We've just started testing EFA. It's a great product, but I believe the default inclusion for zen in postfix's main.cf file is such that it can easily lead to the full rejection of all email when spamhaus spits their dummy as they tend to do of late.
EFA correctly provides a solution for local DNS resolution, which is essential for using zen, but the configuration in postfix for lookups in the zen DNSBL is simply included as...
Code: Select all
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org
As per the spamhaus documentation, their system isn't limited to the basic return values in the range 127.0.0.[2..11] for listed IPs. They can also return a value of 127.255.255.0/24.
The 127.255.255.0/24 values are used to signify a rejection of the actual request itself for a few different reasons - excessive request rate, perceived public DNS server traits, open resolvers, and more. Rejecting email based on a return value in that range is simply wrong and will result in rejecting all email while spamhaus are returning their 127.255.255.0/24 values.
Point number 1 covers this in the spamhaus documentation at...
https://www.spamhaus.com/product/help-f ... ror-users/
The correct method of inclusion for zen should be along the lines of...
Code: Select all
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
Code: Select all
... b.barracudacentral.org=127.0.0.2
Code: Select all
... b.barracudacentral.org