On Tue, Jul 14, 2009 at 09:04:15AM -0400, Wietse Venema wrote:
> Wietse Venema:
> > Keld Jørn Simonsen:
> > > > OK, here goes:
> > > > 
> > > > 1) The server replies with "good news". Postfix replies with good news.
> > > > 
> > > > 2) The server replies with "bad news". Postfix replies with 5xx.
> > > > 
> > > > 3) No server reply. Postfix replies with 4xx.
> > > > 
> > > > Is this finally clear?
> > > 
> > > Yes, thanks. But it seems that my postfix reacts differently on
> > > a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes.
> 
> NXDOMAIN is an example of case 1).

You mean case 2)?

> SERVFAIL (not SVRFAIL) is an
> example of case 3): the server is unable to provide an answer.  It
> is not appropriate to treat all SERVFAIL results as if the domain
> is illegitimate.

OK, I see.

Actually NXDOMAIN and SERVFAIL are the only two error statuses that DNS
gives (according to some googling I just did), so I was misled by
treating one DNS error in one way, and the only other DNS error in
another way, when you said "2) The server replies with "bad news".
Postfix replies with 5xx." The DNS server that is being queried
does give an answer, namely SERVFAIL. But on the other hand that
reflects an error in responding from the partners of the queried DNS
server. Maybe this distinction could be clarified in TFM.

I did have:

unknown_address_reject_code = 550

in my main.cf (and I did do some RTFM before asking) but was not aware
that SERVFAIL was considered a temporary DNS error. I would have thought that
SERVFAIL was a permanent DNS error; at least it seems a bit more
permanent than just a timeout. And in my case it is predominantly spam,
but then more than 99% of the mail handled by postfix here is spam.

SERVFAIL means that there is data for the domain in the root servers,
but that the servers giving authoritative answers do not answer.
The latter may be due to timeouts, perhaps? Or it may be
misconfiguration, or non-availability.

An aside: would it then be possible to ask for a non-authoritative answer
and rely on that in postfix?

> If you have a problem with particular DNS servers, use
> check_sender_ns_access, possibly in the form of a dynamically-updated
> blacklist, or suggest a reject_rbl_xxx feature that targets the
> DNS operator of the sender or client domain.

Well, it is spam, so the servers would change all the time.
A hand-coded setup is not feasible. I am not aware of dynamic blacklists
for this; would there be a tutorial for handling this somewhere?

Best regards
keld
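The three cases Wietse lists (good news, bad news, no server reply) map onto the RCODE field of the DNS reply header. The following is an added example, not Postfix source and not posted by anyone in the thread: it parses the 12-byte DNS header (RFC 1035 section 4.1.1), reads the RCODE, and returns the SMTP status the thread describes, using the poster's `unknown_address_reject_code = 550`. The 450 temporary-failure code, the treatment of NOERROR-with-no-answers as "bad news", and the treatment of other RCODEs (FORMERR, NOTIMP, REFUSED) as temporary are assumptions, labelled in the code; the sample replies are constructed inline, not captured traffic.

```python
"""Classify a DNS reply into the three outcomes described in the thread.

Added example, not Postfix code. Case 1 (good news) -> accept, case 2
(bad news, e.g. NXDOMAIN) -> permanent 5xx, case 3 (no usable answer,
e.g. SERVFAIL or timeout) -> temporary 4xx.
"""
import struct

# RCODE values from RFC 1035 section 4.1.1.
RCODE_NOERROR = 0
RCODE_FORMERR = 1
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3
RCODE_NOTIMP = 4
RCODE_REFUSED = 5

UNKNOWN_ADDRESS_REJECT_CODE = 550    # value from the poster's main.cf
UNKNOWN_ADDRESS_TEMPFAIL_CODE = 450  # assumption: 4xx code for a temporary DNS failure


def parse_header(reply: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header: id, flag bits and section counts."""
    if len(reply) < 12:
        raise ValueError("truncated DNS reply")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,     # 1 = response
        "aa": (flags >> 10) & 1,     # authoritative answer
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(reply):
    """Return (smtp_code, reason); smtp_code is None when the lookup succeeded.

    `reply` is the raw DNS reply, or None when no server replied (timeout).
    """
    if reply is None:
        return UNKNOWN_ADDRESS_TEMPFAIL_CODE, "timeout: no server reply (case 3)"
    hdr = parse_header(reply)
    if hdr["qr"] != 1:
        raise ValueError("not a DNS response")
    rcode = hdr["rcode"]
    if rcode == RCODE_NXDOMAIN:
        # The server answered and said the name does not exist: bad news.
        return UNKNOWN_ADDRESS_REJECT_CODE, "NXDOMAIN: bad news (case 2)"
    if rcode == RCODE_SERVFAIL:
        # The server answered but could not resolve the name: no usable answer.
        return UNKNOWN_ADDRESS_TEMPFAIL_CODE, "SERVFAIL: no usable answer (case 3)"
    if rcode == RCODE_NOERROR:
        if hdr["ancount"] > 0:
            return None, "good news: accept (case 1)"
        # NOERROR with zero answers (NODATA): the name exists but has no
        # record of the queried type. Assumption: treated as bad news, since
        # a sender domain needs an MX or A record to be accepted.
        return UNKNOWN_ADDRESS_REJECT_CODE, "NODATA: bad news (case 2)"
    # FORMERR, NOTIMP, REFUSED and reserved codes: the server replied, but
    # not with information about the name. Assumption: treated as temporary.
    return UNKNOWN_ADDRESS_TEMPFAIL_CODE, f"rcode {rcode}: no usable answer (case 3)"


def build_reply(ident: int, rcode: int, ancount: int, aa: int = 0) -> bytes:
    """Construct a header-only DNS reply (constructed sample, not captured)."""
    qr, rd, ra = 1 << 15, 1 << 8, 1 << 7
    flags = qr | (aa << 10) | rd | ra | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    for label, reply in [
        ("NXDOMAIN", build_reply(1, RCODE_NXDOMAIN, 0, aa=1)),
        ("SERVFAIL", build_reply(2, RCODE_SERVFAIL, 0)),
        ("NOERROR+MX", build_reply(3, RCODE_NOERROR, 2, aa=1)),
        ("timeout", None),
    ]:
        print(label, classify(reply))
```

Run the file directly to see the four constructed cases classified; the point to take from it is that NXDOMAIN and SERVFAIL are both "answers" on the wire, but only NXDOMAIN is a statement about the domain, which is why the thread puts them in different cases.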