intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

PGNet Dev
I run postfix 3.4.5.

I typically reject on unknown reverse hostname; it's a policy I'm comfortable with.

For a number of correspondents that use outlook.com for outbound, I occasionally see failures crop up for the same sender, then just 'automagically' resolve.

E.g., for a single sender, here "them @theirdomain.com", in my logs

        postfix.log:Apr 24 13:18:19 mx postfix/postscreen-internal/smtpd[6816]: NOQUEUE: client=mail-eopbgr770049.outbound.protection.outlook.com[40.107.77.49]
        postfix.log:Apr 26 11:15:00 mx postfix/postscreen-internal/smtpd[18428]: NOQUEUE: client=mail-eopbgr790080.outbound.protection.outlook.com[40.107.79.80]
        postfix.log:May  4 22:45:01 mx postfix/postscreen-internal/smtpd[6790]: NOQUEUE: client=mail-eopbgr790083.outbound.protection.outlook.com[40.107.79.83]
        postfix.log:May  6 08:22:44 mx postfix/postscreen-internal/smtpd[45305]: NOQUEUE: client=mail-eopbgr680058.outbound.protection.outlook.com[40.107.68.58]
        postfix.log:May  9 10:19:32 mx postfix/postscreen-internal/smtpd[51399]: NOQUEUE: client=mail-eopbgr810078.outbound.protection.outlook.com[40.107.81.78]
        postfix.log:May 16 11:36:11 mx postfix/postscreen-internal/smtpd[19036]: NOQUEUE: client=mail-eopbgr790048.outbound.protection.outlook.com[40.107.79.48]
?? postfix.log:May 17 9:41:37 mx postfix/postscreen-internal/smtpd[58594]: NOQUEUE: reject: RCPT from unknown[40.107.72.40]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [40.107.72.40]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<NAM05-CO1-obe.outbound.protection.outlook.com>
?? postfix.log:May 17 10:22:22 mx postfix/postscreen-internal/smtpd[58594]: NOQUEUE: reject: RCPT from unknown[40.107.81.79]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [40.107.81.79]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<NAM01-BY2-obe.outbound.protection.outlook.com>
?? postfix.log:May 17 13:19:52 mx postfix/postscreen-internal/smtpd[58644]: NOQUEUE: reject: RCPT from unknown[40.107.82.59]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [40.107.82.59]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>
        postfix.log:May 18 22:14:14 mx postfix/postscreen-internal/smtpd[42996]: NOQUEUE: client=mail-eopbgr770125.outbound.protection.outlook.com[40.107.77.125]
        postfix.log:May 19 08:09:01 mx postfix/postscreen-internal/smtpd[18025]: NOQUEUE: client=mail-eopbgr80095.outbound.protection.outlook.com[40.107.8.95]

Checking around those fail times, there's no other legit/expected messages rejected for reverse hostname; as such, I'm assuming that there's no blip in my _own_ DNS resolver.

It seems to my this is possibly Microsoft/Outlook-specific ...

What's a reasonable way to make this more resilient -- without completely disabling reverse hostname checks?
A DNS re-check before reject?
A whitelist for outlook.com?
Reply | Threaded
Open this post in threaded view
|

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

PGNet Dev
currently, my config does include

  smtpd_helo_required = yes
  smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access pcre:${config_directory}/helo_access.pcre
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    permit

is adding to head of helo_access.pcre

   /.*\.outbound\.protection\.outlook\.com/  OK

sane/safe?
Reply | Threaded
Open this post in threaded view
|

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

Wietse Venema
PGNet Dev:

> currently, my config does include
>
>   smtpd_helo_required = yes
>   smtpd_helo_restrictions =
>     permit_mynetworks
>     check_helo_access pcre:${config_directory}/helo_access.pcre
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     permit
>
> is adding to head of helo_access.pcre
>
>    /.*\.outbound\.protection\.outlook\.com/  OK

That should be safe, because the OK here cannot affect how a recipient
will be evaluated.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

PGNet Dev
> That should be safe, because the OK here cannot affect how a recipient
> will be evaluated.

Do you have any reasonable advice as to a better approach to share?

Reply | Threaded
Open this post in threaded view
|

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

Wietse Venema
PGNet Dev:
> > That should be safe, because the OK here cannot affect how a recipient
> > will be evaluated.
>
> Do you have any reasonable advice as to a better approach to share?

Well you can drop the initial .* and you may want to end the pattern
in '$' as in

    /\.outbound\.protection\.outlook\.com$/  OK

Alternatively, you can suck the helo policy into the map:

   /\.outbound\.protection\.outlook\.com$/  OK
   /some other site/ reject_blah
   /./ reject_blah reject_foo

        Wietse