[SOLVED] Quick question about Reject unknown and SPF

K

killmasta93

Renowned Member
Aug 13, 2017
973
58
68
31
HI
I was wondering if someone could clear up the difference from
Reject unknown clients
and
Reject unknown senders

From what i understood
Reject unknown senders, will reject if the user that sends an email does not match the same MX record?

and
Reject unknown clients would only reject if the email does not exist on my side?

And is it possible to instead of reject emails that dont have SPF that could be quarantined?

Thank you
 
Thanks for the reply,
So in theory im correct the reject unknown senders rejects senders that do not match the MX record that publicly shows though their Domain provider?
Postfix SMTP server uses smtpd_dns_reply_filter only to look up MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
Click to expand...


and the reject unknown clients
Could not find that on the link that you gave me

Also not sure if its possible to quarantine the SPF rejects instead of rejecting it?

Thank you
 
Sorry, is reject_unknown_client_hostname

Code: 
reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 1) the client IP address->name mapping fails, or 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
    This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
    The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
 
Thanks for the reply
so if the email that they send does not match on the mx record it gets rejected?

the name->address mapping does not match the client IP address.
Click to expand...

this applies if i checkmark the reject unknown clients?

Thank you
 
Thanks for the reply, so Reject unknown senders will reject if there is not email that actually exist?
and reject unknown clients will reject senders if they dont match the mx record, so my question is if someone sends an email though SMTP relay will it get rejected?
maybe possible instead of rejecting possible to quarantine it?
Thank you
 
If you enable reject unknown client, PMG/postfix will reject any client's IP/hostname that cannot be resolved.
If you enable reject unknown sender, PMG/postfix will reject any sender/relay domain's IP/hostname that cannot be resolved.

Both 2 are optional settings, you may encounter some false positive if you enable both settings.

maybe possible instead of rejecting possible to quarantine it?
Click to expand...

I am not sure can be done, maybe @Stoiko Ivanov or others can help to answer you.
 
Last edited:
  • Like
Reactions: killmasta93
killmasta93 said:
maybe possible instead of rejecting possible to quarantine it?
Click to expand...
This is not possible since those 2 options work on smtp-proxy (a.k.a postfix) level and are not subject to the rule-system (where quarantine is available).

killmasta93 said:
Reject unknown senders will reject if there is not email that actually exist?
Click to expand...
to be precise it does enable the reject_unknown_sender_domain acl in postfix - see http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain for the explanation
killmasta93 said:
and reject unknown clients will reject senders if they dont match the mx record,
Click to expand...
not quite - see
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

killmasta93 said:
so my question is if someone sends an email though SMTP relay will it get rejected?
Click to expand...
not in general (depends on whether the relay has sensible DNS forward an reverse records

Put shortly: In most environments, if you use the internal port for internal mail and the external port for external mail these settings work well. Some domains might not be well configured and will get rejected - you can whitelist those in the Mail Proxy whitelist (GUI->Configuration->Mail Proxy-> Whitelist)

I would suggest you enable them and check your logs for a few days - that should give you a good idea of how it works

I hope this helps!
 
  • Like
Reactions: killmasta93
@hata_ph Thanks for the reply, i remember back then i had both check marks which did give me the false positives just cant remember which one i disabled. But because im seeing lots of emails coming from domains that dont match the MX record. I need to find a way to block or do a reverse lookup maybe at the postfix level?
from what i understood neither of those two options would work for me?
As one only block domains if they dont have a hostname.

@Stoiko Ivanov Thanks for the reply, from that i did understand much better
 
  • Like
Reactions: Stoiko Ivanov
In the beginning, I did enable both reject unknown client and sender in my PMG setup. Then I notice some false positive but mainly is due to the sender did not setup their DNS properly.
So now I disable both option, instead use greylisting, DNSBL and mail filter to quarantine spam/suspicious mails. This combination work fine on my own environment.
 
  • Like
Reactions: killmasta93 and Stoiko Ivanov
quick question on greylisting i was reading a bit

is a spam reduction technique that can be very effective. It works by temporarily rejecting from client machines that are unknown to the server's greylisting service.
Click to expand...

But how does it determine or does it determine on the initial HELO greet?

This article seems really interesting going to try out a few things and post back

https://www.linuxbabe.com/mail-server/block-email-spam-postfix

Greylisting can result in bad experience for the end user, as the user has to wait another several minute for the email to arrive. To minimize this bad experience, you can create a whitelist, and use a second MX record that points to the same host.
Click to expand...
 
Last edited:
Greylisting is a very effective way to combat spam mails as most spam bot will only send out spams once. But it do come with it own pro and cons. Check out below link on greylisting.

https://en.wikipedia.org/wiki/Greylisting_(email)

Once you have enable gresylisting, it will apply to all incoming emails or you can whitelist IP/domain/hostname to bypass greylisting under Mail Proxy -> Whitelist.
 
  • Like
Reactions: killmasta93
killmasta93 said:
But how does it determine or does it determine on the initial HELO greet?
Click to expand...
It does determine if the triple <sending-ip-network, sender-email, recipient-email> is new (is the first e-mail matching that triple) and then replies with 450(try again later)
on the other hand if there has been a mail in the past matching that triple the mail is directly accepted.
So the delay is only there for new triples.

A description of the technical workings in PMG can be found in the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.6.6)

I hope this helps!
 
  • Like
Reactions: killmasta93
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom