
Expected behaviour for RBLs when DNS is slow.

  • Guy
    Message 1 of 5 , Apr 2, 2009
      Hi guys,

      I had a problem earlier today when our local DNS server's forwarding
      servers were slow to respond.

      I had a number of emails from various sources rejected as blocked by
      zen.spamhaus.org. The IPs I checked weren't on the list according to
      the spamhaus website.
      I did notice that doing a "dig @... zen.spamhaus.org"
      didn't always return an answer. After changing the forwarding servers
      in bind the problem seems to have cleared up.

      Is this the expected behaviour from Postfix if an rbl cannot be
      reached? Is it possible to have Postfix pass the mail rather than
      reject if the server cannot find the rbl? Or would that be a bad idea
      even if it can be done?

      Thanks
      Guy

      --
      Don't just do something...sit there!
    • Wietse Venema
      Message 2 of 5 , Apr 2, 2009
        Guy:
        > Hi guys,
        >
        > I had a problem earlier today when our local DNS server's forwarding
        > servers were slow to respond.
        >
        > I had a number of emails from various sources rejected as blocked by
        > zen.spamhaus.org. The IPs I checked weren't on the list according to
        > the spamhaus website.
        > I did notice that doing a "dig @... zen.spamhaus.org"
        > didn't always return an answer. After changing the forwarding servers
        > in bind the problem seems to have cleared up.
        >
        > Is this the expected behaviour from Postfix if an rbl cannot be
        > reached? Is it possible to have Postfix pass the mail rather than
        > reject if the server cannot find the rbl? Or would that be a bad idea
        > even if it can be done?

        Postfix WILL BLOCK MAIL ONLY when a blacklist server responds.
      • Wietse Venema
        Message 3 of 5 , Apr 2, 2009
          Wietse Venema:
          > Guy:
          > > Hi guys,
          > >
          > > I had a problem earlier today when our local DNS server's forwarding
          > > servers were slow to respond.
          > >
          > > I had a number of emails from various sources rejected as blocked by
          > > zen.spamhaus.org. The IPs I checked weren't on the list according to
          > > the spamhaus website.
          > > I did notice that doing a "dig @... zen.spamhaus.org"
          > > didn't always return an answer. After changing the forwarding servers
          > > in bind the problem seems to have cleared up.
          > >
          > > Is this the expected behaviour from Postfix if an rbl cannot be
          > > reached? Is it possible to have Postfix pass the mail rather than
          > > reject if the server cannot find the rbl? Or would that be a bad idea
          > > even if it can be done?
          >
          > Postfix WILL BLOCK MAIL ONLY when a blacklist server responds.

          If you believe this is not true, then you MUST provide the evidence
          in the form of mail logging that Postfix falsely rejected mail
          after a failed zen.spamhaus.org lookup.

          But of course it is much easier to post rumors on this mailing list
          that Postfix is buggy, than doing the due diligence.

          Wietse
        • Noel Jones
          Message 4 of 5 , Apr 2, 2009
            Guy wrote:
            > Hi guys,
            >
            > I had a problem earlier today when our local DNS server's forwarding
            > servers were slow to respond.
            >
            > I had a number of emails from various sources rejected as blocked by
            > zen.spamhaus.org. The IPs I checked weren't on the list according to
            > the spamhaus website.

            No, this is false. Postfix will log a warning and pass the
            mail when an RBL query times out.

            The only ill effect is a pause of the mail processing while
            postfix waits for the DNS response. It's possible some
            impatient senders will disconnect during this pause, but that
            seems rare, and they should retry later.

            > I did notice that doing a "dig @... zen.spamhaus.org"
            > didn't always return an answer. After changing the forwarding servers
            > in bind the problem seems to have cleared up.
            >
            > Is this the expected behaviour from Postfix if an rbl cannot be
            > reached? Is it possible to have Postfix pass the mail rather than
            > reject if the server cannot find the rbl?

            Postfix does not reject mail due to an RBL failure. Either
            you misread the evidence or your DNS server falsified the
            response.

            For further analysis, you'll need to show unaltered log
            entries of the unexpected rejects.

            > Or would that be a bad idea
            > even if it can be done?

            RBL queries time out often enough that it would be insane to
            reject mail because of a timeout.

            (I suppose some very strict folks might 450 defer mail after
            an RBL timeout, but even that seems extreme. Anyway, postfix
            can't do this either without a custom policy service.)

            -- Noel Jones
          • Wietse Venema
            Message 5 of 5 , Apr 2, 2009
              Noel Jones:
              > Guy wrote:
              > > Hi guys,
              > >
              > > I had a problem earlier today when our local DNS server's forwarding
              > > servers were slow to respond.
              > >
              > > I had a number of emails from various sources rejected as blocked by
              > > zen.spamhaus.org. The IPs I checked weren't on the list according to
              > > the spamhaus website.
              >
              > No, this is false. Postfix will log a warning and pass the
              > mail when an RBL query times out.

              He was using "reject_RHSBL_client zen.spamhaus.org". I speculate
              that his ISP was making some money by redirecting non-existent name
              lookups. Usually such ISPs are smart enough not to do this with
              reject_RBL_client lookups.

              Wietse
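
The outcomes discussed in this thread (listed, not listed, lookup failed) plus the rewritten-NXDOMAIN case speculated about in the last message, as an added example that is not part of the original thread and is not Postfix code. The function names and the sample resolvers are assumptions made for illustration; the test points 127.0.0.2 (listed) and 127.0.0.1 (not listed) come from RFC 5782.

```python
import ipaddress

# RFC 5782 test points: an IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1.
LISTED_TEST_IP, UNLISTED_TEST_IP = "127.0.0.2", "127.0.0.1"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # conventional DNSBL answer range

def dnsbl_query_name(client_ip, zone):
    """Reverse the client's octets and append the zone, as a DNSBL lookup does."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(rcode, answers):
    """Classify one DNS result. rcode: NOERROR, NXDOMAIN, SERVFAIL or TIMEOUT."""
    if rcode in ("SERVFAIL", "TIMEOUT"):
        return "lookup_failed"   # the thread's timeout case: warn and pass the mail
    if rcode == "NXDOMAIN" or not answers:
        return "not_listed"
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"          # a blacklist server actually responded
    return "forged_answer"       # A record outside 127/8: NXDOMAIN was rewritten

def resolver_is_trustworthy(lookup, zone):
    """Probe both test points through `lookup(name) -> (rcode, answers)`."""
    listed = classify(*lookup(dnsbl_query_name(LISTED_TEST_IP, zone)))
    unlisted = classify(*lookup(dnsbl_query_name(UNLISTED_TEST_IP, zone)))
    return listed == "listed" and unlisted == "not_listed"

# Constructed sample resolvers (no network access); answers are illustrative.
def honest_resolver(name):
    table = {"2.0.0.127.zen.spamhaus.org": ("NOERROR", ["127.0.0.2"])}
    return table.get(name, ("NXDOMAIN", []))

def rewriting_resolver(name):
    """Simulates an upstream that replaces NXDOMAIN with a landing-page address."""
    rcode, answers = honest_resolver(name)
    if rcode == "NXDOMAIN":
        return ("NOERROR", ["192.0.2.80"])  # documentation-range placeholder
    return (rcode, answers)

if __name__ == "__main__":
    name = dnsbl_query_name("203.0.113.7", "zen.spamhaus.org")
    for resolver in (honest_resolver, rewriting_resolver):
        print(resolver.__name__, classify(*resolver(name)),
              resolver_is_trustworthy(resolver, "zen.spamhaus.org"))
```

Postfix's `reject_rbl_client rbl_domain=d.d.d.d` form limits a match to one specific A record value, which keeps an answer like the rewritten one above from counting as a listing.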