Re: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
Sahil Tandon: > Just following up to close this discussion. > > On Sun, 2012-05-06 at 09:35:24 -0400, Wietse Venema wrote: > > > Sahil Tandon: > > > May 5 10:00:26 mx1 postfix/postscreen[38500]: warning: > > > psc_dnsbl_request: connect to private/dnsblog service: Connection refused > > > May 5 10:00:26 mx1 last message repeated 8 times > > dnsblog results. > > ... > > Whatever this problem may be, it should be easy enough to re-create > > with "smtp-source -A" by setting up a dummy postfix instance with: > > > > - pregreet turned off > > - the smallest-possible greet-wait > > - sending dnsbl queries to a wild-card local DNS server > > > > This will reduce sharing of DNSBL results between multiple SMTP > > sesssions (and thus increase the DNSBL lookup rate). > > ... > > I could not reproduce the warning with smtp-source, but FWIW it recurs > daily -- with varying frequency -- on the production MX. I enabled > verbose logging for dnsblog(8) and postscreen(8) for a few hours, and > could not[*] glean anything useful from the logging that precedes the > warning. Which OS? The same one that causes DNSBL lookups to go astray so that a client isn't blocked as expected? I can put it in a VM and hammer it until eternity. Please send your master.cf off-list. Wietse Wietse
Re: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
Just following up to close this discussion. On Sun, 2012-05-06 at 09:35:24 -0400, Wietse Venema wrote: > Sahil Tandon: > > May 5 10:00:26 mx1 postfix/postscreen[38500]: warning: psc_dnsbl_request: > > connect to private/dnsblog service: Connection refused > > May 5 10:00:26 mx1 last message repeated 8 times > dnsblog results. > ... > Whatever this problem may be, it should be easy enough to re-create > with "smtp-source -A" by setting up a dummy postfix instance with: > > - pregreet turned off > - the smallest-possible greet-wait > - sending dnsbl queries to a wild-card local DNS server > > This will reduce sharing of DNSBL results between multiple SMTP > sesssions (and thus increase the DNSBL lookup rate). > ... I could not reproduce the warning with smtp-source, but FWIW it recurs daily -- with varying frequency -- on the production MX. I enabled verbose logging for dnsblog(8) and postscreen(8) for a few hours, and could not[*] glean anything useful from the logging that precedes the warning. Anyway, this is not a major problem for me, but rather something that aroused curiosity. So, we needn't waste any more time on it. :) However, if someone else happens to experience a similar issue in the future, I'd be happy to compare logs (both verbose and otherwise) off-list. [*] This is likely due to lack of clue. -- Sahil Tandon
Re: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
On Sun, 6 May 2012 03:39:19 -0400 Sahil Tandon articulated: >I could not find references to this issue in the archives, and I know >others manage much higher-volume sites, so I suspect it just indicates >a severely borked system (FreeBSD 8.3) on my side. Ever since updating to FreeBSD-8.3 STABLE, I have noticed some strange things happening also; although not so much with Postfix due to its excellent design. Have you tried on a FreeBSD-9.x system to confirm it is not localized to the 8.3 branch? -- Jerry ✌ postfix-u...@seibercom.net _ TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Re: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
Sahil Tandon: > May 5 10:00:26 mx1 postfix/postscreen[38500]: warning: psc_dnsbl_request: > connect to private/dnsblog service: Connection refused > May 5 10:00:26 mx1 last message repeated 8 times When does FreeBSD report ECONNREFUSED on an open socket? I thought it would do that only when there is no listener. [these are logged amidst records that show dnsblog(8) does receive and respond to queries]. > I could not find references to this issue in the archives, and I know > others manage much higher-volume sites, so I suspect it just indicates a > severely borked system (FreeBSD 8.3) on my side. I suppose they also don't have a two-second delay in their dnsblog results. Whatever this problem may be, it should be easy enough to re-create with "smtp-source -A" by setting up a dummy postfix instance with: - pregreet turned off - the smallest-possible greet-wait - sending dnsbl queries to a wild-card local DNS server This will reduce sharing of DNSBL results between multiple SMTP sesssions (and thus increase the DNSBL lookup rate). BTW have you found out why DNSBL results arrive after two seconds? Wietse
Re: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
On May 6, 2012, at 09:39, Sahil Tandon wrote: > Is there anything I should/could do to prevent these type of > occurrences? My understanding is that postscreen(8) temporarily > struggles to contact dnsblog(8) and in the meantime, > postscreen_greet_wait elapses before DNSBL lookup results are available > for this client. > > May 5 10:00:26 mx1 postfix/postscreen[38500]: CONNECT from > [83.59.10.37]:12954 to [69.147.83.52]:25 > May 5 10:00:26 mx1 postfix/postscreen[38500]: warning: psc_dnsbl_request: > connect to private/dnsblog service: Connection refused > May 5 10:00:26 mx1 last message repeated 8 times > ... > May 5 10:00:32 mx1 postfix/postscreen[38500]: NOQUEUE: reject: RCPT > from [83.59.10.37]:12954: 450 4.3.2 Service currently unavailable; > from=, to=, proto=ESMTP, > helo=<37.red-83-59-10.dynamicip.rima-tde.net> > ... > May 5 10:00:33 mx1 postfix/postscreen[38500]: HANGUP after 1.1 from > [83.59.10.37]:12954 in tests after SMTP handshake > May 5 10:00:33 mx1 postfix/postscreen[38500]: PASS NEW [83.59.10.37]:12954 > > These psc_dnsbl_request warnings appear throughout my logs, and are > interleaved with 'normal' dnsblog(8) logging that shows it is still > working just fine in response to other client CONNECTs. > > I could not find references to this issue in the archives, and I know > others manage much higher-volume sites, so I suspect it just indicates a > severely borked system (FreeBSD 8.3) on my side. Is it running into limits somewhere? Have you perhaps set 'maxproc' for dnsblog in master.cf to a lower value than what it needs at peak times? We are running it with maxproc at zero for dnsblog, and have a local resolver cache on the server itself to minimize the impact of slowdowns elsewhere. Only been running postscreen for about five weeks though, so our experience with it is still fairly limited. Perhaps these are obvious things you have already thought about. HTH, Jona
warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused
Is there anything I should/could do to prevent these type of occurrences? My understanding is that postscreen(8) temporarily struggles to contact dnsblog(8) and in the meantime, postscreen_greet_wait elapses before DNSBL lookup results are available for this client. May 5 10:00:26 mx1 postfix/postscreen[38500]: CONNECT from [83.59.10.37]:12954 to [69.147.83.52]:25 May 5 10:00:26 mx1 postfix/postscreen[38500]: warning: psc_dnsbl_request: connect to private/dnsblog service: Connection refused May 5 10:00:26 mx1 last message repeated 8 times ... May 5 10:00:32 mx1 postfix/postscreen[38500]: NOQUEUE: reject: RCPT from [83.59.10.37]:12954: 450 4.3.2 Service currently unavailable; from=, to=, proto=ESMTP, helo=<37.red-83-59-10.dynamicip.rima-tde.net> ... May 5 10:00:33 mx1 postfix/postscreen[38500]: HANGUP after 1.1 from [83.59.10.37]:12954 in tests after SMTP handshake May 5 10:00:33 mx1 postfix/postscreen[38500]: PASS NEW [83.59.10.37]:12954 These psc_dnsbl_request warnings appear throughout my logs, and are interleaved with 'normal' dnsblog(8) logging that shows it is still working just fine in response to other client CONNECTs. I could not find references to this issue in the archives, and I know others manage much higher-volume sites, so I suspect it just indicates a severely borked system (FreeBSD 8.3) on my side. -- Sahil Tandon
