Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Viktor Dukhovni
On Tue, Dec 06, 2022 at 12:58:40PM +0100, Ralf Hildebrandt wrote:

> * Wietse Venema :
> 
> > Look in $queue_directory/etc/resolv.conf or /etc/resolv.conf.
> 
> nameserver 127.0.0.1
> search DOMAINS
> 

In addition to that error, your real mistake is enabling "native" in
smtp_host_lookup.

DO NOT DO THAT (unless running in an environment that is disconnected
from the public Internet).  Postfix does not use RES_DNSRCH or
RES_DEFNAMES, but native lookup via nsswitch.conf does.

MX hostnames that came in via DNS SHOULD NOT be subject to random
tampering via native lookup.

-- 
Viktor.
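
Why a native lookup ends up asking for kompetenznetz-darmerkrankungen.com.DOMAINS.: an added Python sketch (not from the thread, and not Postfix or libc code) of the candidate order a search-enabled stub resolver walks for the resolv.conf quoted above. The glibc-style ordering and the function names are assumptions of this example.

```python
DEFAULT_NDOTS = 1  # stub-resolver default when no "options ndots:N" is set

# Constructed sample: the two resolv.conf lines quoted in this thread.
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nsearch DOMAINS\n"


def parse_resolv_conf(text):
    """Return (search_list, ndots); the last search/domain line wins."""
    search, ndots = [], DEFAULT_NDOTS
    for raw in text.splitlines():
        if raw.startswith(("#", ";")):      # comment lines
            continue
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "domain" and len(fields) > 1:
            search = [fields[1]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = int(opt[6:])
    return search, ndots


def candidate_names(name, resolv_conf_text):
    """Absolute names, in order, that a search-enabled lookup tries for `name`.

    Assumes glibc-style ordering; later candidates are only queried when the
    earlier ones fail (for example with NXDOMAIN).
    """
    if name.endswith("."):
        return [name]                       # fully qualified: no search list
    search, ndots = parse_resolv_conf(resolv_conf_text)
    as_is = name + "."
    expanded = [f"{name}.{dom.strip('.')}." for dom in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded           # enough dots: try as-is first
    return expanded + [as_is]               # too few dots: search list first


if __name__ == "__main__":
    for qname in candidate_names("kompetenznetz-darmerkrankungen.com",
                                 SAMPLE_RESOLV_CONF):
        print(qname)
```

The second candidate is the name that shows up in the unbound query log further down the thread; with no "search" or "domain" line the list has a single entry.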


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread A. Schulze




On 06.12.22 at 19:06, Fred Morris wrote:

> This is a good use for DNS Response Policy Zones (RPZ) to prevent leakage, as
> well as an illustration of why doing some broad brush statistical monitoring of
> DNS traffic is a useful practice.

It's easier to consistently avoid 'search' in /etc/resolv.conf on servers ...

Andreas


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Fred Morris

On Tue, 6 Dec 2022, Ralf Hildebrandt wrote:

> [...]
> nameserver 127.0.0.1
> search DOMAINS
>
> Interesting side effect. I need to check all my systems for this :(


This is a good use for DNS Response Policy Zones (RPZ) to prevent leakage, 
as well as an illustration of why doing some broad brush statistical 
monitoring of DNS traffic is a useful practice.


--

Fred Morris, internet plumber
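
One form the DNS monitoring mentioned above can take, as an added Python example (not part of the original post): scan resolver query logs for a name that was first queried as-is and then again with a search suffix appended. The log-line shape follows the unbound lines quoted in this thread; the function name and the sample lines are constructed for illustration.

```python
import re

# Shape of the unbound query-log lines quoted in this thread:
#   "... unbound: [pid:thread] info: <client> <qname> <qtype> IN"
QUERY_RE = re.compile(r"info: (\S+) (\S+) [A-Z0-9]+ IN\s*$")

# Constructed sample, modelled on the log lines in the thread (unwrapped).
SAMPLE_LOG = """\
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:6] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com. MX IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:5] info: 127.0.0.1 . NS IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:7] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com. A IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:5] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com.DOMAINS. A IN
""".splitlines()


def find_search_list_leaks(log_lines, search_suffixes):
    """Count queries that are an already-queried absolute name plus a suffix.

    With default ndots a single-label host name is expanded before it is
    tried as-is, so its bare form is not seen first; a full name that failed
    and was then retried with the search list appended is.
    Returns {(client, original, leaked): count}.
    """
    suffixes = ["." + s.strip(".").lower() + "." for s in search_suffixes]
    seen = set()                            # (client, qname) pairs so far
    leaks = {}
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        client, qname = match.group(1), match.group(2).lower()
        for suffix in suffixes:
            if not qname.endswith(suffix):
                continue
            original = qname[: -len(suffix)] + "."
            if original != "." and (client, original) in seen:
                key = (client, original, qname)
                leaks[key] = leaks.get(key, 0) + 1
        seen.add((client, qname))
    return leaks
```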



Re: remailer for alias lists?

2022-12-06 Thread Bob Proulx
raf wrote:
> Dan Mahoney wrote:
> > Or the perl-based one written for perl 4 with the last release
> > sometime in 2000 (majordomo)?
>
> Assuming that wasn't a rhetorical question, :-)
> I'd consider majordomo. It probably does
> what you need without being a hassle.
> It works in Perl 5 too, you know. :-)
> And it doesn't need a database or a web server.

There is at least one bug for very large messages such as large image
attachments which causes problems.  But, sure, whatever.

> If memory serves, you need to set up enough aliases
> for each mailing list that it's worth automating
> their addition, but if it's a single list, you
> wouldn't need to. This is what I used to have in
> aliases for each list.
>
>   # Majordomo template
>   # (e.g. (LIST, DOMAIN, DOM, ME) = (firewall-users, fwup.org, fwup, raf))

Seems oddly...  *specific*.  :-)

>   # LIST: "| /opt/majordomo/wrapper resend -C /opt/majordomo/DOMAIN.cf -l LIST -h DOMAIN LIST-outgoing"
>   # LIST-outgoing: :include:/opt/majordomo/lists/DOMAIN/LIST,

If someone knows that LIST-outgoing exists then it can be abused by
sending there directly.  Suggestion: Attempt to avoid that possibility
by using a random string in replacement for "outgoing" in
LIST-outgoing making that abuse more difficult.

LIST-zcSoC90h: :include:/opt/majordomo/lists/DOMAIN/LIST,

This is not perfect because it shows up in Delivered-To: but it
prevents a blind guessing attack of a well known address.  And it can
always be spun and rotated at any time if it becomes abused since it
is not a public interface.

>   #   "| /opt/majordomo/wrapper digest -c /opt/majordomo/DOMAIN.cf -r -C -l LIST-digest LIST-digest-outgoing",
>   #   "| /opt/majordomo/wrapper archive2.pl -C /opt/majordomo/DOMAIN.cf -a -m -f /opt/majordomo/lists/DOMAIN/LIST.archive"
>   # LIST-digest-outgoing: :include:/opt/majordomo/lists/DOMAIN/LIST-digest
>   # LIST-digest: LIST

Personally I also hate that users today do not know how to handle
digests.  It almost always results in users responding to the list
from the digest subject rather than from the individual message in the
digest.  Very few users these days know how to deal with digests.
Therefore I would also recommend avoiding setting up digests at all.
Help users out by not allowing them to make poor choices.

> Oh, actually majordomo.pl shouldn't work in perl5 since 5.10.
> It uses $* which was removed then (2007). That's weird. It
> was still working for me in 2015.

Only a few changes are needed for perl 5.10.  Needed since 2008 or so!

https://www.mail-archive.com/misc@openbsd.org/msg69481.html

Bob


Re: uceprotect.wtf (was: Send email to one @domain.com via authenticated relay?)

2022-12-06 Thread Jaroslaw Rafa
On 6.12.2022 at 10:27:36, Joachim Lindenberg wrote:
> Of course I looked at the page, and my understanding is, it describes very
> well, what UCEPROTECT does. Thus if it is a parody, then it is a good
> one. Do you have insights on that question?

Under "In the news" section on uceprotect.wtf page, there is a link to
article "UCEPROTECT Extortion Service: All Your Mails Are Belong To Us!"
( https://www.aaroncake.net/misc/showthought.asp?thought=57 ). One of the
comments under that article (dated March 23, 2021) is from a person who
stated that he/she has just created the uceprotect.wtf page.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Ralf Hildebrandt
* Wietse Venema :

> Look in $queue_directory/etc/resolv.conf or /etc/resolv.conf.

nameserver 127.0.0.1
search DOMAINS

Interesting side effect. I need to check all my systems for this :(

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Varadi Gabor

On 2022. 12. 06. at 12:51, Ralf Hildebrandt wrote:

> But what is appending ".DOMAINS."?



Interesting domain :)

$ dig soa kompetenznetz-darmerkrankungen.com.DOMAINS. @8.8.8.8

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> soa kompetenznetz-darmerkrankungen.com.DOMAINS. @8.8.8.8

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36168
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;kompetenznetz-darmerkrankungen.com.DOMAINS. IN SOA

;; AUTHORITY SECTION:
com.DOMAINS.		900	IN	SOA	ns-1541.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400


;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Dec 06 12:55:08 CET 2022
;; MSG SIZE  rcvd: 158


--
  [Varadi Gabor]



Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Wietse Venema
Ralf Hildebrandt:
> Dec  6 12:46:49 mail-cvk-int unbound: [1147087:5] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com.DOMAINS. A IN
> 
> And alas, kompetenznetz-darmerkrankungen.com.DOMAINS. resolves to:
> 
> # host kompetenznetz-darmerkrankungen.com.DOMAINS.
> kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.37
> kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.121
> kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.28
> kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.17
> 
> But what is appending ".DOMAINS."?

Look in $queue_directory/etc/resolv.conf or /etc/resolv.conf.

Wietse


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Wietse Venema
Ralf Hildebrandt:
> * Wietse Venema :
> 
> > > From my queue:
> > > ==
> > > 
> > > 4NRDBY1xyHz1Z1SX286400 Tue Dec  6 09:30:29 sen...@charite.de
> > > (connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out)
> > >
> > > recipi...@kompetenznetz-darmerkrankungen.com
> > 
> > Is the SMTP client chrooted? Try: postconf -F "*/*/chroot"
> 
> smtp/unix/chroot = y
>  
> > You have "smtp_host_lookup = dns, native" which means that the
> > Postfix SMTP client will use nsswitch.conf if a name is not found
> > in DNS.
> 
> Yes, but I don't have kompetenznetz-darmerkrankungen.com in my hosts
> file.

What lookups does your nsswitch configuration make?

Wietse

> # grep hosts /etc/nsswitch.conf
> hosts:  files dns
> 
> But anyway, I'll simply un-chroot smtp, stop & start postfix and see
> what's happening:
> 
> Dec  6 12:41:02 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out
> Dec  6 12:41:32 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.121]:25: Connection timed out
> 
> WTF? I'll try query logging in unbound to see what is happening here.
> 
> -- 
> [*] sys4 AG
> 
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>  
> Registered office: München, District court München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
> 


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Ralf Hildebrandt
> Dec  6 12:41:02 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out
> Dec  6 12:41:32 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.121]:25: Connection timed out
> 
> WTF? I'll try query logging in unbound to see what is happening here.

Dec  6 12:46:49 mail-cvk-int unbound: [1147087:6] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com. MX IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:5] info: 127.0.0.1 . NS IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:7] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com. A IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:7] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com. A IN
Dec  6 12:46:49 mail-cvk-int unbound: [1147087:5] info: 127.0.0.1 kompetenznetz-darmerkrankungen.com.DOMAINS. A IN

And alas, kompetenznetz-darmerkrankungen.com.DOMAINS. resolves to:

# host kompetenznetz-darmerkrankungen.com.DOMAINS.
kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.37
kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.121
kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.28
kompetenznetz-darmerkrankungen.com.DOMAINS has address 18.64.79.17

But what is appending ".DOMAINS."?

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Ralf Hildebrandt
* Wietse Venema :

> > From my queue:
> > ==
> > 
> > 4NRDBY1xyHz1Z1SX286400 Tue Dec  6 09:30:29 sen...@charite.de
> > (connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out)
> >
> > recipi...@kompetenznetz-darmerkrankungen.com
> 
> Is the SMTP client chrooted? Try: postconf -F "*/*/chroot"

smtp/unix/chroot = y
 
> You have "smtp_host_lookup = dns, native" which means that the
> Postfix SMTP client will use nsswitch.conf if a name is not found
> in DNS.

Yes, but I don't have kompetenznetz-darmerkrankungen.com in my hosts
file.

# grep hosts /etc/nsswitch.conf
hosts:  files dns

But anyway, I'll simply un-chroot smtp, stop & start postfix and see
what's happening:

Dec  6 12:41:02 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out
Dec  6 12:41:32 mail-cvk-int postfix/smtp[1145453]: connect to kompetenznetz-darmerkrankungen.com[18.64.79.121]:25: Connection timed out

WTF? I'll try query logging in unbound to see what is happening here.

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Wietse Venema
Ralf Hildebrandt:
> From my queue:
> ==
> 
> 4NRDBY1xyHz1Z1SX286400 Tue Dec  6 09:30:29 sen...@charite.de
> (connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out)
>
> recipi...@kompetenznetz-darmerkrankungen.com

Is the SMTP client chrooted? Try: postconf -F "*/*/chroot"

You have "smtp_host_lookup = dns, native" which means that the
Postfix SMTP client will use nsswitch.conf if a name is not found
in DNS.

Wietse


> and dig says:
> =
> 
> # host kompetenznetz-darmerkrankungen.com
> Host kompetenznetz-darmerkrankungen.com not found: 3(NXDOMAIN)
> # host -t mx kompetenznetz-darmerkrankungen.com
> Host kompetenznetz-darmerkrankungen.com not found: 3(NXDOMAIN)
> 
> I restarted the local "unbound" process. Same result.
> 
> Relevant options ( postconf |egrep "(resolv|dns)" ):
> 
> 
> disable_dns_lookups = no
> dns_ncache_ttl_fix_enable = no
> smtp_dns_reply_filter =
> smtp_dns_resolver_options =
> smtp_dns_support_level = dnssec
> smtp_host_lookup = dns, native
> 
> What am I doing wrong here?
> Why is this mail not bouncing?
> 
> -- 
> [*] sys4 AG
> 
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>  
> Registered office: München, District court München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
> 


dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread Ralf Hildebrandt
From my queue:
==

4NRDBY1xyHz1Z1SX286400 Tue Dec  6 09:30:29 sen...@charite.de
(connect to kompetenznetz-darmerkrankungen.com[18.64.79.37]:25: Connection timed out)
   
recipi...@kompetenznetz-darmerkrankungen.com

and dig says:
=

# host kompetenznetz-darmerkrankungen.com
Host kompetenznetz-darmerkrankungen.com not found: 3(NXDOMAIN)
# host -t mx kompetenznetz-darmerkrankungen.com
Host kompetenznetz-darmerkrankungen.com not found: 3(NXDOMAIN)

I restarted the local "unbound" process. Same result.

Relevant options ( postconf |egrep "(resolv|dns)" ):


disable_dns_lookups = no
dns_ncache_ttl_fix_enable = no
smtp_dns_reply_filter =
smtp_dns_resolver_options =
smtp_dns_support_level = dnssec
smtp_host_lookup = dns, native

What am I doing wrong here?
Why is this mail not bouncing?

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


AW: uceprotect.wtf (was: Send email to one @domain.com via authenticated relay?)

2022-12-06 Thread Joachim Lindenberg
Hello Rob,
Of course I looked at the page, and my understanding is, it describes very 
well, what UCEPROTECT does. Thus if it is a parody, then it is a good one. Do 
you have insights on that question?
Btw, I was on UCEPROTECT black list for some time, and really, there is no 
channel you can complain to them, which for sure violates GDPR. I got onto 
their black list because I did some tests on email security of authorities, and 
therefore also have some suspicions w.r.t. which authorities might be using 
UCEPROTECT, but I didn't spend the time required to track it down as I didn't 
have a real need to communicate to them. 
Regards,
Joachim


-----Original Message-----
From: owner-postfix-us...@postfix.org On behalf of Rob McGee
Sent: Monday, 5 December 2022 23:14
To: postfix-users@postfix.org
Subject: uceprotect.wtf (was: Send email to one @domain.com via authenticated relay?)

On 12/2/2022 3:27 PM, Joachim Lindenberg wrote:
> UCEProtect are gangsters, even the founder admits: https://uceprotect.wtf/
> You don't want to do anything about it, except you are located in Europe
> and can complain to their customers and authorities violating GDPR.

Excuse me, Joachim, but did you look at uceprotect.wtf and think that site is 
in any way affiliated with the UCEPROTECT DNSBLs?

It is very clearly a parody, put up by someone else who falsely believed that a 
UCEPROTECT listing was the cause of email delivery problems. This person went 
to a lot of effort to portray Dirk Lautenschlager in the worst possible light.

It was not worth the effort!

Just ignore UCEPROTECT, as any serious email administrator does.

Being listed there will not cause any significant email problems. The only 
sites who use it are run by very inexperienced people and/or those who don't 
care about receiving email. That is to say, not serious sites.
-- 
http://rob0.nodns4.us/