Re: Question regarding DNSBL behaviour

2019-09-11 Thread J Doe

> On Sep 10, 2019, at 4:41 PM, Bill Cole wrote:
> 
>> Hello,
>> 
>> I have a question regarding DNSBL usage with the main.cf 
>> smtpd_client_restrictions parameter.
>> 
>> I have a server configured to check SpamHaus:
>> 
>> main.cf
>>  . . .
>>  smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>>  . . .
>> 
>> This has been working very well, although I noticed the following error in 
>> my syslog:
>> 
>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
>> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not 
>> found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: 
>> Host not found, try again
> 
> A common cause of this is if your DNS resolver thinks that you have IPv6 
> connectivity (e.g. because you have an autoconfigured interface or a VPN with 
> an IPv6 address) but you really do not. The extensive collection of DNS 
> servers handling the zen.spamhaus.org zone 
> includes many names that have as many AAAA records as they do A records and 
> if your resolver tries one of those, you get a message as above.

Hi Bill,

Thanks for your reply.  Interesting.  In this case, the DNS resolver I use is 
one that I run on the mailserver itself, which has IPv4/IPv6 connectivity.  I 
know this host can successfully access both as we send and receive Gmail mostly 
over IPv6 whereas most other traffic is delivered over IPv4.  With the SMTP 
traffic handling both ok I would assume that my DNS resolver is also ok (I 
haven’t made any configuration changes to Bind to make it prefer IPv4 or IPv6 
when it performs recursive lookups) ?

Thanks,

- J

Re: Question regarding DNSBL behaviour

2019-09-10 Thread Bill Cole

On 10 Sep 2019, at 14:44, J Doe wrote:


> Hello,
>
> I have a question regarding DNSBL usage with the main.cf 
> smtpd_client_restrictions parameter.
>
> I have a server configured to check SpamHaus:
>
> main.cf
> . . .
> 	smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
> . . .
>
> This has been working very well, although I noticed the following 
> error in my syslog:
>
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name 
> not found. Name service error for name=188.50.102.94.zen.spamhaus.org 
> type=A: Host not found, try again

A common cause of this is if your DNS resolver thinks that you have 
IPv6 connectivity (e.g. because you have an autoconfigured interface or 
a VPN with an IPv6 address) but you really do not. The extensive 
collection of DNS servers handling the zen.spamhaus.org zone includes 
many names that have as many AAAA records as they do A records and if 
your resolver tries one of those, you get a message as above.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: Question regarding DNSBL behaviour

2019-09-10 Thread J Doe


>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
>> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not 
>> found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: 
>> Host not found, try again
>> 
>> I am wondering - in normal checks against SpamHaus, if a host is not listed 
>> and the result is NXDOMAIN, I am assuming that Postfix interprets that the 
>> host is “ok” and does not log any information.  In this case, though, it has 
>> logged the information and I am wondering if this is because Postfix was 
>> unable to contact SpamHaus at all, not just regarding the record: 
>> 188.50.102.94.zen.spamhaus.org ?
>> 
> 
> This service is free for low-volume clients only. If you send your
> Spamhaus queries through a shared DNS resolver (like an ISP), then
> you may exceed their 'free service' limits. You may be better off
> using your own DNS resolver.
> 
>   Wietse

Hi Wietse,

Yes, that is a good point.  I believe I’m ok regarding query limits - I do run 
my own resolver for this server and the amount of e-mail that transits this 
particular server is very low.

- J

Re: Question regarding DNSBL behaviour

2019-09-10 Thread Benny Pedersen

J Doe wrote on 2019-09-10 21:09:

> Thanks for your reply.  Ok, that’s what I was thinking - that it was a
> temporary DNS error for contacting SpamHaus, not SpamHaus saying that
> address was not listed.  Just wanted to double-check.


http://multirbl.valli.org/lookup/94.102.50.188.html

no PTR, no problem


Re: Question regarding DNSBL behaviour

2019-09-10 Thread Wietse Venema
J Doe:
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not 
> found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: 
> Host not found, try again
> 
> I am wondering - in normal checks against SpamHaus, if a host is not listed 
> and the result is NXDOMAIN, I am assuming that Postfix interprets that the 
> host is “ok” and does not log any information.  In this case, though, it has 
> logged the information and I am wondering if this is because Postfix was 
> unable to contact SpamHaus at all, not just regarding the record: 
> 188.50.102.94.zen.spamhaus.org ?
> 

This service is free for low-volume clients only. If you send your
Spamhaus queries through a shared DNS resolver (like an ISP), then
you may exceed their 'free service' limits. You may be better off
using your own DNS resolver.

Wietse


Re: Question regarding DNSBL behaviour

2019-09-10 Thread J Doe
>> Hello,
>> I have a question regarding DNSBL usage with the main.cf 
>> smtpd_client_restrictions parameter.
>> I have a server configured to check SpamHaus:
>> main.cf
>>  . . .
>>  smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>>  . . .
>> This has been working very well, although I noticed the following error in 
>> my syslog:
>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
>> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not 
>> found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: 
>> Host not found, try again
>> I am wondering - in normal checks against SpamHaus, if a host is not listed 
>> and the result is NXDOMAIN, I am assuming that Postfix interprets that the 
>> host is “ok” and does not log any information.  In this case, though, it has 
>> logged the information and I am wondering if this is because Postfix was 
>> unable to contact SpamHaus at all, not just regarding the record: 
>> 188.50.102.94.zen.spamhaus.org ?
>> Thanks,
>> - J
> 
> 
> Lookup error: means something didn't work; your DNS told postfix it couldn't 
> find spamhaus at all, but it was a temporary error so try again.  Postfix 
> will ignore the result.
> 
> If you get this rarely, it's nothing to worry about.  If it happens often, 
> there may be a problem with your DNS server or network connection.
> 
>  -- Noel Jones

Hi Noel,

Thanks for your reply.  Ok, that’s what I was thinking - that it was a 
temporary DNS error for contacting SpamHaus, not SpamHaus saying that address 
was not listed.  Just wanted to double-check.

- J
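
The outcomes this thread distinguishes (listed, NXDOMAIN, and a temporary lookup failure), as an added Python sketch that is not Postfix code and not part of any post in the thread. The function names, the verdict strings and the `no_match` case for replies outside the 127.0.0.[2..11] filter are assumptions of the example; the errno mapping is the one glibc uses.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Reply filter from the main.cf in the thread: 127.0.0.[2..11]
REJECT_CODES = {f"127.0.0.{n}" for n in range(2, 12)}

def dnsbl_name(client_ip, zone=ZONE):
    """Build the query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A lookup via the system resolver; raises socket.gaierror on failure."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(client_ip, resolve=system_resolver):
    """Return (verdict, query_name) for one client address.

    listed     - an A record inside the reply filter: reject
    not_listed - NXDOMAIN: the list has no entry for this address
    no_match   - A records exist but none is inside the filter: no reject
    temp_error - the lookup itself failed: no verdict, only a warning
    """
    name = dnsbl_name(client_ip)
    try:
        answers = set(resolve(name))
    except socket.gaierror as exc:
        # glibc reports NXDOMAIN as EAI_NONAME and a retryable failure
        # ("Host not found, try again") as EAI_AGAIN.
        if exc.errno == socket.EAI_NONAME:
            return "not_listed", name
        return "temp_error", name
    return ("listed" if answers & REJECT_CODES else "no_match"), name

if __name__ == "__main__":
    # Constructed stub resolver that simulates the failure in the syslog line.
    def flaky(_name):
        raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
    print(classify("94.102.50.188", flaky))
```

A `temp_error` result carries no information about the client address, so a burst of them means mail is passing without the DNSBL check being applied.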



Re: Question regarding DNSBL behaviour

2019-09-10 Thread Noel Jones

On 9/10/2019 1:44 PM, J Doe wrote:

> Hello,
>
> I have a question regarding DNSBL usage with the main.cf 
> smtpd_client_restrictions parameter.
>
> I have a server configured to check SpamHaus:
>
> main.cf
> . . .
> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
> . . .
>
> This has been working very well, although I noticed the following error in my 
> syslog:
>
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 
> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not 
> found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host 
> not found, try again
>
> I am wondering - in normal checks against SpamHaus, if a host is not listed and 
> the result is NXDOMAIN, I am assuming that Postfix interprets that the host is 
> “ok” and does not log any information.  In this case, though, it has logged the 
> information and I am wondering if this is because Postfix was unable to contact 
> SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?
>
> Thanks,
>
> - J

Lookup error: means something didn't work; your DNS told postfix it 
couldn't find spamhaus at all, but it was a temporary error so try 
again.  Postfix will ignore the result.

If you get this rarely, it's nothing to worry about.  If it happens 
often, there may be a problem with your DNS server or network 
connection.




  -- Noel Jones
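
The "rarely versus often" distinction above can be measured from the mail log. The following is an added Python example, not code from the thread: it counts retryable `RBL lookup error` warnings per hour and zone. The first sample line is the one quoted in the thread, the others are constructed, and the threshold of 3 per hour is an arbitrary assumption.

```python
import re
from collections import Counter

# Warning format as quoted in the thread, unfolded onto one line.
RBL_ERR = re.compile(
    r"^(?P<hour>\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<qname>\S+): RBL lookup error: .*type=A: (?P<reason>.+)$"
)

def _warning(stamp, pid, qname):
    """Format one warning line in the layout shown in the thread."""
    return (f"{stamp} server postfix/smtpd[{pid}]: warning: {qname}: RBL lookup "
            f"error: Host or domain name not found. Name service error for "
            f"name={qname} type=A: Host not found, try again")

SAMPLE_LOG = [
    _warning("Sep  7 16:13:08", 28363, "188.50.102.94.zen.spamhaus.org"),  # from the thread
    # Everything below is constructed (documentation address ranges).
    "Sep  8 03:01:09 server postfix/smtpd[1201]: connect from unknown[192.0.2.10]",
    _warning("Sep  8 03:01:10", 1201, "10.2.0.192.zen.spamhaus.org"),
    _warning("Sep  8 03:07:44", 1207, "7.100.51.198.zen.spamhaus.org"),
    _warning("Sep  8 03:40:02", 1233, "25.113.0.203.zen.spamhaus.org"),
]

def split_qname(qname):
    """'188.50.102.94.zen.spamhaus.org' -> ('94.102.50.188', 'zen.spamhaus.org')"""
    labels = qname.split(".")
    return ".".join(reversed(labels[:4])), ".".join(labels[4:])

def lookup_errors_per_hour(lines):
    """Count retryable RBL lookup errors per (hour, zone)."""
    counts = Counter()
    for line in lines:
        m = RBL_ERR.match(line)
        if m and "try again" in m["reason"]:
            _client, zone = split_qname(m["qname"])
            counts[(m["hour"], zone)] += 1
    return counts

def noisy_hours(lines, threshold=3):
    """(hour, zone, count) triples at or above the assumed threshold."""
    counts = lookup_errors_per_hour(lines)
    return sorted((h, z, n) for (h, z), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for hour, zone, n in noisy_hours(SAMPLE_LOG):
        print(f"{hour}:00  {zone}: {n} temporary lookup failures")
```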