Mailing list Message #15591
From: Bill Cole <>
Subject: Re: postfix and zen vs sbl-xbl
Date: Tue, 29 Apr 2008 16:34:03 -0400
To: SIMS Discussions <>
At 3:06 PM -0400 4/29/08, Stefan Jeglinski  imposed structure on a stream of electrons, yielding:
Not sure this list is still even on-line... but wondering if the collective wisdom of those that know postfix can help me out understanding this.

I'm using postfix, and if I use

smtpd_client_restrictions = reject_rbl_client

I get virtually 100% rejection, whereas sbl-xbl seems to work more in accordance with my expectations (blocks spam, not every_one). The difference is that zen includes the PBL, which is not a blacklist per se. Of course, you find it everywhere said that you should replace sbl-xbl with zen.

However, when I query any number of the connecting IPs that are rejected, spamhaus claims that those IPs are not listed on either SBL, XBL, or PBL.

What do you get if you do a DNS lookup, i.e. 'dig'  in a terminal session?

FWIW, seems to be on at least one DNSBL, the SORBS 'they sent us spam' zone. I will not risk promoting the use of that list by including the zone name...

And yet, the rejection occurs anyway. For example:


and then the sender gets this back: does not like recipient.
Remote host said: 554 5.7.1 Service unavailable; Client host
[] blocked using
Giving up on


I'm certain this is due to a misunderstanding on my part of how the PBL works or is intended to work. Or perhaps postfix?

The other possibility is that you may be forwarding your DNS queries to a server that plays games with them. Many ISP's have been doing this. If you are using any DNSBL's with a mail server these days, it is important to make sure that you run your own full-recursion DNS resolver that never forwards queries to your upstream ISP's resolvers. See for an explanation of what some slimeball ISP's are doing and how it creates security problems.

You also might get more info from the postfix log, e.g. /var/log/mail.log

You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:

smtpd_client_restrictions = reject_rbl_client,

Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IP's, it will make reject_rbl_client catch if you don't specify the lookup result.

I read the spamhaus discussion on when not to use zen:

a) if you are doing "deep" header analysis

b) if you are using a smarthost or provide SMTP AUTH outbound

My server is not an ISP - it's just the mail server for my company. As such, it does do SMTP AUTH outbound for my users, but I seemed to not have any issues with that and zen. I do no relaying, so I'm not a smarthost, AFAICT. I accept connections from authenticated users, and then of course any MTA that is trying to send me mail. How is it that the latter is at cross-purposes with the PBL?

This can't be that hard, because googling seems not to find a lot of what I am describing.

Feeling Duncey,

Bill Cole                        
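
The difference between rejecting on any DNS answer and rejecting only on a documented return code, as an added example that is not part of the original message. The zone `dnsbl.example`, the return-code set, the two stand-in resolvers and all function names are constructed for illustration; the 127.0.0.2 / 127.0.0.1 test points are the ones RFC 5782 defines for DNSBLs.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(client_ip, zone):
    """Name a DNSBL client looks up: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def classify(answers, expected):
    """Interpret the A records returned for a DNSBL query.
    answers: list of address strings ([] means NXDOMAIN or no data)
    expected: set of return codes documented by the list operator"""
    if not answers:
        return "not-listed"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):
        return "tampered"         # routable address: the answer was rewritten
    if any(str(a) in expected for a in addrs):
        return "listed"
    return "unexpected-code"      # in 127/8 but undocumented: do not reject

def system_lookup(qname):
    """A records via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def resolver_is_clean(zone, expected, lookup=system_lookup):
    """RFC 5782 test points: 127.0.0.2 is always listed, 127.0.0.1 never is."""
    listed = classify(lookup(dnsbl_qname("127.0.0.2", zone)), expected)
    absent = classify(lookup(dnsbl_qname("127.0.0.1", zone)), expected)
    return listed == "listed" and absent == "not-listed"

# Constructed sample data: hypothetical zone, return codes and resolvers.
ZONE = "dnsbl.example"
CODES = {"127.0.0.2", "127.0.0.4", "127.0.0.10"}
HONEST = {"2.0.0.127.dnsbl.example": ["127.0.0.2"]}

def honest_lookup(qname):       # answers only for names that exist in the zone
    return HONEST.get(qname, [])

def injecting_lookup(qname):    # turns every NXDOMAIN into a routable address
    return HONEST.get(qname, ["203.0.113.10"])

if __name__ == "__main__":
    for name, fn in (("honest", honest_lookup), ("injecting", injecting_lookup)):
        print(name, "clean" if resolver_is_clean(ZONE, CODES, fn) else "TAMPERED")
    qname = dnsbl_qname("192.0.2.5", ZONE)
    print(qname, classify(injecting_lookup(qname), CODES))
```

Calling `resolver_is_clean` with the real zone and the operator's published codes, and no `lookup` argument, runs the same two test queries through the system resolver.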
