Postscreen DNSBL Sites

On 2013-05-06 01:10:59 -0500, Stan Hoeppner wrote:
AFAIK, there's no requirement in the RFCs that the HELO name point
to the client IP, and there are good reasons to allow a mismatch, e.g.
due to several machines sharing the same IP with NAT, or a machine
having several interfaces (with several IPs), or a laptop that can
move between various networks.

I just meant that
  * his mail config is probably sane (the fact that the IP doesn't
    have a rDNS is not his fault, but the ISP's);
  * one can lose rather important mail (e.g. related to work).

Anyway one should be able to configure *client*-side mail software
without being a specialist of SMTP RFCs and things like that...

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Am 06.05.2013 23:13, schrieb Vincent Lefevre:
>> Being a Debian developer carries zero weight here.
>
> I just meant that
>   * his mail config is probably sane (the fact that the IP doesn't
>     have a rDNS is not his fault, but the ISP's)

no, it's clearly his fault

how should the ISP smell which PTR he needs?
anybody who setups a mailsever where a-record and PTR does not
match is a fool and if your ISP does not provide a way to
get a mathcing PTR you simply can't have a mailserver
on this IP

On Mon, May 06, 2013 at 11:13:20PM +0200, Vincent Lefevre wrote:
It's not usual, and definitely not ideal, to use NAT on a mail
exchanger, although a load balancer (which is more common and
sensible) can have similar effects. Also, a laptop as you describe
would usually not be in the role of mail exchanger, so its HELO
should only matter to its MSA.

So while you are right, strictly speaking, you should consider what's
best practice for mail exchangers. Ideally they should have HELO
matching FCrDNS. FCrDNS itself is not just a best practice, it is a
requirement.

> > > and this is from a Debian developer.
> >
snip
>
> I just meant that
>   * his mail config is probably sane (the fact that the IP doesn't
>     have a rDNS is not his fault, but the ISP's);

Don't try to run a mail exchanger on a dynamic IP address or one
lacking FCrDNS. It's definitely his fault for doing so.

>   * one can lose rather important mail (e.g. related to work).

Yes. Reread Noel's post upthread. I was the one who originally said
reject_unknown_reverse_client_hostname is safe, and Noel explained
why: the mail you reject is also being rejected by most major
receivers. Your would-be correspondent has trouble corresponding with
everyone. Eventually he should figure out that he can't run a mail
server on a dynamic IP address.

Sure, you might choose to open your floodgates to these clients. I
guarantee the vast majority of them are spam zombies.

> Anyway one should be able to configure *client*-side mail software
> without being a specialist of SMTP RFCs and things like that...

Absolutely. You would have your MUA submit to a MSA. Your MSA would
not care about FCrDNS.

This isn't about MUAs, this is about MTAs.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

On 2013-05-06 18:54:57 -0500, /dev/rob0 wrote:
There's no mail exchanger here. The machine in question
(carotte.tilapin.org) just sends the mail.

Except that the machine is just the client, not a mail exchanger.

> >   * one can lose rather important mail (e.g. related to work).
>
> Yes. Reread Noel's post upthread. I was the one who originally said
> reject_unknown_reverse_client_hostname is safe, and Noel explained
> why: the mail you reject is also being rejected by most major
> receivers.

I don't think this is really true. This may depend on the country
and the people one communicates with. If users still send mail from
an IP without rDNS, there may be a reason...

Moreover some major receivers may support IPv4 only for their MX,
so that if the IPv4 address of the sender has a reverse hostname
but not the IPv6 address, this user may not notice the problem.
For instance, for two majors receivers in France:

$ host -t mx free.fr
free.fr mail is handled by 20 mx2.free.fr.
free.fr mail is handled by 10 mx1.free.fr.
$ host mx1.free.fr
mx1.free.fr has address 212.27.48.7
mx1.free.fr has address 212.27.48.6
$ host mx2.free.fr
mx2.free.fr has address 212.27.42.59
mx2.free.fr has address 212.27.42.58

$ host -t mx wanadoo.fr
wanadoo.fr mail is handled by 10 smtp-in.orange.fr.
$ host smtp-in.orange.fr
smtp-in.orange.fr has address 80.12.242.9
smtp-in.orange.fr has address 193.252.22.65

$ host -t mx vinc17.net
vinc17.net mail is handled by 10 ioooi.vinc17.net.
$ host ioooi.vinc17.net
ioooi.vinc17.net has address 92.243.22.117
ioooi.vinc17.net has IPv6 address 2001:4b98:dc0:45:216:3eff:fe9b:eb2f

So, the sender mentioned above would see no problems with the majors
receivers (free.fr, wanadoo.fr), where IPv4 will be used, but if I
configure Postfix with reject_unknown_reverse_client_hostname on my
domain, the sender in question will see his mail rejected because
IPv6 would be used and his IPv6 address doesn't have a reverse
hostname.

> Your would-be correspondent has trouble corresponding with
> everyone. Eventually he should figure out that he can't run a mail
> server on a dynamic IP address.
>
> Sure, you might choose to open your floodgates to these clients. I
> guarantee the vast majority of them are spam zombies.

This is what I can observe, but I was thinking about using
reject_unknown_reverse_client_hostname-like filter with scoring.

> > Anyway one should be able to configure *client*-side mail software
> > without being a specialist of SMTP RFCs and things like that...
>
> Absolutely. You would have your MUA submit to a MSA. Your MSA would
> not care about FCrDNS.

I could do that since I have my own server.

But I don't see this as a final solution since most users use a
shared MSA and the outgoing mail server may be blacklisted more
or less often (this is the case of my ISP, which is frequently
blacklisted by spamcop) or not reliable (e.g. at my lab, which
has also been blacklisted several times due to some users with
compromised machines). And running a local MSA would yield the
same problems as not using a MSA.

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Am 07.05.2013 03:05, schrieb Vincent Lefevre:
> There's no mail exchanger here. The machine in question
> (carotte.tilapin.org) just sends the mail.

and in this case it needs a vaild PTR

>> Don't try to run a mail exchanger on a dynamic IP address or one
>> lacking FCrDNS. It's definitely his fault for doing so.
>
> Except that the machine is just the client, not a mail exchanger.

has to do WHAT with the topic?
it is true

face it or live with mails from you rejected

On 2013-05-07 10:18:21 +0200, Reindl Harald wrote:
> Am 07.05.2013 03:05, schrieb Vincent Lefevre:
> > There's no mail exchanger here. The machine in question
> > (carotte.tilapin.org) just sends the mail.
>
> and in this case it needs a vaild PTR

Perhaps (any quote from the RFC's?). But anyway I can't do anything
about it. I receive important mail from users whose IP doesn't have
a reverse hostname. Not one user, several ones.

> > I don't think this is really true. This may depend on the country
> > and the people one communicates with. If users still send mail from
> > an IP without rDNS, there may be a reason...
>
> it is true

No, I've shown that this is wrong.

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Am 07.05.2013 10:40, schrieb Vincent Lefevre: the world is not turning around you

it is common practice to not accept mails from hosts without a
valid PTR and you can ignore this but you also need to understand
the the rules from which machines i and many others accept mail
are not up to you

it is also common pratice to not accept mail from dynamic IPs
hence if you are coming with a PTR starting with "dyndsl-23..."
you have godd chances to get also blocked

* it is common practice
* it is widely accepted
* everybody who has the knowledge to maintain a mailserver knows this
* a valid PTR is not rocket science

and so if you want a relieable mail-service accept it or
continue whining, but not here

Am 07.05.2013 10:54, schrieb Reindl Harald:
> about it. I receive important mail from users whose IP doesn't have
>> a reverse hostname. Not one user, several ones

then use some whitelist ...,should be enough i.e

smtpd_client_restrictions = permit_sasl_authenticated,
                            permit_mynetworks,
                            check_client_access
hash:/etc/postfix/white_client_access,
                            reject_unknown_reverse_client_hostname,


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

On 2013-05-07 10:54:06 +0200, Reindl Harald wrote:
Yes, and that's precisely why I consider how *other users* send
their mail.

> it is common practice to not accept mails from hosts without a
> valid PTR

A PTR is not associated with a host, but with an IP address. That's
important because mail may be sent from different IP addresses,
depending on the recipient or other factors. And it seems that
some users forget to set up a PTR for all their IPv6 addresses.
This apparently includes Debian's mailing-list server.

> and you can ignore this but you also need to understand the the
> rules from which machines i and many others accept mail are not up
> to you

I agree, but I repeat that I cannot change the config of other
users. From what I can see in my mail archive, it is *not* safe
to blindly reject mail from IPs without a valid PTR. At least
currently.

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

On 2013-05-07 13:15:01 +0200, Robert Schetterer wrote:
A whitelist is not possible as in general, I don't know who
sends me such mail: most of it concerned Debian bugs, and mail
came from various developers (and users).

Is it possible to use reject_unknown_reverse_client_hostname-like
feature as part of scoring with blacklist checking? I think
policyd-weight supported that. I consider using postfwd.

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Am 07.05.2013 14:02, schrieb Vincent Lefevre:
> On 2013-05-07 10:54:06 +0200, Reindl Harald wrote:
>> it is common practice to not accept mails from hosts without a
>> valid PTR
>
> A PTR is not associated with a host, but with an IP address. That's
> important because mail may be sent from different IP addresses

and nay IP address has a A-Record and a PTR
period

> depending on the recipient or other factors. And it seems that
> some users forget to set up a PTR for all their IPv6 addresses.
> This apparently includes Debian's mailing-list server.

that's their problem

>> and you can ignore this but you also need to understand the the
>> rules from which machines i and many others accept mail are not up
>> to you
>
> I agree, but I repeat that I cannot change the config of other
> users. From what I can see in my mail archive, it is *not* safe
> to blindly reject mail from IPs without a valid PTR. At least
> currently

and because this attitude they are not enforced to fix their
setups - if any MTA would reject the mails the problem would
not exist since years because even the dumbest admin would
realize it if any outgoing message fails

On 05/07/2013 02:02 PM, Vincent Lefevre wrote:
[snip]
> A PTR is not associated with a host, but with an IP address. That's
> important because mail may be sent from different IP addresses,
> depending on the recipient or other factors. And it seems that
> some users forget to set up a PTR for all their IPv6 addresses.
> This apparently includes Debian's mailing-list server.

It does not matter who sends the email. The sending MTA host should have
a proper PTR (yes for the IP address). Forgetting to set a PTR is not an
excuse. Would you accept it if a gas station forgot to label their fuel
properly causing possible damage to your car's engine? If Debian's
mailing-list server does not have a PTR set then they should fix that.
You can probably file a bug somewhere or poke some Debian infra person
on irc. And if they are not totally clueless then their mail admin
should see a bunch of bounces in their logs due to the absence of a PTR
which hopefully rings a bell.

>> and you can ignore this but you also need to understand the the
>> rules from which machines i and many others accept mail are not up
>> to you
>
> I agree, but I repeat that I cannot change the config of other
> users. From what I can see in my mail archive, it is *not* safe
> to blindly reject mail from IPs without a valid PTR. At least
> currently.

So you basically accept that a mail admin of another system is clueless
or lazy? Please don't let them get away with that, even if it could be
legitimate email. They should do a proper job. For years it has been
working great for my domains. Up to a point where the relation between
spam attempts and legitimate email is more than 100:1 and yet at best 1
or 2 spam emails get through per week which are then grabbed by other
anti-spam measures (spamhaus, dspam). It's up to you but all this time I
have had so little trouble from it that I strongly recommend it.
Together with Stan's dynamic host list it should reject a ton of spam
attempts.

Regards,
Patrick

Am 07.05.2013 14:14, schrieb Vincent Lefevre:
> A whitelist is not possible as in general, I don't know who
> sends me such mail

it is possible
what about reading logs and/or mail headers ?
if you cant do that , forget about hosting email services, and asking
here for help



Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

On 5/6/2013 6:54 PM, /dev/rob0 wrote:
> FCrDNS itself is not just a best practice, it is a
> requirement.

It is preferred, but optional, not required.  If it was a *requirement*
then Postfix would have neither of these two restrictions, and the first
would simply be hard coded into postscreen and smtpd.

reject_unknown_client_hostname
reject_unkown_reverse_client_hostname

Obviously it is not.

In addition, if FCrDNS was indeed a requirement, then nobody would
accept mail from my SOHO Postfix server, nor any mail servers behind the
tens of thousands of "business class" ADSL circuits in the US which
offer static IPs but not custom rDNS.  You yourself accept mail from my
outbound, so obviously you're not strictly enforcing FCrDNS.  That or
you've manually whitelisted my IP.

--
Stan

On 5/6/2013 8:05 PM, Vincent Lefevre wrote:

> But I don't see this as a final solution since most users use a
> shared MSA and the outgoing mail server may be blacklisted more
> or less often (this is the case of my ISP, which is frequently
> blacklisted by spamcop) or not reliable (e.g. at my lab, which
> has also been blacklisted several times due to some users with
> compromised machines). And running a local MSA would yield the
> same problems as not using a MSA.

You're looking for a technical solution to the problems with the email
infrastructure in France.  There is no technical solution, only a social
one.  Until your countrymen are fed up with the status quo and demand
change, you will forever have these problems.  You live there.  You know
this.

--
Stan

On 5/7/2013 7:02 AM, Vincent Lefevre wrote:
> And it seems that
> some users forget to set up a PTR for all their IPv6 addresses.
> This apparently includes Debian's mailing-list server.

Seems to have IPv6 rDNS:

~$ host bendel.debian.org
bendel.debian.org has address 82.195.75.100
bendel.debian.org has IPv6 address 2001:41b8:202:deb:216:36ff:fe40:4002

~$ host 2001:41b8:202:deb:216:36ff:fe40:4002
2.0.0.4.0.4.e.f.f.f.6.3.6.1.2.0.b.e.d.0.2.0.2.0.8.b.1.4.1.0.0.2.ip6.arpa
domain name pointer bendel.debian.org.


Is the French language users list hosted on a different server?  If so,
server name please?

--
Stan

> Is it possible to use reject_unknown_reverse_client_hostname-like
> feature as part of scoring with blacklist checking? I think
> policyd-weight supported that. I consider using postfwd.

Yes this is possible with postfwd. The policy delegation protocol
contains reverse_client_name and client_name, which can be used within
postfwd rulesets.

Example:

id=COMBO01
    reverse_client_name==unknown
    rbl=bl.spamcop.net,pbl.spamhaus.org
    action=REJECT due to no valid rDNS and blacklisting

On 05/08/2013 08:12 AM, Stan Hoeppner wrote:
> In addition, if FCrDNS was indeed a requirement, then nobody would
> accept mail from my SOHO Postfix server, nor any mail servers behind the
> tens of thousands of "business class" ADSL circuits in the US which
> offer static IPs but not custom rDNS.  You yourself accept mail from my
> outbound, so obviously you're not strictly enforcing FCrDNS.  That or
> you've manually whitelisted my IP.

Actually (1) it's the mailing list mx that needs to accept your server,
and (2) your IP *does* actually pass fcrdns:

greer.hardwarefreak.com. 3448 IN A 65.41.216.221

221.216.41.65.in-addr.arpa. 86176 IN PTR mo-65-41-216-221.sta.embarqhsd.net.

mo-65-41-216-221.sta.embarqhsd.net. 86166 IN A 65.41.216.221


Peter

I'm going to take this chance to pipe into this thread that I am
confused about Vincent's issue. He says that the client which lacked
PTR (the one run by a Debianista) was not a mail exchanger, or not
exchanging mail.

Why, then, would reject_unknown_reverse_client_hostname be an issue?
Obviously one must never apply this against one's own submitting
users. Or was Vincent confused about the distinction between mail
exchanging clients and submission clients?

On Tue, May 07, 2013 at 03:12:58PM -0500, Stan Hoeppner wrote:
> On 5/6/2013 6:54 PM, /dev/rob0 wrote:
> > FCrDNS itself is not just a best practice, it is a
> > requirement.
>
> It is preferred, but optional, not required.  If it was a

I was speaking in a functional sense. In the real world, you either
have FCrDNS for your outbound, or you have massive deliverability
issues.

> *requirement* then Postfix would have neither of these two
> restrictions, and the first would simply be hard coded into
> postscreen and smtpd.

Nitpick there: postscreen does not look up rDNS. :)

> reject_unknown_client_hostname
> reject_unkown_reverse_client_hostname
>
> Obviously it is not.
>
> In addition, if FCrDNS was indeed a requirement, then nobody would
> accept mail from my SOHO Postfix server, nor any mail servers
> behind the tens of thousands of "business class" ADSL circuits in
> the US which offer static IPs but not custom rDNS.

Peter has explained this: you indeed seem to have FCrDNS, just not
"good" FCrDNS with a custom PTR. You have generic-looking FCrDNS of
the kind that your famous PCRE file is designed to block. :)

> You yourself accept mail from my outbound, so obviously you're
> not strictly enforcing FCrDNS.

I do use reject_unknown_reverse_client_hostname for most recipient
domains. I do not use reject_unknown_client_hostname much. Neither do
I use reject_unknown_helo_hostname; and no policy daemon whereby the
HELO and PTR are required to match. If you're not on Zen (PBL) you're
fine by me. :)

> That or you've manually whitelisted my IP.

Perish the thought! I would do no such thing! ;)
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

On 2013-05-07 15:38:44 -0500, Stan Hoeppner wrote:
> On 5/7/2013 7:02 AM, Vincent Lefevre wrote:
> > And it seems that
> > some users forget to set up a PTR for all their IPv6 addresses.
> > This apparently includes Debian's mailing-list server.

I've reported a Debian bug, and one developer claimed it was "fixed".
But...

> Seems to have IPv6 rDNS:
>
> ~$ host bendel.debian.org
> bendel.debian.org has address 82.195.75.100
> bendel.debian.org has IPv6 address 2001:41b8:202:deb:216:36ff:fe40:4002
>
> ~$ host 2001:41b8:202:deb:216:36ff:fe40:4002
> 2.0.0.4.0.4.e.f.f.f.6.3.6.1.2.0.b.e.d.0.2.0.2.0.8.b.1.4.1.0.0.2.ip6.arpa
> domain name pointer bendel.debian.org.

This is confirmed by my mail archive, *except* for one mail,
where the IP address was:

2001:41b8:202:deb:216:38ff:fe0e:1ca7

Let's see the difference:

2001:41b8:202:deb:216:36ff:fe40:4002
2001:41b8:202:deb:216:38ff:fe0e:1ca7
                      ^^     ^^ ^^^^

I suspect that they temporarily changed the Ethernet card without
updating their DNS config, as only the last 6 bytes of the IPv6
address changed for this particular mail.

I fear that they could do the same mistake in the future...

--
Vincent Lefèvre <[hidden email]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)