Re: are my helo restrictions too strict ?
On 3.12.2021 at 09:14:23, Fourhundred Thecat wrote:
> I have strict helo checks:
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname
>
> now I have noticed mails being rejected:
>
> Helo command rejected: Host not found
>
> warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known

On Fri, Dec 03, 2021 at 11:08:52AM +0100, Jaroslaw Rafa wrote:
> reject_unknown_helo_hostname is known to produce quite a lot of false
> positives, and it is not recommended to use this restriction.

On 05.12.21 11:38, raf wrote:
> If you do want to use it, you can add exceptions for
> any false positives that you care about.
>
> You can change it to this:
>
> /etc/postfix/main.cf:
>
>   smtpd_helo_restrictions =
>     check_helo_access hash:/etc/postfix/helo-access
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname
>
> /etc/postfix/helo-access:
>
>   .outbound.protection.outlook.com OK
>
> I also have permit_mynetworks and permit_sasl_authenticated
> at the start of smtpd_helo_restrictions.

I would recommend using check_client_access instead of check_helo_access
to allow anything, so you will whitelist client IP addresses, not helo
strings they provide.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
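
The check_client_access variant recommended in the message above, as an added example that is not from any poster in the thread: the exception is keyed on the connecting client's IP address rather than on the HELO string the client chooses to send. The file name helo-client-exceptions and the 192.0.2.0/24 range (a documentation prefix) are placeholders; substitute ranges the sender actually publishes.

```conf
# /etc/postfix/main.cf
#
# Before (from the thread): exception keyed on the HELO string, which any
# connecting client can claim.
#   check_helo_access hash:/etc/postfix/helo-access
#
# After: exception keyed on the client IP address of the SMTP connection.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/helo-client-exceptions,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

# /etc/postfix/helo-client-exceptions   (hypothetical file name)
# cidr: tables are plain text, searched top to bottom; no postmap step.
# 192.0.2.0/24 is a documentation prefix used here as a placeholder.
192.0.2.0/24    OK
```

An OK result here only ends evaluation of smtpd_helo_restrictions for that client; the other smtpd_*_restrictions lists still apply. Run "postfix reload" after editing the cidr table so running smtpd processes pick up the change.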
Re: are my helo restrictions too strict ?
On Fri, Dec 03, 2021 at 11:08:52AM +0100, Jaroslaw Rafa wrote:

> On 3.12.2021 at 09:14:23, Fourhundred Thecat wrote:
> > Hello,
> >
> > I have strict helo checks:
> >
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
> >     reject_invalid_helo_hostname,
> >     reject_unknown_helo_hostname
> >
> > now I have noticed mails being rejected:
> >
> > Helo command rejected: Host not found
> >
> > warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> > does not resolve to address 40.107.8.85: Name or service not known
>
> reject_unknown_helo_hostname is known to produce quite a lot of false
> positives, and it is not recommended to use this restriction.
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org

If you do want to use it, you can add exceptions for
any false positives that you care about.

You can change it to this:

/etc/postfix/main.cf:

  smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/helo-access
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

/etc/postfix/helo-access:

  .outbound.protection.outlook.com OK

I also have permit_mynetworks and permit_sasl_authenticated
at the start of smtpd_helo_restrictions.

See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
and http://www.postfix.org/access.5.html for details.

Don't forget to run "postmap hash:/etc/postfix/helo-access"
whenever you change the helo-access file.

Another good candidate for the helo-access file is
".outbound-mail.sendgrid.net".

It's a good idea to keep an eye on the false positives.
You can regularly run a script to scan the logs and
show the relevant information.
I use something like this:

#!/usr/bin/env perl
use warnings;
use strict;

# chkhelo - Scan maillogs to check for reject_unknown_helo_hostname related errors

# Default to the current and previous mail logs when no files are given
@ARGV = ('/var/log/mail.log.1', '/var/log/mail.log') unless @ARGV;

my $prev_date = '';

while (<>)
{
    # Only look at rejections caused by an unresolvable HELO name
    next unless /Helo command rejected: Host not found/;

    # Print a date heading (syslog "Mon DD" prefix) whenever the day changes
    my ($date) = $_ =~ /^(\w+\s{1,2}\d{1,2})\s/;
    print("$date:\n"), $prev_date = $date unless $date eq $prev_date;

    # Show the HELO name with the envelope recipient and sender
    my ($from, $to, $helo) = $_ =~ /from=<([^>]*)>.*to=<([^>]*)>.*helo=<([^>]*)>/;
    printf("helo=%-40s to=%-30s from=%s\n", $helo, $to, $from);
}

cheers,
raf
Re: are my helo restrictions too strict ?
> "JR" == Jaroslaw Rafa writes:

JR> On 3.12.2021 at 09:14:23, Fourhundred Thecat wrote:
>> Hello,
>>
>> I have strict helo checks:
>>
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>>     reject_invalid_helo_hostname,
>>     reject_unknown_helo_hostname
>>
>> now I have noticed mails being rejected:
>>
>> Helo command rejected: Host not found
>>
>> warning: hostname mail-eopbgr80085.outbound.protection.outlook.com does not
>> resolve to address 40.107.8.85: Name or service not known

JR> reject_unknown_helo_hostname is known to produce quite a lot of false
JR> positives, and it is not recommended to use this restriction.

The postfix main.cf documentation says for reject_unknown_helo_hostname:

"Reject the request when the HELO or EHLO hostname has no DNS A or MX record."

http://www.postfix.org/SMTPD_ACCESS_README.html has a comment:

  # Don't talk to mail systems that don't know their own hostname.
  # With Postfix < 2.3, specify reject_unknown_hostname.
  smtpd_helo_restrictions = reject_unknown_helo_hostname

I am confused; care to elaborate?
Re: are my helo restrictions too strict ?
On 3.12.2021 at 09:14:23, Fourhundred Thecat wrote:
> Hello,
>
> I have strict helo checks:
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname
>
> now I have noticed mails being rejected:
>
> Helo command rejected: Host not found
>
> warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known

reject_unknown_helo_hostname is known to produce quite a lot of false
positives, and it is not recommended to use this restriction.
--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: are my helo restrictions too strict ?
On 03.12.21 09:14, Fourhundred Thecat wrote:
> I have strict helo checks:
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname

should be OK

> now I have noticed mails being rejected:
>
> Helo command rejected: Host not found
>
> warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known

this is just a warning, not an error

> full log here:
>
> https://paste.ofcode.org/GK7Rnau3etXZmUsV5CbE7L
>
> what exactly happened?

postfix/smtpd: NOQUEUE: reject: RCPT from
mail-eopbgr80045.outbound.protection.outlook.com[40.107.8.45]: 450 4.7.1 :
Helo command rejected: Host not found; from= to= proto=ESMTP helo=

EUR04-VI1-obe.outbound.protection.outlook.com wasn't resolved at that time.

> a) Are my settings too strict?
> b) was there temporary interruption in DNS resolution?

looks like that.

% host EUR05-VI1-obe.outbound.protection.outlook.com
EUR05-VI1-obe.outbound.protection.outlook.com has address 23.103.134.15
EUR05-VI1-obe.outbound.protection.outlook.com has IPv6 address 2a01:111:f400:7d00::200

> c) or, is the domain really misconfigured?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
Re: are my helo restrictions too strict ?
Fourhundred Thecat:
> Hello,
>
> I have strict helo checks:
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname

Anecdotal: I used to have these exact settings but removed
‘reject_unknown_helo_hostname’ about a year ago, after I encountered a
legitimate sender that had not bothered to set up DNS properly.

Other than that your settings work perfectly for me.
are my helo restrictions too strict ?
Hello,

I have strict helo checks:

smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

now I have noticed mails being rejected:

Helo command rejected: Host not found

warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
does not resolve to address 40.107.8.85: Name or service not known

full log here:

https://paste.ofcode.org/GK7Rnau3etXZmUsV5CbE7L

what exactly happened?

a) Are my settings too strict?
b) was there temporary interruption in DNS resolution?
c) or, is the domain really misconfigured?

thank you,