reject mail if dns and rdns differ
Hello all!

Received: from mail.namase.de (s1.bomberg.city [62.173.139.77])

I would like to reject incoming email if dns- and rdns-entries differ.
Does this make sense and how could I achieve this?

Kind regards
Andreas
Re: Problems with header checks
On Fr, Nov 08, 2019 at 03:31:05 +0100, Jaroslaw Rafa wrote:
> But in that case probably LDA is the best place to do such change. Some
> time ago I was doing something similar via procmail.

Yes, I could do the same with procmail. But procmail will probably like postfix use the encoded subject, so I don’t know how to handle subjects like =?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?=

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|
Re: reject mail if dns and rdns differ
On 11.11.19 14:27, ratatouille wrote:
> Received: from mail.namase.de (s1.bomberg.city [62.173.139.77])
>
> I would like to reject incoming email if dns- and rdns-entries differ.
> Does this make sense and how could I achieve this?

they do not differ above. The IP 62.173.139.77, rDNS is s1.bomberg.city and points back to 62.173.139.77.

If the 62.173.139.77 did not have reverse name, or its reverse name (s1.bomberg.city here) would not point back to 62.173.139.77, you'd see unknown instead of s1.bomberg.city (the DNS name).

You can reject those cases by reject_unknown_client_hostname (either fails) or reject_unknown_reverse_client_hostname (IP has no reverse DNS, no matter if it points back).

mail.namase.de is the HELO (EHLO) name. You must not reject mail when helo name differs from DNS name (RFC violation).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
Re: Problems with header checks
Stephan Seitz:
> On Fr, Nov 08, 2019 at 03:31:05 +0100, Jaroslaw Rafa wrote:
> >But in that case probably LDA is the best place to do such change. Some
> >time ago I was doing something similar via procmail.
>
> Yes, I could do the same with procmail. But procmail will probably like
> postfix use the encoded subject, so I don't know how to handle subjects
> like =?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?=

In the header_checks file:

    /^(Subject:\s*=\?UTF-8\?Q\?)Aw([:=].+)/ REPLACE ${1}Re${2}

Or use some pattern that also captures strings other than UTF-8?Q. I am lazy.

Wietse
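The difference between rewriting the raw encoded header and rewriting after RFC 2047 decoding, as an added example that is not part of the original posts. The function names are hypothetical and all samples except the thread's own subject are constructed; a delivery-time filter would use the decoded variant.

```python
import re
from email.header import Header, decode_header, make_header

# The header_checks pattern from the reply above, in Python regex syntax.
# Postfix regexp/pcre tables match case-insensitively by default, hence re.I.
RAW_RULE = re.compile(r'^(Subject:\s*=\?UTF-8\?Q\?)Aw([:=].+)', re.I)

def rewrite_raw(header_line):
    """What REPLACE ${1}Re${2} does to an undecoded header line."""
    return RAW_RULE.sub(r'\g<1>Re\g<2>', header_line)

def decode_subject(value):
    """Decode every RFC 2047 encoded-word in a Subject value to text."""
    return str(make_header(decode_header(value)))

def rewrite_decoded(value):
    """Decode first, then replace a leading 'Aw:' with 'Re:'."""
    return re.sub(r'^\s*aw\s*:', 'Re:', decode_subject(value), flags=re.I)

def encode_subject(text):
    """Re-encode the rewritten subject as UTF-8 encoded-words."""
    return Header(text, 'utf-8').encode()

# Constructed samples: the subject from the thread, then the same prefix in
# base64 and in ISO-8859-1, neither of which the UTF-8?Q-only rule matches.
SAMPLES = [
    "=?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?=",
    "=?UTF-8?B?QXc6IFRlc3Q=?=",
    "=?ISO-8859-1?Q?AW=3A_=FCberstanden?=",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("raw rule :", rewrite_raw("Subject: " + s))
        print("decoded  :", rewrite_decoded(s))
        print("re-encode:", encode_subject(rewrite_decoded(s)))
```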
Re: reject mail if dns and rdns differ
Hello!

I believe you can achieve that by this restriction from "smtpd_client_restrictions" that can be included into the main.cf file:

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 1) the client IP address->name mapping
    fails, or 2) the name->address mapping fails, or 3) the
    name->address mapping does not match the client IP address.
    This is a stronger restriction than the
    reject_unknown_reverse_client_hostname feature, which triggers
    only under condition 1) above.
    The unknown_client_reject_code parameter specifies the response
    code for rejected requests (default: 450). The reply is always
    450 in case the address->name or name->address lookup failed due
    to a temporary problem.

Please note that you can use several different restrictions, and besides client restrictions, there are also helo restrictions, recipient restrictions and sender restrictions that apply during their corresponding phases of the SMTP relation, so careful study of "man 5 postconf" or other documentation and examples is highly recommended.

--
Regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
---

On 11. 11. 19 14:27, ratatouille wrote:
> Hello all!
>
> Received: from mail.namase.de (s1.bomberg.city [62.173.139.77])
>
> I would like to reject incoming email if dns- and rdns-entries differ.
> Does this make sense and how could I achieve this?
>
> Kind regards
> Andreas
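A model of the three numbered conditions in the postconf text quoted above and of which restriction each one triggers, as an added example that is not Postfix's own code. The helper names and all DNS data except the 62.173.139.77 / s1.bomberg.city pair are constructed, and only the first PTR name is checked.

```python
import ipaddress

class TempFail(Exception):
    """A lookup failed for a temporary reason, e.g. a resolver timeout."""

def fcrdns(ip, ptr_lookup, addr_lookup):
    """Return (client_name, condition, temporary) for a client IP address.

    condition 0 = verified; 1, 2, 3 = the numbered failures quoted above.
    Simplification: only the first PTR name is checked.
    """
    try:
        names = ptr_lookup(ip)
    except TempFail:
        return "unknown", 1, True
    if not names:
        return "unknown", 1, False
    try:
        addrs = addr_lookup(names[0])
    except TempFail:
        return "unknown", 2, True
    if not addrs:
        return "unknown", 2, False
    if ipaddress.ip_address(ip) not in {ipaddress.ip_address(a) for a in addrs}:
        return "unknown", 3, False
    return names[0], 0, False

TRIGGERS = {"reject_unknown_reverse_client_hostname": {1},
            "reject_unknown_client_hostname": {1, 2, 3}}

def smtpd_reply(restriction, condition, temporary, reject_code=450):
    """Reply code the restriction yields, or None when it does not trigger.

    reject_code models unknown_client_reject_code; temporary failures get 450.
    """
    if condition not in TRIGGERS[restriction]:
        return None
    return 450 if temporary else reject_code

# Constructed sample DNS data; only the first PTR/A pair comes from the thread.
PTR = {"62.173.139.77": ["s1.bomberg.city"],
       "192.0.2.10": ["mail.example.net"],   # forward record points elsewhere
       "192.0.2.20": ["gone.example.net"]}   # name has no address record
A = {"s1.bomberg.city": ["62.173.139.77"],
     "mail.example.net": ["198.51.100.5"]}

def evaluate(ip, restriction, reject_code=450):
    name, cond, temp = fcrdns(ip, lambda i: PTR.get(i, []),
                              lambda n: A.get(n, []))
    return name, smtpd_reply(restriction, cond, temp, reject_code)
```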
Re: reject mail if dns and rdns differ
On 11 Nov 2019, at 8:47, Matus UHLAR - fantomas wrote:

> On 11.11.19 14:27, ratatouille wrote:
> >Received: from mail.namase.de (s1.bomberg.city [62.173.139.77])
> >
> >I would like to reject incoming email if dns- and rdns-entries differ.
> >Does this make sense and how could I achieve this?
>
> they do not differ above. The IP 62.173.139.77, rDNS is s1.bomberg.city and points back to 62.173.139.77.
>
> If the 62.173.139.77 did not have reverse name, or its reverse name (s1.bomberg.city here) would not point back to 62.173.139.77, you'd see unknown instead of s1.bomberg.city (the DNS name).
>
> You can reject those cases by reject_unknown_client_hostname (either fails)

Which is unsafe, if you care about not rejecting even small amounts of legitimate mail from some systems that transport large amounts of legitimate mail.

> or reject_unknown_reverse_client_hostname (IP has no reverse DNS, no matter if it points back).

The 2nd clause inside the parentheses is redundant. :)

reject_unknown_reverse_client_hostname is much safer than reject_unknown_client_hostname. In many years of using it I have only seen a handful of undesirable rejections due to it or its analogs with other MTAs. In every case, those have been due to objectively and transiently broken DNS.

> mail.namase.de is the HELO (EHLO) name. You must not reject mail when helo name differs from DNS name (RFC violation).

True. However, being a RFC violation is not by itself a sound reason to reject any particular mail security tactic. RFC821, RFC822, and their descendants are strongly influenced by the Postel's Robustness Principle. Unfortunately, that has historically meant that MTA implementations tolerate practices that are useful for spammers or are simply wrong and idiosyncratic to particular spammers or spamming tools.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: reject mail if dns and rdns differ
I (mostly) concur with what Bill Cole says (maybe I'd quibble with the "2nd clause" part).

Here's a shopworn blade which is in my list of things to rewrite in Python one day:

http://athena.m3047.net/pub/perl/mail-processing/realmailer.pl.txt

You call it from e.g. procmail, or in other words it expects a mail message on STDIN and writes it back out with changes on STDOUT.

It makes a bunch of DNS queries. It adds a bunch of headers; it's up to you to do with them as you wish. It does a crappy job with SPF, oh well.

There are lots of reasons not to run this, and mitigations for most of the reasons. I would strongly recommend pointing it at a local caching resolver which is also used by the MTA. On the plus side, it runs on Perl 5.26.1.

--
Fred Morris
postfix startup sequence
Hello,

I am trying to understand the postfix startup sequence. I am using postfix 3.4.5 on Debian.

/etc/init.d/postfix, the init script that is used to start postfix, does not start master directly, but calls:

    /usr/sbin/postfix quiet-quick-start

which in turn calls postfix-script. And then, postfix-script, after some checks and housekeeping (post-install), starts master:

    /usr/lib/postfix/sbin/master &

At first sight, this looks very complicated. Especially mysterious is why post-install needs to be run at each start to "create missing queue directories", and check if permissions correspond to those defined in /etc/postfix/postfix-files

Why should queue directories be missing? Other than somebody deliberately deleting them, are there situations where this might happen?

If I am using simplest possible setup (single instance, no chroot), and I don't delete queue directories, can I simply skip postfix-script and post-install and start master directly from /etc/init.d/postfix, ie?

    /usr/lib/postfix/sbin/master &

What exactly will I miss? I tried comparing running instances (one started in the standard way, the other by calling "master &" directly). postconf prints identical info in both cases.

thanks,