[pfx] Re: Problems with round-robin outbound emails

2024-01-31 Thread Bill Cole via Postfix-users

On 2024-01-31 at 10:12:06 UTC-0500 (Wed, 31 Jan 2024 16:12:06 +0100)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:


On 30.01.24 20:20, Israel britto via Postfix-users wrote:
hello, I'm having a problem with spamhaus that I don't know how to 
solve.

Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2

My Postfix is behind a load balancer, which performs round-robin 
balancing between these 2 IPs, however, my server is configured 
with the helo -> xpto.com.br


That's almost certainly wrong. The HELO argument should be the 
resolvable primary name associated with the actual client IP as it 
connects to the server. In this case, that would be the 
outward-facing IP of the load balancer.


# host xpto.com.br
xpto.com.br has address 186.202.157.79
xpto.com.br mail is handled by 20 mx.jk.locaweb.com.br.
xpto.com.br mail is handled by 10 mx.core.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.a.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.b.locaweb.com.br.

# host 186.202.157.79
Host 79.157.202.186.in-addr.arpa. not found: 3(NXDOMAIN)


On 31.01.24 09:43, Bill Cole via Postfix-users wrote:
So if your load balancer isn't at 186.202.157.79, the hosts behind it 
should not be announcing themselves as xpto.com.br.


how did you get to this?  xpto.com.br exists and has address, so 
there's no reason why it could not be used in HELO.


The purpose of HELO is identification of the client system to receiving 
systems. A HELO name that authoritatively resolves to an IP unrelated to 
the client IP is a confusion and confounding of that purpose. It should 
not be done. (I use 'should' here in the secular sense, not its tight 
RFC meaning)



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Problems with round-robin outbound emails

2024-01-31 Thread Matus UHLAR - fantomas via Postfix-users

On 30.01.24 20:20, Israel britto via Postfix-users wrote:
hello, I'm having a problem with spamhaus that I don't know how to 
solve.

Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2

My Postfix is behind a load balancer, which performs round-robin 
balancing between these 2 IPs, however, my server is configured 
with the helo -> xpto.com.br


That's almost certainly wrong. The HELO argument should be the 
resolvable primary name associated with the actual client IP as it 
connects to the server. In this case, that would be the outward-facing 
IP of the load balancer.


# host xpto.com.br
xpto.com.br has address 186.202.157.79
xpto.com.br mail is handled by 20 mx.jk.locaweb.com.br.
xpto.com.br mail is handled by 10 mx.core.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.a.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.b.locaweb.com.br.

# host 186.202.157.79
Host 79.157.202.186.in-addr.arpa. not found: 3(NXDOMAIN)


On 31.01.24 09:43, Bill Cole via Postfix-users wrote:
So if your load balancer isn't at 186.202.157.79, the hosts behind it 
should not be announcing themselves as xpto.com.br.


how did you get to this?  xpto.com.br exists and has address, so there's no 
reason why it could not be used in HELO.


If that is your 
load balancer, you should fix its reverse DNS (i.e. a PTR record at 
79.157.202.186.in-addr.arpa.)


this is needed if e-mail comes from that IP.


On 2024-01-31 at 03:32:20 UTC-0500 (Wed, 31 Jan 2024 09:32:20 +0100)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:
In fact, refusing mail because of HELO inconsistence is against all 
SMTP RFCs issued so far.


That's a very narrow prohibition, technically only against simplistic 
requirement that HELO must use a name that resolves to the client IP 
with a matching PTR resolving the IP to the HELO name.


precisely, it's a very simple provision and easy not to break.

Since you did not provide us with your real address nor the error 
message spamhaus provides when you check for your IPs, it's really 
hard to help you.


Spamhaus doesn't control error messages...


some mail servers can use contents of dnsbl's TXT records in error messages

I assume that anyone obfuscating IPs when seeking support on issues 
directly related to specific IPs being blocklisted is trying to get 
their spambots working. There's absolutely no excuse for it in 99% of 
cases and it leads to random pointless speculation.


quite possible.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.


[pfx] Re: Problems with round-robin outbound emails

2024-01-31 Thread Bill Cole via Postfix-users

On 2024-01-31 at 03:32:20 UTC-0500 (Wed, 31 Jan 2024 09:32:20 +0100)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:


On 30.01.24 20:20, Israel britto via Postfix-users wrote:
hello, I'm having a problem with spamhaus that I don't know how to 
solve.

Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2

My Postfix is behind a load balancer, which performs round-robin 
balancing between these 2 IPs, however, my server is configured with 
the helo -> xpto.com.br


That's almost certainly wrong. The HELO argument should be the 
resolvable primary name associated with the actual client IP as it 
connects to the server. In this case, that would be the outward-facing 
IP of the load balancer.


# host xpto.com.br
xpto.com.br has address 186.202.157.79
xpto.com.br mail is handled by 20 mx.jk.locaweb.com.br.
xpto.com.br mail is handled by 10 mx.core.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.a.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.b.locaweb.com.br.

# host 186.202.157.79
Host 79.157.202.186.in-addr.arpa. not found: 3(NXDOMAIN)


So if your load balancer isn't at 186.202.157.79, the hosts behind it 
should not be announcing themselves as xpto.com.br. If that is your load 
balancer, you should fix its reverse DNS (i.e. a PTR record at 
79.157.202.186.in-addr.arpa.)


Spamhaus is listing my IPs because it says that my HELO address is 
not aligned with the rDNS of my IPs.  Has anyone had this type of 
problem and could help me with how to resolve it?


I have never seen anyone having this problem, also I have never seen 
spamhaus list IP address because of this.


Neither have I, having used Spamhaus for their whole existence. However, 
I am fairly sure that some of the signals that feed XBL (former CBL) 
listings include signature HELO behaviors. It's not implausible that 
using a HELO which looks like an intentional impersonation effort will 
generate a XBL listing. I have no special knowledge of precisely how 
that could happen, but I do see pure spam sources playing fraudulent 
games with HELO.


In fact, refusing mail because of HELO inconsistence is against all 
SMTP RFCs issued so far.


That's a very narrow prohibition, technically only against simplistic 
requirement that HELO must use a name that resolves to the client IP 
with a matching PTR resolving the IP to the HELO name. It does not 
prohibit blocking mail because of a HELO name which is formally invalid 
(e.g. illegal name or authoritatively resolving otherwise) or a HELO 
name that identifies a known bad actor.


Beyond that formal language issue, it is a simple fact that essentially 
all systems doing effective spam control 'violate' RFCs in some ways. 
Spam control is in conflict with the fundamental RFC purpose of maximal 
interoperability.


However, if your HELO string is invalid or not existing, it's somehow 
common for some servers to refuse mail from you.


Right. If you say "HELO ylmf-pc" or "EHLO USER" or various other 
signature introductions to arbitrary MXs, your mail will not be 
delivered in many places.


Since you did not provide us with your real address nor the error 
message spamhaus provides when you check for your IPs, it's really 
hard to help you.


Spamhaus doesn't control error messages...

I assume that anyone obfuscating IPs when seeking support on issues 
directly related to specific IPs being blocklisted is trying to get 
their spambots working. There's absolutely no excuse for it in 99% of 
cases and it leads to random pointless speculation.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Problems with round-robin outbound emails

2024-01-31 Thread Matus UHLAR - fantomas via Postfix-users

On 30.01.24 20:20, Israel britto via Postfix-users wrote:

hello, I'm having a problem with spamhaus that I don't know how to solve.
Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2

My Postfix is behind a load balancer, which performs round-robin balancing 
between these 2 IPs, however, my server is configured with the helo -> 
xpto.com.br

Spamhaus is listing my IPs because it says that my HELO address is not 
aligned with the rDNS of my IPs.  Has anyone had this type of problem and 
could help me with how to resolve it?


I have never seen anyone having this problem, also I have never seen spamhaus 
list IP address because of this.


In fact, refusing mail because of HELO inconsistence is against all SMTP 
RFCs issued so far.


However, if your HELO string is invalid or not existing, it's somehow common 
for some servers to refuse mail from you.


Since you did not provide us with your real address nor the error message 
spamhaus provides when you check for your IPs, it's really hard to help you.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


[pfx] Re: Problems with round-robin outbound emails

2024-01-30 Thread Wietse Venema via Postfix-users
Israel britto via Postfix-users:
> My server is configured with the helo -> xpto.com.br

Presumably, you are talking about SENDING email.

> Spamhaus is listing my IPs because it says that my HELO address
> is not aligned with the rDNS of my IPs. Has anyone had this type
> of problem and could help me with how to resolve it?

Your SMTP client's HELO argument should match the IP address that
a REMOTE SMTP server sees when your Postfix connects to them.

Wietse
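
The HELO/rDNS alignment discussed in this thread can be checked before a sender changes its configuration. The following is an added example, not code from any poster or from Postfix: check_helo and the record tables are hypothetical names, and the DNS data is a constructed snapshot built from the placeholder names and addresses quoted in the thread, so it runs without network access.

```python
import ipaddress

# Constructed DNS snapshot (assumption): the placeholder names and addresses
# quoted in the thread. 186.202.157.79 has no PTR entry, matching the
# NXDOMAIN answer shown in the thread.
A_RECORDS = {
    "xpto.com.br": ["186.202.157.79"],
    "a1.domain.com": ["1.1.1.1"],
    "a2.domain.com": ["2.2.2.2"],
}
PTR_RECORDS = {
    "1.1.1.1": ["a1.domain.com"],
    "2.2.2.2": ["a2.domain.com"],
}


def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()


def check_helo(helo, client_ip, a=A_RECORDS, ptr=PTR_RECORDS):
    """Compare a HELO name with the IP the remote SMTP server sees."""
    ip = str(ipaddress.ip_address(client_ip))  # ValueError on a malformed IP
    helo = _norm(helo)
    helo_ips = a.get(helo, [])
    # Forward-confirmed reverse DNS: PTR names whose A record maps back to ip.
    confirmed = [n for n in map(_norm, ptr.get(ip, [])) if ip in a.get(n, [])]
    if not helo_ips:
        verdict = "helo-unresolvable"        # e.g. "ylmf-pc", "USER"
    elif ip not in helo_ips:
        verdict = "helo-resolves-elsewhere"  # name belongs to another IP
    elif helo in confirmed:
        verdict = "aligned"                  # forward and reverse both agree
    else:
        verdict = "forward-only"             # A record matches, PTR does not
    return {
        "verdict": verdict,
        "fcrdns_names": confirmed,
        "suggested_helo": confirmed[0] if confirmed else None,
    }


if __name__ == "__main__":
    for helo, ip in [("xpto.com.br", "1.1.1.1"), ("a2.domain.com", "2.2.2.2"),
                     ("xpto.com.br", "186.202.157.79"), ("ylmf-pc", "1.1.1.1")]:
        print(helo, ip, check_helo(helo, ip))
```

For live use, the two tables would be replaced by real A and PTR lookups made from outside the load balancer, against the address that remote servers actually see.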