Hi, I enabled postscreen deep protocol tests in postfix 2.11.1 and found this problem with Amazon. I see these entries in the log:
Sep 14 12:41:45 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [54.240.13.2]:36074 to [38.76.0.61]:25
Sep 14 12:41:51 ti74 postfix/postscreen[18143]: [ID info] NOQUEUE: reject: RCPT from [54.240.13.2]:36074: 450 4.3.2 Service currently unavailable; from=<2014091416414306531411d1354e8fb388268666764...@bounces.amazon.com>, to=<X@Y>, proto=ESMTP, helo=<a13-2.smtp-out.amazonses.com>
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] COMMAND TIME LIMIT from [54.240.13.2]:36074 after RSET
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] PASS NEW [54.240.13.2:36074
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] DISCONNECT [54.240.13.2]:36074

For some reason that is not clear to me, the session does not disconnect by itself, and postscreen times it out after the postscreen_command_time_limit expires 5 minutes later. As you can see, postscreen does not add it to the temporary whitelist ("PASS NEW") until the session times out. The problem is that Amazon retried from the same IP address before 5 minutes had passed, and so it was rejected because that IP address had not yet been added to the whitelist:

Sep 14 12:42:21 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [54.240.13.2]:36150 to [38.76.0.61]:25
...
Sep 14 12:46:46 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [54.240.13.2]:36686 to [38.76.0.61]:25
...

After the 5-minute window expired, Amazon started retrying from different IP addresses each time. The email could not get through until I added more whitelist servers:

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 list.dnswl.org=127.0.[0..255].[1..3]*-2 swl.spamhaus.org*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2 wl.mailspike.net*-2
postscreen_dnsbl_whitelist_threshold = -1

The Amazon servers have a neutral (0) rating in list.dnswl.org, so that wasn't passing them. And they are not in swl.spamhaus.org.
I also reduced the postscreen_command_time_limit to 4 minutes.

Why does postscreen wait until session disconnect before adding the IP address to the temporary whitelist? If it had added the IP address when it sent the reject "Service currently unavailable" message, then everything would have worked fine. Is there a good reason to wait until the session disconnects? Is there any other solution than adding more whitelist servers as I have done? And does anybody have a recommendation for a better postscreen_dnsbl_sites setting?

Thanks,
Andy
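An added example, not part of Andy's post or of Postfix: a small Python script that walks postscreen log lines of the kind quoted above and reports, per client IP, how many seconds passed between its first CONNECT and its PASS NEW, and how many 450 rejects that IP received in the meantime. That is the window the post describes, and measuring it across a real log shows how often a deep-protocol-test pass arrives too late for a retrying sender. The log lines are constructed, modelled on the post; the 198.51.100.7 entries are invented as a contrasting fast pass.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines in the post: one client whose
# PASS NEW only arrives after the 5-minute COMMAND TIME LIMIT, with retries from
# the same IP rejected in between, and one client that passes immediately.
SAMPLE_LOG = """\
Sep 14 12:41:45 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [54.240.13.2]:36074 to [38.76.0.61]:25
Sep 14 12:41:51 ti74 postfix/postscreen[18143]: [ID info] NOQUEUE: reject: RCPT from [54.240.13.2]:36074: 450 4.3.2 Service currently unavailable; from=<bounce@example.com>, to=<x@example.net>, proto=ESMTP, helo=<a13-2.smtp-out.amazonses.com>
Sep 14 12:42:21 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [54.240.13.2]:36150 to [38.76.0.61]:25
Sep 14 12:42:27 ti74 postfix/postscreen[18143]: [ID info] NOQUEUE: reject: RCPT from [54.240.13.2]:36150: 450 4.3.2 Service currently unavailable; from=<bounce@example.com>, to=<x@example.net>, proto=ESMTP, helo=<a13-2.smtp-out.amazonses.com>
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] COMMAND TIME LIMIT from [54.240.13.2]:36074 after RSET
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] PASS NEW [54.240.13.2]:36074
Sep 14 12:46:52 ti74 postfix/postscreen[18143]: [ID info] DISCONNECT [54.240.13.2]:36074
Sep 14 12:50:00 ti74 postfix/postscreen[18143]: [ID info] CONNECT from [198.51.100.7]:4000 to [38.76.0.61]:25
Sep 14 12:50:01 ti74 postfix/postscreen[18143]: [ID info] PASS NEW [198.51.100.7]:4000
"""

# syslog prefix up to and including the postscreen tag; the "[ID info]" part is optional
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: (?:\[ID \w+\] )?(.*)$")
# the postscreen events we care about, each followed by [client-ip]:port
EVENT_RE = re.compile(r"^(CONNECT from|NOQUEUE: reject: RCPT from|PASS NEW) \[([\d.]+)\]:\d+")

def parse_ts(text):
    # syslog timestamps carry no year; all sample lines fall in the same day
    return datetime.strptime(text, "%b %d %H:%M:%S")

def whitelist_delays(log_text):
    """Map client IP -> (seconds from first CONNECT to PASS NEW,
    number of 450 rejects issued to that IP before it was whitelisted)."""
    first_seen = {}
    rejects_before_pass = defaultdict(int)
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m.group(1)), m.group(2)
        e = EVENT_RE.match(rest)
        if not e:
            continue
        event, ip = e.groups()
        if event == "CONNECT from":
            first_seen.setdefault(ip, ts)
        elif event.startswith("NOQUEUE") and ip not in result:
            rejects_before_pass[ip] += 1
        elif event == "PASS NEW" and ip in first_seen and ip not in result:
            result[ip] = ((ts - first_seen[ip]).total_seconds(), rejects_before_pass[ip])
    return result

if __name__ == "__main__":
    for ip, (delay, rejects) in whitelist_delays(SAMPLE_LOG).items():
        print(f"{ip}: whitelisted after {delay:.0f}s, {rejects} reject(s) before PASS NEW")
```

Run against a full mail log, IPs with a long delay and a non-zero reject count are the senders that retried into the window the post complains about.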