Mailing List SIMS@mail.stalker.com Message #15593
From: Bill Cole <listbill@scconsult.com>
Subject: Re: postfix and zen vs sbl-xbl
Date: Tue, 29 Apr 2008 21:57:09 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 5:41 PM -0400 4/29/08, Stefan Jeglinski imposed structure on a stream of electrons, yielding:

>> What do you get if you do a DNS lookup, i.e. 'dig 17.165.202.64.zen.spamhaus.org' in a terminal session?
>
> ;; QUESTION SECTION:
> ;17.165.202.64.zen.spamhaus.org.        IN      A
>
> ;; ANSWER SECTION:
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.92
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.93
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.94
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.95
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.90
> 17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.91
>
> So... an A record is being returned, but none are the expected answer (either 127.0.0.2-11 or nothing). According to the postfix docs, if I do not specify, for example, reject_rbl_client zen.spamhaus.org=127.0.0.2, I will get a reject if any A record is returned.
>
> But what are those A records? Ah-ha - barefruit, the bastards. Because I'm using an earthlink upstream resolver.

Yep.

Earthlink is telling you lies in DNS. You should not trust their DNS.

>> The other possibility is that you may be forwarding your DNS queries to a server that plays games with them.

<snip>

> I would say this may be what is happening. I used to run djbdns on my Linux box but that's fallen by the wayside at the moment with OSX. Looks like I might need to return.

I don't know about djbdns, but BIND runs just fine on OSX.

You can get significant performance improvement generally from running a local nameserver for a mail server, beyond the advantage of avoiding an ISP that will tell you a lie for a fraction of a cent.

>> You may get around ISP DNS injection by specifying the Spamhaus return codes in your postfix config:
>>
>> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.2,
>>    reject_rbl_client zen.spamhaus.org=127.0.0.4,
>>    reject_rbl_client zen.spamhaus.org=127.0.0.5,
>>    reject_rbl_client zen.spamhaus.org=127.0.0.10,
>>    reject_rbl_client zen.spamhaus.org=127.0.0.11
>>
>> Otherwise, reject_rbl_client will catch on any answer from the DNS query, and since DNS injection is done to inject bogus A records pointing at real IPs, it will make reject_rbl_client catch if you don't specify the lookup result.

> Yep, there you go. Haven't tried it yet, but I will bet that's what's going on.
>
> Bill, you are still a lifesaver. My roughly 5-yr-old (?) offer of dinner and a beer in the RTP NC area if you ever make it here is still good!

If I ever make it down there, I will take you up on it. I tend not to travel much due to family circumstances, but since I am back on the job market and Detroit is not exactly overflowing with opportunities, I could well end up passing through in coming weeks.

--
Bill Cole                                  bill@scconsult.com
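As an added illustration (not code from the thread or from Postfix), here is the check that the return-code trick in the quoted config implements, in Python: build the reversed-octet query name, pull the A records out of dig's answer, and count a hit only when every returned address is a recognised 127.0.0.x code, so injected public addresses like the 209.86.66.x answers above are reported as resolver tampering rather than as a listing. The list names beside each code are Spamhaus's published meanings, added here; the function names and the sample dig text are my own.

```python
import ipaddress

# Spamhaus Zen return codes from the Postfix config quoted above, with the
# published list each one denotes (list names added here, not from the thread).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Constructed sample: the hijacked answer from the thread, trimmed to two records.
SAMPLE_DIG = """;; ANSWER SECTION:
17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.92
17.165.202.64.zen.spamhaus.org. 300 IN  A       209.86.66.93
"""

def dnsbl_query_name(client_ip, zone="zen.spamhaus.org"):
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_dig_answers(dig_output):
    """Collect the rdata of every A record in dig's ANSWER SECTION."""
    answers = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "A"]:
            answers.append(fields[4])
    return answers

def classify(answers):
    """Decide what a DNSBL answer means. Only recognised 127.0.0.x codes count
    as a listing; a public address means the resolver replaced NXDOMAIN with
    its own records (the Earthlink/Barefruit behaviour in the thread), which
    is reported as resolver injection rather than as a hit.
    """
    if not answers:
        return ("not_listed", [])
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if not all(ipaddress.ip_address(a) in loopback for a in answers):
        return ("resolver_injection", answers)
    hits = [ZEN_CODES[a] for a in answers if a in ZEN_CODES]
    return ("listed", hits) if hits else ("unknown_code", answers)

if __name__ == "__main__":
    print(dnsbl_query_name("64.202.165.17"))
    print(classify(parse_dig_answers(SAMPLE_DIG)))
```

Running it against the constructed sample reports resolver_injection, which is the case a bare reject_rbl_client (no =127.0.0.x suffix) would wrongly treat as a listing.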
