On 1/22/2010 6:18 AM, Stan Hoeppner wrote:
> 1. Spamhaus has banned Google Public DNS resolver queries. I didn't know this
> until today. If Postfix is using Google Public DNS resolvers, rbl queries to
> zen.spamhaus.org fail but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about
> it. Not the query attempt, not the failure, zilch, nut'n.

Nothing is logged because the DNS server gives an authoritative
"does not exist" answer. That's not an error, it is the
expected response when a client is not listed in an RBL.
It would be silly to log such events except under debug
conditions. At any rate, the log for this would look
completely normal; lookup performed, host not listed. The
logs would be indistinguishable from any other successful RBL
lookup of an unlisted client.

> 2. For other dns resolvers that Spamhaus doesn't like, such as a few under the
> CenturyLink umbrella (former Embarq/Sprint resolvers) an error is logged, such
> as:
> Jan 22 05:27:53 greer postfix/smtpd[19251]: warning:
> 50.211.118.82.zen.spamhaus.org: RBL lookup error: Host or domain name not found.
> Name service error for name=50.211.118.82.zen.spamhaus.org type=A: Host not
> found, try again

An error is logged because this DNS server returned an error.
Obviously this DNS server is configured differently WRT
spamhaus lookups.

> I'm glad I got this solved. I really wish that when I was using the Google
> resolvers that Postfix would have been logging some kind of errors. If it had,
> I'd have known I had a real problem much sooner. The total lack of log entries
> for ~3 months is what finally jolted me to look into this. This is a sad state
> of affairs. So the question at this point is, why didn't Postfix log any errors
> when NXDOMAIN domain was returned, but did log errors when SERVFAIL is returned?

Test RBL lookups with the published test address. 127.0.0.1
should never be listed, 127.0.0.2 should always be listed.

$ host 1.0.0.127.zen.spamhaus.org
Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

$ host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10

-- Noel Jones
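
The two test-address lookups in the message above can be run on a schedule so that the silent case (a resolver that answers NXDOMAIN even for 127.0.0.2) is reported as a failure instead of looking like a normal "not listed" result. This is an added example, not part of the original message; the function names and verdict words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a DNSBL as seen through the local resolver,
# using the always-listed / never-listed test points from the thread.

# Reduce the text printed by host(1) for one query to a single state word.
host_state() {
    case "$1" in
        # Spamhaus documents 127.255.255.x answers as error codes,
        # not listings, so they are checked before the generic match.
        *"has address 127.255.255."*)               echo error ;;
        *"has address 127."*)                       echo listed ;;
        *"NXDOMAIN"*)                               echo nxdomain ;;
        *"SERVFAIL"*|*"REFUSED"*|*"timed out"*)     echo error ;;
        *)                                          echo unknown ;;
    esac
}

# Combine the state of the never-listed probe (127.0.0.1) and the
# always-listed probe (127.0.0.2) into one verdict.
dnsbl_verdict() {
    case "$1/$2" in
        nxdomain/listed)   echo ok ;;
        nxdomain/nxdomain) echo blind ;;        # lookups "succeed" but can never match
        listed/*)          echo overlisting ;;  # every client would appear listed
        *)                 echo error ;;        # SERVFAIL, timeout, unparsed output
    esac
}

# Query both test points for a zone; non-zero exit unless the verdict is ok.
check_dnsbl() {
    zone=${1:-zen.spamhaus.org}
    never=$(host_state "$(host "1.0.0.127.$zone" 2>&1)")
    always=$(host_state "$(host "2.0.0.127.$zone" 2>&1)")
    verdict=$(dnsbl_verdict "$never" "$always")
    echo "$zone: 127.0.0.1=$never 127.0.0.2=$always verdict=$verdict"
    [ "$verdict" = ok ]
}

# Only query the network when a zone is given on the command line,
# e.g. from cron:  sh dnsbl-check.sh zen.spamhaus.org || mail ...
if [ "$#" -gt 0 ]; then
    check_dnsbl "$1"
fi
```

A `blind` verdict corresponds to the three months of missing rejections described in the thread: Postfix sees a valid "not listed" answer for every client, so nothing in its own log distinguishes the condition.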