postscreen randomly ignore blacklisted IP

[hata_ph]

show output of less /var/log/mail.log | grep combined.mail.abusix.zone

 

[koby]

show output of less /var/log/mail.log | grep combined.mail.abusix.zone

Oct  4 00:06:16 smg01 postfix/dnsblog[30244]: addr 94.102.56.238 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.4
Oct  4 00:06:16 smg01 postfix/dnsblog[30244]: addr 94.102.56.238 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 01:08:39 smg01 postfix/dnsblog[30607]: addr 180.127.108.224 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.4
Oct  4 01:08:39 smg01 postfix/dnsblog[30607]: addr 180.127.108.224 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 01:08:39 smg01 postfix/dnsblog[30607]: addr 180.127.108.224 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 03:58:33 smg01 postfix/dnsblog[31670]: addr 95.181.155.38 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 03:58:33 smg01 postfix/dnsblog[31670]: addr 95.181.155.38 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 05:13:36 smg01 postfix/dnsblog[32187]: addr 162.243.61.162 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 05:13:36 smg01 postfix/dnsblog[32187]: addr 162.243.61.162 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 05:53:07 smg01 postfix/dnsblog[338]: addr 37.49.225.199 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 05:53:07 smg01 postfix/dnsblog[338]: addr 37.49.225.199 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.4
Oct  4 05:53:07 smg01 postfix/dnsblog[338]: addr 37.49.225.199 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 05:53:07 smg01 postfix/dnsblog[338]: addr 37.49.225.199 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 07:25:30 smg01 postfix/dnsblog[1131]: addr 114.237.109.37 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 07:25:30 smg01 postfix/dnsblog[1131]: addr 114.237.109.37 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.4
Oct  4 07:25:30 smg01 postfix/dnsblog[1131]: addr 114.237.109.37 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 08:42:27 smg01 postfix/dnsblog[5629]: addr 89.33.192.71 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 08:42:27 smg01 postfix/dnsblog[5629]: addr 89.33.192.71 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 10:28:46 smg01 postfix/dnsblog[14856]: addr 84.94.225.136 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 10:51:39 smg01 postfix/dnsblog[15633]: addr 194.90.76.225 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 11:35:11 smg01 postfix/dnsblog[15974]: addr 83.97.20.31 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.11
Oct  4 12:51:32 smg01 postfix/dnsblog[16939]: addr 118.27.33.96 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 12:51:32 smg01 postfix/dnsblog[16939]: addr 118.27.33.96 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 12:53:56 smg01 postfix/dnsblog[16977]: addr 212.29.237.111 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3

 

[hata_ph]

Pls show output grep 66.206.0.122 /var/log/mail.log

 

[koby]

Pls show output grep 66.206.0.122 /var/log/mail.log

Here you go...

root@smg01:/var/log# grep 66.206.0.122 /var/log/mail.log
Oct  4 03:35:57 smg01 postfix/postscreen[31540]: CONNECT from [66.206.0.122]:41926 to [207.154.215.33]:25
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.3
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.12
Oct  4 03:35:57 smg01 postfix/dnsblog[31546]: addr 66.206.0.122 listed by domain 69e6d1a2cee5f01150efd8e0b17c4c3e.combined.mail.abusix.zone as 127.0.0.2
Oct  4 03:36:03 smg01 postfix/postscreen[31540]: PASS NEW [66.206.0.122]:41926
Oct  4 03:36:03 smg01 postfix/smtpd[31553]: connect from unknown[66.206.0.122]
Oct  4 03:36:06 smg01 postfix/smtpd[31553]: NOQUEUE: client=unknown[66.206.0.122]
Oct  4 03:36:10 smg01 postfix/smtpd[31553]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (610A85F7918F6E3965); from=<support@jabalierty.net> to=<meir@mksoft.co.il> proto=ESMTP helo=<66-206-0-122.cprapid.com>
Oct  4 03:36:10 smg01 postfix/smtpd[31553]: disconnect from unknown[66.206.0.122] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct  4 03:39:30 smg01 postfix/anvil[31555]: statistics: max connection rate 1/60s for (smtpd:66.206.0.122) at Oct  4 03:36:03
Oct  4 03:39:30 smg01 postfix/anvil[31555]: statistics: max connection count 1 for (smtpd:66.206.0.122) at Oct  4 03:36:03

 

[hata_ph]

Can your PMG ping 122.0.206.66.dnsbl.sorbs.net?

 

[koby]

Can your PMG ping 122.0.206.66.dnsbl.sorbs.net?

Here it is ...

root@smg01:/var/log# ping 122.0.206.66.dnsbl.sorbs.net
PING 122.0.206.66.dnsbl.sorbs.net (127.0.0.6) 56(84) bytes of data.
64 bytes from 127.0.0.6 (127.0.0.6): icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 127.0.0.6 (127.0.0.6): icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 127.0.0.6 (127.0.0.6): icmp_seq=3 ttl=64 time=0.034 ms
^C
--- 122.0.206.66.dnsbl.sorbs.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 32ms
rtt min/avg/max/mdev = 0.022/0.032/0.040/0.007 ms
root@smg01:/var/log#

 

[hata_ph]

Show output of grep dnsbl.sorbs.net /var/log/mail.log

 

[koby]

Show output of grep dnsbl.sorbs.net /var/log/mail.log

root@smg01:/var/log# grep dnsbl.sorbs.net /var/log/mail.log
Oct  4 03:58:36 smg01 postfix/dnsblog[31674]: addr 95.181.155.38 listed by domain dnsbl.sorbs.net as 127.0.0.6
Oct  4 05:13:38 smg01 postfix/dnsblog[32188]: addr 162.243.61.162 listed by domain dnsbl.sorbs.net as 127.0.0.6
Oct  4 07:25:30 smg01 postfix/dnsblog[1135]: addr 114.237.109.37 listed by domain dnsbl.sorbs.net as 127.0.0.7
Oct  4 08:08:00 smg01 postfix/dnsblog[3387]: addr 209.85.219.178 listed by domain dnsbl.sorbs.net as 127.0.0.6
Oct  4 12:19:42 smg01 postfix/dnsblog[16558]: addr 54.240.52.186 listed by domain dnsbl.sorbs.net as 127.0.0.6
Oct  4 12:44:44 smg01 postfix/postscreen[16887]: warning: dnsblog reply timeout 10s for dnsbl.sorbs.net
Oct  4 12:51:32 smg01 postfix/dnsblog[16959]: addr 118.27.33.96 listed by domain dnsbl.sorbs.net as 127.0.0.6

 

[hata_ph]

Oct 4 12:44:44 smg01 postfix/postscreen[16887]: warning: dnsblog reply timeout 10s for dnsbl.sorbs.net

I suspect this is the problem. You PMG having timeout when query dnsbl.sorbs.net. Does it happen frequently? Are you using google DNS for DNS resolution?

 

[koby]

I suspect this is the problem. You PMG having timeout when query dnsbl.sorbs.net. Does it happen frequently? Are you using google DNS for DNS resolution?

No,
I do not see it very often , The vm is Digital Ocean VM , no google dns.

My dns is :
nameserver 67.207.67.3

I think that I will do a close follow up on this and update accordingly.
Thanks for you help.