Re: How to reject generic FCrDNS clients
On 2021-11-11 at 14:53:01 UTC-0500 (Thu, 11 Nov 2021 20:53:01 +0100)
Togan Muftuoglu is rumored to have said:

> "Matus" == Matus UHLAR <- fantomas > writes:
>
> Matus> you can check hostnames by using pcre map in
> Matus> check_reverse_client_hostname_access. e.g. refuse regex
> Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"
> Matus> (trailing . should avoid matching IP Addresses)
>
> I tried it as
>
> smtpd_client_restrictions =
>     usual stuff
>     check_client_access pcre:/etc/postfix/check_reverse_client_hostname_access.pcre
>
> Unfortunately the regex matches legitimate senders as well.

As such a check always will. Legitimate senders, particularly large ones,
frequently use generic names. Simplistic patterns will match hosts sending
wanted mail.

> I had INFO instead of REJECT and that saved the situation and the mails
> arrived.
>
> Have I placed the check in the wrong place or am I back to square one?

Seems fine to me. Assuming you did not make an error in
/etc/postfix/check_reverse_client_hostname_access.pcre, check_client_access
in smtpd_client_restrictions would be the first place you can do the check.
If you put it in a later restriction list you can use

> 2021-11-11T19:10:01.014343+01:00 myserver postfix/smtpd[3837]: Anonymous TLS connection established from mx1.goodserver.org[172.31.12.175]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
> 2021-11-11T19:10:01.062736+01:00 myserver postfix/smtpd[3837]: NOQUEUE: info: RCPT from mx1.goodserver.org[172.31.12.175]: "generic RDNS"; from= to= proto=ESMTP helo=

The munging of all the IPs and hostnames in those log lines makes them
entirely pointless. For all we know from that, the pattern match was correct.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: How to reject generic FCrDNS clients
On 2021-11-12 at 06:57:14 UTC-0500 (Fri, 12 Nov 2021 12:57:14 +0100)
Togan Muftuoglu is rumored to have said:

> "DMO" == Demi Marie Obenour writes:
>
> DMO> On 11/11/21 10:28 AM, Bill Cole wrote:
>>> On 2021-11-11 at 06:06:45 UTC-0500 (Thu, 11 Nov 2021 12:06:45 +0100)
>>> Togan Muftuoglu is rumored to have said:
>>>
>>>> Hi,
>>>>
>>>> How can I reject connections from generic Forward Confirmed Reverse DNS
>>>> (FCrDNS) like “123-45-67-8.your.isp.com”.
>>>>
>>>> For the most cases spamhaus is able to block it but with the cloud
>>>> providers with FCrDNS as follows not all of them are blocked.
>>>>
>>>> 123-45-67-89.ip.linodeusercontent.com
>>>>
>>>> ec2-12-34-56-789.us-west-2.compute.amazonaws.com
>>>>
>>>> How can I reject these connections
>
> DMO> Do all of the major mail service providers have valid DMARC? If so, one
> DMO> approach would be to reject (or, more likely, quarantine) mail from such
> DMO> hosts *unless* DMARC matches. That would require an external tool,
> DMO> though.
>
> When there is dmarc = none it doesn't work, and I would rather stop the
> connection request at the very beginning, meaning if your rDNS is not who
> you are claiming to be then sorry.

The rDNS being generic is very different from rDNS being wrong. Generic rDNS
is lazy, but it's not inherently deceptive. Postfix has long had simple
reject_* directives for shunning clients with no PTR record and for those
with a rDNS name that doesn't resolve back to the client IP.

-- 
Bill Cole
Re: How to reject generic FCrDNS clients
> "DMO" == Demi Marie Obenour writes:

DMO> On 11/11/21 10:28 AM, Bill Cole wrote:
>> On 2021-11-11 at 06:06:45 UTC-0500 (Thu, 11 Nov 2021 12:06:45 +0100) Togan
>> Muftuoglu is rumored to have said:
>>
>>> Hi,
>>>
>>> How can I reject connections from generic Forward Confirmed Reverse DNS
>>> (FCrDNS) like “123-45-67-8.your.isp.com”.
>>>
>>> For the most cases spamhaus is able to block it but with the cloud
>>> providers with FCrDNS as follows not all of them are blocked.
>>>
>>> 123-45-67-89.ip.linodeusercontent.com
>>>
>>> ec2-12-34-56-789.us-west-2.compute.amazonaws.com
>>>
>>> How can I reject these connections
>>

DMO> Do all of the major mail service providers have valid DMARC? If so, one
DMO> approach would be to reject (or, more likely, quarantine) mail from such
DMO> hosts *unless* DMARC matches. That would require an external tool,
DMO> though.

When there is dmarc = none it doesn't work, and I would rather stop the
connection request at the very beginning, meaning if your rDNS is not who you
are claiming to be then sorry.
Re: How to reject generic FCrDNS clients
On 11/11/21 10:28 AM, Bill Cole wrote:
> On 2021-11-11 at 06:06:45 UTC-0500 (Thu, 11 Nov 2021 12:06:45 +0100)
> Togan Muftuoglu is rumored to have said:
>
>> Hi,
>>
>> How can I reject connections from generic Forward Confirmed Reverse
>> DNS (FCrDNS) like “123-45-67-8.your.isp.com”.
>>
>> For the most cases spamhaus is able to block it but with the cloud
>> providers with FCrDNS as follows not all of them are blocked.
>>
>> 123-45-67-89.ip.linodeusercontent.com
>>
>> ec2-12-34-56-789.us-west-2.compute.amazonaws.com
>>
>> How can I reject these connections
>
> The canonical answer is "check_client_access with a pcre table" but if
> you want something comprehensive that you don't need to actively manage
> yourself you should consider the "Enemies List" service:
> http://enemieslist.com. They use a rich set of non-obvious name patterns
> and important exceptions. You likely do NOT want to arbitrarily reject
> all mail from all hosts with programmatically IP-derived names, unless
> you are intending to engage in a secondary boycott of major mail service
> providers' (e.g. Microsoft) customers.
>
> (and no, I'm not affiliated with them in any way.)

Do all of the major mail service providers have valid DMARC? If so, one
approach would be to reject (or, more likely, quarantine) mail from such
hosts *unless* DMARC matches. That would require an external tool, though.

Sincerely,
Demi Marie Obenour (she/her/hers)
Re: How to reject generic FCrDNS clients
On Thu, Nov 11, 2021 at 08:53:01PM +0100, Togan Muftuoglu wrote:

> Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"
>
> Matus> (trailing . should avoid matching IP Addresses)

That "." would need to be a "[.]" (or "\."), otherwise it'll match the last
digit of a 2 or 3 decimal digit IP octet. But I think that Matus intended to
also allow other non-digit characters, therefore the correct regular
expression is:

    /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)\D/ REJECT "generic DNS refused"

Broken:

    $ postmap -q "172.31.12.175" pcre:<( printf '%s\n/^/ DUNNO\n' '/(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"' )
    REJECT "generic DNS refused"

Working:

    $ postmap -q "172.31.12.175" pcre:<( printf '%s\n/^/ DUNNO\n' '/(\d+)[.-](\d+)[.-](\d+)[.-](\d+)\D/ REJECT "generic DNS refused"' )
    DUNNO

I must some day stop being surprised about all the sloppy regular expressions
I run into. Regular expressions are programs for a suitable automaton, pay
attention to detail!

-- 
    Viktor.
Re: How to reject generic FCrDNS clients
> "toganm" == Togan Muftuoglu writes:
> "Matus" == Matus UHLAR <- fantomas > writes:

Matus> you can check hostnames by using pcre map in
Matus> check_reverse_client_hostname_access. e.g. refuse regex
       ^
Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"
Matus> (trailing . should avoid matching IP Addresses)

toganm> I tried it as
toganm> smtpd_client_restrictions = usual stuff
toganm> check_client_access pcre:
        ^^

Mea culpa, I should have double checked what I typed. Currently testing with
DUNNO
Re: How to reject generic FCrDNS clients
> "Matus" == Matus UHLAR <- fantomas > writes:

Matus> you can check hostnames by using pcre map in
Matus> check_reverse_client_hostname_access. e.g. refuse regex
Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"
Matus> (trailing . should avoid matching IP Addresses)

I tried it as

smtpd_client_restrictions =
    usual stuff
    check_client_access pcre:/etc/postfix/check_reverse_client_hostname_access.pcre

Unfortunately the regex matches legitimate senders as well. I had INFO instead
of REJECT and that saved the situation and the mails arrived.

Have I placed the check in the wrong place or am I back to square one?

2021-11-11T19:10:01.014343+01:00 myserver postfix/smtpd[3837]: Anonymous TLS connection established from mx1.goodserver.org[172.31.12.175]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
2021-11-11T19:10:01.062736+01:00 myserver postfix/smtpd[3837]: NOQUEUE: info: RCPT from mx1.goodserver.org[172.31.12.175]: "generic RDNS"; from= to= proto=ESMTP helo=
Re: How to reject generic FCrDNS clients
On 2021-11-11 at 06:06:45 UTC-0500 (Thu, 11 Nov 2021 12:06:45 +0100)
Togan Muftuoglu is rumored to have said:

> Hi,
>
> How can I reject connections from generic Forward Confirmed Reverse DNS
> (FCrDNS) like “123-45-67-8.your.isp.com”.
>
> For the most cases spamhaus is able to block it but with the cloud
> providers with FCrDNS as follows not all of them are blocked.
>
> 123-45-67-89.ip.linodeusercontent.com
>
> ec2-12-34-56-789.us-west-2.compute.amazonaws.com
>
> How can I reject these connections

The canonical answer is "check_client_access with a pcre table" but if you
want something comprehensive that you don't need to actively manage yourself
you should consider the "Enemies List" service: http://enemieslist.com. They
use a rich set of non-obvious name patterns and important exceptions. You
likely do NOT want to arbitrarily reject all mail from all hosts with
programmatically IP-derived names, unless you are intending to engage in a
secondary boycott of major mail service providers' (e.g. Microsoft) customers.

(and no, I'm not affiliated with them in any way.)

-- 
Bill Cole
Re: How to reject generic FCrDNS clients
> "Matus" == Matus UHLAR <- fantomas > writes:

Matus> you can check hostnames by using pcre map in
Matus> check_reverse_client_hostname_access. e.g. refuse regex
Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"
Matus> (trailing . should avoid matching IP Addresses)

Thank you

Togan
Re: How to reject generic FCrDNS clients
> "ptld" == postfix writes:

>> How can I reject connections from generic Forward Confirmed Reverse DNS
>> (FCrDNS) like “123-45-67-8.your.isp.com”.

ptld> I do not know if there is an easier way but you could make a script using
ptld> check_policy_service or a milter to check if client name contains client
ptld> IP. However i wonder how complicated the filter rules would be
ptld> considering IPv6 and the different ways an address could be abbreviated.
ptld> I have also seen some providers reverse the IPv4 in the FQDN. Also some
ptld> legit mailers include the last part of the servers IP in the FQDN for
ptld> large companies with many servers like gmail/google.

I am interested only in IPv4.

I know with Spamhaus some ISPs, Cloud Service Providers are blocked with
policy block lists. Funny, I discovered this when I wanted to register to
barracudacentral.org rbl. It was blocked by Spamhaus. Now they have cleared
their AWS IP from Spamhaus and this time their DMARC policy is rejecting them.
Re: How to reject generic FCrDNS clients
> "Ludi" == Ludi Cree writes:

Ludi> Root Servers / IPs at datacenters often also get a default RDNS in that
Ludi> style.
Ludi>
Ludi> Greets,
Ludi> Ludi

Yes but if you own the domain you can ask the datacenters/cloud centers for
the RDNS and your helo will match your RDNS. I am using AWS and it was done in
a couple of minutes via the console. So it is possible

Togan
Re: How to reject generic FCrDNS clients
On 11.11.21 12:06, Togan Muftuoglu wrote:
> How can I reject connections from generic Forward Confirmed Reverse DNS
> (FCrDNS) like “123-45-67-8.your.isp.com”.
>
> For the most cases spamhaus is able to block it but with the cloud
> providers with FCrDNS as follows not all of them are blocked.
>
> 123-45-67-89.ip.linodeusercontent.com
>
> ec2-12-34-56-789.us-west-2.compute.amazonaws.com
>
> How can I reject these connections

you can check hostnames by using pcre map in
check_reverse_client_hostname_access. e.g. refuse regex

/(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"

(trailing . should avoid matching IP Addresses)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.
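To make the difference between Matus's pattern above and Viktor's corrected one concrete, here is an added example (not code from the thread or from Postfix) that emulates a pcre: access table in Python: rows are tried in order, the first match decides, and check_client_access consults the table with the client hostname first and then with the client IP address. That second lookup is why the trailing "." matters: it matches the last digit of a bare address, so a legitimate host with a non-generic name still gets rejected through its IP. Python's re module agrees with PCRE for these patterns. The sample name/address pairs, the example.net exception row and the table order are constructed for illustration; the two generic names are the ones from the original question.

```python
import re

# Rows of a pcre: access table in the order Postfix evaluates them: the first
# matching pattern decides. Python's re agrees with PCRE for these constructs.
# Matus's version: the trailing "." is an unescaped wildcard, so it also
# matches the last digit of a bare IP address such as 172.31.12.175.
BROKEN_TABLE = [
    (r'(\d+)[.-](\d+)[.-](\d+)[.-](\d+).', 'REJECT generic DNS refused'),
    (r'^', 'DUNNO'),
]

# Viktor's version: "\D" requires a non-digit after the fourth number, so a
# bare address never matches. The first row is a constructed exception for a
# trusted sender whose names happen to look generic; it has to come first
# because the table stops at the first match.
FIXED_TABLE = [
    (r'\.example\.net$', 'DUNNO'),
    (r'(\d+)[.-](\d+)[.-](\d+)[.-](\d+)\D', 'REJECT generic DNS refused'),
    (r'^', 'DUNNO'),
]


def lookup(key, table):
    """Emulate `postmap -q KEY pcre:TABLE`: the action of the first row whose
    pattern matches anywhere in the key (pcre rows are unanchored unless you
    anchor them yourself). None means no row matched."""
    for pattern, action in table:
        if re.search(pattern, key):
            return action
    return None


def check_client_access(client_name, client_ip, table):
    """check_client_access consults the table with the client hostname and then
    with the client IP address (parent-domain and network-prefix lookups are
    omitted here). DUNNO on the name only ends the name lookups; the address
    is still tried, which is why the trailing "." in BROKEN_TABLE bites."""
    for key in (client_name, client_ip):
        action = lookup(key, table)
        if action is not None and action != 'DUNNO':
            return action, key
    return 'DUNNO', None


# Constructed client name / address pairs. The two generic names are the ones
# from the original question; the addresses and the other names are invented.
SAMPLES = [
    ('123-45-67-89.ip.linodeusercontent.com', '123.45.67.89'),
    ('ec2-12-34-56-789.us-west-2.compute.amazonaws.com', '12.34.56.78'),
    ('mx1.example.org', '172.31.12.175'),       # legitimate, non-generic name
    ('10-0-0-5.mail.example.net', '10.0.0.5'),  # generic-looking but exempted
]


def compare_tables():
    """Return {client_name: (broken_action, fixed_action)} for every sample."""
    return {name: (check_client_access(name, ip, BROKEN_TABLE)[0],
                   check_client_access(name, ip, FIXED_TABLE)[0])
            for name, ip in SAMPLES}


if __name__ == '__main__':
    for name, (broken, fixed) in compare_tables().items():
        print(f'{name:50} broken={broken:28} fixed={fixed}')
```

Running it shows mx1.example.org rejected by the broken table solely because its IP address matched, while the fixed table lets it through and still rejects both generic cloud names; the exception row shows where a per-sender allow entry has to sit in a first-match table.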
AW: How to reject generic FCrDNS clients
Root Servers / IPs at datacenters often also get a default RDNS in that style.

Greets,
Ludi

-----Original Message-----
From: owner-postfix-us...@postfix.org On Behalf Of post...@ptld.com
Sent: Thursday, 11 November 2021 14:56
To: postfix-users@postfix.org
Subject: Re: How to reject generic FCrDNS clients

> How can I reject connections from generic Forward Confirmed Reverse DNS
> (FCrDNS) like “123-45-67-8.your.isp.com”.

I do not know if there is an easier way but you could make a script using
check_policy_service or a milter to check if client name contains client IP.
However i wonder how complicated the filter rules would be considering IPv6
and the different ways an address could be abbreviated. I have also seen some
providers reverse the IPv4 in the FQDN. Also some legit mailers include the
last part of the servers IP in the FQDN for large companies with many servers
like gmail/google.
Re: How to reject generic FCrDNS clients
> How can I reject connections from generic Forward Confirmed Reverse DNS
> (FCrDNS) like “123-45-67-8.your.isp.com”.

I do not know if there is an easier way but you could make a script using
check_policy_service or a milter to check if client name contains client IP.
However i wonder how complicated the filter rules would be considering IPv6
and the different ways an address could be abbreviated. I have also seen some
providers reverse the IPv4 in the FQDN. Also some legit mailers include the
last part of the servers IP in the FQDN for large companies with many servers
like gmail/google.
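The check_policy_service idea above, written out as an added example (not code from the thread or from Postfix): a small policy daemon that answers the Postfix policy protocol (attribute=value lines ended by an empty line, reply "action=..." plus an empty line) and rejects when the FCrDNS-verified client_name contains the whole client IPv4 address, in forward or reversed octet order and with "." or "-" separators. It looks at client_name rather than the unverified reverse_client_name, ignores IPv6 entirely (the abbreviation problem raised above, and the original poster only cares about IPv4), and returns DUNNO for "unknown" since a missing or unconfirmed PTR is what reject_unknown_reverse_client_hostname is for. The zero-padded octet spelling is an assumption I added, not something the thread reports, and the request text is constructed for the dry run. Keep the caveat from earlier in the thread in mind: large legitimate senders use such names too, so in production this belongs behind an allow list or as one scoring input rather than an unconditional REJECT.

```python
import ipaddress
import sys

# Hypothetical policy daemon for check_policy_service. Postfix's spawn(8)
# feeds requests on stdin as "attribute=value" lines ending with an empty
# line and reads "action=...\n\n" back (see SMTPD_POLICY_README).


def ip_name_variants(ip):
    """Spellings of an IPv4 address that show up inside generic PTR names:
    octets forward or reversed, joined by '.' or '-', plain or zero-padded.
    Reversed order is from the thread; zero-padding is an extra assumption."""
    octets = ip.split('.')
    forms = set()
    for order in (octets, octets[::-1]):
        for pad in (False, True):
            digits = [o.zfill(3) if pad else o for o in order]
            for sep in ('.', '-'):
                forms.add(sep.join(digits))
    return forms


def name_embeds_ip(client_name, client_address):
    """True when the FCrDNS-verified client name contains the whole client
    IPv4 address. IPv6 is deliberately not handled: its abbreviations make
    the match unreliable, and the thread only cares about IPv4."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    if addr.version != 4 or client_name in ('', 'unknown'):
        # "unknown" means no confirmed rDNS at all; that case belongs to
        # reject_unknown_reverse_client_hostname, not to this check.
        return False
    name = client_name.lower()
    return any(v in name for v in ip_name_variants(str(addr)))


def parse_policy_request(raw):
    """One request: attribute=value lines up to the first empty line."""
    attrs = {}
    for line in raw.split('\n'):
        if line == '':
            break
        key, _, value = line.partition('=')
        attrs[key] = value
    return attrs


def policy_action(raw_request):
    """Reply for one request. Only client_name (verified, or 'unknown') is
    consulted, never the unverified reverse_client_name."""
    attrs = parse_policy_request(raw_request)
    if attrs.get('request') != 'smtpd_access_policy':
        return 'action=DUNNO\n\n'
    if name_embeds_ip(attrs.get('client_name', ''), attrs.get('client_address', '')):
        return 'action=REJECT generic reverse DNS name %s\n\n' % attrs['client_name']
    return 'action=DUNNO\n\n'


def serve(inp, out):
    """Answer requests from a text stream until EOF."""
    pending = []
    for line in inp:
        pending.append(line.rstrip('\n'))
        if pending[-1] == '':
            out.write(policy_action('\n'.join(pending)))
            out.flush()
            pending = []


# Constructed request in the wire format, for tests and for a local dry run.
REQUEST = ('request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n'
           'client_address=%s\nclient_name=%s\nreverse_client_name=%s\n'
           'sender=someone@example.org\nrecipient=postmaster@example.com\n\n')


def decide(client_address, client_name):
    """Convenience wrapper: first line of the reply for a constructed request."""
    return policy_action(REQUEST % (client_address, client_name, client_name)).split('\n')[0]


if __name__ == '__main__':
    serve(sys.stdin, sys.stdout)
```

A name that carries only part of the address (the gmail/google case mentioned above, e.g. a trailing "-175") is not matched, because only the complete address in one of the listed spellings counts.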
How to reject generic FCrDNS clients
Hi,

How can I reject connections from generic Forward Confirmed Reverse DNS
(FCrDNS) like “123-45-67-8.your.isp.com”.

For the most cases spamhaus is able to block it but with the cloud providers
with FCrDNS as follows not all of them are blocked.

123-45-67-89.ip.linodeusercontent.com

ec2-12-34-56-789.us-west-2.compute.amazonaws.com

How can I reject these connections

Thanks

Togan