Is the reason for this "connect from unknown[65.181.123.80]" from NXDOMAIN? Is it safe to reject it always?


lis...@tutanota.com
Apr 21, 2016, 3:46:32 PM

Hola.

I added the postscreen function to my PostFix server.

I get emails now and lots of spams are blocked by it.

In the log is

    Apr 21 12:33:19 tanzer postfix/postscreen[12944]: connect from unknown[65.181.123.80]

And after the email continues to be delivered okay.

What is "unknown" in this case?

I think it is the RDNS that is not there?

    host 65.181.123.80
        Host 80.123.181.65.in-addr.arpa. not found: 3(NXDOMAIN)

I think a good mail server must always have the RDNS, yes? I am not 100% sure that it is safe to reject this.

What is the PostFix parameter document to learn how to reject specifically this case right at postscreen?



Jim Reid
Apr 21, 2016, 3:56:30 PM

> On 21 Apr 2016, at 20:46, <lis...@tutanota.com> <lis...@tutanota.com> wrote:
>
> What is "unknown" in this case?
>
> I think it is the RDNS that is not there?

Yes. There’s no reverse DNS for the connecting IP address.

> host 65.181.123.80
> Host 80.123.181.65.in-addr.arpa. not found: 3(NXDOMAIN)

You should really use dig for DNS troubleshooting. Accept no substitutes. Well, apart from delv or drill if you’re troubleshooting Secure DNS errors.

> I think a good mail server must always have the RDNS, yes? I am not 100% sure that it is safe to reject this.

SMTP connections from an IP address with no reverse DNS are a *very strong* indication of a spam source. But it’s not 100% foolproof, particularly for IPv6.

IMO, anything that doesn’t have a working reverse DNS entry shouldn’t be sending email.

Wietse Venema
Apr 21, 2016, 4:03:46 PM

lis...@tutanota.com:
> Hola.
>
> I added the postscreen function to my PostFix server.
>
> I get emails now and lots of spams are blocked by it.
>
> In the log is
>
> Apr 21 12:33:19 tanzer postfix/postscreen[12944]: connect from unknown[65.181.123.80]

postscreen logging looks like this:

Apr 21 00:00:17 spike postfix/postscreen[8970]: CONNECT from [185.125.4.192]:54323 to [168.100.189.2]:25

Note the differences in logging format: "CONNECT" is in uppercase,
there is no "unknown" or hostname, and the remote TCP Port is logged
after the IP address.

You appear to have copied the smtpd executable over the postscreen
executable.

smtpd logs "unknown" when the IP address has no name, or when the
name does not resolve to the remote SMTP client IP address. It also
logs a warning when that happens.

Wietse
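As an added illustration (not from this thread and not Postfix code), here is the rule Wietse describes for naming a client: the PTR name is used only if it resolves back to the connecting address, otherwise the client is logged as "unknown". It runs against constructed DNS answers so it works offline; the thread's IP addresses are reused only as labels, and the PTR names, A records and the 203.0.113.7 address are made up.

```python
import ipaddress

# Constructed DNS data for the demonstration (not real records): PTR and A
# answers keyed by query name. Any name that is absent is treated as NXDOMAIN.
FAKE_PTR = {
    "192.4.125.185.in-addr.arpa.": "mail.example.net.",  # constructed; forward matches
    "31.102.17.46.in-addr.arpa.": "host.example.org.",   # constructed; forward does NOT match
    # 80.123.181.65.in-addr.arpa. deliberately absent: NXDOMAIN, as in the thread
}
FAKE_A = {
    "mail.example.net.": ["185.125.4.192"],
    "host.example.org.": ["203.0.113.7"],  # points elsewhere: forward/reverse mismatch
}

def reverse_name(ip):
    """Build the PTR query name, e.g. 65.181.123.80 -> 80.123.181.65.in-addr.arpa.
    ipaddress also produces the ip6.arpa nibble form for IPv6 clients."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def client_name(ip, ptr_lookup=FAKE_PTR.get, addr_lookup=FAKE_A.get):
    """Forward-confirmed reverse DNS: return (name, reason). The name is
    'unknown' when there is no PTR record, or when the PTR name does not
    resolve back to the connecting IP address."""
    ptr = ptr_lookup(reverse_name(ip))
    if ptr is None:
        return "unknown", "no PTR record (NXDOMAIN)"
    forward = addr_lookup(ptr) or []
    if ip not in forward:
        return "unknown", f"PTR {ptr} does not resolve back to {ip}"
    return ptr.rstrip("."), "forward-confirmed"

def format_connect(ip):
    """Render the smtpd-style 'connect from name[ip]' log fragment."""
    name, _ = client_name(ip)
    return f"connect from {name}[{ip}]"

if __name__ == "__main__":
    for ip in ("65.181.123.80", "46.17.102.31", "185.125.4.192"):
        print(format_connect(ip), "--", client_name(ip)[1])
```

The second case (a PTR exists but its forward lookup points elsewhere) is the one that surprises people: the client still shows up as "unknown" even though `host` returns a name.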

lis...@tutanota.com
Apr 21, 2016, 4:04:17 PM

21. Apr 2016 12:56 by j...@rfc1035.com:

> You should really use dig for DNS troubleshooting. Accept no substitutes. Well, apart from delv or drill if you’re troubleshooting Secure DNS errors.

dig I know and can use.

Those other ones are new tools to me. I'll look for them.

> SMTP connections from an IP address with no reverse DNS are a *very strong* indication of a spam source. But it’s not 100% foolproof, particularly for IPv6.

I am only accepting email on the IPv4 address I have. I have never yet seen an email from an IPv6 address. I don't think it can directly. But I am not sure there is not some gateway that makes it possible.

> IMO, anything that doesn’t have a working reverse DNS entry shouldn’t be sending email.

What is the PostFix parameter restriction to do that rejection? I think the default values do not do the rejection?



lis...@tutanota.com
Apr 21, 2016, 4:34:34 PM

> You appear to have copied the smtpd executable over the postscreen executable.

You are right, I made the same sort of bad mistake in the setup. Thanks for catching it.

I fixed it, and separated the smtpd for postscreen, and named it so I can follow it.

So now I see in log

    Apr 21 13:11:21 tanzer postfix/postscreen2/smtpd[12944]: connect from unknown[46.17.102.31]

and

    Apr 21 13:11:24 tanzer postfix/postscreen2/smtpd[12944]: disconnect from unknown[46.17.102.31] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

Like before, some of the emails "from unknown" get past the postscreen & smtpd part and continue to delivery.


> smtpd logs "unknown" when the IP address has no name, or when the name does not resolve to the remote SMTP client IP address.

Okay so the log is acting right, and recording the event.

Now I must make and control the decision when it happens for each case.

What restriction causes the rejection for each case?

So far I am using this in the main.cf file

    smtpd_client_restrictions =
     permit_mynetworks
     reject_unauth_pipelining

    smtpd_helo_required = yes
    smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname

    smtpd_sender_restrictions =
     permit_mynetworks
     permit_sasl_authenticated
     permit_tls_clientcerts
     reject_non_fqdn_sender
     reject_unknown_sender_domain

    smtpd_recipient_restrictions =
     reject_non_fqdn_recipient
     reject_unauth_pipelining
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     permit_sasl_authenticated
     permit_mynetworks
     reject_unlisted_recipient

I see these in many examples and am now going through them one by one to understand them. I do not think all are needed for me. So I am okay to change them to better ideas.

Wietse Venema
Apr 21, 2016, 4:39:09 PM

lis...@tutanota.com:
> > smtpd logs "unknown" when the IP address has no name, or when the name does
> > not resolve to the remote SMTP client IP address.
>
> Okay so the log is acting right, and recording the event.
>
> Now I must make and control the decision when it happens for each case.
>
> What restriction causes the rejection for each case?
>
> So far I am using this in the main.cf file
>

None. Instead of pasting from main.cf, look at "postconf -nf" output.
It may show something that you did not expect.

Wietse
