Postfix and BINARYMIME

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Postfix and BINARYMIME

tejas sarade
Hello,

I am facing a problem where exchange server is sending mails in binary.
content-transfer-encoding: binary.
Even the postfix doesn't publish BINARYMIME as an extension.

I just wanted to confirm if postfix supports BINARYMIME extension.
rfc3030 is still a proposed standard. And I didn't see it in postfix smtpd man page.


Regards,
Tejas.

Reply | Threaded
Open this post in threaded view
|

Re: Postfix and BINARYMIME

Viktor Dukhovni
On Fri, May 30, 2014 at 10:12:38AM +0530, tejas sarade wrote:

> I am facing a problem where exchange server is sending mails in binary.
> content-transfer-encoding: binary.

Apart from mislabeling what is most-likely in fact a CTE of "8bit" rather
than binary, what problem does this actually cause?

> Even the postfix doesn't publish BINARYMIME as an extension.

The transport of true BINARYMIME content generally also requires
CHUNKED encoding, which is also not supported by Postfix.  I dimly
remember dealing with a bug in Exchange along these lines a long
time ago, and thought it was fixed not long after.  How ancient is
the Exchange system in question.

> I just wanted to confirm if postfix supports BINARYMIME extension.

No, but it does not matter, it certainly does not advertise such
support in the EHLO response, so sending system can legitimately
send such content into Postfix.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and BINARYMIME

tejas sarade


> Apart from mislabeling what is most-likely in fact a CTE of "8bit" rather
> than binary, what problem does this actually cause?

The problem is that Postfix frequently dropping connection of connection exchange server with error
502 5.5.2 Error: command not recognized
I checked from the tcpdump that headers contain the following line.
Content-Transfer-Encoding: binary
And some of the characters in the binary data causing Postfix to interpret as end of data character.
and remaining content is detected as error. 'non-compatible SMTP command'.

> The transport of true BINARYMIME content generally also requires
> CHUNKED encoding, which is also not supported by Postfix.  I dimly
> remember dealing with a bug in Exchange along these lines a long
> time ago, and thought it was fixed not long after.  How ancient is
> the Exchange system in question.

It is Exchange 2007

> No, but it does not matter, it certainly does not advertise such
> support in the EHLO response, so sending system can legitimately
> send such content into Postfix.

So, connecting client can send the data using SMTP extension which is not published by SMTP server?

Reply | Threaded
Open this post in threaded view
|

Re: Postfix and BINARYMIME

Wietse Venema
tejas sarade:
> > Apart from mislabeling what is most-likely in fact a CTE of "8bit" rather
> > than binary, what problem does this actually cause?
>
> The problem is that Postfix frequently dropping connection of connection
> exchange server with error
> 502 5.5.2 Error: command not recognized
> I checked from the tcpdump that headers contain the following line.
> Content-Transfer-Encoding: binary

Fix the SMTP client configuration, or file a bug report with the
SMTP client vendor. The SMTP client must not send BINARYMIME content
unless the server announces it.

This is a basic principle of ESMTP, which is now almost 20 years
old, so someone should have learned to read in the meantime.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and BINARYMIME

Viktor Dukhovni
In reply to this post by tejas sarade
On Fri, May 30, 2014 at 11:15:09AM +0530, tejas sarade wrote:

> > Apart from mislabeling what is most-likely in fact a CTE of "8bit" rather
> > than binary, what problem does this actually cause?
>
> The problem is that Postfix frequently dropping connection of connection
> exchange server with error
> 502 5.5.2 Error: command not recognized
> I checked from the tcpdump that headers contain the following line.
> Content-Transfer-Encoding: binary
> And some of the characters in the binary data causing Postfix to interpret
> as end of data character.
> and remaining content is detected as error. 'non-compatible SMTP command'.
>
> > The transport of true BINARYMIME content generally also requires
> > CHUNKED encoding, which is also not supported by Postfix.  I dimly
> > remember dealing with a bug in Exchange along these lines a long
> > time ago, and thought it was fixed not long after.  How ancient is
> > the Exchange system in question.
>
> It is Exchange 2007

I think you're too many patches behind.  Don't recall whether this
was fixed in a patch (aka hotfix) or a later release.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Postfix and Generic rDNS

Klaipedaville on Google
In reply to this post by Viktor Dukhovni
Hello there,
 
I have a quick question / request for clarification. I’ll try to be concise.
 
My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."
 
Now my postfix always warns me due to this generic rDNS of my ISP.
 
Postfix says, "hostname verification errors in FCrDNS:
Does not resolve to address
123.45.67.8    123-45-67-8.my.isp.com”
 
Any free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.
 
Postfix is working OK but this warning is simply always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!
 
Regards,
Dennis.
 
 
 
 
 
 
 
 
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

DTNX Postmaster
On 27 Jun 2014, at 10:53, Klaipedaville on Google <[hidden email]> wrote:

> I have a quick question / request for clarification. I’ll try to be concise.
>  
> My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."
>  
> Now my postfix always warns me due to this generic rDNS of my ISP.
>  
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”
>  
> Any free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.
>  
> Postfix is working OK but this warning is simply always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!

First off, for the best assistance, post the actual log entries for the warning, instead of a generic description. Too much information tends to get lost if people 'translate' :-)

And if you do use domain names in your examples, make sure they are the actual values, or something appropriate for example use, like 'example.com'. As documented here;

http://tools.ietf.org/html/rfc2606#page-2

As for a fix, check whether your ISP supports setting the reverse DNS for your IP address. This may be a feature that comes with a 'business' type account, or they may not support it at all. If it's not supported, the general advice is to send outgoing mail via the SMTP servers provided by your ISP, to avoid issues with delivery.

Mvg,
Joni

Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

lists@rhsoft.net
In reply to this post by Klaipedaville on Google


Am 27.06.2014 10:53, schrieb Klaipedaville on Google:
> My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query
> on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique
> reverse pointer" which is usually something like mail.your-domain.com."

in general bad - i tend to block such PTR's because the postmaster
finds not worth to care about a clean reputation and if i face
too much spam from other "*.your.isp.com", well you have to bite it

if your IP is from a eastern country i don't hestitate a second
and place the whole /16 subnet of your ISP on the RBL in case
of spam delivery

> Now my postfix always warns me due to this generic rDNS of my ISP.
>  
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”

PTR and A don't match

> Postfix is working OK but this warning is simply always there as
> I have no control over my ISP

then switch to a different ISP or move your mailserver
somewhere in a datacenter (rootserver, VPS....)
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

Klaipedaville on Google
In reply to this post by DTNX Postmaster
Hello Joni,
 
Thank you for your suggestion and quick reply.
 
Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
 
Postfix says, "hostname verification errors in FCrDNS:
Does not resolve to address
123.45.67.8    123-45-67-8.my.isp.com”
 
Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
 
---------------Hostname verification errors (FCRDNS) ------------------
Does not resolve to address
123.45.67.8    123-45-67-8.my.isp.com
---------------------------------------------------------------------------------------
 
The domain names were not required in my question therefore I did not use any of them such as example.com and so on so there isn’t much for you to translate Smile.
 
I have a "business" type account and the reverse DNS is available. In fact, It even works OK but only one way. The thing that is not working as per my log entry is the other way around, that is the FCrDNS. I’ll double-check it with my ISP one more time on that though.
 
However, my question was if I could possibly solve it using only postfix without getting my ISP involved because as I have already said in my previous message Postfix has been working absolutely fine without any problems with delivery or anything else. I’ve been trying to fix it using check_reverse_client_hostname_access but this does not seem to solve the issue.
 
Would highly appreciate any other / more options, comments, assistance. Many thanks!
 
Regards,
Dennis.
 
 
>

>
>First off, for the best assistance, post the actual log entries for the warning, instead of a generic description. Too much information tends to get lost if people 'translate' :-)
>
>And if you do use domain names in your examples, make sure they are the actual values, or something appropriate for example use, like 'example.com'. As documented here;
>
>http://tools.ietf.org/html/rfc2606#page-2
>
>As for a fix, check whether your ISP supports setting the reverse DNS for your IP address. This may be a feature that comes with a 'business' type account, or they may not support it at all. If it's not supported, the general >advice is to send outgoing mail via the SMTP servers provided by your ISP, to avoid issues with delivery.
>
>Mvg,
>Joni

 
Sent: Friday, June 27, 2014 12:12
Subject: Re: Postfix and Generic rDNS
 
On 27 Jun 2014, at 10:53, Klaipedaville on Google <[hidden email]> wrote:

> I have a quick question / request for clarification. I’ll try to be concise.

> My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."

> Now my postfix always warns me due to this generic rDNS of my ISP.

> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”

> Any free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.

> Postfix is working OK but this warning is simply always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

lists@rhsoft.net

Am 27.06.2014 11:52, schrieb Klaipedaville on Google:

> Thank you for your suggestion and quick reply.
>  
> Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
>  
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”
>  
> Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
>  
> ---------------Hostname verification errors (FCRDNS) ------------------
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com
> ---------------------------------------------------------------------------------------
>  
> The domain names were not required in my question therefore I did not use any of them such as
> example.com and so on so there isn’t much for you to translate Smile.

well, with "I only changed the actual IP address" and "isn’t much for you to translate"
why don't you just leaves us in peace and solve your problem for your own - nobody
can take a look on DNS relevant things if you mask the IP
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

Klaipedaville on Google
In reply to this post by lists@rhsoft.net
Than you for your message.
 
Well, this is all true to the fact. I agree with you almost 100%.
 
>PTR and A don't match.
They actually do because it resolves OK one way, it does not resolve the other way around FCrDNS (forward confirmed DNS) because it’s generic PTR...
>then switch to a different ISP or move your mailserver
>somewhere in a datacenter (rootserver, VPS....)
There are not too many providers to choose from where I am at. Then again if I moved to a datacenter then I would need my "first point of access" to be made through the same local two ISPs (only two of them here)...
It’s a virtual server.
 


Am 27.06.2014 10:53, schrieb Klaipedaville on Google:
> My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query
> on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique
> reverse pointer" which is usually something like mail.your-domain.com."

in general bad - i tend to block such PTR's because the postmaster
finds not worth to care about a clean reputation and if i face
too much spam from other "*.your.isp.com", well you have to bite it

if your IP is from a eastern country i don't hestitate a second
and place the whole /16 subnet of your ISP on the RBL in case
of spam delivery

> Now my postfix always warns me due to this generic rDNS of my ISP.

> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”

PTR and A don't match

> Postfix is working OK but this warning is simply always there as
> I have no control over my ISP

then switch to a different ISP or move your mailserver
somewhere in a datacenter (rootserver, VPS....)
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

lists@rhsoft.net
first:

* don't post HTML
* don't reply-all on mailing-lists

Am 27.06.2014 12:15, schrieb Klaipedaville on Google:
> Than you for your message.
>  
> Well, this is all true to the fact. I agree with you almost 100%.
>  
>>PTR and A don't match
>
> They actually do because it resolves OK one way, it does not resolve the
> other way around FCrDNS (forward confirmed DNS)

than they don't - period

> because it’s generic PTR...

don't matter, call your ISP names - as you can see it's possible:
85.103.178.62.in-addr.arpa. 1849 IN     PTR     chello062178103085.7.12.vie.surfer.at.
chello062178103085.7.12.vie.surfer.at. 3600 IN A 62.178.103.85

at that is a homeinternet access and has FCrDNS
frankly even my home guest-range has FCrDNS

>>then switch to a different ISP or move your mailserver
>>somewhere in a datacenter (rootserver, VPS....)
> There are _not_ too many providers to choose from where I am at.

then fight with them - they control the in-addr.arpa. and they
*can* set a PTR, they only don't care

> Then again if I moved to a datacenter then I would
> need my "first point of access" to be made through the same
> local two ISPs (only two of them here)... It’s a virtual server

the difference is that datacenter IP's have a sane PTR
what you are talking about the whole time looks like
a home-IP and will get treatet by other mailservers
like that -> reject
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

DTNX Postmaster
In reply to this post by Klaipedaville on Google
On 27 Jun 2014, at 11:52, Klaipedaville on Google <[hidden email]> wrote:

> Thank you for your suggestion and quick reply.
>  
> Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
>  
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”
>  
> Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
>  
> ---------------Hostname verification errors (FCRDNS) ------------------
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com
> ---------------------------------------------------------------------------------------
>  
> The domain names were not required in my question therefore I did not use any of them such as example.com and so on so there isn’t much for you to translate <wlEmoticon-smile[1].png>.
>  
> I have a "business" type account and the reverse DNS is available. In fact, It even works OK but only one way. The thing that is not working as per my log entry is the other way around, that is the FCrDNS. I’ll double-check it with my ISP one more time on that though.
>  
> However, my question was if I could possibly solve it using only postfix without getting my ISP involved because as I have already said in my previous message Postfix has been working absolutely fine without any problems with delivery or anything else. I’ve been trying to fix it using check_reverse_client_hostname_access but this does not seem to solve the issue.

Please do not top-post, and try to avoid HTML messages.

As for what you supplied as an error message; perhaps you copied it from a bounce message, or from some online testing tool, but it is not from the Postfix logs. If you want help with Postfix, follow the instructions here;

http://www.postfix.org/DEBUG_README.html

Show us the problem that you are trying to solve. If you do not provide actual, real-world logs, with data that can be tested by people on this list, don't expect much more help.

Mvg,
Joni

Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

Stan Hoeppner
In reply to this post by Klaipedaville on Google
On 6/27/2014 3:53 AM, Klaipedaville on Google wrote:
...
> Now my postfix always warns me due to this generic rDNS of my ISP.
>
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com

You should only see these warnings for mismatched hosts that connect to
your Postfix SMTPD server.  Do you have a NAT router in front of the
Postfix server?  Do your logs show all inbound connections coming from
only one IP, your public IP address?  Do you get this warning for every
connection?  If so you might try setting

http://www.postfix.org/postconf.5.html#proxy_interfaces

If all connections are from that one IP, get a different NAT router that
doesn't rewrite the source address.

Cheers,

Stan
Reply | Threaded
Open this post in threaded view
|

Re: Postfix and Generic rDNS

Bill Cole-3
In reply to this post by Klaipedaville on Google
On 27 Jun 2014, at 5:52, Klaipedaville on Google wrote:

> Hello Joni,
>
> Thank you for your suggestion and quick reply.
>
> Well, my actual log entry has been posted in my first message. I only
> changed the actual IP address.

There is no reason to do that, which makes it impossible for us to
figure out precisely what your problem is.  Your problem seems to be
entirely distinct from the use of "generic" rDNS records, but your
obfuscation of the specific details makes that hard to state with
certainty.

> The log is:
>
> Postfix says, "hostname verification errors in FCrDNS:
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com”
>
>
> Now here is the exact copy-paste if it wasn’t really clear for you
> from the first time:
>
> ---------------Hostname verification errors (FCRDNS)
> ------------------
> Does not resolve to address
> 123.45.67.8    123-45-67-8.my.isp.com
> ---------------------------------------------------------------------------------------

Postfix generates no messages in any form like that. It does sometimes
generate log entries like this:

Jun 17 12:44:39 toaster postfix/smtpd[11867]: warning: hostname
br16.srvmatrix.info does not resolve to address 177.11.51.78: nodename
nor servname provided, or not known

That was the result of some spammer using 177.11.51.78 trying to relay
through my server. The same warning would  have been generated if they
had been trying to send mail to me. There'sa PTR record  for
177.11.51.78  pointing  to br16.srvmatrix.info but there's no A or CNAME
record for br16.srvmatrix.info. That DNS error is common enough that it
would be unsafe to have Postfix do anything more that warn about it, but
the warning is good to have in the log because it illuminates why
related log messages refer to the client as "unknown".

It requires no effort on my part to avoid seeing such log messages when
I don't want to, because I don't normally look for them. Whatever is
translating the messages in your Postfix logs into messages like the one
you've included is causing pointless worry.

> The domain names were not required in my question therefore I did not
> use any of them such as example.com and so on so there isn’t much
> for you to translate .

Not so. If you had included an actual Postfix log entry, it would have
been much more clear what your difficulty is.

> I have a "business" type account and the reverse DNS is available. In
> fact, It even works OK but only one way. The thing that is not working
> as per my log entry is the other way around, that is the FCrDNS.
> I’ll double-check it with my ISP one more time on that though.

Here's an example of a not-so-random real case of bad DNS that might be
very similar to whatever problem you are trying to solve. First a
"reverse" resolution of an IP address to a name:

   # dig +noauth +noadd +nocmd +nostats  -x 86.100.96.251
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18478
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;251.96.100.86.in-addr.arpa.  IN    PTR

   ;; ANSWER SECTION:
   251.96.100.86.in-addr.arpa. 31261 IN      PTR  
86-100-96-251.klp.balticum.lt.

That's "generic" rDNS: a PTR whose value is clearly derived from the IP
address. Nothing wrong with that, if the only rational alternative is no
PTR at all. However, any name used as a PTR value should have forward (A
  or CNAME) resolution, but this generic name does not:

   # dig  +noadd +nocmd +nostats 86-100-96-251.klp.balticum.lt.
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46734
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;86-100-96-251.klp.balticum.lt.     IN    A

   ;; AUTHORITY SECTION:
   balticum.lt.            6016  IN    SOA   ns1.balticum.lt.
hostmaster.balticum-tv.lt. 2014050801 10800 1800 604800 86400


And who runs the reverse DNS?

   # dig +short 96.100.86.in-addr.arpa. SOA
   ns1.balticum.lt. hostmaster.balticum-tv.lt. 2011021402 43200 7200
1728000 7200

The same entity that is running the forward DNS. So this isn't
miscommunication between an ISP and customer, this is an ISP that is
simply incompetent. They could make the generic rDNS name resolve, but
they don't. Simple stupidity, and entirely outside what anyone else can
fix, even the unfortunate person using 86.100.96.251.

> However, my question was if I could possibly solve it using only
> postfix without getting my ISP involved because as I have already said
> in my previous message Postfix has been working absolutely fine
> without any problems with delivery or anything else. I’ve been
> trying to fix it using check_reverse_client_hostname_access but this
> does not seem to solve the issue.
>
> Would highly appreciate any other / more options, comments,
> assistance. Many thanks!

If the problem is only with one address, you might be able to quiet the
noise with an entry in your /etc/hosts file to create the missing
IP<->name mapping symmetrically. Most (but not all) systems still check
there first before or in addition to DNS. That will hide the bad DNS
from Postfix.