On 08.10.2025 18:17, Bill Cole via Postfix-users wrote:
> On 2025-10-08 at 11:19:00 UTC-0400 (Wed, 8 Oct 2025 17:19:00 +0200)
> Peter Milesson via Postfix-users <[email protected]>
> is rumored to have said:
>
>> Hi folks,
>>
>> I have noted that a dnsbl check is frequently run, even if the
>> pregreet conditions drop the connection. See log excerpt below.
>>
>> 2025-10-05T00:22:58.444975+02:00 smtpsrv postfix/postscreen[320455]: PREGREET 11 after 0.02 from [196.251.92.11]:50682: EHLO User\r\n
>> 2025-10-05T00:22:58.445051+02:00 smtpsrv postfix/postscreen[320455]: DISCONNECT [196.251.92.11]:50682
>> 2025-10-05T00:22:58.488851+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.9
>> 2025-10-05T00:22:58.488998+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.2
>> 2025-10-05T00:22:58.489045+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.4
>> 2025-10-05T00:22:58.489088+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.3
>>
>> 2025-10-06T09:09:29.134376+02:00 smtpsrv postfix/postscreen[381257]: PREGREET 13 after 0.02 from [93.123.109.186]:53847: EHLO tPb7ss\r\n
>> 2025-10-06T09:09:29.134552+02:00 smtpsrv postfix/postscreen[381257]: DISCONNECT [93.123.109.186]:53847
>> 2025-10-06T09:09:36.125046+02:00 smtpsrv postfix/postscreen[381257]: CONNECT from [93.123.109.186]:61379 to [192.168.0.113]:25
>> 2025-10-06T09:09:36.126785+02:00 smtpsrv postfix/dnsblog[381263]: addr 93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.3
>> 2025-10-06T09:09:36.126997+02:00 smtpsrv postfix/dnsblog[381261]: addr 93.123.109.186 listed by domain b.barracudacentral.org as 127.0.0.2
>> 2025-10-06T09:09:36.127033+02:00 smtpsrv postfix/dnsblog[381263]: addr 93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.2
>> 2025-10-06T09:09:36.127061+02:00 smtpsrv postfix/dnsblog[381263]: addr 93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.9
>> 2025-10-06T09:09:36.127087+02:00 smtpsrv postfix/dnsblog[381263]: addr 93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.4
>>
>> IMHO, it seems a bit superfluous, as the connection is already dead
>> when the dnsbl results arrive. The pregreet drops the connection very
>> quickly, mostly within 20 - 30 ms.
>
> Which is possibly many ms after Postfix has sent off all the DNSBL
> queries.
>
>> Why not wait for the pregreet to terminate, before querying dnsbl?
>
> As Wietse has stated here many times (and as documented) postscreen is
> designed to shed the load of rapid-fire spambots, rather than to do
> anything that requires maintaining a lot of per-session state or
> serializing tasks that can easily be done in parallel.
>
> This ALSO means adding multiple seconds to every connection from
> non-spam senders whose IPs are not in the PASS cache. Right now they
> get 8s of PREGREET pause and then get passed along to smtpd, but with
> this change and DNS query speed as seen in your logs there would be an
> extra 4-7s additional. That is quite noticeable on a busy server.
>
>> With respect to the short delay for the pregreet test to return, it
>> should be completely unnoticeable if the dnsbl tests were run after
>> the pregreet.
>
> That is true for many PREGREET violators but not all, and for
> NON-PREGREET spambots with DNSBL listings it would be a significant
> extension of their session lifetimes since the default PREGREET
> timeout is 8s, far longer than DNSBL checks should be taking.
>
>> I don't consider it a problem, but clutters the log a bit, and
>> increases the network traffic somewhat. I'm just curious, as
>> everything works great.
>
> Since every well-run mail server has a caching DNS recursive resolver
> on the same machine or at worst the same physical LAN, the network
> traffic is not really a big issue. The log clutter is easily ignored.

Hi Bill,

Thanks for the explanation. It makes sense. Most spam senders seem to
have understood that it does not pay off to break standard behavior.
Those that are trapped by the pregreet rules are, however, recurring for
weeks or months. As long as they are trapped in the early stages of a
session, I'm satisfied.

Best regards,
Peter
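
The timing discussed in this thread can be measured from the log itself. The Python sketch below is an added example, not part of either poster's message and not Postfix code; it reads lines in the format of the quoted excerpt and reports DNSBL replies that were logged after a PREGREET session had already been disconnected. The function name and the rule that a new CONNECT from the same address starts a fresh session are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines taken from the log excerpt quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = r"""
2025-10-05T00:22:58.444975+02:00 smtpsrv postfix/postscreen[320455]: PREGREET 11 after 0.02 from [196.251.92.11]:50682: EHLO User\r\n
2025-10-05T00:22:58.445051+02:00 smtpsrv postfix/postscreen[320455]: DISCONNECT [196.251.92.11]:50682
2025-10-05T00:22:58.488851+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.9
2025-10-05T00:22:58.488998+02:00 smtpsrv postfix/dnsblog[320460]: addr 196.251.92.11 listed by domain zen.spamhaus.org as 127.0.0.2
2025-10-06T09:09:29.134376+02:00 smtpsrv postfix/postscreen[381257]: PREGREET 13 after 0.02 from [93.123.109.186]:53847: EHLO tPb7ss\r\n
2025-10-06T09:09:29.134552+02:00 smtpsrv postfix/postscreen[381257]: DISCONNECT [93.123.109.186]:53847
2025-10-06T09:09:36.125046+02:00 smtpsrv postfix/postscreen[381257]: CONNECT from [93.123.109.186]:61379 to [192.168.0.113]:25
2025-10-06T09:09:36.126785+02:00 smtpsrv postfix/dnsblog[381263]: addr 93.123.109.186 listed by domain zen.spamhaus.org as 127.0.0.3
"""

LINE = re.compile(r"^(?P<ts>\S+) \S+ postfix/(?P<prog>postscreen|dnsblog)\[\d+\]: (?P<msg>.*)$")
EVENT = re.compile(r"^(PREGREET|DISCONNECT|CONNECT)\b.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+")
LISTED = re.compile(r"^addr (?P<ip>\S+) listed by domain (?P<dom>\S+) as (?P<code>\S+)")

def late_dnsbl_replies(log_text):
    """Map client IP -> [(dnsbl domain, reply code, microseconds after DISCONNECT)]
    for dnsblog lines logged after a PREGREET session was already dropped."""
    state = {}  # ip -> "pregreet", the DISCONNECT datetime, or None
    late = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["prog"] == "postscreen":
            ev = EVENT.match(m["msg"])
            if not ev:
                continue
            kind, ip = ev[1], ev["ip"]
            if kind == "PREGREET":
                state[ip] = "pregreet"
            elif kind == "DISCONNECT" and state.get(ip) == "pregreet":
                state[ip] = ts  # session ended by the pregreet test
            else:
                state[ip] = None  # assumption: a new CONNECT starts a fresh session
            continue
        hit = LISTED.match(m["msg"])
        if hit and isinstance(state.get(hit["ip"]), datetime):
            lag_us = (ts - state[hit["ip"]]) // timedelta(microseconds=1)
            late.setdefault(hit["ip"], []).append((hit["dom"], hit["code"], lag_us))
    return late

if __name__ == "__main__":
    for ip, hits in late_dnsbl_replies(SAMPLE_LOG).items():
        for dom, code, lag_us in hits:
            print(f"{ip} {dom} {code} logged {lag_us / 1000:.3f} ms after DISCONNECT")
```

On these lines, only the first client is reported; the dnsblog reply for 93.123.109.186 follows a new CONNECT and is therefore counted against that later session.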