Re: ot: SPF/DKIM woes
- Message from Viktor Dukhovni - Date: Sat, 17 Sep 2022 23:26:34 -0400 From: Viktor Dukhovni Reply-To: postfix-users@postfix.org Subject: Re: ot: SPF/DKIM woes To: postfix-users@postfix.org On Sat, Sep 17, 2022 at 10:39:46AM -0400, Viktor Dukhovni wrote: If this domain was in fact served by netregistry.net, that could well have been the problem. There is an ongoing over 24hour DNS outage at netregistry.net (where, e.g., they seem to be dropping all DNS queries from most Google DNS resolvers). https://status.webcentral.au/ So any domains (mostly Australian) served by netregistry.net (directly, or indirectly, when e.g. the A records of nameservers for a domain are in turn served by netregistry, ...) fail to resolve from Google's perspective. DNS service at netregistry.net is gradually returning to normal. The majority of locations (though not yet all) where queries were previously failing now appear to be working. - End message from Viktor Dukhovni - I used Netregistry for many years for Australia-based domains, and had repeated DNS issues over several of those years - ranging from complete outage to individual record issues. I reached the point after trying to interact with their "technical" support one too many times that I did the equivalent of a table-flip and transitioned about 20 x domains to another provider in one go... life is too short for bad coffee, cheap wine and/or Netregistry tech support. YMMV. Simon. -- Simon Wilson M: 0400 12 11 16
Re: Bad command startup on DNS lookup error for auth socket
Wietse Venema: > Sorry, my initial diagnosis was incorrect. > > Stefan Foerster: > > postfix/submission/smtpd[156]: warning: host or service dovecot:12345 not > > found: Name does not resolve > > postfix/submission/smtpd[156]: warning: SASL: Connect to Dovecot auth > > socket 'inet:dovecot:12345' failed: Address not available > > You already have the fix 20220404. That fix changed a fatal error > into a warning, and returns an EADDRNOTAVAIL error. > > > postfix/submission/smtpd[156]: fatal: no SASL authentication mechanisms > > The server needs to announce the SASL mechanisms in the EHLO response. > If it cannot reply to EHLO, then I don't see what good it does if > we make this a non-fatal error. If an SMTP client does not need to authenticate with SASL, then the usual practice is to connect to the MTA service on port 25, instead of the MUA service on the submission port. Wietse
Re: Bad command startup on DNS lookup error for auth socket
Sorry, my initial diagnosis was incorrect. Stefan Foerster: > postfix/submission/smtpd[156]: warning: host or service dovecot:12345 not > found: Name does not resolve > postfix/submission/smtpd[156]: warning: SASL: Connect to Dovecot auth socket > 'inet:dovecot:12345' failed: Address not available You already have the fix 20220404. That fix changed a fatal error into a warning, and returns an EADDRNOTAVAIL error. > postfix/submission/smtpd[156]: fatal: no SASL authentication mechanisms The server needs to announce the SASL mechanisms in the EHLO response. If it cannot reply to EHLO, then I don't see what good it does if we make this a non-fatal error. Wietse
Re: Bad command startup on DNS lookup error for auth socket
Stefan Foerster: > Hello world, > > in a containerized setup I noticed a bad command startup if the AUTH > socket is not available (i.e. the container is down): > > $ postconf smtpd_sasl_path > smtpd_sasl_path = inet:dovecot:12345 > > #v+ > postfix/submission/smtpd[156]: connect from > client.example.com[:xxx:xx:::3] > postfix/submission/smtpd[156]: Anonymous TLS connection established from > pharmakeia.incertum.net[:xxx:xx:::x]: TLSv1.3 with cipher > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature > ECDSA (P-256) server-digest SHA256 > postfix/submission/smtpd[156]: warning: host or service dovecot:12345 not > found: Name does not resolve > postfix/submission/smtpd[156]: warning: SASL: Connect to Dovecot auth socket > 'inet:dovecot:12345' failed: Address not available > postfix/submission/smtpd[156]: fatal: no SASL authentication mechanisms > postfix/master[1]: warning: process /usr/libexec/postfix/smtpd pid 156 exit > status 1 > postfix/master[1]: warning: /usr/libexec/postfix/smtpd: bad command startup > -- throttling > #v- > > I'm not sure if that's intentional behaviour, if so, please ignore me. > > But even the submission service might have e.g. an IP whitelist which > would mean the service could accept mails without needing to contact > dovecot at all, so perhaps a runtime error would be a better bet here. This is likely solved in Postfix 3.7.1. Wietse 20220404 Bugfix: in an internal client module, "host or service not found" was a fatal error, causing the milter_default_action setting to be ignored. It is now a non-fatal error. The same client is used by many Postfix clients (smtpd_proxy, dovecot auth, tcp_table, memcache, socketmap, and so on). Problem reported by Christian Degenkolb. File: util/inet_connect.c.
Re: Limit Application mail strategy
On Sun, Sep 18, 2022 at 06:03:47PM +0200, Matteo Cazzador wrote: > If a device is in alarm it send one mail every 5 minutes using my > postfix smtp (customer can define is own mail address and receive this > email), > > The risk is to reach limit and to be consider an abuse from customer > mail server or ISP. The only way to reduce the volume of junk mail from a device that stays in an alert state, or flaps often between alert and normal is to selectively reject or discard some or most of the messages, based on recent deliveries of similar messages. > Is there some strategy that I can apply on my smtp server without manage > the code on device? You'll need a content filter or milter to detect essentially duplicate messages, and either quarantine or reject them. > I read about > > smtpd_client_message_rate_limit = 2 > anvil_rate_time_unit = 60s These reject messages with a 4XX error, and won't help if the device retries. Also no reasonable interval will quench a steady stream of duplicate events. You need a deduplication filter, I don't know of a stock one you can use. You can probably write something using the Python milter libraries based in part on matching envelope data or content in sample messages. -- Viktor.
Limit Application mail strategy
Hi, i've a problem, i need to limit outgoing mail sendend by Industry device. If a device is in alarm it send one mail every 5 minutes using my postfix smtp (customer can define is own mail address and receive this email), The risk is to reach limit and to be consider an abuse from customer mail server or ISP. There si some strategy that i can apply on my smtp server without manage the code on device? I read about smtpd_client_message_rate_limit = 2 anvil_rate_time_unit = 60s But i can using only for particoular receiver domain? Something like if receiver is "@gmail.com" or "@other.com" send only 10 mail for hour? I know that send mail for Alert is not the best choice, but i need more time to change my alert strategy. thanks -- Rispetta l'ambiente: se non ti è necessario, non stampare questa mail. Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare, inoltrare a terzi e diffondere il contenuto della presente senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento. ** Ing. Matteo Cazzador NetLite snc di Cazzador Gagliardi Corso Vittorio Emanuele II, 188 37069 Villafranca di Verona VR Tel 0454856656 Fax 0454856655 Email: mat...@netlite.it Web: http://www.netlite.it **
Re: ot: SPF/DKIM woes
On Sun, Sep 18, 2022 at 06:34:11PM +1000, li...@sbt.net.au wrote: > I'll try to summarize how it went: The summary largely misses the point. Your DNS provider had a major outage (plausibly a DDoS, though they haven't said so outright). DNS queries from many sources were consequently dropped. DNS resolution of your domain was consequently significantly degraded. That's all. > > DNS service at netregistry.net is gradually returning to normal. The > > majority of locations (though not yet all) where queries were previously > > failing now appear to be working. > > Viktor, > > does this shows up on the https://status.webcentral.au/ somewhere, or how > do you assess that ? couldn't find such ? I assessed it by making DNS queries from multiple (over 100) locations, almost all of which were previously failing, but a majority are now working. The problem does not appear to be entirely resolved, some locations are still unable to reach netregistry.net nameservers. Speculatively, perhaps this is related to the upcoming open availability of 2LD .au domains, in which case it could be a rather brazen anti-competitive action. https://www.webcentral.au/domain-names/au-domain-name/social/ -- Viktor.
Re: ot: SPF/DKIM woes
raf skrev den 2022-09-18 01:47: The logfile message showed that the envelope sender domain was sbt.net.au, not geko.sbt.net.au. fair, but spamassassin should say spf_helo_pass on this subdomain i have lost ip now, but myhostname in postfix should be spf helo pass dig mx.junc.eu txt dig junc.eu txt one.com says i have to many :=) Maybe that's needed when sending emails from gmail. definaly no, when sending from gmail its not the above envelope sender only include is need if mx is at google, with geko is imho not Either way, it shouldn't have any bearing on the problem. Unless I'm missing something. one cop of coffee maybe ?
Re: Bad command startup on DNS lookup error for auth socket
On 18.09.22 14:00, Stefan Foerster wrote: in a containerized setup I noticed a bad command startup if the AUTH socket is not available (i.e. the container is down): $ postconf smtpd_sasl_path smtpd_sasl_path = inet:dovecot:12345 #v+ postfix/submission/smtpd[156]: connect from client.example.com[:xxx:xx:::3] postfix/submission/smtpd[156]: Anonymous TLS connection established from pharmakeia.incertum.net[:xxx:xx:::x]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 postfix/submission/smtpd[156]: warning: host or service dovecot:12345 not found: Name does not resolve postfix/submission/smtpd[156]: warning: SASL: Connect to Dovecot auth socket 'inet:dovecot:12345' failed: Address not available this looks like "dovecot" host is not resolvable. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that.
Bad command startup on DNS lookup error for auth socket
Hello world, in a containerized setup I noticed a bad command startup if the AUTH socket is not available (i.e. the container is down): $ postconf smtpd_sasl_path smtpd_sasl_path = inet:dovecot:12345 #v+ postfix/submission/smtpd[156]: connect from client.example.com[:xxx:xx:::3] postfix/submission/smtpd[156]: Anonymous TLS connection established from pharmakeia.incertum.net[:xxx:xx:::x]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 postfix/submission/smtpd[156]: warning: host or service dovecot:12345 not found: Name does not resolve postfix/submission/smtpd[156]: warning: SASL: Connect to Dovecot auth socket 'inet:dovecot:12345' failed: Address not available postfix/submission/smtpd[156]: fatal: no SASL authentication mechanisms postfix/master[1]: warning: process /usr/libexec/postfix/smtpd pid 156 exit status 1 postfix/master[1]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling #v- I'm not sure if that's intentional behaviour, if so, please ignore me. But even the submission service might have e.g. an IP whitelist which would mean the service could accept mails without needing to contact dovecot at all, so perhaps a runtime error would be a better bet here. Kind regards Stefan
Re: ot: SPF/DKIM woes
thank you, everyone, much appreciate advice and testing! I'll try to summarize how it went: user is India complained he couldn't access geko.sbt.net.au mail server as there was an issue with some 'links' at data centre reported few hours earlier, I assumed it was related and didn't try to test next day I had reported, from same TLD users: - SPF rejects at gmail (original post here) - silent loss of gmail sent to the user (saw similar report on the list) - user in India still can't access mail server noticed that user in India can not resolve geko.sbt.net.au BUT can ping IP address name resolution not working ?? but, working everywhere else as a workaround I've told user in India to create hosts entry for geko.sbt.net.au - that worked question - could the name resolution fail from India be at all related to my name server timeouts/web central outages ? could the name resolution fail from India be at all related to some malware/virus hijacking of domain name resolution ? on users laptop ? though, before entering/editing host name in hosts file, geko just wouldn't resolve, but, could ping IP On Sat, September 17, 2022 7:30 pm, raf wrote: > So unless you added ip4:103.106.168.106 to the SPF > record after the bounce, I can't see what's wrong. Raf, thanks, no, haven't edited SPF record lately On Sat, September 17, 2022 7:54 pm, Matus UHLAR - fantomas wrote: > your domain is registered to ns1.netregistry.net. nameservers: > > Name Server: NS1.NETREGISTRY.NET > > however, NS records say otherwise: > > sbt.net.au. 3600IN NS ns1.yourdnshost.net. Matus, I checked with registrar, was advised I should be using NSx.PARTNERCONSOLE.NET, so shortly after I've edited the records as advised On Sun, September 18, 2022 1:26 pm, Viktor Dukhovni wrote: >> https://status.webcentral.au/ > DNS service at netregistry.net is gradually returning to normal. The > majority of locations (though not yet all) where queries were previously > failing now appear to be working. Viktor, does this shows up on the https://status.webcentral.au/ somewhere, or how do you assess that ? couldn't find such ? thanks again to everyone, much appreciated Voytek
