Mail Server behaving oddly



  • Hi Guys,

I have several networks that have identical setups, and I have this new office where we have a new E1 connection. The old network was using DSL and for several months I had no problems, but ever since they moved to the new office it's been a PITA. One of the issues that I haven't been able to resolve until now is the mail (postfix) server behind pfSense, i.e., all emails get tagged by Postfix's RBL rule as spam and are thereby bounced back. It was working great when we were on DSL, but problems arose when we switched to E1.

My initial setup was pfSense -> Untangle (bridge mode) -> LAN + Mail Server, but since users from outside the network were having difficulty accessing their emails using Outlook I had no recourse but to immediately put the mail server just behind pfSense together with the Untangle box. A few days after this I started getting bouncing emails; even legitimate servers like Yahoo and Gmail bounce back and get tagged by Postfix's RBL rule as being listed in spamhaus.org. To make a long story short, almost all incoming emails are bouncing.

The only thing that has changed in pfSense is the WAN public IP, and I'm quite sure that the DNS pointers are correct. I've already posted in several forums including postfix itself, and their suggestion is to at least install a DNS caching nameserver on the SMTP server. They even implied that I should not be using DNS forwarders (e.g., OpenDNS) and that my setup is vulnerable to the Kaminsky attack. Is this true?

Does using pfSense's dnsmasq safeguard me from Kaminsky? Would you suggest using TinyDNS instead on the pfSense box? Or should I install a locally caching nameserver on Postfix itself?

    TIA



  • This sounds like a postfix problem.  All you've posted says nothing about why mail is being marked as spam.  You need to resolve that problem if you expect to move forwards.  I'd really suggest you try the postfix mailing list.



  • @Cry:

    This sounds like a postfix problem.  All you've posted says nothing about why mail is being marked as spam.  You need to resolve that problem if you expect to move forwards.  I'd really suggest you try the postfix mailing list.

I've already tried posting to postfix and they said it's not postfix that's causing the problem; they suspected that DNS might be the culprit. I have dnsmasq running on pfSense and it was running okay when I was still using pfSense 1.2; it has since undergone two upgrades and is currently at 1.2.2. Also, I'm using OpenDNS as a forwarding DNS, though I'm not sure if it's the one causing it. For the meantime I've disabled the RBL checks both at the MTA level and the MailScanner level; the caveat is I'm getting lots of spam. SpamD is not an option because my users are a PITA.

    Is this Kaminsky vulnerability affecting dnsmasq?



  • Presumably your new connection has a new IP (static?) address. Is that IP address appropriately registered with OpenDNS?

As well as providing name services, OpenDNS has a filtering service such that (for example) a lookup of racists-advocating-violence.com returns the IP address of an OpenDNS web server which says access to racists-advocating-violence.com is not allowed. If your new IP address was previously used by someone who had registered with OpenDNS and selected some level of filtering, then your new IP address may have unintentionally inherited the settings of the previous user of the IP address, and it's possible this could have some impact on your email spam issue. (I don't know anything significant about postfix. It's not clear to me whether the email spam issue is on outgoing mail from your system or incoming mail to your system.) I have no idea how OpenDNS deals with address-to-name translations nor how they deal with IP address reassignments.

    Have you tried using your ISP's DNS server for a while?

It's been my experience that some mail operators are pretty slack about keeping their lists of spam sources up to date. Over a period of some months I made a number of attempts to get my ISP's SMTP server off the spam source list for hanmail.com (which I believe is a Korean Hotmail-like service), but they were utterly uninterested in communicating with me or my ISP about the issue, and it was only "resolved" when the person with whom I was attempting to communicate got a mailbox at another provider.

I have no idea what you sent to the postfix list, but it would be helpful to have more information along the lines of "a message from … to ... was marked as spam by postfix and the postfix log file entry said the reason was ..." That may give us something more to work with.



  • Sample log from my SMTP Server:

Feb 10 21:34:46 kartero postfix/smtpd[14176]: NOQUEUE: reject: RCPT from wf-out-1314.google.com[209.85.200.172]: 554 5.7.1 Service unavailable; Client host [209.85.200.172] blocked using bl.spamcop.net; from=<ipcopper.ph@gmail.com> to=<jan.gestre@ddb.com.ph> proto=ESMTP helo=<wf-out-1314.google.com>

    Some of the logs not shown here indicated UNKNOWN host. Basically I have minimal filtering on my OpenDNS (phishing only). I've also registered the IP address as suggested, to no avail, and I've also tried other DNS servers like 4.2.2.2 and 156.154.70.1 with the same result. As of now I've disabled the RBL check at the MTA level as well as MailScanner's. If I turn them on, almost all incoming mail is blocked as being listed in an RBL, but when you check whether it's really listed, it's not.



The log file entry looks to me as if it's saying the mail from 209.85.200.172 was rejected by postfix because it matched a list from bl.spamcop.net.

I don't have any relevant knowledge of postfix, but MAYBE it's working from a corrupt list from bl.spamcop.net and it's rejecting everything to be safe. I presume this list is kept in a file; if so, are you checking the same file that postfix uses? Does the file protection allow postfix to read it? Presumably postfix will want to update the file with a fresh copy from time to time. Do the file ownership and protection allow that?

    You mentioned you have several networks. Do they all have a mailserver?
    If so, are they all working with the same list from bl.spamcop.net?

As Cry Havok wrote, this looks like a postfix problem and I can't see any point continuing to discuss it here because there's no evidence to suggest pfSense is doing anything dubious or wrong. Perhaps armed with more specific information you'll be able to get some more specific help from some postfix experts.



  • Afaik the rb(l) blocklists in postfix are not stored locally or cached. Try running rblcheck on your mailserver like this:

    rblcheck -s bl.spamcop.net 209.85.200.172

    It should reply with:

    209.85.200.172 not RBL filtered by xbl.spamhaus.org
    209.85.200.172 not RBL filtered by sbl.spamhaus.org
    209.85.200.172 not RBL filtered by list.dsbl.org
    209.85.200.172 not RBL filtered by dnsbl.njabl.org
    209.85.200.172 not RBL filtered by dul.dnsbl.sorbs.net
    209.85.200.172 not RBL filtered by l1.spews.dnsbl.sorbs.net
    209.85.200.172 not RBL filtered by bl.spamcop.net



  • I wonder if you've got a broken DNS server somewhere that responds to DNS lookups of the relevant hostname with an address, or if you've got one doing wildcard resolving of anything (like OpenDNS does for certain domains).

    What does "host 172.200.85.209.bl.spamcop.net" (on the Postfix server) show?
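The two posts above (the rblcheck run and the manual "host 172.200.85.209.bl.spamcop.net" lookup) both come down to the same mechanism: a DNSBL query is the client's IPv4 octets reversed, prepended to the list's zone, and an MTA such as Postfix treats any A record in the reply as "listed". A forwarder that replaces NXDOMAIN with its own landing-page address therefore makes every client look listed, which is exactly the symptom described in this thread. The following is an added example, not code from the thread or from any of the tools mentioned; it builds the query name, interprets the answer, and runs two resolver sanity checks. The resolver functions and the listed address 203.0.113.7 are constructed stand-ins (no network access); the 127.0.0.2 "always listed" test entry and the 127.0.0.0/8 answer convention are assumed from RFC 5782.

```python
"""Added example: DNSBL query construction and resolver sanity checks.
Not code from the thread; the resolvers below are constructed stand-ins
that never touch the network."""
import ipaddress
import random
import string


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone.
    209.85.200.172 + bl.spamcop.net -> 172.200.85.209.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answer(answers):
    """Interpret the A records returned for a DNSBL query.
    - no answer (NXDOMAIN)     -> "not listed"
    - only 127.0.0.0/8 answers -> "listed" (the DNSBL return-code convention)
    - anything else            -> "suspicious": something between the MTA and
      the list is synthesising answers; an MTA without a return-code filter
      would still treat this as a listing."""
    if not answers:
        return "not listed"
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return "listed"
    return "suspicious"


def check_dnsbl(ip, zone, resolve):
    """resolve(name) must return the list of A records for name ([] == NXDOMAIN)."""
    return classify_answer(resolve(dnsbl_query_name(ip, zone)))


def resolver_sanity(zone, resolve):
    """Two checks to run against the resolver the MTA actually uses:
    1. 127.0.0.2 must come back listed (RFC 5782 test entry); if not, the zone
       is unreachable or being blanked.
    2. A random label that cannot exist under the zone must NOT resolve; if it
       does, the resolver is returning wildcard answers and every lookup will
       look like a listing."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    return {
        "test_entry_listed": check_dnsbl("127.0.0.2", zone, resolve) == "listed",
        "wildcard_answers": bool(resolve(f"{junk}.{zone}")),
    }


# ---- constructed stand-in resolvers (assumption: no real DNS involved) ----
ZONE = "bl.spamcop.net"
FAKE_LIST = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],    # RFC 5782 test entry
    "7.113.0.203.bl.spamcop.net": ["127.0.0.2"],  # constructed listed host
}


def honest_resolver(name):
    """Behaves like a correct recursive resolver: NXDOMAIN for unknown names."""
    return FAKE_LIST.get(name, [])


def wildcard_resolver(name):
    """Simulates a forwarder that answers every NXDOMAIN with its own address."""
    return FAKE_LIST.get(name) or ["192.0.2.10"]


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("wildcard", wildcard_resolver)):
        print(label, "sanity:", resolver_sanity(ZONE, resolver))
        for ip in ("209.85.200.172", "203.0.113.7"):
            print(f"  {ip:16} -> {check_dnsbl(ip, ZONE, resolver)}")
```

Run against a real resolver by replacing `honest_resolver` with a function that performs the A lookup; if `wildcard_answers` is true for the resolver in /etc/resolv.conf on the Postfix host, that resolver is the cause of the blanket rejections, and pointing the MTA at a local caching nameserver (as suggested earlier in the thread) is the fix.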

