Hello,

I’m surprised to see that dnsblog can issue up to 40 absolutely identical DNS 
requests per second, for postscreen, when my setup reads:

postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = MY-API-KEY.combined.mail.abusix.zone
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_rbl_reply_map
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_min_ttl = 10m
postscreen_dnsbl_max_ttl = 1h
postscreen_dnsbl_whitelist_threshold = 0


short sample of postfix logs:

Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for [109.237.98.134]:19599
Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from [109.237.98.134]:17535 to [IP.AD.DR.ESS]:25
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from [109.237.98.134]:19610 to [IP.AD.DR.ESS]:25
Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from [109.237.98.134]:62338 to [IP.AD.DR.ESS]:25
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
Sep 29 04:18:43 hostname postfix/postscreen[819832]: HANGUP after 0.07 from [109.237.98.134]:17514 in tests after SMTP handshake
Sep 29 04:18:43 hostname postfix/postscreen[819832]: DISCONNECT [109.237.98.134]:17514
Sep 29 04:18:43 hostname postfix/postscreen[819832]: PREGREET 15 after 0.07 from [109.237.98.134]:17526: EHLO fGsQUClE\r\n
Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for [109.237.98.134]:17526
Sep 29 04:18:43 hostname postfix/postscreen[819832]: PREGREET 15 after 0.08 from [109.237.98.134]:42608: EHLO 7ubytEm5\r\n
Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for [109.237.98.134]:42608
Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from [109.237.98.134]:62347 to [IP.AD.DR.ESS]:25
Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2


short sample of DNS logs:

29-Sep-2023 04:18:47.970 client @0x7f66fc0bf1c0 127.0.0.1#38245 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.973 client @0x7f66fc0bf1c0 127.0.0.1#40840 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.974 client @0x7f66fc0bf1c0 127.0.0.1#60298 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.997 client @0x7f66fc0bf1c0 127.0.0.1#41691 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)


What am I missing?

patpro
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
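
One way to measure the repetition described in the message above from a BIND query log in the quoted format. This is an added example, not part of the original post or of Postfix; the function names and the threshold are assumptions, and the sample lines are constructed from the format shown in the post.

```python
import re
from collections import Counter

# One BIND query-log record for an A query, in the format quoted in the post.
RECORD = re.compile(
    r"^(?P<sec>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-fA-F]+ )?\S+#\d+ \(\S+\): query: (?P<qname>\S+) IN A\b"
)
STARTS_RECORD = re.compile(r"^\d{2}-\w{3}-\d{4} ")

def unwrap(text):
    """Rejoin records that a mail client hard-wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STARTS_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def dnsbl_client_ip(qname):
    """Recover the checked IPv4 address from a DNSBL query name (d.c.b.a.zone)."""
    labels = qname.split(".")[:4]
    if len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels):
        return ".".join(reversed(labels))
    return None

def repeated_lookups(text, threshold=2):
    """Return (second, client_ip, qname, count) for identical queries seen
    at least `threshold` times within the same second."""
    counts = Counter()
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m and dnsbl_client_ip(m["qname"]):
            counts[(m["sec"], m["qname"])] += 1
    return sorted((sec, dnsbl_client_ip(q), q, n)
                  for (sec, q), n in counts.items() if n >= threshold)

# Constructed sample: four identical lookups in one second (first one wrapped
# the way a mail client would), plus a single lookup for a documentation address.
SAMPLE = """\
29-Sep-2023 04:18:47.970 client @0x7f66fc0bf1c0 127.0.0.1#38245
(134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query:
134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.973 client @0x7f66fc0bf1c0 127.0.0.1#40840 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.974 client @0x7f66fc0bf1c0 127.0.0.1#60298 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:47.997 client @0x7f66fc0bf1c0 127.0.0.1#41691 (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
29-Sep-2023 04:18:48.101 client @0x7f66fc0bf1c0 127.0.0.1#41702 (10.2.0.192.MY-API-KEY.combined.mail.abusix.zone): query: 10.2.0.192.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
"""
```

Calling `repeated_lookups()` on the full query log lists each second in which the same DNSBL name was queried repeatedly, which can be compared against the number of postscreen CONNECT lines for that address in the same second.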
