Question regarding smtpd DNS resolution


Question regarding smtpd DNS resolution

J Doe
Hello,

I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error

... or is some other logic used to generate the error message?

Thanks,

- J

Re: Question regarding smtpd DNS resolution

Viktor Dukhovni


> On Feb 4, 2018, at 5:46 PM, J Doe <[hidden email]> wrote:
>
> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known
>
> Does this mean that:
>
> 1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
> 2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
> 3. If the IP addresses don’t match it reports this error
>
> ... or is some other logic used to generate the error message?

The message happens when the hostname obtained from 1 fails to resolve
to an IP address that can be compared in 2.  The error is a hard error
(NXDomain).

--
        Viktor.
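The three-step check from the question, with the case Viktor describes (the PTR name does not exist in forward DNS, a hard NXDOMAIN error) as one of four outcomes, written as an added example; this is not Postfix's code nor any poster's. The resolvers are injected so the demo runs offline on constructed zone data; live_reverse and live_forward are hypothetical stand-ins built on the socket module.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Outcomes of the three steps in the question; the thread's warning is FORWARD_NXDOMAIN.
PTR_MISSING = "no PTR record for client address"
FORWARD_NXDOMAIN = "hostname does not resolve to address"   # what smtpd logged above
FORWARD_MISMATCH = "hostname resolves, but not back to the client address"
OK = "forward-confirmed reverse DNS ok"
ReverseFn = Callable[[str], Optional[str]]        # ip -> PTR name, None on NXDOMAIN
ForwardFn = Callable[[str], Optional[List[str]]]  # name -> addresses, None on NXDOMAIN

def check_fcrdns(client_ip: str, reverse: ReverseFn, forward: ForwardFn) -> str:
    """Classify a connecting client the way steps 1-3 in the question describe."""
    ip = ipaddress.ip_address(client_ip)  # ValueError on malformed input
    hostname = reverse(str(ip))           # step 1: reverse (PTR) lookup
    if hostname is None:
        return PTR_MISSING
    addrs = forward(hostname)             # step 2: forward lookup of that name
    if addrs is None:
        return FORWARD_NXDOMAIN           # hard error: the name does not exist
    # step 3: the forward answer must contain the original client address
    if any(ipaddress.ip_address(a) == ip for a in addrs):
        return OK
    return FORWARD_MISMATCH

# Live resolvers on the standard library, for real use (the demo below stays offline).
def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name: str) -> Optional[List[str]]:
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except OSError:
        return None

# Constructed zone data (hypothetical hosts; 1.2.3.4 is the case from the thread).
_PTR = {"1.2.3.4": "1-2-3-4.dyn.isp.net", "192.0.2.10": "mx.example.org",
        "192.0.2.20": "mail.example.net"}
_A = {"mx.example.org": ["192.0.2.10"], "mail.example.net": ["198.51.100.5"]}
demo_reverse = _PTR.get   # constructed stand-ins for the live resolvers
demo_forward = _A.get

if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.0.2.10", "192.0.2.20", "203.0.113.9"):
        print(ip, "->", check_fcrdns(ip, demo_reverse, demo_forward))
```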


Re: Question regarding smtpd DNS resolution

allenc


On 05/02/18 00:12, Viktor Dukhovni wrote:

>
>
>> On Feb 4, 2018, at 5:46 PM, J Doe <[hidden email]> wrote:
>>
>> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known
>>
>> Does this mean that:
>>
>> 1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
>> 2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
>> 3. If the IP addresses don’t match it reports this error
>>
>> ... or is some other logic used to generate the error message?
>
> The message happens when the hostname obtained from 1 fails to resolve
> to an IP address that can be compared in 2.  The error is a hard error
> (NXDomain).
>

Is this a reliable bad-host detector? The last three instances in my
log were subsequently rejected by a DNSBL.

Allen C

Re: Question regarding smtpd DNS resolution

Karol Augustin
On 2018-02-05 12:26, Allen Coates wrote:

> On 05/02/18 00:12, Viktor Dukhovni wrote:
>>
>>
>>> On Feb 4, 2018, at 5:46 PM, J Doe <[hidden email]> wrote:
>>>
>>> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known
>>>
>>> Does this mean that:
>>>
>>> 1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
>>> 2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
>>> 3. If the IP addresses don’t match it reports this error
>>>
>>> ... or is some other logic used to generate the error message?
>>
>> The message happens when the hostname obtained from 1 fails to resolve
>> to an IP address that can be compared in 2.  The error is a hard error
>> (NXDomain).
>>
>
> Is this a reliable bad-host detector?   The last three instances in my
> log were subsequently rejected by a DNSBL
>
> Allen C

It is a good indicator. All well configured mail servers should have
correct PTR records (full circle DNS). A lot of spam sending machines
have this problem as usually spammers can't control PTR records of the IP
that they are spamming from. Unfortunately a lot of legitimate mail
comes from badly configured servers and outright rejecting mail coming
from hosts with bad PTR/no PTR might prevent you from receiving
legitimate e-mail as well. But, as usual, it depends on your user base
and YMMV.

I've heard that gmail is rejecting / spam tagging email from such hosts
but never confirmed that myself. Maybe in some foreseeable future it
will be safe to reject bad PTR hosts but, in my opinion, not yet.

k.


--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: Question regarding smtpd DNS resolution

@lbutlr
On Feb 5, 2018, at 05:26, Allen Coates <[hidden email]> wrote:
>
> Is this a reliable bad-host detector?

It is a very good indicator of spam. It is also an indicator of a misconfigured mail server (in the case of spammers, intentionally so). Anyone hitting this error on your postfix is going to be unable to send mail to the majority of mail servers.

OT: I'd love an option to split these kinds of errors into a separate log file. I keep maillogs for a long time, but this garbage I'd love to dump after a day or two.

--
This is my signature. There are many like it, but this one is mine.

Re: Question regarding smtpd DNS resolution

Matus UHLAR - fantomas
>On Feb 5, 2018, at 05:26, Allen Coates <[hidden email]> wrote:
>> Is this a reliable bad-host detector?

On 05.02.18 12:20, LuKreme wrote:
>It is a very good indicator of spam. It is also an indicator of a
> misconfigured mail server (in the case of spammers, intentionally so).

I would say "ignored" rather than "intentionally". Many admins either do not
know, or do not care (in case of spammers), since it's time consuming (when
you have less than /24).

> Anyone kitting this error on your postfix is going to be unable to send
> mail to the majority of mail servers.

it's quite funny when they blame others for rejecting mail from servers
without fcrdns.

>OT: I'd love an option to split these kinds of errors into a separate log
> file.  I keep maillogs for a long time, but this garbage I'd love to dump
> after a day or two.

yeah, filtering logs to different files is outta postfix scope :)
use syslog-ng...


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
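Allen's observation (clients that triggered the warning and were later rejected by a DNSBL) and the wish to keep these warnings in a separate file, as an added Python example run over constructed Postfix-format log lines rather than a syslog-ng configuration; it is not any poster's code, and the client addresses and the list name dnsbl.example are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in Postfix's log format (nobody's real maillog; 1.2.3.4 is the
# thread's example and dnsbl.example is a placeholder list name).
SAMPLE_LOG = """\
Feb  5 10:01:02 mx postfix/smtpd[718]: connect from unknown[1.2.3.4]
Feb  5 10:01:02 mx postfix/smtpd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known
Feb  5 10:01:03 mx postfix/smtpd[718]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using dnsbl.example; from=<a@b.test> to=<c@d.test> proto=ESMTP helo=<x>
Feb  5 10:02:10 mx postfix/smtpd[719]: connect from mx.example.org[192.0.2.10]
Feb  5 10:03:00 mx postfix/smtpd[720]: warning: hostname host.example.net does not resolve to address 203.0.113.9: Name or service not known
Feb  5 10:03:01 mx postfix/smtpd[720]: 4B3C2D: client=unknown[203.0.113.9]
"""

WARN_RE = re.compile(r"warning: hostname (\S+) does not resolve to address (\S+?):")
DNSBL_RE = re.compile(r"reject: RCPT from \S+\[([^\]]+)\].*blocked using (\S+?);")

def split_fcrdns_warnings(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate the FCrDNS warnings from everything else (the split log file wished for)."""
    warnings, rest = [], []
    for line in lines:
        (warnings if WARN_RE.search(line) else rest).append(line)
    return warnings, rest

def correlate(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: did it trigger the warning, and which DNSBL (if any) rejected it?"""
    per_ip = defaultdict(lambda: {"fcrdns_warning": False, "dnsbl": None})
    for line in lines:
        if m := WARN_RE.search(line):
            per_ip[m.group(2)]["fcrdns_warning"] = True
        if m := DNSBL_RE.search(line):
            per_ip[m.group(1)]["dnsbl"] = m.group(2)
    return dict(per_ip)

def warned_and_listed_share(per_ip: Dict[str, dict]) -> float:
    """Share of warned clients that a DNSBL also rejected; 0.0 when nothing was warned."""
    warned = [v for v in per_ip.values() if v["fcrdns_warning"]]
    return sum(1 for v in warned if v["dnsbl"]) / len(warned) if warned else 0.0

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    warnings, _ = split_fcrdns_warnings(lines)
    stats = correlate(lines)
    print(len(warnings), "warnings split out;", stats)
    print("warned clients also DNSBL-rejected:", warned_and_listed_share(stats))
```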