gmail reverse host issue


lists@lazygranch.com
Some gmail gets through, some doesn't. Is there a time limit on the DNS
check? A google search finds several timers, but nothing specific to
DNS.

Log:

Feb 17 06:18:10 mydomain postfix/smtpd[2619]: connect from unknown[209.85.219.177]
Feb 17 06:18:10 mydomain postfix/smtpd[2619]: Anonymous TLS connection established from unknown[209.85.219.177]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 17 06:18:10 mydomain postfix/smtpd[2619]: NOQUEUE: reject: RCPT from unknown[209.85.219.177]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [209.85.219.177]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail-yb1-f177.google.com>
Feb 17 06:18:10 mydomain postfix/smtpd[2619]: disconnect from unknown[209.85.219.177] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7

Clearly the server is legit.
https://bgp.he.net/ip/209.85.219.177
AS15169 IRR Valid 209.85.128.0/17 Google LLC
 

Re: gmail reverse host issue

Bernardo Reino
On Sun, 16 Feb 2020, [hidden email] wrote:

> Some gmail gets through, some doesn't. Is there a time limit on the DNS
> check? A google search finds several timers, but nothing specific to
> DNS.
>
> Log:
>
> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: connect from unknown[209.85.219.177]
> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: Anonymous TLS connection established from unknown[209.85.219.177]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: NOQUEUE: reject: RCPT from unknown[209.85.219.177]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [209.85.219.177]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail-yb1-f177.google.com>
> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: disconnect from unknown[209.85.219.177] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7
>
> Clearly the server is legit.
> https://bgp.he.net/ip/209.85.219.177
> AS15169 IRR Valid 209.85.128.0/17 Google LLC

Are you using your own local DNS server (unbound or such) or a public one?

If your DNS resolving is so unreliable, I would suggest not rejecting
e-mails merely because you can't find/verify the rDNS.

Cheers.

Re: gmail reverse host issue

Jaroslaw Rafa
On 17.02.2020 at 12:33:54, Bernardo Reino wrote:
> If your DNS resolving is so unreliable, I would suggest not
> rejecting e-mails merely because you can't find/verify the rDNS.

Or reject with 4xx instead of 5xx.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: gmail reverse host issue

Wietse Venema
In reply to this post by Bernardo Reino
> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: NOQUEUE: reject:
> RCPT from unknown[209.85.219.177]: 550 5.7.1 Client host rejected:
> cannot find your reverse hostname, [209.85.219.177];
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<mail-yb1-f177.google.com>

What you see IS NOT the result of Postfix timeout while it looks
up a hostname with the getnameinfo() system library routine.

Postfix will reply with 450 if the hostname could not be looked up
(which is different from a "DOES NOT EXIST" result), as shown in
the code fragment below. Postfix is very careful to avoid making
that mistake.

More likely your system library (see nsswitch.conf) makes the basic
mistake of confusing "lookup error" with "does not exist" (solution:
use a better OS), or less likely some DNS resolver is making that
mistake (solution: use a better DNS resolver).

        Wietse

static int reject_unknown_reverse_name(SMTPD_STATE *state)
{
    const char *myname = "reject_unknown_reverse_name";

    if (msg_verbose)
        msg_info("%s: %s", myname, state->reverse_name);

    if (state->reverse_name_status != SMTPD_PEER_CODE_OK)
        return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
                        state->reverse_name_status == SMTPD_PEER_CODE_PERM ?
                                   var_unk_client_code : 450, "4.7.1",
            "Client host rejected: cannot find your reverse hostname, [%s]",
                                   state->addr));
    return (SMTPD_CHECK_DUNNO);
}
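
The distinction drawn above between a failed lookup and a "does not exist" answer, as an added example that is not part of the original thread and is not Postfix source code. The names peer_status, classify_gai, reply_code and reverse_lookup are hypothetical, and treating every getnameinfo() error other than EAI_NONAME as temporary is this example's assumption.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical names for this example; not Postfix identifiers. */
enum peer_status { PEER_OK, PEER_TEMP, PEER_PERM };

/* Assumption of this example: only EAI_NONAME ("does not exist") is
 * permanent; any other failure is temporary so the sender retries. */
enum peer_status classify_gai(int err)
{
    if (err == 0)
        return PEER_OK;
    return err == EAI_NONAME ? PEER_PERM : PEER_TEMP;
}

/* 0 = no rejection, 450 = lookup failed, perm_code = configured code. */
int reply_code(enum peer_status st, int perm_code)
{
    if (st == PEER_OK)
        return 0;
    return st == PEER_PERM ? perm_code : 450;
}

/* Reverse-resolve a numeric address. NI_NAMEREQD turns a missing PTR
 * record into an error instead of returning the address as text. */
int reverse_lookup(const char *addr, char *host, size_t len)
{
    struct addrinfo hints, *res;
    int err;

    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_NUMERICHOST;    /* parse only, no DNS query */
    if ((err = getaddrinfo(addr, NULL, &hints, &res)) != 0)
        return err;
    err = getnameinfo(res->ai_addr, res->ai_addrlen, host, len,
                      NULL, 0, NI_NAMEREQD);
    freeaddrinfo(res);
    return err;
}

int main(int argc, char **argv)
{
    char host[1025] = "";
    const char *addr = argc > 1 ? argv[1] : "209.85.219.177";
    int err = reverse_lookup(addr, host, sizeof(host));

    printf("%s: %s -> reply %d\n", addr, err ? gai_strerror(err) : host,
           reply_code(classify_gai(err), 550));
    return 0;
}
```

A 550 like the one in the log corresponds to the PEER_PERM branch here, which is reached only when the system library reports "does not exist" for the address.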


Re: gmail reverse host issue

lists@lazygranch.com
Thanks. I appreciate that postfix would kick out a different error.



