Mailing List SIMS@mail.stalker.com Message #15591
From: Bill Cole <listbill@scconsult.com>
Subject: Re: postfix and zen vs sbl-xbl
Date: Tue, 29 Apr 2008 16:34:03 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 3:06 PM -0400 4/29/08, Stefan Jeglinski imposed structure on a stream of electrons, yielding:
> Not sure this list is still even on-line... but wondering if the collective wisdom of those that know postfix can help me out understanding this.
>
> I'm using postfix, and if I use
>
> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org
>
> I get virtually 100% rejection, whereas sbl-xbl seems to work more in accordance with my expectations (blocks spam, not every_one). The difference is that zen includes the PBL, which is not a blacklist per se. Of course, you find it everywhere said that you should replace sbl-xbl with zen.
>
> However, when I query any number of the connecting IPs that are rejected, spamhaus claims that those IPs are not listed on either SBL, XBL, or PBL.


What do you get if you do a DNS lookup, i.e. 'dig 17.165.202.64.zen.spamhaus.org'  in a terminal session?

FWIW, 64.202.165.17 seems to be on at least one DNSBL, the SORBS 'they sent us spam' zone. I will not risk promoting the use of that list by including the zone name...



> And yet, the rejection occurs anyway. For example:
>
> ============
>
> http://www.spamhaus.org/query/bl?ip=64.202.165.17
>
> and then the sender gets this back:
>
> 24.172.19.59 does not like recipient.
> Remote host said: 554 5.7.1 Service unavailable; Client host
> [64.202.165.17] blocked using zen.spamhaus.org
> Giving up on 24.172.19.59.
>
> ============
>
> I'm certain this is due to a misunderstanding on my part of how the PBL works or is intended to work. Or perhaps postfix?

The other possibility is that you may be forwarding your DNS queries to a server that plays games with them. Many ISPs have been doing this. If you are using any DNSBLs with a mail server these days, it is important to make sure that you run your own full-recursion DNS resolver that never forwards queries to your upstream ISP's resolvers. See http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html for an explanation of what some slimeball ISPs are doing and how it creates security problems.

You also might get more info from the postfix log, e.g. /var/log/mail.log

You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:

smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.2,
   reject_rbl_client zen.spamhaus.org=127.0.0.4,
   reject_rbl_client zen.spamhaus.org=127.0.0.5,
   reject_rbl_client zen.spamhaus.org=127.0.0.10,
   reject_rbl_client zen.spamhaus.org=127.0.0.11

Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IP's, it will make reject_rbl_client catch if you don't specify the lookup result.


> I read the spamhaus discussion on when not to use zen:
>
> a) if you are doing "deep" header analysis
>
> b) if you are using a smarthost or provide SMTP AUTH outbound
>
>
> My server is not an ISP - it's just the mail server for my company. As such, it does do SMTP AUTH outbound for my users, but I seemed to not have any issues with that and zen. I do no relaying, so I'm not a smarthost, AFAICT. I accept connections from authenticated users, and then of course any MTA that is trying to send me mail. How is it that the latter is at cross-purposes with the PBL?
>
> This can't be that hard, because googling seems not to find a lot of what I am describing.
>
> Feeling Duncey,




--
Bill Cole                                  bill@scconsult.com
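Added example (not part of the thread, and not Postfix or Spamhaus code) illustrating the point Bill makes above about unqualified reject_rbl_client and resolver injection. It builds the reversed-octet query name for a client IP, interprets the A records a resolver hands back, and models both forms of the Postfix restriction: with no "=code" any A record at all causes a rejection, while with explicit 127.0.0.x codes only a genuine listing does. The resolver responses are constructed inline to run offline (no real lookups are made); the injected address 192.0.2.53 is hypothetical, and the mapping of return codes to SBL/XBL/PBL follows Spamhaus's published ZEN documentation as I understand it.

```python
import ipaddress

# ZEN return codes as listed in the reply above; zone names per Spamhaus
# documentation (assumption): 127.0.0.2 = SBL, 127.0.0.4-7 = XBL, 127.0.0.10-11 = PBL.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Every legitimate DNSBL answer lives in 127.0.0.0/8; anything else is not a listing.
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")

# The codes Bill's postfix snippet accepts via "reject_rbl_client zone=code".
SAFE_CODES = ("127.0.0.2", "127.0.0.4", "127.0.0.5", "127.0.0.10", "127.0.0.11")


def dnsbl_query_name(client_ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone, exactly as `dig` or Postfix would."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answers(answers):
    """Interpret the A records returned for a DNSBL query.

    Returns (verdict, detail) where verdict is one of:
      'not_listed' - NXDOMAIN / no A records
      'listed'     - one or more 127.0.0.x codes (detail lists the zones hit)
      'bogus'      - an A record outside 127.0.0.0/8, i.e. a resolver that is
                     substituting a real address for NXDOMAIN (the injection case)
    """
    if not answers:
        return ("not_listed", [])
    zones = []
    for a in answers:
        if ipaddress.IPv4Address(a) not in DNSBL_NET:
            return ("bogus", [a])
        zones.append(ZEN_CODES.get(a, "unknown-127/8"))
    return ("listed", zones)


def postfix_would_reject(answers, accepted_codes=None) -> bool:
    """Model reject_rbl_client.

    With no "=code" qualifier Postfix rejects on any A record at all; with
    explicit codes it rejects only when one of those exact 127.0.0.x values
    comes back.
    """
    if accepted_codes is None:
        return bool(answers)
    return any(a in accepted_codes for a in answers)


# Constructed resolver responses (not real lookups). The first two are for the
# client IP from the thread; the third is the zone's own 127.0.0.2 test entry.
HONEST_RESOLVER = {"17.165.202.64.zen.spamhaus.org": []}                  # NXDOMAIN
INJECTING_RESOLVER = {"17.165.202.64.zen.spamhaus.org": ["192.0.2.53"]}   # hypothetical ISP search page
LISTED_EXAMPLE = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"]}


def check(client_ip: str, resolver: dict) -> dict:
    """Run the full decision for one client IP against one simulated resolver."""
    name = dnsbl_query_name(client_ip)
    answers = resolver.get(name, [])
    verdict, detail = classify_answers(answers)
    return {
        "query": name,
        "verdict": verdict,
        "detail": detail,
        "reject_unqualified": postfix_would_reject(answers),
        "reject_with_codes": postfix_would_reject(answers, SAFE_CODES),
    }


if __name__ == "__main__":
    for label, ip, resolver in [
        ("honest resolver", "64.202.165.17", HONEST_RESOLVER),
        ("injecting resolver", "64.202.165.17", INJECTING_RESOLVER),
        ("real listing", "127.0.0.2", LISTED_EXAMPLE),
    ]:
        print(label, check(ip, resolver))
```

The "injecting resolver" case reproduces the symptom in the thread: the honest answer is NXDOMAIN, but a resolver that rewrites NXDOMAIN into a search-page address makes the unqualified restriction reject every client, while the "=code" form ignores the bogus record. The "bogus" verdict is also the check worth logging on a real server: a DNSBL answer outside 127.0.0.0/8 means the resolver, not the blocklist, is the problem.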
