1

Topic: Mail rejected & white list fails

==== Required information ====
- iRedMail version (check /etc/iredmail-release):   0.9.7
- Linux/BSD distribution name and version:    CentOS 6.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):   MySQL
- Web server (Apache or Nginx):  Nginx
- Manage mail accounts with iRedAdmin-Pro?  yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
/var/log/maillog
====


Mail rejected -- white list fails in Admin-Pro

Mail is rejected, with multiple entries like the following in the logs. It appears to be bad DNS on their system, but whitelisting the IP in our control panel did not open it up for acceptance.

Jan 30 11:53:27 mail02 postfix/smtpd[461]: NOQUEUE: reject: RCPT from mail2.navyfederal.org[199.204.166.208]: 450 4.7.1 <wch-ironmail-ce.navyfederal.org>: Helo command rejected: Host not found; from=<some_user@navyfederal.org> to=<local_user@hosted_iredmail_system> proto=ESMTP helo=<wch-ironmail-ce.navyfederal.org>

Jan 30 12:22:42 mail02 postfix/smtpd[1874]: NOQUEUE: reject: RCPT from anchor.navyfederal.org[199.204.164.208]: 450 4.7.1 <gunwale.navyfederal.org>: Helo command rejected: Host not found; from=<some_user@navyfederal.org> to=<local_user@hosted_iredmail_system> proto=ESMTP helo=<gunwale.navyfederal.org>


2

Re: Mail rejected & white list fails

This is blocked due to an unresolvable DNS hostname used in the HELO identity (helo=<xxx>).
You have to whitelist them in file /etc/postfix/helo_access.pcre.

3 (edited by pbf343 2018-02-04 01:39:14)

Re: Mail rejected & white list fails

ZhangHuangbin wrote:

This is blocked due to an unresolvable DNS hostname used in the HELO identity (helo=<xxx>).

As suspected, thank you for confirming.

ZhangHuangbin wrote:

You have to whitelist them in file /etc/postfix/helo_access.pcre.

Is this the only file where they need to be whitelisted?
Has iRedMail/APD changed in that it is no longer recommended to add a second pcre file like your example here:
    https://forum.iredmail.org/post55260.html#p55260

Should the syntax be:  /^gunwale\.navyfederal\.org$/ OK
as this example uses braces: /(speedyterra\.com\.br)$/


What is the function of the Admin-Pro panel whitelist text field box? Note: I saw the above thread and this comment: "iRedAPD doesn't support HELO white/blacklisting yet." This is not clear in the interface, and one would think adding an IP or domain, as the valid record formats state, would allow the system to accept the e-mail, regardless of the hello_check.



Would adding the actual IP address into the mynetworks variable allow email delivery? Are there any risks to this option?

4

Re: Mail rejected & white list fails

pbf343 wrote:

Is this the only file where they need to be whitelisted?

Yes.

5

Re: Mail rejected & white list fails

ZhangHuangbin wrote:
pbf343 wrote:

Is this the only file where they need to be whitelisted?

Yes.

Thank you! 

What is the impact, particularly regarding upgrades, of having done it by following the older thread's instructions, with a:
    /etc/postfix/helo_access_weblist.pcre
file created and adding to it? 


Are you willing to explain the difference in the syntax? I assume this would be regular expressions as it pertains to bash, but was not sure if that is correct or possibly related to Python/iRedAPD.

/(speedyterra\.com\.br)$/
vs
/^gunwale\.navyfederal\.org$/ OK
/^wch-ironmail-ce\.navyfederal\.org$/ OK
vs
/^DESHUBCAS\.dorriseaton\.com$/ DUNNO

6

Re: Mail rejected & white list fails

pbf343 wrote:

What is the impact, particularly regarding upgrades, of having done it by following the older thread's instructions, with a:
    /etc/postfix/helo_access_weblist.pcre
file created and adding to it? 

The old thread has the SAME purpose: whitelist the ones you want to whitelist BEFORE the rules to block it.

pbf343 wrote:

Are you willing to explain the difference in the syntax?

Check this Postfix document, it's very detailed:
http://www.postfix.org/pcre_table.5.html

7 (edited by pbf343 2018-02-10 18:31:21)

Re: Mail rejected & white list fails

ZhangHuangbin wrote:
pbf343 wrote:

What is the impact, particularly regarding upgrades, of having done it by following the older thread's instructions, with a:
    /etc/postfix/helo_access_weblist.pcre
file created and adding to it? 

The old thread has the SAME purpose: whitelist the ones you want to whitelist BEFORE the rules to block it.

pbf343 wrote:

Are you willing to explain the difference in the syntax?

Check this Postfix document, it's very detailed:
http://www.postfix.org/pcre_table.5.html


So in the case below there is a 450 error, but it states domain not found instead of host not found. Is this a totally separate error, not in the smtpd_helo_restrictions?
450 4.1.8 <SHM@uxhpvm21.sdc.sentara.com>: Sender address rejected: Domain not found; from=<SHM@uxhpvm21.sdc.sentara.com>

Should this syntax work in the pcre file for a Domain not found error?
    /^uxhpvm21\.sdc\.sentara\.com$/ OK

Reading through this (http://www.postfix.org/pcre_table.5.html) somewhat, it appears to be Perl based. Does the ^ at the start of the string negate the value, or does it mean something else, like the start of the line?
In other words, is this *nix globbing (^ start of line, $ end of line) instead of Perl regexp?
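
Added example, not part of the original thread or of iRedMail: a small Python emulation of how a Postfix pcre table in the simple `/pattern/ action` form is evaluated against a HELO name, showing first-match-wins ordering and the effect of the `^` and `$` anchors on the patterns quoted above. Assumptions: Python's `re` stands in for PCRE, the names `SAMPLE_TABLE`, `parse_table` and `lookup` are hypothetical, and the `OK` on the unanchored line and the final `REJECT` rule are constructed for illustration.

```python
import re

# Constructed sample table. The first three patterns are quoted in the thread;
# the OK action on the unanchored line and the REJECT rule are assumptions.
SAMPLE_TABLE = r"""
# whitelist entries go first
/^gunwale\.navyfederal\.org$/ OK
/^wch-ironmail-ce\.navyfederal\.org$/ OK
/(speedyterra\.com\.br)$/ OK
# constructed block rule placed after the whitelist
/\.com\.br$/ REJECT constructed block rule
"""

# "/pattern/flags action"; only the "i" flag is handled in this sketch.
RULE = re.compile(r"^/(?P<pattern>.+)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Return [(compiled_regex, action), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        # pcre_table(5): matching is case-insensitive by default,
        # and an "i" flag toggles that default off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pattern"], flags), m["action"]))
    return rules


def lookup(rules, helo_name):
    """First matching pattern wins; None means no rule matched."""
    for regex, action in rules:
        # Unanchored search: ^ and $ in the pattern pin start and end.
        if regex.search(helo_name):
            return action
    return None


if __name__ == "__main__":
    rules = parse_table(SAMPLE_TABLE)
    for name in ("gunwale.navyfederal.org", "xgunwale.navyfederal.org",
                 "otherspeedyterra.com.br", "host.example.com.br"):
        print(f"{name:32} -> {lookup(rules, name)}")
```

On a server with Postfix installed, `postmap -q "gunwale.navyfederal.org" pcre:/etc/postfix/helo_access.pcre` runs the same lookup against the real table.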