Re: temporary errors for DNS
On Thu, 16 Jul 2009 12:25:52 -0400 Victor Duchovni victor.ducho...@morganstanley.com wrote: On Wed, Jul 15, 2009 at 11:07:00PM +0200, mouss wrote: Well, a DNS NXDOMAIN error seems a good reason for discarding mail. even NXDOMAIN may be a temporary error that the admin can fix. This borders on sophistry. NXDOMAIN is not a transient error that results from failure to obtain the right answer. It is a correctly obtained, best available answer. ...unless the zone admin forgot to update the serial number, and the nameservers do not have identical copies of the zone. Although a bit of a stretch, this IS a case where a temporary reject on an NXDOMAIN could result in the message being accepted later with no user action. -- Ben Winslow winsl...@pa.net
Re: temporary errors for DNS
On Wed, Jul 15, 2009 at 11:07:00PM +0200, mouss wrote: Well, a DNS NXDOMAIN error seems a good reason for discarding mail. even NXDOMAIN may be a temporary error that the admin can fix. This borders on sophistry. NXDOMAIN is not a transient error that results from failure to obtain the right answer. It is a correctly obtained, best available answer. discarding mail is bad. reject is ok. No dispute with that. -- Viktor.
Re: temporary errors for DNS
On Tue, Jul 14, 2009 at 07:57:27PM -0400, John Peach wrote: On Tue, 14 Jul 2009 17:49:13 -0600 LuKreme krem...@kreme.com wrote: On 13-Jul-2009, at 16:24, Keld Jørn Simonsen wrote: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Why the devil would you want to discard mail based on a DNS error? DNS errors have a habit of being quite transient. The OP seems determined to shoot himself in the head, never mind the foot. Well, a DNS NXDOMAIN error seems a good reason for discarding mail. I am not so sure about the SERVFAIL error, so I would leave that for now. Thanks to everybody that helped solve my problems here. Best regards Keld
Re: temporary errors for DNS
Keld Jørn Simonsen wrote: On Tue, Jul 14, 2009 at 07:57:27PM -0400, John Peach wrote: On Tue, 14 Jul 2009 17:49:13 -0600 LuKreme krem...@kreme.com wrote: On 13-Jul-2009, at 16:24, Keld Jørn Simonsen wrote: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Why the devil would you want to discard mail based on a DNS error? DNS errors have a habit of being quite transient. The OP seems determined to shoot himself in the head, never mind the foot. Well, a DNS NXDOMAIN error seems a good reason for discarding mail. even NXDOMAIN may be a temporary error that the admin can fix. discarding mail is bad. reject is ok. (that said, I stopped using this check a long time ago, because I saw it defer mail from good senders, without much benefit (it didn't stop spam that wasn't blocked by other safer rules, or at worst by spamassassin)). note that the envelope sender may be wrong (misconfiguration) while the From: header is good, which means the sender is reachable. I am not so sure about the SERVFAIL error, so I would leave that for now. Thanks to everybody that helped solve my problems here. Best regards Keld
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 06:58:28PM -0400, Wietse Venema wrote: Keld Jørn Simonsen: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Postfix is only the messenger of the bad news. When the server responds, Postfix acts accordingly. When the server does not reply, Postfix assumes that this is a temporary error, because assuming otherwise would cause a lot of mail to fail. Yes, but there are two types of bad news: one is that we do not know if everything is fine, timeout, and the other that we positively know something is wrong. I understand that in both cases postfix gives a 450 code, and that there is no way in postfix to change this code. Is that so? Best regards keld
Re: temporary errors for DNS
Keld Jørn Simonsen: On Mon, Jul 13, 2009 at 06:58:28PM -0400, Wietse Venema wrote: Keld Jørn Simonsen: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Postfix is only the messenger of the bad news. When the server responds, Postfix acts accordingly. When the server does not reply, Postfix assumes that this is a temporary error, because assuming otherwise would cause a lot of mail to fail. Yes, but there are two types of bad news: one is that we do not know if everything is fine, timeout, and the other that we positively know something is wrong. I understand that in both cases postfix gives a 450 code, and that there is no way in postfix to change this code. Is that so? Some people are thick enough that they need everything spelled out. OK, here goes: 1) The server replies with good news. Postfix replies with good news. 2) The server replies with bad news. Postfix replies with 5xx. 3) No server reply. Postfix replies with 4xx. Is this finally clear? Wietse
Re: temporary errors for DNS
On Tue, Jul 14, 2009 at 06:37:30AM -0400, Wietse Venema wrote: Keld Jørn Simonsen: On Mon, Jul 13, 2009 at 06:58:28PM -0400, Wietse Venema wrote: Keld Jørn Simonsen: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Postfix is only the messenger of the bad news. When the server responds, Postfix acts accordingly. When the server does not reply, Postfix assumes that this is a temporary error, because assuming otherwise would cause a lot of mail to fail. Yes, but there are two types of bad news: one is that we do not know if everything is fine, timeout, and the other that we positively know something is wrong. I understand that in both cases postfix gives a 450 code, and that there is no way in postfix to change this code. Is that so? Some people are thick enough that they need everything spelled out. Oh, you mean me? No, I am bright, so that can't be:-) But I see that you did say that it reacts differently on timeouts and error codes. Still there is something that I do not understand, and which gives me problems, see below. OK, here goes: 1) The server replies with good news. Postfix replies with good news. 2) The server replies with bad news. Postfix replies with 5xx. 3) No server reply. Postfix replies with 4xx. Is this finally clear? Yes, thanks. But it seems that my postfix reacts differently on a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes. That is why I am so thick to not understand. From my previous post: Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address +rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk Jul 14 00:11:58 rap postfix/smtpd[1054]: + rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found here there is a 450 response to a name server error.
You said above: 2) The server replies with bad news. Postfix replies with 5xx. 5xx is not 450, so what is happening? And thanks for your patience with me. Best regards keld
Re: temporary errors for DNS
On 14/7/09 12:10, Keld Jørn Simonsen wrote: OK, here goes: 1) The server replies with good news. Postfix replies with good news. 2) The server replies with bad news. Postfix replies with 5xx. 3) No server reply. Postfix replies with 4xx. Is this finally clear? Yes, thanks. But it seems that my postfix reacts differently on a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes. That is why I am so thick to not understand. I think the distinction here is between a DNS server (what you're referring to) and an SMTP server (what Wietse is referring to). DNS server response failure implies no SMTP server reply, thus 4xx. seem reasonable? - Mark
Re: temporary errors for DNS
Wietse Venema: Keld Jørn Simonsen: OK, here goes: 1) The server replies with good news. Postfix replies with good news. 2) The server replies with bad news. Postfix replies with 5xx. 3) No server reply. Postfix replies with 4xx. Is this finally clear? Yes, thanks. But it seems that my postfix reacts differently on a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes. NXDOMAIN is an example of case 1). SERVFAIL (not SVRFAIL) is an example of case 3): the server is unable to provide an answer. It is not appropriate to treat all SERVFAIL results as if the domain is illegitimate. If you have a problem with particular DNS servers, use check_sender_ns_access, possibly in the form of a dynamically-updated blacklist, or suggest a reject_rbl_xxx feature that targets the DNS operator of the sender or client domain. Wietse
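The distinction drawn in this part of the thread (a negative answer from DNS gets the permanent code, while SERVFAIL or no reply at all gets 450), as an added Python example that is not part of the thread and is not Postfix source code. The function names, the constructed sample headers and the rule that any unresolved lookup outweighs a negative one are assumptions of this model.

```python
import struct

# DNS response codes (RFC 1035, section 4.1.1)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def make_response(rcode, ancount):
    """Build a constructed 12-byte DNS response header (sample input only)."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode  # QR=1, RD=1, RA=1, RCODE
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


def lookup_status(packet):
    """Classify one resolver result as 'found', 'notfound' or 'retry'.

    packet is the raw DNS response, or None when the resolver never replied.
    """
    if packet is None or len(packet) < 12:
        return "retry"  # timeout or truncated reply: nothing was learned
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        return "retry"  # QR bit clear: this is not a response
    rcode = flags & 0x000F
    if rcode == NOERROR:
        # An empty answer section means the name exists but has no such record.
        return "found" if ancount else "notfound"
    if rcode == NXDOMAIN:
        return "notfound"  # the name does not exist
    return "retry"  # SERVFAIL and every other RCODE: no usable answer


def smtp_reply(packets, unknown_address_reject_code=550):
    """Return the SMTP reply code for a sender-domain check, or None to accept.

    packets holds one resolver result per record type tried (e.g. MX, then A).
    """
    statuses = [lookup_status(p) for p in packets]
    if "found" in statuses:
        return None  # the domain resolves: accept
    if not statuses or "retry" in statuses:
        return 450  # at least one lookup is undecided: defer, never 5xx
    return unknown_address_reject_code  # every lookup was answered negatively


if __name__ == "__main__":
    cases = {
        "NXDOMAIN for MX and A": [make_response(NXDOMAIN, 0)] * 2,
        "SERVFAIL for MX and A": [make_response(SERVFAIL, 0)] * 2,
        "resolver timeout": [None, None],
        "no MX, one A record": [make_response(NOERROR, 0), make_response(NOERROR, 1)],
    }
    for label, packets in cases.items():
        print(f"{label}: {smtp_reply(packets)}")
```

Setting unknown_address_reject_code only changes the last branch, which is why the 450 replies in the logs quoted in this thread were unaffected by it.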
Re: temporary errors for DNS
On Tue, Jul 14, 2009 at 09:04:15AM -0400, Wietse Venema wrote: Wietse Venema: Keld Jørn Simonsen: OK, here goes: 1) The server replies with good news. Postfix replies with good news. 2) The server replies with bad news. Postfix replies with 5xx. 3) No server reply. Postfix replies with 4xx. Is this finally clear? Yes, thanks. But it seems that my postfix reacts differently on a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes. NXDOMAIN is an example of case 1). You mean case 2) ? SERVFAIL (not SVRFAIL) is an example of case 3): the server is unable to provide an answer. It is not appropriate to treat all SERVFAIL results as if the domain is illegitimate. OK, I see. Actually NXDOMAIN and SERVFAIL are the only two error statuses that DNS gives (according to some googling I just did), So I was misled by treating one DNS error in one way, and the only other DNS error in another way, when you said 2) The server replies with bad news. Postfix replies with 5xx.. The DNS server that is being queried does give an answer, namely SERVFAIL. But on the other hand that reflects an error in responding from the partners of the queried DNS server. Maybe this distinction could be clarified in TFM. I did have: unknown_address_reject_code = 550 in my main.cf (and I did do some RTFM before asking) but was not aware that SERVFAIL was considered a temporary DNS error. I would have thought that SERVFAIL was a permanent DNS error, at least it seems a bit more permanent than just a timeout. And in my case it is predominantly spam, but then more than 99 % of the mail handled by postfix here is spam. SERVFAIL means that there is data for the domain in the root servers, but that the servers giving authoritative answers do not answer. The latter may be due to timeouts, perhaps? Or it may be misconfiguration, or nonavailability. An aside: would it then be possible to ask for a non-authoritative answer and rely on that in postfix?
If you have a problem with particular DNS servers, use check_sender_ns_access, possibly in the form of a dynamically-updated blacklist, or suggest a reject_rbl_xxx feature that targets the DNS operator of the sender or client domain. Well, it is spam, so the servers would change all the time. A hand-coded setup is not feasible. I am not aware of dynamic blacklists for this, would there be a tutorial for handling this somewhere? Best regards keld
Re: temporary errors for DNS
Keld Jørn Simonsen: Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk Jul 14 00:11:58 rap postfix/smtpd[1054]: rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found Your DNS is still screwed up, that's why it can't find out that server30.reverya.com has an A record, and that is why Postfix receives a temporary error. Wietse
Re: temporary errors for DNS
Keld Jørn Simonsen wrote: On Tue, Jul 14, 2009 at 12:24:10AM +0200, Keld Jørn Simonsen wrote: Well, still problems, but of the more understandable type. Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk Jul 14 00:11:58 rap postfix/smtpd[1054]: rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found host server30.reverya.com gives: Host server30.reverya.com not found: 2(SERVFAIL) So this would probably never resolve, but fail with a 450 error. I would like to discard it. I had 3 mails like that earlier today, with a nonresolvable domain, and they will keep lying in my IMAP box till I do special things to delete them. Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? I did have in main.cf: unknown_address_reject_code = 550 Now I also have: reject_tempfail_action = discard Still postfix responds with a 450 to fetchmail: Jul 14 18:52:43 rap postfix/smtpd[17637]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected : Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk the client is 127.0.0.1, why do you reject/defer mail from localhost? are you using a transparent proxy in front of postfix? if not, you should not reject mail as it has already been accepted by your server. your only choice is to discard, quarantine or deliver. otherwise, you'll be a backscatter source. and if you had the real IP, you would have other means of blocking the junk. something is borked in your setup. I now have 6 of such email in my IMAP folder. can you show the headers? (feel free to hide private infos, but do so coherently).
I noticed another thing: another of my domain not found emails really times out. sys...@doremo.jp - And then I don't understand why this is not a SERVFAIL. This happens repeatedly. And access to the .jp domain should be readily available, and then the .jp root server should be able to tell if it did have any info in the second level domain. But then .jp has sectoral domains on the 2nd level, like ac.jp and or.jo. An arbitrary abdjd.jp yields a NXDOMAIN, The query times out after 30 secs. So in my humble eyes it seems like a DNS timeout is actually a timeout on the authoritative server, and that SERVFAIL is not a timeout, and it does not reflect a timeout at the authoritative server. Consequently it should be handled by the unknown_address_reject_code statement. nah. the domain is unknown if its DNS server SAYS that the domain does not exist. in this case, there is NO ERROR. If you ask me whether I have seen Joe in the crime scene, then yes is positive, no is negative, and anything else (such as me running away or shooting you with a gun) is neither positive nor negative. Hmm, also tried to do reject_tempfail_action = accept To get the mail thru, and hope that razor/spamassassin would kill them, eventually I would have had to delete it by hand. But still I get the 450 response code from postfix... Any ideas on how to get rid of the 450 code, or other actions?
Re: temporary errors for DNS
On Tue, Jul 14, 2009 at 01:55:39PM -0400, Wietse Venema wrote: Keld Jørn Simonsen: Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk Jul 14 00:11:58 rap postfix/smtpd[1054]: rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found Your DNS is still screwed up, that's why it can't find out that server30.reverya.com has an A record, and that is why Postfix receives a temporary error. I changed the nameserver and it resolved the problem. Thanks for your help! Best regards keld
Re: temporary errors for DNS
On 13-Jul-2009, at 16:24, Keld Jørn Simonsen wrote: Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter? Why the devil would you want to discard mail based on a DNS error? DNS errors have a habit of being quite transient. -- Lithium will no longer be available on credit
Re: temporary errors for DNS
On Mon, July 13, 2009 10:30, Keld Jørn Simonsen wrote: Hi I have a few problems with my changed postfix configuration, maybe somebody could help me? I am using fetchmail in cooperation with postfix, and I repeatedly get the following error: fetchmail: SMTP error: 450 4.1.8 onfnp...@ezbck.parteitv.com: Sender address rejected: Domain not found reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed http://moensted.dk/spam/?addr=ezbck.ParteiTv.comSubmit=Submit you got the email from a diff ip ? unknown domain is here sia.dkuug.dk so dig sia.dkuug.d A or dig sia.dkuug.dk MX it exists ? When I query my nameserver everything resolves fine. maybe wrong nameserver or bad config ? So that is one problem, why does postfix say Domain not found? because its not found in a A rr, or MX rr Another problem is the 450 response. I would like it to be 550. 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 this is imho full email as recipient that does not exists not just the recipient domain Can I change some response code for the temporary dns error so to check on the mail fails on this? better use mda in fetchmail if you get so much problems with postfix :) How could I best debug the communication between postfix and my named? rndc querylog see logs what happened now -- xpoint
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 11:10:18AM +0200, Benny Pedersen wrote: On Mon, July 13, 2009 10:30, Keld Jørn Simonsen wrote: Hi I have a few problems with my changed postfix configuration, maybe somebody could help me? I am using fetchmail in cooperation with postfix, and I repeatedly get the following error: fetchmail: SMTP error: 450 4.1.8 onfnp...@ezbck.parteitv.com: Sender address rejected: Domain not found reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed http://moensted.dk/spam/?addr=ezbck.ParteiTv.comSubmit=Submit Yes, it is spam. you got the email from a diff ip ? I am getting it via fetchmail from one of my mail servers, the one at sia.dkuug.dk unknown domain is here sia.dkuug.dk Why is it not ezbck.ParteiTv.com ? fetchmail reports: onfnp...@ezbck.parteitv.com: Sender address rejected: Domain not found so dig sia.dkuug.d A or dig sia.dkuug.dk MX it exists ? Yes, the A record exists (in the .dk domain, you missed the k there), but MX sia.dkuug.dk does not exist. Should it? There is a MX for dkuug.dk When I query my nameserver everything resolves fine. maybe wrong nameserver or bad config ? Hmm, I think postfix on my system uses the nameservers as recorded in /etc/resolv.conf? So it is the same nameserver set. So that is one problem, why does postfix say Domain not found? because its not found in a A rr, or MX rr The A RR of sia.dkuug.dk is found. I get most of my mail from that server. Another problem is the 450 response. I would like it to be 550. 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 this is imho full email as recipient that does not exists not just the recipient domain Can I change some response code for the temporary dns error so to check on the mail fails on this? better use mda in fetchmail if you get so much problems with postfix :) How could I best debug the communication between postfix and my named?
rndc querylog see logs what happened now my named log says: 13-Jul-2009 12:52:25.615 client 127.0.0.1#33692: query: mail.dkuug.dk IN A + 13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX + 13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX + 13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX + 13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX + 13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A + 13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A + 13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN + 13-Jul-2009 12:52:25.837 client 127.0.0.1#33692: query: ezbck.parteitv.com IN + So it finds both an A and an MX record for ezbck.ParteiTv.com - why does fetchmail/my postfix (SMTP) then say: onfnp...@ezbck.parteitv.com: Sender address rejected: Domain not found Best regards keld
Re: temporary errors for DNS
On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote: I am getting it via fetchmail snip If you are getting it through fetchmail, then the message has already been delivered... so you MUST NOT reject it later, *especially* if it is spam - unless of course you really *want* to end up blacklisted... -- Best regards, Charles
Re: temporary errors for DNS
Keld Jørn Simonsen: 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 unknown_address_reject_code is for permanent errors. In your case, the system library getnameinfo() returns a temporary error, therefore Postfix will reply with 450. Since you also can't look up the name for my own server 168.100.189.2, I suspect one or more of the following: - Incorrect system permissions of / /etc /etc/resolv.conf /etc/nsswitch.conf or the files and directories referenced by /etc/nsswitch.conf. Files must be world readable, and directories must have world read-execute permission. - Running Postfix chrooted without providing the necessary files in the chroot jail. Wietse
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote: Keld Jørn Simonsen: 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 unknown_address_reject_code is for permanent errors. In your case, the system library getnameinfo() returns a temporary error, therefore Postfix will reply with 450. Since you also can't look up the name for my own server 168.100.189.2, I suspect one or more of the following: - Incorrect system permissions of / /etc /etc/resolv.conf /etc/nsswitch.conf or the files and directories referenced by /etc/nsswitch.conf. Files must be world readable, and directories must have world read-execute permission. They look ok. And postfix does get answers from named. I receive all my mail via my local postfix, and I could not have done this email without postfix/named working - which it does most of the time. - Running Postfix chrooted without providing the necessary files in the chroot jail. Postfix is not chrooted. best regards keld
Re: temporary errors for DNS
Wietse Venema: Keld Jørn Simonsen: 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 unknown_address_reject_code is for permanent errors. In your case, the system library getnameinfo() returns a temporary error, therefore Postfix will reply with 450. Since you also can't look up the name for my own server 168.100.189.2, I suspect one or more of the following: - Incorrect system permissions of / /etc /etc/resolv.conf /etc/nsswitch.conf or the files and directories referenced by /etc/nsswitch.conf. Files must be world readable, and directories must have world read-execute permission. - Running Postfix chrooted without providing the necessary files in the chroot jail. For this one, see also: http://www.postfix.org/DEBUG_README.html#no_chroot Wietse
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote: On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote: I am getting it via fetchmail snip If you are getting it through fetchmail, then the message has already been delivered... so you MUST NOT reject it later, *especially* if it is spam - unless of course you really *want* to end up blacklisted... OK, I want to DISCARD it then. Is that possible? And why would I end up being blacklisted for rejecting spam, already received at one of my mailboxes? Best regards keld
Re: temporary errors for DNS
Keld Jørn Simonsen: On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote: Keld Jørn Simonsen: 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 unknown_address_reject_code is for permanent errors. In your case, the system library getnameinfo() returns a temporary error, therefore Postfix will reply with 450. Since you also can't look up the name for my own server 168.100.189.2, I suspect one or more of the following: - Incorrect system permissions of / /etc /etc/resolv.conf /etc/nsswitch.conf or the files and directories referenced by /etc/nsswitch.conf. Files must be world readable, and directories must have world read-execute permission. They look ok. If you are not willing to show the evidence, then we cannot help you find the mistake. And postfix does get answers from named. I receive all my mail via my local postfix, and I could not have done this email without postfix/named working - which it does most of the time. Postfix does not need named to RECEIVE email. - Running Postfix chrooted without providing the necessary files in the chroot jail. Postfix is not chrooted. If you are not willing to show the evidence, then we cannot help you find the mistake. Wietse
Re: temporary errors for DNS
On Mon, 13 Jul 2009 14:25:01 +0200 Keld Jørn Simonsen k...@dkuug.dk wrote: On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote: On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote: I am getting it via fetchmail snip If you are getting it through fetchmail, then the message has already been delivered... so you MUST NOT reject it later, *especially* if it is spam - unless of course you really *want* to end up blacklisted... OK, I want to DISCARD it then. Is that possible? And why would I end up being blacklisted for rejecting spam, already received at one of my mailboxes? http://lmgtfy.com/?q=backscatter -- John
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 08:28:16AM -0400, Wietse Venema wrote: Keld Jørn Simonsen: On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote: Keld Jørn Simonsen: 450 indicates a temporary dns error, and I have set unknown_address_reject_code = 550 unknown_address_reject_code is for permanent errors. In your case, the system library getnameinfo() returns a temporary error, therefore Postfix will reply with 450. Since you also can't look up the name for my own server 168.100.189.2, I suspect one or more of the following: - Incorrect system permissions of / /etc /etc/resolv.conf /etc/nsswitch.conf or the files and directories referenced by /etc/nsswitch.conf. Files must be world readable, and directories must have world read-execute permission. They look ok. If you are not willing to show the evidence, then we cannot help you find the mistake. Sorry, I am new on this list and not fully aware of your conventions. So here they are: drwxr-xr-x 20 root root 4096 jul 10 09:32 / drwxr-xr-x 113 root root 12288 jul 13 14:09 /etc -rw-r--r-- 2 root root 1277 jun 24 2007 /etc/nsswitch.conf -rw-r--r-- 1 root root 47 jul 13 14:09 /etc/resolv.conf And postfix does get answers from named. I receive all my mail via my local postfix, and I could not have done this email without postfix/named working - which it does most of the time. Postfix does not need named to RECEIVE email. I think postfix does need DNS assistance to check a number of things. I understand that I don't need to run named on my own machine, as I just could use any nameserver, but running named here gives me greater control, and I can poke into logs etc. - Running Postfix chrooted without providing the necessary files in the chroot jail. Postfix is not chrooted. If you are not willing to show the evidence, then we cannot help you find the mistake. OK, here are the relevant lines of master.cf. I added the -v option to get more debugging.
Still it does not show me communication with the name server. The name server log does show some communication, that stems from postfix, but it does not show me the responses. I would like to see what named tells postfix. # == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == smtp inet n - y - - smtpd -v best regards keld
Re: temporary errors for DNS
On Mon, 13 Jul 2009 15:24:04 +0200 Keld Jørn Simonsen k...@dkuug.dk wrote: [snip] # == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == smtp inet n - y - - smtpd -v It is chrooted. -- John
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 08:29:28AM -0400, John Peach wrote: On Mon, 13 Jul 2009 14:25:01 +0200 Keld Jørn Simonsen k...@dkuug.dk wrote: On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote: On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote: I am getting it via fetchmail snip If you are getting it through fetchmail, then the message has already been delivered... so you MUST NOT reject it later, *especially* if it is spam - unless of course you really *want* to end up blacklisted... OK, I want to DISCARD it then. Is that possible? And why would I end up being blacklisted for rejecting spam, already received at one of my mailboxes? http://lmgtfy.com/?q=backscatter OK, I know, I did some filters for postfix for such things, available from my homepage. at http://dkuug.dk/keld Still would it be possible to discard such mail. best regards keld
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote: On Mon, 13 Jul 2009 15:24:04 +0200 Keld Jørn Simonsen k...@dkuug.dk wrote: [snip] # == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == smtp inet n - y - - smtpd -v It is chrooted. Thanks for spelling it out. I was just building on the default configuration of my distro. There were many other chroot services in the master file, I changed them and now I will see if that helps. Best regards keld
Re: temporary errors for DNS
# == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == smtp inet n - y - - smtpd -v The SMTP server runs chrooted. Don't do that, unless you know how to set up and maintain a chroot jail with all the appropriate files. Wietse
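The check that settled this thread, as an added Python example that is not part of the thread and is not Postfix code: read master.cf, report which services have the chroot column enabled, and report which resolver files are unreadable inside the jail. The function names, the constructed sample file and the `dash_means_chroot` parameter are assumptions; the parameter follows the "(yes)" default shown in the column header quoted above.

```python
import os

# Resolver files named in the thread; paths are relative to the jail root.
JAIL_FILES = ("etc/resolv.conf", "etc/nsswitch.conf")

# Constructed sample in master.cf layout (not the poster's actual file).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       y       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""


def parse_master_cf(text):
    """Return one dict per service entry found in master.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # not a complete service entry
        entries.append({"service": fields[0], "type": fields[1],
                        "chroot": fields[4], "command": fields[7]})
    return entries


def chrooted_services(text, dash_means_chroot=True):
    """Names of services that run chrooted.

    dash_means_chroot says what '-' in the chroot column means on this system.
    """
    found = []
    for entry in parse_master_cf(text):
        flag = entry["chroot"]
        if flag == "y" or (flag == "-" and dash_means_chroot):
            found.append(entry["service"] + "/" + entry["type"])
    return found


def missing_jail_files(jail_root, files=JAIL_FILES):
    """Files under jail_root (the Postfix queue directory) that are absent or unreadable."""
    return [f for f in files if not os.access(os.path.join(jail_root, f), os.R_OK)]


if __name__ == "__main__":
    print("chrooted:", chrooted_services(SAMPLE_MASTER_CF))
    # /var/spool/postfix is the usual queue directory; adjust to the local setting.
    print("missing in jail:", missing_jail_files("/var/spool/postfix"))
```

A chrooted smtpd with either file missing cannot reach the resolver configuration, which produces the temporary lookup failures and 450 replies seen earlier in the thread.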
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote: On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote: On Mon, 13 Jul 2009 15:24:04 +0200 Keld Jørn Simonsen k...@dkuug.dk wrote: [snip] # == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == smtp inet n - y - - smtpd -v It is chrooted. Thanks for spelling it out. I was just building on the default configuration of my distro. There were many other chroot services in the master file, I changed them and now I will see if that helps. This seems to have solved most of my problems with postfix/named. Even the problem sending mail to Wietse was solved. Are there distros that are known to have a postfix package that is set up correctly wrt chroot? best regards Keld
Re: temporary errors for DNS
On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote: ... Are there distros that are known to have a postfix package that is set up correctly wrt chroot? OpenBSD -- Rod Dorman r...@polylogics.com "The avalanche has already started, it is too late for the pebbles to vote." - Ambassador Kosh
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 11:49:10PM +0200, Keld Jørn Simonsen wrote:
On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote:

It is chrooted.

Thanks for spelling it out. I was just building on the default configuration of my distro. There were many other chroot services in the master file, I changed them and now I will see if that helps.

This seems to have solved most of my problems with postfix/named. Even the problem sending mail to Wietse was solved.

Well, still problems, but of the more understandable type.

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk
Jul 14 00:11:58 rap postfix/smtpd[1054]: rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found

host server30.reverya.com gives:

Host server30.reverya.com not found: 2(SERVFAIL)

So this would probably never resolve, but fail with a 450 error. I would like to discard it. I had 3 mails like that earlier today, with a nonresolvable domain, and they will keep lying in my IMAP box till I do special things to delete them.

Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter?

best regards
keld
Re: temporary errors for DNS
On Mon, Jul 13, 2009 at 06:19:40PM -0400, Rod Dorman wrote:
On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:

... Are there distros that are known to have a postfix package that is set up correctly wrt chroot?

OpenBSD

Well, I confine myself to Linux, as I am doing some kernel work, and other system work there, so I was wondering if there were any Linux distros, and preferably rpm based, which does correct packaging of a chrooted postfix?

best regards
keld
Re: temporary errors for DNS
Keld Jørn Simonsen wrote:
On Mon, Jul 13, 2009 at 06:19:40PM -0400, Rod Dorman wrote:
On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:

... Are there distros that are known to have a postfix package that is set up correctly wrt chroot?

OpenBSD

Well, I confine myself to Linux, as I am doing some kernel work, and other system work there, so I was wondering if there were any Linux distros, and preferably rpm based, which does correct packaging of a chrooted postfix?

I use suse (rpm based) and ubuntu (deb based) and they both work nicely out of the box as chrooted postfix servers.

Joe
Re: temporary errors for DNS
Keld Jørn Simonsen:

Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter?

Postfix is only the messenger of the bad news. When the server responds, Postfix acts accordingly. When the server does not reply, Postfix assumes that this is a temporary error, because assuming otherwise would cause a lot of mail to fail.

Wietse
Re: temporary errors for DNS
Keld Jørn Simonsen wrote:

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found; from=jets...@server30.reverya.com to=k...@localhost proto=ESMTP helo=rap.rap.dk
Jul 14 00:11:58 rap postfix/smtpd[1054]: rap.rap.dk[127.0.0.1]: 450 4.1.8 jets...@server30.reverya.com: Sender address rejected: Domain not found

host server30.reverya.com gives:

Host server30.reverya.com not found: 2(SERVFAIL)

So this would probably never resolve, but fail with a 450 error. I would like to discard it. I had 3 mails like that earlier today, with a nonresolvable domain, and they will keep lying in my IMAP box till I do special things to delete them.

Is there a way to disambiguate between DNS timeouts and DNS errors, and discard the latter?

No. Probably the best choice for you is to add SpamAssassin and let it decide which mail to discard.

I suppose you could use a sufficiently flexible postfix policy service - maybe postfwd - to discard mail with DNS SERVFAIL. I also expect that will eventually bite you in the buttocks.

--
Noel Jones
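The distinction asked about in this thread, written as a small Postfix policy-delegation service; this is an added example, not code from the thread, from postfwd or from Postfix. The action table, the use of host(1) as the resolver and the sample request are assumptions; it rejects only on a definite NXDOMAIN and defers on SERVFAIL or no answer rather than discarding.

```python
import re
import subprocess
import sys

# Action per DNS outcome (this example's policy); only a definite NXDOMAIN is permanent.
ACTIONS = {
    "NOERROR": "DUNNO",
    "NXDOMAIN": "REJECT 5.1.8 Sender domain does not exist",
    "SERVFAIL": "DEFER_IF_PERMIT 4.1.8 Sender domain lookup failed",
    "TIMEOUT": "DEFER_IF_PERMIT 4.1.8 Sender domain lookup timed out",
}

# Constructed sample request (the sender domain is a placeholder).
SAMPLE_REQUEST = "request=smtpd_access_policy\nprotocol_state=RCPT\nsender=user@mail.example.invalid\n\n"

def rcode_from_host_output(returncode, output):
    """Classify host(1) output such as 'Host x not found: 2(SERVFAIL)'."""
    if returncode == 0:
        return "NOERROR"
    m = re.search(r"not found: \d+\((\w+)\)", output)
    return m.group(1) if m else "TIMEOUT"

def host_rcode(domain):
    """Default resolver: run host(1); no usable answer within 10 s counts as a timeout."""
    try:
        p = subprocess.run(["host", domain], capture_output=True, text=True, timeout=10)
    except (subprocess.TimeoutExpired, OSError):
        return "TIMEOUT"
    return rcode_from_host_output(p.returncode, p.stdout + p.stderr)

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    return dict(l.partition("=")[::2] for l in text.splitlines() if "=" in l)

def decide(attrs, resolver=host_rcode):
    """Return the policy reply for one request, e.g. 'action=DUNNO' plus an empty line."""
    _, at, domain = attrs.get("sender", "").rpartition("@")
    # Pass null senders through, and never hand host(1) a name that could be an option.
    if not at or not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.?", domain):
        return "action=DUNNO\n\n"
    # Unknown rcodes (REFUSED and the like) are treated as a temporary failure.
    return "action=%s\n\n" % ACTIONS.get(resolver(domain), ACTIONS["SERVFAIL"])

if __name__ == "__main__":
    buf = ""
    for line in sys.stdin:
        buf += line
        if line == "\n":
            print(decide(parse_request(buf)), end="", flush=True)
            buf = ""
```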