On 1/22/2010 10:58 AM, Stan Hoeppner wrote:
Noel Jones put forth on 1/22/2010 10:00 AM:
Nothing is logged because the DNS server gives an authoritive "does not
exist" answer. That's not an error, it is the expected response when a
client is not listed in an RBL.
Hi Noel,
I was not venting at Postfix, or Wietse, or any of the devs for that matter, as
much as I was venting at the situation. Vietse, Victor, my apologies if it
seemed I was venting at you. I was not.
My venting should be aimed at Spamhaus. What they've done here is the opposite
of transparency. In the case of Google DNS, Spamhaus has pulled something a bit
underhanded in my estimation. They don't want people using Google DNS to query
Spamhaus zones. That's fine. I have no problem with that. But the way in
which they have blocked access creates a silent discard on mail servers using
Google DNS, or at least Postfix (I can't speak for other MTAs in this regard).
First remember how RBLs work. An authoritive NXDOMAIN means
the site is not listed, any other answer means the site is
listed. No answer (timeout) is an error that can only mean
"try again". That doesn't leave any option for an automatic
"you're blacklisted" code.
When spamhaus blacklists a site, they answer that every host
is not listed via the normal NXDOMAIN. There are good reasons
to do this, but it doesn't make the job any easier from this
side of the fence.
Since they return the normal "not listed", no MTA or filter
will log anything unusual -- you just won't see any hits.
The up side is that it's unlikely that any MTA or filter will
mistakenly reject or delay mail. If spamhaus just didn't
answer, you would get timeouts in your log but high volume
sites could experience a denial of service if every mail
transaction suddenly took 30-60 seconds longer than normal.
If they list everyone, that creates a worse problem.
I suspect your other provider did something manually to return
timeouts. While this logged the errors that finally brought
this to your attention, this has the very real potential to
cause problems, although it's unlikely that anyone with high
enough volume to suffer from this uses an external DNS. So
while it would be wrong for spamhaus to timeout on everyone,
it's not so bad for an ISP's DNS to return timeouts.
What they should have done is reply with a code that actually generates a
visible log error, so an admin, such as myself, can actually see that something
is wrong.
As you see now, this is simply not possible with the current
implementation of RBLs. This isn't a postfix (or any MTA
specific) problem, but rather the way that *all* RBLs are
implemented since their invention.
For this to change, there would need to be an invention of an
agreed-upon method to signal the client that their query
succeeded, but is not honored for some reason. This is
unlikely to happen anytime soon since there is no obvious
technical solution, and it's not a problem the RBL operators
are particularly concerned about.
Instead, all I got from my logs was silence. Multiple months of that
deafening silence finally prompted my action as I knew there had to be something
wrong.
If you're concerned, hack up a cron script to probe the test
addresses and mail yourself the output.
I think we've spent enough time on this.
-- Noel Jones
