1 (edited by Ange7 2018-05-15 21:28:52)

Topic: Mail error without any notifications

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Someone tried to send me an important e-mail but I never received it because of this:

May 15 11:39:22 joseph postfix/smtpd[31598]: NOQUEUE: reject: RCPT from unknown[145.131.1.101]: 450 4.7.1 <AHV-ID-6111.localdomain>: Helo command rejected: Host not found; from=<****@invoiceplane.com> to=<****> proto=ESMTP helo=<AHV-ID-6111.localdomain>

May 15 11:44:31 joseph postfix/smtpd[31709]: NOQUEUE: reject: RCPT from unknown[145.131.1.101]: 450 4.7.1 <AHV-ID-6111.localdomain>: Helo command rejected: Host not found; from=<****@invoiceplane.com> to=<*****> proto=ESMTP helo=<AHV-ID-6111.localdomain>

Hum ok, I think the problem is from the sender (I hope)

But I would like to know how to get a notification when this problem appears! Because maybe other people try to send me e-mail and I never receive them.

Thank you.


2

Re: Mail error without any notifications

Just a remark about the error itself.
In the logfile you see that the sending mailserver is IP address 145.131.1.101, and the "from" address is "someone"@invoiceplane.com

When the sending mailserver connects to your server, the procedure is to first say "EHLO servername.domain".
In this case, the sending mailserver introduces itself as <AHV-ID-6111.localdomain>

The receiving mailserver then checks that the name and IP address match by doing a DNS name resolution. Since this name can't be found, the e-mail is rejected.

How to fix: The sending mailserver MUST use an existing name as sender. In this case, the correct name is "invoiceplane.com". This must be fixed by the mail admin at invoiceplane.com.
Using LOCALDOMAIN as part of its name is NOT considered as a valid mail hostname on the internet.

How to check:
# host invoiceplane.com
invoiceplane.com has address 145.131.1.101
invoiceplane.com mail is handled by 10 invoiceplane.com.

PS: The only way to cope with this on the receiving end is to lower the "antispam fence". The risk though is that your mailserver will be flooded by spam. Check in the postfix configuration, in the area: smtpd_helo_restrictions.
in the /etc/postfix/main.cf file, and /etc/postfix/helo_access.pcre
see http://www.postfix.org/postconf.5.html# … trictions, and test carefully
NOTE do not allow <something>@localdomain

3 (edited by Ange7 2018-05-16 23:47:45)

Re: Mail error without any notifications

Thank you Swejun,

I understand why this e-mail was blocked but I want to know how to be notified when an e-mail is blocked... because if I don't check my error.log, I would never have seen the email. For example:

If mail is blocked because of bad DNS configuration:
  move this mail to : spam@myemail.com

or other solution maybe ?

4

Re: Mail error without any notifications

Ange7,
In this specific case, the sending server does not behave like a legitimate internet connected mailserver, so the sender is blocked before the e-mail is transmitted.
Actually it behaves like a hijacked PC, posing as a sender from @valid.domain.com.

There is no bounce message sent back to the sender (like it would do if the recipient address is wrong, or if it got trapped in the virus check). It's just dropped without further notice.
 
In order to catch this, I would create a script checking the logfile, and send an e-mail when it occurs.
On my "not so busy" mailserver, I just checked the number of dropped entries over the past three days, and found about 300.
So if you would be hit by a mail DDOS attack, spoofing senders, and all of them rejected + sending an e-mail to you to inform about it..... Not a good idea.
# grep NOQUEUE maillog* |grep 450 |wc -l

/I/

5

Re: Mail error without any notifications

For a quick check, do:

sudo grep NOQUE /var/log/maillog |grep -o 'from=.*' |cut -f1,2 -d " "

6

Re: Mail error without any notifications

Or even better, find all NOQUE, sort them and count uniq to/from pairs

grep NOQUE /var/log/maillog | grep -e from= |grep -o 'from=.*' |cut -f1,2 -d " " |sort |uniq -c
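The log-checking script suggested in post 4 and the grep/sort/uniq pipelines of posts 5 and 6, as an added example that is not from this thread or from iRedMail: it parses constructed sample lines of the same shape as the rejects quoted above, counts distinct from/to pairs per reply code, and caps the digest so a spoofing flood does not become a notification flood. The addresses, the second reject line and the max_lines threshold are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the postfix/smtpd rejects quoted in the thread
# (addresses are made up; the third line is a different reject code, the fourth is not a reject).
SAMPLE_LOG = """\
May 15 11:39:22 joseph postfix/smtpd[31598]: NOQUEUE: reject: RCPT from unknown[145.131.1.101]: 450 4.7.1 <AHV-ID-6111.localdomain>: Helo command rejected: Host not found; from=<alice@invoiceplane.com> to=<me@example.org> proto=ESMTP helo=<AHV-ID-6111.localdomain>
May 15 11:44:31 joseph postfix/smtpd[31709]: NOQUEUE: reject: RCPT from unknown[145.131.1.101]: 450 4.7.1 <AHV-ID-6111.localdomain>: Helo command rejected: Host not found; from=<alice@invoiceplane.com> to=<me@example.org> proto=ESMTP helo=<AHV-ID-6111.localdomain>
May 15 12:01:05 joseph postfix/smtpd[31800]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Access denied; from=<spam@example.com> to=<bob@example.org> proto=SMTP helo=<mail.example.com>
May 15 12:02:10 joseph postfix/smtpd[31801]: connect from mx.example.com[198.51.100.7]
"""

# One pattern for the "NOQUEUE: reject: RCPT" line family; other smtpd lines simply do not match.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) \d\.\d+\.\d+ (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per reject line: client, code, reason, sender, rcpt, helo."""
    return [m.groupdict() for m in (REJECT_RE.search(l) for l in log_text.splitlines()) if m]


def count_pairs(rejects, code="450"):
    """Count distinct (sender, recipient) pairs for one reply code (the sort | uniq -c idea)."""
    return Counter((r["sender"], r["rcpt"]) for r in rejects if r["code"] == code)


def build_digest(pairs, max_lines=20):
    """Build the body of one notification, capped so a flood of spoofed senders
    cannot turn into a flood of alerts (the concern raised in post 4).

    Returns (lines, suppressed): at most max_lines entries, most frequent first,
    plus the number of distinct pairs left out.
    """
    ranked = pairs.most_common()
    lines = [f"{n:4d}  from=<{s}> to=<{t}>" for (s, t), n in ranked[:max_lines]]
    return lines, max(0, len(ranked) - max_lines)


if __name__ == "__main__":
    digest, left_out = build_digest(count_pairs(parse_rejects(SAMPLE_LOG)))
    print("\n".join(digest))
    if left_out:
        print(f"... and {left_out} more distinct from/to pairs")
```

Running the real file instead of SAMPLE_LOG means reading /var/log/mail.log (the path differs per distribution, as the grep commands above show) and handing the digest to your own mail-sending routine.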

7

Re: Mail error without any notifications

Thank you swejun for all answers !