First in reply to. .
...  cannot find your hostname 

Optional to add: 
unknown_hostname_reject_code = 550

but if you have dns problems, everything gets rejected as Wietse already told 
you.. .. but I think.. , so what, the sender does get the NDR, he can send 
again but that's a choice. And think carefully about it.

Optional Add: 
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550


And this is the best trick of all imo.

Setup Postfix with postscreen with multiple rbls. ( make sure you use postfix 
2.10+ )

Like : 
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        dnsbl.anonmails.de
        dnsbl.kempt.net
        dnsbl.inps.de
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        bl.suomispam.net
        bad.psky.me

now create a fail2ban filter postfix-dnsblog.conf  with : 

[INCLUDES]
before = common.conf

[Definition]
failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
            addr <HOST> listed by domain
ignoreregex =

and enable it, 
Let it trigger on 1 hit, I have set the ban time to 1 week, if they come back 
this time is extended with a week..  :-) 

Result, you save cpu time, resources, offload the dns servers and reduce the 
dns queries to the blocklist servers. 

And optional the postscreen_dnsbl_reply_map.pcre  file
!/^zen\.spamhaus\.org$/         multiple DNS-based blocklists, see http://multirbl.valli.org/

Also I added a caching dns server on localhost, I have 3 forwarding dns ip 
numbers with 3 different providers to reduce the chance of dns problems. 

This works very very good for me, until now no errors, running a year with this 
setup now. 


Last one to help out against spam. 
Add this to your dns . ( make sure tarbaby is the highest MX.) 
MX      30 tarbaby.junkemailfilter.com.

The guys at junkemailfilter.com check if the lower mx-s are up and so we help 
in detecting spamming servers. 
Read more about it here. 
http://wiki.junkemailfilter.com/index.php/Project_tarbaby 

The junkemailfilter is used in my spamassassin. 

Greetz, 

Louis



> -----Original Message-----
> From: b...@knoxvillechristian.org [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Bill Shirley
> Sent: Friday, 5 February 2016 5:21
> To: postfix-users@postfix.org
> Subject: Re: Change Temporary failure in name resolution response code
> 
> You might want to have a look at fail2ban.  It monitors log files and
> blocks the offender by inserting an iptables DROP entry.
> 
> I block a lot of spammers this way.  I wouldn't think of running a mail
> server without it.
> 
> Bill
> 
> 
> On 2/4/2016 4:10 PM, Inteq Solution - Dep. Tehnic wrote:
> > Thank you Wietse,
> >
> > 450 it is then.
> >
> >
> >
> >
> >
> >
> > Razvan Constantin
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> > Sent: Thursday, February 04, 2016 11:06 PM
> > To: Postfix users
> > Subject: Re: Change Temporary failure in name resolution response code
> >
> > Inteq Solution - Dep. Tehnic:
> >> "The unknown_client_reject_code parameter specifies the response code
> >> for rejected requests (default: 450). The reply is always 450 in case
> >> the
> >> address->name or name->address lookup failed due to a temporary
> problem."
> >>
> >> But is there a way to change this behaviour to 550/554?
> > No. You would lose mail whenever DNS times out, and that would be worse
> than
> > having some client retry repeatedly. Unless you are running Postfix in a
> > very limited environment, repeated retries from one system should not be
> a
> > problem.
> >
> >> This situation is not exactly temporary and it is happening for over a
> >> month. I could just forget about it, but this server's retry is very
> >> very low.
> > Postfix considers timeouts as a temporary error. Handling them as a hard
> > error would do more harm than good. But I repeat myself.
> >
> >     Wietse
> >

