For context:

% postconf mail_version postscreen_dnsbl_threshold postscreen_dnsbl_action
mail_version = 2.9.1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

I have likely missed something simple, so feel free to bludgeon me with your cluebats. Earlier today, I received some UCE from 88.23.204.109. Grepping the logs for that address AND 'postscreen' or 'dnsblog', I saw several instances of this client being rejected by postscreen(8). However, the following sequence of events confused me:

May 5 15:23:41 mx1 postfix/postscreen[38500]: CONNECT from [88.23.204.109]:39722 to [69.147.83.52]:25
May 5 15:23:41 mx1 postfix/dnsblog[45216]: addr 88.23.204.109 listed by domain bl.spameatingmonkey.net as 127.0.0.3
May 5 15:23:41 mx1 postfix/dnsblog[45209]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.4
May 5 15:23:41 mx1 postfix/dnsblog[45209]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.11
May 5 15:23:47 mx1 postfix/postscreen[38500]: DNSBL rank 5 for [88.23.204.109]:39722
May 5 15:23:47 mx1 postfix/postscreen[38500]: NOQUEUE: reject: RCPT from [88.23.204.109]:39722: 550 5.7.1 Service unavailable; client [88.23.204.109] blocked using bl.spameatingmonkey.net; from=<axisf...@buxrud.se>, to=<freebsd-...@freebsd.org>, proto=ESMTP, helo=<109.Red-88-23-204.staticIP.rima-tde.net>
May 5 15:23:48 mx1 postfix/postscreen[38500]: HANGUP after 1.1 from [88.23.204.109]:39722 in tests after SMTP handshake
May 5 15:23:48 mx1 postfix/postscreen[38500]: DISCONNECT [88.23.204.109]:39722

As expected, the client was rejected because DNSBL rank 5 exceeds the threshold.

Then, the same client connected a few seconds later, but presumably hung up without trying to transmit anything:

May 5 15:24:07 mx1 postfix/postscreen[38500]: CONNECT from [88.23.204.109]:40294 to [69.147.83.52]:25
May 5 15:24:07 mx1 postfix/dnsblog[45237]: addr 88.23.204.109 listed by domain bl.spameatingmonkey.net as 127.0.0.3
May 5 15:24:07 mx1 postfix/dnsblog[45234]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.11
May 5 15:24:07 mx1 postfix/dnsblog[45234]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.4
May 5 15:24:09 mx1 postfix/postscreen[38500]: DNSBL rank 5 for [88.23.204.109]:40294
May 5 15:24:09 mx1 postfix/postscreen[38500]: HANGUP after 0.24 from [88.23.204.109]:40294 in tests after SMTP handshake
May 5 15:24:09 mx1 postfix/postscreen[38500]: DISCONNECT [88.23.204.109]:40294

In this second instance, is it correct to infer that Postfix was under stress given the 2s (rather than 6s) that elapses between the last dnsblog(8) entry and when the DNSBL rank is logged by postscreen(8)? Perhaps that is irrelevant, but just something I noticed.

Anyway, the oddness occurs just under a minute later, when the client connects again:

May 5 15:25:08 mx1 postfix/postscreen[38500]: CONNECT from [88.23.204.109]:41253 to [69.147.83.52]:25
May 5 15:25:10 mx1 postfix/dnsblog[45304]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.4
May 5 15:25:10 mx1 postfix/dnsblog[45304]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.11
May 5 15:25:10 mx1 postfix/dnsblog[45300]: addr 88.23.204.109 listed by domain bl.spameatingmonkey.net as 127.0.0.3
May 5 15:25:10 mx1 postfix/postscreen[38500]: NOQUEUE: reject: RCPT from [88.23.204.109]:41253: 450 4.3.2 Service currently unavailable; from=<unlacesj...@clickz.com>, to=<freebsd-...@freebsd.org>, proto=ESMTP, helo=<109.Red-88-23-204.staticIP.rima-tde.net>
May 5 15:25:11 mx1 postfix/postscreen[38500]: HANGUP after 1.1 from [88.23.204.109]:41253 in tests after SMTP handshake
May 5 15:25:11 mx1 postfix/postscreen[38500]: PASS NEW [88.23.204.109]:41253
May 5 15:25:11 mx1 postfix/postscreen[38500]: DISCONNECT [88.23.204.109]:41253
...

No logging of a DNSBL rank, and the client just gets a 4xx after passing the deep protocol tests. As per design, future connections are passed on to smtpd(8) which then delivers the mail.

Please let me know if any other portions of the log or a full 'postconf -n' (I'll just have to sanitize certain portions) would be useful.

--
Sahil Tandon
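
Added example, not part of the original post: a Python check over postscreen(8)/dnsblog(8) log lines that flags sessions ending in PASS although dnsblog logged listings and no "DNSBL rank" line appeared, which is the pattern in the third session above. The function names are hypothetical, the sample is trimmed from the logs quoted in the post, and joining dnsblog lines by IP assumes one open session per client address at a time.

```python
import re

# Sample input: first and third sessions from the post, trimmed for brevity.
SAMPLE = """\
May 5 15:23:41 mx1 postfix/postscreen[38500]: CONNECT from [88.23.204.109]:39722 to [69.147.83.52]:25
May 5 15:23:41 mx1 postfix/dnsblog[45216]: addr 88.23.204.109 listed by domain bl.spameatingmonkey.net as 127.0.0.3
May 5 15:23:47 mx1 postfix/postscreen[38500]: DNSBL rank 5 for [88.23.204.109]:39722
May 5 15:23:48 mx1 postfix/postscreen[38500]: DISCONNECT [88.23.204.109]:39722
May 5 15:25:08 mx1 postfix/postscreen[38500]: CONNECT from [88.23.204.109]:41253 to [69.147.83.52]:25
May 5 15:25:10 mx1 postfix/dnsblog[45304]: addr 88.23.204.109 listed by domain zen.spamhaus.org as 127.0.0.4
May 5 15:25:10 mx1 postfix/dnsblog[45300]: addr 88.23.204.109 listed by domain bl.spameatingmonkey.net as 127.0.0.3
May 5 15:25:11 mx1 postfix/postscreen[38500]: PASS NEW [88.23.204.109]:41253
May 5 15:25:11 mx1 postfix/postscreen[38500]: DISCONNECT [88.23.204.109]:41253
"""

EVENT = re.compile(r"postfix/(postscreen|dnsblog)\[\d+\]: (.*)$")
CLIENT = re.compile(r"\[([0-9A-Fa-f.:]+)\]:\d+")
LISTED = re.compile(r"addr (\S+) listed by domain (\S+) as (\S+)")

def sessions(log_text):
    """Group events per CONNECT..DISCONNECT. Assumes one open session per IP."""
    open_by_ip, done = {}, []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        svc, msg = m.groups()
        hit = (LISTED if svc == "dnsblog" else CLIENT).search(msg)
        if not hit:
            continue
        ip = hit[1]
        if msg.startswith("CONNECT from"):
            open_by_ip[ip] = {"client": hit[0], "listings": [], "rank": None, "passed": False}
        s = open_by_ip.get(ip)
        if s is None:
            continue  # event for a session whose CONNECT is not in this log
        rank = re.match(r"DNSBL rank (-?\d+) for", msg)
        if svc == "dnsblog":
            s["listings"].append((hit[2], hit[3]))  # dnsblog logs the IP only
        elif rank:
            s["rank"] = int(rank[1])
        elif msg.startswith("PASS "):
            s["passed"] = True
        elif msg.startswith("DISCONNECT"):
            done.append(open_by_ip.pop(ip))
    return done

def passed_without_rank(log_text):
    """Sessions whitelisted despite DNSBL listings and no logged rank."""
    return [s for s in sessions(log_text) if s["passed"] and s["listings"] and s["rank"] is None]
```

Run over a full mail log, `passed_without_rank()` lists every client that ended up whitelisted this way, which shows whether the third session was a one-off.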