Netgate Discussion Forum

    IP blocked in Rules but still accessing FTP

    • KOM

      We're getting our mail just fine on all our domains.

      It's not receipt that will be your problem, but sending.  As an anti-spam measure, a lot of mail servers will do a reverse lookup on you and if everything doesn't come up clean, your mail to them is rejected.

      • cdsJerry

        @KOM:

        We're getting our mail just fine on all our domains.

        It's not receipt that will be your problem, but sending.  As an anti-spam measure, a lot of mail servers will do a reverse lookup on you and if everything doesn't come up clean, your mail to them is rejected.

        Our PTR is accurate.  We haven't had much trouble with being labeled as a spammer (we've never spammed anyone), but we do sometimes end up in people's spam boxes.  Port 25 is open and listening.  I think the reason he didn't see it was that he was testing from a Comcast IP, and they do block port 25.

        • johnpoz (LAYER 8 Global Moderator)

          No, I tested from one of my VPSs the second time, and your PTR is not accurate for all your mail servers.

          For example, .52 has (see attached) a domain that starts with i and ends in h, snipped for your privacy.

          But there is not even a forward for that name, mail.i<snipped>h.com.

          Same goes for .53.

          Checked your MX and you're only pointing to the 1, but you listed 52 and 53 as mail servers.

          When I checked with mxtoolbox it reported this:
          SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match SMTP Banner

          But upon checking the IP that ends in .51 for PTR, and looking up the forward for that name and what's in your MX record, they match.  It's possible you're hiding your SMTP banner?  Checking with another tool I get this:

          The hostname in the greeting message is

          All

          I get this when I connect:
          Escape character is '^]'.
          220 All actions are logged.  No mail relay takes place from this server.

          And it looks like you're not accepting mail for postmaster@ip, which is part of the RFC, I'm pretty sure:
          The SMTP server does not accept mails to postmaster@[IP_ADDRESS]. This is a very bad thing, as this address is used by people that don't know your domain name! The reported error is: 550 not local host [All], not a gateway

          You really should look into your ssl stuff!!

          [attached image: ptr.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • cdsJerry
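The checks johnpoz walks through above (PTR present, PTR name resolving forward to the same IP, and whether that name is the MX) can be scripted. This is an added example, not code from the thread or from pfSense; the IPs, names and MX list are constructed stand-ins for the redacted records, and the live lookups use the system resolver only.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample DNS data standing in for the thread's redacted records:
# .51 is consistent, .52 has a PTR whose name has no forward (A) record
# (the case johnpoz describes), and .53 has no PTR at all.
SAMPLE_PTR = {"203.0.113.51": "mail.example.com",
              "203.0.113.52": "mail.inbound-example.com"}
SAMPLE_A = {"mail.example.com": ["203.0.113.51"]}
SAMPLE_MX = ["mail.example.com."]  # trailing dot, as `dig MX` prints it


def live_ptr(ip: str) -> str:
    """Reverse lookup through the system resolver; "" when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def live_a(name: str) -> List[str]:
    """Forward lookup of a hostname; [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_mail_ip(ip: str, ptr_lookup: Callable[[str], str],
                  a_lookup: Callable[[str], List[str]],
                  mx_hosts: List[str]) -> Dict[str, str]:
    """Forward-confirmed reverse DNS (FCrDNS) plus MX membership for one IP."""
    name = ptr_lookup(ip)
    if not name:
        return {"ptr": "missing", "fcrdns": "fail", "in_mx": "no"}
    canon = name.lower().rstrip(".")
    mx_set = {h.lower().rstrip(".") for h in mx_hosts}
    return {
        "ptr": canon,
        # The PTR name must resolve back to the same IP, or receivers see a mismatch.
        "fcrdns": "ok" if ip in a_lookup(name) else "fail",
        # Not being in MX is fine for an outbound-only host, but FCrDNS must still pass.
        "in_mx": "yes" if canon in mx_set else "no",
    }


def audit(ips, ptr_lookup=live_ptr, a_lookup=live_a, mx_hosts=()):
    """Run the check for every IP; pass lookups over SAMPLE_* to run offline."""
    return {ip: check_mail_ip(ip, ptr_lookup, a_lookup, list(mx_hosts)) for ip in ips}
```

Run `audit(["203.0.113.51"], mx_hosts=["mail.example.com"])` with real addresses and MX hosts to check a live deployment; any "fcrdns": "fail" is what receivers flag as a reverse DNS mismatch.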

            @johnpoz:

            No, I tested from one of my VPSs the second time, and your PTR is not accurate for all your mail servers.

            For example, .52 has (see attached) a domain that starts with i and ends in h, snipped for your privacy.

            But there is not even a forward for that name, mail.i<snipped>h.com.

            Same goes for .53.

            Checked your MX and you're only pointing to the 1, but you listed 52 and 53 as mail servers.

            You are right on those two examples. They are inbound only.  I bought those two domains and receive mail for the users that were on it, but no mail is ever sent from those domains.  The mx records forward mail to my main domain's mail server where it's directed to the right contact.

            @johnpoz:

            But upon checking the IP that ends in .51 for PTR, and looking up the forward for that name and what's in your MX record, they match.  It's possible you're hiding your SMTP banner?

            And it looks like you're not accepting mail for postmaster@ip, which is part of the RFC, I'm pretty sure:
            The SMTP server does not accept mails to postmaster@[IP_ADDRESS]. This is a very bad thing, as this address is used by people that don't know your domain name! The reported error is: 550 not local host [All], not a gateway

            You really should look into your ssl stuff!!

            I did a test to postmaster@myipaddy just now and the server processed it.  I'd sent the test message from outside.  I'll need to look into this.  I do see where TestOfDnsqueriesDotCom@dnsqueries.com came in and ran your tests.  It got successful responses until it attempted a postmaster@[All] email, but the individual postmaster@myipaddy.com tests were successful, as were the abuse@ tests.  The testing IP was blocked soon after, however, because it had reached the maximum number of invalid recipients allowed.  After that it failed due to a temporary restriction because of the abuse, so no other tests would pass.

            • doktornotor

              This kind of stuff… really.

              Take a sheet of paper.
              Make a list of all servers, IPs and ports that are supposed to be public or externally accessible (and from where.)
              Set up your firewall according to that paper. Nothing else should be allowed. Use the descriptions in aliases/rules to state exactly what the purpose of that rule/alias IP/alias port is. If you use aliases, do not mix unrelated stuff in them.

              I would strongly suggest not recycling the current alias mess for this purpose.

              • johnpoz (LAYER 8 Global Moderator)
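One way to turn the "sheet of paper" advice above into a repeatable check is to audit the exported config for WAN pass rules that carry no purpose description or no destination port restriction. This is an added example, not part of the thread or of pfSense; the XML below is a constructed sample that only approximates the layout of pfSense's config.xml filter section, and the description-length threshold is an assumed heuristic.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample modelled on pfSense's config.xml <filter> section (assumed
# structure, not a real export): one documented, tightly scoped FTP rule, two
# rules that violate the "only what is on the paper" advice, and a block rule.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source>
    <destination><address>203.0.113.51</address><port>21</port></destination>
    <descr>Public FTP on mail host, anyone</descr></rule>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source>
    <destination><any/></destination>
    <descr></descr></rule>
  <rule><type>pass</type><interface>wan</interface>
    <source><address>Mixed_Stuff</address></source>
    <destination><address>203.0.113.52</address></destination>
    <descr>temp</descr></rule>
  <rule><type>block</type><interface>wan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>default deny</descr></rule>
</filter></pfsense>"""

MIN_DESCR_LEN = 8  # assumed heuristic: shorter descriptions rarely state a purpose


def audit_wan_pass_rules(config_xml: str) -> List[str]:
    """Flag WAN pass rules lacking a purpose description or a specific port."""
    root = ET.fromstring(config_xml)
    findings = []
    for i, rule in enumerate(root.iter("rule"), start=1):
        # Only inbound allows on WAN matter for the "nothing else is allowed" check.
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        descr = (rule.findtext("descr") or "").strip()
        dest = rule.find("destination")
        port = dest.findtext("port") if dest is not None else None
        dest_any = dest is not None and dest.find("any") is not None
        if len(descr) < MIN_DESCR_LEN:
            findings.append(f"rule {i}: no meaningful description")
        if dest_any:
            findings.append(f"rule {i}: destination is any")
        if not port:
            findings.append(f"rule {i}: no destination port restriction")
    return findings
```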

                ^ Exactly!!!  And then, if you want to block specific "bad" IPs, via blocker aliases or your own, from talking to the stuff you have allowed, feel free to put those blocks above your allows.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • doktornotor

                  BTW, there's a Notes package to keep some simple notes available in the pfSense GUI, to keep track of configuration changes or anything similar. Nothing fancy, but it gets saved in config.xml, so it's kinda self-contained.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.