Hello,
I would like to ask for your help in finding out how best to resolve the
following warnings. We are seeing a lot of them; here is a sample:
...
Jun 29 06:07:33 mailgw1 postfix/smtpd[471365]: warning: hostname
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:35 mailgw1 postfix/smtpd[471363]: warning: hostname
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:35 mailgw1 postfix/smtpd[471355]: warning: hostname
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:51 mailgw1 postfix/smtpd[471355]: warning: hostname
chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:54 mailgw1 postfix/postscreen[469582]: warning: dnsblog
reply timeout 10s for dnsbl.sorbs.net
Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: warning: TLS library
problem: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:00:02 mailgw1 postfix/smtpd[472286]: warning: TLS library
problem: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:15:13 mailgw1 postfix/smtpd[472304]: warning: TLS library
problem: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:31:16 mailgw1 postfix/tlsproxy[473032]: warning: TLS library
problem: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 07:43:27 mailgw1 postfix/smtpd[473022]: warning: hostname
list.paperssubmt.com does not resolve to address 185.227.110.51
Jun 29 08:00:02 mailgw1 postfix/smtpd[473096]: warning: TLS library
problem: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1686:
...
My question: How should I best configure postfix to get rid of these
warnings?
1. Is it normal/acceptable for a client hostname not to resolve to the
connecting IP address? Should we drop such connections? If so, how?
2. Are the TLS errors caused by clients using older TLS protocols (since we
allow only TLS 1.2 or 1.3), or should we investigate some OpenSSL library
misbehavior? In any case, which TLS settings would you advise from
experience?
Details about the system are included below.
Please kindly provide your advice on the above.
Thanks a lot,
Nick
# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)
# rpm -qa | grep ssl
openssl-1.1.1k-9.el8_7.x86_64
openssl-pkcs11-0.4.10-3.el8.x86_64
openssl-libs-1.1.1k-9.el8_7.x86_64
====================================================================================
[root@mailgw1 postfix]# postconf -n
allowed_list1 = reject
allowed_list2 = reject
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 100
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/blacklisted_maillists
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA MAIL ICXC-NIKA
mail_owner = postfix
maillog_file = /var/log/postfix.log
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
meta_directory = /etc/postfix
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_exceptions.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.8.1/README_FILES
relay_domains = $transport_maps
relay_recipient_maps =
sample_directory = /usr/share/doc/postfix3-3.8.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/blacklisted_clients check_client_access
hash:/etc/postfix/amavis_bypass_clients check_sender_access
hash:/etc/postfix/amavis_bypass_senders check_sender_access
hash:/etc/postfix/blacklisted_senders check_sender_access
pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient
reject_unauth_destination check_recipient_access
hash:/etc/postfix/protected_destinations permit_mynetworks
reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender
reject_unknown_sender_domain reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_unknown_client_hostname
reject_rbl_client b.barracudacentral.org reject_rbl_client
zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client
bl.spamcop.net reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender
dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org permit
smtpd_restriction_classes = allowed_list1,allowed_list2
smtpd_tls_CAfile = /etc/pki/tls/certs/GeantChain.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr_cert-1349832009.crt
smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap
=================================================================================================
======================
master.cf
=================================================================================================
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - n - - smtpd -v
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
postlog unix-dgram n - n - 1 postlogd
smtp-amavis unix - - n - 2 lmtp
# -o smtp_data_done_timeout=1200
# -o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
================================================================================