Hello Folks, I'm running a postfix (postfix-2.9.20120102-sasl2) server on OpenBSD v5.1. We have a number of anti-UCE postfix measures in place, including "reject_unknown_client_hostname", which we quite like. It's hard to believe there are so many spammers that can't overcome such a low obstacle.
At any rate, we periodically see (1-5 times per day) a "Client host rejected: cannot find your hostname" rejection, followed by a successful retry from the remote MTA. When we check the DNS records, they always appear to be in order. The remote MTAs belong to various organizations, but typically ones where one would expect the DNS config to be well-maintained (see bottom for an example rejection and the ensuing successful retry).

I've tried to configure DNS (BIND 9.4.2-P2) to log debug information, and it logs a fantastic amount, but I am unable to get it to log such queries and their results, or maybe I just haven't found the magic combination of logging settings yet, or maybe I don't understand the logging output.

The Questions:

1) Is it possible that we are observing a bug in postfix in conjunction with DNS queries? Are there any such known bugs?

2) Can someone give me a tip on how to configure BIND to log the information I need to figure out why DNS lookups may be failing intermittently, and how to read it properly?

thanks,

Rob Urban

-----------------------------------------
The output below has been slightly sanitized of information directly identifying the server.

[example of delivery failure]

Nov 13 15:10:29 dna prefilter/smtpd[9340]: connect from unknown[8.7.42.206]
Nov 13 15:10:29 dna prefilter/smtpd[9340]: NOQUEUE: reject: RCPT from unknown[8.7.42.206]: 450 4.7.1 Client host rejected: cannot find your hostname, [8.7.42.206]; from=<from-addr...@b.email.aerlingus.com> to=<u...@domain.de> proto=ESMTP helo=<mta925.email.aerlingus.com>

[subsequent delivery success]

Nov 13 16:10:58 dna prefilter/smtpd[3578]: connect from mta925.email.aerlingus.com[8.7.42.206]

[...this gets passed to amavis...]

Nov 13 16:10:58 dna amavis[14323]: (14323-09) ESMTP::10024 /var/amavisd/tmp/amavis-20121113T152153-14323-ExeHjDoN:<from-addr...@b.email.aerlingus.com> -> <u...@domain.de> Received: from mail.y42.org ([127.0.0.1]) by localhost (dna.domain.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <u...@domain.de>; Tue, 13 Nov 2012 16:10:58 +0100 (MET)

[...and eventually is accepted and delivered...]

Nov 13 16:11:04 dna prefilter/smtpd[3578]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0514F2C88F; from=<from-addr...@b.email.aerlingus.com> to=<u...@domain.de> proto=ESMTP helo=<mta925.email.aerlingus.com>
Nov 13 16:11:04 dna postfix/lmtp[9872]: 0514F2C88F: to=<u...@domain2.org>, orig_to=<u...@domain.de>, relay=dna.domain.de[/var/spool/lmtp_to_cyrus/lmtp_socket], delay=0.07, delays=0.01/0.01/0/0.05, dsn=2.1.5, status=sent (250 2.1.5 Ok SESSIONID=<imapd-24054-1352819464-1>)

[a quick check reveals no problems...]

# host 8.7.42.206
206.42.7.8.in-addr.arpa domain name pointer mta925.email.aerlingus.com.

# host mta925.email.aerlingus.com
mta925.email.aerlingus.com has address 8.7.42.206

[output of "postconf -n"]

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 9
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = www.xxx.yyy.zzz, localhost
inet_protocols = all
lists_destination_recipient_limit = 1
local_recipient_maps = $alias_maps, hash:/etc/postfix/virtual, hash:/etc/postfix/transport, hash:/etc/postfix/cyrus_recipients, hash:/etc/postfix/local_recipients
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
masquerade_domains = domain.org
message_size_limit = 40960000
mydestination = $myhostname, dna.$mydomain, mail.$mydomain, localhost.$mydomain, $mydomain, /etc/postfix/local-host-names
myhostname = mail.domain.org
mynetworks = www.xxx.yyy.192/29, 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
recipient_delimiter = +
sample_directory = /etc/postfix
sender_canonical_maps = hash:/etc/postfix/canonical-sender
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks check_client_access hash:/etc/postfix/client_access reject_unknown_client_hostname reject_unauth_pipelining reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client zen.spamhaus.org
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks check_helo_access regexp:/etc/postfix/helo_access reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_recipient_access regexp:/etc/postfix/recipient_access reject_unauth_destination reject_non_fqdn_recipient permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = dna.domain.org
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unknown_sender_domain reject_non_fqdn_sender
smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/domain-certificate.pem
smtpd_tls_key_file = /etc/postfix/certs/domain-privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport, hash:/etc/postfix/cyrus_recipients
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
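A small log correlator for the pattern described in the post (added example, not the poster's code or part of Postfix): it pairs each "cannot find your hostname" rejection with the next connect from the same IP that arrived with a resolved name, so transient resolver failures (IP rejected, later resolved) can be separated from clients whose PTR/A records really are missing. It assumes the syslog line format shown in the post and, since syslog timestamps carry no year, a caller-supplied year (2012 here); the sample log lines are constructed.

```python
import re
from datetime import datetime

# Postfix smtpd log lines of the two kinds that matter here (syslog timestamps carry no year).
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+/smtpd\[\d+\]: "
    r"connect from (?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]$")
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from unknown\[(?P<ip>[0-9a-fA-F.:]+)\]: 450 4\.7\.1 "
    r"Client host rejected: cannot find your hostname")

def parse_ts(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def classify_hostname_rejects(lines, year=2012):
    """Return {ip: {"rejects": n, "resolved_as": name|None, "delay_s": secs|None}}.
    An IP rejected with "cannot find your hostname" that later connects with a
    resolved name was a transient lookup failure (look at the resolver); one that
    never resolves has a genuinely missing or inconsistent PTR/A pair."""
    result, first_reject = {}, {}
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            rec = result.setdefault(m["ip"], {"rejects": 0, "resolved_as": None, "delay_s": None})
            rec["rejects"] += 1
            t = parse_ts(m["ts"], year)
            first_reject[m["ip"]] = min(t, first_reject.get(m["ip"], t))
            continue
        m = CONNECT_RE.match(line)
        if m and m["name"] != "unknown" and m["ip"] in result:
            rec = result[m["ip"]]
            if rec["resolved_as"] is None:  # first successful connect after a rejection
                rec["resolved_as"] = m["name"]
                rec["delay_s"] = (parse_ts(m["ts"], year) - first_reject[m["ip"]]).total_seconds()
    return result

# Constructed sample log, modelled on the lines quoted in the post (addresses shortened).
SAMPLE_LOG = """\
Nov 13 15:10:29 dna prefilter/smtpd[9340]: connect from unknown[8.7.42.206]
Nov 13 15:10:29 dna prefilter/smtpd[9340]: NOQUEUE: reject: RCPT from unknown[8.7.42.206]: 450 4.7.1 Client host rejected: cannot find your hostname, [8.7.42.206]; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mta925.email.aerlingus.com>
Nov 13 15:30:02 dna prefilter/smtpd[9401]: connect from unknown[192.0.2.77]
Nov 13 15:30:02 dna prefilter/smtpd[9401]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.77]; from=<x@example.org> to=<b@example.net> proto=ESMTP helo=<bogus>
Nov 13 16:10:58 dna prefilter/smtpd[3578]: connect from mta925.email.aerlingus.com[8.7.42.206]
""".splitlines()

if __name__ == "__main__":
    for ip, rec in classify_hostname_rejects(SAMPLE_LOG).items():
        print(ip, "transient" if rec["resolved_as"] else "persistent", rec)
```

Run it over the real maillog (one line per entry) to get, per IP, how often it was rejected and how long after the first rejection it next connected with a resolved name; a consistent delay of roughly one retry interval points at the resolver rather than the remote site's DNS.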