I decided to go with the following option:

Setup "check_client_access hash:/etc/postfix/client_access" in main.cf

In "client_access" add:

    1.2.3.4 REJECT Message

This way I will reject with 554 (custom setup in main.cf) only for specific IPs and get rid of the log spam. This is only valid for "proper" MTAs that actually obey 554/550 vs 450.
Thank you all for your input.

Razvan Constantin

-----Original Message-----
From: L.P.H. van Belle [mailto:be...@bazuin.nl]
Sent: Friday, February 05, 2016 10:14 AM
To: postfix users
Cc: t...@inteq.ro
Subject: RE: Change Temporary failure in name resolution response code

First in reply to: "... cannot find your hostname"

Optional to add:

    unknown_hostname_reject_code = 550

but if you have DNS problems, everything gets rejected as Wietse already told you.. .. but I think, so what, the sender does get the NDR, he can send again, but that's a choice. And think carefully about it.

Optional add:

    unknown_hostname_reject_code = 550
    unknown_client_reject_code = 550
    unknown_address_reject_code = 550
    unverified_recipient_reject_code = 550

And this is the best trick of all imo. Setup Postfix with postscreen with multiple RBLs (make sure you use Postfix 2.10+). Like:

    postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 dnsbl.anonmails.de dnsbl.kempt.net dnsbl.inps.de bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 bl.suomispam.net bad.psky.me

Now create a fail2ban filter postfix-dnsblog.conf with:

    [INCLUDES]
    before = common.conf

    failregex = client \[<HOST>\] blocked using multiple DNS-based blocklists
                addr <HOST> listed by domain

and enable it. Let it trigger on 1 hit; I have set the ban time to 1 week, if they come back this time is extended with a week.. :-)

Result: you save CPU time, resources, offload the DNS servers and reduce the DNS queries to the blocklist servers.

And optional the postscreen_dnsbl_reply_map.pcre file:

    !/^zen\.spamhaus\.org$/ multiple DNS-based blocklists, see http://multirbl.valli.org/

Also I added a caching DNS server on localhost; I have 3 forwarding DNS IP numbers with 3 different providers to reduce the chance of DNS problems.

This works very very good for me, until now no errors, running a year with this setup now.

Last one to help out against spam.

Add this to your DNS (make sure tarbaby is the highest MX):

    MX 30 tarbaby.junkemailfilter.com.

The guys at junkemailfilter.com check if the lower MXs are up and so we help in detecting spamming servers. Read more about it here: http://wiki.junkemailfilter.com/index.php/Project_tarbaby

The junkemailfilter is used in my spamassassin.

Greetz,

Louis

> -----Original Message-----
> From: b...@knoxvillechristian.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Bill Shirley
> Sent: Friday, 5 February 2016 5:21
> To: postfix-users@postfix.org
> Subject: Re: Change Temporary failure in name resolution response code
>
> You might want to have a look at fail2ban. It monitors log files and
> blocks the offender by inserting an iptables DROP entry.
>
> I block a lot of spammers this way. I wouldn't think of running a
> mail server without it.
>
> Bill
>
> On 2/4/2016 4:10 PM, Inteq Solution - Dep. Tehnic wrote:
> > Thank you Wietse,
> >
> > 450 it is then.
> >
> > Razvan Constantin
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> > Sent: Thursday, February 04, 2016 11:06 PM
> > To: Postfix users
> > Subject: Re: Change Temporary failure in name resolution response code
> >
> > Inteq Solution - Dep. Tehnic:
> >> "The unknown_client_reject_code parameter specifies the response
> >> code for rejected requests (default: 450). The reply is always 450
> >> in case the address->name or name->address lookup failed due to a
> >> temporary problem."
> >>
> >> But is there a way to change this behaviour to 550/554?
> >
> > No. You would lose mail whenever DNS times out, and that would be
> > worse than having some client retry repeatedly. Unless you are
> > running Postfix in a very limited environment, repeated retries
> > from one system should not be a problem.
> >
> >> This situation is not exactly temporary and it is happening for
> >> over a month. I could just forget about it, but this server's retry
> >> is very very low.
> >
> > Postfix considers timeouts as a temporary error. Handling them as a
> > hard error would do more harm than good. But I repeat myself.
> >
> > Wietse
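Added example, not written by anyone in the thread: a small Python script that runs the two failregex lines from Louis's postfix-dnsblog.conf filter, plus a pattern for the 450 "cannot find your hostname" rejects Razvan wanted to silence, over a handful of constructed Postfix log lines. From the matches it builds the "IP REJECT text" lines for the hash:/etc/postfix/client_access table Razvan chose, and it models the one-hit, one-week ban that grows by a week on each return. Assumptions: the log lines are constructed to resemble postscreen, dnsblog and smtpd output (documentation IPs only); fail2ban's <HOST> token is simplified to an IPv4 literal; BanTable is a stand-in for fail2ban's jail state, not fail2ban's own code.

```python
"""Apply the thread's fail2ban failregex patterns and the 450 'cannot find your
hostname' pattern to Postfix log lines, emit check_client_access map entries for
repeat offenders, and model a one-hit ban that grows by a week on each return.
Added example; the log lines below are constructed, not real server output."""
import re
from collections import Counter
from datetime import datetime, timedelta

ONE_WEEK = timedelta(weeks=1)
ONE_DAY = timedelta(days=1)

# IPv4-only stand-in for fail2ban's <HOST> token (assumption: simplification;
# the real token also matches hostnames and IPv6 literals).
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Louis's two failregex lines with <HOST> substituted.
DNSBL_PATTERNS = [
    re.compile(r"client \[" + IPV4 + r"\] blocked using multiple DNS-based blocklists"),
    re.compile(r"addr " + IPV4 + r" listed by domain"),
]
# The 450 reject produced by reject_unknown_client_hostname when the PTR lookup fails.
UNKNOWN_CLIENT_PATTERN = re.compile(r"cannot find your hostname, \[" + IPV4 + r"\]")

# Constructed sample log, shaped like postscreen/dnsblog/smtpd lines.
SAMPLE_LOG = """
Feb  5 10:14:01 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.10]:54321: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using multiple DNS-based blocklists; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<mail.example.com>
Feb  5 10:14:01 mx postfix/dnsblog[1235]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.2
Feb  5 10:14:01 mx postfix/dnsblog[1235]: addr 192.0.2.10 listed by domain b.barracudacentral.org as 127.0.0.2
Feb  5 10:15:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@example.net> to=<y@example.org> proto=ESMTP helo=<foo>
Feb  5 10:16:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@example.net> to=<y@example.org> proto=ESMTP helo=<foo>
Feb  5 10:17:00 mx postfix/smtpd[1250]: connect from mail.example.com[203.0.113.5]
""".strip().splitlines()


def count_hits(lines, patterns):
    """Return {ip: number of matching lines}; a line counts once even if several patterns match."""
    hits = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def render_client_access(hits, min_hits, text="Client rejected"):
    """Lines for the hash:/etc/postfix/client_access table ("IP REJECT text").
    The SMTP reply code for a REJECT action is access_map_reject_code (default 554)."""
    return [f"{ip} REJECT {text}" for ip, n in sorted(hits.items()) if n >= min_hits]


class BanTable:
    """Stand-in for a fail2ban jail (assumption: models, not reuses, fail2ban logic).
    maxretry hits ban an address; each new ban of the same address lasts one
    bantime longer than the previous one, as Louis describes."""

    def __init__(self, bantime=ONE_WEEK, maxretry=1):
        self.bantime = bantime
        self.maxretry = maxretry
        self.pending = Counter()    # hits since the last ban
        self.ban_count = Counter()  # how many times each address was banned
        self.banned_until = {}

    def is_banned(self, ip, when):
        return ip in self.banned_until and when < self.banned_until[ip]

    def hit(self, ip, when):
        """Record one failregex match; return the new expiry if a ban is applied, else None."""
        if self.is_banned(ip, when):
            return None  # already DROPped by iptables; nothing new to do
        self.pending[ip] += 1
        if self.pending[ip] < self.maxretry:
            return None
        self.pending[ip] = 0
        self.ban_count[ip] += 1
        self.banned_until[ip] = when + self.bantime * self.ban_count[ip]
        return self.banned_until[ip]


def feed_log(lines, when, table=None, patterns=DNSBL_PATTERNS):
    """Run the filter over log lines (all stamped `when`) and return the ban table."""
    if table is None:
        table = BanTable()
    for ip, n in count_hits(lines, patterns).items():
        for _ in range(n):
            table.hit(ip, when)
    return table


if __name__ == "__main__":
    now = datetime(2016, 2, 5, 10, 14)
    print(dict(count_hits(SAMPLE_LOG, DNSBL_PATTERNS)))
    print("\n".join(render_client_access(count_hits(SAMPLE_LOG, [UNKNOWN_CLIENT_PATTERN]), 2)))
    table = feed_log(SAMPLE_LOG, now)
    print({ip: exp.isoformat() for ip, exp in table.banned_until.items()})
```

The `addr ... listed by domain` line fires once per blocklist that answers, so one connection from a listed host can produce several hits; with maxretry=1 that makes no difference, but with a higher maxretry it would, which is worth knowing before tuning the jail.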