Client host rejected


Client host rejected

siefke_listen@web.de
Hello,

I'm trying to run postfix, rspamd and dovecot. The 3 stars :)

Now I try to send mail to the box, and this is what happens:

Nov 18 17:12:35 netcup.silviosiefke.com postfix/smtpd[6215]: NOQUEUE: reject: RCPT from unknown[81.91.160.182]: 450 4.7.25 Client host rejected: cannot find your hostname, [81.91.160.182]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<list-2.denic.de>

This is one example, and the same happens with Gmail and Mail.ru.

postconf -n
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
inet_interfaces = 127.0.0.1, 195.128.103.214
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mydestination =
myhostname = netcup.silviosiefke.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:127.0.0.1:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/letsencrypt/live/netcup.silviosiefke.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/netcup.silviosiefke.com/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

Does anyone here have an idea what goes wrong? If you need more info, ask.

Thank you
Silvio

Re: Client host rejected

Matus UHLAR - fantomas
On 18.11.19 17:16, [hidden email] wrote:
>Now I try to send mail to box and what happen:
>
>Nov 18 17:12:35 netcup.silviosiefke.com postfix/smtpd[6215]: NOQUEUE: reject: RCPT from unknown[81.91.160.182]: 450 4.7.25 Client host rejected: cannot find your hostname, [81.91.160.182]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<list-2.denic.de>

>smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname

"cannot find your hostname" indicates that reject_unknown_client_hostname hit.

182.160.91.81.in-addr.arpa. 86294 IN    PTR     office.denic.de.
office.denic.de.        3480    IN      A       81.91.160.182

seems something is wrong with your (or maybe their) reverse DNS
resolution...

however, that's a temporary error (4xx) and the client should try again.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
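The check that produced the log line above is forward-confirmed reverse DNS: PTR lookup of the client address, then an A lookup of the name the PTR returned, and the name is "known" only if that A answer contains the original address. The following is an added example (my code, not from the thread or from Postfix) that implements that decision against a dict-backed fake resolver; the two reject texts are the ones smtpd logs, and the rule that temporary DNS failures always get 450 no matter what unknown_client_reject_code says is from postconf(5). The sample records are constructed: the two real senders from the thread, plus synthetic failure cases on RFC 5737 documentation addresses.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as Postfix's
reject_unknown_client_hostname evaluates it, run against a fake resolver."""


class TempFail(Exception):
    """Simulated SERVFAIL/timeout: the answer is unknown, not negative."""


class FakeResolver:
    """Dict-backed stand-in for DNS. A value of None is a negative answer
    (NXDOMAIN); the TempFail class marks a query the resolver cannot answer."""

    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a

    def _get(self, table, key):
        value = table.get(key)
        if value is TempFail:
            raise TempFail(key)
        return value

    def ptr(self, ip):
        return self._get(self._ptr, ip)

    def a(self, name):
        return self._get(self._a, name) or []


# Constructed fake DNS data: the two senders from the thread and four
# synthetic failure cases (hypothetical names on documentation prefixes).
RESOLVER = FakeResolver(
    ptr={
        "81.91.160.182": "office.denic.de",
        "212.227.15.4": "mout.web.de",
        "192.0.2.10": "spoof.example",   # PTR names a host that maps elsewhere
        "192.0.2.20": None,              # no PTR record at all
        "192.0.2.30": TempFail,          # reverse zone unreachable
        "192.0.2.40": "half.example",    # PTR fine, forward lookup times out
    },
    a={
        "office.denic.de": ["81.91.160.182"],
        "mout.web.de": ["212.227.15.5", "212.227.15.4", "212.227.15.14"],
        "spoof.example": ["198.51.100.7"],
        "half.example": TempFail,
    },
)


def fcrdns(ip, resolver, unknown_client_reject_code=450):
    """Return (client_name, smtp_code, reason).

    client_name is the verified hostname, or "unknown" as smtpd logs it.
    smtp_code and reason are None for a verified client. Temporary DNS
    failures always get 450 regardless of unknown_client_reject_code."""
    try:
        rname = resolver.ptr(ip)
    except TempFail:
        return "unknown", 450, "cannot find your reverse hostname"
    if rname is None:
        return "unknown", unknown_client_reject_code, "cannot find your reverse hostname"
    try:
        addrs = resolver.a(rname)
    except TempFail:
        return "unknown", 450, "cannot find your hostname"
    if ip not in addrs:
        # PTR resolved, but the name does not point back at the client.
        return "unknown", unknown_client_reject_code, "cannot find your hostname"
    return rname, None, None


def reject_line(ip, resolver, **kw):
    """Format the decision as it appears in the smtpd log, or None if accepted.
    The enhanced status class (4.x / 5.x) follows the numeric reply code."""
    name, code, reason = fcrdns(ip, resolver, **kw)
    if code is None:
        return None
    return "%d %d.7.25 Client host rejected: %s, [%s]" % (code, code // 100, reason, ip)
```

Note which of the two texts the thread's log carries: "cannot find your hostname" (not "reverse hostname") is the branch where a PTR was obtained but the forward lookup of that name failed or did not contain the client address, so the resolver the server used got partway through the check.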

Re: Client host rejected

siefke_listen@web.de
On Mon, 18 Nov 2019 17:23:43 +0100
Matus UHLAR - fantomas <[hidden email]> wrote:

> cannot find your hostname indicated reject_unknown_client_hostname hit.

Ah, thank you, this is what I was searching for.

> seems something is wrong with your (or maybe their) reverse DNS
> resolution...

This is what I have:

[siefke@sisi-dell ~]$ nslookup 195.128.103.214
214.103.128.195.in-addr.arpa name = netcup.silviosiefke.com.

Authoritative answers can be found from:

[siefke@sisi-dell ~]$ dig mx silvio-siefke.de

; <<>> DiG 9.14.7 <<>> mx silvio-siefke.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54615
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;silvio-siefke.de. IN MX

;; ANSWER SECTION:
silvio-siefke.de. 12745 IN MX 20 asia.silviosiefke.com.
silvio-siefke.de. 12745 IN MX 10 netcup.silviosiefke.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mo Nov 18 18:34:50 CET 2019
;; MSG SIZE  rcvd: 105

Thank you for help & Nice day
Silvio
--
Silvio Siefke <[hidden email]>

Re: Client host rejected

Bernardo Reino
On Mon, 18 Nov 2019, [hidden email] wrote:

> On Mon, 18 Nov 2019 17:23:43 +0100
> Matus UHLAR - fantomas <[hidden email]> wrote:
>
>> cannot find your hostname indicated reject_unknown_client_hostname hit.
>
> Ah thank you this what I had search.
>
>> seems something is wrong with your (or maybe their) reverse DNS
>> resolution...
>
> This is what I had:
>
> [siefke@sisi-dell ~]$ nslookup 195.128.103.214
> 214.103.128.195.in-addr.arpa name = netcup.silviosiefke.com.
>

The question is whether your resolver can reverse-resolve the IP address
where the message was coming from, i.e. 81.91.160.182, and not your own
(of your mail server).

$ dig -x 81.91.160.182
office.denic.de. 3600 IN A 81.91.160.182

$ dig office.denic.de
office.denic.de. 3508 IN A 81.91.160.182

which looks OK. See if your resolver also produces the above results.

Cheers.


Re: Client host rejected

Gregory Heytings
In reply to this post by siefke_listen@web.de

>
> Now I try to send mail to box and what happen:
>
> Nov 18 17:12:35 netcup.silviosiefke.com postfix/smtpd[6215]: NOQUEUE:
> reject: RCPT from unknown[81.91.160.182]: 450 4.7.25 Client host
> rejected: cannot find your hostname, [81.91.160.182];
> from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<list-2.denic.de>
>

This means that a reverse lookup of 81.91.160.182 on
netcup.silviosiefke.com fails.  Log into netcup.silviosiefke.com, try "dig
-x 81.91.160.182", and see what happens.

My guess is that if you replace the contents of /etc/resolv.conf by:

nameserver 8.8.8.8
nameserver 8.8.4.4

your problem will likely be solved.

Gregory

Re: Client host rejected

Bill Cole-3
On 18 Nov 2019, at 15:38, Gregory Heytings wrote:
> replace the contents of /etc/resolv.conf by:
>
> nameserver 8.8.8.8
> nameserver 8.8.4.4
>
> your problem will likely be solved.

Note that doing this (using Google's public DNS service) will kill the
effectiveness of DNSBLs and of anti-spam tools like SpamAssassin that
use DNSBLs for scoring. The most common effectiveness problem people
report to us on the Apache SpamAssassin project is the de facto non-use  
of the many DNSBLs (including URIBLs and RHSBLs) SA normally uses,
resulting from the use of shared public and ISP DNS resolvers.
Generally, a mail server should have a caching recursive resolver
running locally: either on the same machine or the same truly local
network. If you have to cross a router and/or a WAN link of some sort
for every DNS lookup, performance will suffer (in addition to the issue
with DNSBLs.) If you use one of the shared resolvers that hijack
NXDOMAIN results or otherwise bowdlerize DNS to suit web browsing,
security is at risk.

Between some distributions adopting Unbound and others changing their
standard BIND configs to be simple caching resolvers, the excuses for
not running a local caching recursive resolver on a mail server have
become quite weak.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: Client host rejected

Viktor Dukhovni
On Tue, Nov 19, 2019 at 09:21:23AM -0500, Bill Cole wrote:

> Generally, a mail server should have a caching recursive resolver
> running locally: either on the same machine or the same truly local
> network.

+1, especially for running on the MTA host itself, on the loopback
interface, with only 127.0.0.1 listed in /etc/resolv.conf.  Make
that a DNSSEC validating resolver, and enable DANE outbound:

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

If you want to share cache hits with other nearby MTAs, the loopback
resolver can forward queries to a shared nearby forwarder.

> Between some distributions adopting Unbound and others changing their
> standard BIND configs to be simple caching resolvers, the excuses for
> not running a local caching recursive resolver on a mail server have
> become quite weak.

Indeed.

--
    Viktor.

Re: Client host rejected

siefke_listen@web.de
In reply to this post by Bernardo Reino
On Mon, 18 Nov 2019 21:08:47 +0100 (CET)
Bernardo Reino <[hidden email]> wrote:

> $ dig -x 81.91.160.182
> office.denic.de. 3600 IN A 81.91.160.182
>
> $ dig office.denic.de
> office.denic.de. 3508 IN A 81.91.160.182
>
> which looks OK. See if your resolver also produces the above results.

dig -x 81.91.160.182
182.160.91.81.in-addr.arpa. 14400 IN PTR office.denic.de.

dig office.denic.de
office.denic.de. 3600 IN A 81.91.160.182

I use unbound.

I have stopped unbound and use the DNS directly via resolv.conf.

cat /etc/resolv.conf
nameserver 46.182.19.48
nameserver 80.241.218.68
nameserver 2a03:b0c0:0:1010::e9a:3001
nameserver 127.0.0.1
search silviosiefke.com

Test mail and result:

Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mout.web.de>

dig -x 212.227.15.4
4.15.227.212.in-addr.arpa. 14109 IN PTR mout.web.de.

dig mout.web.de
mout.web.de. 1800 IN A 212.227.15.5
mout.web.de. 1800 IN A 212.227.15.4
mout.web.de. 1800 IN A 212.227.15.14
mout.web.de. 1800 IN A 212.227.17.12
mout.web.de. 1800 IN A 217.72.192.78
mout.web.de. 1800 IN A 212.227.15.6
mout.web.de. 1800 IN A 212.227.17.11
mout.web.de. 1800 IN A 212.227.15.3

Even with direct DNS contact it will not work. There is a big mistake.


--
Nice Day & Thank you
--
Silvio Siefke <[hidden email]>

Re: Client host rejected

Viktor Dukhovni
On Tue, Nov 19, 2019 at 08:13:49PM +0100, [hidden email] wrote:

> I use unbound.
>
> I have stop unbound an use the dns direct with resolv.conf.

Why did you stop unbound?  Presumably it provides the recursive
service on 127.0.0.1, which is listed below...

> $ cat /etc/resolv.conf
> nameserver 46.182.19.48
> nameserver 80.241.218.68
> nameserver 2a03:b0c0:0:1010::e9a:3001
> nameserver 127.0.0.1
> search silviosiefke.com

What are all those other nameservers?  You should not need anything
other than 127.0.0.1.

> Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
> reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
> cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<mout.web.de>

Is smtpd(8) chrooted?  It may be using a different set of nameservers.

> dig -x 212.227.15.4
> 4.15.227.212.in-addr.arpa. 14109 IN PTR mout.web.de.
>
> dig mout.web.de
> mout.web.de. 1800 IN A 212.227.15.4

This should normally result in a "known" name of mout.web.de.

--
    Viktor.

Re: Client host rejected

siefke_listen@web.de
On Tue, 19 Nov 2019 14:20:43 -0500
Viktor Dukhovni <[hidden email]> wrote:

> Why did you stop unbound?  Presumably it provides the recursive
> service on 127.0.0.1, which is listed below...

It does not work. That's why I put lines pointing directly at nameservers,
and that does not work either.

> > Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
> > reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
> > cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
> > to=<[hidden email]> proto=ESMTP helo=<mout.web.de>
>
> Is smtpd(8) chrooted?  It may be using a different set of nameservers.

Yes, sure. I changed nothing in master.cf, only the auth stuff. So maybe this was it.

Nov 19 20:34:13 netcup.silviosiefke.com postfix/lmtp[16735]: 5180881406: to=<[hidden email]>, relay=netcup.silviosiefke.com[private/dovecot-lmtp], delay=1, delays=0.91/0.02/0.02/0.05, dsn=2.0.0, status=sent (250 2.0.0 <[hidden email]> J/VlD7VD1F1gQQAAJFpQ3g Saved)

So one question I have: why must I change this on this server, while my
master mail server running Debian does not need this change?


Thank you & Nice day
Silvio

Re: Client host rejected

Viktor Dukhovni
On Tue, Nov 19, 2019 at 08:38:53PM +0100, [hidden email] wrote:

> > Why did you stop unbound?  Presumably it provides the recursive
> > service on 127.0.0.1, which is listed below...
>
> It work not.

Then figure out how to make it work.  That should be your one and
only nameserver.

> > > Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
> > > reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
> > > cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
> > > to=<[hidden email]> proto=ESMTP helo=<mout.web.de>
> >
> > Is smtpd(8) chrooted?  It may be using a different set of nameservers.
>
> Yes sure I change nothing in master.cf only auth stuff. So maybe this was it.

There's no "maybe", check.  With a sufficiently recent version of Postfix you
can use:

    $ postconf -F smtp/inet/chroot
 or
    $ postconf -Mf smtp/inet

otherwise, read master.cf.  Then if chrooted (explicitly, or by default), check
the resolv.conf file in the chroot jail.  Running:

    # postfix check

may report whether some files in the chroot differ from those outside.

> Nov 19 20:34:13 netcup.silviosiefke.com postfix/lmtp[16735]: 5180881406:
>   to=<[hidden email]>,
>   relay=netcup.silviosiefke.com[private/dovecot-lmtp], delay=1,
>   delays=0.91/0.02/0.02/0.05, dsn=2.0.0, status=sent (250 2.0.0
>   <[hidden email]> J/VlD7VD1F1gQQAAJFpQ3g Saved)

Not at all clear why logging from the LMTP delivery agent is relevant.

--
    Viktor.

Re: Client host rejected

Matus UHLAR - fantomas
In reply to this post by siefke_listen@web.de
>>On Mon, 18 Nov 2019 17:23:43 +0100 Matus UHLAR - fantomas
>><[hidden email]> wrote:
>>>seems something is wrong with your (or maybe their) reverse DNS
>>>resolution...

>On Mon, 18 Nov 2019, [hidden email] wrote:
>>This is what I had:
>>
>>[siefke@sisi-dell ~]$ nslookup 195.128.103.214
>>214.103.128.195.in-addr.arpa name = netcup.silviosiefke.com.

On 18.11.19 21:08, Bernardo Reino wrote:
>The question is whether your resolver can reverse-resolve the IP
>address where the message was coming from, i.e. 81.91.160.182, and not
>your own (of your mail server).
>
>$ dig -x 81.91.160.182
>office.denic.de. 3600 IN A 81.91.160.182
>
>$ dig office.denic.de
>office.denic.de. 3508 IN A 81.91.160.182

and this is why Silvio (the OP) should not remove important content from
the mail he replies to. I have posted exactly these ;-)
https://marc.info/?l=postfix-users&m=157409426700743&w=2

On 19.11.19 20:13, [hidden email] wrote:

>I use unbound.
>
>I have stop unbound an use the dns direct with resolv.conf.
>
>cat /etc/resolv.conf
>nameserver 46.182.19.48
>nameserver 80.241.218.68
>nameserver 2a03:b0c0:0:1010::e9a:3001
>nameserver 127.0.0.1
>search silviosiefke.com

1. unbound aka 127.0.0.1 should be the first server in resolv.conf, not the
last one. I think some resolvers don't use more than 3 servers.

2. what are those other IPs? Are they recursive servers provided by your ISP?

>Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
>reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
>cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
>to=<[hidden email]> proto=ESMTP helo=<mout.web.de>


>dig -x 212.227.15.4
>4.15.227.212.in-addr.arpa. 14109 IN PTR mout.web.de.

>dig mout.web.de
...
>mout.web.de. 1800 IN A 212.227.15.4
...
>Self with direct dns contact it will not work. There is a big mistake.

>On Tue, 19 Nov 2019 14:20:43 -0500
>Viktor Dukhovni <[hidden email]> wrote:
>> Why did you stop unbound?  Presumably it provides the recursive
>> service on 127.0.0.1, which is listed below...

On 19.11.19 20:38, [hidden email] wrote:
>It work not. That's why so a line direct to nameserver and it work
>also not.

sure? "dig -x 212.227.15.4 @127.0.0.1" should show (with running unbound, of
course)

>> > Nov 19 19:58:20 netcup.silviosiefke.com postfix/smtpd[11593]: NOQUEUE:
>> > reject: RCPT from unknown[212.227.15.4]: 450 4.7.25 Client host rejected:
>> > cannot find your hostname, [212.227.15.4]; from=<[hidden email]>
>> > to=<[hidden email]> proto=ESMTP helo=<mout.web.de>

>> Is smtpd(8) chrooted?  It may be using a different set of nameservers.
>
>Yes sure I change nothing in master.cf only auth stuff. So maybe this was it.

"maybe" is not enough. If your system uses a chrooted smtpd, the
/etc/resolv.conf within that chroot should contain proper

>Nov 19 20:34:13 netcup.silviosiefke.com postfix/lmtp[16735]: 5180881406:
> to=<[hidden email]>,
> relay=netcup.silviosiefke.com[private/dovecot-lmtp], delay=1,
> delays=0.91/0.02/0.02/0.05, dsn=2.0.0, status=sent (250 2.0.0
> <[hidden email]> J/VlD7VD1F1gQQAAJFpQ3g Saved)

this is the lmtp client, not the smtp server, completely unrelated.

>So one question I have. Why I must change this on this server, but my
>master mail server running Debian need this change not.

perhaps your master mail server running debian has different configuration.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
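Two checks came up in the last few messages: Viktor's "is smtpd chrooted, and which resolv.conf does it actually see" (postconf -F smtp/inet/chroot, then the copy under the queue directory), and Matus's point that 127.0.0.1 as the fourth nameserver line is never consulted because the stub resolver stops after three. Added example (my code, not from the thread, Postfix or unbound) that folds both into one audit function, plus Viktor's earlier advice that with smtp_dns_support_level = dnssec only a loopback validating resolver should be listed, since Postfix trusts the AD bit the resolver sets. Assumptions, labelled in the code: glibc's limit of three nameserver entries (MAXNS), the master.cf chroot default flipping from y to n in Postfix 3.0, the default queue_directory /var/spool/postfix, and the postconf -F / -h invocations. The sample resolv.conf is the one the OP posted; the chroot copy is assumed missing.

```python
"""Audit the resolver configuration smtpd(8) actually uses: the resolv.conf
inside the chroot, glibc's three-nameserver limit, and the loopback-only
requirement when Postfix is configured for DNSSEC/DANE."""
import os
import subprocess

MAXNS = 3  # assumption: glibc reads at most this many nameserver lines


def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, in file order,
    ignoring comments and the search/options lines."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_chrooted(postconf_line, postfix_major=3):
    """Interpret a 'postconf -F smtp/inet/chroot' line such as
    'smtp/inet/chroot = y'. '-' means the master.cf default, which
    (assumption) is y before Postfix 3.0 and n from 3.0 on."""
    value = postconf_line.split("=", 1)[1].strip()
    if value == "-":
        return postfix_major < 3
    return value.lower() == "y"


def audit(outside_text, chroot_text, chrooted, dane_enabled):
    """Return a list of findings; an empty list means nothing to fix.
    chroot_text is None when the chroot has no etc/resolv.conf at all."""
    findings = []
    if chrooted:
        if chroot_text is None:
            findings.append("smtpd is chrooted but etc/resolv.conf is missing "
                            "under the queue directory: no nameserver is "
                            "reachable from inside the jail")
        elif parse_nameservers(chroot_text) != parse_nameservers(outside_text):
            findings.append("chroot resolv.conf differs from /etc/resolv.conf; "
                            "smtpd uses the chroot copy")
    text = chroot_text if (chrooted and chroot_text is not None) else outside_text
    servers = parse_nameservers(text)
    used = servers[:MAXNS]
    if "127.0.0.1" in servers and "127.0.0.1" not in used:
        findings.append("127.0.0.1 is listed after %d other nameservers and "
                        "will never be queried (MAXNS=%d)"
                        % (servers.index("127.0.0.1"), MAXNS))
    if dane_enabled and used != ["127.0.0.1"]:
        findings.append("smtp_dns_support_level=dnssec trusts the resolver's "
                        "AD bit; list only the local validating resolver, "
                        "got %r" % (used,))
    return findings


def live_audit(queue_dir="/var/spool/postfix"):
    """Run against the local Postfix (needs postconf; not used by the tests)."""
    chroot_line = subprocess.run(["postconf", "-F", "smtp/inet/chroot"],
                                 capture_output=True, text=True, check=True).stdout
    level = subprocess.run(["postconf", "-h", "smtp_dns_support_level"],
                           capture_output=True, text=True, check=True).stdout
    with open("/etc/resolv.conf") as f:
        outside = f.read()
    chroot_path = os.path.join(queue_dir, "etc", "resolv.conf")
    chroot_text = None
    if os.path.exists(chroot_path):
        with open(chroot_path) as f:
            chroot_text = f.read()
    return audit(outside, chroot_text, is_chrooted(chroot_line),
                 level.strip() == "dnssec")


# Constructed sample: the resolv.conf the OP posted, and the one-line
# version Viktor recommends.
OP_RESOLV_CONF = """\
nameserver 46.182.19.48
nameserver 80.241.218.68
nameserver 2a03:b0c0:0:1010::e9a:3001
nameserver 127.0.0.1
search silviosiefke.com
"""
LOOPBACK_ONLY = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    for finding in live_audit():
        print(finding)
```

Against the OP's file with a chrooted smtpd and no resolv.conf in the jail, the audit reports three things: the missing chroot copy, the unreachable fourth nameserver, and the DANE mismatch. The same file copied into the chroot still leaves the last two, which is why the remedy is a single "nameserver 127.0.0.1" line served by a working unbound, and "postfix check" (or a restart) to refresh the chroot copy.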