[SOLVED] reject_unknown_reverse_client_hostname / rDNS

eneref

New Member
Apr 8, 2026
We would like to automatically block all incoming email from domains that have no rDNS. Not having rDNS violates the RFC, so that's an easy block. We do not want to necessarily block email from domains that don't match on reverse, because using one IP for multiple domains is actually pretty common.

From what I gather, that falls under the postfix classification of reject_unknown_reverse_client_hostname vs reject_unknown_client_hostname. Is that available in Proxmox? I only see reject_unknown_client_hostname as a configurable option.
 
> We do not want to necessarily block email from domains that don't match on reverse,

IMHO, an IP address which pretends to have a domain name can be a sign of a bigger risk than having no domain name at all, because pretending in fact spoofs membership in a particular entity. Possibly with fraudulent intent.

> because using one IP for multiple domains is actually pretty common.

The fact that there are many domain names mapping to one particular IP address isn't easily visible, and your smtpd server probably won't notice it anyway and doesn't care.
Because first the smtpd server can see the IP address, not the domain name.
Then the smtpd server (optionally?) checks the IP address --> domain name mapping.
Then it (optionally?) verifies the domain name --> IP address mapping.
It (optionally) only requires that both of those mappings match.

So a smtpd server doesn't care if there are many mappings like
host.example1.net --> 12.34.56.78
host.example2.net --> 12.34.56.78
host.example3.net --> 12.34.56.78

> From what I gather, that falls under the postfix classification of reject_unknown_reverse_client_hostname vs reject_unknown_client_hostname.

This is my understanding as well. Quoting https://www.postfix.org/postconf.5.html

reject_unknown_reverse_client_hostname
Reject the request when the client IP address has no address->name mapping.
This is a weaker restriction than the reject_unknown_client_hostname feature.

> Is that available in Proxmox?

I don't know if it is available in the GUI. But see below...

> I only see reject_unknown_client_hostname as a configurable option.

It shouldn't be a problem. I believe you can set any Postfix parameter by means of "templates":

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

"You can find the default templates in /var/lib/pmg/templates/ . Please do not modify these directly, otherwise your modifications will be lost on the next update. Instead, copy the template you wish to change to /etc/pmg/templates/ , then apply your changes there. [...]" (Read also the continuation of this excerpt).

HTH

edit: typos
Note also:

"The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem."

So to reject immediately, you'll have to change it to some 5xx code.
But before you do, have some sufficiently long testing period and carefully observe the logs for rejects, to avoid unintended hard rejections.
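As an added example (not Postfix's or PMG's own code), the following Python models the difference between the two restrictions discussed above and the rule that a temporary address->name lookup failure always yields 450. The stub resolver, the zone data and all addresses are constructed; the reply texts only approximate Postfix's wording, and the permanent reject code is passed in rather than assumed.

```python
from enum import Enum


class Rc(Enum):
    """Outcome of one DNS lookup."""
    OK = 1
    NXDOMAIN = 2   # authoritative "no such record"
    TEMPFAIL = 3   # SERVFAIL or timeout: the answer is unknown right now


# Constructed stub zone data, (record type, owner) -> (outcome, answers).
# Addresses are documentation/example values, not real hosts.
ZONE = {
    ("PTR", "12.34.56.78"): (Rc.OK, ["host.example1.net"]),
    ("A", "host.example1.net"): (Rc.OK, ["12.34.56.78"]),     # forward matches client IP
    ("PTR", "203.0.113.9"): (Rc.OK, ["mail.example.org"]),
    ("A", "mail.example.org"): (Rc.OK, ["198.51.100.2"]),     # forward does not match
    ("PTR", "192.0.2.5"): (Rc.NXDOMAIN, []),                  # no rDNS at all
    ("PTR", "198.51.100.7"): (Rc.TEMPFAIL, []),               # resolver unreachable
}


def resolve(rtype, owner):
    return ZONE.get((rtype, owner), (Rc.NXDOMAIN, []))


def reject_unknown_reverse_client_hostname(ip, reject_code, resolve=resolve):
    """Step 1 only: reject when the client IP has no address->name mapping."""
    status, names = resolve("PTR", ip)
    if status is Rc.TEMPFAIL:
        return "450 Client host rejected: cannot find your reverse hostname"
    if not names:
        return f"{reject_code} Client host rejected: cannot find your reverse hostname"
    return None   # permit here, i.e. fall through to the next restriction


def reject_unknown_client_hostname(ip, reject_code, resolve=resolve):
    """Steps 1-3: PTR exists, a name resolves forward, and an answer is the client IP."""
    status, names = resolve("PTR", ip)
    if status is Rc.TEMPFAIL:
        return "450 Client host rejected: cannot find your hostname"
    if not names:
        return f"{reject_code} Client host rejected: cannot find your hostname"
    for name in names:
        fstatus, addrs = resolve("A", name)
        if fstatus is Rc.TEMPFAIL:
            return "450 Client host rejected: cannot find your hostname"
        if ip in addrs:
            return None
    return f"{reject_code} Client host rejected: cannot find your hostname"
```

The 203.0.113.9 case is the one the OP wants to keep accepting: it has rDNS but the forward lookup does not point back, so only the stricter restriction rejects it.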
Yeah. I'm LESS concerned about that, because a 450 response should still block incoming, albeit temporarily. But if it continues to respond 450, it will sit in the client queue until expiry. And if they fix their issues, it will eventually come through. Which is an ideal scenario for us, I think.
 
Got a good test this week after I made the change, as our ISP had some routing issues that caused intermittent outages, so DNS wasn't always reachable. Got a few incoming emails that blocked on a 450 because DNS timed out. But they were later resent and worked fine. So, I will call this a success.

For those wanting to do the same, I created an /etc/pmg/templates directory, added reject_unknown_reverse_client_hostname in main.cf.in in the smtpd_sender_restrictions section (just before the pmg.mail options that are edited via GUI), and ran a pmgconfig sync --restart 1 as per instructions. Worked like a charm:

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    check_client_access cidr:/etc/postfix/clientaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_sender_access hash:/etc/pmg/tls_inbound_domains
    check_recipient_access regexp:/etc/postfix/rcptaccess
    reject_unknown_reverse_client_hostname
    [%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %]
    [%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]