Mailing List Message #15592
From: Stefan Jeglinski <>
Subject: Re: postfix and zen vs sbl-xbl
Date: Tue, 29 Apr 2008 17:41:03 -0400
To: SIMS Discussions <>
What do you get if you do a DNS lookup, i.e. 'dig'  in a terminal session?

;        IN      A

;; ANSWER SECTION: 300 IN  A 300 IN  A 300 IN  A 300 IN  A 300 IN  A 300 IN  A

So.... an A record is being returned, but none are the expected answer (either or nothing). According to the postfix docs, if I do not specify, for example, reject_rbl_client, I will get a reject if any A record is returned.

But what are those A records? Ah-ha - barefruit, the bastards. Because I'm using an earthlink upstream resolver.

The other possibility is that you may be forwarding your DNS queries to a server that plays games with them.


I would say this may be what is happening. I used to run djbdns on my Linux box but that's fallen by the wayside at the moment with OSX. Looks like I might need to return.

You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:

smtpd_client_restrictions = reject_rbl_client,

Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IP's, it will make reject_rbl_client catch if you don't specify the lookup result.

Yep, there you go. Haven't tried it yet, but I will bet that's what's going on.

Bill, you are still a lifesaver. My roughly 5-yr-old (?) offer of dinner and a beer in the RTP NC area if you ever make it here is still good!

Stefan Jeglinski

Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster