From: Amedeo Rinaldo on 13 Jul 2010 22:50

(I apologize for my terrible English)

In order to minimize dnsbl queries and, globally, to decrease external
services dependency, I started to test some pcre rules (check_client_access
on various stages) in which I'm trying to 'whitelist' properly configured
dns hosts and to slow down/rate limit bad ones.
First I must say this is only my lab test :-)

I'm basing my test rules on Matthew Sullivan's DRAFT "Suggested Generic DNS
Naming Schemes"
(http://tools.ietf.org/html/draft-msullivan-dnsop-generic-naming-schemes-00).
In my personal experience, I can say that lots of ISPs are considering it.

(testing on debian lenny/squeeze postfix 2.5.5-1.1 / 2.7.1-1)

---

Some very simple examples (pcre are not perfect, I know):

# RFC Draft OK -> 'whitelist' (no limits, no slamming, etc..)
# samples: smtp254.example.com. mail-88.colo.example.com.
/^smtp[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK
/^mail[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK
/^mx[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK

And.. to be more aggressive.. :-) .. some samples:

# sample: reject 'unassigned.example.com.'
/(^|.*\.)unassigned\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$/ REJECT Your hostname seems to indicate an 'unassigned' network

# sample: reject '0.0.0.10.dynamic.example.com.'
/(^|.*\.)dynamic\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$/ REJECT Your hostname seems to indicate an end user connection - Please use your ISP's SMTP

---

I know it's very crude, but I have some time to spend now and the real goal
is to increase my postfix knowledge .. anyway ..

It's already been 4 weeks that I'm testing this 'monster' on some (personal)
domains for which I'm really not concerned about mail loss.
Results? ..awesome!

Test (little) numbers:
Total incoming connections: about 50000
Ham messages: about 5000
False positives: about 50 (based on what I can know)

Ok, about 90% of total incoming messages were spam.. but:
85% blocked by pcre rules
14% blocked by dnsbl
1% quarantined by message tests (amavis,sa)

Previously dnsbl contributed 80% of total!

---

And now.. finally.. the 'subject' issue: when a client has a reverse hostname
but the corresponding fw dns query doesn't exist .. here a sample..

94.96.8.3 -> reverse lookup -> 94.96.8.3.dynamic.saudi.net.sa.
94.96.8.3.dynamic.saudi.net.sa. -> fw lookup -> NXDOMAIN

...postfix passes to me 'unknown[94.96.8.3]' and I cannot parse the existing
reverse hostname in the PCRE rules.

Is there a simple way to get the reverse hostname back ?

I thank you in advance for your patience and any help.

---
Amedeo Rinaldo
*Life is a biscuit, but if it rains it melts*
From: Sahil Tandon on 13 Jul 2010 22:57

On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:

> when a client has a reverse hostname but the corresponding fw dns
> query doesn't exist .. here a sample..
>
> 94.96.8.3 -> reverse lookup -> 94.96.8.3.dynamic.saudi.net.sa.
> 94.96.8.3.dynamic.saudi.net.sa. -> fw lookup -> NXDOMAIN
>
> ..postfix passes to me 'unknown[94.96.8.3]' and I cannot parse the
> existing reverse hostname in the PCRE rules.
>
> Is there a simple way to get the reverse hostname back ?

http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access

--
Sahil Tandon <sahil(a)FreeBSD.org>
From: Amedeo Rinaldo on 14 Jul 2010 11:21

On 14/07/2010 04:57, Sahil Tandon wrote:
> On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:
>
>> ..[CUT]..
>> Is there a simple way to get the reverse hostname back ?
>
> http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access

...so simple :) Thank you Sahil ..

But.. now I remember.. the reason I 'skipped' that restriction type is that
I'm testing on debian lenny (so .. postfix 2.5.5-1.1) and that feature is
only available in Postfix 2.6 and later.
It's only 2-3 days that I've been testing postfix 2.7.1: it works like a
charm :)

Is there a way to get the rDNS also in Postfix < 2.6 ?

Have a nice day..

---
Amedeo Rinaldo
*Life is a biscuit, but if it rains it melts*
From: Noel Jones on 14 Jul 2010 12:12

On 7/14/2010 10:21 AM, Amedeo Rinaldo wrote:
> On 14/07/2010 04:57, Sahil Tandon wrote:
>> On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:
>>
>>> ..[CUT]..
>>> Is there a simple way to get the reverse hostname back ?
>>
>> http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
>>
>
>
> ..so simple :) Thank you Sahil ..
>
> But.. now I remember.. the reason I 'skipped' that restriction
> type is that I'm testing on debian lenny (so .. postfix
> 2.5.5-1.1 ) and that feature is only available in Postfix 2.6
> and later.
> It's only 2-3 days that I've been testing postfix 2.7.1: it works
> like a charm :)
>
> Is there a way to get the rDNS also in Postfix < 2.6 ?

The other option is to use a policy service; they have access to the
unverified rDNS hostname. You can probably convince postfwd to do this
for you.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/

Or you can patch the postfix source manually to add the feature. The
patch has been posted to this list and should work without too much
trouble on 2.5.

--
Noel Jones
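The policy-service route Noel describes above, as an added example that is not from the thread, from postfwd or from Postfix itself: a minimal Python policy server that reads the attribute block smtpd sends, and, when the verified client_name is 'unknown' (the thread's case: PTR present, forward lookup NXDOMAIN), applies the pcre-style rules from the first message to the unverified reverse_client_name instead. It also serves the first message, since the lookup() helper emulates a pcre: access table (first match wins, case-insensitive) and can be used to test the rules offline before they go live. The two REJECT patterns are written so that 'unassigned'/'dynamic' may be the first label and may be followed directly by the domain, which the thread's own samples need. The listening port 10040 and the sample request are constructed for this example.

```python
import re
import socketserver

# Access rules transcribed from the thread. As in a Postfix pcre: table, the
# first matching rule wins and matching is case-insensitive by default.
RULES = [
    (r"^smtp[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$", "OK", ""),
    (r"^mail[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$", "OK", ""),
    (r"^mx[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$", "OK", ""),
    (r"(^|.*\.)unassigned\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$", "REJECT",
     "Your hostname seems to indicate an 'unassigned' network"),
    (r"(^|.*\.)dynamic\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$", "REJECT",
     "Your hostname seems to indicate an end user connection - "
     "Please use your ISP's SMTP"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), a, t) for p, a, t in RULES]


def lookup(hostname):
    """Emulate a pcre: access-table lookup: (action, text) of the first match, else None."""
    for rx, action, text in COMPILED:
        if rx.search(hostname):
            return action, text
    return None


def parse_policy_request(raw):
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs):
    """Pick the name to test: the verified client_name, or, when Postfix
    reports it as 'unknown', the unverified reverse_client_name."""
    name = attrs.get("client_name", "unknown")
    if name == "unknown":
        name = attrs.get("reverse_client_name", "unknown")
    if name == "unknown":
        return "DUNNO"  # no reverse name at all: leave it to later restrictions
    hit = lookup(name)
    if hit is None:
        return "DUNNO"
    return " ".join(hit).strip()


def handle_request(raw):
    """Full round trip for one request: returns the reply Postfix expects."""
    return "action=" + policy_action(parse_policy_request(raw)) + "\n\n"


# Constructed request, shaped like what smtpd sends for the thread's sample:
# the PTR record exists but its forward lookup fails, so client_name is 'unknown'.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=94.96.8.3\n"
    "client_name=unknown\n"
    "reverse_client_name=94.96.8.3.dynamic.saudi.net.sa\n"
    "\n"
)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve policy requests over TCP; Postfix may send several per connection."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # Postfix closed the connection
                line = line.decode("ascii", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            reply = handle_request("\n".join(lines) + "\n\n")
            self.wfile.write(reply.encode("ascii"))
            self.wfile.flush()


def run_server(host="127.0.0.1", port=10040):  # port is an assumption
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST).strip())
    run_server()
```

Wire it in with check_policy_service inet:127.0.0.1:10040 in smtpd_client_restrictions, in the same position the check_client_access pcre table occupied, so the whitelist still short-circuits the dnsbl lookups that follow it; on Postfix 2.6 and later, check_reverse_client_hostname_access gives the same lookup without the extra daemon. Keep the OK rules narrow: a policy OK is a permit, exactly as it is in an access table.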