Re: reject_non_fqdn_helo_hostname usefulness, safety
On 11/11/2011 00:45, Steve Fatula wrote:
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a safe check that shouldn't really kill any real mail.
>
> Lately, noticed no ebay mail was coming through, looked through the logs and see entries like:
>
> Nov 9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 mx88: Helo command rejected: need fully-qualified hostname; from=e...@ebay.com to=m...@hiddendomain.com proto=ESMTP helo=mx88
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting.
>
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.
>
> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?

AFAICT, the check is safe. wait for some time and see if they don't fix their setup. A lot of "write a web app that sends mail" sites get into such problems when they upgrade their web apps. (yep, the solution is easy: use an outbound relay that detects issues and either rejects or fixes the problems. unfortunately, many sites send directly or they configure their outbound relay too lazily...).

if they get many errors, they notice the problem and fix it. so keep rejecting them. (if they don't notice or fix the problem quickly, that's a different matter. post here and/or on spam-l so that someone gets a contact there...).
RE: reject_non_fqdn_helo_hostname usefulness, safety
Just heard back from them:

"Murray, FYI, I was just notified by the correct person within eBay that this is being fixed now. Thank you again for forwarding it along."

-MSK

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Murray S. Kucherawy
Sent: Friday, November 11, 2011 11:47 PM
To: Steve Fatula; simon.brere...@buongiorno.com; postfix users
Subject: RE: reject_non_fqdn_helo_hostname usefulness, safety

I've forwarded this to some standards and practices compliance people inside eBay/PayPal. I bet they'll be quite interested. I know that they were planning to do some work on their DK/DKIM infrastructure at some point. Maybe this was a side-effect.

Will advise when they reply.

-MSK

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Steve Fatula
Sent: Thursday, November 10, 2011 9:04 PM
To: simon.brere...@buongiorno.com; postfix users
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

From: Simon Brereton simon.brere...@buongiorno.com
To: postfix users postfix-users@postfix.org
Sent: Thursday, November 10, 2011 9:26 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

> Write them a note with the RFC I say. Standards are no good if you let yours slip because it's Ebay. or Google. or InsertBrandnamehere.

I did exactly that. Have not heard back yet, if I ever will. I included some sample log messages so they could see some of the servers with the bad HELO name, not all of them have it, and of course the relevant RFC section.

They had some Paypal/Ebay troubles today as well (some payments could not be made via Ebay checkout), and, I see they are making announced website changes starting tonight as well. Perhaps it was a lot of work and they just screwed up.

Hopefully, someone who knows something will read the email and actually do something! I did whitelist them in the meantime to avoid the check.
Re: reject_non_fqdn_helo_hostname usefulness, safety
From: Murray S. Kucherawy m...@cloudmark.com
To: Steve Fatula compconsult...@yahoo.com; simon.brere...@buongiorno.com; postfix users postfix-users@postfix.org
Sent: Tuesday, November 15, 2011 3:19 PM
Subject: RE: reject_non_fqdn_helo_hostname usefulness, safety

> Just heard back from them:
>
> “Murray, FYI, I was just notified by the correct person within eBay that this is being fixed now. Thank you again for forwarding it along.”
>
> -MSK

You must know the right guy! They ignored me. Feeling insignificant. ;-)
RE: reject_non_fqdn_helo_hostname usefulness, safety
I've forwarded this to some standards and practices compliance people inside eBay/PayPal. I bet they'll be quite interested. I know that they were planning to do some work on their DK/DKIM infrastructure at some point. Maybe this was a side-effect.

Will advise when they reply.

-MSK

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Steve Fatula
Sent: Thursday, November 10, 2011 9:04 PM
To: simon.brere...@buongiorno.com; postfix users
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

From: Simon Brereton simon.brere...@buongiorno.com
To: postfix users postfix-users@postfix.org
Sent: Thursday, November 10, 2011 9:26 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

> Write them a note with the RFC I say. Standards are no good if you let yours slip because it's Ebay. or Google. or InsertBrandnamehere.

I did exactly that. Have not heard back yet, if I ever will. I included some sample log messages so they could see some of the servers with the bad HELO name, not all of them have it, and of course the relevant RFC section.

They had some Paypal/Ebay troubles today as well (some payments could not be made via Ebay checkout), and, I see they are making announced website changes starting tonight as well. Perhaps it was a lot of work and they just screwed up.

Hopefully, someone who knows something will read the email and actually do something! I did whitelist them in the meantime to avoid the check.
Re: reject_non_fqdn_helo_hostname usefulness, safety
On 2011-11-11 00:45, Steve Fatula wrote:
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a safe check that shouldn't really kill any real mail.
>
> Lately, noticed no ebay mail was coming through, looked through the logs and see entries like:
>
> Nov 9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 mx88: Helo command rejected: need fully-qualified hostname; from=e...@ebay.com to=m...@hiddendomain.com proto=ESMTP helo=mx88
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting.
>
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.
>
> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?

I have seen it too, on bulk mailer software (as ebay's probably is), but my logs from the past 6 weeks do not contain a single reject from this rule, so usefulness is debatable (or YMMV).

If you want to use it but exclude a known whitelist of domains from the check, use a client access check in your smtpd_helo_restrictions - and move the helo checks there, too:

    smtpd_helo_restrictions =
        reject_invalid_helo_hostname,
        check_client_access hash:/etc/postfix/helo_whitelist,
        reject_non_fqdn_helo_hostname

And in /etc/postfix/helo_whitelist:

    .ebay.com    OK

Don't forget to postmap that file.

--
J.
Re: reject_non_fqdn_helo_hostname usefulness, safety
From: Jeroen Geilman jer...@adaptr.nl
To: postfix-users@postfix.org
Sent: Thursday, November 10, 2011 6:13 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

> I have seen it too, on bulk mailer software (as ebay's probably is), but my logs from the past 6 weeks do not contain a single reject from this rule, so usefulness is debatable (or YMMV).

Just for fun, I reported this to the ebay folks via their network contact info. It'll be interesting to see if they even reply. Documented it for them, gave them link to RFC, etc. I wouldn't bet on them fixing it of course.

I searched my logs and found quite a few rejects each day, all of them bogus, but, ebay. So, I will probably try and keep the restriction.
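
Added example (not from any poster in this thread): a Python sketch of the log search described above, tallying `need fully-qualified hostname` rejects per client domain so that named senders can be reviewed while the check is enforced or on trial. The sample log is constructed; the code assumes the usual angle-bracketed Postfix log form and that warn-only trials (`warn_if_reject`) are logged as `reject_warning`.

```python
import re
from collections import defaultdict

# Constructed sample log: the first two entries follow the reject quoted in the
# thread (envelope addresses replaced); all other hosts and addresses are made up.
SAMPLE_LOG = """\
Nov  9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=<sender@example.com> to=<user@example.org> proto=ESMTP helo=<mx88>
Nov  9 20:41:12 host2 postfix/smtpd[16203]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 <mx88>: Helo command rejected: need fully-qualified hostname; from=<sender@example.com> to=<user@example.org> proto=ESMTP helo=<mx88>
Nov  9 21:02:40 host2 postfix/smtpd[16250]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 504 5.5.2 <user-pc>: Helo command rejected: need fully-qualified hostname; from=<x@example.net> to=<user@example.org> proto=SMTP helo=<user-pc>
Nov  9 21:15:03 host2 postfix/smtpd[16301]: NOQUEUE: reject_warning: RCPT from mail.partner.example[198.51.100.7]: 504 5.5.2 <mailgw>: Helo command rejected: need fully-qualified hostname; from=<billing@partner.example> to=<user@example.org> proto=ESMTP helo=<mailgw>
Nov  9 21:20:19 host2 postfix/smtpd[16310]: NOQUEUE: reject: RCPT from unknown[192.0.2.90]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<y@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
"""

HELO_REJECT = re.compile(
    r"NOQUEUE: (?P<action>reject_warning|reject): \w+ from "
    r"(?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: .*?"
    r"Helo command rejected: need fully-qualified hostname;"
    r".*?helo=<?(?P<helo>[^>\s]*)"
)

def client_domain(client):
    """Last two labels of the client's reverse-DNS name (not public-suffix aware)."""
    if client == "unknown":  # Postfix logs "unknown" when it cannot verify the rDNS name
        return "unknown"
    return ".".join(client.lower().split(".")[-2:])

def helo_rejects(log_text):
    """Yield one dict per non-FQDN HELO reject, enforced or warn-only."""
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if m:
            yield m.groupdict()

def summarize(log_text):
    """Group rejects by client domain: counts, HELO names seen, client IPs."""
    out = defaultdict(lambda: {"enforced": 0, "warn_only": 0, "helos": set(), "ips": set()})
    for r in helo_rejects(log_text):
        row = out[client_domain(r["client"])]
        row["enforced" if r["action"] == "reject" else "warn_only"] += 1
        row["helos"].add(r["helo"])
        row["ips"].add(r["ip"])
    return dict(out)

def named_senders(summary):
    """Domains with working reverse DNS, busiest first: the ones worth reviewing."""
    named = [(d, s["enforced"] + s["warn_only"]) for d, s in summary.items() if d != "unknown"]
    return sorted(named, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    print(named_senders(summarize(SAMPLE_LOG)))
```

Rejects from clients without verified reverse DNS are grouped under `unknown` and left out of the review list, which keeps it to senders that can be identified and contacted.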
Re: reject_non_fqdn_helo_hostname usefulness, safety
On Thursday 10 November 2011 17:45:18 Steve Fatula wrote:
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a safe check that shouldn't really kill any real mail.
>
> Lately, noticed no ebay mail was coming through, looked through the logs and see entries like:
>
> Nov 9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 mx88: Helo command rejected: need fully-qualified hostname; from=e...@ebay.com to=m...@hiddendomain.com proto=ESMTP helo=mx88
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting.
>
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.

This is news to me, as I often sing the praises of reject_non_fqdn_helo_hostname as both safe and effective. I have received ebay mail in the past, so this must be a recent SNAFU on their part.

> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it

The way they will take notice of their mistake is when most of the junk they send out bounces! You are NOT alone in rejecting these, I can assure you.

> really of much use these days anyway for blocking spam?

Several times I have looked and seen that it takes out ~25% of all connections. Of course nowadays most of those are failing against postscreen, so the HELO rejections are rare for me now.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: reject_non_fqdn_helo_hostname usefulness, safety
On 10 November 2011 18:45, Steve Fatula compconsult...@yahoo.com wrote:
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a safe check that shouldn't really kill any real mail.
>
> Lately, noticed no ebay mail was coming through, looked through the logs and see entries like:
>
> Nov 9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 mx88: Helo command rejected: need fully-qualified hostname; from=e...@ebay.com to=m...@hiddendomain.com proto=ESMTP helo=mx88
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting.
>
> Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but
>
> Since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail.
>
> Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?

This check alone is responsible for blocking up to 85% of the spam attempts on our system. Verifying that the HELO is not localhost, mydomain.tld or ip.add.re.ss takes care of another 5% and rejecting invalid destinations takes care of the rest. Amavis ends up finding less than 1% of what makes it through that and that in itself is 1% of the total attempts.

Write them a note with the RFC I say. Standards are no good if you let yours slip because it's Ebay. or Google. or InsertBrandnamehere.

Simon
Re: reject_non_fqdn_helo_hostname usefulness, safety
From: Simon Brereton simon.brere...@buongiorno.com
To: postfix users postfix-users@postfix.org
Sent: Thursday, November 10, 2011 9:26 PM
Subject: Re: reject_non_fqdn_helo_hostname usefulness, safety

> Write them a note with the RFC I say. Standards are no good if you let yours slip because it's Ebay. or Google. or InsertBrandnamehere.

I did exactly that. Have not heard back yet, if I ever will. I included some sample log messages so they could see some of the servers with the bad HELO name, not all of them have it, and of course the relevant RFC section.

They had some Paypal/Ebay troubles today as well (some payments could not be made via Ebay checkout), and, I see they are making announced website changes starting tonight as well. Perhaps it was a lot of work and they just screwed up.

Hopefully, someone who knows something will read the email and actually do something! I did whitelist them in the meantime to avoid the check.