How "safe" is reject_unknown_helo_hostname?


How "safe" is reject_unknown_helo_hostname?

allenc
I have been looking at the configuration parameter
"reject_unknown_helo_hostname", with a view to using it to resist spam.

I know it is reasonably safe to reject an incoming email on an invalid or
non-fqdn HELO hostname, but *UNKNOWN?*

I don't receive a sufficient corpus of email to make a reasoned judgment.

Your comments would be appreciated.

Allen C


Re: How "safe" is reject_unknown_helo_hostname?

@lbutlr
On 25 Apr 2019, at 17:56, Allen Coates <[hidden email]> wrote:
> I have been looking at the configuration parameter
> "reject_unknown_helo_hostname", with a view to using it to resist spam.

I don't think that's going to be helpful enough to make up for the legitimate messages you will lose. Not all senders have a valid hostname.

You might try it with a warn_if_reject directive and see how many hits you get, but I think you'll find it rejects too much mail you want.


--
Where there is a party, everyone is there
Everyone will leave at exactly the same time
When this party is over it will start again
But not been any different be exactly the same





Re: How "safe" is reject_unknown_helo_hostname?

Noel Jones-2
On 4/25/2019 7:24 PM, @lbutlr wrote:
> On 25 Apr 2019, at 17:56, Allen Coates <[hidden email]> wrote:
>> I have been looking at the configuration parameter
>> "reject_unknown_helo_hostname", with a view to using it to resist spam.
>
> I don't think that's going to be helpful enough to make up for the legitimate messages you will lose. Not all senders have a valid hostname.
>
> You might try it with a warn_if_reject directive and see how many hits you get, but I think you'll find it rejects too much mail you want.
>
>


+1

Last time I tried that parameter (with warn_if_reject) it hit more
ham than spam.  But YMMV, so give it a whirl.


   -- Noel Jones

Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
In reply to this post by allenc
On 25 Apr 2019, at 19:56, Allen Coates wrote:

> I have been looking at the configuration parameter
> "reject_unknown_helo_hostname", with a view to using it to resist
> spam.

It is not useful, unless you are willing to reject mail from hosts which
send no spam and which are impervious to behavioral influence.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: How "safe" is reject_unknown_helo_hostname?

Brent Clark-4
Good day Guys

I use it.

But you need to add and whitelist accordingly.

I.e.
check_helo_access hash:/etc/postfix/check_helo_access

Oddly enough, I have only ever had to whitelist

root@mail ~ # cat /etc/postfix/check_helo_access
fwd-out.cmp.livemail.co.uk OK

HTH

Regards
Brent Clark

On 2019/04/26 05:20, Bill Cole wrote:
> On 25 Apr 2019, at 19:56, Allen Coates wrote:
>
>> I have been looking at the configuration parameter
>> "reject_unknown_helo_hostname", with a view to using it to resist spam.
>
> It is not useful, unless you are willing to reject mail from hosts which
> send no spam and which are impervious to behavioral influence.
>

Re: How "safe" is reject_unknown_helo_hostname?

Matus UHLAR - fantomas
>>On 25 Apr 2019, at 19:56, Allen Coates wrote:
>>
>>>I have been looking at the configuration parameter
>>>"reject_unknown_helo_hostname", with a view to using it to resist spam.

On 26.04.19 10:35, Brent Clark wrote:

>I use it.
>
>But you need to add and whitelist accordingly.
>
>I.e.
>check_helo_access hash:/etc/postfix/check_helo_access
>
>Oddly enough, I have only ever had to whitelist
>
>root@mail ~ # cat /etc/postfix/check_helo_access
>fwd-out.cmp.livemail.co.uk OK

The same here (multiple servers). Rarely need it.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: How "safe" is reject_unknown_helo_hostname?

Phil Stracchino
In reply to this post by allenc
On 4/25/19 7:56 PM, Allen Coates wrote:
> I have been looking at the configuration parameter
> "reject_unknown_helo_hostname", with a view to using it to resist spam.
>
> I know it is reasonably safe to reject an incoming email on an invalid or
> non-fqdn HELO hostname, but *UNKNOWN?*
>
> I don't receive a sufficient corpus of email to make a reasoned judgment.
>
> Your comments would be appreciated.


I don't see a fundamental risk in rejecting mail from servers claiming a
HELO hostname that doesn't resolve.  If you're already going to reject
HELO from non-fqdn or invalid hostnames, why accept it from ones that
don't resolve at all?


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: How "safe" is reject_unknown_helo_hostname?

allenc
I can see that a mail-host might announce itself as "example.com" and not
"mail.example.com". Getting DNS configuration letter-perfect can be quite tricky.

One must be tolerant of SOME mistakes - but absolute rubbish, reserved TLDs and
people claiming to be me will be thrown out (at this server) whatever the RFCs
might say.

It is getting the balance right...

Allen C


On 26/04/2019 14:46, Phil Stracchino wrote:

> On 4/25/19 7:56 PM, Allen Coates wrote:
>> I have been looking at the configuration parameter
>> "reject_unknown_helo_hostname", with a view to using it to resist spam.
>>
>> I know it is reasonably safe to reject an incoming email on an invalid or
>> non-fqdn HELO hostname, but *UNKNOWN?*
>>
>> I don't receive a sufficient corpus of email to make a reasoned judgment.
>>
>> Your comments would be appreciated.
>
>
> I don't see a fundamental risk in rejecting mail from servers claiming a
> HELO hostname that doesn't resolve.  If you're already going to reject
> HELO from non-fqdn or invalid hostnames, why accept it from ones that
> don't resolve at all?
>
>

Re: How "safe" is reject_unknown_helo_hostname?

Phil Stracchino
On 4/26/19 10:17 AM, Allen Coates wrote:
> I can see that a mail-host might announce itself as "example.com" and not
> "mail.example.com"   Getting DNS configuration letter-perfect can be quite tricky.

Point.

I do note that unknown_hostname_reject_code defaults to 450, a tempfail.
There is also a specific unknown_helo_hostname_tempfail_action
directive, which defaults to defer_if_permit.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
In reply to this post by Phil Stracchino
On 26 Apr 2019, at 9:46, Phil Stracchino wrote:

> On 4/25/19 7:56 PM, Allen Coates wrote:
>> I have been looking at the configuration parameter
>> "reject_unknown_helo_hostname", with a view to using it to resist
>> spam.
>>
>> I know it is reasonably safe to reject an incoming email on an
>> invalid or
>> non-fqdn HELO hostname, but *UNKNOWN?*
>>
>> I don't receive a sufficient corpus of email to make a reasoned
>> judgment.
>>
>> Your comments would be appreciated.
>
>
> I don't see a fundamental risk in rejecting mail from servers claiming
> a
> HELO hostname that doesn't resolve.

There have been varied interpretations (and wordings) of the *21 RFCs
that define what the HELO name should be. For example, for a long while
machines handling hotmail.com mail said simply "EHLO hotmail.com" which
almost makes sense in a RFC821 world. Preserving the tradition, today
many of the machines that handle outbound hotmail.com mail EHLO with
names that do not resolve, but look like clear transforms of the names
to which their IP PTR records point, as if someone missed the
announcement of the new way to construct a mail system outbound node
name. These issues tend to self-resolve over time, but there seems to be
an endless supply of new(?) machines using wrong forms.

If you really want to randomly reject a small unpredictable fraction of
all mail from one of the largest mail providers in the world, that is a
choice you are free to make. Or whitelist much of a half-dozen Class A
networks to be safe...

> If you're already going to reject
> HELO from non-fqdn or invalid hostnames, why accept it from ones that
> don't resolve at all?

People make typos. People misunderstand naming conventions. People miss
memos on the rollout of new naming conventions. The HELO name is
historically an entirely insignificant SMTP argument which has been
imperfectly specified and which RFCs have said should not be policed.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: How "safe" is reject_unknown_helo_hostname?

Phil Stracchino
On 4/26/19 5:15 PM, Bill Cole wrote:

> On 26 Apr 2019, at 9:46, Phil Stracchino wrote:
>> I don't see a fundamental risk in rejecting mail from servers claiming
>> a HELO hostname that doesn't resolve.
>
> There have been varied interpretations (and wordings) of the *21 RFCs
> that define what the HELO name should be. For example, for a long while
> machines handling hotmail.com mail said simply "EHLO hotmail.com" which
> almost makes sense in a RFC821 world. Preserving the tradition, today
> many of the machines that handle outbound hotmail.com mail EHLO with
> names that do not resolve, but look like clear transforms of the names
> to which their IP PTR records point, as if someone missed the
> announcement of the new way to construct a mail system outbound node
> name. These issues tend to self-resolve over time, but there seems to be
> an endless supply of new(?) machines using wrong forms.
>
> If you really want to randomly reject a small unpredictable fraction of
> all mail from one of the largest mail providers in the world, that is a
> choice you are free to make. Or whitelist much of a half-dozen Class A
> networks to be safe...

You know, I don't think I know *anyone* who still has a hotmail.com
email address.

>> If you're already going to reject
>> HELO from non-fqdn or invalid hostnames, why accept it from ones that
>> don't resolve at all?
>
> People make typos. People misunderstand naming conventions. People miss
> memos on the rollout of new naming conventions. The HELO name is
> historically an entirely insignificant SMTP argument which has been
> imperfectly specified and which RFCs have said should not be policed.

True.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
On 27 Apr 2019, at 14:20, Phil Stracchino wrote:

> On 4/26/19 5:15 PM, Bill Cole wrote:
>> On 26 Apr 2019, at 9:46, Phil Stracchino wrote:
>>> I don't see a fundamental risk in rejecting mail from servers
>>> claiming
>>> a HELO hostname that doesn't resolve.
>>
>> There have been varied interpretations (and wordings) of the *21 RFCs
>> that define what the HELO name should be. For example, for a long
>> while
>> machines handling hotmail.com mail said simply "EHLO hotmail.com"
>> which
>> almost makes sense in a RFC821 world. Preserving the tradition, today
>> many of the machines that handle outbound hotmail.com mail EHLO with
>> names that do not resolve, but look like clear transforms of the
>> names
>> to which their IP PTR records point, as if someone missed the
>> announcement of the new way to construct a mail system outbound node
>> name. These issues tend to self-resolve over time, but there seems to
>> be
>> an endless supply of new(?) machines using wrong forms.
>>
>> If you really want to randomly reject a small unpredictable fraction
>> of
>> all mail from one of the largest mail providers in the world, that is
>> a
>> choice you are free to make. Or whitelist much of a half-dozen Class
>> A
>> networks to be safe...
>
> You know, I don't think I know *anyone* who still has a hotmail.com
> email address.

Not relevant, since that sending infrastructure is not used only or even
mostly for senders with hotmail.com addresses. If you receive
substantial amounts of person-to-person business email your system
probably talks to that mega-system every day.





--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: How "safe" is reject_unknown_helo_hostname?

@lbutlr
On 27 Apr 2019, at 13:17, Bill Cole <[hidden email]> wrote:
> Not relevant, since that sending infrastructure is not used only or even mostly for senders with hotmail.com addresses. If you receive substantial amounts of person-to-person business email your system probably talks to that mega-system every day.

Maybe. But my logs contain no mention of hotmail.com

I thought all of that was migrated over to live.com or outlook or something several years ago.

If I check the spam logs I see a few, but very few, lines like:

mail postfix/postscreen[14410]: NOQUEUE: reject: RCPT from [222.140.138.240]:9302: 550 5.7.1 Service unavailable; client [222.140.138.240] blocked using zen.spamhaus.org; from=<[hidden email]>, to=<***>, proto=ESMTP, helo=<hn.kd.ny.adsl>

mail postfix/postscreen[66150]: NOQUEUE: reject: RCPT from [117.68.192.87]:60193: 550 5.7.1 Service unavailable; client [117.68.192.87] blocked using zen.spamhaus.org; from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP, helo=<hotmail.com>

(the last one I didn't bother to munge as the email too is invalid.)

Do you still see connections from hotmail.com mail servers?


--
I have a love child who sends me hate mail



Re: How "safe" is reject_unknown_helo_hostname?

TG Servers
In reply to this post by Bill Cole-3


On 27 April 2019 21:18:14 "Bill Cole"
<[hidden email]> wrote:

> On 27 Apr 2019, at 14:20, Phil Stracchino wrote:
>
>> On 4/26/19 5:15 PM, Bill Cole wrote:
>>> On 26 Apr 2019, at 9:46, Phil Stracchino wrote:
>>>> I don't see a fundamental risk in rejecting mail from servers
>>>> claiming
>>>> a HELO hostname that doesn't resolve.
>>>
>>> There have been varied interpretations (and wordings) of the *21 RFCs
>>> that define what the HELO name should be. For example, for a long
>>> while
>>> machines handling hotmail.com mail said simply "EHLO hotmail.com"
>>> which
>>> almost makes sense in a RFC821 world. Preserving the tradition, today
>>> many of the machines that handle outbound hotmail.com mail EHLO with
>>> names that do not resolve, but look like clear transforms of the
>>> names
>>> to which their IP PTR records point, as if someone missed the
>>> announcement of the new way to construct a mail system outbound node
>>> name. These issues tend to self-resolve over time, but there seems to
>>> be
>>> an endless supply of new(?) machines using wrong forms.
>>>
>>> If you really want to randomly reject a small unpredictable fraction
>>> of
>>> all mail from one of the largest mail providers in the world, that is
>>> a
>>> choice you are free to make. Or whitelist much of a half-dozen Class
>>> A
>>> networks to be safe...
>>
>> You know, I don't think I know *anyone* who still has a hotmail.com
>> email address.
>
> Not relevant, since that sending infrastructure is not used only or even
> mostly for senders with hotmail.com addresses. If you receive
> substantial amounts of person-to-person business email your system
> probably talks to that mega-system every day.

Bill, so your suggestion is clear on that one. But you mean to keep
reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname, right?



Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
In reply to this post by @lbutlr
On 27 Apr 2019, at 15:23, @lbutlr wrote:

> Do you still see connections from hotmail.com mail servers?

That depends on what you mean by "hotmail.com mail servers."
I see a lot of traffic from servers authorized by the SPF record for
hotmail.com. I don't believe any of those use 'hotmail.com' in their
EHLO. I see a few per month which use unresolvable (in the moment) EHLO
names.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: How "safe" is reject_unknown_helo_hostname?

@lbutlr


> On 27 Apr 2019, at 13:40, Bill Cole <[hidden email]> wrote:
>
> On 27 Apr 2019, at 15:23, @lbutlr wrote:
>
>> Do you still see connections from hotmail.com mail servers?
>
> That depends on what you mean by "hotmail.com mail servers."
> I see a lot of traffic from servers authorized by the SPF record for hotmail.com. I don't believe any of those use 'hotmail.com' in their EHLO. I see a few per month which use unresolvable (in the moment) EHLO names.

Yes, thanks for the confirmation, that's what I was checking for. I believe the hotmail.com domain has been entirely retired as a source of mail.

It was a bit of a garbage fire for many years and I knew many admins who were very angry about hotmail, enough so that even mail from a hotmail.com email address is pretty rare anymore (I have 13 emails from a hotmail address this year in my personal/list accounts, a third of them from one person).


--
We will fight for Bovine Freedom and hold our large heads high We will
run free with the Buffalo or die





Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
In reply to this post by TG Servers
On 27 Apr 2019, at 15:28, TG Servers wrote:

> But you mean to keep reject_non_fqdn_helo_hostname and
> reject_invalid_helo_hostname, right?

Yes but as part of smtpd_helo_restrictions with a substantial
check_helo_access map ahead of them which has a bunch of OK entries
because Sturgeon's Law applies to the set of all mail admins.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
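The ordering Bill describes, as an added main.cf fragment that is not from the thread: the access map runs first so vetted names never reach the reject_* checks, and reject_unknown_helo_hostname is wrapped in warn_if_reject for a logging-only trial. The file paths are assumptions; the single OK entry is Brent's from earlier in the thread.

```ini
# /etc/postfix/main.cf (added example fragment)
# Restrictions are evaluated left to right; the first OK/REJECT wins.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/check_helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname

# The defaults Phil noted, written out explicitly: an unresolvable HELO is
# a 450 temporary failure, and the client is deferred only if a later
# restriction would otherwise have permitted it.
unknown_hostname_reject_code = 450
unknown_helo_hostname_tempfail_action = defer_if_permit

# /etc/postfix/check_helo_access (rebuild with: postmap /etc/postfix/check_helo_access)
#   fwd-out.cmp.livemail.co.uk   OK
```

Once the reject_warning lines in the mail log have been reviewed and the names you want mail from are in the map, drop the warn_if_reject prefix to start rejecting.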

Re: How "safe" is reject_unknown_helo_hostname?

@lbutlr
On 27 Apr 2019, at 14:28, Bill Cole <[hidden email]> wrote:
> On 27 Apr 2019, at 15:28, TG Servers wrote:
>
>> But you mean to keep reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname, right?
>
> Yes but as part of smtpd_helo_restrictions with a substantial check_helo_access map ahead of them which has a bunch of OK entries

I don't have any before but permit_my_networks.

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, check_helo_access
    pcre:/etc/postfix/helo_checks.pcre permit

grep -i reject /var/log/mail.log | grep -o "helo=<.*>" | sort -u

results in a list of servers I am pretty sure I don't want mail from, including a lion's share from the .live TLD and some hangers-on from .top.

What sort of checks do you have ahead of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?

> because Sturgeon's Law applies to the set of all mail admins.

Heh. There is that, I suppose.


--
Twentieth century? Why, I could pick a century out of a hat,
blindfolded, and come up with a better one.


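The warn_if_reject trial suggested earlier by @lbutlr and Noel, and the grep pipeline in this post, both come down to one question: which HELO names would reject_unknown_helo_hostname have bounced, and how often? Below is an added example, not code from the thread, that parses constructed Postfix smtpd reject/reject_warning lines (the format is assumed to match Postfix's "Helo command rejected" logging; every hostname, address and IP in the sample is made up) and tallies the "Host not found" hits per HELO name so each can be vetted by hand.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the shape Postfix smtpd uses for HELO
# restriction hits. Lines 1, 4 and 5 are what a warn_if_reject trial of
# reject_unknown_helo_hostname produces; lines 2 and 3 are hard rejects from
# reject_non_fqdn_helo_hostname and a check_helo_access REJECT entry.
SAMPLE_LOG = """\
Apr 27 10:01:02 mail postfix/smtpd[1001]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mx-out.example.net>: Helo command rejected: Host not found; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<mx-out.example.net>
Apr 27 10:05:33 mail postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <win-pc>: Helo command rejected: need fully-qualified hostname; from=<x@example.com> to=<me@example.org> proto=ESMTP helo=<win-pc>
Apr 27 10:06:10 mail postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.7.1 <mail.example.org>: Helo command rejected: impostor; from=<y@example.com> to=<me@example.org> proto=ESMTP helo=<mail.example.org>
Apr 27 10:09:41 mail postfix/smtpd[1004]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mx-out.example.net>: Helo command rejected: Host not found; from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<mx-out.example.net>
Apr 27 10:12:05 mail postfix/smtpd[1005]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.7.1 <promo.example.top>: Helo command rejected: Host not found; from=<deal@example.top> to=<me@example.org> proto=ESMTP helo=<promo.example.top>
"""

# One regex for both "reject:" and "reject_warning:" HELO lines. Postscreen
# and RBL rejections do not carry "Helo command rejected" and are skipped.
LINE_RE = re.compile(
    r"NOQUEUE: (?P<action>reject_warning|reject): RCPT from "
    r"(?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ <[^>]*>: "
    r"Helo command rejected: (?P<reason>[^;]+);.*helo=<(?P<helo>[^>]*)>"
)


def parse_helo_rejects(log_text):
    """Return one dict (action, client, ip, code, reason, helo) per hit."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def reason_counts(log_text):
    """How many hits each HELO restriction produced, keyed by its reject text."""
    return Counter(r["reason"] for r in parse_helo_rejects(log_text))


def unknown_helo_report(log_text):
    """Group the 'Host not found' hits (the ones reject_unknown_helo_hostname
    would have tempfailed) by HELO name, busiest first, so each name can be
    checked by hand and either added to check_helo_access as OK or left to
    be rejected once warn_if_reject is removed."""
    by_helo = defaultdict(lambda: {"hits": 0, "ips": set(), "warned_only": True})
    for r in parse_helo_rejects(log_text):
        if not r["reason"].startswith("Host not found"):
            continue
        entry = by_helo[r["helo"]]
        entry["hits"] += 1
        entry["ips"].add(r["ip"])
        if r["action"] == "reject":  # already a hard reject, not part of the trial
            entry["warned_only"] = False
    return sorted(by_helo.items(), key=lambda kv: -kv[1]["hits"])


if __name__ == "__main__":
    for reason, n in reason_counts(SAMPLE_LOG).items():
        print(f"{n:4d}  {reason}")
    print()
    for helo, e in unknown_helo_report(SAMPLE_LOG):
        print(f"{e['hits']:4d}  {helo:30s} from {', '.join(sorted(e['ips']))}")
```

Point it at the real log (for example `unknown_helo_report(open("/var/log/mail.log").read())`) after running with warn_if_reject for a week or two; names that show up repeatedly from the same IPs with plausible mail are the ones to resolve by hand before deciding.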

Re: How "safe" is reject_unknown_helo_hostname?

Bill Cole-3
On 27 Apr 2019, at 18:21, @lbutlr wrote:

> On 27 Apr 2019, at 14:28, Bill Cole
> <[hidden email]> wrote:
>> On 27 Apr 2019, at 15:28, TG Servers wrote:
>>
>>> But you mean to keep reject_non_fqdn_helo_hostname and
>>> reject_invalid_helo_hostname, right?
>>
>> Yes but as part of smtpd_helo_restrictions with a substantial
>> check_helo_access map ahead of them which has a bunch of OK entries
>
> I don't have any before but permit_my_networks.

I keep permit_my_networks out of my postfix config entirely.

> smtpd_helo_restrictions = permit_mynetworks,
> reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname, check_helo_access
>     pcre:/etc/postfix/helo_checks.pcre permit
>
> grep -i reject /var/log/mail.log | grep -o "helo=<.*>" | sort -u
>
> results in a list of servers I am pretty sure I don't want mail from,
> including a lion's share from the .live TLD ad some hangers-on from
> .top.
>
> What sort of checks do you have ahead of reject_invalid_helo_hostname
> and reject_non_fqdn_helo_hostname?

Just a check_helo_access with a bunch of names & a few patterns that are
unqualified or technically invalid but which I've had reason over the
space of a decade to want mail from and others which are formally valid
but have perfect records of only providing garbage (e.g. my own system's
valid hostnames and IPs, *.local, etc.)

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: How "safe" is reject_unknown_helo_hostname?

@lbutlr
On Apr 27, 2019, at 21:13, Bill Cole <[hidden email]> wrote:
>
> I keep permit_my_networks out of my postfix config entirely

Thanks. I keep meaning to look into doing that, but then I don’t seem to get around to it.

My mail server isn’t on a LAN IP, so that doesn’t apply. I’ll keep looking at logs to see if maybe valid-seeming servers are getting dropped.

--
This is my signature. There are many like it, but this one is mine.