On Fri, 22 Jan 2010, Stan Hoeppner wrote:

> My venting should be aimed at Spamhaus.  What they've done here is the opposite
> of transparency.  In the case of Google DNS, Spamhaus has pulled something a bit
> underhanded in my estimation.  They don't want people using Google DNS to query
> Spamhaus zones.  That's fine.  I have no problem with that.  But the way in
> which they have blocked access creates a silent discard on mail servers using
> Google DNS, or at least Postfix (I can't speak for other MTAs in this regard).
>
> What they should have done is reply with a code that actually generates a
> visible log error, so an admin, such as myself, can actually see that something
> is wrong.  Instead, all I got from my logs was silence.  Multiple months of that
> deafening silence finally prompted my action as I knew there had to be something
> wrong.

This is getting away from Postfix so I'll keep this part short but I'll take the opposite side. For Spamhaus to reply with anything other than NXDOMAIN risked some MTA rejecting the mail. For those resolvers they, for whatever reason, do not want to serve, a response that says "accept the mail" is the only logical response. Anything other than that or a specific reject reason (as encoded in an NXDOMAIN response) is undefined and could cause some MTA to incorrectly reject the mail.

When I first set up asking RBL lists, I periodically checked the logs to make sure they were working. Even today, I have a weekly cron job that gives me a report of RBL effectiveness (it's real crude - a simple grep piped to wc -l) and mails it to me. I don't trust that I have anything set up correctly until I see proof in my logs.

-- Larry Stone
   lston...@stonejongleux.com
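
The weekly log check described above, extended to count rejects per DNSBL zone and flag any configured zone with zero hits, which is how the silent failure discussed in this thread shows up in a report. This is an added example, not part of either poster's message: the zone dnsbl.example.net, the sample log lines and the function names are constructed, and the match assumes Postfix's default "blocked using <zone>" reject text.

```shell
#!/bin/sh
# Added example (not from the thread). Zone list and log lines are constructed.

# Print "zone count" for each configured DNSBL zone.
rbl_counts() {
    log=$1; shift
    for zone in "$@"; do
        # Postfix's default reject text reads "... blocked using <zone>; ...".
        # grep -c exits 1 on zero matches; "|| true" keeps that from aborting under set -e.
        n=$(grep -c -F "blocked using $zone;" "$log" || true)
        printf '%s %s\n' "$zone" "$n"
    done
}

# Print only the zones that never rejected anything in this log.
silent_zones() {
    rbl_counts "$@" | awk '$2 == 0 { print $1 }'
}

# Write a constructed sample log to the given path.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 18 03:12:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 18 03:12:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.net; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<h1.example.com>
Jan 19 11:40:17 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example.net; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<h2.example.com>
Jan 20 08:05:44 mx postfix/smtpd[2377]: disconnect from unknown[203.0.113.5]
EOF
}

# Stand-alone run over the constructed sample.
sample=$(mktemp)
make_sample_log "$sample"
rbl_counts "$sample" zen.spamhaus.org dnsbl.example.net
for z in $(silent_zones "$sample" zen.spamhaus.org dnsbl.example.net); do
    echo "WARNING: no rejects logged for $z; check the zone by hand"
done
rm -f "$sample"
```

A zero count is only a prompt to look: it can also mean a quiet week or an earlier restriction catching the same clients first.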
