RNDS_NONE misfiring on legit mail, dns timeout issues?
I have a SA 3.4.6 instance that doesn't intend to be strange running on
a machine with a local named. Pretty much everything works as one
would expect.

However, I get infrequent falsing where the lookup of the peer MTA's
address fails, so I get a hit on RDNS_NONE. An example is

Received: from mail.netbsd.org (unknown [IPv6:2001:470:a085:999::25])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(No client certificate requested)

and if I look that up, I get the name just as I'd expect. This happens
also with google and comcast servers. I would guess a message or two
per day over 100s of messages.

I wonder if something is being overly aggressive about timing out
lookups and I'm getting unlucky with packet loss, or if there's a bug
someplace else. I guess this is really a postfix question, as that
unknown was put in the Received: line by postfix.

I am also guessing that it isn't SA's place to redo the lookup.

So in closing, I wonder if anyone else is seeing occasional failures in
doing rDNS lookups at SMTP receive time.
Re: RNDS_NONE misfiring on legit mail, dns timeout issues?
On 2021-05-11 at 17:48:39 UTC-0400 (Tue, 11 May 2021 17:48:39 -0400)
Greg Troxel <gdt@lexort.com>
is rumored to have said:

> I wonder if something is being overly aggressive about timing out
> lookups and I'm getting unlucky with packet loss,

As Wietse consistently tells Postfix users, resolver problems are in the resolver.

Frequently, that means /etc/resolv.conf. If you've set tight timeouts there, that's your problem. OR, maybe your OS/distro has tight defaults. OR a squirrel has taken to gnawing your wires...

> or if there's a bug
> someplace else. I guess this is really a postfix question, as that
> unknown was put in the Received: line by postfix.
>
> I am also guessing that it isn't SA's place to redo the lookup.

Both correct. SA relies on the MTA to construct parseable and honest Received headers.

> So in closing, I wonder if anyone else is seeing occasional failures in
> doing rDNS lookups at SMTP receive time.

It happens to me whenever I update BIND and forget to turn off IPv6 resolution (because I have no IPv6 connectivity) in the freshly clobbered startup script. It's exactly that sort of failure pattern: a small number of client IPs don't get looked up properly, but it's not even every time for any of them.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
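Added example, not code from this thread, SpamAssassin, Postfix or BIND: a small offline Python diagnostic for the two things the exchange above points at. It pulls the client IP and the rDNS result out of a Postfix-style Received: header (Postfix writes "unknown" where the PTR lookup failed, which is what RDNS_NONE keys on), and it reads timeout/attempts from resolv.conf text and compares them with the glibc defaults from resolv.conf(5). The sample header, the sample resolv.conf and the floors MIN_TIMEOUT/MIN_ATTEMPTS are constructed assumptions for illustration, not values from the thread.

```python
"""Offline diagnostics for intermittent RDNS_NONE hits.

Added example; not code from the thread, SpamAssassin or Postfix.
1. parse_received(): client IP and rDNS result from a Postfix-style
   Received: header ("unknown" means the PTR lookup failed at SMTP time).
2. resolver_options(): timeout/attempts from resolv.conf text, compared
   with the glibc defaults (timeout:5, attempts:2, per resolv.conf(5)).
"""
import re
from typing import Optional

# --- constructed sample inputs (documentation addresses, not real hosts) ---
SAMPLE_RECEIVED_UNKNOWN = (
    "Received: from mail.example.net (unknown [IPv6:2001:db8:a085:999::25])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)"
)
SAMPLE_RECEIVED_OK = "Received: from mail.example.net (mail.example.net [192.0.2.25])"
SAMPLE_RESOLV_CONF = """# constructed resolv.conf with tight settings
nameserver 127.0.0.1
options timeout:1 attempts:1
"""

# glibc resolver defaults (resolv.conf(5)); used when no 'options' line is set.
GLIBC_TIMEOUT = 5
GLIBC_ATTEMPTS = 2
# Assumed floors: below these a single slow or lost UDP answer becomes RDNS_NONE.
MIN_TIMEOUT = 2
MIN_ATTEMPTS = 2

# Postfix writes: from <HELO> (<rDNS or "unknown"> [<IP>]) ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[^\]]+)\]\)"
)


def parse_received(header: str) -> Optional[dict]:
    """Return helo/ip/rdns from a Received: header; rdns is None when unknown."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    rdns = m.group("rdns")
    return {
        "helo": m.group("helo"),
        "ip": m.group("ip"),
        "rdns": None if rdns.lower() == "unknown" else rdns,
    }


def rdns_failures(headers) -> list:
    """IPs whose PTR lookup failed at SMTP time, for correlating with resolver logs."""
    out = []
    for h in headers:
        parsed = parse_received(h)
        if parsed and parsed["rdns"] is None:
            out.append(parsed["ip"])
    return out


def resolver_options(resolv_conf: str) -> dict:
    """Extract timeout/attempts from resolv.conf text, falling back to glibc defaults."""
    timeout, attempts = GLIBC_TIMEOUT, GLIBC_ATTEMPTS
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("options"):
            continue
        for opt in line.split()[1:]:
            key, _, val = opt.partition(":")
            if key == "timeout" and val.isdigit():
                timeout = int(val)
            elif key == "attempts" and val.isdigit():
                attempts = int(val)
    return {
        "timeout": timeout,
        "attempts": attempts,
        # worst case with a single nameserver before the resolver gives up
        "worst_case_seconds": timeout * attempts,
    }


def assess_resolver(opts: dict) -> list:
    """Findings that would explain a 'one or two in hundreds' failure pattern."""
    findings = []
    if opts["timeout"] < MIN_TIMEOUT:
        findings.append(f"timeout:{opts['timeout']} is below {MIN_TIMEOUT}s; slow PTR answers are dropped")
    if opts["attempts"] < MIN_ATTEMPTS:
        findings.append(f"attempts:{opts['attempts']} means one lost UDP packet fails the lookup")
    return findings


if __name__ == "__main__":
    print("rDNS failures:", rdns_failures([SAMPLE_RECEIVED_UNKNOWN, SAMPLE_RECEIVED_OK]))
    opts = resolver_options(SAMPLE_RESOLV_CONF)
    print("resolver:", opts)
    for finding in assess_resolver(opts):
        print("finding:", finding)
```

Run it against the first Received: header of each message that hit RDNS_NONE and against the real /etc/resolv.conf of the MTA host; a tight options line together with a list of IPs that resolve fine when retried by hand is the signature of the resolver-side problem described above rather than anything SpamAssassin does.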
Re: RNDS_NONE misfiring on legit mail, dns timeout issues?
On Tue, 11 May 2021 17:48:39 -0400
Greg Troxel wrote:

> So in closing, I wonder if anyone else is seeing occasional failures
> in doing rDNS lookups at SMTP receive time.

This is the reason I continued using the Botnet plugin which does its
own lookup. My last-external received header isn't under my control, so
I can't change the timeouts. I meta the header version with the
plugin equivalent.