On a postfix MTA MX setup, I have a spam mail pass two checks which it definitely shouldn't.
The `postfix/smtpd` process logs these warnings, which should be a hard fail in this setup:

```
hostname * does not resolve to address *: No address associated with hostname
Unable to look up MX host * for Helo command *: No address associated with hostname
```
The relevant mail log is this:

```
postfix/smtpd: warning: hostname peggy-langley.colormemobile.com does not resolve to address 45.58.139.69: No address associated with hostname
postfix/smtpd: connect from unknown[45.58.139.69]
postfix/smtpd: warning: Unable to look up MX host mail.intrcomm.net for Helo command eldoark.com: No address associated with hostname
policyd-spf: prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=45.58.139.69; helo=eldoark.com; [email protected]; receiver=<UNKNOWN>
postgrey: action=greylist, reason=new, client_name=unknown, client_address=45.58.139.69, [email protected], recipient=<hidden>
postfix/smtpd: NOQUEUE: reject: RCPT from unknown[45.58.139.69]: 450 4.2.0 <hidden>: Recipient address rejected: Greylisted, try again later; from=<[email protected]> to=<hidden> proto=ESMTP helo=<eldoark.com>
```
This should not even hit greylisting, or the further checks which would block it later. Here is why:

- `45.58.139.69` has a PTR record `peggy-langley.colormemobile.com`, but this domain has no A/AAAA IP record (nor an MX record).
- The HELO of `eldoark.com` has an MX record of `mail.intrcomm.net`, but this subdomain has no A/AAAA IP records.
I can't find any postconf setting that would turn these warnings into errors, and I wonder if I'd have to write my own check there. `postfix` does log warnings, so it is aware of the issues; hopefully I'm simply missing something?
The MTA config has

```
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    [...]
    reject_unknown_helo_hostname,
    [...]
    permit
```

and

```
smtpd_sender_restrictions =
    [...]
    reject_unknown_sender_domain,
    [...]
    permit
```
and I would have thought that either one or both should nuke this connection, but on closer look, those checks seem to be insufficient here:
> reject_unknown_helo_hostname: Reject the request when the HELO or EHLO hostname has no DNS A or MX record.
Clearly, the HELO domain has an A and MX record (only the MX fails to resolve). So this seems to pass.
> reject_unknown_sender_domain: Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname

MAIL FROM (`[email protected]`) is clearly spoofed, so this doesn't help at all?
edit: Added requested SMTP transcript, for what it's worth

```
Out: 220 my.domain.name ESMTP Postfix
In:  EHLO eldoark.com
Out: 250-my.domain.name
Out: 250-PIPELINING
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250-DSN
Out: 250 SMTPUTF8
In:  MAIL FROM:<[email protected]> BODY=8BITMIME
Out: 250 2.1.0 Ok
In:  RCPT TO:<hidden>
Out: 450 4.2.0 <hidden>: Recipient address rejected: Greylisted, try again later
In:  QUIT
Out: 221 2.0.0 Bye
```
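As an added example (not from the question above), here is the decision logic for a Postfix policy-delegation check that does what the built-in restrictions do not: it requires that the HELO name or at least one of its MX targets actually resolves to an A/AAAA address, and that the client name is verified (Postfix hands a policy server `client_name=unknown` when the PTR name cannot be confirmed, which is also what the stock `reject_unknown_client_hostname` restriction acts on). The `resolve` callback and the zone table are assumptions standing in for a real resolver such as dnspython, so the logic runs offline against data mirroring the log.

```python
from typing import Callable, Dict, List

# (name, rrtype) -> list of rdata strings; swap in a real DNS resolver in production.
Resolver = Callable[[str, str], List[str]]

def has_address(name: str, resolve: Resolver) -> bool:
    """True if the name has at least one A or AAAA record."""
    return bool(resolve(name, "A") or resolve(name, "AAAA"))

def helo_ok(helo: str, resolve: Resolver) -> bool:
    """Stricter than reject_unknown_helo_hostname: an MX record alone is not
    enough, the HELO name or one of its MX hosts must resolve to an address."""
    if has_address(helo, resolve):
        return True
    return any(has_address(mx, resolve) for mx in resolve(helo, "MX"))

def client_ok(client_name: str, resolve: Resolver) -> bool:
    """Postfix sends client_name=unknown when the PTR name did not verify."""
    return client_name != "unknown" and has_address(client_name, resolve)

def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: attribute=value lines ended by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def policy_action(raw: str, resolve: Resolver) -> str:
    """Return the action line a policy server would write back (Postfix expects
    it followed by an empty line); DUNNO lets later restrictions decide."""
    req = parse_policy_request(raw)
    if not client_ok(req.get("client_name", "unknown"), resolve):
        return "action=REJECT Client hostname does not resolve to an address"
    if not helo_ok(req.get("helo_name", ""), resolve):
        return "action=REJECT HELO hostname and its MX hosts have no address"
    return "action=DUNNO"

# Constructed zone data mirroring the log: eldoark.com has only an MX, whose
# target has no address; example.org is a well-formed control case.
SAMPLE_ZONE = {
    ("eldoark.com", "MX"): ["mail.intrcomm.net"],
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): ["mx.example.org"],
    ("mx.example.org", "A"): ["192.0.2.25"],
}
def sample_resolve(name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rrtype), [])

# Constructed policy request shaped like the one Postfix would send for the logged session.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nclient_address=45.58.139.69\n"
                  "client_name=unknown\nhelo_name=eldoark.com\nsender=spoofed@example.org\n\n")
```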