Message #15592 of the SIMS@stalker.com mailing list
From: Stefan Jeglinski <jeglin@4pi.com>
Subject: Re: postfix and zen vs sbl-xbl
Date: Tue, 29 Apr 2008 17:41:03 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
> What do you get if you do a DNS lookup, i.e. 'dig' in a terminal session?

;        IN      A

;; ANSWER SECTION: 300 IN  A 300 IN  A 300 IN  A 300 IN  A 300 IN  A 300 IN  A

So... A records are being returned, but none is the expected answer (either or nothing). According to the postfix docs, if I do not specify, for example, reject_rbl_client zen.spamhaus.org=, I will get a reject if any A record is returned.

But what are those A records? Ah-ha - barefruit, the bastards. Because I'm using an earthlink upstream resolver.

> The other possibility is that you may be forwarding your DNS queries to a server that plays games with them.


I would say this may be what is happening. I used to run djbdns on my Linux box but that's fallen by the wayside at the moment with OSX. Looks like I might need to return.

> You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:
>
> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=,
>    reject_rbl_client zen.spamhaus.org=,
>    reject_rbl_client zen.spamhaus.org=,
>    reject_rbl_client zen.spamhaus.org=,
>    reject_rbl_client zen.spamhaus.org=
>
> Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IPs, it will make reject_rbl_client catch if you don't specify the lookup result.

Yep, there you go. Haven't tried it yet, but I will bet that's what's going on.

Bill, you are still a lifesaver. My roughly 5-yr-old (?) offer of dinner and a beer in the RTP NC area if you ever make it here is still good!

Stefan Jeglinski
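As an added illustration (not part of Stefan's or Bill's messages) of why the `zone=127.0.0.x` form matters: the script below models the reject_rbl_client decision for an honest resolver and for one that rewrites NXDOMAIN into bogus A records, and adds a probe that detects the rewriting. The Zen result codes and the resolver responses are assumptions I constructed; the thread above elides the actual values.

```python
import ipaddress

ZONE = "zen.spamhaus.org"
# Zen's result codes 127.0.0.2 .. 127.0.0.11 as Spamhaus documents them; the
# message above elides these values, so treat this set as an assumption.
ZEN_CODES = {f"127.0.0.{n}" for n in range(2, 12)}

def dnsbl_query_name(client_ip: str, zone: str = ZONE) -> str:
    """DNSBL lookup name: the client's octets reversed, under the zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def should_reject(answers, accepted=None) -> bool:
    """Model reject_rbl_client: with no '=' (accepted is None) any A record
    rejects the client; with 'zone=127.0.0.x' only a matching answer does."""
    if not answers:  # NXDOMAIN: client is not listed
        return False
    if accepted is None:
        return True
    return any(a in accepted for a in answers)

def check_client(client_ip, lookup, accepted=None) -> bool:
    """lookup(name) returns the A records for name ([] for NXDOMAIN)."""
    return should_reject(lookup(dnsbl_query_name(client_ip)), accepted)

def resolver_is_injecting(lookup) -> bool:
    """Spamhaus never lists 127.0.0.1; any A answer for it means the resolver
    rewrites NXDOMAIN into bogus records, the symptom in the dig above."""
    return bool(lookup(dnsbl_query_name("127.0.0.1")))

# Constructed resolver responses (not real DNS data).
LISTED = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2"]}  # documented test entry
INJECTED = ["198.51.100.10", "198.51.100.11"]  # bogus A records from the ISP

def honest_lookup(name):
    return LISTED.get(name, [])  # honest resolver: NXDOMAIN means no records

def injecting_lookup(name):
    return LISTED.get(name, INJECTED)  # every NXDOMAIN becomes bogus A records

if __name__ == "__main__":
    clean = "192.0.2.1"  # an unlisted client
    print("no '=':    ", check_client(clean, injecting_lookup))             # True: false positive
    print("with codes:", check_client(clean, injecting_lookup, ZEN_CODES))  # False
    print("injecting? ", resolver_is_injecting(injecting_lookup))          # True
```

The probe in resolver_is_injecting is the quick check to run against any upstream resolver before trusting it for DNSBL lookups.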
