spamhaus. Turns
out this is probably a good thing since the resolvers I found that work are also
closest physically and electrically, the primary being 4 hops and 35ms away, the
secondary 7 hops and 40ms away.

I'm glad I got this solved. I really wish that when I was using the Google
resolvers that Postfix would have been logging some kind of errors. If it had,
I'd have known I had a real problem much sooner. The total lack of log entries
for ~3 months is what finally jolted me to look into this. This is a sad state
of affairs. So the question at this point is, why didn't Postfix log any errors
when NXDOMAIN domain was returned, but did log errors when SERVFAIL is returned?

--
Stan

From: Mikael Bak on
Stan Hoeppner wrote:
>
> 1. Spamhaus has banned Google Public DNS resolver queries.

Stan,
Do you have a good enough reason to not run your own name resolver on
your front MX machine?

IMO relying on third parties for DNS on an MX is bad design.

Mikael

From: Wietse Venema on
Stan Hoeppner:
> 1. Spamhaus has banned Google Public DNS resolver queries. I
> didn't know this until today. If Postfix is using Google Public
> DNS resolvers, rbl queries to zen.spamhaus.org fail but Postfix
> (Debian Lenny 2.5.5-1.1) logs NOTHING about it. Not the query
> attempt, not the failure, zilch, nut'n. This explains why I

The query returns NXDOMAIN. No-one has asked me to log all the
NXDOMAIN results for DNSBL queries.

Wietse

With query through Google DNS the host is "not listed" in zen.spamhaus.org:

% dig @8.8.8.8 a 105.49.136.89.zen.spamhaus.org

; <<>> DiG 9.6.1-P1 <<>> @8.8.8.8 a 105.49.136.89.zen.spamhaus.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50578
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;105.49.136.89.zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1001221345 3600 600 432000 150

;; Query time: 169 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 22 08:48:32 2010
;; MSG SIZE rcvd: 112

With direct query, the host is listed as you can see for yourself.

From: Stan Hoeppner on
Mikael Bak put forth on 1/22/2010 7:50 AM:
> Stan Hoeppner wrote:
>>
>> 1. Spamhaus has banned Google Public DNS resolver queries.
>
> Stan,
> Do you have a good enough reason to not run your own name resolver on
> your front MX machine?
>
> IMO relying on third parties for DNS on an MX is bad design.

Due to this fiasco I'm already looking into it. I'd never really considered it
an issue until now since it's such a light duty box. Not sure if I have enough
memory on the box right now to run a caching resolver. I may need to grab a
stick or two. It wouldn't be an issue except for the fact I recently added a
bunch of daemons to this box so I could decommission a _really old_ machine
(dual P166) that housed the mail store and file shares. That increased the
memory footprint quite a bit.

Suggestions for a lightweight local resolver daemon on Debian Lenny are welcome.
I've never actually used bind before and I've never been a dns admin. I have a
vague hazy memory of reading grumblings that bind may be a bit too "heavy" for
using as a local machine resolver.

--
Stan

From: Noel Jones on
On 1/22/2010 6:18 AM, Stan Hoeppner wrote:
>
> 1. Spamhaus has banned Google Public DNS resolver queries. I didn't know this
> until today. If Postfix is using Google Public DNS resolvers, rbl queries to
> zen.spamhaus.org fail but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about
> it. Not the query attempt, not the failure, zilch, nut'n.

Nothing is logged because the DNS server gives an authoritative
"does not exist" answer. That's not an error, it is the
expected response when a client is not listed in an RBL.

It would be silly to log such events except under debug
conditions. At any rate, the log for this would look
completely normal; lookup performed, host not listed. The
logs would be indistinguishable from any other successful RBL
lookup of an unlisted client.

> 2. For other dns resolvers that Spamhaus doesn't like, such as a few under the
> CenturyLink umbrella (former Embarq/Sprint resolvers) an error is logged, such as:
>
> Jan 22 05:27:53 greer postfix/smtpd[19251]: warning:
> 50.211.118.82.zen.spamhaus.org: RBL lookup error: Host or domain name not found.
> Name service error for name=50.211.118.82.zen.spamhaus.org type=A: Host not
> found, try again

An error is logged because this DNS server returned an error.

Obviously this DNS server is configured differently WRT
spamhaus lookups.

> I'm glad I got this solved. I really wish that when I was using the Google
> resolvers that Postfix would have been logging some kind of errors. If it had,
> I'd have known I had a real problem much sooner. The total lack of log entries
> for ~3 months is what finally jolted me to look into this. This is a sad state
> of affairs. So the question at this point is, why didn't Postfix log any errors
> when NXDOMAIN domain was returned, but did log errors when SERVFAIL is returned?
>


Test RBL lookups with the published test address. 127.0.0.1
should never be listed, 127.0.0.2 should always be listed.

$ host 1.0.0.127.zen.spamhaus.org
Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

$ host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10



-- Noel Jones
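The distinction Wietse and Noel draw (NXDOMAIN is a normal "not listed", SERVFAIL is an error, and only the second gets logged) and Noel's 127.0.0.1/127.0.0.2 self-test can be put into a small script that an MX operator runs from cron to catch the silent failure Stan hit. The following is an added example, not code from this thread or from Postfix. It uses only the Python standard library: with glibc, getaddrinfo reports NXDOMAIN as EAI_NONAME and SERVFAIL or a timeout as EAI_AGAIN (the counterpart of Postfix's "Host not found, try again"). The Zen return-code names are taken from Spamhaus's published list and are assumed unchanged; the fake resolvers and the 198.51.100.7 address are constructed so the demo runs offline.

```python
"""DNSBL lookup that separates the three outcomes discussed in the thread:
listed (A records in 127.0.0.0/8), not listed (NXDOMAIN), and a resolver
error (SERVFAIL / timeout).  Added example; not Postfix code."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ZONE = "zen.spamhaus.org"
# getaddrinfo error codes: NXDOMAIN surfaces as EAI_NONAME, SERVFAIL/timeout
# as EAI_AGAIN (the counterpart of Postfix's "Host not found, try again").
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)
EAI_NODATA = getattr(socket, "EAI_NODATA", -5)
# Return-code names as published by Spamhaus for Zen (assumption: unchanged).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
             "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL (ISP)", "127.0.0.11": "PBL (Spamhaus)"}

Resolver = Callable[[str], List[str]]


@dataclass
class RblResult:
    status: str                 # "listed", "not_listed", "error" or "bogus"
    detail: str
    addresses: List[str] = field(default_factory=list)


def dnsbl_name(client_ip: str, zone: str = ZONE) -> str:
    """89.136.49.105 -> 105.49.136.89.zen.spamhaus.org (octets reversed, zone appended)."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def stdlib_resolver(name: str) -> List[str]:
    """Default resolver: the system stub resolver, via getaddrinfo."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def rbl_lookup(client_ip: str, zone: str = ZONE, resolve: Resolver = stdlib_resolver) -> RblResult:
    """Classify one DNSBL query the way an MTA has to: only NXDOMAIN/NODATA is a
    clean 'not listed'; any other failure is an error worth logging."""
    name = dnsbl_name(client_ip, zone)
    try:
        addrs = resolve(name)
    except socket.gaierror as e:
        if e.errno in (EAI_NONAME, EAI_NODATA):
            return RblResult("not_listed", f"{name}: NXDOMAIN")
        return RblResult("error", f"{name}: RBL lookup error: {e.strerror}")
    except OSError as e:                      # e.g. socket timeouts
        return RblResult("error", f"{name}: {e}")
    if not addrs:
        return RblResult("not_listed", f"{name}: empty answer")
    if not all(a.startswith("127.") for a in addrs):
        # A resolver that rewrites NXDOMAIN into a search-page address would
        # otherwise make every client look listed.
        return RblResult("bogus", f"{name}: answer outside 127.0.0.0/8", addrs)
    codes = ", ".join(f"{a} ({ZEN_CODES.get(a, 'unknown code')})" for a in addrs)
    return RblResult("listed", f"{name}: {codes}", addrs)


def check_resolver(zone: str = ZONE, resolve: Resolver = stdlib_resolver) -> bool:
    """Noel's self-test: 127.0.0.1 must come back not listed and 127.0.0.2 listed.
    A resolver that is refused by the DNSBL and answers NXDOMAIN to everything
    fails the second half, which is exactly the silent failure in the thread."""
    negative = rbl_lookup("127.0.0.1", zone, resolve)
    positive = rbl_lookup("127.0.0.2", zone, resolve)
    return negative.status == "not_listed" and positive.status == "listed"


def fake_resolver(table: Dict[str, object]) -> Resolver:
    """Constructed stand-in for offline runs: name -> list of A records, or an
    exception instance to raise.  Unknown names get NXDOMAIN."""
    def resolve(name: str) -> List[str]:
        outcome = table.get(name, socket.gaierror(EAI_NONAME, "Name or service not known"))
        if isinstance(outcome, BaseException):
            raise outcome
        return list(outcome)
    return resolve


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the self-test against four constructed resolvers modelled on the thread.
    Returns {scenario: (self-test passed, status of the 127.0.0.2 lookup)}."""
    test_pos, test_neg = dnsbl_name("127.0.0.2"), dnsbl_name("127.0.0.1")
    scenarios = {
        "healthy":    fake_resolver({test_pos: ["127.0.0.2", "127.0.0.4", "127.0.0.10"]}),
        "silent_ban": fake_resolver({}),   # NXDOMAIN for everything: nothing to log
        "noisy_ban":  fake_resolver({test_pos: socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")}),
        "hijacking":  fake_resolver({test_pos: ["198.51.100.7"], test_neg: ["198.51.100.7"]}),
    }
    return {k: (check_resolver(resolve=r), rbl_lookup("127.0.0.2", resolve=r).status)
            for k, r in scenarios.items()}


if __name__ == "__main__":
    for scenario, (ok, status) in demo().items():
        print(f"{scenario:11s} self-test {'passed' if ok else 'FAILED'}; 127.0.0.2 -> {status}")
```

Run against the real resolver with `check_resolver()` (no arguments) from the MX itself; a `False` with the 127.0.0.2 lookup reporting `not_listed` is the Google-resolver case from the thread, where Postfix's own logs stay completely normal, and `error` is the Embarq case that Postfix does log. The "bogus" branch guards against resolvers that answer NXDOMAIN with a redirect address, which would otherwise turn every client into a listed one.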