On Tue, Nov 13, 2012 at 09:55:11PM +0100, IMAP List Administration wrote:
> I'm running a postfix (postfix-2.9.20120102-sasl2) server on

That's a pre-release snapshot. Postfix 2.9 is up to patchlevel 4.

> OpenBSD v5.1. We have a number of anti-UCE postfix measures in
> place, including "reject_unknown_client_hostname", which we quite
> like. It's hard to believe there are so many spammers that can't
> overcome such a low obstacle.

Most spam comes from botnets, and spammers have no control over the
reverse DNS of a gazillion zombies.

> At any rate, we periodically see (1-5 times per day) a "Client
> host rejected: cannot find your hostname" rejection, followed
> by a successful retry from the remote MTA. When we check the
> DNS records, they always appear to be in order. The remote MTAs
> belong to various organizations, but typically ones where one
> would expect the DNS config to be well-maintained. (see bottom
> for an example rejection and the ensuing successful retry).
>
> I've tried to configure DNS (BIND 9.4.2-P2) to log debug

That's very old. 9.4.3 was EOL almost three years ago.

> information, and it logs a fantastic amount, but I am unable to get
> it to log such queries and their results, or maybe I just haven't
> found the magic combination of logging settings yet, or maybe I

"rndc querylog" toggles query logging. Beware: query logging plus
debugging can easily cause a DoS. Don't do this over an extended
period.

> don't understand the logging output.
>
> The Questions:
> 1) is it possible that we are observing a bug in postfix in

I have no idea why you would think that. Postfix simply reports what
was obtained from the DNS. Nothing here looks bug-like.

> conjunction with DNS-queries? Are there any such known bugs?

If there were known bugs, they would be fixed. Some bugs indeed have
been fixed since the 2.9.20120102 snapshot, including the final
release and four patchlevels.

Look at this, done at home on my low-speed ADSL:

$ for X in 1 2 ; do time host 8.7.42.206 ; done
206.42.7.8.in-addr.arpa domain name pointer mta925.email.aerlingus.com.

real    0m2.032s
user    0m0.003s
sys     0m0.005s
206.42.7.8.in-addr.arpa domain name pointer mta925.email.aerlingus.com.

real    0m0.009s
user    0m0.001s
sys     0m0.006s

The first time took two seconds. The second time, the cached result
from localhost was supplied immediately.

A complete lookup also requires that the PTR corresponds to an A
record. So *after* that two seconds, I could look up
"mta925.email.aerlingus.com./IN/A".

> 2) can someone give me a tip on how to configure BIND to log the
> information I need to figure out why DNS lookups may be failing
> intermittently, and how to read it properly?

Beyond the hints already given, I suggest following up with this on
bind-us...@lists.isc.org. I think that might still be gated to Usenet,
news://comp.protocols.dns.bind , if you prefer NNTP.

https://lists.isc.org/mailman/listinfo/bind-users

You should also consider upgrading to a supported version before
reporting what could be a bug. (I suspect it's either your
configuration or one of those networking flukes.)

http://www.isc.org/software/bind/versions

> -----------------------------------------
> the output below has been slightly sanitized of information
> directly identifying the server.
>
> [example of delivery failure]
> Nov 13 15:10:29 dna prefilter/smtpd[9340]: connect from
> unknown[8.7.42.206]
> Nov 13 15:10:29 dna prefilter/smtpd[9340]: NOQUEUE: reject: RCPT
> from unknown[8.7.42.206]: 450 4.7.1 Client host rejected: cannot
> find your hostname, [8.7.42.206];
> from=<from-addr...@b.email.aerlingus.com> to=<u...@domain.de>
> proto=ESMTP helo=<mta925.email.aerlingus.com>

The timeout takes place before the logging of the connection. Postfix
wants to be able to tell you who it was, not just "unknown[IP]" if
possible.

[snip]
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
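The reply above explains the two-step check behind "reject_unknown_client_hostname": the client IP is looked up as a PTR, and the resulting name must then resolve (A record) back to that IP; a slow or failed PTR lookup produces "unknown[IP]" and a 450 before the connection is even logged with a name. The following is an added example, not Postfix code and not part of this thread, that models that logic with an injected resolver so it runs offline. The DNS answers in FAKE_DNS, the exception names, the function names and the sample addresses (from the 192.0.2.0/24 documentation range) are all constructed for the example; the aerlingus.com entries mirror the lookup shown in the message above. The practical point is that a temporary resolver failure (timeout, SERVFAIL) and a permanent one (no PTR, or a PTR whose forward lookup does not match) both end up as "unknown" in the SMTP log, so the model keeps the distinction in a status field that an operator would want logged.

```python
"""Model of the reverse-then-forward client hostname check that
reject_unknown_client_hostname relies on (illustrative, not Postfix code)."""

from dataclasses import dataclass


class TempDNSError(Exception):
    """Temporary failure (timeout, SERVFAIL): a later retry may succeed."""


class NoSuchName(Exception):
    """Permanent answer (NXDOMAIN / NODATA): retrying will not help."""


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address: 8.7.42.206 -> 206.42.7.8.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


# Constructed zone data for the offline resolver: (qname, qtype) -> rdata list,
# or an exception instance to raise for that query.
FAKE_DNS = {
    # The working case from the thread: PTR and A agree.
    ("206.42.7.8.in-addr.arpa", "PTR"): ["mta925.email.aerlingus.com"],
    ("mta925.email.aerlingus.com", "A"): ["8.7.42.206"],
    # PTR exists, but the name resolves to a different address: no match.
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mismatch.example.net"],
    ("mismatch.example.net", "A"): ["198.51.100.99"],
    # No reverse DNS at all.
    ("2.2.0.192.in-addr.arpa", "PTR"): NoSuchName(),
    # Resolver timed out on the PTR: the intermittent case the thread is about.
    ("3.2.0.192.in-addr.arpa", "PTR"): TempDNSError(),
}


def fake_resolve(qname: str, qtype: str) -> list:
    """Stand-in for a real resolver; unknown names behave like NXDOMAIN."""
    answer = FAKE_DNS.get((qname, qtype))
    if answer is None:
        raise NoSuchName(f"{qname}/IN/{qtype}")
    if isinstance(answer, Exception):
        raise answer
    return list(answer)


@dataclass
class ClientName:
    hostname: str  # "unknown" when verification did not succeed
    status: str    # "ok", "permanent" or "temporary"


def verify_client_hostname(ip: str, resolve=fake_resolve) -> ClientName:
    """Reverse lookup, then confirm the name resolves back to the client IP."""
    try:
        ptrs = resolve(reverse_name(ip), "PTR")
    except NoSuchName:
        return ClientName("unknown", "permanent")
    except TempDNSError:
        return ClientName("unknown", "temporary")
    for name in ptrs:
        try:
            addrs = resolve(name, "A")
        except NoSuchName:
            continue  # this PTR target has no A record; try the next one
        except TempDNSError:
            return ClientName("unknown", "temporary")
        if ip in addrs:
            return ClientName(name, "ok")
    # Every PTR target either had no A record or pointed elsewhere.
    return ClientName("unknown", "permanent")


def smtp_reply(ip: str, resolve=fake_resolve):
    """SMTP response the restriction would give in this model: None means accept.
    Both failure kinds get a 4xx here, matching the 450 seen in the thread's log;
    the status is what an operator would want in the log to tell them apart."""
    client = verify_client_hostname(ip, resolve)
    if client.status == "ok":
        return None
    return "450 4.7.1 Client host rejected: cannot find your hostname, [%s] (%s)" % (
        ip, client.status)


if __name__ == "__main__":
    for addr in ("8.7.42.206", "192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(addr, verify_client_hostname(addr), smtp_reply(addr))
```

Running the block prints one line per constructed client; the timed-out case (192.0.2.3) and the no-PTR case (192.0.2.2) both come back as "unknown", which is exactly why the Postfix log alone cannot show whether a 450 was caused by a DNS timeout or by genuinely missing records, and why the reply above points at resolver-side query logging instead.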