Hostname RBL Questions
-

reject_rhsbl_client rbl_domain=d.d.d.d
reject_rhsbl_helo rbl_domain=d.d.d.d

How does postfix submit the query to the rbl_domain? If the PTR for the client IP is mx.example.com does postfix query mx.example.com.rbl_domain or example.com.rbl_domain? Or both or other? Same for HELO hostname?

-

When using both:

reject_rhsbl_client rbl_domain=d.d.d.d
reject_rhsbl_helo rbl_domain=d.d.d.d

If the PTR and HELO are the same hostname like mx.example.com and the same rbl_domain is used does postfix query twice? Or does it use one query and match the result against both restriction conditions?

-

reject_rhsbl_reverse_client rbl_domain=d.d.d.d

Does this mean when a client has a hostname different than what the DNS PTR record shows it queries the hostname that didn't resolve back to the IP?

If you are using smtpd_client_restrictions = reject_unknown_client_hostname then reject_rhsbl_reverse_client would never get used?

-

In the manual maps_rbl_reject_code references: reject_rbl_client, reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender and reject_rhsbl_recipient restrictions.

reject_rhsbl_helo is not listed. Does rbl reject code setting not affect the helo reject or is it just omitted from the manual?

-
Re: Hostname RBL Questions
On 7/20/2021 12:56 PM, post...@ptld.com wrote:
> -
>
> reject_rhsbl_client rbl_domain=d.d.d.d
> reject_rhsbl_helo rbl_domain=d.d.d.d
>
> How does postfix submit the query to the rbl_domain? If the PTR for the client IP is mx.example.com does postfix query mx.example.com.rbl_domain or example.com.rbl_domain? Or both or other? Same for HELO hostname?

Hostnames are submitted as host.example.com.rbl.example.com, as per customary RBL operation.

> -
>
> When using both:
>
> reject_rhsbl_client rbl_domain=d.d.d.d
> reject_rhsbl_helo rbl_domain=d.d.d.d
>
> If the PTR and HELO are the same hostname like mx.example.com and the same rbl_domain is used does postfix query twice? Or does it use one query and match the result against both restriction conditions?

Postfix will perform each query. If the query ends up being the exact same, it will be in your cache.

> -
>
> reject_rhsbl_reverse_client rbl_domain=d.d.d.d
>
> Does this mean when a client has a hostname different than what the DNS PTR record shows it queries the hostname that didn't resolve back to the IP?

Postfix queries the PTR hostname returned. For this query, it doesn't matter if the client PTR and A record match FCrDNS.

> If you are using smtpd_client_restrictions = reject_unknown_client_hostname then reject_rhsbl_reverse_client would never get used?

Only if the client is labeled "unknown". Known clients will still be queried.

> -
>
> In the manual maps_rbl_reject_code references: reject_rbl_client, reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender and reject_rhsbl_recipient restrictions.
>
> reject_rhsbl_helo is not listed. Does rbl reject code setting not affect the helo reject or is it just omitted from the manual?

RHS refers to the right hand side - the host.domain part - of an email address. Since HELO is already a hostname and not an email address, rhs of helo is nonsense.

> -

-- Noel Jones
Re: Hostname RBL Questions
post...@ptld.com:
> -
>
> reject_rhsbl_client rbl_domain=d.d.d.d
> reject_rhsbl_helo rbl_domain=d.d.d.d
>
> How does postfix submit the query to the rbl_domain?

Prepend the reversed client IP address to the provider's domain (without =d.d.d.d). See RFC5782 or https://en.wikipedia.org/wiki/DNSBL. Postfix was implemented long before these documents were written, but the basic principle hasn't changed.

Wietse
Re: Hostname RBL Questions
>> reject_rhsbl_client rbl_domain=d.d.d.d
>> reject_rhsbl_helo rbl_domain=d.d.d.d
>>
>> How does postfix submit the query to the rbl_domain?
>
> Prepend the reversed client IP address to the provider's domain (without =d.d.d.d). See RFC5782 or https://en.wikipedia.org/wiki/DNSBL. Postfix was implemented long before these documents were written, but the basic principle hasn't changed.

But this is the hostname version reject_rhsbl_*, wouldn't it submit hostname and not an IP?
Re: Hostname RBL Questions
> Postfix will perform each query. If the query ends up being the exact same, it will be in your cache.

Oh yeah, I didn't think about that.

>> reject_rhsbl_reverse_client rbl_domain=d.d.d.d
>
> Postfix queries the PTR hostname returned. For this query, it doesn't matter if the client PTR and A record match FCrDNS.

If that is the case, then what is the difference between reject_rhsbl_client and reject_rhsbl_reverse_client? My assumption is reject_rhsbl_client is for the PTR hostname returned. And reject_rhsbl_reverse_client is for the hostname given that did not resolve back to the IP, no PTR.

>> If you are using smtpd_client_restrictions = reject_unknown_client_hostname then reject_rhsbl_reverse_client would never get used?
>
> Only if the client is labeled "unknown". Known clients will still be queried.

Still don't have my head around this one. The manual says "unverified reverse client hostname". Isn't the PTR record known/verified?

If that is the case, then wouldn't the client have already been rejected under reject_unknown_client_hostname?

And if the client passed reject_unknown_client_hostname then the hostname is known, so would reject_rhsbl_reverse_client even get checked?

Or am I misunderstanding what "unverified reverse client hostname" means?
Re: Hostname RBL Questions
> But this is the hostname version reject_rhsbl_*, wouldn't it submit
> hostname and not an IP?

In that case it prepends a domain name (client hostname, email address domain, depending on context).

Wietse
Re: Hostname RBL Questions
On 7/20/2021 1:49 PM, post...@ptld.com wrote:
>> Postfix queries the PTR hostname returned. For this query, it doesn't matter if the client PTR and A record match FCrDNS.
>
> If that is the case, then what is the difference between reject_rhsbl_client and reject_rhsbl_reverse_client?

reject_rhsbl_client uses the FCrDNS hostname, which is also included in the postfix logs.

reject_rhsbl_reverse_client uses the client PTR regardless of FCrDNS confirmation. These clients may be labeled as "unknown" in postfix logs. If the client has no PTR at all, there is no hostname to check and the query is skipped.

>>> If you are using smtpd_client_restrictions = reject_unknown_client_hostname then reject_rhsbl_reverse_client would never get used?
>>
>> Only if the client is labeled "unknown". Known clients will still be queried.
>
> Still don't have my head around this one. The manual says "unverified reverse client hostname". Isn't the PTR record known/verified?

The hostname isn't verified until it passes the FCrDNS checks in postfix. Once it's verified, the hostname is logged and is available for use in various postfix hostname based restrictions.

> If that is the case, then wouldn't the client have already been rejected under reject_unknown_client_hostname?

Only if you use reject_unknown_client_hostname and you've specified that check before the rbl check.

Warning: reject_unknown_client_hostname is a very strict check known to reject good mail, and is generally not recommended.

> And if the client passed reject_unknown_client_hostname then the hostname is known, so would reject_rhsbl_reverse_client even get checked?

Of course it would. The client still has a reverse hostname. It would be kinda silly to name it reject_rhsbl_reverse_client_hostname_verified_or_unknown_as_long_as_the_client_has_any_ptr_whatsoever

Maybe you're confusing "known" with "verified". Postfix generally uses "unknown" and "verified" to prevent confusion. Postfix might know the PTR hostname lookup result, but it considers it "unknown" until it's been verified with FCrDNS.

> Or am I misunderstanding what "unverified reverse client hostname" means?

Apparently yes. Unverified PTR hostnames are easily forged, so postfix tries to warn you (by the feature name) when you're using a potentially forged hostname.

-- Noel Jones
Re: Hostname RBL Questions
On 07-20-2021 3:58 pm, Noel Jones wrote:
> reject_rhsbl_reverse_client uses the client PTR regardless of FCrDNS confirmation. These clients may be labeled as "unknown" in postfix logs. If the client has no PTR at all, there is no hostname to check and the query is skipped.
>
> The hostname isn't verified until it passes the FCrDNS checks in postfix. Once it's verified, the hostname is logged and is available for use in various postfix hostname based restrictions.

I think we have the same understanding, I guess I'm using the wrong terminology to explain myself.

If I understand all of this correctly then using reject_unknown_client_hostname means after that point the client hostname and the reverse client hostname are the same hostname value, otherwise the client would have been rejected already. (Not considering the delayed reject setting.)

Also meaning if a client passed reject_unknown_client_hostname then it would be procedurally pointless to check both reject_rhsbl_client and reject_rhsbl_reverse_client, right?
Re: Hostname RBL Questions
On 7/20/2021 3:31 PM, post...@ptld.com wrote:
> Also meaning if a client passed reject_unknown_client_hostname then it would be procedurally pointless to check both reject_rhsbl_client and reject_rhsbl_reverse_client, right?

It's ALWAYS pointless to check both.

-- Noel Jones
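
Added example, not part of the thread and not Postfix code: a small Python model of the query names discussed above (reversed IP for address lists, hostname prepended for rhsbl lists, the =d.d.d.d filter left out of the query) and of which hostname each client restriction would look up depending on FCrDNS. The function names, the rbl.example.org zone and the PTR/A tables are constructed for illustration; skipping reject_rhsbl_client for an "unknown" client is an assumption of this model.

```python
import ipaddress

def zone_of(rbl_domain):
    # "rbl.example.org=127.0.0.2" -> "rbl.example.org"; the =d.d.d.d part
    # filters the DNS reply and is not part of the query name.
    return rbl_domain.split("=", 1)[0].rstrip(".")

def ip_query(client_ip, rbl_domain):
    # Address-based list: reversed octets (IPv4) or nibbles (IPv6) + zone.
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    labels = rev.rsplit(".", 2)[0]  # drop "in-addr.arpa" / "ip6.arpa"
    return f"{labels}.{zone_of(rbl_domain)}"

def rhs_query(name, rbl_domain):
    # Hostname-based list: the full hostname is prepended, not the parent domain.
    return f"{name.rstrip('.')}.{zone_of(rbl_domain)}"

def client_names(client_ip, ptr, addrs):
    """Return (verified_name, reverse_name); "unknown" marks a missing value.
    ptr maps IP -> PTR hostname, addrs maps hostname -> set of addresses."""
    reverse = ptr.get(client_ip, "unknown")
    # FCrDNS: the PTR name must resolve back to the connecting address.
    verified = reverse if client_ip in addrs.get(reverse, ()) else "unknown"
    return verified, reverse

def rhsbl_queries(client_ip, helo, rbl_domain, ptr, addrs):
    """Query name per restriction, or None when there is nothing to look up."""
    verified, reverse = client_names(client_ip, ptr, addrs)
    pick = lambda n: None if n == "unknown" else rhs_query(n, rbl_domain)
    return {
        "reject_rhsbl_helo": rhs_query(helo, rbl_domain),
        "reject_rhsbl_client": pick(verified),         # FCrDNS-verified name
        "reject_rhsbl_reverse_client": pick(reverse),  # PTR name, unverified
    }

# Constructed DNS data: one client passing FCrDNS, one whose PTR name
# resolves to a different address (a possibly forged PTR).
PTR = {"192.0.2.25": "mx.example.com", "198.51.100.7": "mail.forged.example"}
ADDRS = {"mx.example.com": {"192.0.2.25"},
         "mail.forged.example": {"203.0.113.9"}}

if __name__ == "__main__":
    for ip, helo in (("192.0.2.25", "mx.example.com"),
                     ("198.51.100.7", "mail.forged.example"),
                     ("203.0.113.50", "localhost")):
        print(ip, rhsbl_queries(ip, helo, "rbl.example.org=127.0.0.2", PTR, ADDRS))
```

For the FCrDNS-passing client all three restrictions produce the same query name, which is why the second lookup is answered from the resolver cache and why checking both client variants adds nothing in that case.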