
Re: Tweaking DNS timeouts (message 293209)

  • /dev/rob0
    May 17, 2013
      On Thu, May 16, 2013 at 07:48:24PM -0400, Wietse Venema wrote:
      > /dev/rob0:
      > > In the time since I've been running this, I saw the first thing
      > > that might be seen as a problem: dnsblog timing out on one of
      > > the DNSBL lookups:
      > >
      > > May 16 21:51:44 harrier postfix/postscreen[29502]: CONNECT from [208.66.205.36]:53814 to [207.223.116.211]:25
      > > May 16 21:51:44 harrier postfix/dnsblog[29507]: addr 208.66.205.36 listed by domain list.dnswl.org as 127.0.15.0
      > >
      > > This gives it a -2 so far, but when the greet pause is finished,
      > > postscreen proceeds anyway:
      >
      > All postscreen versions work that way. When the DNSBL score is not
      > final before the pregreet test completes, the DNSBL test remains
      > undecided, and the test will be repeated the next time the client
      > connects.
      >
      > Increasing the greet-wait to 10+ seconds could result in
      > legitimate clients hanging up, so I would not recommend that.

      Do we have any testing to validate this? I'm pretty sure I recall
      from a few years back on the old original SPAM-L list that some
      Sendmail people[1] were saying they used greet pauses in excess of 30
      seconds.

      > You can try to change the DNS resolver timeout/retry behavior:

      Thanks for all that. As it happens, I have a quick fix for this:

      $ grep 'dnsblog.*timeout' /var/log/maillog | wc
      35 420 3731
      $ grep 'dnsblog.*timeout' /var/log/maillog | grep -v surriel | wc
      0 0 0

      PSBL seems to be a bit slow for me. I've taken it out of my
      postscreen_dnsbl_sites; I had only recently added it.

      What this shows is that there's no good, risk-free way to test
      potential new DNSBLs. No great harm done: at the most, 35 delayed
      mails. But could a site which is consistently timing out cause
      positive scores to be ignored? Apparently not here:

      May 12 05:05:39 harrier postfix/postscreen[17895]: CONNECT from [24.227.47.42]:1362 to [207.223.116.211]:25
      May 12 05:05:39 harrier postfix/postscreen[17895]: PREGREET 21 after 0.03 from [24.227.47.42]:1362: EHLO [192.168.2.33]\r\n
      May 12 05:05:39 harrier postfix/dnsblog[17901]: addr 24.227.47.42 listed by domain dnsbl.sorbs.net as 127.0.0.7
      May 12 05:05:39 harrier postfix/dnsblog[17897]: addr 24.227.47.42 listed by domain b.barracudacentral.org as 127.0.0.2
      May 12 05:05:40 harrier postfix/dnsblog[17900]: addr 24.227.47.42 listed by domain zen.spamhaus.org as 127.0.0.4
      May 12 05:05:45 harrier postfix/postscreen[17895]: DNSBL rank 6 for [24.227.47.42]:1362
      May 12 05:05:45 harrier postfix/postscreen[17895]: NOQUEUE: reject: RCPT from [24.227.47.42]:1362: 550 5.7.1 Service unavailable; client [24.227.47.42] blocked using zen.spamhaus.org; from=<test@...>, to=<therichsheickc@...>, proto=ESMTP, helo=<[192.168.2.33]>
      May 12 05:05:45 harrier postfix/postscreen[17895]: DISCONNECT [24.227.47.42]:1362
      May 12 05:05:49 harrier postfix/postscreen[17895]: warning: dnsblog reply timeout 10s for psbl.surriel.com
      May 12 05:05:59 harrier postfix/dnsblog[17902]: warning: dnsblog_query: lookup error for DNS query 42.47.227.24.psbl.surriel.com: Host or domain name not found. Name service error for name=42.47.227.24.psbl.surriel.com type=A: Host not found, try again

      I guess this says that postscreen_dnsbl_action fires at the end of
      the greet pause when postscreen_dnsbl_threshold is met, but
      postscreen_dnsbl_whitelist_threshold is not calculated. Here's the
      same botnet from a different zombie, which does not meet the
      threshold, rejected for protocol error:

      May 12 05:43:09 harrier postfix/postscreen[19787]: CONNECT from [80.24.21.133]:23652 to [207.223.116.211]:25
      May 12 05:43:09 harrier postfix/dnsblog[19790]: addr 80.24.21.133 listed by domain bl.spameatingmonkey.net as 127.0.0.2
      May 12 05:43:09 harrier postfix/postscreen[19787]: PREGREET 21 after 0.22 from [80.24.21.133]:23652: EHLO [192.168.2.33]\r\n
      May 12 05:43:19 harrier postfix/postscreen[19787]: warning: dnsblog reply timeout 10s for psbl.surriel.com
      May 12 05:43:20 harrier postfix/postscreen[19787]: NOQUEUE: reject: RCPT from [80.24.21.133]:23652: 550 5.5.1 Protocol error; from=<test@...>, to=<therichsheickc@...>, proto=ESMTP, helo=<[192.168.2.33]>
      May 12 05:43:21 harrier postfix/postscreen[19787]: DISCONNECT [80.24.21.133]:23652

      Here's one without the pregreet:

      May 13 06:21:09 harrier postfix/postscreen[3805]: CONNECT from [89.121.129.184]:43448 to [207.223.116.211]:25
      May 13 06:21:09 harrier postfix/dnsblog[3807]: addr 89.121.129.184 listed by domain b.barracudacentral.org as 127.0.0.2
      May 13 06:21:09 harrier postfix/dnsblog[3813]: addr 89.121.129.184 listed by domain zen.spamhaus.org as 127.0.0.11
      May 13 06:21:09 harrier postfix/dnsblog[3813]: addr 89.121.129.184 listed by domain zen.spamhaus.org as 127.0.0.4
      May 13 06:21:09 harrier postfix/dnsblog[3808]: addr 89.121.129.184 listed by domain bl.mailspike.net as 127.0.0.12
      May 13 06:21:15 harrier postfix/postscreen[3805]: DNSBL rank 6 for [89.121.129.184]:43448
      May 13 06:21:16 harrier postfix/postscreen[3805]: NOQUEUE: reject: RCPT from [89.121.129.184]:43448: 550 5.7.1 Service unavailable; client [89.121.129.184] blocked using zen.spamhaus.org; from=<watcheslz@...>, to=<mungeduser@...>, proto=ESMTP, helo=<89-121-129-184.romtelecom.net>
      May 13 06:21:16 harrier postfix/postscreen[3805]: HANGUP after 0.68 from [89.121.129.184]:43448 in tests after SMTP handshake
      May 13 06:21:16 harrier postfix/postscreen[3805]: DISCONNECT [89.121.129.184]:43448
      May 13 06:21:19 harrier postfix/postscreen[3805]: warning: dnsblog reply timeout 10s for psbl.surriel.com


      [Snip all the good resolver(5) information]


      [1] Specifically I am thinking of the late Bruce Gingery, a true
      master spamfighter. I will ask about this on SDLU[2] also.
      [2] http://spammers.dontlike.us/
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
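The `grep 'dnsblog.*timeout' | wc` check above only counts timeouts per site. The script below, an added example that is not from the original post or from Postfix, goes one step further and correlates the postscreen and dnsblog lines per client session, so you can see what score postscreen had in hand when it logged the `DNSBL rank` and which lookups were still pending at that moment. The sample log is constructed, modelled on the lines quoted in the thread; the site weights and both thresholds are assumptions, not the poster's configuration. Two attribution heuristics are also assumptions forced by the log format: dnsblog `addr ... listed` lines carry only the client IP (no port), and the `dnsblog reply timeout` warning carries only the postscreen PID, so each is attached to the most recent CONNECT for that IP or PID respectively.

```python
"""Correlate postscreen(8)/dnsblog(8) log lines: which DNSBL sites time out,
and what each client's score was when postscreen decided.

Added example, not from the original post or from Postfix.  Sample log is
constructed (modelled on the thread); weights/thresholds are assumptions.
"""
import re
from collections import Counter

# Assumed postscreen_dnsbl_sites weights (domain -> weight).  A domain absent
# from this table counts 1, as postscreen does when no "*weight" is given.
DNSBL_WEIGHTS = {
    "zen.spamhaus.org": 3,
    "b.barracudacentral.org": 2,
    "list.dnswl.org": -2,       # whitelist, hence negative
}
DNSBL_THRESHOLD = 3             # assumed postscreen_dnsbl_threshold
DNSBL_WHITELIST_THRESHOLD = -2  # assumed postscreen_dnsbl_whitelist_threshold

# Constructed sample log (not real traffic), modelled on the post's lines.
SAMPLE_LOG = """\
May 12 05:05:39 harrier postfix/postscreen[17895]: CONNECT from [24.227.47.42]:1362 to [207.223.116.211]:25
May 12 05:05:39 harrier postfix/dnsblog[17901]: addr 24.227.47.42 listed by domain dnsbl.sorbs.net as 127.0.0.7
May 12 05:05:39 harrier postfix/dnsblog[17897]: addr 24.227.47.42 listed by domain b.barracudacentral.org as 127.0.0.2
May 12 05:05:40 harrier postfix/dnsblog[17900]: addr 24.227.47.42 listed by domain zen.spamhaus.org as 127.0.0.4
May 12 05:05:45 harrier postfix/postscreen[17895]: DNSBL rank 6 for [24.227.47.42]:1362
May 12 05:05:45 harrier postfix/postscreen[17895]: DISCONNECT [24.227.47.42]:1362
May 12 05:05:49 harrier postfix/postscreen[17895]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 12 05:43:09 harrier postfix/postscreen[19787]: CONNECT from [80.24.21.133]:23652 to [207.223.116.211]:25
May 12 05:43:09 harrier postfix/dnsblog[19790]: addr 80.24.21.133 listed by domain bl.spameatingmonkey.net as 127.0.0.2
May 12 05:43:19 harrier postfix/postscreen[19787]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 12 05:43:21 harrier postfix/postscreen[19787]: DISCONNECT [80.24.21.133]:23652
May 16 21:51:44 harrier postfix/postscreen[29502]: CONNECT from [208.66.205.36]:53814 to [207.223.116.211]:25
May 16 21:51:44 harrier postfix/dnsblog[29507]: addr 208.66.205.36 listed by domain list.dnswl.org as 127.0.15.0
May 16 21:51:54 harrier postfix/postscreen[29502]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 16 21:51:55 harrier postfix/postscreen[29502]: DISCONNECT [208.66.205.36]:53814
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)"
                     r"\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^CONNECT from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
LISTED_RE = re.compile(r"^addr (?P<ip>\S+) listed by domain (?P<domain>\S+) as (?P<reply>\S+)")
RANK_RE = re.compile(r"^DNSBL rank (?P<rank>-?\d+) for \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
TIMEOUT_RE = re.compile(r"^warning: dnsblog reply timeout \S+ for (?P<domain>\S+)")


def analyze(log_text):
    """Return (sessions, timeouts): sessions in CONNECT order, timeouts a
    Counter of DNSBL domain -> number of reply-timeout warnings."""
    sessions, timeouts = [], Counter()
    by_ip = {}   # ip -> latest session; dnsblog lines carry no port (assumption)
    by_pid = {}  # postscreen pid -> latest session; timeouts carry no address (assumption)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "postscreen":
            if c := CONNECT_RE.match(msg):
                s = {"client": f"{c['ip']}:{c['port']}", "listed": [], "score": 0,
                     "logged_rank": None, "timed_out": []}
                sessions.append(s)
                by_ip[c["ip"]], by_pid[pid] = s, s
            elif r := RANK_RE.match(msg):
                if s := by_ip.get(r["ip"]):
                    s["logged_rank"] = int(r["rank"])
            elif t := TIMEOUT_RE.match(msg):
                timeouts[t["domain"]] += 1
                if s := by_pid.get(pid):
                    s["timed_out"].append(t["domain"])
        elif prog == "dnsblog":
            if l := LISTED_RE.match(msg):
                if s := by_ip.get(l["ip"]):
                    s["listed"].append((l["domain"], l["reply"]))
                    s["score"] += DNSBL_WEIGHTS.get(l["domain"], 1)
    return sessions, timeouts


def verdict(s):
    """What postscreen could conclude from the replies it actually had.
    Threshold reached -> reject even with lookups still pending (the thread
    shows the reject logged before the psbl timeout warning).  Otherwise a
    pending lookup leaves the test undecided, to be repeated next time."""
    if s["score"] >= DNSBL_THRESHOLD:
        return "blocked"
    if s["timed_out"]:
        return "undecided"
    if s["score"] <= DNSBL_WHITELIST_THRESHOLD:
        return "whitelisted"
    return "passed"


def slow_sites(timeouts, min_count=1):
    """DNSBL domains that timed out at least min_count times: candidates for
    removal from postscreen_dnsbl_sites, as the post did with PSBL."""
    return sorted(d for d, n in timeouts.items() if n >= min_count)
```

Run it on a real maillog with `analyze(open("/var/log/maillog").read())`: a session whose computed score disagrees with the logged `DNSBL rank` means the weight table does not match the live `postscreen_dnsbl_sites`, and any session that is `undecided` with a negative score is a legitimate client whose whitelist credit was never applied because a slow site kept the score from becoming final.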