Daniel Gehriger
gehriger@linkcad.com
Wed, 28 Feb 2007 09:29:00 +0100
Vernon Schryver wrote:
>> From: Daniel Gehriger
>
>>> The complaints about DNS timeouts are not good. Is something wrong
>>> with your DNS system? Dccifd should have at least received NXDOMAIN
>>> for 86.59.190.206.zen.spamhaus.org from your local caching DNS server.
>
>> There shouldn't be any issues with
>> the DNS system. Most of the time, dccifd doesn't complain about timeouts
>> but then I get waves of those messages until a new DCC DNS helper is
>> started.
>
> I suspect that is turned around and that extra dns-helper processes
> are not started until enough of the current helpers have gone missing in
> action (and generated complaints) to convince dccifd to start more.
>
> Dccifd (and dccm) keep track of the numbers of active and free dns-helper
> processes and try to keep at least one spare, inactive. If according
> to the numbers, another helper is needed, it is created before an
> attempt is made to talk to the herd of helpers. If the resolver library
> timeouts are working, then the helpers don't get stuck in the resolver
> library code, and there should never be a problem. If the BIND timeout
> hooks are not present or not working, helpers can be busy waiting
> while dccifd thinks they are idle. Dccifd should eventually realize
> as much and create more helpers, not immediately.
> So I suspect that your system does not have a normal BIND resolver
> library. Does it have the "improved" Linux version?
I have bind 9.2.2:
Name : bind
Version : 9.2.2
Vendor : SuSE Linux AG, Nuernberg, Germany
Release : 31
Build Date : Thu Oct 2 23:15:13 2003
Install date: Wed Mar 1 21:37:35 2006
Group : Productivity/Networking/DNS/Servers
Source RPM : bind-9.2.2-31.src.rpm
Size : 5359971
Packager : http://www.suse.de/feedback
URL : http://www.isc.org/products/BIND/bind9.html
Summary : BIND - Domain Name Server
>
> What messages do you see in the system log from the dns-helper processes?
There are only the initial startup messages in the syslog. The mail log
contains, for instance:
> Feb 28 09:20:14 vps183 dccifd[28510]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,1
> Feb 28 09:20:25 vps183 dccifd[27955]: no DNSBL helper answer
> Feb 28 09:20:25 vps183 dccifd[27955]: 2AORSc DNSBL failed for davecarlson.com, 3.0 msg-secs remaining
> Feb 28 09:20:36 vps183 dccifd[27955]: no DNSBL helper answer
> Feb 28 09:20:36 vps183 dccifd[27955]: 2AORSc DNSBL exhausted 25 msg-secs for bls.hz5mnbmbnpm8wzzonzz6nhhz.acushlagc.com
> Feb 28 09:21:04 vps183 dccifd[29867]: 2AORSe DNSBL answer SMTP client hit for sender 202.54.78.195
> Feb 28 09:21:04 vps183 dccifd[29867]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
> Feb 28 09:21:16 vps183 dccifd[29914]: 2AORSg DNSBL answer SMTP client hit for sender 202.54.78.195
> Feb 28 09:21:16 vps183 dccifd[29914]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
> Feb 28 09:24:04 vps183 dccifd[32522]: no DNSBL helper answer
> Feb 28 09:24:04 vps183 dccifd[32522]: 2AORSi DNSBL failed for sender 206.190.52.120, 14.0 msg-secs remaining
> Feb 28 09:24:15 vps183 dccifd[32522]: no DNSBL helper answer
> Feb 28 09:24:15 vps183 dccifd[32522]: restart DNSBL helpers
> Feb 28 09:24:15 vps183 dccifd[32522]: 2AORSi DNSBL failed for r.leadmailing.com, 3.0 msg-secs remaining
> Feb 28 09:24:15 vps183 dccifd[32764]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,0
>>> However, none of that is relevant to this case, because dccifd says
>>> that it got no answers from your DNS resolver. Besides, "DCC-->spam"
>
>> /var/dcc/libexec/dccifd -Ivscan -tREP,10 -tCMN,50,50 -Bset:debug=5
>> -Brelays.ordb.org,any -Bzen.spamhaus.org,any -llog -wwhiteclnt
>> -Uuserdirs -GIPmask/24 -p 127.0.0.1,10023 127.0.0.1/32 -o
>> 127.0.0.1,10026 -SHELO -Smail_host -SSender -SList-ID
>
> In fact, is there a comma instead of a blank between "127.0.0.1,10023"
> and "127.0.0.1/32"?
Not in the output of 'ps', but in the config file, yes. I attached the
dcc_conf file.
>
> Are you sure those are all of dccifd's args? The rejection message
> for the problematic messages was
> 550 5.7.1 Service unavailable; Mail rejected as SPAM
> That could have been produced with a -B or -r arg, but not otherwise.
You are correct of course. I removed those arguments for clarity.
>
> I have tried a bunch of things, but failed to duplicate anything
> like the problem.
I'll try installing a newer 'bind' library and we'll see if this changes
anything.
- Daniel
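The wave-then-restart pattern in the mail log quoted above can be pulled out mechanically. The script below is an added example, not code from this thread or from the DCC distribution. It parses dccifd log lines of the shape shown (the embedded sample is a constructed copy of the quoted lines), groups the "no DNSBL helper answer" complaints into waves, measures how long each wave ran before a "restart DNSBL helpers" line appeared, totals the message-seconds dccifd reported as exhausted, and checks that every "DNSBL client hit" name is the reversed-octet form of the sender address it was reported for. The 60-second wave gap and the assumption that the first four labels of a hit name are the reversed octets are my choices for the example, not DCC behaviour.

```python
import re
from datetime import datetime

# Constructed sample: a copy of the dccifd mail-log lines quoted in the thread.
SAMPLE_LOG = """\
Feb 28 09:20:14 vps183 dccifd[28510]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,1
Feb 28 09:20:25 vps183 dccifd[27955]: no DNSBL helper answer
Feb 28 09:20:25 vps183 dccifd[27955]: 2AORSc DNSBL failed for davecarlson.com, 3.0 msg-secs remaining
Feb 28 09:20:36 vps183 dccifd[27955]: no DNSBL helper answer
Feb 28 09:20:36 vps183 dccifd[27955]: 2AORSc DNSBL exhausted 25 msg-secs for bls.hz5mnbmbnpm8wzzonzz6nhhz.acushlagc.com
Feb 28 09:21:04 vps183 dccifd[29867]: 2AORSe DNSBL answer SMTP client hit for sender 202.54.78.195
Feb 28 09:21:04 vps183 dccifd[29867]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
Feb 28 09:21:16 vps183 dccifd[29914]: 2AORSg DNSBL answer SMTP client hit for sender 202.54.78.195
Feb 28 09:21:16 vps183 dccifd[29914]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
Feb 28 09:24:04 vps183 dccifd[32522]: no DNSBL helper answer
Feb 28 09:24:04 vps183 dccifd[32522]: 2AORSi DNSBL failed for sender 206.190.52.120, 14.0 msg-secs remaining
Feb 28 09:24:15 vps183 dccifd[32522]: no DNSBL helper answer
Feb 28 09:24:15 vps183 dccifd[32522]: restart DNSBL helpers
Feb 28 09:24:15 vps183 dccifd[32522]: 2AORSi DNSBL failed for r.leadmailing.com, 3.0 msg-secs remaining
Feb 28 09:24:15 vps183 dccifd[32764]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dccifd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NO_ANSWER, RESTART = "no DNSBL helper answer", "restart DNSBL helpers"
FAILED_RE = re.compile(r"^\S+ DNSBL failed for .+, [\d.]+ msg-secs remaining$")
EXHAUSTED_RE = re.compile(r"^\S+ DNSBL exhausted (?P<secs>[\d.]+) msg-secs for \S+$")
SENDER_HIT_RE = re.compile(r"^\S+ DNSBL answer SMTP client hit for sender (?P<ip>[\d.]+)$")
CLIENT_HIT_RE = re.compile(r"^DNSBL client hit (?P<name>\S+)$")

def parse(text):
    """Syslog lines -> [{'ts', 'pid', 'msg'}]; the year-less stamp is fine for deltas."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append({"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                       "pid": int(m.group("pid")), "msg": m.group("msg")})
    return events

def no_answer_waves(events, max_gap=60):
    """Group 'no DNSBL helper answer' lines into waves (successive complaints at
    most max_gap seconds apart). Returns [(first_ts, last_ts, count), ...]."""
    waves = []
    for ev in (e for e in events if e["msg"] == NO_ANSWER):
        if waves and (ev["ts"] - waves[-1][1]).total_seconds() <= max_gap:
            first, _, n = waves[-1]
            waves[-1] = (first, ev["ts"], n + 1)
        else:
            waves.append((ev["ts"], ev["ts"], 1))
    return waves

def seconds_until_restart(events, waves):
    """Per wave: seconds from its first complaint to the next 'restart DNSBL
    helpers' line, or None if dccifd never restarted them."""
    restarts = [e["ts"] for e in events if e["msg"] == RESTART]
    out = []
    for first, _, _ in waves:
        later = [r for r in restarts if r >= first]
        out.append((later[0] - first).total_seconds() if later else None)
    return out

def msg_secs_lost(events):
    """(total msg-secs reported exhausted, number of lookups that failed early)."""
    exhausted = sum(float(m.group("secs")) for m in
                    (EXHAUSTED_RE.match(e["msg"]) for e in events) if m)
    failed = sum(1 for e in events if FAILED_RE.match(e["msg"]))
    return exhausted, failed

def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL name: 202.54.78.195 in zen.spamhaus.org ->
    195.78.54.202.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def check_hits(events):
    """Pair each 'SMTP client hit for sender X' with the next 'DNSBL client hit
    NAME' from the same pid; NAME's first four labels are assumed (my choice)
    to be the reversed octets. Returns [(ip, name, consistent), ...]."""
    pending, results = {}, []
    for ev in events:
        m = SENDER_HIT_RE.match(ev["msg"])
        if m:
            pending[ev["pid"]] = m.group("ip")
            continue
        m = CLIENT_HIT_RE.match(ev["msg"])
        if m and ev["pid"] in pending:
            ip, name = pending.pop(ev["pid"]), m.group("name")
            zone = ".".join(name.split(".")[4:])
            results.append((ip, name, dnsbl_query_name(ip, zone) == name))
    return results

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    waves = no_answer_waves(evs)
    for (first, _, n), delay in zip(waves, seconds_until_restart(evs, waves)):
        print("%d complaints from %s; helpers restarted %s s later"
              % (n, first.strftime("%H:%M:%S"), delay))
    print("msg-secs exhausted, lookups failed:", msg_secs_lost(evs))
    for ip, name, ok in check_hits(evs):
        print(ip, "->", name, "ok" if ok else "MISMATCH")
```

On the sample, the first wave starts at 09:20:25 and no restart follows for 230 seconds, while the second wave is answered by a restart after 11 seconds; run over a real mail log the same functions show how long dccifd tolerates silent helpers before it restarts them.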
#! /bin/sh
# set parameters for DCC start and cron scripts
# from Rhyolite Software DCC 1.3.51-1.57 $Revision$
DCC_CONF_VERSION=3
# don't set DCC_HOMEDIR since if we got here, it must be set
DCC_LIBEXEC=/var/dcc/libexec
DCC_RUNDIR=/var/run/dcc
# DCC user name
DCCUID=vscan
DCCD_ENABLE=off
# DCC server-IDs must be globally unique.
SRVR_ID=
# BRAND can be any short alphanumeric string that hints about the identity
# of the server.
BRAND=
# args used to start dccd such as -6
DCCD_ARGS=
# GREY_CLIENT_ARGS contains "on", "-GnoIP", etc. to turn on greylisting
# in the dccm and dccifd DCC clients.
# Also turns on the local greylist dccd server unless GREY_ENABLE=off
GREY_CLIENT_ARGS=-GIPmask/24
# GREY_ENABLE turns local greylist server 'on' or 'off',
# but does not affect dccm, dccifd
GREY_ENABLE=on
# GREY_SRVR_ID DCC server-IDs must be globally unique, but greylisting dccd
# servers are usually isolated. If you have more than one greylist server,
# ensure that they use distinct server-IDs and that they flood each other
# with entries in /var/dcc/flod
GREY_SRVR_ID=$SRVR_ID
# Start dccd for grey listing or set server options such as -Gweak-IP.
# See also GREY_ENABLE.
GREY_DCCD_ARGS=
# dccm and dccifd client reputation parameters such as -tREP,20
REP_ARGS="-tREP,10"
# DNS blacklist -B parameters for dccifd and dccm
# For example
#DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 mail %s from %s rejected; see http://www.spamhaus.org/xbl/' -Bsbl-xbl.spamhaus.org,any"
# checks SMTP envelope senders and URLs in mail message bodies in the XBL.
DNSBL_ARGS="-Bset:debug=5 '-Bset:rej-msg=5.7.1 554 Service unavailable; Message (id: %s) blocked using relays.ordb.org; http://ordb.org/lookup/?host=%s' -Brelays.ordb.org,any '-Bset:rej-msg=5.7.1 554 Service unavailable; Message (id: %s) blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=%s' -Bzen.spamhaus.org,any"
DCCM_ENABLE=off
# used to start dccm
# a common value is
# DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
# Note the use of single quotes in
# DCCM_ARGS="-SHELO '-r5.7.1 550 mail %s from %s rejected with DCC'"
DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
DCCM_LOGDIR=log
DCCM_WHITECLNT=whiteclnt
DCCM_USERDIRS=userdirs
# set DCCM_LOG_AT to a number that determines "bulk mail" for your situation.
# 50 is a typical value.
# Leave DCCM_REJECT_AT blank until you are confident that most sources of
# solicited bulk mail have been white-listed. Then set it to the number
# that defines "bulk mail" for your site. This rejection or "bulk" threshold
# does not affect the blacklisting of the DCCM_WHITECLNT whitelist file.
# Add '-aIGNORE' to DCCM_ARGS to ignore the bulkiness of mail except to
# add X-DCC headers.
DCCM_LOG_AT=50
DCCM_REJECT_AT=50
# override basic list of DCC server checksums controlling rejections or logging
DCCM_CKSUMS=
# additional DCC server checksums worthy of rejections or logging
DCCM_XTRA_CKSUMS=
DCCIFD_ENABLE=on
# used to start dccifd
# a common value is
# DCCIFD_ARGS="-SHELO -Smail_host -SSender -SList-ID"
DCCIFD_ARGS="-p 127.0.0.1,10023,127.0.0.1/32 -o 127.0.0.1,10026 -SHELO -Smail_host -SSender -SList-ID '-r5.7.1 550 Service unavailable; Mail rejected as SPAM' '-r4.2.1 452 Mail temporarily blocked; Please resend in ten minutes'"
DCCIFD_LOGDIR="$DCCM_LOGDIR"
DCCIFD_WHITECLNT="$DCCM_WHITECLNT"
DCCIFD_USERDIRS="$DCCM_USERDIRS"
DCCIFD_LOG_AT="$DCCM_LOG_AT"
DCCIFD_REJECT_AT="$DCCM_REJECT_AT"
# override basic list of checksums controlling rejections or logging
DCCIFD_CKSUMS="$DCCM_CKSUMS"
# additional DCC server checksums worthy of rejections or logging
DCCIFD_XTRA_CKSUMS="$DCCM_XTRA_CKSUMS"
# days to keep files in DCC log directories
DBCLEAN_LOGDAYS=2
# used to start dbclean, including -e and -E
DBCLEAN_ARGS=
# optionally set to something like "local5" or "local5.notice" for
# dccd, dbclean, and dccm
DCC_INFO_LOG_FACILITY=
DCC_ERROR_LOG_FACILITY=
# ensure that the log facilities include levels and that $DCC_LOGGER
# has a default.
if test -n "$DCC_INFO_LOG_FACILITY"; then
    if expr "X$DCC_INFO_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
        :
    else
        DCC_INFO_LOG_FACILITY="$DCC_INFO_LOG_FACILITY.notice"
    fi
    DCC_LOG_ARGS="$DCC_LOG_ARGS -Linfo,$DCC_INFO_LOG_FACILITY"
fi
if test -z "$DCC_ERROR_LOG_FACILITY"; then
    # for $DCC_LOGGER
    DCC_ERROR_LOG_FACILITY=mail.err
else
    if expr "X$DCC_ERROR_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
        :
    else
        DCC_ERROR_LOG_FACILITY="$DCC_ERROR_LOG_FACILITY.err"
    fi
    DCC_LOG_ARGS="$DCC_LOG_ARGS -Lerror,$DCC_ERROR_LOG_FACILITY"
fi
DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t ${LOGGER_TAG-DCC}"
# do not change the following lines which capture ./configure values
# for make-dcc_conf
Configure_DCC_LIBEXEC=/var/dcc/libexec
Configure_DCC_RUNDIR=/var/run/dcc
Configure_DCCUID=vscan
Configure_DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t ${LOGGER_TAG-DCC}"
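The dcc_conf comments stress the single quotes around the -r and set:rej-msg values. The script below is an added example, not from this thread or from DCC: it splits such a variable the way the shell would, extracts every rejection message, and checks that each carries an enhanced status code and an SMTP reply code that agree in class (RFC 3463 4.x.x goes with a 4yz reply, 5.x.x with 5yz). It also shows the argument vector that results when the quotes are dropped. The two argument strings are copied from the attached dcc_conf; the lint rules are my assumption about what is worth checking, not dccifd's own validation of its arguments.

```python
import re
import shlex

# Copied from the attached dcc_conf, with the outer shell double quotes removed.
DCCIFD_ARGS = ("-p 127.0.0.1,10023,127.0.0.1/32 -o 127.0.0.1,10026 -SHELO -Smail_host "
               "-SSender -SList-ID '-r5.7.1 550 Service unavailable; Mail rejected as SPAM' "
               "'-r4.2.1 452 Mail temporarily blocked; Please resend in ten minutes'")
DNSBL_ARGS = ("-Bset:debug=5 '-Bset:rej-msg=5.7.1 554 Service unavailable; Message (id: %s) "
              "blocked using relays.ordb.org; http://ordb.org/lookup/?host=%s' "
              "-Brelays.ordb.org,any '-Bset:rej-msg=5.7.1 554 Service unavailable; Message "
              "(id: %s) blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=%s' "
              "-Bzen.spamhaus.org,any")

# "<enhanced status> <reply code> <text>", the shape of every example in the config.
REPLY_RE = re.compile(r"^(?P<cls>[245])\.\d{1,3}\.\d{1,3} (?P<code>[245]\d\d) (?P<text>\S.*)$")


def argv_from_conf(value):
    """Split a dcc_conf *_ARGS string into the argv the daemon receives,
    honouring the single quotes the config comments ask for."""
    return shlex.split(value)


def rejection_messages(argv):
    """Return (option, message) for every -r and -Bset:rej-msg= argument."""
    found = []
    for arg in argv:
        if arg.startswith("-r"):
            found.append(("-r", arg[2:]))
        elif arg.startswith("-Bset:rej-msg="):
            found.append(("-Bset:rej-msg", arg[len("-Bset:rej-msg="):]))
    return found


def check_reply(message):
    """Check one rejection message: both codes present, and the enhanced
    status class (its first digit) matches the SMTP reply code class."""
    m = REPLY_RE.match(message)
    if not m:
        return {"ok": False, "reason": "missing or malformed '<x.y.z> <nnn> text' prefix"}
    if m.group("cls") != m.group("code")[0]:
        return {"ok": False, "reason": "enhanced status class %s does not match reply code %s"
                % (m.group("cls"), m.group("code"))}
    return {"ok": True, "code": m.group("code"), "class": m.group("cls")}


def lint(value):
    """Lint every rejection message in a *_ARGS string.
    Returns [(option, message, result), ...]; empty if none were found."""
    return [(opt, msg, check_reply(msg))
            for opt, msg in rejection_messages(argv_from_conf(value))]


def all_ok(value):
    """True only if at least one rejection message is present and all pass."""
    results = lint(value)
    return bool(results) and all(r["ok"] for _, _, r in results)


if __name__ == "__main__":
    for name, value in (("DCCIFD_ARGS", DCCIFD_ARGS), ("DNSBL_ARGS", DNSBL_ARGS)):
        for opt, msg, res in lint(value):
            print("%s %s: %r -> %s" % (name, opt, msg[:40], res))
    # The same -r value with its single quotes left out: the shell splits the
    # message into words and the daemon sees a bare "-r5.7.1" with no reply code.
    unquoted = "-SHELO -r5.7.1 550 Service unavailable; Mail rejected as SPAM"
    print(argv_from_conf(unquoted))
    print(lint(unquoted))
```

Both attached strings pass; the unquoted variant produces a nine-element argv whose -r value is just "5.7.1", which the lint reports as malformed. Checking the class agreement matters because a 5.x.x enhanced code paired with a 4yz reply (or the reverse) tells the sending MTA two different things about whether to retry.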