On 1/22/2010 10:58 AM, Stan Hoeppner wrote:
Noel Jones put forth on 1/22/2010 10:00 AM:

Nothing is logged because the DNS server gives an authoritive "does not
exist" answer.  That's not an error, it is the expected response when a
client is not listed in an RBL.

Hi Noel,

I was not venting at Postfix, or Wietse, or any of the devs for that matter, as
much as I was venting at the situation.  Vietse, Victor, my apologies if it
seemed I was venting at you.  I was not.

My venting should be aimed at Spamhaus.  What they've done here is the opposite
of transparency.  In the case of Google DNS, Spamhaus has pulled something a bit
underhanded in my estimation.  They don't want people using Google DNS to query
Spamhaus zones.  That's fine.  I have no problem with that.  But the way in
which they have blocked access creates a silent discard on mail servers using
Google DNS, or at least Postfix (I can't speak for other MTAs in this regard).

First remember how RBLs work. An authoritive NXDOMAIN means the site is not listed, any other answer means the site is listed. No answer (timeout) is an error that can only mean "try again". That doesn't leave any option for an automatic "you're blacklisted" code.

When spamhaus blacklists a site, they answer that every host is not listed via the normal NXDOMAIN. There are good reasons to do this, but it doesn't make the job any easier from this side of the fence.

Since they return the normal "not listed", no MTA or filter will log anything unusual -- you just won't see any hits.

The up side is that it's unlikely that any MTA or filter will mistakenly reject or delay mail. If spamhaus just didn't answer, you would get timeouts in your log but high volume sites could experience a denial of service if every mail transaction suddenly took 30-60 seconds longer than normal. If they list everyone, that creates a worse problem.

I suspect your other provider did something manually to return timeouts. While this logged the errors that finally brought this to your attention, this has the very real potential to cause problems, although it's unlikely that anyone with high enough volume to suffer from this uses an external DNS. So while it would be wrong for spamhaus to timeout on everyone, it's not so bad for an ISP's DNS to return timeouts.

What they should have done is reply with a code that actually generates a
visible log error, so an admin, such as myself, can actually see that something
is wrong.

As you see now, this is simply not possible with the current implementation of RBLs. This isn't a postfix (or any MTA specific) problem, but rather the way that *all* RBLs are implemented since their invention.

For this to change, there would need to be an invention of an agreed-upon method to signal the client that their query succeeded, but is not honored for some reason. This is unlikely to happen anytime soon since there is no obvious technical solution, and it's not a problem the RBL operators are particularly concerned about.

Instead, all I got from my logs was silence.  Multiple months of that
deafening silence finally prompted my action as I knew there had to be something

If you're concerned, hack up a cron script to probe the test addresses and mail yourself the output.

I think we've spent enough time on this.

  -- Noel Jones

Reply via email to