postfix mailserver (sometimes) blocked
Hi all,
I run a postfix mailserver under FreeBSD on a small SoHo server/gateway under my own domain name. Last week I switched ISPs. For my new fixed IP number, one of the first things I did was request rDNS pointing to my domain. Done. However, over the past few days, I've encountered three mailservers which bounce my outoing message back: Code:
Diagnostic-Code: smtp; 554 5.7.1 Rejected Code:
550 Administrative prohibition (in reply to RCPT TO command) Code:
Recipient not authorized, your IP has been found on a block list (in reply The error messages above are kind of vague. :( I ran my IP number through a database check: http://www.dnsbl.info/dnsbl-database-check.php, but it came up clean. I am wondering if I am missing some obscure Postfix setting or something... but I have a fairly standard installation and I have no problems with the bulk of my outgoing mail traffic. Any ideas? Thanks |
Quote:
Code:
X.7.1 Delivery not authorized, message refused |
Quote:
Thanks. |
Nothing is absolute in practice, but it should work. You might also check the error msg / mail logs for a URL containing contact instructions, or the whois database for a technical contact.
|
Well, that was an interesting experiment. I decided to tackle the first two.
#1: checked the whois record, found the name of the technical contact and corresponding email address, postmaster@.. Mailed error message. That bounced, so I Googled the name and found another email address for the technical contact. That bounced as well. #2: web host is not mail host, so I looked up whois record for mail host, found the name of the technical contact and corresponding email address, also postmaster@.. Mailed error message. My message was forwarded to another account, and it also bounced. Score: 0/2 It is by no means a representative sample :), but if I may nonetheless be permitted a simple generalisation, it would seem that some organisations are not very diligent about keeping their domain records up-to-date. In both these cases, the original technical contact no longer appears to be with the organisation. Just to satisfy my curiosity, rfc 2821 does require a postmaster mailbox: Quote:
This whole business reminds me why I don't like blacklists. They are too rigid and non-transparent. They stifle communication, which is really the soul of the Internet. I use greylisting for incoming mail on my smtp server, and that works brilliantly. Most spambots don't retry. Those that get greytrapped, only get blocked for 24-hours. Between that and Thunderbird's Bayesian filter, very little spam makes it to my inbox, and I get very, very few false positives. |
Bummer. If the receiving domain has a website, it may be worth checking there for contact info.
Quote:
One last thing you can try with 'postmaster' is telnetting to the MX and manually submitting mail to the bare postmaster address: Code:
RCPT TO:<postmaster> |
update: SOLVED
I finally found out which list was blocking my IP: it was the SORBS Dynamic User and Host List (DUHL). This is a list of IP ranges which have been determined to be allocated dynamically, hence, apparently, prone to misuse, presumably by bot networks. It would seem that the IP range in which my IP number falls was once allocated dynamically (this is obviously no longer the case).
One of the mailserver error messages that got bounced back at me indicated this. For some reason, the DNSBL database check I mentioned above didn't include this, perhaps because it is not a true spam blacklist. It was easy enough to fix. There is a kind of (semi-)automated system for requesting delisting from that list on the SORBS site, which requires that you have a correct rDNS entry, which I did. It took about four days, but my IP is now delisted. This is something my ISP should be on top of, but that is another matter. So, it appears that there are various mailserver configurations which use the SORBS DUHL. Most just block you with a generic error message, but some at least say why. Here is my humble wish: If people configure their mailservers to use a list like this, make sure that, when a message gets bounced, the error message explicitly indicates the reason. I don't use any blacklists on my mailserver. I find greylisting catches most spam, and Thunderbird's bayesian filters catch almost all the rest. Actually, that is not 100% true: I also block all IPs in China and South Korea. OK, I am not perfect either.... ;) |
Heh, this is why SORBS sucks. If you search for it on the web you'll find no end of grievances. The list is maintained by a well-known anti-social jerk with very antagonistic views. There are many freely-available DNSBLs that are much higher quality than SORBS. Any time you run into a site using SORBS, recommend that they do a web search and use something better instead.
|
A Google search did indeed turn up some controversies surrounding SORBS.
To be fair though, the delisting procedure for the dynamic host list (DUHL) is fairly straightforward and reasonably quick. Also, my main complaint is not so much with the list itself as with the implementations in spam traps which don't indicate on the basis of which list a mail is being bounced. As I mentioned above, some mail systems properly indicate this, with an URL to the list's host, but many just return a generic error message. |
All times are GMT -5. The time now is 07:48 PM. |