Re: smtpd_recipient_restrictions suddenly stopping mail
Bill Cole wrote:
> Noel Jones wrote, On 3/15/09 4:26 PM:
>> Sahil Tandon wrote:
>>> On Sun, 15 Mar 2009, Wietse Venema wrote:
>>>> Sahil Tandon:
>>>>> OpenDNS will not blindly redirect DNS queries that look like DNSBL
>>>>> requests. Notice the difference:
>>>>>
>>>>> % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
>>>>> 208.69.32.132
>>>>> % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
>>>>> %
>>>>
>>>> Note, this still breaks lookups of rfc-ignorant.org and other sites
>>>> that blacklist domain names instead of IP addresses.
>>>
>>> FWIW, OpenDNS appears to work with rfc-ignorant.org, but that's only
>>> because they know about it: http://www.opendns.com/support/article/33
>>>
>>>> If you must run an MX host, use a real DNS server.
>>>
>>> Agreed!
>>
>> If you sign up for a free account at OpenDNS you can turn off their
>> helpful typo-correction feature. Then OpenDNS works splendidly on an
>> MX. They do have a clue.
>
> No volume or quality of clues can trump the hard limit of the speed of
> light...
>
> The hardest problem with using someone else's DNS server (i.e. one many
> miles away across multiple router hops) for an MX host is that it will
> come with higher hard query latency (i.e. ultimately 'c' bound) and with
> less easily predicted higher latencies relative to a local cache that is
> dedicated to the MX host(s), which would have higher cache hit rates.

Your facts are correct, your conclusion is wrong.

But I'm done with this thread.

-- 
Noel Jones
Re: smtpd_recipient_restrictions suddenly stopping mail
Noel Jones wrote, On 3/15/09 4:26 PM:
> Sahil Tandon wrote:
>> On Sun, 15 Mar 2009, Wietse Venema wrote:
>>> Sahil Tandon:
>>>> OpenDNS will not blindly redirect DNS queries that look like DNSBL
>>>> requests. Notice the difference:
>>>>
>>>> % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
>>>> 208.69.32.132
>>>> % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
>>>> %
>>>
>>> Note, this still breaks lookups of rfc-ignorant.org and other sites
>>> that blacklist domain names instead of IP addresses.
>>
>> FWIW, OpenDNS appears to work with rfc-ignorant.org, but that's only
>> because they know about it: http://www.opendns.com/support/article/33
>>
>>> If you must run an MX host, use a real DNS server.
>>
>> Agreed!
>
> If you sign up for a free account at OpenDNS you can turn off their
> helpful typo-correction feature. Then OpenDNS works splendidly on an
> MX. They do have a clue.

No volume or quality of clues can trump the hard limit of the speed of
light...

The hardest problem with using someone else's DNS server (i.e. one many
miles away across multiple router hops) for an MX host is that it will
come with higher hard query latency (i.e. ultimately 'c' bound) and with
less easily predicted higher latencies relative to a local cache that is
dedicated to the MX host(s), which would have higher cache hit rates.
Re: smtpd_recipient_restrictions suddenly stopping mail
Sahil Tandon wrote:
> On Sun, 15 Mar 2009, Wietse Venema wrote:
>> Sahil Tandon:
>>> OpenDNS will not blindly redirect DNS queries that look like DNSBL
>>> requests. Notice the difference:
>>>
>>> % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
>>> 208.69.32.132
>>> % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
>>> %
>>
>> Note, this still breaks lookups of rfc-ignorant.org and other sites
>> that blacklist domain names instead of IP addresses.
>
> FWIW, OpenDNS appears to work with rfc-ignorant.org, but that's only
> because they know about it: http://www.opendns.com/support/article/33
>
>> If you must run an MX host, use a real DNS server.
>
> Agreed!

If you sign up for a free account at OpenDNS you can turn off their
helpful typo-correction feature. Then OpenDNS works splendidly on an MX.
They do have a clue.

-- 
Noel Jones
Re: smtpd_recipient_restrictions suddenly stopping mail
On Sun, 15 Mar 2009, Wietse Venema wrote:

> Sahil Tandon:
> > OpenDNS will not blindly redirect DNS queries that look like DNSBL
> > requests. Notice the difference:
> >
> > % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
> > 208.69.32.132
> > % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com
> > +short
> > %
>
> Note, this still breaks lookups of rfc-ignorant.org and other sites
> that blacklist domain names instead of IP addresses.

FWIW, OpenDNS appears to work with rfc-ignorant.org, but that's only
because they know about it: http://www.opendns.com/support/article/33

> If you must run an MX host, use a real DNS server.

Agreed!

-- 
Sahil Tandon
Re: smtpd_recipient_restrictions suddenly stopping mail
Sahil Tandon:
> OpenDNS will not blindly redirect DNS queries that look like DNSBL
> requests. Notice the difference:
>
> % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
> 208.69.32.132
> % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com
> +short
> %

Note, this still breaks lookups of rfc-ignorant.org and other sites
that blacklist domain names instead of IP addresses.

If you must run an MX host, use a real DNS server.

	Wietse
Re: smtpd_recipient_restrictions suddenly stopping mail
On Mar 15, 2009, at 11:27 AM, Damon Miller wrote:

>> We changed the server to use OpenDNS servers and all's well.
>>
>> Thanks again for the help.
>
> Be careful with OpenDNS: They return false positives, e.g.:
>
> > www.abcdefghijklmnop12345.com.
> Server:  resolver1.opendns.com
> Address:  208.67.222.222
>
> Non-authoritative answer:
> Name:    www.abcdefghijklmnop12345.com
> Address:  208.67.217.132
>
> This is intended to direct queries for non-existent URLs to OpenDNS's
> servers. I can't guarantee this will interfere with DNS blacklist
> operation, but it may. The blacklist relies on NXDOMAIN responses to
> indicate that a server is "safe". As a result, you may end up
> blacklisting every server on the Internet since OpenDNS will never
> indicate a lookup failure. Perhaps someone else can confirm this.

Noel already addressed this false concern:
http://marc.info/?l=postfix-users&m=123612736717968&w=2

OpenDNS will not blindly redirect DNS queries that look like DNSBL
requests. Notice the difference:

% dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
208.69.32.132
% dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
%

-- 
Sahil Tandon
RE: smtpd_recipient_restrictions suddenly stopping mail
> Thanks for that and the other responses.
>
> We indeed tracked it to DNS problems - in this case the onsite admin
> (who is a Windows only type) had set up a Smoothwall router and we were
> using it as our DNS server. It seems to have been responding with bad
> data.
>
> We changed the server to use OpenDNS servers and all's well.
>
> Thanks again for the help.
>
> Kevin

Be careful with OpenDNS: They return false positives, e.g.:

> www.abcdefghijklmnop12345.com.
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    www.abcdefghijklmnop12345.com
Address:  208.67.217.132

This is intended to direct queries for non-existent URLs to OpenDNS's
servers. I can't guarantee this will interfere with DNS blacklist
operation, but it may. The blacklist relies on NXDOMAIN responses to
indicate that a server is "safe". As a result, you may end up
blacklisting every server on the Internet since OpenDNS will never
indicate a lookup failure. Perhaps someone else can confirm this.

Damon
Re: smtpd_recipient_restrictions suddenly stopping mail
Sahil Tandon wrote:
> On Mar 3, 2009, at 1:14 PM, Kevin Bailey wrote:
>
>> Hiya,
>>
>> We have had this setting on a mail server for a long time.
>>
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated
>>     reject_non_fqdn_recipient
>>     reject_non_fqdn_sender
>>     reject_unknown_sender_domain
>>     reject_unknown_recipient_domain
>>     permit_mynetworks
>>     reject_unauth_destination
>>     reject_multi_recipient_bounce
>>     reject_non_fqdn_hostname
>>     reject_invalid_hostname
>>     reject_rbl_client bl.spamcop.net
>>     reject_rbl_client sbl.spamhaus.org
>>     reject_rhsbl_sender dsn.rfc-ignorant.org
>>     check_policy_service inet:127.0.0.1:6
>>     permit
>>
>> Today, about 80% of emails started getting bounced back with:
>>
>> Action: failed
>> Status: 5.7.1
>> Remote-MTA: dns; mail.psctraining.co.uk
>> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>>     [80.177.179.85] blocked using bl.spamcop.net
>>
>> So we commented out the spamcop line... then we got
>>
>> Action: failed
>> Status: 5.7.1
>> Remote-MTA: dns; mail.psctraining.co.uk
>> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>>     [80.177.179.85] blocked using sbl.spamhaus.org
>>
>> So we commented out the spamhaus line... then we got
>>
>> : host mail.psctraining.co.uk[217.45.142.233] said: 554 5.7.1 Service
>>     unavailable; Sender address [kbai...@freewayprojects.com] blocked
>>     using dsn.rfc-ignorant.org (in reply to RCPT TO command)
>>
>> Then we commented out the rfc-ignorant.org line and the mail is
>> getting through. So the restrictions line now looks like:
>>
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated
>>     reject_non_fqdn_recipient
>>     reject_non_fqdn_sender
>>     reject_unknown_sender_domain
>>     reject_unknown_recipient_domain
>>     permit_mynetworks
>>     reject_unauth_destination
>>     reject_multi_recipient_bounce
>>     reject_non_fqdn_hostname
>>     reject_invalid_hostname
>> #   nstone - 03/03/2009
>> #   commented to bypass the blacklists
>> #   reject_rbl_client bl.spamcop.net
>> #   reject_rbl_client sbl.spamhaus.org
>> #   reject_rhsbl_sender dsn.rfc-ignorant.org
>>     check_policy_service inet:127.0.0.1:6
>>     permit
>>
>> OK. We don't have full access to the routers etc.
>>
>> We also can no longer access the web interface for their router which
>> is on ports 81 and 445. My feeling is that something has changed with
>> their firewall or traffic.
>>
>> Now, if Postfix can not connect to bl.spamcop.net would it reject the
>> mail by default?
>>
>> Also, to test this connection - what port does Postfix try to connect
>> to bl.spamcop.net on? - we could then try telnet to test the
>> connection.
>>
>> Also, what port(s) does bl.spamcop.net connect back on?
>
> The RBLs are queried via DNS; you don't 'connect' or 'telnet' to them
> in the conventional sense. I suspect something has gone awry with your
> DNS resolver.

Thanks for that and the other responses.

We indeed tracked it to DNS problems - in this case the onsite admin
(who is a Windows only type) had set up a Smoothwall router and we were
using it as our DNS server. It seems to have been responding with bad
data.

We changed the server to use OpenDNS servers and all's well.

Thanks again for the help.

Kevin
Re: smtpd_recipient_restrictions suddenly stopping mail
On 3/3/2009 7:18 PM, LuKreme wrote:
>> opendns works very well, as long as you disable the helper crap,
>> so, no, has nothing to do with opendns.

> Since one of the features of OpenDNS is the so-called helper crap,
> and is enabled by default, this can easily be a problem.

For the clueless maybe, but any competent admin should do their
homework, and this issue with opendns is easily discoverable...

We have been using it for over 2 years with zero problems...
Re: smtpd_recipient_restrictions suddenly stopping mail
> --- Original Message ---
> From: LuKreme
> To: "postfix-users@postfix.org"
> Sent: 03-Mar-09, 18:18:15
> Subject: Re: smtpd_recipient_restrictions suddenly stopping mail
>
> On Mar 3, 2009, at 15:21, Charles Marcus wrote:
>
>> On 3/3/2009 2:17 PM, LuKreme wrote:
>>>> host -t a 27a28250f4b7c74acc01d042687e2273.com
>>
>>> Perhaps they are using OpenDNS?
>>
>> opendns works very well, as long as you disable the helper crap, so,
>> no, has nothing to do with opendns.
>
> Since one of the features of OpenDNS is the so-called helper crap, and
> is enabled by default, this can easily be a problem.

No, OpenDNS actually has a clue. They automatically disable the helper
crap for all RBLs they know about, which includes all the ones
frequently mentioned on this list. The OP's problem is some other
less-clueful service.

-- 
Noel Jones
Re: smtpd_recipient_restrictions suddenly stopping mail
On Mar 3, 2009, at 15:21, Charles Marcus wrote:
> On 3/3/2009 2:17 PM, LuKreme wrote:
>>> host -t a 27a28250f4b7c74acc01d042687e2273.com
>
>> Perhaps they are using OpenDNS?
>
> opendns works very well, as long as you disable the helper crap, so,
> no, has nothing to do with opendns.

Since one of the features of OpenDNS is the so-called helper crap, and
is enabled by default, this can easily be a problem.
Re: smtpd_recipient_restrictions suddenly stopping mail
> --- Original Message ---
> From: Charles Marcus
> To: LuKreme
> Sent: 03-Mar-09, 16:21:07
> Subject: Re: smtpd_recipient_restrictions suddenly stopping mail
>
> On 3/3/2009 2:17 PM, LuKreme wrote:
>>> host -t a 27a28250f4b7c74acc01d042687e2273.com
>
>> Perhaps they are using OpenDNS?
>
> opendns works very well, as long as you disable the helper crap, so,
> no, has nothing to do with opendns.
>

OpenDNS is smart enough that they will not return false results for
RBLs, even with default settings. You still need to disable their "typo
correction" feature to detect unknown domains, but RBLs work regardless
of this setting.

-- 
Noel Jones
Re: smtpd_recipient_restrictions suddenly stopping mail
On 3/3/2009 2:17 PM, LuKreme wrote:
>> host -t a 27a28250f4b7c74acc01d042687e2273.com

> Perhaps they are using OpenDNS?

opendns works very well, as long as you disable the helper crap, so, no,
has nothing to do with opendns.
Re: smtpd_recipient_restrictions suddenly stopping mail
On 3-Mar-2009, at 11:48, Wietse Venema wrote:
> host -t a 27a28250f4b7c74acc01d042687e2273.com

Perhaps they are using OpenDNS?

-- 
Hamburgers. The cornerstone of any nutritious breakfast.
Re: smtpd_recipient_restrictions suddenly stopping mail
On Tue March 3 2009 12:48:59 Wietse Venema wrote:
> Kevin Bailey:
> > Today, about 80% of emails started getting bounced back with:
> > So we commented out the spamcop line... then we got
> > So we commented out the spamhaus line... then we got
> > Then we commented out the rfc-ignorant.org line and the mail is
> > getting through. So the restrictions line now looks like:
>
> Looks like your DNS service is making up replies for names that
> don't exist.
>
> This is easily verified.
>
> $ host -t a 27a28250f4b7c74acc01d042687e2273.com
> $ host -t a 27a28250f4b7c74acc01d042687e2273.org
> $ host -t a 27a28250f4b7c74acc01d042687e2273.net

0.0.0.0.zen.spamhaus.org. 150 IN A 205.234.170.218

(as seen at http://pastebin.ca/1352096 )

http://205.234.170.218/ appears to be affiliated with this outfit:
http://www.dnsmadeeasy.com/

People who don't understand how DNS works, and yet think they can
charge money for a DNS service ...

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
Re: smtpd_recipient_restrictions suddenly stopping mail
Kevin Bailey:
> Today, about 80% of emails started getting bounced back with:
> So we commented out the spamcop line... then we got
> So we commented out the spamhaus line... then we got
> Then we commented out the rfc-ignorant.org line and the mail is getting
> through. So the restrictions line now looks like:

Looks like your DNS service is making up replies for names that
don't exist.

This is easily verified.

$ host -t a 27a28250f4b7c74acc01d042687e2273.com
$ host -t a 27a28250f4b7c74acc01d042687e2273.org
$ host -t a 27a28250f4b7c74acc01d042687e2273.net

	Wietse
Re: smtpd_recipient_restrictions suddenly stopping mail
On Mar 3, 2009, at 1:14 PM, Kevin Bailey wrote:

> Hiya,
>
> We have had this setting on a mail server for a long time.
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     reject_unauth_destination
>     reject_multi_recipient_bounce
>     reject_non_fqdn_hostname
>     reject_invalid_hostname
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client sbl.spamhaus.org
>     reject_rhsbl_sender dsn.rfc-ignorant.org
>     check_policy_service inet:127.0.0.1:6
>     permit
>
> Today, about 80% of emails started getting bounced back with:
>
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mail.psctraining.co.uk
> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>     [80.177.179.85] blocked using bl.spamcop.net
>
> So we commented out the spamcop line... then we got
>
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mail.psctraining.co.uk
> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>     [80.177.179.85] blocked using sbl.spamhaus.org
>
> So we commented out the spamhaus line... then we got
>
> : host mail.psctraining.co.uk[217.45.142.233] said: 554 5.7.1 Service
>     unavailable; Sender address [kbai...@freewayprojects.com] blocked
>     using dsn.rfc-ignorant.org (in reply to RCPT TO command)
>
> Then we commented out the rfc-ignorant.org line and the mail is
> getting through. So the restrictions line now looks like:
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     reject_unauth_destination
>     reject_multi_recipient_bounce
>     reject_non_fqdn_hostname
>     reject_invalid_hostname
> #   nstone - 03/03/2009
> #   commented to bypass the blacklists
> #   reject_rbl_client bl.spamcop.net
> #   reject_rbl_client sbl.spamhaus.org
> #   reject_rhsbl_sender dsn.rfc-ignorant.org
>     check_policy_service inet:127.0.0.1:6
>     permit
>
> OK. We don't have full access to the routers etc.
>
> We also can no longer access the web interface for their router which
> is on ports 81 and 445. My feeling is that something has changed with
> their firewall or traffic.
>
> Now, if Postfix can not connect to bl.spamcop.net would it reject the
> mail by default?
>
> Also, to test this connection - what port does Postfix try to connect
> to bl.spamcop.net on? - we could then try telnet to test the
> connection.
>
> Also, what port(s) does bl.spamcop.net connect back on?

The RBLs are queried via DNS; you don't 'connect' or 'telnet' to them in
the conventional sense. I suspect something has gone awry with your DNS
resolver.
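Editor's added example (not code from anyone in this thread) tying together Sahil's point that RBLs are plain DNS lookups, Wietse's random-name test, and rob0's forged 205.234.170.218 answer: it builds the names Postfix queries for reject_rbl_client and reject_rhsbl_sender, probes a resolver for made-up replies, and refuses to treat an answer outside 127.0.0.0/8 as a listing. The two resolver callbacks are constructed stand-ins, so nothing touches the network.

```python
import ipaddress
import secrets

# Sentinel meaning the resolver returned NXDOMAIN (the name does not exist).
NXDOMAIN = None
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Name Postfix looks up for reject_rbl_client: the client's IPv4
    octets in reverse order, then the DNSBL zone (e.g. bl.spamcop.net)."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rhsbl_query_name(sender, zone):
    """Name looked up for reject_rhsbl_sender: the sender's domain part
    followed by the RHSBL zone (e.g. dsn.rfc-ignorant.org)."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    return domain + "." + zone


def canary_name(tld="com"):
    """A random label that cannot legitimately exist, the same idea as
    Wietse's 'host -t a 27a28250f4b7c74acc01d042687e2273.com' check."""
    return secrets.token_hex(16) + "." + tld


def resolver_forges_answers(lookup):
    """lookup(name) returns an A address string or NXDOMAIN. A resolver
    that hands back an address for a random name is making up replies,
    and every DNSBL query sent through it will look like a listing."""
    return any(lookup(canary_name(t)) is not NXDOMAIN for t in ("com", "org", "net"))


def dnsbl_verdict(answer):
    """Interpret the A record returned for a DNSBL query. Genuine lists
    answer listings only from 127.0.0.0/8; anything else is a forged or
    redirected reply and must not be treated as a listing."""
    if answer is NXDOMAIN:
        return "not listed"
    if ipaddress.IPv4Address(answer) in LOOPBACK_NET:
        return "listed"
    return "bogus"


def check_client(lookup, client_ip, zone):
    """What an MX should conclude about client_ip from zone via lookup."""
    return dnsbl_verdict(lookup(dnsbl_query_name(client_ip, zone)))


# Constructed stand-ins for the two resolver behaviours seen in the thread.
def honest_resolver(name):
    return NXDOMAIN  # a real DNS server: unknown names do not exist


def forging_resolver(name):
    return "205.234.170.218"  # the made-up answer quoted from the pastebin
```

Postfix itself treats any A record as a listing unless the restriction carries an address filter (reject_rbl_client with a `zone=d.d.d.d` suffix; see postconf(5) for the exact syntax), which is the configuration-side counterpart of the dnsbl_verdict check above.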