
email from comcast.net is bouncing

  • Grant
    Message 1 of 23 , Aug 25, 2013
      I've had a long-running problem with messages sent from comcast.net
      addresses bouncing back to the sender. I thought this could be due to
      the postscreen deep protocol checks I use with postfix-2.11_pre*, but
      I added the following to main.cf on August 15th and yesterday I
      received a message from someone with a comcast.net address who says
      their email bounced:

      postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
      postscreen_dnsbl_whitelist_threshold = -1

      I grep'ed my mail logs for his address and found only this:

      Aug 18 * 450 4.3.2 Service currently unavailable

      I've searched my inbox and trash and I do not see his message so I
      don't think Comcast retried.

      I do have one of these bounced messages that was forwarded to me about
      9 weeks ago but there is no indication of what the problem was.
      Besides headers, the message includes no more information than this:

      SUBJECT: Delivery status notification
      This is an automatically generated Delivery Status Notification.
      Delivery to the following recipients was aborted after 7 second(s):
      MASKED@...

      - Grant
    • Wietse Venema
      Message 2 of 23 , Aug 25, 2013
        Grant:
        > SUBJECT: Delivery status notification
        > This is an automatically generated Delivery Status Notification.
        > Delivery to the following recipients was aborted after 7 second(s):
        > MASKED@...

        If you want that mail, whitelist them,

        Wietse
      • Grant
        Message 3 of 23 , Aug 25, 2013
          >> SUBJECT: Delivery status notification
          >> This is an automatically generated Delivery Status Notification.
          >> Delivery to the following recipients was aborted after 7 second(s):
          >> MASKED@...
          >
          > If you want that mail, whitelist them,

          They should already be whitelisted through my use of list.dnswl.org.
          The sending mail server's IP was 76.96.62.48 which is listed:

          http://dnswl.org/s?s=76.96.62.48

          Searching my mail logs, I can see several comcast.net messages were
          450'ed since I implemented list.dnswl.org and each sending IP does
          appear in dnswl.org/s.

          I also have several of these:

          lost connection with mx1.comcast.net[68.87.26.147] while receiving the
          initial server greeting
          conversation with mx1.comcast.net[68.87.26.147] timed out while
          receiving the initial server greeting

          - Grant
        • Wietse Venema
          Message 4 of 23 , Aug 26, 2013
            Grant:
            > >> SUBJECT: Delivery status notification
            > >> This is an automatically generated Delivery Status Notification.
            > >> Delivery to the following recipients was aborted after 7 second(s):
            > >> MASKED@...
            > >
            > > If you want that mail, whitelist them,
            >
            > They should already be whitelisted through my use of list.dnswl.org.

            Your SMTP server replied with 450. Either your configuration is
            wrong, or some DNS lookups time out. Note the above text says:

            Delivery to the following recipients was aborted after 7 second(s)

            This could be a symptom of DNS lookup timeout.

            > I also have several of these:
            >
            > lost connection with mx1.comcast.net[68.87.26.147] while receiving the
            > initial server greeting
            > conversation with mx1.comcast.net[68.87.26.147] timed out while
            > receiving the initial server greeting

            Your SMTP *client* also has problems. Consider monitoring your
            packet loss rate. I run "mtr" from a cron job.

            Wietse
          • Grant
            Message 5 of 23 , Aug 26, 2013
              >> >> SUBJECT: Delivery status notification
              >> >> This is an automatically generated Delivery Status Notification.
              >> >> Delivery to the following recipients was aborted after 7 second(s):
              >> >> MASKED@...
              >> >
              >> > If you want that mail, whitelist them,
              >>
              >> They should already be whitelisted through my use of list.dnswl.org.
              >
              > Your SMTP server replied with 450. Either your configuration is
              > wrong, or some DNS lookups time out. Note the above text says:
              >
              > Delivery to the following recipients was aborted after 7 second(s)
              >
              > This could be a symptom of DNS lookup timeout.

              Something must be wrong with my config. In my log I can see that
              postfix is returning 450 to many more comcast.net messages than it's
              delivering. It doesn't make sense for DNS to be timing out the vast
              majority of the time. I use a reputable DNS provider. Should the
              whitelist be indicated anywhere in the log? I'm on
              postfix-2.11_pre20130818. Here's my config:

              main.cf:
              smtpd_recipient_restrictions =
              reject_unauth_destination,
              permit
              postscreen_greet_action = enforce
              postscreen_pipelining_enable = yes
              postscreen_pipelining_action = enforce
              postscreen_non_smtp_command_enable = yes
              postscreen_non_smtp_command_action = enforce
              postscreen_bare_newline_enable = yes
              postscreen_bare_newline_action = enforce
              postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
              postscreen_dnsbl_whitelist_threshold = -1
              smtpd_tls_security_level = may
              smtpd_tls_auth_only = yes

              master.cf:
              smtp inet n - n - 1 postscreen
              smtpd pass - - n - - smtpd
              tlsproxy unix - - n - 0 tlsproxy
              submission inet n - n - - smtpd
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_recipient_restrictions=
              -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

              >> I also have several of these:
              >>
              >> lost connection with mx1.comcast.net[68.87.26.147] while receiving the
              >> initial server greeting
              >> conversation with mx1.comcast.net[68.87.26.147] timed out while
              >> receiving the initial server greeting
              >
              > Your SMTP *client* also has problems. Consider monitoring your
              > packet loss rate. I run "mtr" from a cron job.

              Is it the sender's SMTP client that has problems?

              - Grant
              • Wietse Venema
                Message 7 of 23 , Aug 26, 2013
                  Grant:
                  > >> >> SUBJECT: Delivery status notification
                  > >> >> This is an automatically generated Delivery Status Notification.
                  > >> >> Delivery to the following recipients was aborted after 7 second(s):
                  > >> >> MASKED@...
                  > >> >
                  > >> > If you want that mail, whitelist them,
                  > >>
                  > >> They should already be whitelisted through my use of list.dnswl.org.
                  > >
                  > > Your SMTP server replied with 450. Either your configuration is
                  > > wrong, or some DNS lookups time out. Note the above text says:
                  > >
                  > > Delivery to the following recipients was aborted after 7 second(s)
                  > >
                  > > This could be a symptom of DNS lookup timeout.
                  >
                  > Something must be wrong with my config. In my log I can see that
                  > postfix is returning 450 to many more comcast.net messages than it's

                  Please show "postconf -n" command output (not cut-and-paste from
                  main.cf).

                  Please show one complete logfile record from "connect from" until
                  "reject" that demonstrates the problem (you may anonymize the email
                  address).

                  > >> I also have several of these:
                  > >>
                  > >> lost connection with mx1.comcast.net[68.87.26.147] while receiving the
                  > >> initial server greeting
                  > >> conversation with mx1.comcast.net[68.87.26.147] timed out while
                  > >> receiving the initial server greeting
                  > >
                  > > Your SMTP *client* also has problems. Consider monitoring your
                  > > packet loss rate. I run "mtr" from a cron job.
                  >
                  > Is it the sender's SMTP client that has problems?

                  Please show one complete logfile record (you may anonymize the email
                  address).

                  Wietse
                • Grant
                  Message 8 of 23 , Aug 27, 2013
                    >> >> >> SUBJECT: Delivery status notification
                    >> >> >> This is an automatically generated Delivery Status Notification.
                    >> >> >> Delivery to the following recipients was aborted after 7 second(s):
                    >> >> >> MASKED@...
                    >> >> >
                    >> >> > If you want that mail, whitelist them,
                    >> >>
                    >> >> They should already be whitelisted through my use of list.dnswl.org.
                    >> >
                    >> > Your SMTP server replied with 450. Either your configuration is
                    >> > wrong, or some DNS lookups time out. Note the above text says:
                    >> >
                    >> > Delivery to the following recipients was aborted after 7 second(s)
                    >> >
                    >> > This could be a symptom of DNS lookup timeout.
                    >>
                    >> Something must be wrong with my config. In my log I can see that
                    >> postfix is returning 450 to many more comcast.net messages than it's
                    >
                    > Please show "postconf -n" command output (not cut-and-paste from
                    > main.cf).

                    # postconf -n
                    command_directory = /usr/sbin
                    config_directory = /etc/postfix
                    daemon_directory = /usr/libexec/postfix
                    data_directory = /var/lib/postfix
                    debug_peer_level = 2
                    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                    ddd $daemon_directory/$process_name $process_id & sleep 5
                    home_mailbox = .maildir/
                    html_directory = no
                    inet_protocols = ipv4
                    mail_owner = postfix
                    mailq_path = /usr/bin/mailq
                    manpage_directory = /usr/share/man
                    message_size_limit = 40960000
                    mydestination = MASKED.com MASKED.com
                    myhostname = MASKED.com
                    mynetworks_style = host
                    newaliases_path = /usr/bin/newaliases
                    postscreen_bare_newline_action = enforce
                    postscreen_bare_newline_enable = yes
                    postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
                    postscreen_dnsbl_whitelist_threshold = -1
                    postscreen_greet_action = enforce
                    postscreen_non_smtp_command_action = enforce
                    postscreen_non_smtp_command_enable = yes
                    postscreen_pipelining_action = enforce
                    postscreen_pipelining_enable = yes
                    queue_directory = /var/spool/postfix
                    readme_directory = no
                    sample_directory = /etc/postfix
                    sendmail_path = /usr/sbin/sendmail
                    setgid_group = postdrop
                    smtpd_recipient_restrictions = reject_unauth_destination, permit
                    smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
                    smtpd_tls_auth_only = yes
                    smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
                    smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem
                    smtpd_tls_security_level = may
                    smtpd_tls_session_cache_timeout = 3600s
                    tls_random_source = dev:/dev/urandom
                    unknown_local_recipient_reject_code = 550
                    virtual_alias_maps = hash:/etc/postfix/virtual

                    > Please show one complete logfile record from "connect from" until
                    > "reject" that demonstrates the problem (you may anonymize the email
                    > address).

                    Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from [209.85.219.51]:41193
                    Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                    [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                    from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                    helo=<mail-oa0-f51.google.com>
                    Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193

                    The IP is whitelisted:

                    http://dnswl.org/s?s=209.85.219.51

                    >> >> I also have several of these:
                    >> >>
                    >> >> lost connection with mx1.comcast.net[68.87.26.147] while receiving the
                    >> >> initial server greeting
                    >> >> conversation with mx1.comcast.net[68.87.26.147] timed out while
                    >> >> receiving the initial server greeting
                    >> >
                    >> > Your SMTP *client* also has problems. Consider monitoring your
                    >> > packet loss rate. I run "mtr" from a cron job.
                    >>
                    >> Is it the sender's SMTP client that has problems?
                    >
                    > Please show one complete logfile record (you may anonymize the email
                    > address).

                    Aug 23 06:35:11 [postfix/smtp] 72A0E5C801E: conversation with
                    mx1.comcast.net[68.87.26.147] timed out while receiving the initial
                    server greeting
                    Aug 23 09:04:03 [postfix/smtp] 80A8A5C801E: lost connection with
                    mx1.comcast.net[68.87.26.147] while receiving the initial server
                    greeting

                    - Grant
                  • Wietse Venema
                    Message 9 of 23 , Aug 27, 2013
                      Grant:
                      > Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from [209.85.219.51]:41193
                      > Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                      > [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                      > from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                      > helo=<mail-oa0-f51.google.com>
                      > Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                      ...
                      > postscreen_bare_newline_enable = yes
                      > postscreen_non_smtp_command_enable = yes
                      > postscreen_pipelining_enable = yes

                      As documented, the above settings will cause Postfix to reject mail
                      with 4XX:

                      http://www.postfix.org/POSTSCREEN_README.html#after_220

                      > postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
                      > postscreen_dnsbl_whitelist_threshold = -1

                      This feature requires Postfix 2.11 snapshot 20130512 or later.
                      You can find out which version you have with:

                      postconf mail_version

                      > Aug 23 06:35:11 [postfix/smtp] 72A0E5C801E: conversation with
                      > mx1.comcast.net[68.87.26.147] timed out while receiving the initial
                      > server greeting
                      > Aug 23 09:04:03 [postfix/smtp] 80A8A5C801E: lost connection with
                      > mx1.comcast.net[68.87.26.147] while receiving the initial server
                      > greeting

                      These warnings are from your Postfix SMTP client.

                      Wietse
                    • /dev/rob0
                      Message 10 of 23 , Aug 27, 2013
                        On Tue, Aug 27, 2013 at 12:56:42AM -0700, Grant wrote:
                        > >> >> >> SUBJECT: Delivery status notification
                        > >> >> >> This is an automatically generated Delivery Status
                        > >> >> >> Notification. Delivery to the following recipients was
                        > >> >> >> aborted after 7 second(s): MASKED@...
                        > >> >> >
                        > >> >> > If you want that mail, whitelist them,
                        > >> >>
                        > >> >> They should already be whitelisted through my use of
                        > >> >> list.dnswl.org.
                        > >> >
                        > >> > Your SMTP server replied with 450. Either your configuration
                        > >> > is wrong, or some DNS lookups time out. Note the above text
                        > >> > says:
                        > >> >
                        > >> > Delivery to the following recipients was aborted after 7
                        > >> > second(s)
                        > >> >
                        > >> > This could be a symptom of DNS lookup timeout.

                        Indeed!

                        > > Please show one complete logfile record from "connect from"
                        > > until "reject" that demonstrates the problem (you may anonymize
                        > > the email address).
                        >
                        > Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from
                        > [209.85.219.51]:41193
                        > Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                        > [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                        > from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                        > helo=<mail-oa0-f51.google.com>
                        > Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                        >
                        > The IP is whitelisted:
                        >
                        > http://dnswl.org/s?s=209.85.219.51

                        Check again. Is the logging complete? Where are the dnsblog(8) log
                        entries? If this is in fact all the logging you got from this
                        connection, you're not getting your list.dnswl.org lookup.
                        --
                        http://rob0.nodns4.us/ -- system administration and consulting
                        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                      • Wietse Venema
                        Message 11 of 23 , Aug 27, 2013
                          /dev/rob0:
                          > > Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from
                          > > [209.85.219.51]:41193
                          > > Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                          > > [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                          > > from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                          > > helo=<mail-oa0-f51.google.com>
                          > > Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                          > >
                          > > The IP is whitelisted:
                          > >
                          > > http://dnswl.org/s?s=209.85.219.51
                          >
                          > Check again. Is the logging complete? Where are the dnsblog(8) log
                          > entries? If this is in fact all the logging you got from this
                          > connection, you're not getting your list.dnswl.org lookup.

                          Good point. dnsblog will be silent ONLY when list.dnswl.org replies
                          that the IP address is not listed (and perhaps when you send more
                          queries than your dnswl.org subscription allows).

                          Also the logging above is incomplete. You left out the CONNECT
                          logging from postscreen (and perhaps more).

                          For the complete postscreen/tlsproxy log:

                          grep '\[209.85.219.51\]:41193' the-maillog-file

                          for the dnsblog log

                          grep 'Aug 26 21:21.*dnsblog.*209.85.219.51'

                          Wietse
                        • Grant
                          Message 12 of 23 , Aug 30, 2013
                            >> Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from [209.85.219.51]:41193
                            >> Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                            >> [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                            >> from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                            >> helo=<mail-oa0-f51.google.com>
                            >> Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                            > ...
                            >> postscreen_bare_newline_enable = yes
                            >> postscreen_non_smtp_command_enable = yes
                            >> postscreen_pipelining_enable = yes
                            >
                            > As documented, the above settings will cause Postfix to reject mail
                            > with 4XX:
                            >
                            > http://www.postfix.org/POSTSCREEN_README.html#after_220

                            Yes but the issue is that the whitelist doesn't seem to be working.

                            >> postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
                            >> postscreen_dnsbl_whitelist_threshold = -1
                            >
                            > This feature requires Postfix 2.11 snapshot 20130512 or later.
                            > You can find out which version you have with:
                            >
                            > postconf mail_version

                            # postconf mail_version
                            mail_version = 2.11-20130818

                            >> Aug 23 06:35:11 [postfix/smtp] 72A0E5C801E: conversation with
                            >> mx1.comcast.net[68.87.26.147] timed out while receiving the initial
                            >> server greeting
                            >> Aug 23 09:04:03 [postfix/smtp] 80A8A5C801E: lost connection with
                            >> mx1.comcast.net[68.87.26.147] while receiving the initial server
                            >> greeting
                            >
                            > These warnings are from your Postfix SMTP client.

                            Do they necessarily indicate a problem with my postfix or could they
                            be due to a problem with the server on the other end?

                            - Grant
                          • Grant
                            Message 13 of 23 , Aug 30, 2013
                              >> > Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from
                              >> > [209.85.219.51]:41193
                              >> > Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                              >> > [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                              >> > from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                              >> > helo=<mail-oa0-f51.google.com>
                              >> > Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                              >> >
                              >> > The IP is whitelisted:
                              >> >
                              >> > http://dnswl.org/s?s=209.85.219.51
                              >>
                              >> Check again. Is the logging complete? Where are the dnsblog(8) log
                              >> entries? If this is in fact all the logging you got from this
                              >> connection, you're not getting your list.dnswl.org lookup.
                              >
                              > Good point. dnsblog will be silent ONLY when list.dnswl.org replies
                              > that the IP address is not listed (and perhaps when you send more
                              > queries than your dnswl.org subscription allows).
                              >
                              > Also the logging above is incomplete. You left out the CONNECT
                              > logging from postscreen (and perhaps more).
                              >
                              > For the complete postscreen/tlsproxy log:
                              >
                              > grep '\[209.85.219.51\]:41193' the-maillog-file

                              # grep '\[209.85.219.51\]:41193' -R /var/log/mail
                              Aug 26 21:21:29 [postfix/postscreen] CONNECT from
                              [209.85.219.51]:41193 to [MASKED]:25
                              Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from [209.85.219.51]:41193
                              Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                              [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                              from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                              helo=<mail-oa0-f51.google.com>
                              Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                              Aug 26 21:21:36 [postfix/postscreen] HANGUP after 0.1 from
                              [209.85.219.51]:41193 in tests after SMTP handshake
                              Aug 26 21:21:36 [postfix/postscreen] PASS NEW [209.85.219.51]:41193
                              Aug 26 21:21:36 [postfix/postscreen] DISCONNECT [209.85.219.51]:41193

                              > for the dnsblog log
                              >
                              > grep 'Aug 26 21:21.*dnsblog.*209.85.219.51'

                              # grep '.*dnsblog.*209.85.219.51' -R /var/log/mail
                              #

                              I grep'ed the mail logs for dnsblog and got a huge number of these:

                              [postfix/postscreen] warning: psc_dnsbl_request: connect to
                              private/dnsblog service: No such file or directory

                              - Grant
                            • Noel Jones
                              Message 14 of 23 , Aug 30, 2013
                                On 8/30/2013 3:44 AM, Grant wrote:
                                >
                                > I grep'ed the mail logs for dnsblog and got a huge number of these:
                                >
                                > [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                > private/dnsblog service: No such file or directory

                                Looks as if you've found the problem.

                                Make sure your master.cf has an entry like:

                                dnsblog unix - - n - 0 dnsblog




                                -- Noel Jones
                              • Wietse Venema
                                Message 15 of 23 , Aug 30, 2013
                                  Grant:
                                  > >> Aug 26 21:21:35 [postfix/tlsproxy] CONNECT from [209.85.219.51]:41193
                                  > >> Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from
                                  > >> [209.85.219.51]:41193: 450 4.3.2 Service currently unavailable;
                                  > >> from=<MASKED@...>, to=<MASKED@...>, proto=ESMTP,
                                  > >> helo=<mail-oa0-f51.google.com>
                                  > >> Aug 26 21:21:36 [postfix/tlsproxy] DISCONNECT [209.85.219.51]:41193
                                  > > ...
                                  > >> postscreen_bare_newline_enable = yes
                                  > >> postscreen_non_smtp_command_enable = yes
                                  > >> postscreen_pipelining_enable = yes
                                  > >
                                  > > As documented, the above settings will cause Postfix to reject mail
                                  > > with 4XX:
                                  > >
                                  > > http://www.postfix.org/POSTSCREEN_README.html#after_220
                                  >
                                  > Yes but the issue is that the whitelist doesn't seem to be working.

                                  Where is the dnsblog logging? dnsblog will complain if the reply
                                  does not arrive, or if it arrives too late.

                                  grep 209.85.219.51 the-maillog-file

                                  Where is the postscreen logging *before* tlsproxy's CONNECT event?

                                  grep 209.85.219.51.:41193 the maillog file

                                  Why don't you provide the information that you have been asked for?

                                  Wietse
                                • Grant
                                  Message 16 of 23 , Aug 30, 2013
                                    >> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                    >>
                                    >> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                    >> private/dnsblog service: No such file or directory
                                    >
                                    > Looks as if you've found the problem.
                                    >
                                    > Make sure your master.cf has an entry like:
                                    >
                                    > dnsblog unix - - n - 0 dnsblog

                                    Thank you. I added it and restarted postfix and started to get errors
                                    like these:

                                    [postfix/dnsblog] warning: dnsblog_query: lookup error for DNS query
                                    MASKED.list.dnswl.org: Host or domain name not found. Name service
                                    error for name=MASKED.list.dnswl.org type=A: Host not found, try again

                                    I did some searching and I think this was due to my use of Google's
                                    DNS resolvers (8.8.8.8 and 8.8.4.4). I added my host's DNS resolver
                                    first in the list and the errors seem to have stopped. Is that a good
                                    config?

                                    I also read a recommendation to set up a caching nameserver like
                                    unbound on the same machine as postfix. Is that the right thing to
                                    do?

                                    Is there a way to verify that everything is working properly?

                                    - Grant
                                  • Noel Jones
                                    Message 17 of 23 , Aug 30, 2013
                                      On 8/30/2013 2:27 PM, Grant wrote:
                                      >>> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                      >>>
                                      >>> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                      >>> private/dnsblog service: No such file or directory
                                      >>
                                      >> Looks as if you've found the problem.
                                      >>
                                      >> Make sure your master.cf has an entry like:
                                      >>
                                      >> dnsblog unix - - n - 0 dnsblog
                                      >
                                      > Thank you. I added it and restarted postfix and started to get errors
                                      > like these:

                                      Postfix always adds missing master.cf entries automatically as part
                                      of the upgrade procedure. You can break this by restoring an old
                                      file after the upgrade.


                                      >
                                      > [postfix/dnsblog] warning: dnsblog_query: lookup error for DNS query
                                      > MASKED.list.dnswl.org: Host or domain name not found. Name service
                                      > error for name=MASKED.list.dnswl.org type=A: Host not found, try again
                                      >
                                      > I did some searching and I think this was due to my use of Google's
                                      > DNS resolvers (8.8.8.8 and 8.8.4.4). I added my host's DNS resolver
                                      > first in the list and the errors seem to have stopped. Is that a good
                                      > config?

                                      Yes, good. Many public DNS servers are denied access by RBL
                                      providers due to excessive query load.

                                      Using your own DNS is the proper solution.

                                      >
                                      > I also read a recommendation to set up a caching nameserver like
                                      > unbound on the same machine as postfix. Is that the right thing to
                                      > do?

                                      A local caching nameserver is highly recommended. If you already
                                      have one that's working OK, there's no pressing need to replace it.


                                      >
                                      > Is there a way to verify that everything is working properly?

                                      Watch the logs for errors or unexpected behavior.




                                      -- Noel Jones
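One way to act on "watch the logs", as an added example that is not part of the original thread: a Python scan that counts the two warning signatures quoted above and lists clients deferred with 450 4.3.2 for which dnsblog logged no listing. The function name `scan`, the sample log and its documentation-range addresses are constructed; the dnsblog "addr ... listed by domain ..." line is assumed to follow Postfix's usual format.

```python
import re

# Constructed sample in the bracketed syslog layout quoted in this thread
# (one event per line; the mail archive wrapped the originals).
# All addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Aug 26 21:21:29 [postfix/postscreen] CONNECT from [192.0.2.10]:41193 to [198.51.100.1]:25
Aug 26 21:21:29 [postfix/postscreen] warning: psc_dnsbl_request: connect to private/dnsblog service: No such file or directory
Aug 26 21:21:36 [postfix/postscreen] NOQUEUE: reject: RCPT from [192.0.2.10]:41193: 450 4.3.2 Service currently unavailable; from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mx.example.org>
Aug 30 19:20:01 [postfix/postscreen] CONNECT from [192.0.2.20]:50000 to [198.51.100.1]:25
Aug 30 19:20:01 [postfix/dnsblog] warning: dnsblog_query: lookup error for DNS query 20.2.0.192.list.dnswl.org: Host or domain name not found. Name service error for name=20.2.0.192.list.dnswl.org type=A: Host not found, try again
Sep  1 09:00:00 [postfix/postscreen] CONNECT from [192.0.2.30]:40000 to [198.51.100.1]:25
Sep  1 09:00:00 [postfix/dnsblog] addr 192.0.2.30 listed by domain list.dnswl.org as 127.0.5.0
Sep  1 09:00:00 [postfix/postscreen] PASS NEW [192.0.2.30]:40000
Sep  1 09:05:00 [postfix/postscreen] CONNECT from [192.0.2.40]:3302 to [198.51.100.1]:25
Sep  1 09:05:06 [postfix/postscreen] NOQUEUE: reject: RCPT from [192.0.2.40]:3302: 450 4.3.2 Service currently unavailable; from=<c@example.org>, to=<b@example.net>, proto=ESMTP, helo=<example.org>
"""

# Matches both "[postfix/postscreen] msg" (layout in this thread) and the
# common "postfix/postscreen[1234]: msg" layout.
LINE_RE = re.compile(r"postfix/(\w+)(?:\[\d+\]:|\])\s+(.*)")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \[([^\]]+)\]:\d+: 450 4\.3\.2 ")
LISTED_RE = re.compile(r"addr (\S+) listed by domain (\S+) as (\S+)")


def scan(log_text):
    """Summarise postscreen/dnsblog health from mail log text."""
    unreachable = 0      # postscreen could not reach the dnsblog service
    lookup_errors = 0    # dnsblog reached, but the DNS query failed
    listed = {}          # client IP -> list of DNSBL/DNSWL domains that answered
    deferred = set()     # client IPs that got 450 4.3.2 from postscreen

    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        daemon, msg = m.groups()
        if daemon == "postscreen":
            if "psc_dnsbl_request: connect to private/dnsblog service" in msg:
                unreachable += 1
                continue
            hit = REJECT_RE.search(msg)
            if hit:
                deferred.add(hit.group(1))
        elif daemon == "dnsblog":
            if "dnsblog_query: lookup error" in msg:
                lookup_errors += 1
                continue
            hit = LISTED_RE.search(msg)
            if hit:
                listed.setdefault(hit.group(1), []).append(hit.group(2))

    return {
        "dnsblog_unreachable": unreachable,
        "dns_lookup_errors": lookup_errors,
        "listed": listed,
        # Deferred clients with no dnsblog answer: either genuinely unlisted,
        # or (when the counters above are non-zero) never looked up at all.
        "deferred_without_dnsbl_reply": sorted(ip for ip in deferred if ip not in listed),
        "lookups_healthy": unreachable == 0 and lookup_errors == 0,
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(key, "=", value)
```

A non-zero `dnsblog_unreachable` or `dns_lookup_errors` count means the deferrals listed next to it cannot be trusted as "not whitelisted".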
                                    • James Griffin
                                      Message 18 of 23 , Aug 31, 2013
                                        !-- On Fri 30.Aug'13 at 20:27:43 BST, Grant (emailgrant@...), wrote:
                                        > >> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                        > >>
                                        > >> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                        > >> private/dnsblog service: No such file or directory
                                        > >
                                        > > Looks as if you've found the problem.
                                        > >
                                        > > Make sure your master.cf has an entry like:
                                        > >
                                        > > dnsblog unix - - n - 0 dnsblog
                                        >
                                        > Thank you. I added it and restarted postfix and started to get errors
                                        > like these:
                                        >
                                        > [postfix/dnsblog] warning: dnsblog_query: lookup error for DNS query
                                        > MASKED.list.dnswl.org: Host or domain name not found. Name service
                                        > error for name=MASKED.list.dnswl.org type=A: Host not found, try again
                                        >
                                        > I did some searching and I think this was due to my use of Google's
                                        > DNS resolvers (8.8.8.8 and 8.8.4.4). I added my host's DNS resolver
                                        > first in the list and the errors seem to have stopped. Is that a good
                                        > config?
                                        >
                                        > I also read a recommendation to set up a caching nameserver like
                                        > unbound on the same machine as postfix. Is that the right thing to
                                        > do?
                                        >
                                        > Is there a way to verify that everything is working properly?
                                        >
                                        > - Grant


                                        Using a local DNS server has worked brilliantly for me. It's trivial to
                                        set up and provides excellent benefits.

                                        --


                                        James Griffin: jmz at kontrol.kode5.net

                                        A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
                                      • Grant
                                        Message 19 of 23 , Sep 1, 2013
                                          >>>> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                          >>>>
                                          >>>> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                          >>>> private/dnsblog service: No such file or directory
                                          >>>
                                          >>> Looks as if you've found the problem.
                                          >>>
                                          >>> Make sure your master.cf has an entry like:
                                          >>>
                                          >>> dnsblog unix - - n - 0 dnsblog
                                          >>
                                          >> Thank you. I added it and restarted postfix and started to get errors
                                          >> like these:
                                          >
                                          > Postfix always adds missing master.cf entries automatically as part
                                          > of the upgrade procedure. You can break this by restoring an old
                                          > file after the upgrade.

                                          I'm on Gentoo and I use the etc-update script to update config files
                                          after upgrading. Should dnsblog be uncommented in a default
                                          master.cf? If so I may need to file a Gentoo bug.

                                          >> Is there a way to verify that everything is working properly?
                                          >
                                          > Watch the logs for errors or unexpected behavior.

                                          I see that the following message received a 450. The IP is not listed
                                          at dnswl.org and when I look it up it appears to come from China. Is
                                          this a spoof?

                                          NOQUEUE: reject: RCPT from [183.8.195.26]:3302: 450 4.3.2 Service
                                          currently unavailable; from=<MASKED@...>,
                                          to=<MASKED@...>, proto=ESMTP, helo=<gmail.com>

                                          - Grant
                                        • James Griffin
                                          Message 20 of 23 , Sep 1, 2013
                                            !-- On Sun 1.Sep'13 at 9:52:50 BST, Grant (emailgrant@...), wrote:
                                            > >>>> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                            > >>>>
                                            > >>>> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                            > >>>> private/dnsblog service: No such file or directory
                                            > >>>
                                            > >>> Looks as if you've found the problem.
                                            > >>>
                                            > >>> Make sure your master.cf has an entry like:
                                            > >>>
                                            > >>> dnsblog unix - - n - 0 dnsblog
                                            > >>
                                            > >> Thank you. I added it and restarted postfix and started to get errors
                                            > >> like these:
                                            > >
                                            > > Postfix always adds missing master.cf entries automatically as part
                                            > > of the upgrade procedure. You can break this by restoring an old
                                            > > file after the upgrade.
                                            >
                                            > I'm on Gentoo and I use the etc-update script to update config files
                                            > after upgrading. Should dnsblog be uncommented in a default
                                            > master.cf? If so I may need to file a Gentoo bug.
                                            >
                                            > >> Is there a way to verify that everything is working properly?
                                            > >
                                            > > Watch the logs for errors or unexpected behavior.
                                            >
                                            > I see that the following message received a 450. The IP is not listed
                                            > at dnswl.org and when I look it up it appears to come from China. Is
                                            > this a spoof?
                                            >
                                            > NOQUEUE: reject: RCPT from [183.8.195.26]:3302: 450 4.3.2 Service
                                            > currently unavailable; from=<MASKED@...>,
                                            > to=<MASKED@...>, proto=ESMTP, helo=<gmail.com>

                                            The ip 183.8.195.26 is certainly a spammer. Just looked it up using whois
                                            and host(1).

                                            --


                                            James Griffin: jmz at kontrol.kode5.net

                                            A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
                                          • Grant
                                            Message 21 of 23 , Sep 1, 2013
                                              >> >>>> I grep'ed the mail logs for dnsblog and got a huge number of these:
                                              >> >>>>
                                              >> >>>> [postfix/postscreen] warning: psc_dnsbl_request: connect to
                                              >> >>>> private/dnsblog service: No such file or directory
                                              >> >>>
                                              >> >>> Looks as if you've found the problem.
                                              >> >>>
                                              >> >>> Make sure your master.cf has an entry like:
                                              >> >>>
                                              >> >>> dnsblog unix - - n - 0 dnsblog
                                              >> >>
                                              >> >> Thank you. I added it and restarted postfix and started to get errors
                                              >> >> like these:
                                              >> >
                                              >> > Postfix always adds missing master.cf entries automatically as part
                                              >> > of the upgrade procedure. You can break this by restoring an old
                                              >> > file after the upgrade.
                                              >>
                                              >> I'm on Gentoo and I use the etc-update script to update config files
                                              >> after upgrading. Should dnsblog be uncommented in a default
                                              >> master.cf? If so I may need to file a Gentoo bug.
                                              >>
                                              >> >> Is there a way to verify that everything is working properly?
                                              >> >
                                              >> > Watch the logs for errors or unexpected behavior.
                                              >>
                                              >> I see that the following message received a 450. The IP is not listed
                                              >> at dnswl.org and when I look it up it appears to come from China. Is
                                              >> this a spoof?
                                              >>
                                              >> NOQUEUE: reject: RCPT from [183.8.195.26]:3302: 450 4.3.2 Service
                                              >> currently unavailable; from=<MASKED@...>,
                                              >> to=<MASKED@...>, proto=ESMTP, helo=<gmail.com>
                                              >
                                              > The ip 183.8.195.26 is certainly a spammer. Just looked it up using whois
                                              > and host(1).

                                              Thanks James. This is all very cool. A blacklist (zen.spamhaus.org),
                                              a whitelist (list.dnswl.org), and a "greylist". 2.11 looks to be a
                                              fantastic release for easily-configured anti-spam measures. I'm just
                                              not getting spam anymore and I don't think I'm rejecting legitimate
                                              mail either.

                                              Thanks to all,
                                              Grant
                                            • Wietse Venema
                                              Message 22 of 23 , Sep 1, 2013
                                                Grant:
                                                > I'm on Gentoo and I use the etc-update script to update config files
                                                > after upgrading. Should dnsblog be uncommented in a default
                                                > master.cf? If so I may need to file a Gentoo bug.

                                                As distributed by me, the 'inet' smtpd service is active, and all
                                                postscreen-related services are commented out.

                                                smtp inet n - n - - smtpd
                                                #smtp inet n - n - 1 postscreen
                                                #smtpd pass - - n - - smtpd
                                                #dnsblog unix - - n - 0 dnsblog
                                                #tlsproxy unix - - n - 0 tlsproxy

                                                As documented, when you turn on postscreen you turn off the 'inet'
                                                smtpd service and turn on all the postscreen-related services:

                                                #smtp inet n - n - - smtpd
                                                smtp inet n - n - 1 postscreen
                                                smtpd pass - - n - - smtpd
                                                dnsblog unix - - n - 0 dnsblog
                                                tlsproxy unix - - n - 0 tlsproxy

                                                Details in http://www.postfix.org/POSTSCREEN_README.html#config

                                                Wietse
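The rule in the message above (postscreen on means the plain 'inet' smtpd entry off and all helper services on) can be checked mechanically. The following Python check is an added example, not Postfix's own tooling or code from the thread: `parse_master_cf` and `check_postscreen` are hypothetical names, `BROKEN` is constructed to match the "connect to private/dnsblog service" symptom reported earlier, and the `-o` continuation line in `ENABLED` is constructed to exercise line folding.

```python
# master.cf entry fields, in order:
# service type private unpriv chroot wakeup maxproc command [args]

# Helper services from the list quoted above: (service, type) -> command.
REQUIRED = {
    ("smtpd", "pass"): "smtpd",
    ("dnsblog", "unix"): "dnsblog",
    ("tlsproxy", "unix"): "tlsproxy",
}

# Stock layout as quoted in the thread: postscreen services commented out.
STOCK = """\
smtp      inet  n       -       n       -       -       smtpd
#smtp     inet  n       -       n       -       1       postscreen
#smtpd    pass  -       -       n       -       -       smtpd
#dnsblog  unix  -       -       n       -       0       dnsblog
#tlsproxy unix  -       -       n       -       0       tlsproxy
"""

# postscreen fully enabled; the indented -o line is a constructed continuation.
ENABLED = """\
#smtp     inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
"""

# Constructed: postscreen enabled but dnsblog left commented out.
BROKEN = ENABLED.replace("dnsblog   unix", "#dnsblog  unix")


def parse_master_cf(text):
    """Return the active (uncommented) entries of a master.cf file."""
    logical = []
    for raw in text.splitlines():
        # Blank lines and lines whose first non-blank character is '#' are ignored.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # A line that starts with whitespace continues the previous entry.
        if raw[0].isspace():
            if logical:
                logical[-1] += " " + raw.strip()
            continue
        logical.append(raw.strip())

    entries = []
    for line in logical:
        fields = line.split()
        if len(fields) >= 8:
            entries.append({"service": fields[0], "type": fields[1],
                            "command": fields[7], "args": fields[8:]})
    return entries


def check_postscreen(text):
    """Return a list of problems; empty if postscreen is off or consistently on."""
    entries = parse_master_cf(text)
    screened = [e for e in entries if e["command"] == "postscreen"]
    if not screened:
        return []  # postscreen not enabled, nothing to cross-check

    problems = []
    for ps in screened:
        for e in entries:
            same_port = (e["service"], e["type"]) == (ps["service"], ps["type"])
            if same_port and e["command"] != "postscreen":
                problems.append("conflict: %s %s runs both postscreen and %s"
                                % (e["service"], e["type"], e["command"]))
    for (service, kind), command in REQUIRED.items():
        present = any((e["service"], e["type"], e["command"]) == (service, kind, command)
                      for e in entries)
        if not present:
            problems.append("missing: %s %s service running %s" % (service, kind, command))
    return problems


if __name__ == "__main__":
    for name, cfg in (("STOCK", STOCK), ("ENABLED", ENABLED), ("BROKEN", BROKEN)):
        print(name, check_postscreen(cfg) or "ok")
```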
                                              • Grant
                                                Message 23 of 23 , Sep 1, 2013
                                                  > Grant:
                                                  >> I'm on Gentoo and I use the etc-update script to update config files
                                                  >> after upgrading. Should dnsblog be uncommented in a default
                                                  >> master.cf? If so I may need to file a Gentoo bug.
                                                  >
                                                  > As distributed by me, the 'inet' smtpd service is active, and all
                                                  > postscreen-related services are commented out.
                                                  >
                                                  > smtp inet n - n - - smtpd
                                                  > #smtp inet n - n - 1 postscreen
                                                  > #smtpd pass - - n - - smtpd
                                                  > #dnsblog unix - - n - 0 dnsblog
                                                  > #tlsproxy unix - - n - 0 tlsproxy
                                                  >
                                                  > As documented, when you turn on postscreen you turn off the 'inet'
                                                  > smtpd service and turn on all the postscreen-related services:
                                                  >
                                                  > #smtp inet n - n - - smtpd
                                                  > smtp inet n - n - 1 postscreen
                                                  > smtpd pass - - n - - smtpd
                                                  > dnsblog unix - - n - 0 dnsblog
                                                  > tlsproxy unix - - n - 0 tlsproxy
                                                  >
                                                  > Details in http://www.postfix.org/POSTSCREEN_README.html#config

                                                  Understood. In that case I don't think Gentoo's config updater is
                                                  meant to handle this sort of thing (conditionals) and no bug report
                                                  there is necessary.

                                                  - Grant