I recently updated a Postfix system from 2.4 to 2.9 and I have found what I believe is a change in behavior for reject_unknown_sender_domain which is confusing. In the past, an effective means of dealing with some classes of persistent spammers was to tell the local DNS resolver (BIND 9) to "blackhole" the authoritative nameservers of spammers who cycled rapidly through changes in nearly every other easily detected aspect of their spam. In conjunction with reject_unknown_sender_domain, this rejected a lot of spam cheaply for a while but in recent years I've not paid much attention to it because there are fewer spammers using their own fixed IP space for DNS. Last week I started getting spam again that fit this tactic well, so for the first time in years I added to my DNS blackhole list. And the subsequent spam was not rejected.

Upon investigation I have determined that if a domain definitively has no A or MX records (i.e. DNS answers with NXDOMAIN or NOERR with zero answers) then Postfix rejects the mail at RCPT. However, if DNS queries garner SERVFAIL responses, as happens when authorities are blackholed, Postfix is permitting delivery. This is definitely not what I want. This may be related to the addition in version 2.6 of unknown_address_tempfail_action, but it seems to me based on the postconf manpage that since this defaults via reject_tempfail_action to "defer_if_permit" (and I have confirmed that this is so on this system) that Postfix should *at best* be sending a 4xx reply to RCPT rather than accepting mail sent from these intentionally unresolvable domains.

I have other means of rejecting this spam (e.g. scoring up the SpamAssassin NO_DNS_FOR_FROM rule) but I would prefer dealing with it before DATA as I have in the past. Is there an explanation for what is letting the mail through that I'm not seeing? If I explicitly set unknown_address_tempfail_action to "defer" or "reject" will I get around whatever the loophole is?

My config:

lazarus:~# postconf -n
body_checks = regexp:/opt/local/etc/postfix/body_checks
bounce_size_limit = 10000
command_directory = /opt/local/sbin
config_directory = /opt/local/etc/postfix
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debug_peer_level = 3
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
default_database_type = hash
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = regexp:/opt/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
message_size_limit = 2000000
milter_command_timeout = 120s
milter_connect_timeout = 45s
milter_protocol = 4
mydestination = $myhostname, localhost.$mydomain
mydomain = scconsult.com
myhostname = toaster.scconsult.com
mynetworks = 192.168.254.0/24, 127.0.0.0/8, 192.168.2.0/24
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /opt/local/bin/newaliases
postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = cbl.abuseat.org*2 zen.spamhaus.org=127.0.0.2*2 zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2 zen.spamhaus.org=127.0.0.5*2 zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2 korea.services.net=127.0.0.2*2 blackholes.scconsult.com=127.0.0.2*1 sbcdyn.scconsult.com=127.0.0.2*1 psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:8}s
proxy_interfaces = 66.73.230.185
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
recipient_delimiter = -
relay_domains = $mydestination $mydomain
relay_recipient_maps = regexp:/opt/local/etc/postfix/relay_recipients.regex
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
sewers = check_recipient_access pcre:/opt/local/etc/postfix/sewer-recipients check_sender_access pcre:/opt/local/etc/postfix/sewer-senders
smtp_generic_maps = regexp:/opt/local/etc/postfix/generic
smtp_tls_loglevel = 1
smtpd_authorized_xclient_hosts = localhost
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 5
smtpd_client_message_rate_limit = 15
smtpd_client_restrictions = check_client_access hash:/opt/local/etc/postfix/client_checks, permit
smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining,permit
smtpd_delay_open_until_valid_rcpt = no
smtpd_hard_error_limit = 7
smtpd_helo_required = yes
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = permit_mynetworks, check_helo_access regexp:/opt/local/etc/postfix/helo_checks, check_sender_access regexp:/opt/local/etc/postfix/senders reject_unknown_reverse_client_hostname reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_sender_mx_access cidr:/opt/local/etc/postfix/bogus_mx.cidr reject_rbl_client cbl.abuseat.org=127.0.0.2, reject_rbl_client zen.spamhaus.org=127.0.0.2, reject_rbl_client zen.spamhaus.org=127.0.0.3, reject_rbl_client zen.spamhaus.org=127.0.0.4, reject_rbl_client zen.spamhaus.org=127.0.0.5, reject_rbl_client zen.spamhaus.org=127.0.0.10, reject_rbl_client zen.spamhaus.org=127.0.0.11, reject_rbl_client korea.services.net=127.0.0.2 check_recipient_access regexp:/opt/local/etc/postfix/recipient_checks.regex, reject_rbl_client blackholes.scconsult.com=127.0.0.2 reject_rbl_client sbcdyn.scconsult.com=127.0.0.2, reject_rbl_client ix.dnsbl.manitu.net=127.0.0.2, reject_rbl_client psbl.surriel.com=127.0.0.2, check_sender_access hash:/opt/local/etc/postfix/sender_checks, check_client_access hash:/opt/local/etc/postfix/client_checks, check_client_access regexp:/opt/local/etc/postfix/client_checks.regex, permit
smtpd_restriction_classes = sewers
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_timeout = 60s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /private/etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /private/etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 553
unknown_client_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/local/etc/postfix/virtual
lazarus:~#
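The following is an added illustration, not part of the original post and not Postfix source code: a small Python model of what postconf(5) documents for reject_unknown_sender_domain and unknown_address_tempfail_action, so the three resolver outcomes in the question (NXDOMAIN, NOERROR with zero answers, SERVFAIL) can be compared side by side. It collapses the real MX-then-A lookup into a single (rcode, answer count) pair, models only the "defer" and "defer_if_permit" tempfail actions, uses the 553 reject code from the configuration above and the Postfix default defer code 450, and treats the end of the restriction list as the explicit "permit" the poster's list finishes with. Under those assumptions a SERVFAIL turns into a 450 at RCPT; the model can only return 250 for a sender with a temporary DNS error if some restriction ahead of the sender check returns PERMIT.

```python
"""Constructed model of the reject_unknown_sender_domain decision (not Postfix code)."""
from typing import List, Optional, Tuple

# Outcomes a single smtpd restriction can produce; names follow postconf(5).
DUNNO, PERMIT, REJECT, DEFER, DEFER_IF_PERMIT = (
    "DUNNO", "PERMIT", "REJECT", "DEFER", "DEFER_IF_PERMIT")

UNKNOWN_ADDRESS_REJECT_CODE = 553   # unknown_address_reject_code in the config above
DEFER_CODE = 450                    # Postfix defer_code default


def classify_sender_domain(rcode: str, answers: int) -> str:
    """Map the resolver's answer for the sender domain's MX/A lookup to what
    the server can conclude: 'known', 'unknown' (definitive) or 'tempfail'."""
    if rcode == "NOERROR" and answers > 0:
        return "known"
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and answers == 0):
        return "unknown"          # definitive: the domain has no MX or A
    return "tempfail"             # SERVFAIL, timeout, ...: not definitive


def reject_unknown_sender_domain(rcode: str, answers: int,
                                 tempfail_action: str = "defer_if_permit") -> Tuple[str, int]:
    """Result of the reject_unknown_sender_domain restriction for one lookup."""
    state = classify_sender_domain(rcode, answers)
    if state == "known":
        return DUNNO, 0
    if state == "unknown":
        return REJECT, UNKNOWN_ADDRESS_REJECT_CODE
    # Temporary DNS error: unknown_address_tempfail_action decides what happens.
    if tempfail_action == "defer":
        return DEFER, DEFER_CODE
    if tempfail_action == "defer_if_permit":
        return DEFER_IF_PERMIT, DEFER_CODE
    raise ValueError(f"tempfail action not covered by this model: {tempfail_action}")


def evaluate_restrictions(results: List[Tuple[str, int]]) -> Tuple[str, int]:
    """Walk a restriction list left to right as smtpd does.

    PERMIT, REJECT and DEFER end evaluation. DEFER_IF_PERMIT is remembered
    and becomes a 4xx only if the list would otherwise end in PERMIT, so a
    later REJECT still wins. Running off the end counts as PERMIT here
    (assumption: the list above ends with an explicit 'permit' anyway)."""
    pending_defer: Optional[int] = None
    for result, code in results:
        if result == DUNNO:
            continue
        if result == DEFER_IF_PERMIT:
            pending_defer = code
            continue
        if result == PERMIT:
            return (DEFER, pending_defer) if pending_defer else (PERMIT, 250)
        return result, code       # REJECT or DEFER is final
    return (DEFER, pending_defer) if pending_defer else (PERMIT, 250)


def rcpt_decision(rcode: str, answers: int, tempfail_action: str = "defer_if_permit",
                  later: Optional[List[Tuple[str, int]]] = None) -> Tuple[str, int]:
    """Sender-domain check, then whatever the remaining restrictions return
    (constructed list), then the closing 'permit'."""
    chain = [reject_unknown_sender_domain(rcode, answers, tempfail_action)]
    chain += later or []
    chain.append((PERMIT, 250))
    return evaluate_restrictions(chain)


if __name__ == "__main__":
    # Constructed resolver outcomes for a hypothetical sender domain.
    for rcode, n in (("NOERROR", 2), ("NXDOMAIN", 0), ("NOERROR", 0), ("SERVFAIL", 0)):
        print(f"{rcode:8} answers={n} -> {rcpt_decision(rcode, n)}")
    print("SERVFAIL, tempfail_action=defer ->", rcpt_decision("SERVFAIL", 0, "defer"))
    print("SERVFAIL, later RBL reject      ->",
          rcpt_decision("SERVFAIL", 0, later=[(REJECT, 554)]))
```

Running the block prints one line per resolver outcome: definitive answers (NXDOMAIN, empty NOERROR) reject with 553, a populated answer permits, and SERVFAIL defers with 450 under both tempfail actions, the difference being only that "defer" stops the list immediately while "defer_if_permit" lets a later reject-type restriction win.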
