On 10/3/2012 1:15 PM, Bill Cole wrote:
> I recently updated a Postfix system from 2.4 to 2.9 and I have found
> what I believe is a change in behavior for
> reject_unknown_sender_domain which is confusing. In the past, an
> effective means of dealing with some classes of persistent spammers
> was to tell the local DNS resolver (BIND 9) to "blackhole" the
> authoritative nameservers of spammers who cycled rapidly through
> changes in nearly every other easily detected aspect of their spam.
> In conjunction with reject_unknown_sender_domain, this rejected a
> lot of spam cheaply for a while but in recent years I've not paid
> much attention to it because there are fewer spammers using their
> own fixed IP space for DNS. Last week I started getting spam again
> that fit this tactic well, so for the first time in years I added to
> my DNS blackhole list. And the subsequent spam was not rejected.
>
> Upon investigation I have determined that if a domain definitively
> has no A or MX records (i.e. DNS answers with NXDOMAIN or NOERR with
> zero answers) then Postfix rejects the mail at RCPT. However, if DNS
> queries garner SERVFAIL responses, as happens when authorities are
> blackholed, Postfix is permitting delivery.

This is not normal postfix behavior, and suggests either your DNS is
giving some sort of unintended answer, or the client is getting an
OK/permit somewhere prior to the unknown domain check.

> This is definitely not
> what I want. This may be related to the addition in version 2.6 of
> unknown_address_tempfail_action, but it seems to me based on the
> postconf manpage that since this defaults via reject_tempfail_action
> to "defer_if_permit" (and I have confirmed that this is so on this
> system) that Postfix should *at best* be sending a 4xx reply to RCPT
> rather than accepting mail sent from these intentionally
> unresolvable domains.

Postfix has always deferred upon DNS failure, and that behavior has
not changed. The *_tempfail_action defaults duplicate previous
behavior.

At any rate, the tool to reject spammer-haven DNS is a
check_sender_ns_access map.
http://www.postfix.org/postconf.5.html#check_sender_ns_access

-- 
Noel Jones
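As an added illustration of the check_sender_ns_access suggestion above (example configuration written for this page, not from either poster), a main.cf fragment plus the access map it references; the nameserver names are constructed placeholders.

```text
# /etc/postfix/main.cf  (added example; nameserver names are placeholders)
smtpd_sender_restrictions =
    permit_mynetworks,
    # Look up the nameservers of the MAIL FROM domain in the access map
    # and apply the listed action. The NS records must still resolve for
    # this to work, so do not blackhole these servers in the local resolver.
    check_sender_ns_access hash:/etc/postfix/sender_ns_access,
    # Domain with no A/MX (NXDOMAIN or empty answer): reject.
    # DNS lookup error (SERVFAIL): unknown_address_tempfail_action,
    # which defaults via reject_tempfail_action to defer_if_permit.
    reject_unknown_sender_domain

# /etc/postfix/sender_ns_access  (rebuild after edits: postmap hash:/etc/postfix/sender_ns_access)
# Keys are nameserver hostnames. smtpd_access_maps is in the default
# parent_domain_matches_subdomains list, so a bare domain key also
# matches every host beneath it (ns1.spamhost.example, ns2...., etc.).
spamhost.example        REJECT sender domain uses a blocklisted nameserver
ns1.otherhost.example   REJECT sender domain uses a blocklisted nameserver
```

Because the lookup returns a permanent 5xx from the map rather than a 4xx from a failed DNS query, the rejection is logged with the map's own text and is easy to count in the mail log.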