Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

DNSRBL config

DNSRBL config

2006-11-13 by BERTRAND Joël

Hello,

	I'm trying to configure dnsrbl in 3.0rc7 without any success. I have 
added in configure script a -lbind to build the package with 
--enable-dnsrbl (and of course thread-safe). I have started 
milter-greylist with verbose option and I obtain :

acl 243 greylist dnsrbl "SORBS-HTTP" [delay 3600]
acl 247 greylist dnsrbl "SORBS-SOCKS" [delay 3600]
acl 251 greylist dnsrbl "SORBS-MISC" [delay 3600]
acl 255 greylist dnsrbl "SORBS-SMTP" [delay 3600]
acl 259 greylist dnsrbl "SORBS-SPAM" [delay 3600]
acl 262 greylist dnsrbl "SORBS-WEB" [delay 3600]
acl 266 greylist dnsrbl "SORBS-BLOCK" [delay 3600]
acl 270 greylist dnsrbl "SORBS-ZOMBIE" [delay 3600]
acl 274 greylist dnsrbl "SORBS-DUL" [delay 3600]
acl 276 greylist [delay 600] default

	Good. But with tcpdump, I don't see any request to sorbs zone. Delay is 
always equal to 600 s. Thus, I have added a watchpoint in dnsrbl.c :

         anslen = res_nquery(&res, req, C_IN, qtype, ans, NS_MAXMSG + 1);
         mg_log(LOG_ERR, "DNSRBL: %d\n", anslen);
         if (anslen == -1)
                 goto end;

	In the log, I can see :

Nov 13 09:40:24 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:40:28 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:40:28 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:40:28 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:42:52 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:44:51 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:45:17 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:45:59 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:46:55 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:47:50 rayleigh milter-greylist: DNSRBL: -1
Nov 13 09:49:01 rayleigh milter-greylist: DNSRBL: -1

	All returned values are -1 (and no one request to sorbs...). Any idea ?

	Regards,

	JKB

Re: [milter-greylist] DNSRBL config

2006-11-13 by BERTRAND Joël

I have tried to debug... See my code below :

         if ((ans = malloc(NS_MAXMSG + 1)) == NULL) {
                 mg_log(LOG_ERR, "malloc failed: %s", strerror(errno));
                 goto end;
         }
         anslen = res_nquery(&res, req, C_IN, qtype, ans, NS_MAXMSG + 1);
         mg_log(LOG_ERR, "DNSRBL: %d (%s, %d, %s, %d)\n", anslen, req, 
qtype, ans, NS_MAXMSG + 1);
         if (anslen == -1)
         {
                 goto end;
         }

	It comes from dnsrbl.c. When I use the so-obtained greylist-milter, I 
receive in the log :

Nov 13 22:55:46 rayleigh milter-greylist: DNSRBL: -1 
(248.28.217.196.dnsbl.sorbs.net, 1, \ufffdt\ufffd\ufffdt\ufffd, 65536)

that indicates an error. But on the server where runs milter-greylist, I 
can launch :
dig QUERY 248.28.217.196.dnsbl.sorbs.net
and this request works ! What is the difference between a dig request 
and the request sent by milter-greylist ?

	Configuration : i386, debian testing.

	Regards,

	JKB

Re: [milter-greylist] DNSRBL config

2006-11-13 by Matt Kettler

BERTRAND Jo\ufffdl wrote:
> 	I have tried to debug... See my code below :

<snip>
> 	It comes from dnsrbl.c. When I use the so-obtained greylist-milter, I 
> receive in the log :
> 
> Nov 13 22:55:46 rayleigh milter-greylist: DNSRBL: -1 
> (248.28.217.196.dnsbl.sorbs.net, 1, \ufffdt\ufffd\ufffdt\ufffd, 65536)
> 
> that indicates an error. But on the server where runs milter-greylist, I 
> can launch :
> dig QUERY 248.28.217.196.dnsbl.sorbs.net
> and this request works ! What is the difference between a dig request 
> and the request sent by milter-greylist ?

Check your /etc/resolv.conf. Are there any dead nameservers in it?

Test each and every nameserver entry running:

dig @<ip address from resolv.conf> QUERY 248.28.217.196.dnsbl.sorbs.net

Re: [milter-greylist] DNSRBL config

2006-11-14 by BERTRAND Joël

Hello,

> Check your /etc/resolv.conf. Are there any dead nameservers in it?

Resolv.conf :
rayleigh:[~] > cat /etc/resolv.conf
search systella.fr
nameserver 192.168.0.128

	This server runs a bind9 daemon.

rayleigh:[~] > ping dnsbl.sorbs.net
PING dnsbl.sorbs.net (217.160.75.23): 56 data bytes
64 bytes from 217.160.75.23: icmp_seq=0 ttl=55 time=54.3 ms
64 bytes from 217.160.75.23: icmp_seq=1 ttl=55 time=53.3 ms

--- dnsbl.sorbs.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 53.3/53.8/54.3 ms
rayleigh:[~] >

	And this bind9 daemon works fine (for a long time...).

> Test each and every nameserver entry running:
> 
> dig @<ip address from resolv.conf> QUERY 248.28.217.196.dnsbl.sorbs.net

rayleigh:[~] > dig @192.168.0.128 QUERY 248.28.217.196.dnsbl.sorbs.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9976
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;QUERY.                         IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     A.ROOT-SERVERS.NET. 
NSTLD.VERISI
GN-GRS.COM. 2006111301 1800 900 604800 86400

;; Query time: 53 msec
;; SERVER: 192.168.0.128#53(192.168.0.128)
;; WHEN: Tue Nov 14 10:36:48 2006
;; MSG SIZE  rcvd: 98


; <<>> DiG 9.3.2-P1 <<>> @192.168.0.128 QUERY 248.28.217.196.dnsbl.sorbs.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 10, ADDITIONAL: 10

;; QUESTION SECTION:
;248.28.217.196.dnsbl.sorbs.net.        IN      A

;; ANSWER SECTION:
248.28.217.196.dnsbl.sorbs.net. 3600 IN A       127.0.0.7
248.28.217.196.dnsbl.sorbs.net. 3600 IN A       127.0.0.10

;; AUTHORITY SECTION:
dnsbl.sorbs.net.        37211   IN      NS      rbldns1.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbldns2.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbldns3.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbldns4.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbldns5.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbldns6.sorbs.net.
dnsbl.sorbs.net.        37211   IN      NS      rbl1.oregonstate.edu.
dnsbl.sorbs.net.        37211   IN      NS      rbl2.oregonstate.edu.
dnsbl.sorbs.net.        37211   IN      NS      sorbs.bl.xs4all.nl.
dnsbl.sorbs.net.        37211   IN      NS      rbldns0.sorbs.net.

;; ADDITIONAL SECTION:
rbl1.oregonstate.edu.   42439   IN      A       128.193.0.30
rbl2.oregonstate.edu.   42477   IN      A       128.193.0.130
sorbs.bl.xs4all.nl.     42498   IN      A       194.109.9.11
rbldns0.sorbs.net.      3531    IN      A       203.15.51.34
rbldns1.sorbs.net.      3364    IN      A       82.165.13.243
rbldns2.sorbs.net.      3531    IN      A       209.209.1.20
rbldns3.sorbs.net.      3531    IN      A       209.142.2.10
rbldns4.sorbs.net.      74226   IN      A       64.124.52.230
rbldns5.sorbs.net.      3012    IN      A       194.134.35.168
rbldns6.sorbs.net.      3012    IN      A       194.134.35.204

;; Query time: 44 msec
;; SERVER: 192.168.0.128#53(192.168.0.128)
;; WHEN: Tue Nov 14 10:36:48 2006
;; MSG SIZE  rcvd: 479

rayleigh:[~] >

	I don't understand...

	Regards,

	JKB

Re: [milter-greylist] DNSRBL config

2006-11-14 by Oliver Fromme

BERTRAND Jo\ufffdl wrote:
 > [Problems with dnsbl.sorbs.net ...]
 > 	I don't understand...

I'm not sure if this helps, but there are quite some
differences between normal applications that use the
libresolv (usually part of the libc), such as milter-
greylist, and tools like dig, nslookup and host which
contain special resolver code.  For example, these
tools ignore /etc/hosts completely, and they always
query only the first nameserver, without falling back
to the next one if it fails.

Maybe those differences are causing the symptoms that
you are seeing.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Perl is worse than Python because people wanted it worse.
        -- Larry Wall

Re: [milter-greylist] DNSRBL config

2006-11-14 by BERTRAND Joël

Oliver Fromme a \ufffdcrit :
> 
> 
> 
> BERTRAND Jo\ufffdl wrote:
>  > [Problems with dnsbl.sorbs.net ...]
>  > I don't understand...
> 
> I'm not sure if this helps, but there are quite some
> differences between normal applications that use the
> libresolv (usually part of the libc), such as milter-
> greylist, and tools like dig, nslookup and host which
> contain special resolver code. For example, these
> tools ignore /etc/hosts completely, and they always
> query only the first nameserver, without falling back
> to the next one if it fails.
> 
> Maybe those differences are causing the symptoms that
> you are seeing.

	Maybe. My /etc/hosts is :
rayleigh:[~] > cat /etc/hosts
127.0.0.1       localhost
192.168.254.1   rayleigh.systella.fr    rayleigh
192.168.0.128   weierstrass.systella.fr weierstrass

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
rayleigh:[~] >

	and I don't see any mistake :-( When I have more time, I shall test a 
simple program with a libbind resolution...

	Regards,

	JKB

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.