Testing reject_unknown_client_hostname

Testing reject_unknown_client_hostname

mrobti
Hello, in Postfix v3.1 I'm having a hard time getting
reject_unknown_client_hostname to bounce test messages.

I set an external host's Postfix myhostname to be purposefully
incorrect, like nosuchhost.example.com and sent a message to the test
system. If I have reject_unknown_helo_hostname enabled, it will reject
such messages. But reject_unknown_client_hostname won't, I don't
understand why.

smtpd_helo_required = yes
smtpd_helo_restrictions =
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  reject_unknown_helo_hostname
smtpd_client_restrictions =
  reject_unauth_pipelining
  reject_unknown_client_hostname
smtpd_sender_restrictions =
  reject_non_fqdn_sender
  reject_unknown_sender_domain
smtpd_relay_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  permit_sasl_authenticated

Re: Testing reject_unknown_client_hostname

Noel Jones-2
On 3/9/2017 2:58 PM, MRob wrote:
> Hello, in Postfix v3.1 I'm having a hard time getting
> reject_unknown_client_hostname to bounce test messages.

See the docs for what this rejects.
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

Warning: this is a very strict test likely to reject legit mail.

See also: FCrDNS


> I set an external host's Postfix myhostname to be purposefully
> incorrect, like nosuchhost.example.com and sent a message to the
> test system. If I have reject_unknown_helo_hostname enabled, it will
> reject such messages. But reject_unknown_client_hostname won't, I
> don't understand why.

Settings in postfix do not control the client hostname; the client
hostname is set in DNS.



  -- Noel Jones

Re: Testing reject_unknown_client_hostname

mrobti
On 2017-03-09 13:06, Noel Jones wrote:
> On 3/9/2017 2:58 PM, MRob wrote:
>> Hello, in Postfix v3.1 I'm having a hard time getting
>> reject_unknown_client_hostname to bounce test messages.
>
> See the docs for what this rejects.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>
> Warning: this is a very strict test likely to reject legit mail.

I'm aware of that, but wanted to test it and see how we did. Definitely,
anecdotes about what type of mail will be rejected are appreciated.

> See also: FCrDNS
>
>
>> I set an external host's Postfix myhostname to be purposefully
>> incorrect, like nosuchhost.example.com and sent a message to the
>> test system. If I have reject_unknown_helo_hostname enabled, it will
>> reject such messages. But reject_unknown_client_hostname won't, I
>> don't understand why.
>
> Settings in postfix do not control the client hostname; the client
> hostname is set in DNS.

Yes, that's for the address->name mapping part of the check. Isn't the
hostname for the name->address mapping part of the check obtained by
HELO? Is there something in the tcp connection that identifies the
hostname? Sorry if I misunderstood this part.

Re: Testing reject_unknown_client_hostname

Noel Jones-2
On 3/9/2017 3:16 PM, MRob wrote:

> obtained by HELO? Is there something in the tcp connection that
> identifies the hostname? Sorry if I misunderstood this part.

The HELO name is not related to and doesn't matter for
reject_unknown_client_hostname.  Perhaps you were confused by the
different context of hostname; client (rDNS) vs. HELO (SMTP).

The client hostname is determined by an rDNS lookup of the
connecting IP.  The resulting rDNS hostname is then looked up, and
must resolve to the connecting IP.  This is also referred to as
Forward Confirmed reverse DNS.

You can test reject_unknown_client_hostname and other features using
the XCLIENT command to simulate some IP that fails FCrDNS.
http://www.postfix.org/XCLIENT_README.html

Alternately, you can use "warn_if_reject
reject_unknown_client_hostname" and watch the log for warnings.
http://www.postfix.org/postconf.5.html#warn_if_reject




  -- Noel Jones
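The two lookups Noel contrasts above, the FCrDNS check behind reject_unknown_client_hostname and the forward-only lookup behind reject_unknown_helo_hostname, as an added example that is not code from this thread or from Postfix. The DNS records are a constructed in-memory table so it runs offline, and the MX fallback of the HELO check is left out.

```python
from typing import Dict, List, Optional, Tuple

class TempFail(Exception):
    """Lookup timed out or SERVFAILed, as opposed to NXDOMAIN."""

# Constructed records in RFC 5737 documentation ranges (not real hosts).
PTR: Dict[str, str] = {
    "203.0.113.10": "mail.example.net",   # forward lookup confirms -> ok
    "203.0.113.20": "ghost.example.com",  # PTR exists but name has no A record
    "203.0.113.30": "vps.example.org",    # A record points to a different IP
}
A: Dict[str, List[str]] = {
    "mail.example.net": ["203.0.113.10", "2001:db8::10"],
    "vps.example.org": ["198.51.100.7"],
}
DOWN = {"203.0.113.40"}  # reverse zone that does not answer at all

def lookup_ptr(ip: str) -> Optional[str]:
    """Address->name: None means NXDOMAIN, TempFail means try again later."""
    if ip in DOWN:
        raise TempFail(ip)
    return PTR.get(ip)

def lookup_a(name: str) -> List[str]:
    """Name->address; an empty list means the name has no A/AAAA record."""
    return A.get(name, [])

def unknown_client_hostname(ip: str) -> Tuple[str, str]:
    """FCrDNS verdict for the connecting IP: ("ok"|"reject"|"defer", why)."""
    try:
        name = lookup_ptr(ip)
        if name is None:
            return "reject", "no address->name mapping"
        addrs = lookup_a(name)
    except TempFail:
        return "defer", "temporary DNS failure"  # 450, never a hard reject
    if not addrs:
        return "reject", f"no name->address mapping for {name}"
    if ip not in addrs:
        return "reject", f"{name} does not resolve back to {ip}"
    return "ok", name

def unknown_helo_hostname(helo: str) -> Tuple[str, str]:
    """HELO verdict: only the HELO string is looked up, the client IP is unused."""
    return ("ok", helo) if lookup_a(helo) else ("reject", f"{helo} has no A record")

def check_client(ip: str, helo: str) -> Dict[str, str]:
    """The original post's setup: a correctly registered IP sending a bogus HELO."""
    return {"client": unknown_client_hostname(ip)[0],
            "helo": unknown_helo_hostname(helo)[0]}
```

Changing myhostname on the sending box only changes the `helo` argument; the `client` verdict depends solely on the PTR and A records for the connecting IP.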

Re: Testing reject_unknown_client_hostname

mrobti
On 2017-03-09 13:41, Noel Jones wrote:

> On 3/9/2017 3:16 PM, MRob wrote:
>
>> obtained by HELO? Is there something in the tcp connection that
>> identifies the hostname? Sorry if I misunderstood this part.
>
> The HELO name is not related to and doesn't matter for
> reject_unknown_client_hostname.  Perhaps you were confused by the
> different context of hostname; client (rDNS) vs. HELO (SMTP).
>
> The client hostname is determined by an rDNS lookup of the
> connecting IP.  The resulting rDNS hostname is then looked up, and
> must resolve to the connecting IP.  This is also referred to as
> Forward Confirmed reverse DNS.
>
> You can test reject_unknown_client_hostname and other features using
> the XCLIENT command to simulate some IP that fails FCrDNS.
> http://www.postfix.org/XCLIENT_README.html
>
> Alternately, you can use "warn_if_reject
> reject_unknown_client_hostname" and watch the log for warnings.
> http://www.postfix.org/postconf.5.html#warn_if_reject

Thank you once again, Noel.

Re: Testing reject_unknown_client_hostname

mrobti
In reply to this post by Noel Jones-2
On 2017-03-09 13:41, Noel Jones wrote:

> On 3/9/2017 3:16 PM, MRob wrote:
>
>> obtained by HELO? Is there something in the tcp connection that
>> identifies the hostname? Sorry if I misunderstood this part.
>
> The HELO name is not related to and doesn't matter for
> reject_unknown_client_hostname.  Perhaps you were confused by the
> different context of hostname; client (rDNS) vs. HELO (SMTP).
>
> The client hostname is determined by an rDNS lookup of the
> connecting IP.  The resulting rDNS hostname is then looked up, and
> must resolve to the connecting IP.  This is also referred to as
> Forward Confirmed reverse DNS.

So is there any restriction that compares the client IP mapping with the
HELO hostname? Is that a bad idea?

Re: Testing reject_unknown_client_hostname

Viktor Dukhovni

> On Mar 9, 2017, at 8:22 PM, MRob <[hidden email]> wrote:
>
> So is there any restriction that compares the client IP mapping with the HELO hostname?

Nothing built-in

> Is that a bad idea?

Yes.

--
        Viktor.


Re: Testing reject_unknown_client_hostname

Richard James Salts
On 10/03/17 12:44, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 8:22 PM, MRob [hidden email] wrote:
>>
>> So is there any restriction that compares the client IP mapping with the HELO hostname?
> Nothing built-in
>
>> Is that a bad idea?
> Yes.

Unless the system you're receiving email from publishes a CSA record. You would need to write a policy daemon to check for the presence of CSA records, and I don't believe it's widely deployed so it would be of little benefit. There is also reference to the helo name in SPF specification, although I believe this is usually as a fallback for bounces (i.e. apply spf on the helo name when you see mail from:<>) and I wouldn't be surprised if many sites didn't have their spf records set up correctly in regards to helo/ehlo.