On 30.01.24 20:20, Israel britto via Postfix-users wrote:
hello, I'm having a problem with spamhaus that I don't know how to
solve.
Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2
My Postfix is behind a load balance, which performs round-robin
balancing between these 2 IPs, however, my server is configured
with the helo -> xpto.com.br
That's almost certainly wrong. The HELO argument should be the
resolvable primary name associated with the actual client IP as it
connects to the server. In this case, that would be the outward-facing
IP of the load balancer.
# host xpto.com.br
xpto.com.br has address 186.202.157.79
xpto.com.br mail is handled by 20 mx.jk.locaweb.com.br.
xpto.com.br mail is handled by 10 mx.core.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.a.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.b.locaweb.com.br.
# host 186.202.157.79
Host 79.157.202.186.in-addr.arpa. not found: 3(NXDOMAIN)
On 31.01.24 09:43, Bill Cole via Postfix-users wrote:
So if your load balancer isn't at 186.202.157.79, the hosts behind it
should not be announcing themselves as xpto.com.br.
how did you get to this? xpto.com.br exists and has addres, so there's no
reason why it could not be used in HELO.
If that is your
load balancer, you should fix its reverse DNS (i.e. a PTR record at
79.157.202.186.in-addr.arpa.)
this is needed if e-mail comes from that IP.
On 2024-01-31 at 03:32:20 UTC-0500 (Wed, 31 Jan 2024 09:32:20 +0100)
Matus UHLAR - fantomas via Postfix-users <uh...@fantomas.sk>
is rumored to have said:
In fact, refusing mail because of HELO inconsistence is against all
SMTP RFCs issued so far.
That's a very narrow prohibition, technically only against simplistic
requirement that HELO must use a name that resolves to the client IP
with a matching PTR resolving the IP to the HELO name.
precisely, it's a very simple provision and easy not to break.
Since you did not provide us with your real address nor the error
message spamhaus provides when you check for your IPs, it's really
hard to help you.
Spamhaus doesn't control error messages...
some mail servers can use contents of dnsbl's TXT records in error messages
I assume that anyone obfuscating IPs when seeking support on issues
directly related to specific IPs being blocklisted is trying to get
their spambots working. There's absolutely no excuse for it in 99% of
cases and it leads to random pointless speculation.
quite possible.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
