Hostname verification like in postfix?

2006-10-24 Thread Thomas Bange
Hello,

while reading through my logfiles I found this:

Oct 22 05:51:41 mail postfix/smtpd[10412]: warning: 60.52.87.69: hostname 
tm.net.my verification failed: Name or service not known
Oct 22 05:51:41 mail postfix/smtpd[10412]: connect from unknown[60.52.87.69]
Oct 22 05:51:57 mail postfix/policyd-weight[20658]: weighted check:  
NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5
IX_MANITU=ERR CL_IP_NE_HELO=1.5 REV_IP_EQ_HELO=-1.25 (check from: 
.verbe. - helo: .tm.net.)  FROM_MATCHES_NOT_UNVR_HELO=1.6 
client=60.52.87.69 helo=tm.net.my [EMAIL PROTECTED] 
[EMAIL PROTECTED], rate: -2.65

For postfix it's an unknown host, but for policyd-weight it is not.

As far as I understand it, postfix does a forward lookup on the sender IP 
and a reverse lookup on the result. If they match, everything is fine. If 
not, hostname verification fails. Is that right?

policyd-weight seems to use just the reverse lookup on the IP for its 
helo-checks. Wouldn't it be better to do it the postfix way?

Btw, I seem to get IX_MANITU=ERR very often. Is that normal for that zone?
Or does IX_MANITU=ERR mean NOT_IN_IX_MANITU (which I've never seen)?

Greetings,
Tom


Policyd-weight Mailinglist - http://www.policyd-weight.org/


Re: Hostname verification like in postfix?

2006-10-24 Thread Kenneth Marshall
No, no, no. Because of poorly managed DNS setups, this change
would reject valid mail from many, many systems. If you need to
reject based on this criteria, let postfix do it. Postfix finally
included an optional more relaxed criteria in the newer releases
which allowed us to re-enable the functionality. Policyd is doing
it right.

Ken



Re: Hostname verification like in postfix?

2006-10-24 Thread Robert Felber
On Tue, Oct 24, 2006 at 02:49:56PM +0200, Thomas Bange wrote:
> Hello,
>
> while reading through my logfiles I found this:
>
> Oct 22 05:51:41 mail postfix/smtpd[10412]: warning: 60.52.87.69: hostname 
>   tm.net.my verification failed: Name or service not known
> Oct 22 05:51:41 mail postfix/smtpd[10412]: connect from unknown[60.52.87.69]
> Oct 22 05:51:57 mail postfix/policyd-weight[20658]: weighted check:  
>   NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5
>   IX_MANITU=ERR CL_IP_NE_HELO=1.5 REV_IP_EQ_HELO=-1.25 (check from: 
>   .verbe. - helo: .tm.net.)  FROM_MATCHES_NOT_UNVR_HELO=1.6 
>   client=60.52.87.69 helo=tm.net.my [EMAIL PROTECTED] 
>   [EMAIL PROTECTED], rate: -2.65
>
> For postfix it's a unknown host, but for policyd-weight it is not.
>
> As far as I understand it, postfix does a forward lookup on the sender IP 
> and a reverse lookup on the result. If they match, everything is fine. If 
> not, hostname verification fails. Is that right?
>
> policyd-weight seems to use just the reverse lookup on the IP for its 
> helo-checks. Wouldn't it be better to do it the postfix way?

Actually unknown host to postfix means CL_IP_NE_HELO in policyd-weight.
But as this postfix restriction is troublesome we weight it. If you trust
reject_unknown_client then place it into main.cf.
An alternative would be to set 

#BAD(failure)  #GOOD(success)
@client_ip_eq_helo_score  = (1.5,  -1.25 );
to
@client_ip_eq_helo_score  = (2.5,  -1.25 );

or similar via your policyd-weight.conf.
I do not suggest to do so (neither reject_unknown_* nor rejecting them with
too high scores).

Policyd-weight uses reverse records as a last resort to get some 
client/helo/sender DNS correlation to avoid rejecting not fully misconfigured 
MTAs/DNS.


> Btw, I seem to get IX_MANITU=ERR very often. Is that normal for that zone?
> Or does IX_MANITU=ERR mean NOT_IN_IX_MANITU (which I've never seen)?

ERR means that there was some timeout or no responsible servers could be reached.
The IX DNSBL seems to have some troubles. You may read:
http://www.heise.de/ix/foren/go.shtml?read=1&msg_id=11442568&forum_id=48292
And wait for some answer of Bert Ungerer.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany




Re: Hostname verification like in postfix?

2006-10-24 Thread Robert Felber
On Tue, Oct 24, 2006 at 03:56:14PM +0200, Thomas Bange wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Robert Felber
> > Sent: Tuesday, October 24, 2006 3:48 PM
> > To: policyd-weight-list@ek-muc.de
> > Subject: Re: Hostname verification like in postfix?
> >
> > [...]
>
> > I will rethink about it, as it wouldn't require extra DNS lookups.
> > (currently I see no proper way to include it, but that 
> > doesn't mean anything).
>
> Well, that explains why CL_IP_NE_HELO is not always scored, even with
> a (postfix) unknown host:
>
> Oct 22 15:41:40 mail postfix/smtpd[4257]: warning: 158.75.241.14: 
>   hostname host14.smgr.pl verification failed: Name or service not known
> Oct 22 15:41:40 mail postfix/smtpd[4257]: connect from unknown[158.75.241.14]
> Oct 22 15:41:56 mail postfix/policyd-weight[20658]: weighted check:  
>   NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 
>   HELO_IP_IN_CL_SUBNET=-1.2 (check from: .valleyesp. - helo: .host14.smgr.)  
>   FROM_MATCHES_NOT_HELO=1 client=158.75.241.14 helo=host14.smgr.pl 
>   [EMAIL PROTECTED] [EMAIL PROTECTED], rate: -4.7


Right, let's investigate this client:

% host host14.smgr.pl
host14.smgr.pl does not exist, try again

% host 158.75.241.14
Name: host14.smgr.pl

% host smgr.pl
smgr.pl A   158.75.241.6

I.e. the client is in the /24 subnet of 158.75.241.
Thus we totally ignore the fact that it is a postfix unknown client but
lay more attention on whether what the client tells us with his HELO is true
or partially misconfigured.

Unfortunately that is a good example of may be legitimate - may be spam -
not even an evaluation of unknown client would tell us, whether it is spam or
not.

But - if we would score unknown clients against RBLs in *certain* other
constellations then making use of unknown clients *might* help.

Although (currently) it is not clear to me in *which* constellations we 
should score unknown against RBLs.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany
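
Added example, not part of the original thread and not Postfix's or policyd-weight's own code: the two views discussed above, run on the 158.75.241.14 / host14.smgr.pl client. `fcrdns` models the Postfix-style check (PTR lookup on the client IP, then a forward lookup on that name which must return the same IP); `helo_vs_client` is a simplified model of the weighted HELO correlation. The walk up to the parent domain, the /24 prefix and the `EXACT_MATCH` label are assumptions, and the DNS tables are constructed from the `host` output quoted in the thread.

```python
import ipaddress

# Constructed DNS data mirroring the `host` output quoted in the thread.
PTR = {"158.75.241.14": ["host14.smgr.pl"]}
A = {"smgr.pl": ["158.75.241.6"]}  # host14.smgr.pl itself has no A record


def fcrdns(client_ip, ptr=PTR, a=A):
    """Postfix-style verification: a PTR name must resolve back to the IP.

    Returns the verified hostname, or "unknown" as in the smtpd log line.
    """
    for name in ptr.get(client_ip, []):
        if client_ip in a.get(name, []):
            return name
    return "unknown"


def helo_candidates(helo):
    """The HELO name followed by its parent domains (at least two labels)."""
    labels = helo.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def helo_vs_client(client_ip, helo, a=A, prefix=24):
    """Simplified weighted view: how close is any HELO-derived A record?

    EXACT_MATCH is a label made up for this example; the other two labels
    appear in the policyd-weight log lines quoted in the thread.
    """
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    in_subnet = False
    for name in helo_candidates(helo):
        for addr in a.get(name, []):
            if addr == client_ip:
                return "EXACT_MATCH"
            if ipaddress.ip_address(addr) in net:
                in_subnet = True
    return "HELO_IP_IN_CL_SUBNET" if in_subnet else "CL_IP_NE_HELO"


if __name__ == "__main__":
    ip, helo = "158.75.241.14", "host14.smgr.pl"
    print("strict FCrDNS :", fcrdns(ip))
    print("weighted view :", helo_vs_client(ip, helo))
```

The same client is `unknown` under the strict check yet correlates with its HELO domain at subnet level, which is why a hard reject and a weighted score can disagree on it.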

