
Issue DNS blackhole lists not working on Google Cloud Server

G J Piper

Regular Pleskian
I'm running the CentOS7/Plesk Onyx Google Cloud server. I configured the Mail settings in the GUI to use these DNS blackhole lists: sbl.spamhaus.org;xbl.spamhaus.org

However, in the mail logs I never see any filtering being done by them. I can see the appropriate setting in the /etc/postfix/main.cf file:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org

I'm running postfix sending smtp through sendgrid email service since Google doesn't allow traffic on the normal outgoing smtp ports, as they recommend.

I turned selinux to "permissive" to see if that was causing anything... no change. It just doesn't seem to "go".

See my sig below for app versions.

Any ideas?
 
I did look into that. The problem exists with both spamassassin and the postfix RBLs -- any of them. So I looked into using /etc/resolv.conf but Google Compute Engine won't let you modify it (it reverts back every time their internal DHCP refreshes), and the only name server listed in it does not seem to resolve anything. Here is what my message log looks like if I manually specify a DNS server in spamassassin's configs:

Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 'q.ns.spamhaus.org/AAAA/IN': 2001:610:510:188:192:16:188:181#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 't.ns.spamhaus.org/A/IN': 2001:610:510:188:192:16:188:181#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 'x.ns.spamhaus.org/A/IN': 2400:cb00:2049:1::a29f:191b#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 't.ns.spamhaus.org/AAAA/IN': 2400:cb00:2049:1::a29f:191b#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 'x.ns.spamhaus.org/AAAA/IN': 2400:cb00:2049:1::a29f:191b#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 'q.ns.spamhaus.org/A/IN': 2400:cb00:2049:1::a29f:191b#53
Jan 31 16:21:15 pcs-plesk-centos7-web-vm named[17304]: error (network unreachable) resolving 'q.ns.spamhaus.org/AAAA/IN': 2400:cb00:2049:1::a29f:191b#53


If I specify OpenDNS's name server in spamassassin's configs directly (using dns_server 208.67.222.222), spamassassin begins working perfectly (using URIBL checks, etc.). However, I can't specify a DNS server to postfix in its own settings, I don't think. However, it all just reveals the main problem, that this /etc/resolv.conf settings file is not resolving for anything:

# cat /etc/resolv.conf
# Generated by NetworkManager
search c.api-project-1046983702557.internal google.internal
nameserver 169.254.169.254


At this point, I'm looking down these paths to try and find one that'll work:
  • Fix bind/named to actually function for resolving, although this may just be a symptom of the internal nameserver IP address not actually resolving too.
  • Get a new nameserver listed in /etc/resolv.conf that actually resolves!
  • Specify a different DNS server directly in postfix somehow, surviving reboots, probably using NetworkManager if it is even possible.
  • Maybe get spamassassin to check the spamhaus lists instead of postfix if I can't get anything else to work.
I have to say, this Google Cloud server is extremely fast, and is incredibly easy to scale, with just the slide of a setting to choose processors, memory, and storage. Plesk runs http2 in it beautifully, getting A+ scores in all the website security screens.

However, there are a few things I don't like, like this /etc/resolv.conf file that can't be directly modified, and the fact they don't allow outgoing email directly from their servers (I'm using SendGrid as the mail relay like their instructions suggest).

This is just a bit beyond my comfort level trying to fix this...
 
I may be getting closer... Bind is running and can be restarted successfully in Plesk GUI, but look at this and advise please:

# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2018-01-31 23:31:22 PST; 3min 50s ago
Process: 814 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

Jan 31 23:31:22 pcs-plesk-centos7-web-vm systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Jan 31 23:31:22 pcs-plesk-centos7-web-vm bash[814]: zone 0.0.127.IN-ADDR.ARPA/IN: loading from master file localhost.rev failed: file not found
Jan 31 23:31:22 pcs-plesk-centos7-web-vm bash[814]: zone 0.0.127.IN-ADDR.ARPA/IN: not loaded due to errors.
Jan 31 23:31:22 pcs-plesk-centos7-web-vm bash[814]: _default/0.0.127.IN-ADDR.ARPA/IN: file not found
Jan 31 23:31:22 pcs-plesk-centos7-web-vm systemd[1]: named.service: control process exited, code=exited status=1
Jan 31 23:31:22 pcs-plesk-centos7-web-vm systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jan 31 23:31:22 pcs-plesk-centos7-web-vm systemd[1]: Unit named.service entered failed state.
Jan 31 23:31:22 pcs-plesk-centos7-web-vm systemd[1]: named.service failed.
 
I am observing that Spamassassin is successfully checking email against the spamhaus RBLs (XBL & SBL) but I still am not seeing postfix check the RBLs even though it is set in the Plesk mail settings. Any ideas?
 
What about editing resolv.conf and then using chattr to set an immutable flag?

Edit (forgot something) - what about setting DNS in the eth interface config;

DNS1=208.67.222.222
DNS2=208.67.220.220
 

I was finally able to successfully (and permanently) add the OpenDNS IP addresses to the /etc/resolv.conf file without locking it. It didn't seem to help postfix's RBL checks (which don't even have any log entries) but it did fix Spamassassin's lookup problems it was having. The problem is I need to check the RBL in postfix, not Spamassassin, because Spamassassin is limited to emails below a certain size while the postfix RBL checks are not.
 
That really makes zero sense. Have you maybe tried reinstalling Postfix to see if it's a Postfix related issue? The no log entries comment is having me think it's a Postfix issue.
 
Oh, there are plenty of postfix log entries, but no entries showing a connection to the RBLs when an email comes in that should trigger it.
I am extremely hesitant to attempt a reinstall of postfix when it is functioning in all other ways. (nor do I know how)
 
Welp, I'll throw out an alternative. How about using a policy manager (cluebringer) which can RBL check before messages are even queued up.
 
Ok so it looks like spamhaus is blocking my queries (and so postfix doesn't bother to log them?! wth?) as if I use just dnsbl.sorbs.net it works fine.
Now, how to get my server unblocked? This apparently might have everything to do with using a Google Compute Engine IP addy?
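
An added example, not part of the original thread: a small Python check that queries each blocklist zone for the conventional DNSBL test entry 127.0.0.2 (RFC 5782) through the system resolver and classifies the reply. The function names are hypothetical, and the 127.255.255.x values are the return codes Spamhaus documents for refused queries; they are not mentioned in the thread.

```python
import ipaddress
import socket

# Spamhaus return codes that signal a refused query, not a listing (assumption:
# taken from Spamhaus documentation, not from the thread).
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(client_ip, zone):
    """Build the name an MTA looks up: reversed IPv4 octets + zone."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone.strip(".")

def classify(answers):
    """Interpret the A records returned for a DNSBL query.

    An empty list (NXDOMAIN or failed lookup) is indistinguishable from
    'not listed', so a broken resolver path produces no rejections.
    """
    if not answers:
        return "not-listed-or-no-answer"
    errors = [SPAMHAUS_ERRORS[a] for a in answers if a in SPAMHAUS_ERRORS]
    if errors:
        return "refused: " + errors[0]
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"
    return "bogus-answer"  # valid DNSBL replies stay inside 127.0.0.0/8

def resolve(qname):
    """Live lookup through the system resolver (the one in /etc/resolv.conf)."""
    try:
        return sorted(set(socket.gethostbyname_ex(qname)[2]))
    except OSError:
        return []

def check(zone, test_ip="127.0.0.2", lookup=resolve):
    """The test entry should always come back 'listed' on a working path."""
    return classify(lookup(dnsbl_qname(test_ip, zone)))

if __name__ == "__main__":
    for zone in ("sbl.spamhaus.org", "xbl.spamhaus.org", "dnsbl.sorbs.net"):
        print(zone, "->", check(zone))
```

Run on the mail server itself, anything other than "listed" for the test entry means the resolver path to that zone is not returning usable answers, which is consistent with the absence of rejections described in the thread.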
 
Well, since you figured out your DNS issue, did you consider checking out the free/paid version of the MagicSpam extension for Plesk and, for example, registering for free at barracudacentral.org for the Barracuda Reputation Block List (BRBL)? I use this combo on several servers, and with the Barracuda RBL enabled, Spamhaus blocks very, very rarely because most get done by Barracuda...
 
I’d go for Barracuda alone, personally I didn’t see MagicSpam that useful.
 
I am now using Barracuda alone in fact, and it seems to work ok so far. I hope to find a Spamhaus solution eventually...
 