Postfix Postfix Users

unknown client error

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
14 messages Options
Shanmuga sundaram Krishnasamy
Reply | Threaded
Open this post in threaded view
|

unknown client error

Shanmuga sundaram Krishnasamy
Hi,

I've following restriction

smtpd_client_restrictions = permit_mynetworks,
                            check_client_access
hash:$config_directory/access_client,
                            warn_if_reject
                            reject_unknown_client

And I received an email with unknown in the internet header as below

"Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"

Would any one let me know why I'm getting "unknown" here? I would be
interest in known the reason why postfix should say "unknown"

The PTR record seems to be okay

:; host -t ptr 66.199.187.23
23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.

And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
enable smtpd_helo restriction.

Thanks for the hints.

- Shanmuga
Rob Sterenborg-2
Reply | Threaded
Open this post in threaded view
|

RE: unknown client error

Rob Sterenborg-2
> Hi,
>
> I've following restriction
>
> smtpd_client_restrictions = permit_mynetworks,
>                             check_client_access
> hash:$config_directory/access_client,
>                             warn_if_reject
>                             reject_unknown_client
>
> And I received an email with unknown in the internet header as below
>
> "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
>
> Would any one let me know why I'm getting "unknown" here? I would be
> interest in known the reason why postfix should say "unknown"
>
> The PTR record seems to be okay
>
> :; host -t ptr 66.199.187.23
> 23.187.199.66.in-addr.arpa domain name pointer
> mail1.mastermindpro.com.
>
> And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
> enable smtpd_helo restriction.
>
> Thanks for the hints.

Postfix cannot do a DNS lookup because you're probably running postfix
chroot.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup
Also, if you installed from source, there's an examples/chroot directory
containing some scripts.


Grts,
Rob
Shanmuga sundaram Krishnasamy
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

Shanmuga sundaram Krishnasamy
Sorry,

I'm not running postfix in a chroot jail.

Thanks,

Shanmuga

On 5/5/08, Rob Sterenborg <[hidden email]> wrote:

> > Hi,
> >
> > I've following restriction
> >
> > smtpd_client_restrictions = permit_mynetworks,
> >                             check_client_access
> > hash:$config_directory/access_client,
> >                             warn_if_reject
> >                             reject_unknown_client
> >
> > And I received an email with unknown in the internet header as below
> >
> > "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
> >
> > Would any one let me know why I'm getting "unknown" here? I would be
> > interest in known the reason why postfix should say "unknown"
> >
> > The PTR record seems to be okay
> >
> > :; host -t ptr 66.199.187.23
> > 23.187.199.66.in-addr.arpa domain name pointer
> > mail1.mastermindpro.com.
> >
> > And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
> > enable smtpd_helo restriction.
> >
> > Thanks for the hints.
>
> Postfix cannot do a DNS lookup because you're probably running postfix
> chroot.
>
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup
> Also, if you installed from source, there's an examples/chroot directory
> containing some scripts.
>
>
> Grts,
> Rob
>
Rob Sterenborg-2
Reply | Threaded
Open this post in threaded view
|

RE: unknown client error

Rob Sterenborg-2
>>> Hi,
>>>
>>> I've following restriction
>>>
>>> smtpd_client_restrictions = permit_mynetworks,
>>>                             check_client_access
>>> hash:$config_directory/access_client,
>>>                             warn_if_reject
>>>                             reject_unknown_client
>>>
>>> And I received an email with unknown in the internet header as below
>>>
>>> "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
>>>
>>> Would any one let me know why I'm getting "unknown" here? I would be
>>> interest in known the reason why postfix should say "unknown"
>>>
>>> The PTR record seems to be okay
>>>
>>> :; host -t ptr 66.199.187.23
>>> 23.187.199.66.in-addr.arpa domain name pointer
>>> mail1.mastermindpro.com.
>>>
>>> And I believe  mx1.mastermindpro.com is the HELO'ed name and I did
>>> not enable smtpd_helo restriction.
>>>
>>> Thanks for the hints.
>>
>> Postfix cannot do a DNS lookup because you're probably running
>> postfix chroot.
>>
>> http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup
>> Also, if you installed from source, there's an examples/chroot
>> directory containing some scripts.
>
> Sorry,
>
> I'm not running postfix in a chroot jail.

Still, for some reason postfix seems to be unable to do a DNS lookup
because otherwise it wouldn't say "unknown". The restriction Can you
perform the DNS query as user "postfix"?

Anyway, what version Postfix are you running? According to the
documentation reject_unknown_client is a pre-2.3 configuration
parameter. Since 2.3+ you can use reject_unknown_client_hostname but
maybe you want to use reject_unknown_reverse_client_hostname instead.


Grts,
Rob
Randy Ramsdell
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

Randy Ramsdell
In reply to this post by Shanmuga sundaram Krishnasamy
Shanmuga sundaram Krishnasamy wrote:

> Hi,
>
> I've following restriction
>
> smtpd_client_restrictions = permit_mynetworks,
>                             check_client_access
> hash:$config_directory/access_client,
>                             warn_if_reject
>                             reject_unknown_client
>
> And I received an email with unknown in the internet header as below
>
> "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
>
> Would any one let me know why I'm getting "unknown" here? I would be
> interest in known the reason why postfix should say "unknown"
>
> The PTR record seems to be okay
>
> :; host -t ptr 66.199.187.23
> 23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
>
> And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
> enable smtpd_helo restriction.
>
> Thanks for the hints.
>
> - Shanmuga
>  
A guess:

nslookup mail1.mastermindpro.comName:  

mail1.mastermindpro.com
Address: 66.199.187.23

nslookup mx1 .mastermindpro.com
Name:   mx1.mastermindpro.com
Address: 66.199.187.26

It connects with 66.199.187.23 but says it is  mx1.mastermindpro.com.
mouss-2
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

mouss-2
Randy Ramsdell wrote:

> Shanmuga sundaram Krishnasamy wrote:
>> Hi,
>>
>> I've following restriction
>>
>> smtpd_client_restrictions = permit_mynetworks,
>>                             check_client_access
>> hash:$config_directory/access_client,
>>                             warn_if_reject
>>                             reject_unknown_client
>>
>> And I received an email with unknown in the internet header as below
>>
>> "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
>>
>> Would any one let me know why I'm getting "unknown" here? I would be
>> interest in known the reason why postfix should say "unknown"
>>
>> The PTR record seems to be okay
>>
>> :; host -t ptr 66.199.187.23
>> 23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
>>
>> And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
>> enable smtpd_helo restriction.
>>
>> Thanks for the hints.
>>
>> - Shanmuga
>>  
> A guess:
>
> nslookup mail1.mastermindpro.comName:
> mail1.mastermindpro.com
> Address: 66.199.187.23
>
> nslookup mx1 .mastermindpro.com
> Name:   mx1.mastermindpro.com
> Address: 66.199.187.26
>
> It connects with 66.199.187.23 but says it is  mx1.mastermindpro.com.

This does not explain "unknown".
$ host 66.199.187.23
23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
$ host mail1.mastermindpro.com
mail1.mastermindpro.com has address 66.199.187.23

so the rDNS is ok.

OP has a DNS lookup problem. this may be because his DNS server is too
slow. it is recommended to run a caching DNS server not far from the
postfix server, and not to rely on "toy" DNS servers.


Zbigniew Szalbot-9
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

Zbigniew Szalbot-9
Hello,

mouss pisze:

> Randy Ramsdell wrote:
>> Shanmuga sundaram Krishnasamy wrote:
>>> Hi,
>>>
>>> I've following restriction
>>>
>>> smtpd_client_restrictions = permit_mynetworks,
>>>                             check_client_access
>>> hash:$config_directory/access_client,
>>>                             warn_if_reject
>>>                             reject_unknown_client
>>>
>>> And I received an email with unknown in the internet header as below
>>>
>>> "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
>>>
>>> Would any one let me know why I'm getting "unknown" here? I would be
>>> interest in known the reason why postfix should say "unknown"
>>>
>>> The PTR record seems to be okay
>>>
>>> :; host -t ptr 66.199.187.23
>>> 23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
>>>
>>> And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
>>> enable smtpd_helo restriction.
>>>
>>> Thanks for the hints.
>>>
>>> - Shanmuga
>>>  
>> A guess:
>>
>> nslookup mail1.mastermindpro.comName:
>> mail1.mastermindpro.com
>> Address: 66.199.187.23
>>
>> nslookup mx1 .mastermindpro.com
>> Name:   mx1.mastermindpro.com
>> Address: 66.199.187.26
>>
>> It connects with 66.199.187.23 but says it is  mx1.mastermindpro.com.
>
> This does not explain "unknown".
> $ host 66.199.187.23
> 23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
> $ host mail1.mastermindpro.com
> mail1.mastermindpro.com has address 66.199.187.23
>
> so the rDNS is ok.
>
> OP has a DNS lookup problem. this may be because his DNS server is too
> slow. it is recommended to run a caching DNS server not far from the
> postfix server, and not to rely on "toy" DNS servers.
 

Sorry to jump in - but I was thinking about this issue today. Which
caching dns server would you recommend (I'd be especially interested if
it were something in the FreeBSD ports system... :)? I think Bind is a
bit of an overkill for that?

Many thanks!

--
Zbigniew Szalbot
www.lc-words.com

smime.p7s (3K) Download Attachment
/dev/rob0
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

/dev/rob0
On Mon May 5 2008 10:57:10 Zbigniew Szalbot wrote:
> > OP has a DNS lookup problem. this may be because his DNS server is
> > too slow. it is recommended to run a caching DNS server not far
> > from the postfix server, and not to rely on "toy" DNS servers.
>
> Sorry to jump in - but I was thinking about this issue today. Which
> caching dns server would you recommend (I'd be especially interested
> if it were something in the FreeBSD ports system... :)? I think Bind
> is a bit of an overkill for that?

Overkill, how so? BIND named is by far the leading choice. I run it on
systems large and small. The setup for a caching-only system is very
simple, probably already done for you by your distributor.

Whilst you might get useful suggestions here, your FBSD questions are
more appropriate in a FBSD forum.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
mouss-2
Reply | Threaded
Open this post in threaded view
|

DNS server [Was: unknown client error]

mouss-2
In reply to this post by Zbigniew Szalbot-9
Zbigniew Szalbot wrote:
> [snip]
>
> Sorry to jump in - but I was thinking about this issue today. Which
> caching dns server would you recommend (I'd be especially interested
> if it were something in the FreeBSD ports system... :)? I think Bind
> is a bit of an overkill for that?

BIND comes with the base system (at least on *BSD, and when it is not,
it's easy to install it as a package) and configuring a "caching-only"
server is not that difficult.
ktm@rice.edu
Reply | Threaded
Open this post in threaded view
|

Re: DNS server [Was: unknown client error]

ktm@rice.edu
I would recommend pdns-recursor v3.1.6 which was just released.
It is very easy to use, secure, performant and functional:

http://www.powerdns.com

Hopefully, there is a ports version.

Ken

On Mon, May 05, 2008 at 06:17:18PM +0200, mouss wrote:

> Zbigniew Szalbot wrote:
>> [snip]
>>
>> Sorry to jump in - but I was thinking about this issue today. Which
>> caching dns server would you recommend (I'd be especially interested if it
>> were something in the FreeBSD ports system... :)? I think Bind is a bit of
>> an overkill for that?
>
> BIND comes with the base system (at least on *BSD, and when it is not, it's
> easy to install it as a package) and configuring a "caching-only" server is
> not that difficult.
>
mouss-2
Reply | Threaded
Open this post in threaded view
|

Re: DNS server [Was: unknown client error]

mouss-2
Kenneth Marshall wrote:
> I would recommend pdns-recursor v3.1.6 which was just released.
> It is very easy to use, secure, performant and functional:
>
> http://www.powerdns.com
>
> Hopefully, there is a ports version.
>  

it is.  That said,
    http://www.maradns.org/advocacy.html#powerdns
says
<cite>
PowerDNS has more features, but does not have as strong of a security
history as MaraDNS. For example, the 3.0.1 release had an update fixing
a bug where "Certain malformed packets could crash the recursor", and
which could potentially lead to a buffer overflow.
</cite>

anyway, this is off topic. so let's move the discussion elsewhere...

Sahil Tandon
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

Sahil Tandon
In reply to this post by Zbigniew Szalbot-9
Zbigniew Szalbot wrote:

>> OP has a DNS lookup problem. this may be because his DNS server is too
>> slow. it is recommended to run a caching DNS server not far from the
>> postfix server, and not to rely on "toy" DNS servers.
>
>
> Sorry to jump in - but I was thinking about this issue today. Which
> caching dns server would you recommend (I'd be especially interested if
> it were something in the FreeBSD ports system... :)? I think Bind is a
> bit of an overkill for that?

djbdns.  There is a FreeBSD port.

--
Sahil Tandon <[hidden email]>
Shanmuga sundaram Krishnasamy
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

Shanmuga sundaram Krishnasamy
In reply to this post by Randy Ramsdell
Hi Randy,

Could you elaborate more on what do you mean by here 'It connects with
66.199.187.23 but says it is  mx1.mastermindpro.com.'

Does mx1.mastermindpro.com HELO/EHLO name?

I think I failed to understand the 3rd point in

http://www.postfix.org/postconf.5.html,


reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails,
2) the name->address mapping fails, or 3) the name->address mapping
does not match the client IP address.
This is a stronger restriction than the
reject_unknown_reverse_client_hostname feature, which triggers only
under condition 1) above.

If the third ponit is okay and only one option I could think of having
a DNS cache server.

And yes, i run postfix 2.1.5 and in the path of upgrading it.

And also, Mouss, you are right, I dont have a DNS caching server.

Thanks for your posting.

Kind regards,

Shanmuga


On 5/5/08, Randy Ramsdell <[hidden email]> wrote:

> Shanmuga sundaram Krishnasamy wrote:
> > Hi,
> >
> > I've following restriction
> >
> > smtpd_client_restrictions = permit_mynetworks,
> >                            check_client_access
> > hash:$config_directory/access_client,
> >                            warn_if_reject
> >                            reject_unknown_client
> >
> > And I received an email with unknown in the internet header as below
> >
> > "Received: from mx1.mastermindpro.com (unknown [66.199.187.23]) by"
> >
> > Would any one let me know why I'm getting "unknown" here? I would be
> > interest in known the reason why postfix should say "unknown"
> >
> > The PTR record seems to be okay
> >
> > :; host -t ptr 66.199.187.23
> > 23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
> >
> > And I believe  mx1.mastermindpro.com is the HELO'ed name and I did not
> > enable smtpd_helo restriction.
> >
> > Thanks for the hints.
> >
> > - Shanmuga
> >
> >
> A guess:
>
> nslookup mail1.mastermindpro.comName:
> mail1.mastermindpro.com
> Address: 66.199.187.23
>
> nslookup mx1 .mastermindpro.com
> Name:   mx1.mastermindpro.com
> Address: 66.199.187.26
>
> It connects with 66.199.187.23 but says it is  mx1.mastermindpro.com.
>
mouss-2
Reply | Threaded
Open this post in threaded view
|

Re: unknown client error

mouss-2
Shanmuga sundaram Krishnasamy wrote:
> Hi Randy,
>
> Could you elaborate more on what do you mean by here 'It connects with
> 66.199.187.23 but says it is  mx1.mastermindpro.com.'
>  

Ignore this. This doesn't result in an "unknown" client
(reject_unknown_client doesn't care about helo).

> Does mx1.mastermindpro.com HELO/EHLO name?
>
> I think I failed to understand the 3rd point in
>
> http://www.postfix.org/postconf.5.html,
>
>
> reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
> Reject the request when 1) the client IP address->name mapping fails,
> 2) the name->address mapping fails, or 3) the name->address mapping
> does not match the client IP address.
> This is a stronger restriction than the
> reject_unknown_reverse_client_hostname feature, which triggers only
> under condition 1) above.
>
> If the third ponit is okay and only one option I could think of having
> a DNS cache server.
>  

As I said,
$ host 66.199.187.23
23.187.199.66.in-addr.arpa domain name pointer mail1.mastermindpro.com.
$ host mail1.mastermindpro.com
mail1.mastermindpro.com has address 66.199.187.23

so the rDNS is ok.

but for some reason, at the time of the connection, postfix couldn't
find these results.

> And yes, i run postfix 2.1.5 and in the path of upgrading it.
>
> And also, Mouss, you are right, I dont have a DNS caching server.
>  

It is recommended to have a _real_ (not a toy) DNS server installed on
or "near" ther box. Also, using an ISP as a forwarder sometimes create
problems.

Free forum by Nabble Edit this page