1 (edited by kuadhual 2017-01-10 09:35:46)

Topic: redirected/blocked DNS leads to postscreen rejection

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Debian Jessie 64bit
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): NginX
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

I encountered the same problem in two different iRedMail installations. These installations are on different servers, using different ISPs, and use different DNS servers. Both cannot receive mail from some of the major email providers such as Yahoo and many other organizations' email servers.

Example log when an error occurs:

Dec 21 15:44:55 mail postfix/postscreen[14814]: NOQUEUE: reject: RCPT from [aaa.bbb.ccc.ddd]:54059: 550 5.7.1 Service unavailable; client [aaa.bbb.ccc.ddd] blocked using b.barracudacentral.org; from=<noreply@xxxxxx.id>, to=<admin@yyyyyy.id>, proto=ESMTP, helo=<web.xxxxxx.id>
Dec 22 09:33:43 mail postfix/postscreen[25529]: NOQUEUE: reject: RCPT from [aaa.bbb.ccc.ddd]:55271: 550 5.7.1 Service unavailable; client [aaa.bbb.ccc.ddd] blocked using zen.spamhaus.org; from=<noreply@xxxxxx.id>, to=<rrrrrr@yyyyyy.id>, proto=ESMTP, helo=<web.xxxxxx.id>
Dec 22 10:25:02 mail postfix/postscreen[26117]: NOQUEUE: reject: RCPT from [aaa.bbb.ccc.ddd]:55478: 550 5.7.1 Service unavailable; client [aaa.bbb.ccc.ddd] blocked using zen.spamhaus.org; from=<noreply@xxxxxx.id>, to=<admin@yyyyyy.id>, proto=ESMTP, helo=<web.xxxxxx.id>
Dec 22 10:25:02 mail postfix/postscreen[26117]: NOQUEUE: reject: RCPT from [aaa.bbb.ccc.ddd]:55481: 550 5.7.1 Service unavailable; client [aaa.bbb.ccc.ddd] blocked using zen.spamhaus.org; from=<noreply@xxxxxx.id>, to=<admin@yyyyyy.id>, proto=ESMTP, helo=<web.xxxxxx.id>

A search on Google gave hints that the problem is linked to strange behaviour in DNS responses.
http://www.iredmail.org/forum/topic1036 … email.html
http://www.iredmail.org/forum/topic1076 … oblem.html
http://www.iredmail.org/forum/topic1059 … ceive.html

In my country, access to the Internet is restricted via DNS. Each ISP will respond with different IP addresses if the requests are for blacklisted sites. Each ISP will redirect requests to an open DNS server such as Google 8.8.8.8 or OpenDNS to a local DNS server.

For now, I overcame this problem by installing DNSCrypt and changing the DNS settings on the email servers to DNSCrypt. The problem is that the use of DNSCrypt itself is either in a grey area or even violates the law.

Is there another way to solve this problem?


2

Re: redirected/blocked DNS leads to postscreen rejection

Yes. Update Postfix main.cf:

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.[2..11]*2

If DNS result is not 127.0.0.2 - 127.0.0.11, postfix won't reject the client.
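
The effect of the =127.0.0.[2..11] reply filter, as an added example (not part of the original post, and not Postfix or iRedMail code): a small Python model of how a domain=filter*weight list is scored against DNS replies. The unfiltered list, the 203.0.113.10 redirect address and all function names are constructed for illustration.

```python
import ipaddress
import re

def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight) tuples."""
    sites = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        entry, _, weight = entry.partition("*")   # weight comes last: domain=filter*weight
        domain, _, filt = entry.partition("=")
        sites.append((domain, filt or None, int(weight) if weight else 1))
    return sites

def octet_matches(pattern, octet):
    """Match one octet against 'd' or a '[a;b..c]' pattern from the reply filter."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """True if one A record counts as a listing under the given filter."""
    if filt is None:                  # no filter: any non-error reply counts
        return True
    octets = ipaddress.IPv4Address(reply).packed
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    return len(patterns) == 4 and all(octet_matches(p, o) for p, o in zip(patterns, octets))

def dnsbl_score(sites_value, replies):
    """replies maps domain -> A records returned; a missing domain means NXDOMAIN."""
    score = 0
    for domain, filt, weight in parse_sites(sites_value):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight           # weight is added once per matching entry
    return score

# Constructed sample data: 203.0.113.10 stands in for an ISP redirect address.
FILTERED = "zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2"
UNFILTERED = "zen.spamhaus.org*3 b.barracudacentral.org*2"
HIJACKED = {"zen.spamhaus.org": ["203.0.113.10"], "b.barracudacentral.org": ["203.0.113.10"]}
LISTED = {"zen.spamhaus.org": ["127.0.0.4"]}
```

With Postfix's default postscreen_dnsbl_threshold of 1, the unfiltered list scores the redirected replies at 5 and the client is rejected, while the filtered list scores them at 0 and still scores a real 127.0.0.4 listing at 3.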

3

Re: redirected/blocked DNS leads to postscreen rejection

ZhangHuangbin wrote:

Yes. Update Postfix main.cf:

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.[2..11]*2

If DNS result is not 127.0.0.2 - 127.0.0.11, postfix won't reject the client.

Thank you for your swift answer.

This made me curious about how this works.

The postscreen_dnsbl_sites parameter (default: empty) specifies a list of DNS blocklist servers with optional filters and weight factors (positive weights for blacklisting, negative for whitelisting). These servers will be queried in parallel with the reverse client IP address. This test is disabled by default.

My question is why this is disabled by default. What is the demerit of enabling this?

4

Re: redirected/blocked DNS leads to postscreen rejection

It will be enabled by default in the upcoming iRedMail release (0.9.6).