Vernon Schryver wrote:
From: Daniel Gehriger
The complaints about DNS timeouts are not good. Is something wrong
with your DNS system? Dccifd should have at least received NXDOMAIN
for 86.59.190.206.zen.spamhaus.org from your local caching DNS server.
There shouldn't be any issues with
the DNS system. Most of the time, dccifd doesn't complain about timeouts
but then I get waves of those messages until a new DCC DNS helper is
started.
I suspect that is turned around and that extra dns-helper processes
are not started until enough of the current helpers have gone missing in
action (and generated complaints) to convince dccifd to start more.
Dccifd (and dccm) keep track of the numbers of active and free dns-helper
processes and try to keep at least one spare, inactive. If according
to the numbers, another helper is needed, it is created before an
attempt is made to talk to the herd of helpers. If the resolver library
timeouts are working, then the helpers don't get stuck in the resolver
library code, and there should never be a problem. If the BIND timeout
hooks are not present or not working, helpers can be busy waiting
while dccifd thinks they are idle. Dccifd should eventually realize
as much and create more helpers, not immediately.
So I suspect that your system does not have a normal BIND resolver
library. Does it have the "improved" Linux version?
I have bind 9.2.2:
Name : bind
Version : 9.2.2
Vendor : SuSE Linux AG, Nuernberg, Germany
Release : 31
Build Date : Thu Oct 2 23:15:13 2003
Install date: Wed Mar 1 21:37:35 2006
Group : Productivity/Networking/DNS/Servers
Source RPM : bind-9.2.2-31.src.rpm
Size : 5359971
Packager : http://www.suse.de/feedback
URL : http://www.isc.org/products/BIND/bind9.html
Summary : BIND - Domain Name Server
What messages do you see in the system log from the dns-helper processes?
There are only the initial startup messages in the syslog. The mail log
contains, for instance:
Feb 28 09:20:14 vps183 dccifd[28510]: DNSBL helper about to exec
/var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B
zen.spamhaus.org,any -B set:helper=4,13,1
Feb 28 09:20:25 vps183 dccifd[27955]: no DNSBL helper answer
Feb 28 09:20:25 vps183 dccifd[27955]: 2AORSc DNSBL failed for davecarlson.com,
3.0 msg-secs remaining
Feb 28 09:20:36 vps183 dccifd[27955]: no DNSBL helper answer
Feb 28 09:20:36 vps183 dccifd[27955]: 2AORSc DNSBL exhausted 25 msg-secs for
bls.hz5mnbmbnpm8wzzonzz6nhhz.acushlagc.com
Feb 28 09:21:04 vps183 dccifd[29867]: 2AORSe DNSBL answer SMTP client hit for
sender 202.54.78.195
Feb 28 09:21:04 vps183 dccifd[29867]: DNSBL client hit
195.78.54.202.zen.spamhaus.org
Feb 28 09:21:16 vps183 dccifd[29914]: 2AORSg DNSBL answer SMTP client hit for
sender 202.54.78.195
Feb 28 09:21:16 vps183 dccifd[29914]: DNSBL client hit
195.78.54.202.zen.spamhaus.org
Feb 28 09:24:04 vps183 dccifd[32522]: no DNSBL helper answer
Feb 28 09:24:04 vps183 dccifd[32522]: 2AORSi DNSBL failed for sender
206.190.52.120, 14.0 msg-secs remaining
Feb 28 09:24:15 vps183 dccifd[32522]: no DNSBL helper answer
Feb 28 09:24:15 vps183 dccifd[32522]: restart DNSBL helpers
Feb 28 09:24:15 vps183 dccifd[32522]: 2AORSi DNSBL failed for
r.leadmailing.com, 3.0 msg-secs remaining
Feb 28 09:24:15 vps183 dccifd[32764]: DNSBL helper about to exec
/var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B
zen.spamhaus.org,any -B set:helper=4,13,0
However, none of that is not relevant to this case, because dccifd says
that it got no answers from your DNS resolver. Besides, "DCC-->spam"
/var/dcc/libexec/dccifd -Ivscan -tREP,10 -tCMN,50,50 -Bset:debug=5
-Brelays.ordb.org,any -Bzen.spamhaus.org,any -llog -wwhiteclnt
-Uuserdirs -GIPmask/24 -p 127.0.0.1,10023 127.0.0.1/32 -o
127.0.0.1,10026 -SHELO -Smail_host -SSender -SList-ID
Is fact is there a comma instead of a blank between "127.0.0.1,10023"
and "127.0.0.1/32"?
Not in the output of 'ps', but in the config file, yes. I attached the
dcc_conf file.
Are you sure those are all of dccifd's args? The rejection message
for the problematic messages was
550 5.7.1 Service unavailable; Mail rejected as SPAM
That could have been produced with a -B or -r arg, but not otherwise.
You are correct of course. I removed those arguments for clarity.
I have tried a bunch of things, but failed to duplicate anything
like the problem.
I'll try installing a newer 'bind' library and we'll see if this changes
anything.
- Daniel
#! /bin/sh
# set parameters for DCC start and cron scripts
# from Rhyolite Software DCC 1.3.51-1.57 $Revision$
DCC_CONF_VERSION=3
# don't set DCC_HOMEDIR since if we got here, it must be set
DCC_LIBEXEC=/var/dcc/libexec
DCC_RUNDIR=/var/run/dcc
# DCC user name
DCCUID=vscan
DCCD_ENABLE=off
# DCC server-IDs must be globally unique.
SRVR_ID=
# BRAND can be any short alphanumeric string that hints about the identity
# of the server.
BRAND=
# args used to start dccd such as -6
DCCD_ARGS=
# GREY_CLIENT_ARGS contains "on", "-GnoIP", etc. to turn on greylisting
# in the dccm and dccifd DCC clients.
# Also turns on the local greylist dccd server unless GREY_ENABLE=off
GREY_CLIENT_ARGS=-GIPmask/24
# GREY_ENABLE turns local greylist server 'on' or 'off',
# but does not effect dccm, dccifd
GREY_ENABLE=on
# GREY_SRVR_ID DCC server-IDs must be globally unique, but greylisting dccd
# servers are usually isolated. If you have more than one greylist server,
# ensure that they use distinct server-IDs and that they flood each other
# with entries in /var/dcc/flod
GREY_SRVR_ID=$SRVR_ID
# Start dccd for grey listing or set server options such as -Gweak-IP.
# See also GREY_ENABLE.
GREY_DCCD_ARGS=
# dccm and dccifd client reputation parameters such as -tREP,20
REP_ARGS="-tREP,10"
# DNS blacklist -B parameters for dccifd and dccm
# For example
#DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 mail %s from %s rejected; see
http://www.spamhaus.org/xbl/' -Bsbl-xbl.spamhaus.org,any"
# checks SMTP envelope senders and URLs in mail message bodies in the XBL.
DNSBL_ARGS="-Bset:debug=5 '-Bset:rej-msg=5.7.1 554 Service unavailable; Message
(id: %s) blocked using relays.ordb.org; http://ordb.org/lookup/?host=%s'
-Brelays.ordb.org,any '-Bset:rej-msg=5.7.1 554 Service unavailable; Message
(id: %s) blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=%s' -Bzen.spamhaus.org,any"
DCCM_ENABLE=off
# used to start dccm
# a common value is
# DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
# Note the use of single quotes in
# DCCM_ARGS="-SHELO '-r5.7.1 550 mail %s from %s rejected with DCC'"
DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
DCCM_LOGDIR=log
DCCM_WHITECLNT=whiteclnt
DCCM_USERDIRS=userdirs
# set DCCM_LOG_AT to a number that determines "bulk mail" for your situation.
# 50 is a typical value.
# Leave DCCM_REJECT_AT blank until you are confident that most sources of
# solicited bulk mail have been white-listed. Then set it to the number
# that defines "bulk mail" for your site. This rejection or "bulk" threshold
# does not affect the blacklisting of the DCCM_WHITECLNT whitelist file.
# Add '-aIGNORE' to DCCM_ARGS to ignore the bulkiness of mail except to
# add X-DCC headers.
DCCM_LOG_AT=50
DCCM_REJECT_AT=50
# override basic list of DCC server checksums controlling rejections or logging
DCCM_CKSUMS=
# additional DCC server checksums worthy of rejections or logging
DCCM_XTRA_CKSUMS=
DCCIFD_ENABLE=on
# used to start dccifd
# a common value is
# DCCIFD_ARGS="-SHELO -Smail_host -SSender -SList-ID"
DCCIFD_ARGS="-p 127.0.0.1,10023,127.0.0.1/32 -o 127.0.0.1,10026 -SHELO
-Smail_host -SSender -SList-ID '-r5.7.1 550 Service unavailable; Mail rejected
as SPAM' '-r4.2.1 452 Mail temporarily blocked; Please resend in ten minutes'"
DCCIFD_LOGDIR="$DCCM_LOGDIR"
DCCIFD_WHITECLNT="$DCCM_WHITECLNT"
DCCIFD_USERDIRS="$DCCM_USERDIRS"
DCCIFD_LOG_AT="$DCCM_LOG_AT"
DCCIFD_REJECT_AT="$DCCM_REJECT_AT"
# override basic list of checksums controlling rejections or logging
DCCIFD_CKSUMS="$DCCM_CKSUMS"
# additional DCC server checksums worthy of rejections or logging
DCCIFD_XTRA_CKSUMS="$DCCM_XTRA_CKSUMS"
# days to keep files in DCC log directories
DBCLEAN_LOGDAYS=2
# used to start dbclean, including -e and -E
DBCLEAN_ARGS=
# optionally set to something like "local5" or "local5.notice" for
# dccd, dbclean, and dccm
DCC_INFO_LOG_FACILITY=
DCC_ERROR_LOG_FACILITY=
# ensure that the log facilities include levels and that $DCC_LOGGER
# has a default.
if test -n "$DCC_INFO_LOG_FACILITY"; then
if expr "X$DCC_INFO_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
:
else
DCC_INFO_LOG_FACILITY="$DCC_INFO_LOG_FACILITY.notice"
fi
DCC_LOG_ARGS="$DCC_LOG_ARGS -Linfo,$DCC_INFO_LOG_FACILITY"
fi
if test -z "$DCC_ERROR_LOG_FACILITY"; then
# for $DCC_LOGGER
DCC_ERROR_LOG_FACILITY=mail.err
else
if expr "X$DCC_ERROR_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
:
else
DCC_ERROR_LOG_FACILITY="$DCC_ERROR_LOG_FACILITY.err"
fi
DCC_LOG_ARGS="$DCC_LOG_ARGS -Lerror,$DCC_ERROR_LOG_FACILITY"
fi
DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t
${LOGGER_TAG-DCC}"
# do not change the following lines which capture ./configure values
# for make-dcc_conf
Configure_DCC_LIBEXEC=/var/dcc/libexec
Configure_DCC_RUNDIR=/var/run/dcc
Configure_DCCUID=vscan
Configure_DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t
${LOGGER_TAG-DCC}"
