All I have is:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated

I disabled the unknown restriction because lots of my customers are missing PTR records, which need to be set by the internet provider.
So they got blocked, I had to remove these.

The Helo check is often one the IT department can adjust themselves.
And most spammers have incorrect helo's also.

Greetz,

Louis

From: Thomas Nagel [mailto:tn-postfix at saarcube.de]
Sent: Thursday 7 January 2016 14:40
To: L.P.H. van Belle
Subject: Re: Helo Checks not always working?

Hi,

thank you - that makes a lot of sense - but you can't tell from the logfile ...

is it ok to put in these or is it breaking something? I would think that I need at least permit_mynetworks & permit_sasl_authenticated in the smtpd_client_restrictions or do these permits permit and thereby skip all other checks? Like smtpd_recipient and smtpd_sender?

Thanks,

Thomas.

On 07.01.2016 at 14:35, L.P.H. van Belle wrote:

These are 2 different things.

Unknown hostname is a missing PTR record

For that you can use:
smtpd_client_restrictions = ...

"unknown" is also the name in the case of a temporary dns lookup failure. So using 5xx for all "unknown" is not a good idea.

# reject_unknown_client_hostname: requires that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address
# reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than the reject_unknown_client_hostname

Greetz,

Louis

> -----Original message-----
> From: tn-postfix at saarcube.de [mailto:owner-postfix-users at postfix.org]
> On behalf of Thomas Nagel
> Sent: Thursday 7 January 2016 14:18
> To: Postfix users
> Subject: Helo Checks not always working?
>
> Hello,
>
> we encountered a strange behaviour.
>
> We enabled smtp_helo_restrictions:
>
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unlisted_recipient,
>     # check_client_access hash:/etc/postfix/
>     check_helo_access hash:/etc/postfix/check_helo_access
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>
> unknown_hostname_reject_code = 550
>
> in the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> address.
>
> Most of the time connectors with invalid DNS Records are blocked like
> this:
>
> Jan 3 06:36:21 server postfix/smtpd[23338]: connect from
> unknown[190.11.55.217]
> Jan 3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
> rejected: need fully-qualified hostname; from=<>
> to=<example at example.com> proto=SMTP helo=<190.11.55.217>
>
> - but sometimes we see this:
>
> Jan 5 16:43:30 server postfix/smtpd[13577]: connect from
> unknown[195.22.126.188]
> Jan 5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
> whitelist, client_name=unknown, client_address=195.22.126.188,
> sender=info at gmail.com, recipient=info at example.com
> Jan 5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
> client=unknown[195.22.126.188]
> Jan 5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
> message-id=<20160105094329.FAB7FFC87CC25243 at gmail.com>
> Jan 5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
> from=<info at gmail.com>, size=2536, nrcpt=1 (queue active)
> Jan 5 16:43:30 server postfix/smtpd[13577]: disconnect from
> unknown[195.22.126.188]
>
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
>
> Thanks,
>
> Thomas.
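The distinction drawn in the message above between the two client-hostname restrictions, including the point that a temporary DNS failure also produces the name "unknown", as an added sketch that is not part of any poster's message and is not Postfix code. The lookup tables and the 192.0.2.x / 198.51.100.x addresses are constructed, the names `client_name`, `evaluate` and `TEMPFAIL` are hypothetical, and `defer` stands for the 4xx reply given on a temporary lookup problem.

```python
"""Model of the two Postfix client-hostname checks discussed in the thread.

DNS answers come from constructed in-memory tables; nothing is resolved over
the network. TEMPFAIL marks a lookup that timed out or returned SERVFAIL.
"""
TEMPFAIL = object()

# Constructed sample data (documentation address ranges, not from the thread).
PTR = {
    "192.0.2.10": "mail.example.org",   # forward-confirmed
    "192.0.2.20": "host.example.net",   # PTR exists, forward does not match
    "192.0.2.40": TEMPFAIL,             # resolver trouble
}                                       # 192.0.2.30 has no PTR at all
A = {
    "mail.example.org": {"192.0.2.10"},
    "host.example.net": {"198.51.100.7"},
}


def client_name(ip, ptr=PTR, a=A):
    """Return (logged_name, reason): the name smtpd would log, and why."""
    name = ptr.get(ip)
    if name is TEMPFAIL:
        return "unknown", "ptr_tempfail"
    if name is None:
        return "unknown", "no_ptr"
    addrs = a.get(name)
    if addrs is TEMPFAIL:
        return "unknown", "forward_tempfail"
    if not addrs:
        return "unknown", "no_forward"
    if ip not in addrs:
        return "unknown", "forward_mismatch"
    return name, "verified"


def evaluate(ip, restriction, ptr=PTR, a=A):
    """Outcome of one restriction: 'ok', 'reject' or 'defer' (always 4xx)."""
    _, reason = client_name(ip, ptr, a)
    if reason == "verified":
        return "ok"
    if restriction == "reject_unknown_reverse_client_hostname":
        # The weaker check looks only at the address->name step.
        return {"no_ptr": "reject", "ptr_tempfail": "defer"}.get(reason, "ok")
    if restriction == "reject_unknown_client_hostname":
        return "defer" if reason.endswith("tempfail") else "reject"
    raise ValueError(f"unsupported restriction: {restriction}")
```

Four different causes all log as `unknown[...]`, which is why the log line alone does not say which restriction, if any, would have matched.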
On 07/01/16 13:50, L.P.H. van Belle wrote:
> All i have is :
>
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
>
> [...]

Hi Louis, You really must stop using outlook, this isn't the postfix mailing list :-D :-D :-D

Rowland
Yes!! You are totally right..

When I make it, it's gone within 1 month, the new mail setup is ready, and tested, only the migration to do ...
But first snowboarding again next week.. :-))

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 7 January 2016 15:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Helo Checks not always working?
>
> On 07/01/16 13:50, L.P.H. van Belle wrote:
> > [...]
>
> Hi Louis, You really must stop using outlook, this isn't the postfix
> mailing list :-D :-D :-D
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 07/01/16 14:03, L.P.H. van Belle wrote:
> Yes!! You are totally right..
>
> When I make it, it's gone within 1 month, the new mail setup is ready, and tested, only the migration to do ...
> But first snowboarding again next week.. :-))
>
> Greetz,
>
> Louis

OH NO! not downhill leg breaking :-D

Rowland