reject_non_fqdn_helo_hostname usefulness, safety


reject_non_fqdn_helo_hostname usefulness, safety

Steve Fatula-2
This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a "safe" check that shouldn't really kill any real mail. Lately, I noticed no ebay mail was coming through, looked through the logs and saw entries like:

Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mx88>

mx88 is of course not a FQDN. So, it was correctly rejected per the setting. Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but....

Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.

Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?



Re: reject_non_fqdn_helo_hostname usefulness, safety

Jeroen Geilman
On 2011-11-11 00:45, Steve Fatula wrote:
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a "safe" check that shouldn't really kill any real mail. Lately, I noticed no ebay mail was coming through, looked through the logs and saw entries like:
>
> Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=[hidden email] to=[hidden email] proto=ESMTP helo=<mx88>
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting. Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but....
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.
>
> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?


I have seen it too, on bulk mailer software (as ebay's probably is), but my logs from the past 6 weeks do not contain a single reject from this rule, so usefulness is debatable (or YMMV).

If you want to use it but exclude a known whitelist of domains from the check, use a client access check in your smtpd_helo_restrictions - and move the helo checks there, too:

        smtpd_helo_restrictions = reject_invalid_helo_hostname, check_client_access hash:/etc/postfix/helo_whitelist, reject_non_fqdn_helo_hostname

And in /etc/postfix/helo_whitelist:

        .ebay.com    OK

Don't forget to postmap that file.

-- 
J.

Re: reject_non_fqdn_helo_hostname usefulness, safety

Steve Fatula-2
From: Jeroen Geilman <[hidden email]>
To: [hidden email]
Sent: Thursday, November 10, 2011 6:13 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

> I have seen it too, on bulk mailer software (as ebay's probably is), but my logs from the past 6 weeks do not contain a single reject from this rule, so usefulness is debatable (or YMMV).


Just for fun, I reported this to the ebay folks via their network contact info. It'll be interesting to see if they even reply. I documented it for them, gave them a link to the RFC, etc. I wouldn't bet on them fixing it, of course.

I searched my logs and found quite a few rejects each day, all of them bogus but ebay. So, I will probably try and keep the restriction.
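Two things come up in the posts above: Steve's log search for how many rejects the rule actually produces, and Jeroen's client access map that exempts a known sender from the check. The following is an added Python example, not code from any poster in the thread, that checks both against data before main.cf is touched. It parses smtpd reject lines in the format Steve quoted, tallies them by reject reason, and emulates the hostname part of a check_client_access lookup so you can see which rejects a given map would exempt. The log lines are constructed (only the first mirrors the one in the thread; the other hosts, addresses and mailboxes are placeholders), and the lookup emulation is an assumption about access(5) behaviour that should be confirmed with `postmap -q` against the real map. One thing it makes visible: whether ".ebay.com" or "ebay.com" is the right key depends on parent_domain_matches_subdomains. Postfix lists smtpd_access_maps there by default, and in that mode the bare "ebay.com" form matches the domain and its subdomains while the dotted form is not consulted.

```python
import re
from collections import Counter

# Constructed sample log lines in the format shown in the thread.  Only the
# first line mirrors the post; the other hosts, addresses and mailboxes are
# invented placeholders, not real traffic.
SAMPLE_LOG = """\
Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mx88>
Nov  9 20:31:02 host2 postfix/smtpd[16170]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<x@example.org> to=<b@example.net> proto=SMTP helo=<pc>
Nov  9 20:31:09 host2 postfix/smtpd[16171]: NOQUEUE: reject: RCPT from mxpool20.ebay.com[66.135.197.25]: 504 5.5.2 <mx12>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mx12>
Nov  9 20:32:15 host2 postfix/smtpd[16175]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <mail.example.net>: Helo command rejected: Host not found; from=<y@example.org> to=<b@example.net> proto=ESMTP helo=<mail.example.net>
"""

# Matches the smtpd "Helo command rejected" lines and pulls out the client
# hostname (or "unknown"), its IP, the reject reason and the HELO string.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+?)\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ <[^>]*>: "
    r"Helo command rejected: (?P<reason>[^;]+); .*helo=<(?P<helo>[^>]*)>"
)


def parse_helo_rejects(log_text):
    """Yield one dict per HELO reject line found in the log text."""
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            yield match.groupdict()


def parent_domains(hostname):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'] (lower-cased, trailing dot dropped)."""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def access_lookup(table, client_hostname, parent_matches_subdomains=True):
    """Simplified emulation of the hostname part of an access(5) lookup for
    check_client_access.  Assumption: this mirrors the documented order
    (full name first, then parent domains) closely enough for planning;
    confirm on the real map with `postmap -q`.

    With smtpd_access_maps in parent_domain_matches_subdomains (the Postfix
    default) a key 'ebay.com' also matches subdomains and '.ebay.com' keys
    are not consulted; with it removed, '.ebay.com' matches subdomains only.
    The IP/network lookups Postfix also performs are not emulated here."""
    if client_hostname == "unknown":      # no reverse DNS: only the IP is looked up
        return None
    parents = parent_domains(client_hostname)
    if parents[0] in table:
        return table[parents[0]]
    for parent in parents[1:]:
        key = parent if parent_matches_subdomains else "." + parent
        if key in table:
            return table[key]
    return None


def audit(log_text, whitelist, parent_matches_subdomains=True):
    """Count HELO rejects by reason and list the non-FQDN rejects that the
    given access map would NOT exempt, as (client hostname, HELO) pairs."""
    by_reason = Counter()
    still_rejected = []
    for rej in parse_helo_rejects(log_text):
        by_reason[rej["reason"]] += 1
        if rej["reason"] != "need fully-qualified hostname":
            continue
        if access_lookup(whitelist, rej["client"], parent_matches_subdomains) == "OK":
            continue
        still_rejected.append((rej["client"], rej["helo"]))
    return by_reason, still_rejected


if __name__ == "__main__":
    for key in (".ebay.com", "ebay.com"):
        reasons, left = audit(SAMPLE_LOG, {key: "OK"})
        print(f"map entry '{key} OK' with default parent_domain_matches_subdomains:")
        print("  rejects by reason:", dict(reasons))
        print("  still rejected:   ", left)
```

Run against a real mail log, the "rejects by reason" counter answers the "is it of much use" question for your own site, and the "still rejected" list answers the "is it safe" question: everything left there after the map is applied is what the rule will keep refusing.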




Re: reject_non_fqdn_helo_hostname usefulness, safety

/dev/rob0
In reply to this post by Steve Fatula-2
On Thursday 10 November 2011 17:45:18 Steve Fatula wrote:

> This check says that the RFC requires a fully qualified hostname
> for HELO. Most internet searches show this to be a "safe" check
> that shouldn't really kill any real mail. Lately, noticed no ebay
> mail was coming through, looked through the logs and see entries
> like:
>
> Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT
> from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo
> command rejected: need fully-qualified hostname;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<mx88>
>
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the
> setting. Obviously, I can try and whitelist all the ebay servers,
> but, it's a slight pain. Could be a moving target, etc. This would
> allow me to keep the setting, but....
>
> Since this did block mail from a rather well known common mailer, I
> am starting to wonder how safe this check really is. Perhaps it's
> not so safe. Yes, that is a configuration error on ebay's part,
> but, I don't think you really want to block ebay mail.

This is news to me, as I often sing the praises of
reject_non_fqdn_helo_hostname as both safe and effective. I have
received ebay mail in the past, so this must be a recent SNAFU on
their part.

> Are you finding this is not as safe a check as it should be, since
> presumably the RFC requires it, still, people make mistakes? Is it

The way they will take notice of their mistake is when most of the
junk they send out bounces! You are NOT alone in rejecting these, I
can assure you.

> really of much use these days anyway for blocking spam?

Several times I have looked and seen that it takes out ~25% of all
connections. Of course nowadays most of those are failing against
postscreen, so the HELO rejections are rare for me now.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: reject_non_fqdn_helo_hostname usefulness, safety

Simon Brereton-2
In reply to this post by Steve Fatula-2
On 10 November 2011 18:45, Steve Fatula <[hidden email]> wrote:

> This check says that the RFC requires a fully qualified hostname for HELO.
> Most internet searches show this to be a "safe" check that shouldn't really
> kill any real mail. Lately, noticed no ebay mail was coming through, looked
> through the logs and see entries like:
> Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from
> mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected:
> need fully-qualified hostname; from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<mx88>
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting.
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight
> pain. Could be a moving target, etc. This would allow me to keep the
> setting, but....
> Since this did block mail from a rather well known common mailer, I am
> starting to wonder how safe this check really is. Perhaps it's not so safe.
> Yes, that is a configuration error on ebay's part, but, I don't think you
> really want to block ebay mail.
> Are you finding this is not as safe a check as it should be, since
> presumably the RFC requires it, still, people make mistakes? Is it really of
> much use these days anyway for blocking spam?

This check alone is responsible for blocking up to 85% of the spam
attempts on our system.  Verifying that the HELO is not localhost,
mydomain.tld or ip.add.re.ss takes care of another 5%, and rejecting
invalid destinations takes care of the rest.  Amavis ends up finding
less than 1% of what makes it through that, and that in itself is 1% of
the total attempts.

Write them a note with the RFC, I say.  Standards are no good if you
let yours slip because it's Ebay.  Or Google.  Or InsertBrandnamehere.

Simon
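Simon's tiering (non-FQDN HELO first, then HELO strings that claim to be localhost, your own domain or a bare IP address, then invalid destinations) is easier to reason about once the classification is written down. The following is an added Python example, not code from Simon or from Postfix, that assigns a verdict to each HELO string the way an operator would when deciding what belongs in a check_helo_access map and what reject_non_fqdn_helo_hostname already covers. MY_DOMAIN, MY_HOSTNAMES and MY_IPS are placeholder identity values, and the label syntax check is an approximation of Postfix's hostname validation rather than a copy of it. One distinction it keeps on purpose: a bracketed address literal such as [192.0.2.5] is legal HELO syntax under RFC 5321, while a bare dotted quad is not a hostname at all.

```python
import ipaddress
import re
from collections import Counter

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen.  Approximation of the syntax reject_invalid_helo_hostname
# enforces, not a copy of Postfix's valid_hostname().
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Local identity to compare against.  Assumption: placeholder values for an
# imaginary site; substitute your own domain, MX names and public addresses.
MY_DOMAIN = "example.net"
MY_HOSTNAMES = {"mail.example.net", "host2.example.net"}
MY_IPS = {"203.0.113.25"}

# Constructed HELO strings covering each tier Simon describes.
SAMPLE_HELOS = [
    "mx88", "localhost", "192.0.2.5", "[192.0.2.5]", "example.net",
    "mail.example.net", "mail.sender.example", "-bad.example", "[203.0.113.25]",
]


def helo_verdict(helo, my_domain=MY_DOMAIN, my_hostnames=MY_HOSTNAMES, my_ips=MY_IPS):
    """Classify one HELO/EHLO argument.  Verdicts, in the order checked:
    invalid-literal / forged-own-ip / ok-literal for bracketed address
    literals, bare-ip for an unbracketed address, invalid-syntax for bad
    labels, localhost, not-fqdn (no dot: what reject_non_fqdn_helo_hostname
    refuses), forged-own-domain (claims to be us), otherwise ok."""
    h = helo.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        literal = h[1:-1]
        if literal.startswith("ipv6:"):            # RFC 5321 IPv6 literal tag
            literal = literal[5:]
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return "invalid-literal"
        return "forged-own-ip" if str(addr) in my_ips else "ok-literal"
    try:
        ipaddress.ip_address(h)
        return "bare-ip"                           # Simon's "ip.add.re.ss" case
    except ValueError:
        pass
    labels = h.rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid-syntax"
    if h in ("localhost", "localhost.localdomain"):
        return "localhost"
    if len(labels) < 2:
        return "not-fqdn"
    if h == my_domain or h.endswith("." + my_domain) or h in my_hostnames:
        return "forged-own-domain"               # Simon's "mydomain.tld" case
    return "ok"


def tally(helos, **identity):
    """Count verdicts over a list of HELO strings (e.g. pulled from logs)."""
    return Counter(helo_verdict(h, **identity) for h in helos)


if __name__ == "__main__":
    for helo in SAMPLE_HELOS:
        print(f"{helo:22s} -> {helo_verdict(helo)}")
    print(dict(tally(SAMPLE_HELOS)))
```

In Postfix the "localhost" and "own domain" tiers are normally expressed as check_helo_access entries placed after permit_mynetworks in smtpd_helo_restrictions, so that your own clients, which may legitimately announce your domain, are not caught by them.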

Re: reject_non_fqdn_helo_hostname usefulness, safety

Steve Fatula-2
From: Simon Brereton <[hidden email]>
To: postfix users <[hidden email]>
Sent: Thursday, November 10, 2011 9:26 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety



> Write them a note with the RFC, I say.  Standards are no good if you
> let yours slip because it's Ebay.  Or Google.  Or InsertBrandnamehere.


I did exactly that. Have not heard back yet, if I ever will. I included some sample log messages so they could see some of the servers with the bad HELO name (not all of them have it), and of course the relevant RFC section. They had some Paypal/Ebay troubles today as well (some payments could not be made via Ebay checkout), and I see they are making announced website changes starting tonight as well. Perhaps it was a lot of work and they just screwed up. Hopefully, someone who knows something will read the email and actually do something! I did whitelist them in the meantime to avoid the check.



RE: reject_non_fqdn_helo_hostname usefulness, safety

Murray S. Kucherawy-2

I’ve forwarded this to some standards and practices compliance people inside eBay/PayPal.  I bet they’ll be quite interested.  I know that they were planning to do some work on their DK/DKIM infrastructure at some point.  Maybe this was a side-effect.

Will advise when they reply.

-MSK

From: [hidden email] [mailto:[hidden email]] On Behalf Of Steve Fatula
Sent: Thursday, November 10, 2011 9:04 PM
To: [hidden email]; postfix users
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety



RE: reject_non_fqdn_helo_hostname usefulness, safety

Murray S. Kucherawy-2

Just heard back from them:

“Murray, FYI, I was just notified by the correct person within eBay that this is being fixed now.  Thank you again for forwarding it along.”

-MSK

From: [hidden email] [mailto:[hidden email]] On Behalf Of Murray S. Kucherawy
Sent: Friday, November 11, 2011 11:47 PM
To: Steve Fatula; [hidden email]; postfix users
Subject: RE: reject_non_fqdn_helo_hostname usefulness, safety



Re: reject_non_fqdn_helo_hostname usefulness, safety

Steve Fatula-2
From: Murray S. Kucherawy <[hidden email]>
To: Steve Fatula <[hidden email]>; "[hidden email]" <[hidden email]>; postfix users <[hidden email]>
Sent: Tuesday, November 15, 2011 3:19 PM
Subject: RE: reject_non_fqdn_helo_hostname usefulness, safety

> Just heard back from them:
>
> “Murray, FYI, I was just notified by the correct person within eBay that this is being fixed now.  Thank you again for forwarding it along.”
>
> -MSK

You must know the right guy! They ignored me. Feeling insignificant. ;-)

Re: reject_non_fqdn_helo_hostname usefulness, safety

mouss-4
In reply to this post by Steve Fatula-2
On 11/11/2011 00:45, Steve Fatula wrote:

> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a "safe" check that shouldn't really kill any real mail. Lately, I noticed no ebay mail was coming through, looked through the logs and saw entries like:
>
> Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mx88>
>
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting. Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but....
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.
>
> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?


AFAICT, the check is safe. Wait for some time and see if they don't fix
their setup.

A lot of "write a web app that sends mail" sites get into such problems
when they upgrade their web apps. (Yep, the solution is easy: use an
outbound relay that detects issues and either rejects or fixes the
problems. Unfortunately, many sites send directly or they configure
their outbound relay too lazily...)

If they get many errors, they notice the problem and fix it. So keep
rejecting them. (If they don't notice or fix the problem quickly, that's
a different matter. Post here and/or on spam-l so that someone gets a
contact there...)