[solved] best practice with unbound in pfSense and email-server behind it?
-
What would be an ideal configuration for DNS in pfSense when there is my personal email-server behind it? I have everything working in general but especially with DNSBL in the email-server itself I am unsure if it is ideal right now and I have problems understanding this topic fully.
What settings would be recommended for unbound in pfSense regarding the email-server behind it?
And what settings would be recommended for the DNSBL part in pfBlocker? -
A mail server is a ... server.
This means you only have to do one thing on pfSense :
Open port 25 TCP => to the IP of the mail server.
And done.

Postfix will use the DNS facilities available on the server (device) it's running on.
This device will typically use the resolver running on pfSense to handle the DNS requests.

A mail server like postfix can use "DNSBL" to filter incoming mail (never outgoing, that would be .... stupid)
I've this in my main.cf:

```
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_sender_access hash:/etc/postfix/sender_checks,
    warn_if_reject reject_unverified_sender,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access pcre:/etc/postfix/blacklist_clients.pcre,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_client_access cidr:/etc/postfix/client_checks,
    check_policy_service unix:private/spfcheck,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rhsbl_sender dsn.rfc-ignorant.org
```

The last 4 lines, if the check falls through to that point, will check against these four DNSBL lists.
Outgoing mail is never filtered like that. Why would you want send a mail to a host that is known to be a spammer ?
Btw : I advise you strongly to Google a bit about why NOT to use a mail server at home.
Believe me : no joke.

I'll give you one no-go reason : if you use an ISP, you use the IPv4 of that ISP. I hope it's a static IPv4.
These ISP IPs are listed and known as such.
In the past, if an IPv4 was sending mail, and it's from an ISP IP, this was surely an infected PC that was transformed into a zombie mailer. Nearly all ISPs these days do not allow you to use port 25 TCP for outgoing traffic (you know the reason now) but allow only port 25 to their own (ISP) mail server. So ... your mail server won't be able to connect to any other mail server on the Internet ..... so game over right on the start.

There are other reasons .....
My advice : If you really want to use a mail server, use your wallet, there is no other way.
You'll be needing :
A domain name.
A small VPS, probably a couple of $ per month.
Use a well-known, over-documented OS like Debian (forget about the rest)
Forget about GUI administration : and repeat after me "that doesn't exist". It will be 'ssh' / Putty / an SFTP all the way.
Take postfix. As postfix handles already >>50% (millions a second) of all mail on the Internet, it is well documented.

I do have to say this :
Years (decades ) back, I had the same idea as you : hosting my own mail server @work (= @home).
And it worked ....

As we send mails to 'every where' (I work for a hotel) as mails means business = my pay check at the end of the month, I needed a mail server that works all the time. Mail became as important as a working phone line. Mail became $$$.
After several months I discovered too many issues :
gmail / msn / outlook / yahoo / etc couldn't send me mail for some reason ... (see above for the why part).
gmail / msn / outlook / yahoo / etc wouldn't accept mails from me, as my reverse IP or PTR wasn't set correctly. Better : Google (gmail) told me my IP was an ISP subscriber IP address so : bye.
I also discovered that I had to have a very fine control over the "DNS info" of my domain name.
I've solved that by saying to my registrar : thanks for your DNS facilities, but from now on, I'll handle my own domain name needs. I had my registrar point the DNS to my own DNS servers (you need two of them at a minimum)
I installed "bind" and handled my own DNS stuff from then on.
Now, it was easy - no, easier, to do SPF and DKIM and DMARC. And handle the reverse PTR. And DNSSEC and more.

Today, after 27 years, I still run my own postfix. It uses 8 IPv4 (back then, they were free), each domain name has its own IPv4 (that's something you 'want').
I can send mail to any garbage mail address (see list above) and receive all mails, as long as they were sent by a host that respects "the rules". These rules, I control them.
Beware that you will see mails from hosts that do not respect the rules. But you still want to receive these mails. You'll be handling white listed addresses. And loads of blacklisted addresses.
Administrating your own mail needs is a never-ending business.

Sorry for the rant.
-
@Gertjan said in best practice for running email-server behind pfSense?:
Sorry for the rant.
Yeah, you went totally off topic. My only question is about unbound in pfSense. That is why I posted this in DNS. But I will alter the topic to be more precise.
-
@Bob-Dig Not sure I understand the question. If you block domainx.tld from a client going there via dns filtering. Why would you want your email server to send email there?
Why would you think there should be something different setup?
-
@johnpoz So my first question is, is the pfSense default config for unbound good (Services - DNS Resolver - Advanced Settings) or could it be optimized for this use case? I know it is kinda a broad question...
I do DNS Query Forwarding though, lets say to cloudflare, will this change stuff?
Other question, if I have a dns redirect by portforwarding active, could it interfere with the ability of the email-server itself for doing its own DNSBL stuff? I guess, so I don't do it.
I have read somewhere that it is advised to run your own DNS-server for an email-server but that is probably not the case for my very light used email-server.
Again, everything is working fine but I want to optimize, if I can. And I am unclear about DNSBL in general. I think I get it how it works with pfBlocker but I am not sure how this is implemented in mail-servers exactly and that I don't mess with it.
@Gertjan said in best practice with unbound in pfSense for an email-server behind it?:
Forget about GUI administration : and repeat after me "that doesn't exists". It will be 'ssh' / Putty / an SFTP all the way.
I am not that bright so I have to stick to GUIs, that is why I use pfSense.
-
@Bob-Dig said in best practice with unbound in pfSense for an email-server behind it?:
somewhere that it is advised to run your own DNS-server
Not sure where you read that? That sure isn't true..
Be it you resolve, be it you forward, be it you filter dns has really little to do with having a normal client, or a box sending receiving email.
If you're going to forward.. There is little reason to change anything in the resolver settings, other than turning off dnssec.. When you forward there is just no reason to have that checked. Where you forward to is going to be doing dnssec or they are not. Having that enabled in unbound settings is just going to cause possible issues.
An email server isn't really different than any other client.. But vs looking up say www.domainx.tld A record, the email server would most likely be only doing MX look ups for domainx.tld when someone wants to send email there.
Now you might have yours setup to check the PTR of some IP trying to send email to the server.. But again - that is just another query, and there is nothing special that you need to do.
-
@Gertjan said in best practice with unbound in pfSense for an email-server behind it?:
A mail server like postfix can use "DNSBL" to filter incoming mail (never outgoing, that would be .... stupid)
I've this in my main.cf :

@Bob-Dig If you are using unbound and have rebind protection enabled, I believe you may need to exclude those dnsbl hosts you're using. For example:

```
private-domain: "zen.spamhaus.org"
private-domain: "b.barracudacentral.org"
```

I'm also guessing that it is best to allow the mail server to perform its own dnsbl lookups, rather than use any cached information provided by pfblocker. Since AIUI DNSBL such as zen returns subtly different responses according to their BL.
-
I seem to be successfully hosting mail on my domestic broadband IP. However I have a static IP and I send via the ISP's relay to avoid PBL issues.
It's more out of interest than anything and I would not do it this way if my business relied upon it. I'd pay for proper mail hosting.
-
@darcey said in best practice with unbound in pfSense for an email-server behind it?:
private-domain: "zen.spamhaus.org"
Note (for the forum and @Bob-Dig) Spamhaus returns an error when forwarding DNS to public DNS, resulting in all mail being blocked:
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/
https://pro-it.rocks/all-mails-rejected-by-spamhaus/

Another option when hosting your own email is to use a third party spam filter, and only allow those IPs to connect to your mail server. Often those services will provide outbound relaying/smart host as well.
-
@SteveITS Now it is getting interesting because I don't understand this: "Spamhaus returns an error when forwarding DNS to public DNS"
In what case does this happen?

And just for completeness, I am using an email-server with spamassassin and stuff (with GUI), have my own domain and "businesses-IP", etc. Here in this thread it is only about pfSense and unbound before an email-server.
-
@Bob-Dig I think this means you need to point your mailserver at (your own) recursive dns resolver e.g. unbound. If that's unbound on pfsense, you may want to reconsider whether to run pfblocker dnsbl. I decided not use pfblocker dnsbl, though I do use the IP blocking and instead run pihole for certain LAN hosts.
Having the business IP should at least mean you're not on the PBL and therefore deliver mail directly.
-
@darcey What I am missing on is the connection between e.g. Spamhaus and unbound or my upstream DNS.
I guess and I could be wrong, my email server is asking Spamhaus directly, my unbound is not involved, right? I really don't know how this part works though.
-
@darcey said in best practice with unbound in pfSense for an email-server behind it?:
Having the business IP should at least mean you're not on the PBL and therefore deliver mail directly.
Again, not the point of this thread.
-
@Bob-Dig Say you're using one or more of the dnsbl services with e.g. postfix's postscreen. The dnsbl checks are made by postfix, via regular dns queries, to whatever the mailserver host's configured dns is.
The dns queries are of the form 12.34.56.78.zen.spamhaus.org
The replies (from spamhaus's NS ideally via recursive lookup) are of the form 127.0.0.X. Which is then interpreted by your mailserver. Usually you query several dnsbl servers, optionally weighted according to which you prefer.
-
@Bob-Dig said in best practice with unbound in pfSense for an email-server behind it?:
my email server is asking Spamhaus directly, my unbound is not involved
Incorrect, it's a DNS based lookup:
```
# dig +short 2.0.0.127.zen.spamhaus.org
127.0.0.2
127.0.0.10
127.0.0.4
# dig +short 2.0.0.127.zen.spamhaus.org txt
"https://www.spamhaus.org/query/ip/127.0.0.2"
"https://www.spamhaus.org/sbl/query/SBL2"
```
They have blocked Quad9/CloudFlare from connecting to their services by telling any queries that all IPs are bad. I thought Google also, actually but they don't seem to be blocked today?
```
# dig +short 2.0.0.127.zen.spamhaus.org @9.9.9.9
127.255.255.254
# dig +short 2.0.0.127.zen.spamhaus.org txt @9.9.9.9
"Error: open resolver; https://www.spamhaus.org/returnc/pub/2620:171:fe:f0::237"
# dig +short 2.0.0.127.zen.spamhaus.org txt @1.1.1.1
"Error: open resolver; https://www.spamhaus.org/returnc/pub/172.70.177.38"
```
So in Unbound, uncheck "DNS Query Forwarding." Unless maybe if you're using Google DNS.
-
Ok, this is the hard part, I don't get. DNS is hard it seems.
-
@Bob-Dig said in best practice with unbound in pfSense for an email-server behind it?:
Ok, this is the hard part, I don't get. DNS is hard it seems.
Nah, ask a question, get an answer, simple.
-
I think I'm kinda getting it slowly. Will try tomorrow if I get the whole picture. And so my DNS configured in pfSense can make a big difference if this stuff will actually work or not. Thanks guys!
-
- Don't use upstream public DNS.
- If using unbound, either disable rebind protection or use the unbound config mentioned above for your specific dnsbl's.
- Be selective with the dnsbl's and, with postfix, you can also weight them:

```
postscreen_dnsbl_sites = zen.spamhaus.org*2,dnsbl.sorbs.net*1,bl.spamcop.net*1,b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
```
This has been working reasonably well for me other than some recent paypal 'communications' getting blocked by sorbs. None of the transaction related mail was affected.
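The following is an added example, not code from this thread, from Postfix or from pfSense. It reproduces offline the two things discussed above: how a client IP becomes a DNSBL query name and how the 127.0.0.X answer is read (darcey's explanation), and how postscreen-style weights and a threshold turn several lists into one verdict (the `postscreen_dnsbl_sites` config above). It also shows the failure mode SteveITS demonstrated with `dig`: when Spamhaus answers a public resolver with its error code 127.255.255.254, a list given without a return-code filter counts that answer like a listing and every sender scores as listed. The sample answers in the block are constructed, not captured; `system_lookup` is included so the same functions can be pointed at the host's real resolver.

```python
"""DNSBL query construction, answer interpretation and weighted scoring (added example)."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

LookupFn = Callable[[str], List[str]]  # name -> A records ([] means NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the list zone.

    12.34.56.78 checked against zen.spamhaus.org -> 78.56.34.12.zen.spamhaus.org
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def system_lookup(name: str) -> List[str]:
    """Ask the host's configured resolver, exactly as the mail server would."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:  # NXDOMAIN: the address is not on that list
        return []


def classify(answers: Iterable[str]) -> str:
    """Read a DNSBL answer set.

    127.0.0.X     -> "listed"   (the list's per-category return codes)
    127.255.255.X -> "error"    (Spamhaus refusing the query, e.g. open resolver)
    no answer     -> "clean"
    anything else -> "unexpected" (never treated as a listing)
    """
    answers = list(answers)
    if not answers:
        return "clean"
    if any(a.startswith("127.255.255.") for a in answers):
        return "error"
    if all(a.startswith("127.0.0.") for a in answers):
        return "listed"
    return "unexpected"


def parse_site_spec(spec: str) -> Tuple[str, int]:
    """'zen.spamhaus.org*2' -> ('zen.spamhaus.org', 2); a bare zone weighs 1."""
    zone, _, weight = spec.partition("*")
    return zone.strip(), int(weight) if weight else 1


def dnsbl_score(ip: str, sites: List[str], threshold: int,
                lookup: LookupFn = system_lookup,
                filtered: bool = True) -> Tuple[int, bool, Dict[str, str]]:
    """Sum the weights of the lists that hit, postscreen style.

    filtered=True  counts only genuine 127.0.0.X listings.
    filtered=False counts any A record at all, which is what a site entry
                   without a return-code filter does; an error code then
                   scores like a listing.
    Returns (score, rejected, per-zone verdict).
    """
    score = 0
    verdicts: Dict[str, str] = {}
    for spec in sites:
        zone, weight = parse_site_spec(spec)
        answers = lookup(dnsbl_query_name(ip, zone))
        verdict = classify(answers)
        verdicts[zone] = verdict
        hit = verdict == "listed" if filtered else bool(answers)
        if hit:
            score += weight
    return score, score >= threshold, verdicts


# Constructed sample answers standing in for two resolvers: the mail server's
# own recursive resolver, and a public resolver that Spamhaus answers with the
# open-resolver code 127.255.255.254 seen in the dig output above.
# 127.0.0.2 is the lists' documented test address; 198.51.100.7 is on no list.
SITES = ["zen.spamhaus.org*2", "bl.spamcop.net*1", "b.barracudacentral.org*1"]
THRESHOLD = 2

OWN_RESOLVER = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10", "127.0.0.4"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
}
PUBLIC_RESOLVER = dict(OWN_RESOLVER)
PUBLIC_RESOLVER["2.0.0.127.zen.spamhaus.org"] = ["127.255.255.254"]
PUBLIC_RESOLVER["7.100.51.198.zen.spamhaus.org"] = ["127.255.255.254"]


def own_lookup(name: str) -> List[str]:
    return OWN_RESOLVER.get(name, [])


def public_lookup(name: str) -> List[str]:
    return PUBLIC_RESOLVER.get(name, [])


if __name__ == "__main__":
    for label, fn in (("own resolver", own_lookup), ("public resolver", public_lookup)):
        for ip in ("127.0.0.2", "198.51.100.7"):
            for filtered in (False, True):
                score, rejected, v = dnsbl_score(ip, SITES, THRESHOLD, fn, filtered)
                print(f"{label:16} {ip:13} filtered={filtered!s:5} "
                      f"score={score} reject={rejected} {v}")
```

Running it shows the clean address 198.51.100.7 rejected with a score of 2 through the public resolver when answers are counted unfiltered, and accepted once only 127.0.0.X answers count. Postfix has the same safeguard built in: a site entry such as `zen.spamhaus.org=127.0.0.[2..11]*2` in `postscreen_dnsbl_sites` ignores replies outside that range. That limits the damage, but the list is then silently not consulted at all, so the real fix remains the one in the thread: let the mail server use a recursive resolver rather than a public forwarder.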
-
@SteveITS @darcey Thank you both for helping me understand that topic and also showing me ways to validate my solution myself.
For now, on one site I am using a DNS provider that is not blocked by any of those services I use and gave the mx that DNS server directly, not going through unbound anymore. On another site I turned off DNS Query Forwarding in pfSense and turned on Python Group Policy in pfBlocker for the mx, just to make sure. In the end I can make it work now, thanks to you guys.

A note to @biggsy , thank you for your kind offer, I am good now, topic is closed.