> On 06 Apr 2016, at 13:52, Michiel van Es <m...@pragmasec.nl> wrote:
> 
> 
>> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>> 
>> 
>> 
>>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>> 
>>> Hello,
>>> 
>>> I also posted this as an issue to the OpenSMTPD github repo but somebody 
>>> told me that the mailing list would be more accurate to post this question 
>>> to (I will remove the github issue if preferred).
>>> 
>>> It seems whenever I use filter-dnsbl with several hostnames, the lookups 
>>> always fail.
>>> I tried using ipv6 lookups (although this is something opensmtpd does 
>>> right?) and have the latest version of the master branch of 
>>> OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier 
>>> similar issue?).
>> 
>> All v6 addresses are just accepted by filter-dnsbl.
>> There is no lookup happening for v6 addresses
>> (just not implemented).
> 
> ok, then I won’t use IPv6 for now :)
> 
>> 
>>> The error I get is:
>>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>>> filter-pause[1337]: debug: on_connect: sleeping 5
>>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>>> smtp-in: Closing session 81cf3e1a4d9ef916
>>> debug: smtp: 0x24460a0: deleting session: done
>> 
>> This looks legit.
>> Have you tried to lookup/verify the IP manually 
>> at the time this happened, was it listed?
> 
> No and I know this IP (it's the MX for my company and they/we do checks via 
> Nagios on most DNSBLs)
> A lookup shows:
> 
> 185.14.168.222 is not listed in the SBL
> 185.14.168.222 is not listed in the PBL
> 185.14.168.222 is not listed in the XBL
> 
> or PTR
> 
> 222.168.14.185.zen.spamhaus.org is not listed in the DBL
> 
> I tried this config with the Google DNS servers and using a caching localhost 
> dns (with forwarders to OpenNIC servers) - no difference

Also tried with some more debugging and now tried the default SORBS dnsbl, the 
result (with strace and smtpctl trace all):

r_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 
<-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter-pause[9835]: debug: on_connect: sleeping 5
filter: imsg IMSG_FILTER_RESPONSE from procfilter 
filter-pause[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:filter-regex[hooks=0xffffffff,flags=0x0000] for 
query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 
<-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: imsg IMSG_FILTER_RESPONSE from procfilter 
filter-regex[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000] 
for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 
<-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter-dnsbl-sorbs[9834]: debug: on_connect: checking 
222.169.14.185.dnsbl.sorbs.net.
filter-dnsbl-sorbs[9834]: warn: session 511e5d1ea5ee10d1: event_dispatch: 
REJECT address
filter: imsg IMSG_FILTER_RESPONSE from procfilter 
filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000]
filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: filter_end_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
filter: query 511e5d1fe40dcd9c done: status=FILTER_CLOSE code=554 
response="5.7.1 Address in DNSBL"
smtp: 0x20ae090: >>> 554 5.7.1 Address in DNSBL
smtp-in: Failed command on session 511e5d1ea5ee10d1: "" => 554 5.7.1 Address in 
DNSBL
smtp: 0x20ae090: STATE_CONNECTED -> STATE_QUIT
smtp: 0x20ae090: IO_LOWAT <io:0x20ae0d8 fd=4 to=300000 fl=W ib=0 ob=0>
smtp-in: Closing session 511e5d1ea5ee10d1
debug: smtp: 0x20ae090: deleting session: done

The hostname is interesting, it seems to do a lookup of 
222.169.14.185.dnsbl.sorbs.net. => on_connect: checking 
222.169.14.185.dnsbl.sorbs.net.

Of course the . at the end makes it an invalid hostname and a check on SORBS 
tells me the same: Bad host/domain 222.169.14.185.dnsbl.sorbs.net.

Using without the . at the end I get: [222.169.14.185.dnsbl.sorbs.net] Not 
found in the database
Trying the ip and the hostname of the MX:  [185.14.169.222/32] Not found in the 
database & [pro-mail-smtp-002.bol.com] Not found in the database

So I am a little bit lost here what is going wrong with the lookups..
Can I have more debugging of the filter-dnsbl option?

> 
>> 
>>> My (snippet of relevant) config is:
>>> 
>>> # filters
>>> filter filter-pause pause
>>> filter filter-regex regex
>>> #filter filter-dnsbl-sorbs dnsbl
>>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>>> filter filter-spamassassin spamassassin "-s accept"
>>> filter filter-clamav clamav
>>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>> filter sub chain filter-pause filter-spamassassin filter-clamav
>>> # pki/ssl/certs
>>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>> # listen
>>> listen on lo
>>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>>> # queue expiry
>>> expire 7d
>>> # virtual domains and users
>>> table vdomains "/usr/local/etc/vdomains"
>>> table vusers "/usr/local/etc/vusers"
>>> # our accepted relays
>>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>> accept from local for any relay
>>> 
>>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>>> 
>>> What can I do to troubleshoot or further investigate this?
>> 
>> Validate manually with a listed and non-listed IP.
>> Try to rule-out local resolving problems.
> 
> It seems everything is listed through the filter rule..even using Gmail or 
> other big mail servers.
> 
>> 
>>> Are there any other spam filters that I can use or might be handy to follow 
>>> RFCs? For example I do use some HELO checks but I think there might be 
>>> more than the ones I have:
>>> 
>>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>>> # skipping address literals
>>> helo ! ^\[
>>> helo ^\.
>>> helo \.$
>>> helo ^[^\.]*$
>> 
>> In general OpenSMTPD is RFC conformant. 
>> This helo check is just an additional hard restriction.
>> 
>> There are other restrictions possible like enforcing
>> line lengths or forcing valid reverse lookups, but 
>> these might not help but likely break legit mails.
> 
> Hmm then I keep it as is, thanks for the feedback!
> 
>> 
>>> Michiel
>>> -- 
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>>> 
>> 
> 
> 
> 


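One way to script the manual validation suggested in the thread (a known-listed and a known-unlisted address, plus ruling out the local resolver). This is an added example, not code from the thread or from OpenSMTPD-Extras; the function names, the `bl.example` zone and the two stand-in resolvers are assumptions, and the control addresses are the RFC 5782 test entries.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782: DNSBL answers live here

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone; the trailing dot marks the
    name as absolute so the resolver's search list is never applied."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."

def system_resolver(name):
    """A records for name via the host's resolver; [] only on 'no such name'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts/SERVFAIL must not be mistaken for "not listed"
    return sorted({info[4][0] for info in infos})

def classify(answers):
    if not answers:
        return "not-listed"
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    return "resolver-rewrite"  # non-127/8 answer: something rewrote the reply

def check(ip, zone, resolve=system_resolver):
    return classify(resolve(dnsbl_name(ip, zone)))

def sanity(zone, resolve=system_resolver):
    """RFC 5782 controls: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (check("127.0.0.2", zone, resolve) == "listed"
            and check("127.0.0.1", zone, resolve) == "not-listed")

# Constructed resolvers standing in for DNS so the example runs offline.
FAKE_ZONE = {"2.0.0.127.bl.example.": ["127.0.0.2"]}
def healthy(name):
    return FAKE_ZONE.get(name, [])
def rewriting(name):  # answers every name, like an NXDOMAIN-redirecting resolver
    return ["198.51.100.7"]

if __name__ == "__main__":
    for label, resolver in (("healthy", healthy), ("rewriting", rewriting)):
        print(label, sanity("bl.example", resolver),
              check("185.14.169.222", "bl.example", resolver))
```

Calling `sanity("zen.spamhaus.org")` or `check(ip, zone)` without a `resolve` argument uses the host's own resolver, which is the path that needs ruling out when every address appears listed.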