Does postfix cache RBL queries

email-serverpostfixrbl

This is driving me nuts… Linux Debian + postfix…
/etc/postfix/main.cf has the following lines:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access,
    reject_invalid_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service unix:private/policyd-spf,
    check_policy_service inet:127.0.0.1:10023,
    permit_auth_destination,
    reject

These days postfix is rejecting incoming messages from one single IP:

 info@domain.ext
   SMTP error from remote mail server after RCPT TO:<info@domain.ext>:
   host mail.server.ext [123.123.123.123]: 554 5.7.1 Service unavailable; Client host [234.234.234.234] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=234.234.234.234

Well… http://cbl.abuseat.org/lookup.cgi?ip=234.234.234.234 reports no blacklisting of 234.234.234.234 (obviously the IP 234.234.234.234 is not the real one).

Dozen emails have been blocked so far for the same reason, but each time I manually query the RBL, the IP is reported as clean.

Is postfix caching queries to RBLs?
What am I missing?

Thanks in advance for your time.

Best Answer

From the top layer perspective, Postfix relies on libc resolver to do DNS lookup (including RBL), so the the behaviour would depends on the library. For example, postfix will alwasy do lookup via NS server defined in /etc/resolv.conf.

If the NS server has caching mechanism, then postfix will get the cache result too. This is also happen if your provider has "DNS hijacking" (the diverted DNS packet into their NS server). In this event, you will also hit their cache (if they enable it).

To check what's the output of DNS lookup, you can use dig command. For example check if IP address 216.154.195.36 was listed in cbl.abuseat.org.

$  dig  36.195.154.216.cbl.abuseat.org

; <<>> DiG 9.10.1-P1 <<>> 36.195.154.216.cbl.abuseat.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48609
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

If the return is NXDOMAIN, the IP address wasn't listed.

From the bottom layer perspective, each smtpd process has cached its own DNSBL lookup results. Those results are not shared with other Postfix processes. Each smtpd process will be reused until max_use or max_idle reached. When smtpd process dies, the RBL cache will lost too. When new smtpd process was create by master daemon, it will pickup new configuration on main.cf (including max_idle and max_use. So actually no need to restart postfix.

Related Solutions

Postfix rejects all incoming mail (Client host rejected: Access denied)

I think you need to put mydestination = mydomain.com in your config.

Next guess: We know the domain is right and that SASL works... so what I now suspect is that we're seeing an error in your restrictions. I'd start with recipient_restrictions and remove every rejection after permit_sasl_authenticated. If that works, add them back one at a time. If not, your next test is sender_restrictions.

SquirrelMail inbox blank, emails not being stored correctly

As documented, in order to deliver in maildir format, the mailbox location must end with a slash:

joe@example.com  example.com/joe/

This, and this only, tells postfix to deliver to a maildir.

Of course, there could be other problems preventing it from working, but we don't know.

Best Answer

Related Solutions

Postfix rejects all incoming mail (Client host rejected: Access denied)

SquirrelMail inbox blank, emails not being stored correctly

Related Topic