You're right about the first one (164.177.131.207) -- the rDNS name exists, so 
the "reject-empty-rdns" filter doesn't stop it.  But the rDNS name doesn't have 
an A record, so the "reject-unresolvable-rdns" filter blocks it.  Unless I'm 
missing something, this is how those filters are supposed to work.

From my testing, the second example you gave (38.127.167.2) seems to work.  
spamdyke chases down the CNAME correctly and finds "rodan.lastpass.com".  That 
name has an A record, so it should work.  Was that scenario a one-time 
rejection or does it happen every time?

If you want an easy way to see exactly what spamdyke's doing, you can run these 
tests from the command line without having to wait for those servers to 
reconnect.  First, recompile spamdyke with excessive output:
        ./configure --with-excessive-output
        make
(You don't have to install the new binary; you can just run it where it is.)  
Then, set your IP address to the one you want to test (assuming a bash shell 
here):
        export TCPREMOTEIP=164.177.131.207
Then start the recompiled spamdyke from the command line.  It'll do all of its 
rDNS lookups before it expects any input, so you can just hit CTRL-C when you 
see the "220" greeting from qmail:
        ./spamdyke --log-target stderr -lexcessive -r -R /var/qmail/bin/qmail-smtpd

Most of the output will be from the DNS code -- you should be able to see 
exactly what packets spamdyke sends to which nameservers and what the responses 
are.

-- Sam Clippinger
On Feb 3, 2014, at 7:09 AM, Lawrence <spamdyke.ad...@freeman.me.uk> wrote:

> Gents.
> I have also been troubleshooting a couple of legitimate hosts that are being 
> blocked.
> 
> Just to clarify my process can I test the following with the group?
> 
> Scenario A
> I think this is a valid denial.
> 
> LOG section:
> Jan 28 12:01:35 flobix spamdyke[1841]: FILTER_RDNS_RESOLVE ip: 
> 164.177.131.207 rdns: 398878-prod-batch01.oyster.tfl.gov.uk
> Jan 28 12:01:35 flobix spamdyke[1841]: DENIED_RDNS_RESOLVE from: 
> autorespo...@tfl.gov.uk to: xxxremove...@freeman.me.uk origin_ip: 
> 164.177.131.207 origin_rdns: 398878-prod-batch01.oyster.tfl.gov.uk auth: 
> (unknown) encryption: (none) reason: (empty)
> 
> Here are the results of the test done manually:
> Reverse test
> >nslookup 164.177.131.207   RESULT 207.131.177.164.in-addr.arpa
> name = 398878-prod-batch01.Oyster.tfl.gov.uk. OKAY
> Forward test
> >nslookup 398878-prod-batch01.Oyster.tfl.gov.uk   RESULT ** server can't find 
> >398878-prod-batch01.Oyster.tfl.gov.uk: NXDOMAIN  FAILED
> 
> So I assume the denial was the follow-up forward lookup after the reverse? (I have 
> emailed tfl and rackspace about their missing A records)
> I have temporarily whitelisted the server to receive this mail....
> 
> Scenario B
> I think this is a false positive.
> 
> Log Section:
> Jan 28 21:46:05 flobix spamdyke[8024]: DENIED_RDNS_MISSING from: 
> www-d...@lastpass.com to: xxxremove...@freeman.me.uk origin_ip: 38.127.167.2 
> origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
> 
> Results of manual testing:
> >nslookup 38.127.167.2 
> RESULT
> Non-authoritative answer:
> 2.167.127.38.in-addr.arpa     canonical name = 38.127.167.2.LastPass.com.
> 38.127.167.2.LastPass.com     name = rodan.LastPass.com.
> 
> >nslookup rodan.LastPass.com
> RESULT 
> Non-authoritative answer:
> Name: rodan.LastPass.com
> Address: 38.127.167.2
> 
> Now this does resolve, but to a CNAME record; that is quite common these 
> days for template-based DNS services and might also be the case if you have a 
> load-balanced mail server setup that has 2 nodes but uses a CNAME of 
> mail.blablabla.com
> So why is this failing?
> 
> 
> My Config:
> filter-level=normal
> greeting-delay-secs=2
> max-recipients=5
> reject-empty-rdns
> reject-ip-in-cc-rdns
> reject-sender=no-mx
> reject-unresolvable-rdns
> dns-level=normal
> log-level=verbose
> #config-dir=/etc/spamdyke.d
> idle-timeout-secs=120
> reject-recipient=same-as-sender
> ip-blacklist-file=/etc/spamdyke/blacklist_ip
> recipient-blacklist-file=/etc/spamdyke/recipient_blacklist
> sender-blacklist-file=/etc/spamdyke/sender_blacklist
> ip-in-rdns-keyword-blacklist-entry=dynamic
> ip-whitelist-entry=80.177.27.115
> ip-whitelist-entry=83.244.151.218
> ip-whitelist-file=/etc/spamdyke/whitelist_ip
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=bl.spamcop.net
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
> dns-max-retries-primary=5
> ip-relay-entry=80.177.27.115
> 
> p.s. I have a new addition of tailing the maillog, is this normal, will it 
> pass? :)
> 
> Regards
> Lawrence
> 
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

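To see why scenario A is denied while scenario B is expected to pass, here is an added example (not spamdyke's own code) that models the two rDNS filters the way Sam describes them: reject-empty-rdns fires when no PTR is found, reject-unresolvable-rdns fires when the rDNS name has no A record, and CNAMEs are chased on both the reverse and the forward side. The DNS data is a constructed fixture built from the nslookup results quoted in the thread; the fixture lookup, the function names and the 192.0.2.1 "no PTR" address are my assumptions, and any lookup(name, rrtype) callable backed by a real resolver can be swapped in for the fixture.

```python
"""Model of spamdyke's reject-empty-rdns / reject-unresolvable-rdns decisions."""
from typing import Callable, List, Optional

Lookup = Callable[[str, str], Optional[List[str]]]

# Constructed zone data keyed by (owner name, record type); anything absent
# behaves like NXDOMAIN / no data. Values are copied from the thread's lookups.
FIXTURE = {
    # Scenario A: the PTR exists, but the forward name has no A record.
    ("207.131.177.164.in-addr.arpa", "PTR"): ["398878-prod-batch01.oyster.tfl.gov.uk."],
    # Scenario B: the reverse name is a CNAME into LastPass's zone, whose PTR
    # points at rodan.lastpass.com, and that name does have an A record.
    ("2.167.127.38.in-addr.arpa", "CNAME"): ["38.127.167.2.lastpass.com."],
    ("38.127.167.2.lastpass.com", "PTR"): ["rodan.lastpass.com."],
    ("rodan.lastpass.com", "A"): ["38.127.167.2"],
}


def fixture_lookup(name: str, rrtype: str) -> Optional[List[str]]:
    """Assumed stand-in for a real resolver query; names are compared case-insensitively."""
    return FIXTURE.get((name.rstrip(".").lower(), rrtype))


def resolve_chasing_cname(lookup: Lookup, name: str, rrtype: str, max_hops: int = 8):
    """Return rdata for name/rrtype, following CNAMEs the way a resolver does."""
    for _ in range(max_hops):
        rdata = lookup(name, rrtype)
        if rdata:
            return rdata
        cname = lookup(name, "CNAME")
        if not cname:
            return None          # NXDOMAIN, or no data of this type
        name = cname[0]
    return None                  # CNAME loop or over-long chain: treat as unresolvable


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def rdns_verdict(ip: str, lookup: Lookup = fixture_lookup):
    """Return (spamdyke log keyword, rDNS name) for a connecting IP."""
    ptr = resolve_chasing_cname(lookup, reverse_name(ip), "PTR")
    if not ptr:
        return "DENIED_RDNS_MISSING", None    # reject-empty-rdns
    rdns = ptr[0].rstrip(".").lower()
    if not resolve_chasing_cname(lookup, rdns, "A"):
        return "DENIED_RDNS_RESOLVE", rdns    # reject-unresolvable-rdns
    return "ALLOWED", rdns                    # both rDNS filters satisfied


if __name__ == "__main__":
    for addr in ("164.177.131.207", "38.127.167.2", "192.0.2.1"):
        print(addr, *rdns_verdict(addr))
```

Note that, as Sam describes it, the unresolvable-rDNS check only requires the rDNS name to have some A record; it does not require that address to match the connecting IP.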
