Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 03:37:20PM +0800, jan gestre wrote:

> On Sun, Feb 8, 2009 at 3:05 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
> > On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:
> > > Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?
> >
> > What kind of NAT device is this? Is it capable of running a non-forwarding DNS cache? If the cache in question has sufficiently good port randomization, by all means run on the NAT device, otherwise run it on the Postfix server, and hope the NAT device port selection is not too predictable.
>
> It's a lightweight FreeBSD based firewall called pfSense, it also has an installable TinyDNS package.

TinyDNS is an authoritative DNS server, you need a cache, is Dnscache also available? If so, that would be perfect, otherwise, you just install a DNS cache on your Postfix server. See: http://forum.pfsense.org/index.php?topic=10431.0

Anyway, this question is best asked on the pfSense lists, I know nothing more about this than what Google turns up... http://www.google.com/search?q=pfSense+Kaminsky+DNS

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: postfix blocking yahoo and gmail
On Fri, Feb 6, 2009 at 10:39 PM, Noel Jones njo...@megan.vbhcs.org wrote:

> jan gestre wrote:
> > Additional info: I have four mail servers running identical configurations and it's now exhibiting the same problem, I've disabled MailScanner in one of the server coz I thought it might be the culprit but after I did that, postfix keeps on rejecting emails even if the ip address it came from is not listed in sbl-xbl list so I've removed all reject parameters
>
> If postfix is rejecting mail it will log the reason.
>
> grep 'reject: ' /var/log/maillog
>
> If you have trouble interpreting the postfix logs, show them here. http://www.postfix.org/DEBUG_README.html#mail
>
> --
> Noel Jones

New logs with reject_rbl_client sbl-xbl.spamhaus.org added to main.cf

eb 8 12:49:52 kartero postfix/smtpd[6465]: NOQUEUE: reject: RCPT from web57902.mail.re3.yahoo.com[68.142.236.95]: 554 5.7.1 Service unavailable; Client host [68.142.236.95] blocked using sbl-xbl.spamhaus.org; from=jan.ges...@yahoo.com to=jan.ges...@ddbphil.com proto=SMTP helo=web57902.mail.re3.yahoo.com
Feb 8 12:49:52 kartero postfix/smtpd[6468]: NOQUEUE: reject: RCPT from web57902.mail.re3.yahoo.com[68.142.236.95]: 554 5.7.1 Service unavailable; Client host [68.142.236.95] blocked using sbl-xbl.spamhaus.org; from=jan.ges...@yahoo.com to=jan.ges...@ddb.com.ph proto=SMTP helo=web57902.mail.re3.yahoo.com
Feb 8 12:49:52 kartero postfix/smtpd[6465]: disconnect from web57902.mail.re3.yahoo.com[68.142.236.95]

As you can see it treats legitimate email as spam at the smtp level and I have this identical configuration in my other server but it does not behave like this. I have no idea how to fix this, with this parameter off I have lots of spam but if it's turned on I have no incoming mails.
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 01:01:49PM +0800, jan gestre wrote:

> New logs with reject_rbl_client sbl-xbl.spamhaus.org added to main.cf
>
> eb 8 12:49:52 kartero postfix/smtpd[6465]: NOQUEUE: reject: RCPT from web57902.mail.re3.yahoo.com[68.142.236.95]: 554 5.7.1 Service unavailable; Client host [68.142.236.95] blocked using sbl-xbl.spamhaus.org; from=jan.ges...@yahoo.com to=jan.ges...@ddbphil.com proto=SMTP helo=web57902.mail.re3.yahoo.com

Your DNS server is fabricating A records for non-existent hosts. The real spamhaus would have also returned a TXT record with a URL for looking up the reason for the block.

Don't use ISP DNS servers that fabricate A records.

--
Viktor.
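
The resolver behaviour described in the message above can be checked from the mail server before `reject_rbl_client` is enabled. This is an added example, not part of the thread: it relies on the two test entries RFC 5782 requires of every IPv4 DNSBL (127.0.0.2 always listed, 127.0.0.1 never listed), and every function name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread; all function names are hypothetical.
# Postfix's "reject_rbl_client zone" treats ANY A record for the reversed
# client address as a listing, so a resolver that answers for non-existent
# names makes every client look listed.

# rbl_name IPV4 ZONE: DNSBL query name (octets reversed, zone appended).
rbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone; ok = 1 }
        END     { exit !ok }'
}

# classify_answer "RECORDS": RECORDS is the whitespace-separated A records
# returned for one DNSBL query; the empty string means no record (NXDOMAIN).
classify_answer() {
    [ -n "$1" ] || { echo not-listed; return; }
    for rec in $1; do
        case $rec in
            127.*.*.*) ;;                      # normal DNSBL return code
            *) echo fabricated; return ;;      # not a DNSBL answer at all
        esac
    done
    echo listed
}

# resolver_verdict NEVER ALWAYS: NEVER and ALWAYS are the answers for the
# 127.0.0.1 (must not be listed) and 127.0.0.2 (must be listed) test entries.
resolver_verdict() {
    v_never=$(classify_answer "$1")
    v_always=$(classify_answer "$2")
    if [ "$v_never" != not-listed ]; then
        echo fabricating    # a name that must not exist got an answer
    elif [ "$v_always" != listed ]; then
        echo broken         # test entry missing or rewritten
    else
        echo ok
    fi
}

# check_resolver ZONE [RESOLVER_IP]: live check with dig; without
# RESOLVER_IP the system resolver is queried. dig exits non-zero when
# no server replied, which is reported separately from a verdict.
check_resolver() {
    a_never=$(dig +short ${2:+"@$2"} A "$(rbl_name 127.0.0.1 "$1")") &&
    a_always=$(dig +short ${2:+"@$2"} A "$(rbl_name 127.0.0.2 "$1")") ||
        { echo lookup-failed; return 1; }
    resolver_verdict "$a_never" "$a_always"
}

# Constructed answers (192.0.2.10 is a documentation address):
resolver_verdict "" "127.0.0.2"              # honest resolver: ok
resolver_verdict "192.0.2.10" "192.0.2.10"   # rewrites NXDOMAIN: fabricating
# Live use against a local cache: check_resolver zen.spamhaus.org 127.0.0.1
```

Any verdict other than `ok` means the DNSBL restrictions will misfire through that resolver, whatever the client address is.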
Re: postfix blocking yahoo and gmail
On Sun, Feb 8, 2009 at 1:17 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Sun, Feb 08, 2009 at 01:01:49PM +0800, jan gestre wrote:
> > New logs with reject_rbl_client sbl-xbl.spamhaus.org added to main.cf
> >
> > eb 8 12:49:52 kartero postfix/smtpd[6465]: NOQUEUE: reject: RCPT from web57902.mail.re3.yahoo.com[68.142.236.95]: 554 5.7.1 Service unavailable; Client host [68.142.236.95] blocked using sbl-xbl.spamhaus.org; from=jan.ges...@yahoo.com to=jan.ges...@ddbphil.com proto=SMTP helo=web57902.mail.re3.yahoo.com
>
> Your DNS server is fabricating A records for non-existent hosts. The real spamhaus would have also returned a TXT record with a URL for looking up the reason for the block.
>
> Don't use ISP DNS servers that fabricate A records.

I'm not using our ISP's DNS, I'm using OpenDNS, I'm using OpenDNS since way back it's only now that I'm getting this strange behavior in my SMTP server.
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote:

> > Don't use ISP DNS servers that fabricate A records.
>
> I'm not using our ISP's DNS, I'm using OpenDNS, I'm using OpenDNS since way back it's only now that I'm getting this strange behavior in my SMTP server.

You should not use OpenDNS or any similar external DNS forwarder with Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS cache on your system (127.0.0.1). If you are behind a NAT device that de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky attack...

Running a SOHO incoming mail server is getting increasingly difficult, you may need a real SMTP server at a hosting facility.

--
Viktor.
Re: postfix blocking yahoo and gmail
On Sun, Feb 8, 2009 at 1:35 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote:
> > > Don't use ISP DNS servers that fabricate A records.
> >
> > I'm not using our ISP's DNS, I'm using OpenDNS, I'm using OpenDNS since way back it's only now that I'm getting this strange behavior in my SMTP server.
>
> You should not use OpenDNS or any similar external DNS forwarder with Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS cache on your system (127.0.0.1). If you are behind a NAT device that de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky attack...
>
> Running a SOHO incoming mail server is getting increasingly difficult, you may need a real SMTP server at a hosting facility.

Postfix is behind a NAT device (pfSense) that does dnsmasq (dns forwarder), no machine is allowed to connect to port 53 except the NAT device.

The initial configuration is NAT Firewall Untangle in bridge mode postfix, but since telnet to postfix's smtp port produces an odd result when it's behind the Untangle box so I took Untangle out.
Re: postfix blocking yahoo and gmail
On Sun, 08 Feb 2009, jan gestre wrote:

> On Sun, Feb 8, 2009 at 1:35 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
> > On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote:
> > > > Don't use ISP DNS servers that fabricate A records.
> > >
> > > I'm not using our ISP's DNS, I'm using OpenDNS, I'm using OpenDNS since way back it's only now that I'm getting this strange behavior in my SMTP server.
> >
> > You should not use OpenDNS or any similar external DNS forwarder with Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS cache on your system (127.0.0.1). If you are behind a NAT device that de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky attack...
> >
> > Running a SOHO incoming mail server is getting increasingly difficult, you may need a real SMTP server at a hosting facility.
>
> Postfix is behind a NAT device (pfSense) that does dnsmasq (dns forwarder), no machine is allowed to connect to port 53 except the NAT device.
>
> The initial configuration is NAT Firewall Untangle in bridge mode postfix, but since telnet to postfix's smtp port produces an odd result when it's behind the Untangle box so I took Untangle out.

Thanks but all of this is missing the point. Re-read Viktor's email and stop using OpenDNS with Postfix.

--
Sahil Tandon sa...@tandon.net
Re: postfix blocking yahoo and gmail
On Sun, Feb 8, 2009 at 2:18 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Sun, Feb 08, 2009 at 02:02:14PM +0800, jan gestre wrote:
> > > You should not use OpenDNS or any similar external DNS forwarder with Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS cache on your system (127.0.0.1). If you are behind a NAT device that de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky attack...
> > >
> > > Running a SOHO incoming mail server is getting increasingly difficult, you may need a real SMTP server at a hosting facility.
> >
> > Postfix is behind a NAT device (pfSense) that does dnsmasq (dns forwarder), no machine is allowed to connect to port 53 except the NAT device.
>
> This does not protect you from the Kaminsky attack. A cryptographically strong port-randomizing NAT is required. Most consumer NAT devices probably don't measure up... In any case, it is still likely that your RBL hits are a result of your DNS configuration. Good luck.

Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?

TIA
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:

> Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?

What kind of NAT device is this? Is it capable of running a non-forwarding DNS cache? If the cache in question has sufficiently good port randomization, by all means run on the NAT device, otherwise run it on the Postfix server, and hope the NAT device port selection is not too predictable.

--
Viktor.
Re: postfix blocking yahoo and gmail
On Sun, Feb 8, 2009 at 3:05 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:
> > Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?
>
> What kind of NAT device is this? Is it capable of running a non-forwarding DNS cache? If the cache in question has sufficiently good port randomization, by all means run on the NAT device, otherwise run it on the Postfix server, and hope the NAT device port selection is not too predictable.

It's a lightweight FreeBSD based firewall called pfSense, it also has an installable TinyDNS package.
Re: postfix blocking yahoo and gmail
On Fri, Feb 6, 2009 at 2:20 PM, jan gestre ipcopper...@gmail.com wrote:

> On Fri, Feb 6, 2009 at 12:34 PM, Sahil Tandon sa...@tandon.net wrote:
> > On Fri, 06 Feb 2009, jan gestre wrote:
> > > Why is it that whenever I send emails using yahoo/gmail from a connection that uses dynamic ip address to the company's smtp server, postfix blocks them and say it comes from a dynamic ip address using sbl-xbl, and whenever I send emails using the same yahoo/gmail account in the office that has a public static ip address, the mail is received.
> >
> > Show some logs of the rejection(s) to help diagnose the problem.
>
> Here's some logs taken when I tried to send an email:
>
> TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by kartero.ddbphil.com (Postfix) with ESMTP id 5E7 from unknown[122.52.174.26]; from=jan.ges...@ddbphil.com to=jan.ges...@yahoo.com proto=ESMTP helo=[127.0.0.1]
> Feb 6 13:45:30 kartero postfix/cleanup[22234]: 5E7A3148098: message-id=498bcf46.3000...@ddbphil.com
> Feb 6 13:45:30 kartero postfix/smtpd[22001]: disconnect from unknown[122.52.174.26]
> Feb 6 13:45:33 kartero MailScanner[16982]: Spam Checks: Found 1 spam messages
> Feb 6 13:45:33 kartero MailScanner[16982]: Virus and Content Scanning: Starting
> Feb 6 13:45:34 kartero MailScanner[16982]: Uninfected: Delivered 1 messages
> Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: from=jan.ges...@ddbphil.com, size=3473, nrcpt=1 (queue active)
> Feb 6 13:45:34 kartero postfix/pipe[22250]: ED26E14809B: to=postmas...@ddbphil.com, relay=dovecot, delay=4.2, delays=4.2/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)
> Feb 6 13:45:34 kartero postfix/cleanup[22234]: 8D83C14809C: message-id=20090206054534.8d83c148...@kartero.ddbphil.com
> Feb 6 13:45:34 kartero postfix/qmgr[21997]: 8D83C14809C: from=, size=6054, nrcpt=1 (queue active)
> Feb 6 13:45:34 kartero postfix/bounce[22339]: ED26E14809B: sender non-delivery notification: 8D83C14809C
> Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: removed
> Feb 6 13:45:34 kartero postfix/pipe[22250]: 8D83C14809C: to=jan.ges...@ddbphil.com, relay=dovecot, delay=0.12, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)

Additional info: I have four mail servers running identical configurations and it's now exhibiting the same problem, I've disabled MailScanner in one of the server coz I thought it might be the culprit but after I did that, postfix keeps on rejecting emails even if the ip address it came from is not listed in sbl-xbl list so I've removed all reject parameters and so far it's holding up, I know it's a lousy temporary solution, I would greatly appreciate your suggestions.

Thanks in advance.

Jan
Re: postfix blocking yahoo and gmail
jan gestre wrote:

> On Fri, Feb 6, 2009 at 12:34 PM, Sahil Tandon sa...@tandon.net wrote:
> > On Fri, 06 Feb 2009, jan gestre wrote:
> > > Why is it that whenever I send emails using yahoo/gmail from a connection that uses dynamic ip address to the company's smtp server, postfix blocks them and say it comes from a dynamic ip address using sbl-xbl, and whenever I send emails using the same yahoo/gmail account in the office that has a public static ip address, the mail is received.
> >
> > Show some logs of the rejection(s) to help diagnose the problem.
>
> Here's some logs taken when I tried to send an email:
>
> TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by kartero.ddbphil.com (Postfix) with ESMTP id 5E7 from unknown[122.52.174.26]; from=jan.ges...@ddbphil.com to=jan.ges...@yahoo.com proto=ESMTP helo=[127.0.0.1]

What's this? Maybe a fragment of a /^Received/ HOLD in header_checks? Also, this shows mail going TO yahoo. The problem you describe is receiving mail sent from yahoo. Either describe your problem better or show logging related to the problem.

> Feb 6 13:45:30 kartero postfix/cleanup[22234]: 5E7A3148098: message-id=498bcf46.3000...@ddbphil.com
> Feb 6 13:45:30 kartero postfix/smtpd[22001]: disconnect from unknown[122.52.174.26]

Many log entries are missing, but it appears postfix has accepted something.

> Feb 6 13:45:33 kartero MailScanner[16982]: Spam Checks: Found 1 spam messages

MailScanner thinks something is spam. Is there any way to correlate this with postfix QUEUEID 5E7A3148098 above? or any QUEUEID?

> Feb 6 13:45:33 kartero MailScanner[16982]: Virus and Content Scanning: Starting
> Feb 6 13:45:34 kartero MailScanner[16982]: Uninfected: Delivered 1 messages

MailScanner says it delivered something, but doesn't say what or who.

> Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: from=jan.ges...@ddbphil.com, size=3473, nrcpt=1 (queue active)

Postfix processes mail with a different QUEUEID. Is there any way to tell if this is the same message after MailScanner processing?

> Feb 6 13:45:34 kartero postfix/pipe[22250]: ED26E14809B: to=postmas...@ddbphil.com, relay=dovecot, delay=4.2, delays=4.2/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)

Dovecot doesn't know how to deliver postmas...@ddbphil.com.

> Feb 6 13:45:34 kartero postfix/cleanup[22234]: 8D83C14809C: message-id=20090206054534.8d83c148...@kartero.ddbphil.com
> Feb 6 13:45:34 kartero postfix/qmgr[21997]: 8D83C14809C: from=, size=6054, nrcpt=1 (queue active)
> Feb 6 13:45:34 kartero postfix/bounce[22339]: ED26E14809B: sender non-delivery notification: 8D83C14809C
> Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: removed

Postfix creates and sends a bounce due to the dovecot error.

> Feb 6 13:45:34 kartero postfix/pipe[22250]: 8D83C14809C: to=jan.ges...@ddbphil.com, relay=dovecot, delay=0.12, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)

Dovecot successfully delivers the NDN.

The above doesn't show postfix rejecting anything. Looks like a MailScanner problem. MailScanner is not supported on this list.

--
Noel Jones
Re: postfix blocking yahoo and gmail
jan gestre wrote:

> Additional info: I have four mail servers running identical configurations and it's now exhibiting the same problem, I've disabled MailScanner in one of the server coz I thought it might be the culprit but after I did that, postfix keeps on rejecting emails even if the ip address it came from is not listed in sbl-xbl list so I've removed all reject parameters

If postfix is rejecting mail it will log the reason.

grep 'reject: ' /var/log/maillog

If you have trouble interpreting the postfix logs, show them here. http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones
RE: postfix blocking yahoo and gmail
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of jan gestre
Sent: Friday, 6 February 2009 12:16 PM
To: postfix users list
Subject: postfix blocking yahoo and gmail

Hi Guys,

Why is it that whenever I send emails using yahoo/gmail from a connection that uses dynamic ip address to the company's smtp server, postfix blocks them and say it comes from a dynamic ip address using sbl-xbl, and whenever I send emails using the same yahoo/gmail account in the office that has a public static ip address, the mail is received.

TIA

Jan

Here's my postconf -n:

reject_rbl_client sbl-xbl.spamhaus.org
reject_rbl_client zen.spamhaus.org
reject_rhsbl_sender dsn.rfc-ignorant.org
reject_rbl_client bl.spamcop.net

Because the dynamic address you're relaying from is on the Spamhaus list, and the static address is not?

You should also not have *both* zen.spamhaus.org AND sbl-xbl.spamhaus.org - the Zen list includes sbl-xbl.

You can query the zen list for your dynamic host by running

dig rev.erse.IP.addr.zen.spamhaus.org

and seeing if there are any entries.

Show some logs for your rejected emails, if that doesn't seem to be the problem.
Re: postfix blocking yahoo and gmail
On Fri, 06 Feb 2009, jan gestre wrote:

> Why is it that whenever I send emails using yahoo/gmail from a connection that uses dynamic ip address to the company's smtp server, postfix blocks them and say it comes from a dynamic ip address using sbl-xbl, and whenever I send emails using the same yahoo/gmail account in the office that has a public static ip address, the mail is received.

Show some logs of the rejection(s) to help diagnose the problem.

--
Sahil Tandon sa...@tandon.net
Re: postfix blocking yahoo and gmail
On Fri, Feb 6, 2009 at 12:34 PM, Sahil Tandon sa...@tandon.net wrote:

> On Fri, 06 Feb 2009, jan gestre wrote:
> > Why is it that whenever I send emails using yahoo/gmail from a connection that uses dynamic ip address to the company's smtp server, postfix blocks them and say it comes from a dynamic ip address using sbl-xbl, and whenever I send emails using the same yahoo/gmail account in the office that has a public static ip address, the mail is received.
>
> Show some logs of the rejection(s) to help diagnose the problem.

Here's some logs taken when I tried to send an email:

TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by kartero.ddbphil.com (Postfix) with ESMTP id 5E7 from unknown[122.52.174.26]; from=jan.ges...@ddbphil.com to=jan.ges...@yahoo.com proto=ESMTP helo=[127.0.0.1]
Feb 6 13:45:30 kartero postfix/cleanup[22234]: 5E7A3148098: message-id=498bcf46.3000...@ddbphil.com
Feb 6 13:45:30 kartero postfix/smtpd[22001]: disconnect from unknown[122.52.174.26]
Feb 6 13:45:33 kartero MailScanner[16982]: Spam Checks: Found 1 spam messages
Feb 6 13:45:33 kartero MailScanner[16982]: Virus and Content Scanning: Starting
Feb 6 13:45:34 kartero MailScanner[16982]: Uninfected: Delivered 1 messages
Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: from=jan.ges...@ddbphil.com, size=3473, nrcpt=1 (queue active)
Feb 6 13:45:34 kartero postfix/pipe[22250]: ED26E14809B: to=postmas...@ddbphil.com, relay=dovecot, delay=4.2, delays=4.2/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)
Feb 6 13:45:34 kartero postfix/cleanup[22234]: 8D83C14809C: message-id=20090206054534.8d83c148...@kartero.ddbphil.com
Feb 6 13:45:34 kartero postfix/qmgr[21997]: 8D83C14809C: from=, size=6054, nrcpt=1 (queue active)
Feb 6 13:45:34 kartero postfix/bounce[22339]: ED26E14809B: sender non-delivery notification: 8D83C14809C
Feb 6 13:45:34 kartero postfix/qmgr[21997]: ED26E14809B: removed
Feb 6 13:45:34 kartero postfix/pipe[22250]: 8D83C14809C: to=jan.ges...@ddbphil.com, relay=dovecot, delay=0.12, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)