Re: are my helo restrictions too strict ?

2021-12-05 Thread Matus UHLAR - fantomas

On 3.12.2021 at 09:14:23 Fourhundred Thecat writes:
> I have strict helo checks:
>
>   smtpd_helo_required = yes
>   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>       reject_invalid_helo_hostname,
>       reject_unknown_helo_hostname
>
> now I have noticed mails being rejected:
>
>   Helo command rejected: Host not found
>
>   warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known



On Fri, Dec 03, 2021 at 11:08:52AM +0100, Jaroslaw Rafa wrote:
> reject_unknown_helo_hostname is known to produce quite a lot of false
> positives, and it is not recommended to use this restriction.

On 05.12.21 11:38, raf wrote:
> If you do want to use it, you can add exceptions for any
> false positives that you care about. You can change it to
> this:
>
>  /etc/postfix/main.cf:
>  smtpd_helo_restrictions =
>    check_helo_access hash:/etc/postfix/helo-access
>    reject_non_fqdn_helo_hostname,
>    reject_invalid_helo_hostname,
>    reject_unknown_helo_hostname
>
>  /etc/postfix/helo-access:
>  .outbound.protection.outlook.com OK
>
> I also have permit_mynetworks and permit_sasl_authenticated
> at the start of smtpd_helo_restrictions.


I would recommend using check_client_access instead of check_helo_access to
allow anything, so you will whitelist client IP addresses, not helo strings
they provide.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


Re: are my helo restrictions too strict ?

2021-12-04 Thread raf
On Fri, Dec 03, 2021 at 11:08:52AM +0100, Jaroslaw Rafa wrote:

> On 3.12.2021 at 09:14:23 Fourhundred Thecat writes:
> > Hello,
> > 
> > I have strict helo checks:
> > 
> >   smtpd_helo_required = yes
> >   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
> >       reject_invalid_helo_hostname,
> >       reject_unknown_helo_hostname
> > 
> > now I have noticed mails being rejected:
> > 
> >   Helo command rejected: Host not found
> > 
> >   warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> > does not resolve to address 40.107.8.85: Name or service not known
> 
> reject_unknown_helo_hostname is known to produce quite a lot of false
> positives, and it is not recommended to use this restriction.
> -- 
> Regards,
>    Jaroslaw Rafa
>    r...@rafa.eu.org

If you do want to use it, you can add exceptions for any
false positives that you care about. You can change it to
this:

  /etc/postfix/main.cf:
  smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/helo-access
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

  /etc/postfix/helo-access:
  .outbound.protection.outlook.com OK

I also have permit_mynetworks and permit_sasl_authenticated
at the start of smtpd_helo_restrictions.

See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
and http://www.postfix.org/access.5.html for details. Don't forget
to run "postmap hash:/etc/postfix/helo-access" whenever you change
the helo-access file.

Another good candidate for the helo-access file is
".outbound-mail.sendgrid.net".

It's a good idea to keep an eye on the false positives. You can regularly
run a script to scan the logs and show the relevant information.
I use something like this:

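  #!/usr/bin/env perl
  use warnings;
  use strict;

  # chkhelo - Scan maillogs to check for reject_unknown_helo_hostname related errors

  # Default to the previous and current mail logs when no files are given
  @ARGV = ('/var/log/mail.log.1', '/var/log/mail.log') unless @ARGV;
  my $prev_date = '';

  while (<>)
  {
      # Only rejections caused by reject_unknown_helo_hostname
      next unless /Helo command rejected: Host not found/;

      # Traditional syslog timestamp, e.g. "Dec  3"; skip lines in another format
      my ($date) = $_ =~ /^(\w+\s{1,2}\d{1,2})\s/;
      next unless defined $date;

      # Print a heading whenever the date changes
      print("$date:\n"), $prev_date = $date unless $date eq $prev_date;

      my ($from, $to, $helo) = $_ =~ /from=<([^>]*)>.*to=<([^>]*)>.*helo=<([^>]*)>/;
      next unless defined $helo;
      printf("helo=%-40s to=%-30s from=%s\n", $helo, $to, $from);
  }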

cheers,
raf
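
An added example, not part of the thread and not raf's script: a Python sketch that combines the log scan above with the suggestion elsewhere in this thread to key exceptions on the client address rather than on the HELO string. The log lines are constructed (only the first client name, IP and HELO name appear in the thread), and `summarize`, `client_access_candidates` and `min_rejects` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix's reject format. The first client name
# and IP are quoted in the thread; every other value is a placeholder.
SAMPLE_LOG = """\
Dec  3 09:01:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mail-eopbgr80045.outbound.protection.outlook.com[40.107.8.45]: 450 4.7.1 <EUR04-VI1-obe.outbound.protection.outlook.com>: Helo command rejected: Host not found; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>
Dec  3 09:16:40 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail-eopbgr80045.outbound.protection.outlook.com[40.107.8.45]: 450 4.7.1 <EUR04-VI1-obe.outbound.protection.outlook.com>: Helo command rejected: Host not found; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>
Dec  3 10:02:05 mx postfix/smtpd[2304]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.7.1 <mail.invalid-sender.example>: Helo command rejected: Host not found; from=<x@example.org> to=<bob@example.net> proto=ESMTP helo=<mail.invalid-sender.example>
Dec  3 10:05:31 mx postfix/smtpd[2310]: connect from mail.example.com[198.51.100.10]
"""

REJECT = re.compile(
    r"reject: RCPT from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: \d{3} "
    r".*?Helo command rejected: Host not found; .*helo=<(?P<helo>[^>]*)>"
)

def summarize(log_text):
    """Group 'Host not found' HELO rejects by connecting client IP."""
    clients = defaultdict(lambda: {"name": None, "count": 0, "helos": set()})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # some other log line
        entry = clients[m["ip"]]
        entry["name"] = m["client"]
        entry["count"] += 1
        entry["helos"].add(m["helo"].lower())
    return dict(clients)

def client_access_candidates(clients, min_rejects=2):
    """Return ('IP OK' table lines, IPs needing manual review)."""
    table, review = [], []
    for ip, entry in sorted(clients.items()):
        if entry["name"] == "unknown":
            # No verified client hostname: never suggest automatically.
            review.append(ip)
        elif entry["count"] >= min_rejects:
            # Keyed on the address Postfix saw, not the HELO the client sent.
            table.append(f"{ip} OK")
    return table, review

if __name__ == "__main__":
    table, review = client_access_candidates(summarize(SAMPLE_LOG))
    print("\n".join(table))
    print("review manually:", ", ".join(review))
```

The suggested lines are candidates for a human to review before they go into a check_client_access table; as with helo-access, a hash table has to be rebuilt with postmap after each change.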



Re: are my helo restrictions too strict ?

2021-12-03 Thread Togan Muftuoglu
> "JR" == Jaroslaw Rafa  writes:

JR> On 3.12.2021 at 09:14:23 Fourhundred Thecat writes:
>> Hello,
>>
>> I have strict helo checks:
>>
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>>     reject_invalid_helo_hostname,
>>     reject_unknown_helo_hostname
>>
>> now I have noticed mails being rejected:
>>
>> Helo command rejected: Host not found
>>
>> warning: hostname mail-eopbgr80085.outbound.protection.outlook.com does not
>> resolve to address 40.107.8.85: Name or service not known

JR> reject_unknown_helo_hostname is known to produce quite a lot of false
JR> positives, and it is not recommended to use this restriction.

The postfix main.cf documentation says for reject_unknown_helo_hostname:

"Reject the request when the HELO or EHLO hostname has no DNS A or MX record. "

http://www.postfix.org/SMTPD_ACCESS_README.html has a comment

 # Don't talk to mail systems that don't know their own hostname.
 # With Postfix < 2.3, specify reject_unknown_hostname.
 smtpd_helo_restrictions = reject_unknown_helo_hostname


I am confused; care to elaborate?




Re: are my helo restrictions too strict ?

2021-12-03 Thread Jaroslaw Rafa
On 3.12.2021 at 09:14:23 Fourhundred Thecat writes:
> Hello,
> 
> I have strict helo checks:
> 
>   smtpd_helo_required = yes
>   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>   reject_invalid_helo_hostname,
>   reject_unknown_helo_hostname
> 
> now I have noticed mails being rejected:
> 
>   Helo command rejected: Host not found
> 
>   warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known

reject_unknown_helo_hostname is known to produce quite a lot of false
positives, and it is not recommended to use this restriction.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: are my helo restrictions too strict ?

2021-12-03 Thread Matus UHLAR - fantomas

On 03.12.21 09:14, Fourhundred Thecat wrote:
> I have strict helo checks:
>
>  smtpd_helo_required = yes
>  smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>      reject_invalid_helo_hostname,
>      reject_unknown_helo_hostname

should be OK

> now I have noticed mails being rejected:
>
>  Helo command rejected: Host not found
>
>  warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> does not resolve to address 40.107.8.85: Name or service not known

this is just a warning, not an error

> full log here:
> https://paste.ofcode.org/GK7Rnau3etXZmUsV5CbE7L
>
> what exactly happened?

postfix/smtpd:  NOQUEUE: reject: RCPT from
mail-eopbgr80045.outbound.protection.outlook.com[40.107.8.45]: 450 4.7.1
: Helo command rejected: Host
not found; from= to= proto=ESMTP
helo=

EUR04-VI1-obe.outbound.protection.outlook.com wasn't resolved at that time.

> a) Are my settings too strict?
> b) was there temporary interruption in DNS resolution?

looks like that.

% host EUR05-VI1-obe.outbound.protection.outlook.com
EUR05-VI1-obe.outbound.protection.outlook.com has address 23.103.134.15
EUR05-VI1-obe.outbound.protection.outlook.com has IPv6 address 2a01:111:f400:7d00::200

> c) or, is the domain really misconfigured?



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: are my helo restrictions too strict ?

2021-12-03 Thread David Bürgin
Fourhundred Thecat:
> Hello,
> 
> I have strict helo checks:
> 
>   smtpd_helo_required = yes
>   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname

Anecdotal: I used to have these exact settings but removed
‘reject_unknown_helo_hostname’ about a year ago, after I encountered a
legitimate sender that had not bothered to set up DNS properly.

Other than that your settings work perfectly for me.


are my helo restrictions too strict ?

2021-12-03 Thread Fourhundred Thecat

Hello,

I have strict helo checks:

  smtpd_helo_required = yes
  smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
      reject_invalid_helo_hostname,
      reject_unknown_helo_hostname

now I have noticed mails being rejected:

  Helo command rejected: Host not found

  warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
does not resolve to address 40.107.8.85: Name or service not known

full log here:
https://paste.ofcode.org/GK7Rnau3etXZmUsV5CbE7L

what exactly happened?

a) Are my settings too strict?
b) was there temporary interruption in DNS resolution?
c) or, is the domain really misconfigured?

thank you,