
Re: Expected behaviour for rbl's when DNS is slow.

  • Wietse Venema
    Message 1 of 5 , Apr 2, 2009
      Guy:
      > Hi guys,
      >
      > I had a problem earlier today when our local DNS server's forwarding
      > servers were slow to respond.
      >
      > I had a number of emails from various sources rejected as blocked by
      > zen.spamhaus.org. The IPs I checked weren't on the list according to
      > the spamhaus website.
      > I did notice that doing a "dig @... zen.spamhaus.org"
      > didn't always return an answer. After changing the forwarding servers
      > in bind the problem seems to have cleared up.
      >
      > Is this the expected behaviour from Postfix if an rbl cannot be
      > reached? Is it possible to have Postfix pass the mail rather than
      > reject if the server cannot find the rbl? Or would that be a bad idea
      > even if it can be done?

      Postfix WILL BLOCK MAIL ONLY when a blacklist server responds.
    • Wietse Venema
      Message 2 of 5 , Apr 2, 2009
        Wietse Venema:
        > Guy:
        > > Hi guys,
        > >
        > > I had a problem earlier today when our local DNS server's forwarding
        > > servers were slow to respond.
        > >
        > > I had a number of emails from various sources rejected as blocked by
        > > zen.spamhaus.org. The IPs I checked weren't on the list according to
        > > the spamhaus website.
        > > I did notice that doing a "dig @... zen.spamhaus.org"
        > > didn't always return an answer. After changing the forwarding servers
        > > in bind the problem seems to have cleared up.
        > >
        > > Is this the expected behaviour from Postfix if an rbl cannot be
        > > reached? Is it possible to have Postfix pass the mail rather than
        > > reject if the server cannot find the rbl? Or would that be a bad idea
        > > even if it can be done?
        >
        > Postfix WILL BLOCK MAIL ONLY when a blacklist server responds.

        If you believe this is not true, then you MUST provide the evidence
        in the form of mail logging that Postfix falsely rejected mail
        after a failed zen.spamhaus.org lookup.

        But of course it is much easier to post rumors on this mailing list
        that Postfix is buggy, than doing the due diligence.

        Wietse
      • Noel Jones
        Message 3 of 5 , Apr 2, 2009
          Guy wrote:
          > Hi guys,
          >
          > I had a problem earlier today when our local DNS server's forwarding
          > servers were slow to respond.
          >
          > I had a number of emails from various sources rejected as blocked by
          > zen.spamhaus.org. The IPs I checked weren't on the list according to
          > the spamhaus website.

          No, this is false. Postfix will log a warning and pass the
          mail when an RBL query times out.

          The only ill effect is a pause of the mail processing while
          postfix waits for the DNS response. It's possible some
          impatient senders will disconnect during this pause, but that
          seems rare, and they should retry later.

          > I did notice that doing a "dig @... zen.spamhaus.org"
          > didn't always return an answer. After changing the forwarding servers
          > in bind the problem seems to have cleared up.
          >
          > Is this the expected behaviour from Postfix if an rbl cannot be
          > reached? Is it possible to have Postfix pass the mail rather than
          > reject if the server cannot find the rbl?

          Postfix does not reject mail due to an RBL failure. Either
          you misread the evidence or your DNS server falsified the
          response.

          For further analysis, you'll need to show unaltered log
          entries of the unexpected rejects.

          > Or would that be a bad idea
          > even if it can be done?

          RBL queries time out often enough that it would be insane to
          reject mail because of a timeout.

          (I suppose some very strict folks might 450 defer mail after
          an RBL timeout, but even that seems extreme. Anyway, postfix
          can't do this either without a custom policy service.)

          -- Noel Jones
        • Wietse Venema
          Message 4 of 5 , Apr 2, 2009
            Noel Jones:
            > Guy wrote:
            > > Hi guys,
            > >
            > > I had a problem earlier today when our local DNS server's forwarding
            > > servers were slow to respond.
            > >
            > > I had a number of emails from various sources rejected as blocked by
            > > zen.spamhaus.org. The IPs I checked weren't on the list according to
            > > the spamhaus website.
            >
            > No, this is false. Postfix will log a warning and pass the
            > mail when an RBL query times out.

            He was using "reject_RHSBL_client zen.spamhaus.org". I speculate
            that his ISP was making some money by redirecting non-existent name
            lookups. Usually such ISPs are smart enough not to do this with
            reject_RBL_client lookups.

            Wietse
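
The lookup outcomes discussed in this thread (no listing, a timed-out query, a real listing, and a resolver that answers a non-existent name with its own address), as an added example that is not part of the thread and is not Postfix code. The resolver is injected so the block runs offline; the function names, verdict labels and sample addresses are constructed, and the check relies on the DNSBL convention of answering inside 127.0.0.0/8.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL replies live here by convention

class NoSuchName(Exception):
    """Resolver returned NXDOMAIN."""

class LookupTimeout(Exception):
    """Resolver gave no answer in time."""

def rbl_name(client_ip, zone):
    """Query name for an IP-based list: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rhsbl_name(client_host, zone):
    """Query name for a hostname-based list: client hostname + zone."""
    return client_host.rstrip(".").lower() + "." + zone

def classify(name, resolve):
    """Return (verdict, detail); resolve(name) yields IPv4 strings or raises."""
    try:
        answers = resolve(name)
    except NoSuchName:
        return "not_listed", name
    except LookupTimeout:
        return "lookup_failed_pass_with_warning", name  # never a reject
    outside = [a for a in answers if ipaddress.ip_address(a) not in LOOPBACK]
    if outside:
        return "answer_rewritten_by_resolver", ",".join(outside)
    return "listed", ",".join(answers)

# Constructed resolver behaviours standing in for real DNS (no network used).
def healthy(name):
    raise NoSuchName(name)
def slow_forwarder(name):
    raise LookupTimeout(name)
def nxdomain_redirect(name):
    return ["203.0.113.10"]  # constructed address from a documentation range
def real_listing(name):
    return ["127.0.0.2"]  # constructed listing reply

def demo():
    name = rbl_name("192.0.2.25", "zen.spamhaus.org")
    cases = (healthy, slow_forwarder, nxdomain_redirect, real_listing)
    return {fn.__name__: classify(name, fn)[0] for fn in cases}

if __name__ == "__main__":
    print(demo())
```

Postfix can narrow the match itself: the `reject_rbl_client rbl_domain=d.d.d.d` form rejects only when the list returns that specific A record.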