[pfx] Warnings related to TLS and hostnames not resolving to IP

Thu, 29 Jun 2023 05:30:59 -0700 

Hello,
I would like to ask your help to find out how to best resolve the following warnings. We are having a lot of such warnings; here is a sample: 

...

Jun 29 06:07:33 mailgw1 postfix/smtpd[471365]: warning: hostname 
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:35 mailgw1 postfix/smtpd[471363]: warning: hostname 
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:35 mailgw1 postfix/smtpd[471355]: warning: hostname 
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:51 mailgw1 postfix/smtpd[471355]: warning: hostname 
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:54 mailgw1 postfix/postscreen[469582]: warning: dnsblog 
reply timeout 10s for dnsbl.sorbs.net
Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: warning: TLS library 
problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:00:02 mailgw1 postfix/smtpd[472286]: warning: TLS library 
problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:15:13 mailgw1 postfix/smtpd[472304]: warning: TLS library 
problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:31:16 mailgw1 postfix/tlsproxy[473032]: warning: TLS library 
problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:43:27 mailgw1 postfix/smtpd[473022]: warning: hostname 
list.paperssubmt.com does not resolve to address 185.227.110.51
Jun 29 08:00:02 mailgw1 postfix/smtpd[473096]: warning: TLS library 
problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:

...


My question: How should I best configure postfix to get rid of these 
warnings?



1. Is it normal/acceptable to have hostnames not resolving to the IP 
Address? Should we drop such connections? If so, how?



2. The TLS errors are caused by clients with older TLS protocols (as we 
allow only TLS 1.2 or 1.3) or we should investigate some OpenSSL library 
misbehavior? In any case, which TLS settings would you advise from 
experience?


Below I add details about the system.

Please kindly provide your advice on the above.

Thanks a lot,
Nick


# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)

# rpm -qa | grep ssl
openssl-1.1.1k-9.el8_7.x86_64
openssl-pkcs11-0.4.10-3.el8.x86_64
openssl-libs-1.1.1k-9.el8_7.x86_64

====================================================================================
[root@mailgw1 postfix]# postconf -n
allowed_list1 = reject
allowed_list2 = reject
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
xxgdb $daemon_directory/$process_name $process_id & sleep 5

default_process_limit = 100
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/blacklisted_maillists
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA MAIL ICXC-NIKA
mail_owner = postfix
maillog_file = /var/log/postfix.log
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
meta_directory = /etc/postfix
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix

postscreen_access_list = permit_mynetworks, 
cidr:/etc/postfix/postscreen_exceptions.cidr

postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce

postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net 
psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2 
list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4

postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.8.1/README_FILES
relay_domains = $transport_maps
relay_recipient_maps =
sample_directory = /usr/share/doc/postfix3-3.8.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2
smtp_tls_security_level = may
smtpd_helo_required = yes

smtpd_recipient_restrictions = check_client_access 
hash:/etc/postfix/blacklisted_clients check_client_access 
hash:/etc/postfix/amavis_bypass_clients check_sender_access 
hash:/etc/postfix/amavis_bypass_senders check_sender_access 
hash:/etc/postfix/blacklisted_senders check_sender_access 
pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient 
reject_unauth_destination check_recipient_access 
hash:/etc/postfix/protected_destinations permit_mynetworks 
reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender 
reject_unknown_sender_domain reject_non_fqdn_recipient 
reject_unknown_recipient_domain reject_unknown_client_hostname 
reject_rbl_client b.barracudacentral.org reject_rbl_client 
zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client 
bl.spamcop.net reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender 
dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org permit

smtpd_restriction_classes = allowed_list1,allowed_list2
smtpd_tls_CAfile = /etc/pki/tls/certs/GeantChain.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr_cert-1349832009.crt
smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap
=================================================================================================

======================
master.cf
=================================================================================================
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd -v
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       - trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap
postlog   unix-dgram n  -       n       -       1       postlogd

smtp-amavis unix -      -       n       -       2       lmtp
#    -o smtp_data_done_timeout=1200
#    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
================================================================================
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org






















					Reply via email to