On 6/30/2013 3:12 AM, LuKreme wrote:
> When reject_unknown_client_hostname triggers on an NXDOMAIN it returns a 550 
> error, which is great. When it triggers because there is no PTR record, it 
> returns a 450 error, which is also great… except.

What you're seeing is the PTR lookup fails with a temporary DNS
lookup error, which always results in a 450 deferral.

> 
> What I see is servers that connect hundreds of times, getting 450 errors and 
> ignoring them and trying to send their spam again and again and again.
> 
> I have some IPs that have tried to connect hundreds of times to send a 
> message that is always going to generate a 450 error since the host does not 
> have a PTR record and never will. I have over 10,000 of these failures on an 
> average day.
> 
> Does anyone have any suggestions? I am thinking about writing a fail2ban 
> action for them that triggers after 5 or 10 attempts with a long ban, but I 
> am not sure that's a good idea.
> 
> Or should I just stop worrying and figure the amount of resources being used 
> is insignificant?

Just ignoring them is usually the best action.

But if their DNS is slow to fail and they make lots of parallel
connections, they can tie up all your smtpd processes. If that
happens, fail2ban is a good solution.


  -- Noel Jones
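To illustrate the fail2ban approach discussed in the thread (an added example, not code from either poster), this Python script applies a fail2ban-style failregex to constructed Postfix smtpd log lines and reports the client IPs that hit the 450 "cannot find your hostname" deferral at least `maxretry` times, while leaving the 550 (NXDOMAIN) rejects alone. The simplified `<HOST>` stand-in, the log line layout and the sample IPs are assumptions modeled on Postfix's usual smtpd reject log line.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: real fail2ban
# substitutes a fuller IPv4/IPv6/hostname pattern; IP literals suffice here).
HOST_TAG = r"(?P<host>[0-9a-fA-F.:]+)"

# Failregex in fail2ban style. It matches only the 450 deferral that
# reject_unknown_client_hostname emits when the PTR lookup fails; the 550
# NXDOMAIN case is excluded because a permanently rejected sender rarely retries.
FAILREGEX = (
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: "
    r"450 4\.7\.\d+ Client host rejected: cannot find your hostname"
)
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))


def count_deferred_hosts(lines):
    """Map each client IP to its number of 450 'cannot find your hostname' hits."""
    hits = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=5):
    """IPs that reached the fail2ban-style maxretry threshold, sorted."""
    return sorted(ip for ip, n in count_deferred_hosts(lines).items() if n >= maxretry)


# Constructed sample log lines (not taken from the thread) in the layout
# Postfix smtpd uses for a reject; "unknown" is the client name when no PTR exists.
def _line(minute, ip, code, status):
    return (f"Jun 30 03:{minute:02d}:00 mx postfix/smtpd[4321]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: {code} {status} Client host rejected: "
            f"cannot find your hostname, [{ip}]; from=<a@example.net> "
            f"to=<u@example.com> proto=ESMTP helo=<x>")


SAMPLE_LOG = (
    [_line(m, "192.0.2.10", 450, "4.7.25") for m in range(6)]      # retries 6 times
    + [_line(m, "198.51.100.7", 450, "4.7.25") for m in range(2)]  # retries twice
    + [_line(9, "203.0.113.5", 550, "5.7.25")]                     # NXDOMAIN, permanent
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, maxretry=5))  # ['192.0.2.10']
```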
