Re: 'reject_unknown_hostname'
From: Jorey Bump (list joreybump.com)
Date: Fri Oct 27 2006 - 13:23:08 CDT
Charles Gregory wrote:
> Question: I tried adding 'reject_unknown_hostname' and expected that I
> would reject all those clients that come up as 'unknown'. And that works,
> just like this, and I'm happy with it:
>
> Oct 27 13:14:13 king postfix/smtpd[16575]: reject: RCPT from
> unknown[217.130.44.197]:
> 450 <din-197-44-130-217.ipcom.comunitel.net>:
> Helo command rejected: Host not found;
> from=<dlkimds@performancefootwear.net> to=<dummy@hwcn.org>
>
> BUT I also got *this* reject:
>
> Oct 27 13:13:41 king postfix/smtpd[9876]: reject: RCPT from
> mxsmfpool02.ebay.com [66.135.209.199]:
> 450 <mx4.smf.ebay.com>:
> Helo command rejected: Host not found;
> from=<savedsearches@ebay.ca> to=<youdontneedtoknow@hwcn.org>
>
> Incidentally, this is a legit mail server with a 'helo' name
> that does not resolve properly.
Yes, as described in the documentation:

    reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
        Reject the request when the HELO or EHLO hostname has no
        DNS A or MX record.

You've discovered why use of this feature isn't recommended in our
imperfect world.
> The question: I can see the obvious difference: One says 'unknown' and one
> doesn't. Is there a way to only catch the 'unknown' ones?
You're looking in the wrong place. After the error number, it shows the
HELO in brackets. In both cases, the hosts are unresolvable. There is no
difference, as it relates to reject_unknown_hostname.
The "unknown" in "unknown[217.130.44.197]" means that postfix looked up
the IP address to get the host name, then looked up the host name and
found that it had no associated record (NXDOMAIN). See
reject_unknown_client_hostname (formerly reject_unknown_client) and
reject_unknown_reverse_client_hostname for other options. I use neither,
because I know for certain that I will lose desirable mail. YMMV.
> Sadly, I'm stuck on Postfix 1.2 so the answer may be beyond my reach.
Hmmm, while I do run a 1.x server, it's not because I can't upgrade it.
The 2.3 series or snapshots are very nice and worth any effort you can
expend to upgrade (while sensibly upgrading your machine & OS, as well).
I assume you have your reasons, but this may turn out not to be a
problem you want to solve, if it results in false positives (a misnomer,
because the directives do what they claim to do).
> Ironically, the above example from ebay was actually addressed to
> one of my sharpest users who complains about false positives. :)
> Fortunately I was 450ing the rejects, so I just turned it off and he'll
> get his mail just a little late.... :)
You're lucky you were alerted early. For your version of postfix, you
might be stuck with RBLs (including dynamic IP lists) and some useful
check_helo_access rules. Some (header|body)_checks are good, but it soon
becomes tiresome to maintain them. You're better off spending the time
upgrading.
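
The distinction explained in the reply above, as an added example that is not part of the original message: a small parser for Postfix smtpd reject lines that separates the client name (the "unknown" before the IP address) from the HELO name in angle brackets, and lists HELO rejects whose client name did resolve as candidates for false-positive review. The function names and the regular expression are assumptions of this example; the sample lines are the two rejects quoted in the thread.

```python
import re

# Constructed from the two rejects quoted in the thread, each rejoined onto
# one line; the trailing from=/to= fields are omitted.
SAMPLE = [
    "Oct 27 13:14:13 king postfix/smtpd[16575]: reject: RCPT from "
    "unknown[217.130.44.197]: 450 <din-197-44-130-217.ipcom.comunitel.net>: "
    "Helo command rejected: Host not found;",
    "Oct 27 13:13:41 king postfix/smtpd[9876]: reject: RCPT from "
    "mxsmfpool02.ebay.com [66.135.209.199]: 450 <mx4.smf.ebay.com>: "
    "Helo command rejected: Host not found;",
]

# client = name Postfix derived from the connecting IP ("unknown" if that failed)
# subject = the value the restriction tested, here the HELO/EHLO name
# The optional x.y.z group tolerates the enhanced status code newer versions log.
REJECT_RE = re.compile(
    r"reject: (?P<stage>\w+) from (?P<client>[^\[\s]+)\s*\[(?P<ip>[^\]]+)\]:\s+"
    r"(?P<code>[45]\d\d)(?: \d\.\d+\.\d+)? <(?P<subject>[^>]*)>:\s+"
    r"(?P<reason>[^;]+);"
)

def parse_reject(line):
    """Return the fields of one reject line, or None if it is not a reject."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Two independent facts: did the client IP map to a name, and was the
    # rejection triggered by the HELO name rather than by the client name?
    rec["client_unresolved"] = rec["client"] == "unknown"
    rec["helo_reject"] = rec["reason"].startswith("Helo command rejected")
    return rec

def review_candidates(lines):
    """HELO rejects from clients whose own name resolved: check these first."""
    hits = []
    for line in lines:
        rec = parse_reject(line)
        if rec and rec["helo_reject"] and not rec["client_unresolved"]:
            hits.append((rec["client"], rec["ip"], rec["subject"]))
    return hits

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_reject(line)
        print(rec["client"], rec["ip"], "HELO:", rec["subject"], "->", rec["reason"])
    print("review:", review_candidates(SAMPLE))
```

Running this over the soft (450) rejects before switching a HELO restriction to a permanent reject shows which resolving clients would lose mail.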