What do you get if you do a DNS lookup, i.e. 'dig 17.165.202.64.zen.spamhaus.org' in a terminal session?
;; QUESTION SECTION:
;17.165.202.64.zen.spamhaus.org. IN A
;; ANSWER SECTION:
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.92
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.93
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.94
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.95
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.90
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.91
So.... an A record is being returned, but none are the expected answer (either 127.0.0.2-11 or nothing). According to the postfix docs, if I do not specify, for example, reject_rbl_client zen.spamhaus.org=127.0.0.2, I will get a reject if any A record is returned.
But what are those A records? Ah-ha - Barefruit, the bastards. Because I'm using an EarthLink upstream resolver.
The other possibility is that you may be forwarding your DNS queries to a server that plays games with them.
<snip>
I would say this may be what is happening. I used to run djbdns on my Linux box but that's fallen by the wayside at the moment with OSX. Looks like I might need to return.
You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:
smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.2,
    reject_rbl_client zen.spamhaus.org=127.0.0.4,
    reject_rbl_client zen.spamhaus.org=127.0.0.5,
    reject_rbl_client zen.spamhaus.org=127.0.0.10,
    reject_rbl_client zen.spamhaus.org=127.0.0.11
Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IPs, it will make reject_rbl_client catch if you don't specify the lookup result.
Yep, there you go. Haven't tried it yet, but I will bet that's what's going on.
Bill, you are still a lifesaver. My roughly 5-yr-old (?) offer of dinner and a beer in the RTP NC area if you ever make it here is still good!
Stefan Jeglinski
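
An added example, not part of the original thread: a small Python check that classifies a DNSBL answer set and models why a bare reject_rbl_client rejects on the rewritten answers while the =127.0.0.x form does not. The function names are assumptions made for this sketch; the sample answers and return codes are copied from the message above, and the 127.0.0.0/8 rule is the RFC 5782 convention for DNSBL A records.

```python
import ipaddress

# Answers copied from the dig output in the message above.
REWRITTEN = ["209.86.66.92", "209.86.66.93", "209.86.66.94",
             "209.86.66.95", "209.86.66.90", "209.86.66.91"]
# Return codes listed in the suggested smtpd_client_restrictions.
FILTERS = ["127.0.0.2", "127.0.0.4", "127.0.0.5", "127.0.0.10", "127.0.0.11"]


def dnsbl_name(client_ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Label a DNSBL answer set: 'not_listed', 'listed' or 'tampered'."""
    if not answers:
        return "not_listed"          # NXDOMAIN or empty answer
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    return "tampered"                # RFC 5782 DNSBLs answer inside 127.0.0.0/8


def would_reject(answers, filters=None):
    """Model reject_rbl_client: with no =d.d.d.d filter, any A record rejects."""
    if filters is None:
        return bool(answers)
    return any(a in filters for a in answers)


def live_answers(name):
    """Resolve name through the system resolver (needs network access)."""
    import socket
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    print(dnsbl_name("64.202.165.17"), classify(REWRITTEN))
    print("bare zone rejects:", would_reject(REWRITTEN))
    print("with =127.0.0.x filters:", would_reject(REWRITTEN, FILTERS))
```

Feeding `live_answers(dnsbl_name(ip))` into `classify` on the mail host itself shows whether the resolver Postfix actually uses is rewriting DNSBL responses.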