On 2025-10-08 at 11:19:00 UTC-0400 (Wed, 8 Oct 2025 17:19:00 +0200)
Peter Milesson via Postfix-users <[email protected]>
is rumored to have said:
Hi folks,
I have noted that a dnsbl check is frequently run, even if the
pregreet conditions drop the connection. See log excerpt below.
2025-10-05T00:22:58.444975+02:00 smtpsrv postfix/postscreen[320455]:
PREGREET 11 after 0.02 from [196.251.92.11]:50682: EHLO User\r\n
2025-10-05T00:22:58.445051+02:00 smtpsrv postfix/postscreen[320455]:
DISCONNECT [196.251.92.11]:50682
2025-10-05T00:22:58.488851+02:00 smtpsrv postfix/dnsblog[320460]: addr
196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.9
2025-10-05T00:22:58.488998+02:00 smtpsrv postfix/dnsblog[320460]: addr
196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.2
2025-10-05T00:22:58.489045+02:00 smtpsrv postfix/dnsblog[320460]: addr
196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.4
2025-10-05T00:22:58.489088+02:00 smtpsrv postfix/dnsblog[320460]: addr
196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.3
2025-10-06T09:09:29.134376+02:00 smtpsrv postfix/postscreen[381257]:
PREGREET 13 after 0.02 from [93.123.109.186]:53847: EHLO tPb7ss\r\n
2025-10-06T09:09:29.134552+02:00 smtpsrv postfix/postscreen[381257]:
DISCONNECT [93.123.109.186]:53847
2025-10-06T09:09:36.125046+02:00 smtpsrv postfix/postscreen[381257]:
CONNECT from [93.123.109.186]:61379 to [192.168.0.113]:25
2025-10-06T09:09:36.126785+02:00 smtpsrv postfix/dnsblog[381263]: addr
93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.3
2025-10-06T09:09:36.126997+02:00 smtpsrv postfix/dnsblog[381261]: addr
93.123.109.186 listed by domain b.barracudacentral.org as 127.0.0.2
2025-10-06T09:09:36.127033+02:00 smtpsrv postfix/dnsblog[381263]: addr
93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.2
2025-10-06T09:09:36.127061+02:00 smtpsrv postfix/dnsblog[381263]: addr
93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.9
2025-10-06T09:09:36.127087+02:00 smtpsrv postfix/dnsblog[381263]: addr
93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.4
IMHO, it seems a bit superfluous, as the connection is already dead
when the dnsbl results arrive. The pregreet drops the connection very
quickly, mostly within 20 - 30 ms.
Which is possibly many ms after Postfix has sent off all the DNSBL
queries.
Why not wait for the pregreet to terminate, before querying dnsbl?
As Wietse has stated here many times (and as documented) postscreen is
designed to shed the load of rapid-fire spambots, rather than to do
anything that requires maintaining a lot of per-session state or
serializing tasks that can easily be done in parallel.
This ALSO means adding multiple seconds to every connection from
non-spam senders whose IPs are not in the PASS cache. Right now they get
8s of PREGREET pause and then get passed along to smtpd, but with this
change and DNS query speed as seen in your logs there would be an extra
4-7s additional. That is quite noticeable on a busy server.
With respect to the short delay for the pregreet test to return, it
should be completely unnoticeable if the dnsbl tests were run after
the pregreet.
That is true for many PREGREET violators but not all, and for
NON-PREGREET spambots with DNSBL listings it would be a significant
extension of their session lifetimes since the default PREGREET timeout
is 8s, far longer than DNSBL checks should be taking.
I don't consider it a problem, but clutters the log a bit, and
increases the network traffic somewhat. I'm just curious, as
everything works great.
Since every well-run mail server has a caching DNS recursive resolver on
the same machine or at worst the same physical LAN, the network traffic
is not really a big issue. The log clutter is easily ignored.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
