At 5:41 PM -0400 4/29/08, Stefan Jeglinski imposed structure on a
stream of electrons, yielding:
What do you get if you do a DNS lookup, i.e. 'dig
17.165.202.64.zen.spamhaus.org' in a terminal session?
;; QUESTION SECTION:
;17.165.202.64.zen.spamhaus.org. IN A
;; ANSWER SECTION:
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.92
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.93
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.94
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.95
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.90
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.91
So.... an A record is being returned, but none are the expected
answer (either 127.0.0.2-11 or nothing). According to the postfix
docs, if I do not specify, for example, reject_rbl_client
zen.spamhaus.org=127.0.0.2, I will get a reject if any A record is
returned.
But what are those A records? Ah-ha - barefruit, the bastards.
Because I'm using an earthlink upstream resolver.
Yep.
Earthlink is telling you lies in DNS. You should not trust their DNS.
The other possibility is that you may be forwarding your DNS
queries to a server that plays games with them.
<snip>
I would say this may be what is happening. I used to run djbdns on
my Linux box but that's fallen by the wayside at the moment with
OSX. Looks like I might need to return.
I don't know about djbdns, but BIND runs just fine on OSX.
You can get significant performance improvement generally from
running a local nameserver for a mail server, beyond the advantage of
avoiding an ISP that will tell you a lie for a fraction of a cent.
You may get around ISP DNS injection by specifying the Spamhaus
return codes in your postfix config:
smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.2,
    reject_rbl_client zen.spamhaus.org=127.0.0.4,
    reject_rbl_client zen.spamhaus.org=127.0.0.5,
    reject_rbl_client zen.spamhaus.org=127.0.0.10,
    reject_rbl_client zen.spamhaus.org=127.0.0.11
Otherwise, reject_rbl_client will catch on any answer from the DNS
query, and since DNS injection is done to inject bogus A records
pointing at real IPs, it will make reject_rbl_client catch if you
don't specify the lookup result.
Yep, there you go. Haven't tried it yet, but I will bet that's
what's going on.
Bill, you are still a lifesaver. My roughly 5-yr-old (?) offer of
dinner and a beer in the RTP NC area if you ever make it here is
still good!
If I ever make it down there, I will take you up on it. I tend not to
travel much due to family circumstances, but since I am back on the
job market and Detroit is not exactly overflowing with opportunities,
I could well end up passing through in coming weeks.
--
Bill Cole
[EMAIL PROTECTED]
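
The difference described in the message above, as an added example that is not part of the original post: it shows why a bare reject_rbl_client fires on the rewritten answer while the "=127.0.0.x" form does not. The function names and the 127.0.0.4 sample are assumptions made for illustration; the first sample is the first two answer lines of the dig output quoted above.

```python
import ipaddress

# Return codes named in the postfix restrictions quoted in the message above.
ZEN_CODES = {"127.0.0.2", "127.0.0.4", "127.0.0.5", "127.0.0.10", "127.0.0.11"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Answer lines copied from the dig output in the message above.
HIJACKED_DIG = """\
;; ANSWER SECTION:
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.92
17.165.202.64.zen.spamhaus.org. 300 IN A 209.86.66.93
"""
# Constructed sample: what a genuine listing would look like.
LISTED_DIG = "17.165.202.64.zen.spamhaus.org. 300 IN A 127.0.0.4\n"


def dnsbl_qname(client_ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def a_records(dig_output, qname):
    """Return the A-record addresses for qname found in dig output."""
    found = []
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue
        name, _ttl, rclass, rtype, rdata = fields
        if name.rstrip(".").lower() == qname.lower() and (rclass, rtype) == ("IN", "A"):
            found.append(rdata)
    return found


def postfix_rejects(answers, required=None):
    """Bare reject_rbl_client matches any A record; '=d.d.d.d' needs that exact one."""
    return bool(answers) if required is None else bool(set(answers) & set(required))


def classify(answers):
    """Tell a real listing apart from an answer rewritten by the resolver."""
    if not answers:
        return "not-listed"
    if any(ipaddress.ip_address(a) not in LOOPBACK for a in answers):
        return "resolver-tampering"
    return "listed" if set(answers) & ZEN_CODES else "unrecognised-code"
```

Running classify() on the A records a resolver returns for an address that is known not to be listed is a quick check for whether that resolver can be trusted for DNSBL lookups.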
#############################################################
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.