[SOLVED] Quick question about Reject unknown and SPF

killmasta93

Hi,
I was wondering if someone could clear up the difference between
Reject unknown clients
and
Reject unknown senders

From what I understood,
Reject unknown senders will reject if the user that sends an email does not match the same MX record?

and
Reject unknown clients would only reject if the email does not exist on my side?

And is it possible, instead of rejecting emails that don't have SPF, to quarantine them?

Thank you
 

killmasta93

Thanks for the reply,
So in theory I'm correct: reject unknown senders rejects senders that do not match the MX record that publicly shows through their domain provider?

> Postfix SMTP server uses smtpd_dns_reply_filter only to look up MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.

And the reject unknown clients:
I could not find that on the link that you gave me.

Also, I'm not sure if it's possible to quarantine the SPF rejects instead of rejecting them?

Thank you
 

hata_ph

Sorry, it is reject_unknown_client_hostname

Code:
reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 1) the client IP address->name mapping fails, or 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
    This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
    The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
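The three conditions quoted in the post above, worked through as an added example (not part of the original post and not Postfix code). The DNS data is a constructed stand-in using documentation address ranges, and the function names are hypothetical; note that only PTR and A/AAAA data for the connecting IP is consulted, never an MX record.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption for this example).
PTR = {  # address -> name(s)
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["relay.example.net"],
    "198.51.100.7": ["mx.example.com"],
}
FWD = {  # name -> address(es)
    "mail.example.org": ["192.0.2.10"],
    "relay.example.net": ["203.0.113.99"],  # forward record points elsewhere
    # mx.example.com deliberately has no address record
}


def classify_client(ip, ptr=PTR, fwd=FWD):
    """Return (verdict, reason) per the three reject_unknown_client_hostname conditions."""
    addr = ipaddress.ip_address(ip)
    names = ptr.get(str(addr), [])
    if not names:
        return ("reject", "address->name mapping failed")             # condition 1
    resolved = [a for n in names for a in fwd.get(n.rstrip(".").lower(), [])]
    if not resolved:
        return ("reject", "name->address mapping failed")             # condition 2
    if addr not in {ipaddress.ip_address(a) for a in resolved}:
        return ("reject", "name->address does not match client IP")   # condition 3
    return ("accept", "forward-confirmed reverse DNS")


def reverse_only(ip, ptr=PTR):
    """The weaker reject_unknown_reverse_client_hostname: condition 1 only."""
    return "accept" if ptr.get(ip) else "reject"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(ip, classify_client(ip), "reverse-only:", reverse_only(ip))
```
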
 

killmasta93

Thanks for the reply.
So if the email that they send does not match the MX record, it gets rejected?

> the name->address mapping does not match the client IP address.

Does this apply if I checkmark the reject unknown clients?

Thank you
 

killmasta93

Thanks for the reply, so Reject unknown senders will reject if there is no email that actually exists?
And reject unknown clients will reject senders if they don't match the MX record, so my question is: if someone sends an email through an SMTP relay, will it get rejected?
Maybe, instead of rejecting, is it possible to quarantine it?
Thank you
 

hata_ph

If you enable reject unknown client, PMG/postfix will reject any client's IP/hostname that cannot be resolved.
If you enable reject unknown sender, PMG/postfix will reject any sender/relay domain's IP/hostname that cannot be resolved.

Both are optional settings; you may encounter some false positives if you enable both settings.

> maybe possible instead of rejecting possible to quarantine it?

I am not sure it can be done, maybe @Stoiko Ivanov or others can help to answer you.
 

Stoiko Ivanov

Proxmox Staff Member
> maybe possible instead of rejecting possible to quarantine it?

This is not possible since those 2 options work on smtp-proxy (a.k.a. postfix) level and are not subject to the rule-system (where quarantine is available).

> Reject unknown senders will reject if there is not email that actually exist?

To be precise, it does enable the reject_unknown_sender_domain ACL in postfix - see http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain for the explanation.

> and reject unknown clients will reject senders if they dont match the mx record,

Not quite - see
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

> so my question is if someone sends an email though SMTP relay will it get rejected?

Not in general (depends on whether the relay has sensible DNS forward and reverse records).

Put shortly: In most environments, if you use the internal port for internal mail and the external port for external mail, these settings work well. Some domains might not be well configured and will get rejected - you can whitelist those in the Mail Proxy whitelist (GUI -> Configuration -> Mail Proxy -> Whitelist).

I would suggest you enable them and check your logs for a few days - that should give you a good idea of how it works.

I hope this helps!
 

killmasta93

@hata_ph Thanks for the reply. I remember back then I had both check marks, which did give me the false positives; I just can't remember which one I disabled. But because I'm seeing lots of emails coming from domains that don't match the MX record, I need to find a way to block or do a reverse lookup, maybe at the postfix level?
From what I understood, neither of those two options would work for me?
As one only blocks domains if they don't have a hostname.

@Stoiko Ivanov Thanks for the reply, from that I did understand much better.
 

hata_ph

In the beginning, I did enable both reject unknown client and sender in my PMG setup. Then I noticed some false positives, but mainly this was due to the sender not setting up their DNS properly.
So now I have disabled both options and instead use greylisting, DNSBL and the mail filter to quarantine spam/suspicious mails. This combination works fine in my own environment.
 

killmasta93

Quick question on greylisting, I was reading a bit:

> is a spam reduction technique that can be very effective. It works by temporarily rejecting from client machines that are unknown to the server's greylisting service.

But how does it determine that, or does it determine it on the initial HELO greeting?

This article seems really interesting, going to try out a few things and post back:

https://www.linuxbabe.com/mail-server/block-email-spam-postfix

> Greylisting can result in bad experience for the end user, as the user has to wait another several minutes for the email to arrive. To minimize this bad experience, you can create a whitelist, and use a second MX record that points to the same host.
 

hata_ph

Greylisting is a very effective way to combat spam mails, as most spam bots will only send out spam once. But it does come with its own pros and cons. Check out the link below on greylisting.

https://en.wikipedia.org/wiki/Greylisting_(email)

Once you have enabled greylisting, it will apply to all incoming emails, or you can whitelist an IP/domain/hostname to bypass greylisting under Mail Proxy -> Whitelist.
 

Stoiko Ivanov

Proxmox Staff Member
> But how does it determine or does it determine on the initial HELO greet?

It does determine if the triple <sending-ip-network, sender-email, recipient-email> is new (is the first e-mail matching that triple) and then replies with 450 (try again later).
On the other hand, if there has been a mail in the past matching that triple, the mail is directly accepted.
So the delay is only there for new triples.

A description of the technical workings in PMG can be found in the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.6.6)

I hope this helps!
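The triple-based decision described in the post above, as an added sketch (not PMG's code and not part of the original post). The /24 and /64 network masks, the lower-casing of addresses and the optional `min_delay` are assumptions of this sketch, and the delivery attempts are constructed; the HELO name is not part of the key.

```python
import ipaddress


class Greylist:
    """Decide 450 (defer) or 250 (accept) from <ip-network, sender, recipient>."""

    def __init__(self, v4_prefix=24, v6_prefix=64, min_delay=0):
        # Prefix lengths and min_delay are assumptions, not values from the thread.
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.min_delay = min_delay
        self.first_seen = {}  # triple -> time of the first attempt

    def _triple(self, client_ip, sender, recipient):
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        # Key on the sending network so retries from a sibling host still match.
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.strip().lower(), recipient.strip().lower())

    def check(self, client_ip, sender, recipient, now):
        key = self._triple(client_ip, sender, recipient)
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return 450  # new triple: try again later
        if now - seen < self.min_delay:
            return 450  # retried sooner than the (assumed) minimum delay
        return 250      # triple seen before: accept directly


# Constructed delivery attempts: (time in seconds, client IP, sender, recipient).
ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (600, "192.0.2.11",   "alice@example.org", "bob@example.com"),    # retry, same /24
    (700, "192.0.2.10",   "alice@example.org", "carol@example.com"),  # new recipient
    (800, "198.51.100.5", "alice@example.org", "bob@example.com"),    # new network
    (900, "192.0.2.10",   "Alice@Example.org", "bob@example.com"),    # known triple
]


def replay(attempts, **options):
    """Feed the attempts through a fresh Greylist and return the reply codes."""
    greylist = Greylist(**options)
    return [greylist.check(ip, s, r, t) for t, ip, s, r in attempts]


if __name__ == "__main__":
    print(replay(ATTEMPTS))
```
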
 