# Postfix and rbl name requests

## i0

Hi

I have in my resolv.conf 2 nameservers like:

```
nameserver 12.23.34.45
nameserver 56.67.78.89
```

In postfix I use

```
smtpd_recipient_restrictions =
      reject_rbl_client rbl.example.com
```

When a connection comes in to the server, postfix should make a request to rbl.example.com to see if the connecting machine's IP address has an A record there.

And if it has, message will be rejected.

Question:

How should postfix make this request?

My postfix does not ask directly from rbl.example.com

Instead it asks from first nameserver that is stated in resolv.conf, then that nameserver (caching) asks from rbl.example.com and gives answer back to postfix.

Is that how it is supposed to work?

If so, why not ask directly from rbl.example.com?

Can this be done (tell postfix that for rbl.example.com requests use rbl.example.com as nameserver)?

i0

----------

## John R. Graham

All your existing nameservers are doing is getting the IP address of rbl.example.com.  Without querying one of your listed name servers, Postfix has no other way of finding the IP address of rbl.example.com.

If you don't want to query the nameservers dynamically, then get the IP address of rbl.example.com statically and use the IP address in the  reject_rbl_client line.  The disadvantage of this approach is that, if the IP address of rbl.example.com changes, then your implementation will break.

I'm not completely sure what you're worrying about.  What's the problem with looking up a URL with a nameserver?  It's kind of what they're designed for.

- John

----------

## i0

No, it is not what I meant.

For example, a connection comes to postfix from 1.2.3.4.

Now postfix needs to know whether IP 1.2.3.4 has an A record in the rbl.example.com server.

For that it makes name request: ?A 4.3.2.1.rbl.example.com

But problem is that this name request is not sent to rbl.example.com <- this is the problem part

It is sent to first nameserver in resolv.conf.

Then this nameserver asks rbl.example.com: ?A 4.3.2.1.rbl.example.com

And gives result ABOUT 1.2.3.4 to postfix.

I would understand if postfix first made request to first nameserver to find out A or NS record for rbl.example.com and then postfix makes request ?A 4.3.2.1.rbl.example.com to rbl.example.com.

As for adding the IP address to reject_rbl_client - it won't work because then postfix would make a name request like this: ?A 4.3.2.1.an.ip.addr.ess, but since the nameserver (rbl.example.com) uses name-based zones the result would always be NXDOMAIN, which means that even if the requested IP address has an A record in rbl.example.com, mail is passed through postfix since the request was in the wrong format.

(Wouldn't be a problem if I reconfigured the rbl server)

Also those nameservers in resolv.conf are not mine. They are my isp's. By making direct requests to rbl server i would save traffic.

But what's bothering me is: have i missed something in postfix configuration or something, or is this supposed to work like that?

Like every rbl request goes first through the primary nameserver, like doing with dig:

"dig 4.3.2.1.rbl.example.com any"

Instead i want this: "dig @rbl.example.com 4.3.2.1.rbl.example.com any"

----------

## magic919

It's just a DNS lookup.   What's the problem exactly?

Maybe you need to have a read up on how these things work.

----------

## i0

 *magic919 wrote:*   

> It's just a DNS lookup.   What's the problem exactly?
> 
> Maybe you need to have a read up on how these things work.

 

Yes, i know it is a dns lookup.

And yes maybe i should read up.

I have been googling for 2 days now, no luck, that is why I'm posting this here.

Hoping that maybe someone can give me an answer instead of telling me that maybe i should read something somewhere.

Can you give me a link maybe, what should i read?

What i would like to do is: make postfix to send those rbl lookups to a different nameserver than default one.

I will be satisfied when somebody who knows postfix really well tells me that: there is no way to send some lookups to a different nameserver in postfix!

----------

## magic919

And how will you recognise such a person I wonder.

Good luck.

----------

## i0

 *magic919 wrote:*   

> And how will you recognise such a person I wonder.
> 
> Good luck.

 

By trusting somebody who says that,

because there are probably more people who will argue against that somebody when they know that he was wrong saying that.

Btw I'm one of those people. I will correct somebody if they are wrong in some issue in my opinion.

And i've noticed over years that linux community in general is very friendly and helpful.

Thank You.

So issue still is: can postfix make some lookups to a different nameserver than default one?

----------

## jmbsvicetto

Hi.

*i0 wrote:*

> *magic919 wrote:*
>
> > It's just a DNS lookup.   What's the problem exactly?
> >
> > Maybe you need to have a read up on how these things work.
>
> Yes, i know it is a dns lookup.
> ...

There's a saying around here that roughly translated goes as "you catch flies with honey". A different attitude might attract more and better answers.

As magic919 was saying, those are just DNS queries. You seem to be worried that the DNS request for ?A 4.3.2.1.rbl.example.com crosses your DNS server. Well, that's why you have that server. If your server didn't contact the rbl.example.com nameserver directly, that means it was able to obtain an answer to the query. One of the most important points in DNS servers is that they keep in cache recently resolved or non-resolved addresses.

If you really want to read a bit more about RBLs and Postfix, I would suggest looking at the postconf man page or at the postfix documentation.

----------

## i0

"you catch flies with honey"

true!

I have never learned English so i'm probably expressing myself kinda not good.

Anyway, i was kind of hoping that magic919 says to me that it cannot be done.

He seems to know about postfix.

(i have read his posts in different threads in this forum)

As for postconf and postfix documentation, there is nothing about a way you can make different lookups to go in different servers.

Maybe that cannot be done in this way.

----------

## kashani

Postfix does what all good system software does: hand things it's not supposed to be doing off to the OS. You don't want Postfix or anything else doing a poor job of resolving names, and believe me, having worked in the bad old days when many an idiot wrote his own resolving routines, it's harder than it looks.

For the record blacklisting has a false positive rate of 30% or greater. I'd drop it altogether and use greylisting.

kashani

----------

## gr0x0rd

I have an in-house RBL that I use for my mailserver, which worked brilliantly during my initial testing but seemed to stop working a few days ago: this was due to 127.0.0.1 being dropped from my resolv.conf. 

My thanks to this thread which resolved this issue for me promptly.

Cheers!!!

----------
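An added example, not part of any post in this thread and not Postfix's own code: a Python sketch of the lookup the thread discusses, building the reversed-octet query name and sending it through the resolver configured in resolv.conf, while keeping "no A record" separate from "the resolver did not answer" (the situation in the last post, where a missing resolv.conf entry stopped the RBL from working). `socket.getaddrinfo` stands in for the system resolver, the IPv6 nibble form goes beyond the IPv4 case in the thread, and `SAMPLE_ZONE`, `sample_resolver` and `broken_resolver` are constructed stand-ins so the block runs offline.

```python
import ipaddress
import socket

# getaddrinfo error codes that mean "this name has no A record"
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_query_name(client_ip, zone):
    """Name looked up to test client_ip against a DNSBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # four octets
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolver(name):
    """Ask the OS stub resolver, i.e. the nameservers in /etc/resolv.conf."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_dnsbl(client_ip, zone, resolve=system_resolver):
    """Return (status, query_name, answers)."""
    name = dnsbl_query_name(client_ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:            # NXDOMAIN: client is not listed
            return ("not_listed", name, [])
        return ("lookup_failed", name, [])    # resolver unreachable, timeout, ...
    return ("listed" if answers else "not_listed", name, answers)

# Constructed sample data standing in for the rbl.example.com zone.
SAMPLE_ZONE = {"4.3.2.1.rbl.example.com": ["127.0.0.2"]}

def sample_resolver(name):
    """Offline stand-in for a working caching nameserver."""
    if name not in SAMPLE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return SAMPLE_ZONE[name]

def broken_resolver(name):
    """Offline stand-in for a resolv.conf whose nameserver does not answer."""
    raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(check_dnsbl(ip, "rbl.example.com", sample_resolver))
    print(check_dnsbl("1.2.3.4", "rbl.example.com", broken_resolver))
```

A monitoring check built on this should alert on `lookup_failed`, since a resolver outage otherwise looks the same as every client being unlisted.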

