Rejecting Reverse Hostname in Logs

Rejecting Reverse Hostname in Logs

Carlwill
I have someone telling me that they can't send email to my mail
server. I checked the logs and it appears that Postfix is not happy
with the way their client or server is sending the message to me. I
want to understand what is causing this. I would like to know if
anyone can please help me understand what is at fault here. I am
guessing that this is being caused by:

smtpd_sender_restrictions = reject_unknown_reverse_client_hostname

Can someone please help me understand? Should I have the noted above
restriction in my main.cf or is this being too restrictive? Is that
even the correct parameter that is causing the delivery failure? I
removed the sender's user name and my recipient's full email address for
privacy.

Sep 22 18:11:55 mail postfix/smtpd[6052]: NOQUEUE: reject: RCPT from
unknown[204.117.196.2]: 450 4.7.1 Client host rejected: cannot find
your reverse hostname, [204.117.196.2];
from=<**********@pmcatt-ppss.com> to=<*************@***.com>
proto=ESMTP helo=<mail.pmcatt-ppss.com>

*Postconf -n*

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_unlisted_recipient,
    check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname, permit
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Re: Rejecting Reverse Hostname in Logs

Martijn de Munnik-2
Hi Carlos,

On Thu, 2009-09-24 at 09:08 -0400, Carlos Williams wrote:
> I have someone telling me that they can't send email to my mail
> server. I checked the logs and it appears that Postfix is not happy
> with the way their client or server is sending the message to me. I
> want to understand what is causing this. I would like to know if
> anyone can please help me understand what is at fault here. I am
> guessing that this is being caused by:
>
> smtpd_sender_restrictions = reject_unknown_reverse_client_hostname

I think this is not too restrictive and the sending mailserver should
fix their rdns, YMMV. We use a policy server (policyd-weight) which
gives scores for things like no rdns, dialup ip, ip in dnsbl etc.

>
> Can someone please help me understand? Should I have the noted above
> restriction in my main.cf or is this being too restrictive? Is that
> even the correct parameter that is causing the delivery failure? I
> removed the sender's user name and my recipient's full email address for
> privacy.
>
> Sep 22 18:11:55 mail postfix/smtpd[6052]: NOQUEUE: reject: RCPT from
> unknown[204.117.196.2]: 450 4.7.1 Client host rejected: cannot find
> your reverse hostname, [204.117.196.2];
> from=<**********@pmcatt-ppss.com> to=<*************@***.com>
> proto=ESMTP helo=<mail.pmcatt-ppss.com>
>
> *Postconf -n*
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, $mydomain, mail.$mydomain
> mydomain = iamghost.com
> myhostname = mail.iamghost.com
> mynetworks = $config_directory/mynetworks
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> recipient_delimiter = +
> relay_domains =
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
> permit_sasl_authenticated,    reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname,    permit
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,   reject_unauth_pipelining,
> reject_non_fqdn_recipient,   reject_unknown_recipient_domain,
> reject_unauth_destination,   reject_unlisted_recipient,
> check_policy_service unix:postgrey/socket,   check_sender_access
>  hash:/etc/postfix/sender_access,   reject_rbl_client
> zen.spamhaus.org,   reject_rbl_client bl.spamcop.net,   permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks,
> permit_sasl_authenticated,    reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unknown_reverse_client_hostname,     permit
> smtpd_tls_CAfile = /etc/ssl/intermediate.crt
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/mail.crt
> smtpd_tls_key_file = /etc/ssl/mail.key
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
>

Kind regards,

Martijn de Munnik

--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: Rejecting Reverse Hostname in Logs

Carlwill
On Thu, Sep 24, 2009 at 9:16 AM, Martijn de Munnik <[hidden email]> wrote:
> I think this is not too restrictive and the sending mailserver should
> fix their rdns, YMMV. We use a policy server (policyd-weight) which
> gives scores for things like no rdns, dialup ip, ip in dnsbl etc.

So the problem then is that the server's reverse DNS is not resolving
to their sending IP, correct?
When I do a RDNS on the server, I get the following:

204.117.196.2 resolves to
"mail.pmcatt-ppss.com"
Top Level Domain: "pmcatt-ppss.com"

Is that not correct? I am still confused as to trying to simply
understand why the message was rejected.

Re: Rejecting Reverse Hostname in Logs

Martijn de Munnik-2

On Thu, 2009-09-24 at 15:48 +0200, Martijn de Munnik wrote:

> On Thu, 2009-09-24 at 09:41 -0400, Carlos Williams wrote:
> > On Thu, Sep 24, 2009 at 9:16 AM, Martijn de Munnik <[hidden email]> wrote:
> > > I think this is not too restrictive and the sending mailserver should
> > > fix their rdns, YMMV. We use a policy server (policyd-weight) which
> > > gives scores for things like no rdns, dialup ip, ip in dnsbl etc.
> >
> > So the problem then is that the server's reverse DNS is not resolving
> > to their sending IP, correct?
> > When I do a RDNS on the server, I get the following:
> >
> > 204.117.196.2 resolves to
> > "mail.pmcatt-ppss.com"
> > Top Level Domain: "pmcatt-ppss.com"
>
> 204.117.196.2 has a reverse dns entry: 2.196.117.204.in-addr.arpa domain
> name pointer mail.pmcatt-ppss.com.
>
> So the problem is on your postfix box. Postfix replied a 450 temporary
> failure, the sending mailserver should try again later. Check if you can
> resolve the ip on your postfix box.
>
> >
> > Is that not correct? I am still confused as to trying to simply
> > understand why the message was rejected.
> >
>
>

Kind regards,

Martijn de Munnik

--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: Rejecting Reverse Hostname in Logs

Noel Jones-2
On 9/24/2009 9:08 AM, Martijn de Munnik wrote:

>
> On Thu, 2009-09-24 at 15:48 +0200, Martijn de Munnik wrote:
>> On Thu, 2009-09-24 at 09:41 -0400, Carlos Williams wrote:
>>> On Thu, Sep 24, 2009 at 9:16 AM, Martijn de Munnik<[hidden email]>  wrote:
>>>> I think this is not too restrictive and the sending mailserver should
>>>> fix their rdns, YMMV. We use a policy server (policyd-weight) which
>>>> gives scores for things like no rdns, dialup ip, ip in dnsbl etc.
>>>
>>> So the problem then is that the server's reverse DNS is not resolving
>>> to their sending IP, correct?
>>> When I do a RDNS on the server, I get the following:
>>>
>>> 204.117.196.2 resolves to
>>> "mail.pmcatt-ppss.com"
>>> Top Level Domain: "pmcatt-ppss.com"
>>
>> 204.117.196.2 has a reverse dns entry: 2.196.117.204.in-addr.arpa domain
>> name pointer mail.pmcatt-ppss.com.
>>
>> So the problem is on your postfix box. Postfix replied a 450 temporary
>> failure, the sending mailserver should try again later. Check if you can
>> resolve the ip on your postfix box.

The client has slightly broken rDNS.  From my box:

$ host 204.117.196.2
Host 2.196.117.204.in-addr.arpa not found: 2(SERVFAIL)

and a few minutes later...
$ host 204.117.196.2
2.196.117.204.in-addr.arpa domain name pointer
mail.pmcatt-ppss.com.

Note that postfix rejected the mail with a 450 "defer" code
since this was a temporary error; the client should retry
later.  Hopefully the rDNS will work on a later attempt.

At any rate, if you need to consistently receive mail from
that client, you will need to either remove
reject_unknown_reverse_client_hostname (a useful and generally
safe restriction) or add that client to a check_client_access
whitelist.

   -- Noel Jones
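
Added example (not part of the thread and not Postfix's own code): a log triage script for the case described in the last reply, where a client's PTR lookup fails on some attempts and succeeds on others. It scans smtpd log lines for this specific reject and flags client IPs that also appear with a resolved hostname; the sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd syslog format (documentation
# addresses and names, not taken from the thread).
SAMPLE_LOG = """\
Sep 22 18:11:55 mail postfix/smtpd[6052]: connect from unknown[192.0.2.10]
Sep 22 18:11:55 mail postfix/smtpd[6052]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<a@sender.example> to=<b@rcpt.example> proto=ESMTP helo=<mail.sender.example>
Sep 22 18:41:57 mail postfix/smtpd[6101]: connect from mail.sender.example[192.0.2.10]
Sep 22 19:02:10 mail postfix/smtpd[6130]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<c@other.example> to=<b@rcpt.example> proto=ESMTP helo=<mx.other.example>
Sep 22 19:32:12 mail postfix/smtpd[6177]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<c@other.example> to=<b@rcpt.example> proto=ESMTP helo=<mx.other.example>
Sep 22 19:40:00 mail postfix/smtpd[6200]: connect from mx.third.example[203.0.113.5]
"""

# The reject logged by reject_unknown_reverse_client_hostname.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from [^\[\s]+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"Client host rejected: cannot find your reverse hostname.*?helo=<(?P<helo>[^>]*)>"
)
# Any smtpd line that names the client as name[ip].
CLIENT_RE = re.compile(
    r"\b(?:connect|disconnect|RCPT) from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

def summarize_rdns_rejects(lines):
    """Per client IP: reject count, reply codes, HELO names, and whether the
    same IP was also logged with a resolved name (intermittent rDNS)."""
    rejects = defaultdict(lambda: {"count": 0, "codes": set(), "helo": set()})
    resolved = defaultdict(set)
    for line in lines:
        client = CLIENT_RE.search(line)
        if client and client["name"] != "unknown":
            resolved[client["ip"]].add(client["name"])
        hit = REJECT_RE.search(line)
        if hit:
            entry = rejects[hit["ip"]]
            entry["count"] += 1
            entry["codes"].add(hit["code"])
            entry["helo"].add(hit["helo"])
    return {
        ip: {**entry, "resolved_as": resolved.get(ip, set()),
             "intermittent": bool(resolved.get(ip))}
        for ip, entry in rejects.items()
    }

if __name__ == "__main__":
    for ip, info in summarize_rdns_rejects(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An IP reported as intermittent is one to review by hand for the check_client_access whitelist mentioned above; an IP that never resolves is the sender's DNS to fix.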