Re: DNS RBL error
Original message
Date: Mon, 19 Apr 2010 20:52:57 -0500
From: Noel Jones <njo...@megan.vbhcs.org>
To: postfix-users@postfix.org
Subject: Re: DNS RBL error

> On 4/19/2010 8:22 PM, Steve wrote:
>> Original message
>> Date: Mon, 19 Apr 2010 21:03:51 -0400
>> From: donovan jeffrey j <dono...@beth.k12.pa.us>
>> To: Ralf Hildebrandt <ralf.hildebra...@charite.de>
>> CC: Postfix users <postfix-users@postfix.org>
>> Subject: Re: DNS RBL error
>>
>>> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
>>>> Rather test with: 2.0.0.127.zen.spamhaus.org which should return:
>>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
>>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
>>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>>>
>>> yes this is working now. question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network. should i move this MX server outside and use its public address in the config? inbound mail gets checked and relayed to a content filter on another server.
>>>
>>> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>>>
>>> or am i fine leaving it behind the NAT? to help fix the dns problem i want to run a cache only dns on the primary mx. Not sure i wanted that inside or outside. i'm leaning to outside. tips flames welcome
>>
>> You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP name servers then that caching will not necessarily help much if your ISP's NS are the problem. If this would be the case then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers.
>>
>> Something like that here below might be helpful to you:
>> --
>> zone spamhaus.org in {
>>     type forward;
>>     allow-query { 127.0.0.1; };
>>     forwarders {
>>         82.94.216.239;  // ns8.spamhaus.org
>>         194.82.174.6;   // ns20.ja.net
>>         149.20.58.65;   // ns.dns-oarc.net
>>         194.109.9.101;  // ns3.xs4all.nl
>>         207.241.224.5;  // ns2.spamhaus.org
>>         192.150.94.200; // ns3.spamhaus.org
>>         195.169.124.71; // ns3.surfnet.nl
>>     };
>> };
>> --
>
> Much simpler to just turn off forwarding for that zone. Bind can figure it out itself without you having to update manually.
>
> zone spamhaus.org in {
>     type forward;
>     forwarders {};
> };

That is right. I just wanted to be extra verbose. You remember the time when spamhaus.org got removed from some big DNS servers because of some obscure juristic thing going against them in the states? Well, way back then one of the ways to still use spamhaus.org was to directly hardwire those forwarders into the zone definition. Of course omitting those forwarders inside the zone definition will force BIND to figure out the name servers of the domain and use those.

Just yesterday I had one user on a mailing list that is hosted on SourceForge and where I have admin rights complaining that he could not send mail to the list. He was claiming that he had subscribed weeks ago and that out of the blue he was not able to send mails to the list. He was able, but he needs to subscribe in order to be able to post. Anyway... to make the story short: He got removed by mailman after a bunch of NDRs. Looking at his name servers showed a (in my viewpoint catastrophic) mess. This is a part of the mail text from me to him:
=
I see as well that your domain is on the DNS level not set up correctly. Maybe on purpose? If I query the NS entries of your domain from my infrastructure then I get (I masked his domain with XxXxX):
---
theia ~ # dig +short in ns XxXxXxX.com
ns1.setupsite.com.
ns5.eapps.com.
ns1.eapps.com.
ns2.eapps.com.
ns6.eapps.com.
theia ~ #
---
Doing the same from a cable provider in Switzerland I get:
---
netbox ~ # dig +short in ns XxXxXxX.com
ns1.setupsite.com.
ns2.setupsite.com.
netbox ~ #
---
Doing the same from a hoster in Germany I get:
---
janosch ~ # dig +short in ns XxXxXxX.com
ns2.setupsite.com.
ns1.setupsite.com.
ns1.eapps.com.
janosch ~ #
---
Even their serial is not in sync (from my system):
---
theia ~ # dig +short in ns XxXxXxX.com|sed s:\.$::|while read foo;do echo ${foo}: $(dig @${foo} +short in soa XxXxXxX.com);done
ns6.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
ns1.setupsite.com: ns1.setupsite.com. admin.setupsite.com. 2007010130 3600 600 1209600 3600
ns2.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101 7200 3600 604800 3600
ns1.eapps.com: ns1.eapps.com. root.cp.eapps.com. 2009050101
DNS RBL error
Greetings
i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?

Apr 19 08:21:48 mail2 postfix/smtpd[21485]: warning: 130.60.141.41.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=130.60.141.41.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:49 mail2 postfix/smtpd[21433]: warning: 70.195.122.178.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=70.195.122.178.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21427]: warning: 26.125.83.80.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=26.125.83.80.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21324]: warning: 163.152.43.91.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=163.152.43.91.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:51 mail2 postfix/smtpd[21397]: warning: 23.118.201.117.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=23.118.201.117.zen.spamhaus.org type=A: Host not found, try again

postconf -n | grep zen
maps_rbl_domains = zen.spamhaus.org,bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, hash:/etc/postfix/smtpdreject reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net permit
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access check_sender_mx_access cidr:/etc/postfix/reject_private_mx.cidr warn_if_reject reject_unknown_client, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname,reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unauth_pipelining, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit

abuseat.org is working fine. I'm only having trouble with zen.

Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; from=du...@beth.k12.pa.us to=du...@beth.k12.pa.us proto=ESMTP helo=[117.201.69.50]

any ideas?
-jeff
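An added example, not from the thread: a Python parser for smtpd lines like the ones above. It recovers the RBL zone and the client address from the reversed-octet query name and counts lookup errors against actual rejects per zone, so a list whose lookups fail (zen here) stands out next to one that still rejects (cbl.abuseat.org). The log lines embedded below are constructed, modelled on the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log in the shape of the smtpd warnings quoted in the
# thread; timestamps, PIDs and client addresses are made up for the example.
SAMPLE_LOG = """\
Apr 19 08:21:48 mail2 postfix/smtpd[21485]: warning: 130.60.141.41.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=130.60.141.41.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:49 mail2 postfix/smtpd[21433]: warning: 70.195.122.178.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=70.195.122.178.zen.spamhaus.org type=A: Host not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21427]: warning: 26.125.83.80.bl.spamcop.net: RBL lookup error: Host or domain name not found. Name service error for name=26.125.83.80.bl.spamcop.net type=A: Host not found, try again
Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; from=<x> to=<y> proto=ESMTP helo=<[117.201.69.50]>
"""

# "warning: <reversed-ip>.<zone>: RBL lookup error: <reason>"
RBL_WARNING = re.compile(
    r"postfix/smtpd\[\d+\]: warning: "
    r"(?P<rev>\d{1,3}(?:\.\d{1,3}){3})\.(?P<zone>[^\s:]+): RBL lookup error: "
    r"(?P<reason>.*)$"
)
# "Client host [<ip>] blocked using <zone>"
RBL_REJECT = re.compile(
    r"Client host \[(?P<ip>[^\]]+)\] blocked using (?P<zone>[^;\s]+)"
)


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone.

    This is the name Postfix looks up for reject_rbl_client; the Spamhaus
    test address 127.0.0.2 becomes 2.0.0.127.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def client_ip_from_query(rev: str) -> str:
    """Undo the reversal: recover the client address from the query prefix."""
    return ".".join(reversed(rev.split(".")))


def parse_rbl_events(log_text: str) -> list:
    """One dict per RBL-related smtpd line: lookup errors and rejects."""
    events = []
    for line in log_text.splitlines():
        m = RBL_WARNING.search(line)
        if m:
            events.append({
                "kind": "error",
                "zone": m.group("zone"),
                "client": client_ip_from_query(m.group("rev")),
                # "try again" is the resolver reporting a temporary failure
                # (timeout / SERVFAIL / REFUSED upstream), not "not listed".
                "temporary": m.group("reason").rstrip().endswith("try again"),
            })
            continue
        m = RBL_REJECT.search(line)
        if m:
            events.append({"kind": "reject", "zone": m.group("zone"),
                           "client": m.group("ip"), "temporary": False})
    return events


def zone_health(log_text: str) -> dict:
    """Per zone, how many lookups errored and how many produced a reject.

    A zone with only errors is the one whose resolution path needs checking;
    a zone that still rejects shows the resolver as such is alive."""
    health = {}
    for ev in parse_rbl_events(log_text):
        counts = health.setdefault(ev["zone"], Counter())
        counts[ev["kind"]] += 1
    return {zone: dict(c) for zone, c in health.items()}


if __name__ == "__main__":
    for zone, counts in zone_health(SAMPLE_LOG).items():
        print("%-20s %s" % (zone, counts))
```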
Re: DNS RBL error
* donovan jeffrey j <dono...@beth.k12.pa.us>:
> Greetings i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?

You might have been blocked because you exceeded the limits for free usage.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>> Greetings i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?
>
> You might have been blocked because you exceeded the limits for free usage.

i did not know there was such a thing. I may be having some type of dns issue with zen. My local dns server does not resolve zen, but google public dns does. i found this

ins2:~ root# nslookup zen.spamhaus.org
Server:         207.172.3.20
Address:        207.172.3.20#53

** server can't find zen.spamhaus.org: REFUSED

ins2:~ root# nslookup zen.spamhaus.com
Server:         10.135.1.2
Address:        10.135.1.2#53

Non-authoritative answer:
Name:   zen.spamhaus.com
Address: 208.87.33.151

I certainly do not want to exceed any limits, how do i avoid that?
-jeff
Re: DNS RBL error
* donovan jeffrey j <dono...@beth.k12.pa.us>:
> I certainly do not want to exceed any limits, how do i avoid that?

Well, how big is your server?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
On Mon, 19 Apr 2010 08:53:03 -0400 donovan jeffrey j <dono...@beth.k12.pa.us> wrote:
> On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>> Greetings i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?
>>
>> You might have been blocked because you exceeded the limits for free usage.
>
> i did not know there was such a thing. I may be having some type of dns issue with zen. My local dns server does not resolve zen, but google public dns does. i found this

http://www.spamhaus.org/organization/dnsblusage.html

--
John
Re: DNS RBL error
On Apr 19, 2010, at 8:54 AM, Ralf Hildebrandt wrote:
> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>> I certainly do not want to exceed any limits, how do i avoid that?
>
> Well, how big is your server?

oh it's about this high - - - j/k

this system in question picks up mail (primary MX) for about 2000 users.
-j
Re: DNS RBL error
* donovan jeffrey j <dono...@beth.k12.pa.us>:
> this system in question picks up mail (primary MX) for about 2000 users.

This should well be within the limits. We're exceeding the limit at about 30k users. Maybe you're using your ISP's DNS forwarder?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
On Apr 19, 2010, at 8:58 AM, John Peach wrote:
> On Mon, 19 Apr 2010 08:53:03 -0400 donovan jeffrey j <dono...@beth.k12.pa.us> wrote:
>> On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
>>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>>> Greetings i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?
>>>
>>> You might have been blocked because you exceeded the limits for free usage.
>>
>> i did not know there was such a thing. I may be having some type of dns issue with zen. My local dns server does not resolve zen, but google public dns does. i found this
>
> http://www.spamhaus.org/organization/dnsblusage.html
>
> --
> John

thanks John,

okay,.. 100,000 smtp a day or 300,000 queries,... i have no idea if i reach either of these. ::sigh:: I've been running this for years.
-j
Re: DNS RBL error
On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>> this system in question picks up mail (primary MX) for about 2000 users.
>
> This should well be within the limits. We're exceeding the limit at about 30k users. Maybe you're using your ISP's DNS forwarder?

I'm not sure i understand. I know my isp pulls zone files from me, and runs a secondary dns server.
-j
Re: DNS RBL error
* donovan jeffrey j <dono...@beth.k12.pa.us>:
> On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>> this system in question picks up mail (primary MX) for about 2000 users.
>>
>> This should well be within the limits. We're exceeding the limit at about 30k users. Maybe you're using your ISP's DNS forwarder?
>
> I'm not sure i understand. I know my isp pulls zone files from me, and runs a secondary dns server.

Show your /etc/resolv.conf

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
On Mon, 19 Apr 2010 09:09:38 -0400 donovan jeffrey j <dono...@beth.k12.pa.us> wrote:
> On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>> this system in question picks up mail (primary MX) for about 2000 users.
>>
>> This should well be within the limits. We're exceeding the limit at about 30k users. Maybe you're using your ISP's DNS forwarder?
>
> I'm not sure i understand. I know my isp pulls zone files from me, and runs a secondary dns server.
> -j

Your nslookup shows you using 207.172.3.20 as a nameserver:

20.3.172.207.in-addr.arpa name = auth1.dns.rcn.net

Your ISP's nameserver. You need to run your own, so that you query spamhaus directly. They are counting all the hits from RCN.

--
John
Re: DNS RBL error
On Apr 19, 2010, at 9:15 AM, Ralf Hildebrandt wrote:
> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>> On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
>>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>>> this system in question picks up mail (primary MX) for about 2000 users.
>>>
>>> This should well be within the limits. We're exceeding the limit at about 30k users. Maybe you're using your ISP's DNS forwarder?
>>
>> I'm not sure i understand. I know my isp pulls zone files from me, and runs a secondary dns server.
>
> Show your /etc/resolv.conf

ins2:~ root# cat /etc/resolv.conf
search beth.k12.pa.us
nameserver 10.135.1.2
nameserver 209.96.96.2
nameserver 207.172.3.20

ins2:~ root# nslookup zen.spamhaus.org
Server:         207.172.3.20
Address:        207.172.3.20#53

** server can't find zen.spamhaus.org: REFUSED

okay,.. I'll have to check this. to make sure my queries to zen are directly from my mail system. does that sound right?
-j
Re: DNS RBL error
* John Peach <post...@johnpeach.com>:
> Your nslookup shows you using 207.172.3.20 as a nameserver:
>
> 20.3.172.207.in-addr.arpa name = auth1.dns.rcn.net
>
> Your ISP's nameserver. You need to run your own, so that you query spamhaus directly. They are counting all the hits from RCN.

apt-get install pdns-recursor

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
* donovan jeffrey j <dono...@beth.k12.pa.us>:
> ins2:~ root# cat /etc/resolv.conf
> search beth.k12.pa.us
> nameserver 10.135.1.2
> nameserver 209.96.96.2
> nameserver 207.172.3.20
>
> ins2:~ root# nslookup zen.spamhaus.org
> Server:         207.172.3.20
> Address:        207.172.3.20#53
>
> ** server can't find zen.spamhaus.org: REFUSED
>
> okay,.. I'll have to check this. to make sure my queries to zen are directly from my mail system. does that sound right?

Yes. Install a local caching DNS which directly queries the internet ...

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: DNS RBL error
On 19 Apr 2010, at 14:53, donovan jeffrey j wrote:
> On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
>> * donovan jeffrey j <dono...@beth.k12.pa.us>:
>>> Greetings i have been seeing tons of errors coming from spamhaus, it seems it's not resolving. at least for me. is anyone else having any problems?
>>
>> You might have been blocked because you exceeded the limits for free usage.
>
> i did not know there was such a thing. I may be having some type of dns issue with zen. My local dns server does not resolve zen

Note that ZEN is an NS zone, not a host. You can not resolve ZEN to a host/IP.
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#122

You should however be able to resolve the test address: 2.0.0.127.zen.spamhaus.org

If you can't resolve the test address, it may be that the DNS server you are using has exceeded Spamhaus's free usage limit. In that case, running your own NS resolver will normally solve that (unless your actual mail traffic is higher than the free use limits).

> but google public dns does.

Google public DNS is probably giving you a custom (bad) answer in place of 'host not found'.

> ins2:~ root# nslookup zen.spamhaus.com
> Non-authoritative answer:
> Name:   zen.spamhaus.com
> Address: 208.87.33.151

spamhaus.com != spamhaus.org. The domain squatter who operates spamhaus.com has a wildcard pointing *.spamhaus.com at his adverts server. (spamhaus.com was registered by a spammer some years ago to joe us, it was then grabbed by a domain squatter)

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Re: DNS RBL error
On Mon, Apr 19, 2010 at 08:31:19AM -0400, donovan jeffrey j wrote:
> abuseat.org is working fine. I'm only having trouble with zen.
>
> Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; from=du...@beth.k12.pa.us to=du...@beth.k12.pa.us proto=ESMTP

Whilst it appears that the DNS problem has been sorted, I'm going to suggest a different approach to this one.

> helo=[117.201.69.50]
>
> any ideas ?

The bracketed IP address is a valid HELO, commonly seen from your authenticating clients. There is no reason why a real MTA should be using such a HELO. I block these with a pcre: map.

!/[[:alpha:]]/ 502 5.5.4 We find that all-numeric EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.
!/\./ 502 5.5.4 We find that non-qualified EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.

This would fall under the first condition, a helo which contains no alpha characters. The second condition is my own reimplementation of Postfix's built-in reject_non_fqdn_helo_hostname restriction.

Obviously these MUST NOT be applied to authenticating users, same as with Zen. Precede this lookup with your permit_* restrictions for relaying users (and move submission off of port 25, if applicable.)

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
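As an added illustration (not part of rob0's post), a Python model of how Postfix evaluates such a pcre: table: first matching rule wins, a leading `!` negates the pattern, and matching is case-insensitive unless the `i` flag is given. It is run over a few constructed HELO values including the bracketed address from the log. The `check_helo` wrapper and its `authenticated` flag are assumptions standing in for the permit_* restrictions that must come before the lookup.

```python
import re

# The two rules from the post, as they would appear in the pcre: map file.
HELO_PCRE_TABLE = r"""
!/[[:alpha:]]/ 502 5.5.4 We find that all-numeric EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.
!/\./ 502 5.5.4 We find that non-qualified EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.
"""

# Python's re has no POSIX bracket expressions, which PCRE accepts; translate
# the common ones so the table can be used unchanged.
POSIX_CLASSES = {
    "[:alpha:]": "A-Za-z",
    "[:digit:]": "0-9",
    "[:alnum:]": "A-Za-z0-9",
    "[:space:]": r"\s",
}

# "!/pattern/flags action" -- the pattern runs to the first unescaped slash.
TABLE_LINE = re.compile(
    r"^(?P<neg>!?)/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.*)$"
)


def parse_pcre_table(text: str) -> list:
    """Parse a pcre: table into (negated, compiled regex, action) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("unparseable pcre table line: %r" % line)
        pat = m.group("pat")
        for posix, py in POSIX_CLASSES.items():
            pat = pat.replace(posix, py)
        # Postfix matches case-insensitively by default; the "i" flag toggles
        # that off (pcre_table(5)).
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((m.group("neg") == "!", re.compile(pat, flags), m.group("action")))
    return rules


def lookup(rules: list, key: str):
    """Postfix lookup-table semantics: first rule that matches wins.

    For a negated rule the rule "matches" when the regex does NOT match.
    Returns the action text, or None when no rule applies."""
    for negated, rx, action in rules:
        if bool(rx.search(key)) != negated:
            return action
    return None


def check_helo(rules: list, helo: str, authenticated: bool = False):
    """Assumed wrapper: authenticated clients are permitted before the table
    is consulted, as the post requires; others get the table's verdict."""
    if authenticated:
        return None
    return lookup(rules, helo)


if __name__ == "__main__":
    table = parse_pcre_table(HELO_PCRE_TABLE)
    # Constructed HELO values: the one from the thread, a bare label, a FQDN.
    for helo in ("[117.201.69.50]", "mail", "mail.example.com"):
        print("%-20s -> %s" % (helo, check_helo(table, helo)))
```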
Re: DNS RBL error
On Apr 19, 2010, at 12:36 PM, /dev/rob0 wrote:
> On Mon, Apr 19, 2010 at 08:31:19AM -0400, donovan jeffrey j wrote:
>> abuseat.org is working fine. I'm only having trouble with zen.
>>
>> Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; from=du...@beth.k12.pa.us to=du...@beth.k12.pa.us proto=ESMTP
>
> Whilst it appears that the DNS problem has been sorted, I'm going to suggest a different approach to this one.
>
>> helo=[117.201.69.50]
>>
>> any ideas ?
>
> The bracketed IP address is a valid HELO, commonly seen from your authenticating clients. There is no reason why a real MTA should be using such a HELO. I block these with a pcre: map.
>
> !/[[:alpha:]]/ 502 5.5.4 We find that all-numeric EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.
> !/\./ 502 5.5.4 We find that non-qualified EHLO/HELO greetings are usually spam. If not, please ask your postmaster to correct the server's EHLO/HELO greeting.
>
> This would fall under the first condition, a helo which contains no alpha characters. The second condition is my own reimplementation of Postfix's built-in reject_non_fqdn_helo_hostname restriction.
>
> Obviously these MUST NOT be applied to authenticating users, same as with Zen. Precede this lookup with your permit_* restrictions for relaying users (and move submission off of port 25, if applicable.)
>
> --
> Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header

thanks rob, I will chew on this for weeks I'm sure. right now I'm trying to figure out why my dns server won't speak to spamhaus. -- oh wait., by the time i typed this email i got an authoritative answer;

dns:~ root# nslookup 2.0.0.127.zen.spamhaus.org
Server:         209.96.96.2
Address:        209.96.96.2#53

Non-authoritative answer:
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10

i removed the rbl from main.cf and kicked postfix. now dns can at least query. I don't know what was up with that. do i dare put it back now? some strange foo.
-j
Re: DNS RBL error
donovan jeffrey j:
> by the time i typed this email i got an authoritative answer;
>
> dns:~ root# nslookup 2.0.0.127.zen.spamhaus.org
> Server:         209.96.96.2
> Address:        209.96.96.2#53

You should do such tests as a non-root user. Postfix does not query the DNS as root.

Wietse
Re: DNS RBL error ::solved::
On Apr 19, 2010, at 12:58 PM, Wietse Venema wrote:
> donovan jeffrey j:
>> by the time i typed this email i got an authoritative answer;
>>
>> dns:~ root# nslookup 2.0.0.127.zen.spamhaus.org
>> Server:         209.96.96.2
>> Address:        209.96.96.2#53
>
> You should do such tests as a non-root user. Postfix does not query the DNS as root.
>
> Wietse

thank you, rbl seems to be working again. dns seemed to be stuck somewhere. snip from log:

blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=24.15.115.211;

a little time and a few kicks here and there. and voilà.

:~ foo# nslookup 2.0.0.127.zen.spamhaus.org
Server:         209.96.96.2
Address:        209.96.96.2#53

Non-authoritative answer:
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4

i don't think I did anything other than stop lookups for a bit. thanks for your assistance.
-j
Re: DNS RBL error ::solved::
On Mon, Apr 19, 2010 at 01:09:28PM -0400, donovan jeffrey j wrote:
> i don't think I did anything other than stop lookups for a bit. thanks for your assistance.

Give thanks to the LORD[1], perhaps. He works in mysterious ways, or so I hear. :)

[1] LinfORD

PS: Seriously. I doubt this is solved. Ensure that none of the nameservers on which your Postfix relies is using any upstream forwarders. Many OS distributors think that this is a good idea, but that's wrong; especially so in the case of a MTA querying Spamhaus lists.

A caching-only nameserver using BIND named(8) is very simple. The BIND 9 ARM chapter 3 has an example. This is something that might even work out-of-the-box, no named.conf(5) at all.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: DNS RBL error
Ralf Hildebrandt put forth on 4/19/2010 8:29 AM:
> * John Peach <post...@johnpeach.com>:
>> Your nslookup shows you using 207.172.3.20 as a nameserver:
>>
>> 20.3.172.207.in-addr.arpa name = auth1.dns.rcn.net
>>
>> Your ISP's nameserver. You need to run your own, so that you query spamhaus directly. They are counting all the hits from RCN.
>
> apt-get install pdns-recursor

A while back I was having issues with my ISP resolvers choking on certain sending domains, so I switched to Google public DNS, which fixed that issue but broke my Spamhaus lookups. I installed pdns-recursor on my Postfix MX (Debian Lenny) and it solved all the problems.

--
Stan
Re: DNS RBL error
On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
> Rather test with: 2.0.0.127.zen.spamhaus.org which should return:
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10

yes this is working now.

question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network. should i move this MX server outside and use its public address in the config? inbound mail gets checked and relayed to a content filter on another server.

mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16

or am i fine leaving it behind the NAT? to help fix the dns problem i want to run a cache only dns on the primary mx. Not sure i wanted that inside or outside. i'm leaning to outside. tips flames welcome
-j
Re: DNS RBL error
Original message
Date: Mon, 19 Apr 2010 21:03:51 -0400
From: donovan jeffrey j <dono...@beth.k12.pa.us>
To: Ralf Hildebrandt <ralf.hildebra...@charite.de>
CC: Postfix users <postfix-users@postfix.org>
Subject: Re: DNS RBL error

> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
>> Rather test with: 2.0.0.127.zen.spamhaus.org which should return:
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>
> yes this is working now. question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network. should i move this MX server outside and use its public address in the config? inbound mail gets checked and relayed to a content filter on another server.
>
> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>
> or am i fine leaving it behind the NAT? to help fix the dns problem i want to run a cache only dns on the primary mx. Not sure i wanted that inside or outside. i'm leaning to outside. tips flames welcome

You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP name servers then that caching will not necessarily help much if your ISP's NS are the problem. If this would be the case then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers.

Something like that here below might be helpful to you:
--
zone spamhaus.org in {
    type forward;
    allow-query { 127.0.0.1; };
    forwarders {
        82.94.216.239;  // ns8.spamhaus.org
        194.82.174.6;   // ns20.ja.net
        149.20.58.65;   // ns.dns-oarc.net
        194.109.9.101;  // ns3.xs4all.nl
        207.241.224.5;  // ns2.spamhaus.org
        192.150.94.200; // ns3.spamhaus.org
        195.169.124.71; // ns3.surfnet.nl
    };
};
--

Keep in mind that the NS list for spamhaus.org could change in the future. If that happens then you need to update that forwarders list from above.

Keep in mind that if you put that server out on the net you update the list of IPs allowed to query that zone by updating allow-query. Most likely you will not need to do anything because you are not authoritative for that domain/zone, but god only knows what else you will add to your named.conf, so limiting additionally inside the zone will not do any harm.

> -j

// Steve
Re: DNS RBL error
On Apr 19, 2010, at 9:22 PM, Steve wrote:
> You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP name servers then that caching will not necessarily help much if your ISP's NS are the problem.

thanks for the reply. this is where i get upside down. if i'm caching only on localhost 127.0.0.1, and I point my OS to use local dns, it will query root servers correct? but sitting on the inside behind a NATed ip, how then does it resolve internal hosts if I'm resolving from root servers? i guess i could pull secondary from internal dns server, but I do not want addresses to bleed over. sorry, i know not a postfix thread issue. just trying to make sure my requests are coming out correctly.
-j

> If this would be the case then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers.
>
> Something like that here below might be helpful to you:
> --
> zone spamhaus.org in {
>     type forward;
>     allow-query { 127.0.0.1; };
>     forwarders {
>         82.94.216.239;  // ns8.spamhaus.org
>         194.82.174.6;   // ns20.ja.net
>         149.20.58.65;   // ns.dns-oarc.net
>         194.109.9.101;  // ns3.xs4all.nl
>         207.241.224.5;  // ns2.spamhaus.org
>         192.150.94.200; // ns3.spamhaus.org
>         195.169.124.71; // ns3.surfnet.nl
>     };
> };
> --

i will keep this handy. i could have used this snippet this morning. :)

> Keep in mind that the NS list for spamhaus.org could change in the future. If that happens then you need to update that forwarders list from above.

as in most things these days. thanks.

> Keep in mind that if you put that server out on the net you update the list of IPs allowed to query that zone by updating allow-query. Most likely you will not need to do anything because you are not authoritative for that domain/zone, but god only knows what else you will add to your named.conf, so limiting additionally inside the zone will not do any harm.
Re: DNS RBL error
On 4/19/2010 8:22 PM, Steve wrote:
> Original message
> Date: Mon, 19 Apr 2010 21:03:51 -0400
> From: donovan jeffrey j <dono...@beth.k12.pa.us>
> To: Ralf Hildebrandt <ralf.hildebra...@charite.de>
> CC: Postfix users <postfix-users@postfix.org>
> Subject: Re: DNS RBL error
>
>> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
>>> Rather test with: 2.0.0.127.zen.spamhaus.org which should return:
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>>
>> yes this is working now. question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network. should i move this MX server outside and use its public address in the config? inbound mail gets checked and relayed to a content filter on another server.
>>
>> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>>
>> or am i fine leaving it behind the NAT? to help fix the dns problem i want to run a cache only dns on the primary mx. Not sure i wanted that inside or outside. i'm leaning to outside. tips flames welcome
>
> You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP name servers then that caching will not necessarily help much if your ISP's NS are the problem. If this would be the case then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers.
>
> Something like that here below might be helpful to you:
> --
> zone spamhaus.org in {
>     type forward;
>     allow-query { 127.0.0.1; };
>     forwarders {
>         82.94.216.239;  // ns8.spamhaus.org
>         194.82.174.6;   // ns20.ja.net
>         149.20.58.65;   // ns.dns-oarc.net
>         194.109.9.101;  // ns3.xs4all.nl
>         207.241.224.5;  // ns2.spamhaus.org
>         192.150.94.200; // ns3.spamhaus.org
>         195.169.124.71; // ns3.surfnet.nl
>     };
> };
> --

Much simpler to just turn off forwarding for that zone. Bind can figure it out itself without you having to update manually.

zone spamhaus.org in {
    type forward;
    forwarders {};
};

--
Noel Jones
Re: DNS RBL error
On 4/19/2010 8:03 PM, donovan jeffrey j wrote:
> question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network. should i move this MX server outside and use its public address in the config? inbound mail gets checked and relayed to a content filter on another server.
>
> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>
> or am i fine leaving it behind the NAT?

Postfix will work just dandy behind a NAT device, assuming a sane NAT configuration that allows postfix to log the real remote client IP and not the NAT device IP.

You should add your external IP to the proxy_interfaces parameter. Postfix uses that for loop detection and to accept mail to postmas...@[external.ip]
http://www.postfix.org/postconf.5.html#proxy_interfaces

# main.cf
proxy_interfaces = public.ip.address.here

--
Noel Jones