4xx when host not found

2019-09-16 Thread Helmut Schneider

Hi,

I'm running postfix with spamassassin as a relay (before-queue). The host is
connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=,
relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
(Host or domain name not found. Name service error for name=exchange01
type=: Host not found)

I already created an entry in the hosts file without success.

Where can I change the DSN to 4xx and ensure that mails are delivered when
the tunnel is up again?

helmut@h2786452:~$ postfix.sh -l
Getting Instances ... done
Instance '-': -   -   y /etc/postfix
Instance 'postfix-in': postfix-in  -   y /etc/postfix-in
Instance 'postfix-out': postfix-out -   y /etc/postfix-out
helmut@h2786452:~$

Thank you!



Change status code for "Host not found"

2019-09-16 Thread Helmut Schneider
Hi,

I'm running postfix as a relay connected via VPN. If the VPN is down
mails are rejected:

relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found. Name service error for
name=EXCHANGE01 type=: Host not found)

Is there a way to change the dsn to 4xx and deliver it when the VPN is
up again?

Thank you!



Re: Change status code for "Host not found"

2019-09-16 Thread Wesley Peng

Hi

on 2019/9/12 22:01, Helmut Schneider wrote:

relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found. Name service error for
name=EXCHANGE01 type=: Host not found)


This is a network issue rather than a Postfix problem, I think.
You should fix up the network after the VPN goes down.

regards.


4xx if host not found

2019-09-16 Thread Helmut Schneider
Hi,

I'm running postfix with spamassassin as a relay (before-queue). The
host is connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA:
to=, relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found. Name service error for
name=exchange01 type=: Host not found)

I already created an entry in the hosts file without success.

Where can I change the DSN to 4xx and ensure that mails are delivered
when the tunnel is up again?

helmut@h2786452:~$ postfix.sh -l
Getting Instances ... done
Instance '-': -   -   y /etc/postfix
Instance 'postfix-in': postfix-in  -   y /etc/postfix-in
Instance 'postfix-out': postfix-out -   y /etc/postfix-out
helmut@h2786452:~$

Thank you!



Refuse mail from hosts with closed port 25

2019-09-16 Thread Paul van der Vlis
Hello,

How can I refuse mail from hosts that don't have an open port 25?

What do you think of such a check?

Is there more needed?  E.g. a list of exceptions for some big providers?

Background:
I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider (reviced.nl) refuses all mail from
a host that does not have port 25 open. I have many problems with spam
and I would like to reduce it.



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread John Peach

On 9/16/19 8:47 AM, Paul van der Vlis wrote:

Hello,

How can I refuse mail from hosts that don't have an open port 25?

What do you think of such a check?



DO NOT DO THIS!

A significant number of installations will use different servers for 
inbound and outbound email. What is worth checking, is that the sender 
has MX records.




Is there more needed?  E.g. a list of exceptions for some big providers?

Background:
I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider (reviced.nl) refuses all mail from
a host that does not have port 25 open. I have many problems with spam
and I would like to reduce it.


--
John
PGP Public Key: 412934AC


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Wesley Peng

Hi

on 2019/9/16 20:47, Paul van der Vlis wrote:

How can I refuse mail from hosts that don't have an open port 25?

What do you think of such a check?


You shouldn't.

Many email systems have the delivery agent and the MTA separated.
That is to say, they receive incoming mail on an MTA that has port 25
open, but deliver outgoing messages via another gateway that doesn't
have port 25 enabled.


regards.


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Jim Reid



> On 16 Sep 2019, at 13:47, Paul van der Vlis  wrote:
> 
> How can I refuse mail from hosts that don't have an open port 25?
> 
> What do you think of such a check?

It’s a stunningly bad idea. Don’t do it.

Many enterprises and cloud-based mail providers have discrete servers/systems 
handling inbound and outbound mail. In these setups, the servers sending you 
email won’t have a listener on port 25 -- or any other port -- for inbound 
email.

> Is there more needed?  E.g. a list of exceptions for some big providers?

It’ll be impractical to maintain a workable whitelist. There will probably be 
too many false positives and negatives. And the approach probably won’t be an 
effective anti-spam measure either. But if you want to try the experiment and 
report back, go ahead. It’ll only be you and your customers who will have to 
deal with the consequences.



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
On 9/16/2019 9:03 AM, Jim Reid wrote:
> On 16 Sep 2019, at 13:47, Paul van der Vlis  wrote:
>
> How can I refuse mail from hosts that don't have an open port 25?
Paul, I wrote a module which I need to update on Perl's CPAN called
Net::validMX that we use to reject IPv4 domains that aren't properly
setup to receive mail from sending to us.  We've used it in production
with MIMEDefang.  And as a small, boutique ESP for over a decade, likely
closer to 15 years with no complaints/FPs of note.
Regards,
KAM


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Paul van der Vlis



On 16-09-19 at 14:53, John Peach wrote:
> On 9/16/19 8:47 AM, Paul van der Vlis wrote:
>> Hello,
>>
>> How can I refuse mail from hosts that don't have an open port 25?
>>
>> What do you think of such a check?
> 
> 
> DO NOT DO THIS!
> 
> A significant number of installations will use different servers for
> inbound and outbound email.

I know a provider that is actually using this. I guess only the big
providers will have different servers for inbound and outbound email,
and you can make a list of them.

> What is worth checking, is that the sender has MX records.

Hmm, interesting idea!
Maybe you have some lines on how to configure this?

But, I am afraid many hosting providers will not have an MX record on
the hosting server, so you don't get your "forgotten password" from the CMS.

With regards,
Paul


-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Jim Reid



> On 16 Sep 2019, at 14:17, Paul van der Vlis  wrote:
> 
>> A significant number of installations will use different servers for
>> inbound and outbound email.
> 
> I know a provider that is actually using this. I guess only the big
> providers will have different servers for inbound and outbound email,

Guess again. Hint: you might be mistaken.

> and you can make a list of them.

Guess again. Hint: you might be mistaken.




Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Scott Kitterman
On Monday, September 16, 2019 9:17:00 AM EDT Paul van der Vlis wrote:
> I know a provider that is actually using this. I guess only the big
> providers will have different servers for inbound and outbound email,
> and you can make a list of them.

This is not true.  My domain is about as tiny as they come and the inbound and 
outbound servers are different for reasons that make sense to me.  I'm sure I'm 
not the only one.

Scott K




Re: 4xx when host not found

2019-09-16 Thread Bill Cole

On 16 Sep 2019, at 7:44, Helmut Schneider wrote:


I already created an entry in the hosts file without success.


This (name resolution) is the ideal place to address your problem. If 
your OS name resolver is not using an entry in your hosts file, it may 
be because the entry isn't correct OR because your nsswitch.conf file 
directs the resolver to ask DNS first. If you're running a system that 
does not use nsswitch.conf and can't be made to check local files first, 
you may benefit from running a recursing/caching resolver daemon like 
Unbound which supports its own local data.


Note that hosts file entries are ONLY for A and  resolution, NOT MX 
resolution, so if you are routing mail in Postfix via a mechanism that 
does MX resolution and you have a cached MX record from the last time 
that the VPN was up, it is possible that you are chasing a name that is 
different from what you expect.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: 4xx when host not found

2019-09-16 Thread Helmut Schneider
Bill Cole wrote:

> On 16 Sep 2019, at 7:44, Helmut Schneider wrote:
> 
> > I already created an entry in the hosts file without success.
> 
> This (name resolution) is the ideal place to address your problem. If
> your OS name resolver is not using an entry in your hosts file, it
> may be because the entry isn't correct OR because your nsswitch.conf
> file directs the resolver to ask DNS first. If you're running a
> system that does not use nsswitch.conf and can't be made to check
> local files first, you may benefit from running a recursing/caching
> resolver daemon like Unbound which supports its own local data.

Ubuntu 16.

> Note that hosts file entries are ONLY for A and  resolution, NOT
> MX resolution, so if you are routing mail in Postfix via a mechanism
> that does MX resolution and you have a cached MX record from the last
> time that the VPN was up, it is possible that you are chasing a name
> that is different from what you expect.

The transport address is static via a transport file.

I'm wondering about the "type=": is postfix trying to resolve IPv6
first? The remote host does not have a static IPv6 address, so an entry
in /etc/hosts makes no sense.

Anyway, no way to tell postfix that resolving a remote host is a
temporary and not a permanent problem?



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Paul van der Vlis
On 16-09-19 at 15:25, Scott Kitterman wrote:
> On Monday, September 16, 2019 9:17:00 AM EDT Paul van der Vlis wrote:
>> I know a provider that is actually using this. I guess only the big
>> providers will have different servers for inbound and outbound email,
>> and you can make a list of them.
> 
> This is not true.  My domain is about as tiny as they come and the inbound
> and outbound servers are different for reasons that make sense to me.  I'm
> sure I'm not the only one.

The outbound server has a closed port 25?

With regards,
Paul



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/





Re: Change status code for "Host not found"

2019-09-16 Thread Wietse Venema
Helmut Schneider:
[ Charset ISO-8859-1 converted... ]
> Hi,
> 
> I'm running postfix as a relay connected via VPN. If the VPN is down
> mails are rejected:
> 
> relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
> status=bounced (Host or domain name not found. Name service error for
> name=EXCHANGE01 type=: Host not found)

It's status=bounced (dsn=5.4.4) because Postfix received a DNS
NXDOMAIN (name does not exist) response for the name 'EXCHANGE01'.

> Is there a way to change the dsn to 4xx and deliver it when the VPN is
> up again?

http://www.postfix.org/postconf.5.html#default_delivery_status_filter
Look under the examples for smtp_delivery_status_filter. Here is
an untested variant that should work.

/etc/postfix/main.cf:
   smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

/etc/postfix/smtp_dsn_filter:
/^5(\.\d+\.\d+ Name service error for name=EXCHANGE01/ 4$1

You can't use http://www.postfix.org/postconf.5.html#smtp_dns_reply_filter
because that feature requires that the server returns a reply, not
NXDOMAIN.

Wietse


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Wietse Venema
Paul van der Vlis:
> The outbound server has a closed port 25?

More likely, blocked by firewall.

Wietse


Re: Change status code for "Host not found"

2019-09-16 Thread Wietse Venema
Wietse Venema:
> Helmut Schneider:
> [ Charset ISO-8859-1 converted... ]
> > Hi,
> > 
> > I'm running postfix as a relay connected via VPN. If the VPN is down
> > mails are rejected:
> > 
> > relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
> > status=bounced (Host or domain name not found. Name service error for
> > name=EXCHANGE01 type=: Host not found)
> 
> It's status=bounced (dsn=5.4.4) because Postfix received a DNS
> NXDOMAIN (name does not exist) response for the name 'EXCHANGE01'.
> 
> > Is there a way to change the dsn to 4xx and deliver it when the VPN is
> > up again?
> 
> http://www.postfix.org/postconf.5.html#default_delivery_status_filter
> Look under the examples for smtp_delivery_status_filter. Here is
> an untested variant that should work.
> 
> /etc/postfix/main.cf:
>smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
> 
> /etc/postfix/smtp_dsn_filter:
> /^5(\.\d+\.\d+ Name service error for name=EXCHANGE01/ 4$1

Should be:

/^5(\.\d+\.\d+ Name service error for name=EXCHANGE01)/ 4$1

(i.e. there was no closing ')').

Wietse
> You can't use http://www.postfix.org/postconf.5.html#smtp_dns_reply_filter
> because that feature requires that the server returns a reply, not
> NXDOMAIN.
> 
>   Wietse
> 

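The two versions of the pcre rule above differ by a single parenthesis, and Wietse flags the rule as untested. Below is an added Python harness, not Postfix code and not from the thread, that applies a `/pattern/ replacement` rule to a delivery-status key the way a Postfix `*_delivery_status_filter` table does, so the effect of a rule can be checked offline before it goes into main.cf. The filter keys are constructed from the status text in Helmut's log line. `LOOSER_RULE` is my own variant, not from the thread: it allows text in front of "Name service error", because the logged reason begins with "Host or domain name not found."; whether that is needed depends on the exact text Postfix puts in the key on the affected system.

```python
import re

# Wietse's first, untested rule (its group is never closed) and the corrected
# rule from his follow-up, both copied from the thread in pcre-table form.
BROKEN_RULE = r"/^5(\.\d+\.\d+ Name service error for name=EXCHANGE01/ 4$1"
FIXED_RULE = r"/^5(\.\d+\.\d+ Name service error for name=EXCHANGE01)/ 4$1"

# My own looser variant (not from the thread): it tolerates text in front of
# "Name service error", which is how the reason appears in the logged line.
LOOSER_RULE = (r"/^5(\.\d+\.\d+ .*Name service error for name=EXCHANGE01"
               r" type=\S*: Host not found)/ 4$1")

# Constructed filter keys, modelled on the status text in the thread's log line.
KEY_LOG_STYLE = ("5.4.4 Host or domain name not found. Name service error "
                 "for name=exchange01 type=AAAA: Host not found")
KEY_SHORT = "5.4.4 Name service error for name=EXCHANGE01 type=AAAA: Host not found"
KEY_OTHER_HOST = ("5.4.4 Host or domain name not found. Name service error "
                  "for name=mx.other.example type=A: Host not found")
KEY_UNRELATED = "5.1.1 User unknown in virtual mailbox table"


def parse_rule(rule):
    """Split one '/pattern/ replacement' pcre-table line into a compiled
    pattern and a Python replacement string.

    Postfix pcre tables match case-insensitively unless the 'i' flag is
    turned off, so the pattern is compiled with re.IGNORECASE; the table's
    '$1' back-reference is rewritten to Python's '\\1'.  A malformed pattern
    raises re.error here, just as postmap would refuse the table.
    """
    m = re.fullmatch(r"/(.*)/\s+(\S+)", rule)
    if m is None:
        raise ValueError(f"not a '/pattern/ replacement' rule: {rule!r}")
    pattern, replacement = m.groups()
    compiled = re.compile(pattern, re.IGNORECASE)
    return compiled, re.sub(r"\$(\d+)", r"\\\1", replacement)


def rule_compiles(rule):
    """True if the rule's pattern is valid, False if it is rejected."""
    try:
        parse_rule(rule)
    except re.error:
        return False
    return True


def filter_dsn(rules, key):
    """Apply the first matching rule to a 'code text' delivery status key.

    This mirrors how Postfix consults a *_delivery_status_filter table: the
    lookup key is the enhanced status code followed by the status text,
    the first matching rule wins and its result replaces the status, and
    a key that matches nothing passes through unchanged.
    """
    for compiled, replacement in rules:
        if compiled.search(key):
            return compiled.sub(replacement, key, count=1)
    return key


if __name__ == "__main__":
    print("broken rule compiles:", rule_compiles(BROKEN_RULE))
    fixed = [parse_rule(FIXED_RULE)]
    looser = [parse_rule(LOOSER_RULE)]
    for key in (KEY_SHORT, KEY_LOG_STYLE, KEY_OTHER_HOST, KEY_UNRELATED):
        print(f"{key!r}\n  fixed : {filter_dsn(fixed, key)!r}"
              f"\n  looser: {filter_dsn(looser, key)!r}")
```

On a real system the equivalent check is `postmap -q "5.4.4 ..." pcre:/etc/postfix/smtp_dsn_filter`, which prints the rewritten status, or nothing when no rule matches. Rewriting 5.4.4 to 4.4.4 only makes Postfix keep the message queued and retry until maximal_queue_lifetime runs out; it does not make the name resolvable, so the fix on the name-resolution side still matters.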

Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Bill Cole

On 16 Sep 2019, at 9:17, Kevin A. McGrail wrote:


On 9/16/2019 9:03 AM, Jim Reid wrote:
On 16 Sep 2019, at 13:47, Paul van der Vlis wrote:


How can I refuse mail from hosts that don't have an open port 25?

Paul, I wrote a module which I need to update on Perl's CPAN called
Net::validMX that we use to reject IPv4 domains that aren't properly
setup to receive mail from sending to us.  We've used it in production
with MIMEDefang.  And as a small, boutique ESP for over a decade, likely
closer to 15 years with no complaints/FPs of note.


I don't believe that Net::validMX does anything more *at the domain 
level* than Postfix's built-in reject_unknown_sender_domain restriction. 
Its check_email_validity() may be a bit more strict than Postfix's 
built-in address sanity checks.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Bill Cole

On 16 Sep 2019, at 9:17, Paul van der Vlis wrote:


I guess only the big
providers will have different servers for inbound and outbound email,
and you can make a list of them.


Bad guess.

Many business email systems are architected this way for security 
purposes (e.g. Exchange is fine for sending mail out but you really 
don't want it accepting email from the Internet directly...) This is 
especially common with older businesses who got generous IPv4 
allocations decades ago, however I have worked with mail systems serving 
less than 500 employee-users of companies with /29 allocations that have 
mail going out from a shared NAT address but coming in via a dedicated 
IP.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
Fair enough.  Maybe he should turn that feature on then :-)

On 9/16/2019 9:59 AM, Bill Cole wrote:
>
> I don't believe that Net::validMX does anything more *at the domain
> level* than Postfix's built-in reject_unknown_sender_domain
> restriction. Its check_email_validity() may be a bit more strict than
> Postfix's built-in address sanity checks. 
-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com 

https://www.linkedin.com/in/kmcgrail



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Benny Pedersen

Kevin A. McGrail wrote on 2019-09-16 16:19:

Fair enough.  Maybe he should turn that feature on then :-)


If you do, you can't receive email from me.

validMX is strict in saying domains without MX are invalid domains?

Oh, and MX fallback is not an RFC?

Be careful testing with "sendmail -bv u...@example.org" and check how 
badly sendmail does it.


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Bill Cole
On 16 Sep 2019, at 11:00, Benny Pedersen wrote:

> Kevin A. McGrail wrote on 2019-09-16 16:19:
>> Fair enough.  Maybe he should turn that feature on then :-)
>
> If you do, you can't receive email from me.
>
> validMX is strict in saying domains without MX are invalid domains?

No, it does not do that.

#check_email_and_mx.pl  m...@junc.eu
Check Valid MX (Net::ValidMX v2.2.0)

m...@junc.eu
Valid MX? True - Passed

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
On 9/16/2019 11:00 AM, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2019-09-16 16:19:
>> Fair enough.  Maybe he should turn that feature on then :-)
>
> If you do, you can't receive email from me.
>
> validMX is strict in saying domains without MX are invalid domains?
>
> Oh, and MX fallback is not an RFC?
>
> Be careful testing with "sendmail -bv u...@example.org" and check how
> badly sendmail does it.
Benny, you and I correspond and I use the netValidMX.  Not sure what you
are trying to say.


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Benny Pedersen

Bill Cole wrote on 2019-09-16 17:47:

On 16 Sep 2019, at 11:00, Benny Pedersen wrote:


Kevin A. McGrail wrote on 2019-09-16 16:19:

Fair enough.  Maybe he should turn that feature on then :-)


If you do, you can't receive email from me.

validMX is strict in saying domains without MX are invalid domains?


No, it does not do that.

#check_email_and_mx.pl  m...@junc.eu
Check Valid MX (Net::ValidMX v2.2.0)

m...@junc.eu
Valid MX? True - Passed


good

http://mailtester.com/index.php fails


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Benny Pedersen

Kevin A. McGrail wrote on 2019-09-16 17:47:

Benny, you and I correspond and I use the netValidMX.  Not sure what you
are trying to say.


Thanks to Bill for showing validMX is not broken; all good with it, but 
http://mailtester.com is not good. I like to be neutral with 
https://www.mail-tester.com/ :=)


Re: 4xx when host not found

2019-09-16 Thread Viktor Dukhovni
On Mon, Sep 16, 2019 at 01:44:38PM +0200, Helmut Schneider wrote:

> Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=,
> relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
> (Host or domain name not found. Name service error for name=exchange01
> type=: Host not found)

You should explain how the name "exchange01" becomes the nexthop
destination for mail to "" (which does not look like a
valid email address).

> I already created an entry in the hosts file without success.

By default, the Postfix smtp(8) delivery agent does not consult
/etc/hosts:

http://www.postfix.org/postconf.5.html#smtp_host_lookup

> Where can I change the DSN to 4xx and ensure that mails are delivered when
> the tunnel is up again?

Normally, if a tunnel goes down, DNS lookups that require access
to a server on the far side of the tunnel tempfail, and Postfix
would automatically return 4XX.  If your system returns hard errors
when the network is partly down, then that's a configuration defect
with the system.

-- 
Viktor.

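Bill's advice about nsswitch.conf and Viktor's pointer to smtp_host_lookup describe two separate reasons an /etc/hosts entry can be ignored: the Postfix smtp(8) client defaults to smtp_host_lookup = dns and only calls the system resolver (and therefore honours nsswitch.conf) when native is listed, and the system resolver in turn only prefers /etc/hosts when files comes before dns on the hosts: line. The Python below is an added audit script for those two settings, not Postfix code and not from the thread; the main.cf and nsswitch.conf samples are constructed, and the parsers cover only the syntax those samples use.

```python
import re

# Constructed sample files; they are not the poster's actual configuration.
SAMPLE_MAIN_CF = """\
# /etc/postfix-in/main.cf (constructed)
myhostname = relay.example.net
transport_maps = hash:/etc/postfix-in/transport
smtp_host_lookup = dns
"""

SAMPLE_NSSWITCH = """\
passwd:  compat
group:   compat
hosts:   dns files   # constructed: DNS is asked before /etc/hosts
networks: files
"""

# The same files with the two settings changed the way the thread suggests.
CORRECTED_MAIN_CF = SAMPLE_MAIN_CF + "smtp_host_lookup = dns, native\n"
CORRECTED_NSSWITCH = SAMPLE_NSSWITCH.replace("hosts:   dns files", "hosts:   files dns")


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, '#' comment lines at
    column 0, continuation lines starting with whitespace; the last
    assignment wins, as it does for Postfix."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def smtp_host_lookup_methods(params):
    """Lookup methods smtp(8) will use; Postfix's built-in default is 'dns'."""
    value = params.get("smtp_host_lookup", "dns")
    return [m for m in re.split(r"[,\s]+", value) if m]


def nsswitch_hosts_sources(text):
    """Sources on the 'hosts:' line of nsswitch.conf, in order.  Action
    tokens such as '[NOTFOUND=return]' are kept as they appear."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def audit(main_cf_text, nsswitch_text):
    """Return findings explaining why an /etc/hosts entry may be ignored."""
    findings = []
    methods = smtp_host_lookup_methods(parse_main_cf(main_cf_text))
    if "native" not in methods:
        findings.append(
            f"smtp_host_lookup = {', '.join(methods)}: smtp(8) never consults "
            "/etc/hosts; add 'native' to use the system resolver")
    sources = nsswitch_hosts_sources(nsswitch_text)
    if "files" not in sources:
        findings.append("nsswitch.conf hosts: line does not list 'files'")
    elif "dns" in sources and sources.index("dns") < sources.index("files"):
        findings.append(
            f"nsswitch.conf hosts: {' '.join(sources)}: DNS is consulted "
            "before /etc/hosts; list 'files' first so the local entry wins "
            "without a DNS query")
    return findings


if __name__ == "__main__":
    for label, cf, nss in (("as posted", SAMPLE_MAIN_CF, SAMPLE_NSSWITCH),
                           ("corrected", CORRECTED_MAIN_CF, CORRECTED_NSSWITCH)):
        print(f"{label}: {audit(cf, nss) or ['no findings']}")
```

On the real host, `postconf smtp_host_lookup` prints the effective value, and `postconf -c /etc/postfix-in smtp_host_lookup` does so for the postfix-in instance shown in Helmut's listing. Once the name resolves locally while the tunnel is down, it is the connection that fails, and a failed connection is something Postfix defers rather than bounces, which is the behaviour Helmut is after.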

Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Stephen Satchell
+1

Back when I was a Web Hosting monkey, I had something like 23 separate
mail servers (Plesk/qmail and CPanel/exim) trying to send mail to the
world.  After some of the servers got blacklisted for one reason or
another, I decided to use a pair of Postfix servers to send outgoing mail.

Incoming mail was directed to another pair of Postfix servers, which
then distributed the mail internally after running it all through
Spamassassin.

The domain MX records pointed to the inbound servers.  The firewall on
the outbound servers did not allow port 25 connections from IP addresses
outside of our assigned netblocks.  I believe that the return was
"administratively prohibited", not dead air.

Why did I do this?  Traffic management and spam control to the large
mail providers -- Google, AOL, Yahoo, and about five others.  The
centralized spam control made management far easier for all outgoing
mail.  I also did traffic management based on the reports to my abuse
address.  All this work cut down on complaints, and the company fell off
a lot of DNSBLs.

The individual qmail/exim MTAs ran without my worrying about security
issues or DJB weirdness.  Oh, I also had a couple of Windows web hosts,
so they came under the umbrella, satisfying my mantra of "Never expose
Windows to the bare Internet."  (Off-topic: ACLs took care of the other
usual Windows issues.)

One other caveat: the domain names for the outbound servers were "mx1"
and "mx2", while the domain names for the inbound servers were "mail1"
and "mail2".  Reverse DNS matched.

Side note: because the hosting company sold dedicated servers, we had to
block 25 outbound from the netblocks on which those servers lived.  If
they wanted to send mail outbound, they had to use the mx1 and mx2
servers as relay.  Blocked a whole lot of spam mail from compromised web
sites.  Yes, the support people had to tell some customers how to set
up "sendmail(1)" and PHPmail to do this.  Worth the pain and trouble.

(This was more than a decade ago.  I now wrangle Cisco devices and
appliances in a lab environment -- administer only one Postfix server
now, in my home network.)

On 9/16/19 7:16 AM, Bill Cole wrote:
> On 16 Sep 2019, at 9:17, Paul van der Vlis wrote:
> 
>> I guess only the big
>> providers will have different servers for inbound and outbound email,
>> and you can make a list of them.
> 
> Bad guess.
> 
> Many business email systems are architected this way for security
> purposes (e.g. Exchange is fine for sending mail out but you really
> don't want it accepting email from the Internet directly...) This is
> especially common with older businesses who got generous IPv4
> allocations decades ago, however I have worked with mail systems serving
> less than 500 employee-users of companies with /29 allocations that have
> mail going out from a shared NAT address but coming in via a dedicated IP.
> 



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread @lbutlr
On Sep 16, 2019, at 7:17 AM, Paul van der Vlis  wrote:
> I guess only the big providers will have different servers for inbound and 
> outbound email, and you can make a list of them.

No, lots and lots of servers will have these services separated.




-- 
Today the road all runners come/Shoulder high we bring you home. And
set you at your threshold down/Townsman of a stiller town.



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Chris Wedgwood
> How can I refuse mail from hosts who don't have an open port 25?
>
> What do you think from such a check?

I have tried this; it's not useful, so I didn't leave the check in
place.

It's very common, perhaps even the norm, that the IP address which
delivers mail to me will not itself accept an incoming port 25
connection.

> I've investigated why somebody did not receive mail from a virtual
> machine, and I found out her provider (reviced.nl) refuses all mail
> from a host what does not have port 25 open. I have much problems
> with spam and I would like to reduce it.

This will stop a lot of legitimate mail,

and probably not stop much spam.