Receiving mail from a host without a valid rDNS


@lbutlr
I have a mail host that I want to receive mail from that does not have a valid rDNS (it recently moved and their ISP is comcast and it seems to be taking a stupidly long time). Anyway, I first tried this:

   check_sender_access pcre:$config_directory/sender_access.pcre

/@name.of.host/ OK

This did not work. I also tried putting that into the check_helo_access file,

/name.of.host/ OK

still did not work, which makes sense as the helo check passes.

I then tried commenting out

reject_unknown_reverse_client_hostname

Which also did not work.

The mail server passes the first check for valid host name, and I thought it would be the reverse check that was blocking it.

Jun 24 07:39:38 mail postfix/smtpd[59684]: NOQUEUE: permit: RCPT from unknown[50.208.139.244]: action=permit for Helo command=*protectTheGuilty* ; from=<bounces@*protectTheGuiltyAlt*> to=<[hidden email]> proto=ESMTP helo=<*protectTheGuilty*>
Jun 24 07:39:38 mail postfix/smtpd[59684]: NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 550 5.7.25 Client host rejected: cannot find your hostname, [xx.xx.xx.xx]; from=<bounces@*protectTheGuiltyAlt*> to=<[hidden email]> proto=ESMTP helo=<*protectTheGuilty*>

The host name in question does resolve properly for a dig, but the reverse resolves to a comcast.net static pool address in the form xx-xx-xx-xx-static.hfc.comcastbusiness.net.



smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    permit
smtpd_recipient_restrictions = reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unverified_recipient
    reject_unknown_sender_domain
    reject_invalid_hostname
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_unknown_client_hostname
    check_sender_access pcre:$config_directory/sender_access.pcre
    reject_unknown_reverse_client_hostname
    permit

Re: Receiving mail from a host without a valid rDNS

Wietse Venema
@lbutlr:
> Jun 24 07:39:38 mail postfix/smtpd[59684]: NOQUEUE: reject: RCPT from
> unknown[xx.xx.xx.xx]: 550 5.7.25 Client host rejected: cannot find your
> hostname, [xx.xx.xx.xx]; from=<bounces@*protectTheGuiltyAlt*>
> to=<[hidden email]> proto=ESMTP helo=<*protectTheGuilty*>

Blocked by reject_unknown_client_hostname.

> smtpd_recipient_restrictions = reject_unauth_destination
>     ...
>     reject_unknown_client_hostname
>     check_sender_access pcre:$config_directory/sender_access.pcre
>     reject_unknown_reverse_client_hostname
>     permit

reject_unknown_reverse_client_hostname has no effect when placed
after reject_unknown_client_hostname.

Delete reject_unknown_client_hostname, or add

    check_client_access inline:{1.2.3.4:ok}

before reject_unknown_client_hostname.

        Wietse
Re: Receiving mail from a host without a valid rDNS

@lbutlr
On 24 Jun 2019, at 08:56, Wietse Venema <[hidden email]> wrote:
> Delete reject_unknown_client_hostname, or add
>
>    check_client_access inline:{1.2.3.4:ok}

Thank you.


--
Belief is one of the most powerful organic forces in the multiverse. It
may not be able to move mountains, exactly. But it can create someone
who can.


Re: Receiving mail from a host without a valid rDNS

@lbutlr
On 24 Jun 2019, at 18:51, @lbutlr <[hidden email]> wrote:
> On 24 Jun 2019, at 08:56, Wietse Venema <[hidden email]> wrote:
>> Delete reject_unknown_client_hostname, or add
>>
>>   check_client_access inline:{1.2.3.4:ok}
>
> Thank you.

A note that I just noticed while making sure all was working (it was with the issue I posted about) but I saw:

mail postfix/smtpd[87533]: NOQUEUE: reject: RCPT from hermes.apache.org[207.244.88.153]: 451 4.3.5 <hermes.apache.org[207.244.88.153]>: Client host rejected: Server configuration error; from=<users-return-120745-kremels=[hidden email]> to=<[hidden email]> proto=SMTP helo=<mail.apache.org>      

(I did the inline{ip:ok} to whitelist the server I wanted). Is a lack of rDNS becoming more common?

Is removing reject_unknown_client_hostname reasonable?



--
How do you feel? I'm lonely What do you think? Cant take it all Whatcha
gonna do? Gonna live my life


Re: Receiving mail from a host without a valid rDNS

Wietse Venema
In reply to this post by @lbutlr
@lbutlr:
> On 24 Jun 2019, at 08:56, Wietse Venema <[hidden email]> wrote:
> > Delete reject_unknown_client_hostname, or add
> >
> >    check_client_access inline:{1.2.3.4:ok}

Should be:

    check_client_access inline:{1.2.3.4=ok}

Argh.

        Wietse
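
Added example, not part of the original thread or of Postfix itself: a simplified Python model of how an smtpd restriction list is evaluated (the first OK or REJECT ends the list), showing why the allow entry has to precede reject_unknown_client_hostname and how keying it on the client IP differs from keying it on the sender address. The IP addresses, the Client fields, and the assumption that the client has a PTR record that fails forward confirmation are constructed for illustration.

```python
# Simplified model of Postfix first-match restriction evaluation (illustration only).
from dataclasses import dataclass

@dataclass
class Client:
    ip: str
    has_ptr: bool            # address -> name lookup returned a name
    forward_confirms: bool   # that name resolves back to the client IP
    sender: str

ALLOWED_IPS = {"192.0.2.25"}              # constructed stand-in for inline:{1.2.3.4=ok}
ALLOWED_SENDER_DOMAINS = {"name.of.host"}  # stand-in for the sender_access.pcre entry

def check_client_access(c):
    return "OK" if c.ip in ALLOWED_IPS else "DUNNO"

def check_sender_access(c):
    return "OK" if c.sender.rsplit("@", 1)[-1] in ALLOWED_SENDER_DOMAINS else "DUNNO"

def reject_unknown_client_hostname(c):
    # Fires when there is no PTR, or the PTR name does not map back to the client IP.
    return "DUNNO" if (c.has_ptr and c.forward_confirms) else "REJECT"

def reject_unknown_reverse_client_hostname(c):
    # Weaker test: fires only when there is no PTR at all.
    return "DUNNO" if c.has_ptr else "REJECT"

def evaluate(restrictions, c):
    """Return (verdict, deciding restriction); the first OK or REJECT ends the list."""
    for r in restrictions:
        result = r(c)
        if result != "DUNNO":
            return ("permit" if result == "OK" else "reject", r.__name__)
    return ("permit", "permit")  # the trailing 'permit' in the posted list

ORIGINAL = [reject_unknown_client_hostname, check_sender_access,
            reject_unknown_reverse_client_hostname]
FIXED = [check_client_access] + ORIGINAL
SENDER_ONLY = [check_sender_access, reject_unknown_reverse_client_hostname]

# Constructed clients: PTR exists but does not forward-confirm (assumed, see lead-in).
wanted = Client("192.0.2.25", True, False, "bounces@name.of.host")
other = Client("198.51.100.7", True, False, "bounces@name.of.host")  # same sender, other IP

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("fixed", FIXED), ("sender-only", SENDER_ONLY)]:
        print(name, evaluate(rules, wanted), evaluate(rules, other))
```

In the sender-only list the second client is permitted as well, because the envelope sender is whatever the connecting host claims, while the client IP entry admits only the one address.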
Re: Receiving mail from a host without a valid rDNS

joao


"Wietse Venema" <[hidden email]> – 25 June 2019 at 07:56

> @lbutlr:
> > On 24 Jun 2019, at 08:56, Wietse Venema <[hidden email]> wrote:
> > > Delete reject_unknown_client_hostname, or add
> > >
> > > check_client_access inline:{1.2.3.4:ok}
>
> Should be:
>
> check_client_access inline:{1.2.3.4=ok}
>
> Argh.
>
> Wietse
Re: Receiving mail from a host without a valid rDNS

Matus UHLAR - fantomas
In reply to this post by @lbutlr
On 24.06.19 08:04, @lbutlr wrote:

>I have a mail host that I want to receive mail from that does not have a
> valid rDNS (it recently moved and their ISP is comcast and it seems to be
> taking a stupidly long time).  Anyway, I first tried this:
>
>   check_sender_access pcre:$config_directory/sender_access.pcre
>
>/@name.of.host/ OK
>
>This did not work. I also tried putting that into the check_helo_access file,
>
>/name.of.host/ OK

do you really need pcre?
simple check_helo_access and check_sender_access should be able to reject
"name.of.host" or ".domain.of.host" etc


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".