On Wed, Mar 01, 2017 at 10:00:28PM +0000, Robert Sharp wrote:
> I was prompted from reading a recent post to check whether my
> postscreen setup was picking up Spamhaus responses. Quick grep
> through my logs confirmed that it was not. Seems I am in a bit
> of Bind (sorry for the pun). If I use Google's DNS I don't get a
> response from zen.spamhaus.org.

Hi Robert,

Yes, this is a known issue. Spamhaus blocks Google Public DNS and
many ISP resolvers as well.

> If I use my ISP's DNS I will but my ISP also hijacks NXDOMAIN
> responses as I was reminded last night when postscreen blocked
> everything. I am now looking at setting up my own unbound
> server, but I wondered if there was a quicker solution.

What's not quick? It should probably do what you need with minimal
(if any) fuss. I'm more familiar with BIND, and this will do it:

# mv /etc/named.conf /etc/named.conf.distrib
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
# named

Configure your OS (DHCP client if relevant) to leave resolv.conf
alone, and set it up to start the BIND service at boot.

I don't know the details of unbound, but I expect it is similarly
trivial to set up. It really is the right solution, for a mail
server, to have its own resolver.

> Can I use the filter option to ignore those hijacked responses?
> For example:
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3

You need clean name service for a mail server, period. And what
happens when your ISP resolver gets blocked by Spamhaus?

That said, your idea sort of works, until it doesn't. :)

> I would just give it a go but after blocking everything I am a
> little cautious today. Yes, I could add soft bounces but...

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: