First in reply to. .
... cannot find your hostname
Optional to add:
unknown_hostname_reject_code = 550
but if you have DNS problems, everything gets rejected, as Wietse already told
you... but I think, so what, the sender does get the NDR, he can send
again, but that's a choice. And think carefully about it.
Optional Add:
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550
And this is the best trick of all imo.
Set up Postfix with postscreen with multiple RBLs (make sure you use Postfix
2.10+).
Like:
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.anonmails.de
    dnsbl.kempt.net
    dnsbl.inps.de
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
    bl.suomispam.net
    bad.psky.me
Now create a fail2ban filter postfix-dnsblog.conf with:
[INCLUDES]
before = common.conf

[Definition]
failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
            addr <HOST> listed by domain
and enable it.
Let it trigger on 1 hit. I have set the ban time to 1 week; if they come back,
this time is extended with a week.. :-)
Result: you save CPU time and resources, offload the DNS servers and reduce the
DNS queries to the blocklist servers.
And optional the postscreen_dnsbl_reply_map.pcre file
!/^zen\.spamhaus\.org$/ multiple DNS-based blocklists, see http://multirbl.valli.org/
Also I added a caching DNS server on localhost. I have 3 forwarding DNS IP
numbers with 3 different providers to reduce the chance of DNS problems.
This works very very good for me, until now no errors, running a year with this
setup now.
Last one to help out against spam.
Add this to your DNS (make sure tarbaby is the highest MX).
MX 30 tarbaby.junkemailfilter.com.
The guys at junkemailfilter.com check if the lower MXs are up, and so we help
in detecting spamming servers.
Read more about it here.
http://wiki.junkemailfilter.com/index.php/Project_tarbaby
The junkemailfilter is used in my spamassassin.
Greetz,
Louis
> -----Original message-----
> From: [email protected] [mailto:[email protected]]
> On behalf of Bill Shirley
> Sent: Friday, 5 February 2016 5:21
> To: [email protected]
> Subject: Re: Change Temporary failure in name resolution response code
>
> You might want to have a look at fail2ban. It monitors log files and
> blocks the offender by inserting an iptables DROP entry.
>
> I block a lot of spammers this way. I wouldn't think of running a mail
> server without it.
>
> Bill
>
>
> On 2/4/2016 4:10 PM, Inteq Solution - Dep. Tehnic wrote:
> > Thank you Wietse,
> >
> > 450 it is then.
> >
> >
> >
> >
> >
> >
> > Razvan Constantin
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Wietse Venema
> > Sent: Thursday, February 04, 2016 11:06 PM
> > To: Postfix users
> > Subject: Re: Change Temporary failure in name resolution response code
> >
> > Inteq Solution - Dep. Tehnic:
> >> "The unknown_client_reject_code parameter specifies the response code
> >> for rejected requests (default: 450). The reply is always 450 in case
> >> the
> >> address->name or name->address lookup failed due to a temporary
> problem."
> >>
> >> But is there a way to change this behaviour to 550/554?
> > No. You would lose mail whenever DNS times out, and that would be worse
> than
> > having some client retry repeatedly. Unless you are running Postfix in a
> > very limited environment, repeated retries from one system should not be
> a
> > problem.
> >
> >> This situation is not exactly temporary and it is happening for over a
> >> month. I could just forget about it, but this server's retry is very
> >> very low.
> > Postfix considers timeouts as a temporary error. Handling them as a hard
> > error would do more harm than good. But I repeat myself.
> >
> > Wietse
> >
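
An added example, not part of the original post and not fail2ban's own code: it replays the two failregex patterns from the postfix-dnsblog.conf filter over constructed log lines and reports which hosts a one-hit ban would catch, including hosts listed only by a negative-weight (whitelist) entry such as swl.spamhaus.org*-4. The IPv4-only `<HOST>` stand-in, the function names and the log lines are assumptions made for illustration.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two failregex lines from the filter in the post, with <HOST> substituted.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"client \[<HOST>\] blocked using multiple DNS-based blocklists",
    r"addr <HOST> listed by domain",
)]
DOMAIN = re.compile(r"listed by domain (\S+)")

# Excerpt of the postscreen_dnsbl_sites value from the post.
SITES = "zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spamcop.net swl.spamhaus.org*-4"

# Constructed log lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    "postfix/dnsblog[2101]: addr 192.0.2.10 listed by domain b.barracudacentral.org as 127.0.0.2",
    "postfix/postscreen[2100]: NOQUEUE: reject: RCPT from [192.0.2.10]:51234: 550 5.7.1 "
    "Service unavailable; client [192.0.2.10] blocked using multiple DNS-based blocklists, "
    "see http://multirbl.valli.org/; from=<a@example.com>, to=<b@example.org>",
    "postfix/dnsblog[2101]: addr 198.51.100.7 listed by domain swl.spamhaus.org as 127.0.2.2",
    "postfix/postscreen[2100]: CONNECT from [203.0.113.5]:40000 to [192.0.2.1]:25",
]

def parse_sites(value):
    """Map each DNSBL domain to its postscreen weight (default 1)."""
    weights = {}
    for entry in re.split(r"[,\s]+", value.strip()):
        name, _, weight = entry.partition("*")
        weights[name.split("=")[0]] = int(weight) if weight else 1
    return weights

def audit(lines, weights):
    """Return {host: set of reasons} for every line the filter would match."""
    hits = {}
    for line in lines:
        for rx in FAILREGEX:
            m = rx.search(line)
            if not m:
                continue
            d = DOMAIN.search(line)
            reason = "reject"  # postscreen reject line, no DNSBL domain logged
            if d:
                reason = "whitelist" if weights.get(d.group(1), 1) < 0 else "blacklist"
            hits.setdefault(m.group("host"), set()).add(reason)
    return hits

def whitelist_only(hits):
    """Hosts a one-hit ban would block on whitelist evidence alone."""
    return sorted(h for h, reasons in hits.items() if reasons == {"whitelist"})
```

Running `whitelist_only(audit(SAMPLE_LOG, parse_sites(SITES)))` on a real mail log shows whether the second pattern is banning senders that postscreen itself scored as trusted.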