Problem with reject_rbl_client when a wildcard entry for mydomain exists

Problem with reject_rbl_client when a wildcard entry for mydomain exists

s.small
Hi,

We experience problems when using reject_rbl_client if a wildcard entry for
mydomain exists. It appears that a DNS lookup is first made with [ip].[rbl]
and then with [ip].[rbl].[mydomain] if no entry has been found.
This leads to false positives if a DNS wildcard entry for xxx.[mydomain]
exists.

Example:

18:19:10.976007 mail.mydomain.com.17363 > postfix.local-prod.local.domain:
9896+ PTR? 21.17.227.212.in-addr.arpa. (44)
18:19:11.004248 postfix.local-prod.local.domain > mail.mydomain.com.17363:
9896 1/0/0 PTR mout.gmx.net. (70)
18:19:11.004394 mail.mydomain.com.20184 > postfix.local-prod.local.domain:
58856+ A? mout.gmx.net. (30)
18:19:11.004725 postfix.local-prod.local.domain > mail.mydomain.com.20184:
58856 6/0/0 A mout.gmx.net, A mout.gmx.net, A[|domain] (DF)
18:19:11.354892 mail.mydomain.com.35558 > postfix.local-prod.local.domain:
50868+ A? 21.17.227.212.zen.spamhaus.org. (48)
18:19:11.542972 postfix.local-prod.local.domain > mail.mydomain.com.35558:
50868 NXDomain 0/1/0 (112) (DF)
18:19:11.543002 mail.mydomain.com.2259 > postfix.local-prod.local.domain:
11912+ A? 21.17.227.212.zen.spamhaus.org.mydomain.com. (60)  -----> If an A
record for *.mydomain.com exists this leads to a false positive
18:19:11.643002 postfix.local-prod.local.domain > mail.mydomain.com.2259:
11912 NXDomain 0/1/0 (121) (DF)
18:19:11.643030 mail.mydomain.com.35352 > postfix.local-prod.local.domain:
32908+ A? 21.17.227.212.zen.spamhaus.org. (48)
18:19:11.643385 postfix.local-prod.local.domain > mail.mydomain.com.35352:
32908 NXDomain 0/1/0 (112) (DF)
18:19:11.643475 mail.mydomain.com.44535 > postfix.local-prod.local.domain:
10940+ MX? gmx.ch. (24)
18:19:11.673154 postfix.local-prod.local.domain > mail.mydomain.com.44535:
10940 2/0/4 MX mx00.emig.gmx.net. 10, MX[|domain] (DF)
18:19:11.904275 mail.mydomain.com.5803 > postfix.local-prod.local.domain:
29132+ PTR? 100.10.168.192.in-addr.arpa. (45)
18:19:11.904731 postfix.local-prod.local.domain > mail.mydomain.com.5803:
29132* 1/0/0 PTR[|domain] (DF)
18:19:11.905085 mail.mydomain.com.39746 > postfix.local-prod.local.domain:
36015+ PTR? 18.15.227.212.in-addr.arpa. (44)
18:19:11.949389 postfix.local-prod.local.domain > mail.mydomain.com.39746:
36015 1/0/0 PTR mout.gmx.net. (70) (DF)
18:19:11.949511 mail.mydomain.com.40551 > postfix.local-prod.local.domain:
57004+ PTR? 22.17.227.212.in-addr.arpa. (44)
18:19:11.949858 postfix.local-prod.local.domain > mail.mydomain.com.40551:
57004 1/0/0 PTR mout.gmx.net. (70) (DF)

cheers,
Stefan
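A small checker for traces like the one above, added here as an example (it is not part of the original post and not Postfix code). It parses tcpdump query lines, flags A queries whose name is an RBL name with the local domain appended behind it, and recovers the client IP encoded in the query so the false positive can be matched against the Postfix log. The trace lines are constructed after the post's capture (one query per line), and the RBL list and local domain are assumptions passed in by the caller.

```python
import re
from ipaddress import ip_address

# Constructed sample trace, modelled on the capture in the post above
# (queries only; answers are not needed for this check).
SAMPLE_TRACE = """\
18:19:10.976007 mail.mydomain.com.17363 > postfix.local-prod.local.domain: 9896+ PTR? 21.17.227.212.in-addr.arpa. (44)
18:19:11.354892 mail.mydomain.com.35558 > postfix.local-prod.local.domain: 50868+ A? 21.17.227.212.zen.spamhaus.org. (48)
18:19:11.543002 mail.mydomain.com.2259 > postfix.local-prod.local.domain: 11912+ A? 21.17.227.212.zen.spamhaus.org.mydomain.com. (60)
18:19:11.643030 mail.mydomain.com.35352 > postfix.local-prod.local.domain: 32908+ A? 21.17.227.212.zen.spamhaus.org. (48)
18:19:11.643475 mail.mydomain.com.44535 > postfix.local-prod.local.domain: 10940+ MX? gmx.ch. (24)
"""

# tcpdump query line: "<ts> <src> > <dst>: <id>+ <TYPE>? <qname>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) \S+ > \S+: (?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)"
)


def parse_queries(trace):
    """Yield (timestamp, qtype, qname) per query line; qname without trailing dot."""
    for line in trace.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("qname").lower()


def dnsbl_client_ip(qname, rbl):
    """Recover the client IP from a DNSBL name such as 21.17.227.212.zen.spamhaus.org."""
    prefix = qname[: -(len(rbl) + 1)]  # strip ".<rbl>"
    octets = prefix.split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def find_search_appended_dnsbl_queries(trace, rbls, local_domain):
    """Return (qname, rbl, client_ip) for A queries where an RBL name
    was extended with the local domain, i.e. a search-list expansion."""
    rbls = [r.lower().rstrip(".") for r in rbls]
    local_domain = local_domain.lower().rstrip(".")
    hits = []
    for _ts, qtype, qname in parse_queries(trace):
        if qtype != "A":
            continue
        for rbl in rbls:
            suffix = "." + rbl + "." + local_domain
            if qname.endswith(suffix):
                base = qname[: -(len(local_domain) + 1)]  # drop ".<local_domain>"
                hits.append((qname, rbl, dnsbl_client_ip(base, rbl)))
    return hits


if __name__ == "__main__":
    for qname, rbl, ip in find_search_appended_dnsbl_queries(
        SAMPLE_TRACE, ["zen.spamhaus.org"], "mydomain.com"
    ):
        print(f"search-appended RBL query {qname} (rbl={rbl}, client={ip})")
```

Any hit means the resolver on the mail host is expanding fully qualified RBL names with its search list; with a wildcard A record under that domain, every such query resolves and every client would be rejected.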


Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
[hidden email]:
> Hi,
>
> We experience problems when using reject_rbl_client if a wildcard entry for
> mydomain exists. It appears that a DNS lookup is first made with [ip].[rbl]
> and than with [ip].[rbl].[mydomain] if no entry has been found.
> This leads to false positives if a DNS wildcard entry for xxx.[mydomain]
> exists.

Postfix does not enable RES_DNSRCH or RES_DEFNAMES for DNSBL lookups.
I suspect that you have some too-helpful DNS proxy.

        Wietse

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

A. Schulze
In reply to this post by s.small

s.small:

> It appears that a DNS lookup is first made with [ip].[rbl] and
> than with [ip].[rbl].[mydomain] if no entry has been found.

general advice: check your /etc/resolv.conf
usually there is no need for other lines than "nameserver $NAMESERVER_IP"
especially check if "searchdomain" is present and needed and should be
removed.

If you run any service chroot don't forget these copies.

Andreas


Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Viktor Dukhovni
On Thu, Dec 04, 2014 at 07:31:42PM +0100, A. Schulze wrote:

> >It appears that a DNS lookup is first made with [ip].[rbl] and
> >than with [ip].[rbl].[mydomain] if no entry has been found.

Postfix explicitly disables "RES_DNSRCH | RES_DEFNAMES" in the
resolver options when doing MX, rbl and other lookups where these
would be inappropriate.  If someone maintaining libresolv or libc
"helpfully" broke the interface, then complain to your OS distribution
maintainer.

> general advice: check your /etc/resolv.conf
> usually there is no need for other lines then "nameserver $NAMESERVER_IP"
> especially check if "searchdomain" is present and needed and should be
> removed.

This advice is not right; Postfix works (on platforms with a
libresolv that has not been "improved") even when default domains
and search paths are specified in libresolv.

--
        Viktor.

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

A. Schulze

Viktor Dukhovni:

>> general advice: check your /etc/resolv.conf
>> usually there is no need for other lines then "nameserver $NAMESERVER_IP"
>> especially check if "searchdomain" is present and needed and should be
>> removed.
>
> This advice is not right,  Postfix works ...

Yes, BUT:

I had not only postfix in mind. Other server software does not do so many things
right as postfix does. For that reason "general" ...

A server should generally be well configured to use only fully
qualified domain names.
As a consequence a server does not need a searchdomain in /etc/resolv.conf
and therefore it could be removed.
I have done so for many years and saw some strange things go away.
That's simply my experience running numerous different servers over the years.

Andreas



Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
A. Schulze:

>
> Viktor Dukhovni:
>
> >> general advice: check your /etc/resolv.conf
> >> usually there is no need for other lines then "nameserver $NAMESERVER_IP"
> >> especially check if "searchdomain" is present and needed and should be
> >> removed.
> >
> > This advice is not right,  Postfix works ...
>
> Yes, BUT:
>
> I had not only postfix in mind. Other server software does not so many things
> right as postfix does. For that reason "general" ...
>
> A server should generally be well configured to use only fully  
> qualified domainnames.
> As a consequence a server does not need a searchdomain in /etc/resolv.conf
> and therefor it could be removed.
> I do so for many years and saw some strange things went away.
> That's simply my experience running numerous different server over the years.

If some vendor appends domains despite Postfix turning that off,
please file a complaint.  That vendor is not helping.

        Wietse

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

s.small
Hi all,

I can reproduce this on a "stock" OpenBSD 5.6 with default main.cf (except
for the smtpd_client_restrictions, of course).

/var/spool/postfix/etc/resolv.conf contains

lookup file bind
nameserver 172.16.161.2

and  /var/spool/postfix/etc/hosts contains

#       $OpenBSD: hosts,v 1.12 2009/03/10 00:42:13 deraadt Exp $
#
# Host Database
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0      10.255.255.255
# 172.16.0.0    172.31.255.255
# 192.168.0.0   192.168.255.255
#
127.0.0.1       localhost
::1             localhost

But NOT on a stock Ubuntu with the same config.

I guess this means that I have to ask OpenBSD?

cheers
Steven


-----Original Message-----
From: Wietse Venema
Sent: Thursday, December 4, 2014 8:01 PM
To: A. Schulze
Cc: [hidden email]
Subject: Re: Problem with reject_rbl_client when a wildcard entry for
mydomain exists

A. Schulze:

>
> Viktor Dukhovni:
>
> >> general advice: check your /etc/resolv.conf
> >> usually there is no need for other lines then "nameserver
> >> $NAMESERVER_IP"
> >> especially check if "searchdomain" is present and needed and should be
> >> removed.
> >
> > This advice is not right,  Postfix works ...
>
> Yes, BUT:
>
> I had not only postfix in mind. Other server software does not so many
> things
> right as postfix does. For that reason "general" ...
>
> A server should generally be well configured to use only fully
> qualified domainnames.
> As a consequence a server does not need a searchdomain in /etc/resolv.conf
> and therefor it could be removed.
> I do so for many years and saw some strange things went away.
> That's simply my experience running numerous different server over the
> years.

If some vendor appends domains despite Postfix turning that off,
please file a complaint.  That vendor is not helping.

Wietse


Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
[hidden email]:
> Hi all,
>
> I can reproduce this on a "stock" openBSD 5.6 with default main.cf (except
> for the smtpd_client_restrictions, of course).
>
> /var/spool/postfix/etc/resolv.conf contains
>
> lookup file bind
> nameserver 172.16.161.2

Does the problem go away with:

    lookup bind

i.e. remove "file" lookups.

        Wietse

> and  /var/spool/postfix/etc/hosts contains
>
> #       $OpenBSD: hosts,v 1.12 2009/03/10 00:42:13 deraadt Exp $
> #
> # Host Database
> #
> # RFC 1918 specifies that these networks are "internal".
> # 10.0.0.0      10.255.255.255
> # 172.16.0.0    172.31.255.255
> # 192.168.0.0   192.168.255.255
> #
> 127.0.0.1       localhost
> ::1             localhost
>
> But NOT on a stock Ubuntu with the same config.
>
> I guess this means that I have to ak openBSD?
>
> cheers
> Steven
>
>
> -----Original Message-----
> From: Wietse Venema
> Sent: Thursday, December 4, 2014 8:01 PM
> To: A. Schulze
> Cc: [hidden email]
> Subject: Re: Problem with reject_rbl_client when a wildcard entry for
> mydomain exists
>
> A. Schulze:
> >
> > Viktor Dukhovni:
> >
> > >> general advice: check your /etc/resolv.conf
> > >> usually there is no need for other lines then "nameserver
> > >> $NAMESERVER_IP"
> > >> especially check if "searchdomain" is present and needed and should be
> > >> removed.
> > >
> > > This advice is not right,  Postfix works ...
> >
> > Yes, BUT:
> >
> > I had not only postfix in mind. Other server software does not so many
> > things
> > right as postfix does. For that reason "general" ...
> >
> > A server should generally be well configured to use only fully
> > qualified domainnames.
> > As a consequence a server does not need a searchdomain in /etc/resolv.conf
> > and therefor it could be removed.
> > I do so for many years and saw some strange things went away.
> > That's simply my experience running numerous different server over the
> > years.
>
> If some vendor appends domains despite Postfix turning that off,
> please file a complaint.  That vendor is not helping.
>
> Wietse
>
>

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Viktor Dukhovni
On Mon, Dec 08, 2014 at 11:01:57AM -0500, Wietse Venema wrote:

> > /var/spool/postfix/etc/resolv.conf contains
> >
> > lookup file bind
> > nameserver 172.16.161.2
>
> Does the problem go away with:
>
>     lookup bind
>
> i.e. remove "file" lookups.

I would expect not, though this is in /etc/resolv.conf (I am assuming
the OP runs the smtp(8) delivery agent chrooted), it is documented
to only affect gethostby*().

Perhaps this thread is relevant:

    http://osdir.com/ml/os.openbsd.bugs/2005-07/msg00091.html
    http://comments.gmane.org/gmane.os.openbsd.bugs/6290

Is the OP's Postfix linked with "-lpthread" perchance?

--
        Viktor.

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:

> [hidden email]:
> > Hi all,
> >
> > I can reproduce this on a "stock" openBSD 5.6 with default main.cf (except
> > for the smtpd_client_restrictions, of course).
> >
> > /var/spool/postfix/etc/resolv.conf contains
> >
> > lookup file bind
> > nameserver 172.16.161.2
>
> Does the problem go away with:
>
>     lookup bind
>
> i.e. remove "file" lookups.

Never mind. According to the OpenBSD 5.6 resolv.conf manpage, the
"lookup" option is used by gethostbyxxxx() (and presumably also by
getxxxxinfo()). Postfix uses res_search() when it queries a DNSBL
server.

        Wietse

> > and  /var/spool/postfix/etc/hosts contains
> >
> > #       $OpenBSD: hosts,v 1.12 2009/03/10 00:42:13 deraadt Exp $
> > #
> > # Host Database
> > #
> > # RFC 1918 specifies that these networks are "internal".
> > # 10.0.0.0      10.255.255.255
> > # 172.16.0.0    172.31.255.255
> > # 192.168.0.0   192.168.255.255
> > #
> > 127.0.0.1       localhost
> > ::1             localhost
> >
> > But NOT on a stock Ubuntu with the same config.
> >
> > I guess this means that I have to ak openBSD?
> >
> > cheers
> > Steven
> >
> >
> > -----Original Message-----
> > From: Wietse Venema
> > Sent: Thursday, December 4, 2014 8:01 PM
> > To: A. Schulze
> > Cc: [hidden email]
> > Subject: Re: Problem with reject_rbl_client when a wildcard entry for
> > mydomain exists
> >
> > A. Schulze:
> > >
> > > Viktor Dukhovni:
> > >
> > > >> general advice: check your /etc/resolv.conf
> > > >> usually there is no need for other lines then "nameserver
> > > >> $NAMESERVER_IP"
> > > >> especially check if "searchdomain" is present and needed and should be
> > > >> removed.
> > > >
> > > > This advice is not right,  Postfix works ...
> > >
> > > Yes, BUT:
> > >
> > > I had not only postfix in mind. Other server software does not so many
> > > things
> > > right as postfix does. For that reason "general" ...
> > >
> > > A server should generally be well configured to use only fully
> > > qualified domainnames.
> > > As a consequence a server does not need a searchdomain in /etc/resolv.conf
> > > and therefor it could be removed.
> > > I do so for many years and saw some strange things went away.
> > > That's simply my experience running numerous different server over the
> > > years.
> >
> > If some vendor appends domains despite Postfix turning that off,
> > please file a complaint.  That vendor is not helping.
> >
> > Wietse
> >
> >
>

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

s.small
In reply to this post by Viktor Dukhovni
Hi,

I recompiled postfix without "-lpthread", same effect...

Steven



Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Viktor Dukhovni
On Fri, Dec 12, 2014 at 09:38:51AM +0100, [hidden email] wrote:

> I recompiled postfix without "-lpthread", same effect...

Might not help if other libraries Postfix uses are linked
with -lpthread.

Post the output of ldd for $daemon_directory/smtpd.

And of course the problem might lie elsewhere, though the possibility
that OpenBSD breaks the legacy _res.options semantics for
single-threaded programs that happen to be linked with -lpthread
through no fault of their own would have made for a tidy explanation.

Are there enough OpenBSD Postfix users to warrant real effort to
tackle the problem?  I thought that generally OpenBSD (or perhaps
at least Theo) was antagonistic to Postfix for some sort of licensing
reasons, or perhaps for some other convenient reason.

The patch will be OpenBSD specific, and is perhaps best developed
and maintained by whoever maintains the Postfix build for OpenBSD.

A more systematic solution, that might even be beneficial for other
BSD-like systems, might be to add support for res_ninit(),
res_nsearch() and friends.  This would not be a bugfix, rather a
noticeable new bit of plumbing in the DNS library.  So it won't
be in 2.12, not sure about the next release after that.

If the Linux glibc folks also got off their behinds and implemented
the res_ninit() API, then it would be a lot more compelling.

Instead we're likely to get the "getdnsapi" monstrosity foisted on
us at some point.  (Apologies to folks I respect who worked on it,
I still respect you, even though I do think getdnsapi is rather
unwieldy).

--
        Viktor.

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
Viktor Dukhovni:

> On Fri, Dec 12, 2014 at 09:38:51AM +0100, [hidden email] wrote:
>
> > I recompiled postfix without "-lpthread", same effect...
>
> Might not help if other libraries Postfix uses are linked
> with -lpthread.
>
> Post the output of ldd for $daemon_directory/smtpd.
>
> And of course the problem might lie elsewhere, though the possibility
> that OpenBSD breaks the legacy _res.options semantics for
> single-threaded programs that happen to be linked with -lpthread
> through no fault of their own would have made for a tidy explanation.
>
> Are there enough OpenBSD Postfix users to warrant real effort to
> tackle the problem?  I thought that generally OpenBSD (or perhaps
> at least Theo) was antagonistic to Postfix for some sort of licensing
> reasons, or perhaps for some other convenient reason.

This would affect their default MTA Sendmail, too, according to
http://permalink.gmane.org/gmane.os.openbsd.bugs/6298

        Wietse

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

Wietse Venema
Wietse Venema:
> > Are there enough OpenBSD Postfix users to warrant real effort to
> > tackle the problem?  I thought that generally OpenBSD (or perhaps
> > at least Theo) was antagonistic to Postfix for some sort of licensing
> > reasons, or perhaps for some other convenient reason.
>
> This would affect their default MTA Sendmail, too, according to
> http://permalink.gmane.org/gmane.os.openbsd.bugs/6298

sendmail 8.15.1, released a few days ago, has 37 references to
_res.options.

The _res.options interface is supported on FreeBSD and with (Linux)
glibc, so it is not a rogue API as some people suggest:

     Global configuration and state information that is used by the resolver
     routines is kept in the structure _res.  Most of the values have reason-
     able defaults and can be ignored.  Options stored in _res.options are
     defined in <resolv.h> and are as follows.  Options are stored as a simple
     bit mask containing the bitwise ``or'' of the options enabled.

       The  resolver  routines  use global configuration and state information
       contained in the structure _res, which is defined in  <resolv.h>.   The
       only  field  that  is normally manipulated by the user is _res.options.
       This field can contain the bitwise "OR" of the following options:

If OpenBSD decides not to support this, then someone would have to
write a (post)fix for OpenBSD.

        Wietse