patpro--- via Postfix-users:
> Hello,
> 
> I'm surprised to see that dnsblog can issue up to 40 absolutely
> identical DNS requests per second, for postscreen, when my setup
> reads:

postscreen does not duplicate DNS caching.  DNS lookup results are
already cached in a non-Postfix DNS resolver (see /etc/resolv.conf).

When postscreen receives multiple connections, then there can be
multiple dnsblog queries.

Normally, postscreen will combine multiple dnsblog queries for the
same IP address into one query for that IP address, when connections
from that IP address overlap in time during the PREGREET delay,
but this client pregreets immediately (after 0.07s).

postscreen terminates the PREGREET delay as soon as the client
pregreets and all dnsblog queries for that IP address have completed.
That helps to get rid of spambots as quickly as possible.

But that also reduces the opportunities for connections to overlap,
and thus, for multiple dnsblog queries to be combined into one.

        Wietse

> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = MY-API-KEY.combined.mail.abusix.zone
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_rbl_reply_map
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_min_ttl = 10m
> postscreen_dnsbl_max_ttl = 1h
> postscreen_dnsbl_whitelist_threshold = 0
> 
> 
> short sample of postfix logs:
> 
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for 
> [109.237.98.134]:19599
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from 
> [109.237.98.134]:17535 to [IP.AD.DR.ESS]:25
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from 
> [109.237.98.134]:19610 to [IP.AD.DR.ESS]:25
> Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
> Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
> Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
> Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from 
> [109.237.98.134]:62338 to [IP.AD.DR.ESS]:25
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.4
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.3
> Sep 29 04:18:43 hostname postfix/dnsblog[847724]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.12
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: HANGUP after 0.07 from 
> [109.237.98.134]:17514 in tests after SMTP handshake
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: DISCONNECT 
> [109.237.98.134]:17514
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: PREGREET 15 after 0.07 
> from [109.237.98.134]:17526: EHLO fGsQUClE\r\n
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for 
> [109.237.98.134]:17526
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: PREGREET 15 after 0.08 
> from [109.237.98.134]:42608: EHLO 7ubytEm5\r\n
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: DNSBL rank 1 for 
> [109.237.98.134]:42608
> Sep 29 04:18:43 hostname postfix/postscreen[819832]: CONNECT from 
> [109.237.98.134]:62347 to [IP.AD.DR.ESS]:25
> Sep 29 04:18:43 hostname postfix/dnsblog[849643]: addr 109.237.98.134 listed 
> by domain MY-API-KEY.combined.mail.abusix.zone as 127.0.0.2
> 
> 
> short sample of DNS logs:
> 
> 29-Sep-2023 04:18:47.970 client @0x7f66fc0bf1c0 127.0.0.1#38245 
> (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 
> 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
> 29-Sep-2023 04:18:47.973 client @0x7f66fc0bf1c0 127.0.0.1#40840 
> (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 
> 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
> 29-Sep-2023 04:18:47.974 client @0x7f66fc0bf1c0 127.0.0.1#60298 
> (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 
> 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
> 29-Sep-2023 04:18:47.997 client @0x7f66fc0bf1c0 127.0.0.1#41691 
> (134.98.237.109.MY-API-KEY.combined.mail.abusix.zone): query: 
> 134.98.237.109.MY-API-KEY.combined.mail.abusix.zone IN A + (127.0.0.1)
> 
> 
> What am I missing?
> 
> patpro
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
> 
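Added example, not part of the original thread: one way to check from the mail log whether dnsblog lookups were combined is to compare, per client IP and per second, the number of CONNECT lines with the number of lookup rounds. It assumes unwrapped log lines and that dnsblog logs one "listed by" line per A record returned, as in the sample above; the host name, zone name and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the Postfix log excerpt (lines unwrapped).
SAMPLE_LOG = """\
Sep 29 04:18:43 mx postfix/postscreen[100]: CONNECT from [192.0.2.10]:17535 to [198.51.100.1]:25
Sep 29 04:18:43 mx postfix/dnsblog[200]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.3
Sep 29 04:18:43 mx postfix/dnsblog[200]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.2
Sep 29 04:18:43 mx postfix/postscreen[100]: CONNECT from [192.0.2.10]:19610 to [198.51.100.1]:25
Sep 29 04:18:43 mx postfix/dnsblog[201]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.2
Sep 29 04:18:43 mx postfix/dnsblog[201]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.3
Sep 29 04:18:44 mx postfix/postscreen[100]: CONNECT from [192.0.2.10]:62338 to [198.51.100.1]:25
Sep 29 04:18:44 mx postfix/dnsblog[200]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.2
Sep 29 04:18:44 mx postfix/dnsblog[200]: addr 192.0.2.10 listed by domain dnsbl.example.test as 127.0.0.3
Sep 29 04:18:44 mx postfix/postscreen[100]: CONNECT from [203.0.113.5]:40000 to [198.51.100.1]:25
"""

PREFIX = r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/"
CONNECT_RE = re.compile(PREFIX + r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:\d+ to ")
LISTED_RE = re.compile(PREFIX + r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)$")


def dnsbl_lookups_per_connect(log_text):
    """Map (second, client IP) -> (CONNECT count, estimated dnsblog lookup rounds).

    Each lookup of a listed address logs every A record once, so the number of
    times the most frequent (domain, reply) pair appears estimates the number
    of lookups. Unlisted clients log nothing, so the estimate is a lower bound.
    Bucketing by second is approximate: a reply can land in the next second.
    """
    connects = Counter()
    replies = defaultdict(Counter)
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects[m.groups()] += 1
            continue
        m = LISTED_RE.match(line)
        if m:
            ts, ip, domain, reply = m.groups()
            replies[(ts, ip)][(domain, reply)] += 1
    return {key: (connects[key], max(replies[key].values(), default=0))
            for key in sorted(set(connects) | set(replies))}


if __name__ == "__main__":
    for (ts, ip), (conn, lookups) in dnsbl_lookups_per_connect(SAMPLE_LOG).items():
        print(f"{ts} {ip}: {conn} CONNECT, ~{lookups} dnsblog lookup(s)")
```

A lookup count equal to the CONNECT count for an address means none of its queries were combined, which is the case Wietse describes for clients that pregreet immediately; the repeated queries are then left to the local resolver's cache.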