Koozali.org: home of the SME Server

Help needed understanding why my SME10 box rejects this message

Michail Pappas
Any ideas?

Code:
2022-06-17 11:58:34.481758500 18817 Accepted connection 2/40 from 84.205.251.179 / mail.synigoros.gr
2022-06-17 11:58:34.481932500 18817 Connection from mail.synigoros.gr [84.205.251.179]
2022-06-17 11:58:35.627736500 18817 (connect) earlytalker: pass, not spontaneous
2022-06-17 11:58:35.630252500 18817 (connect) relay: skip, no match
2022-06-17 11:58:35.695425500 18817 (connect) dnsbl: pass
2022-06-17 11:58:35.696090500 18817 220 mail.pieria.gr ESMTP
2022-06-17 11:58:35.710194500 18817 dispatching EHLO EXSRV01.SYNIGOROS2.LOCAL
2022-06-17 11:58:35.715113500 18817 (ehlo) helo: karma -1 (-1)
2022-06-17 11:58:35.715289500 18817 (ehlo) helo: fail, NAUGHTY, no such host
2022-06-17 11:58:35.716588500 18817 250-pieria.gr Hi mail.synigoros.gr [84.205.251.179]
2022-06-17 11:58:35.716721500 18817 250-PIPELINING
2022-06-17 11:58:35.716819500 18817 250-8BITMIME
2022-06-17 11:58:35.716921500 18817 250-SIZE 30000000
2022-06-17 11:58:35.717059500 18817 250-STARTTLS
2022-06-17 11:58:35.717160500 18817 250 AUTH PLAIN LOGIN
2022-06-17 11:58:35.728953500 18817 dispatching MAIL FROM:<abosd@synigoros.gr> SIZE=886086
2022-06-17 11:58:35.770021500 18817 (mail) resolvable_fromhost: pass, synigoros.gr has MX at mail3.synigoros.gr
2022-06-17 11:58:35.796156500 18817 (mail) sender_permitted_from: skip, tolerated, none, synigoros.gr: No applicable sender policy available
2022-06-17 11:58:35.796428500 18817 (mail) naughty: disconnecting
2022-06-17 11:58:35.796849500 18817 (deny) logging::logterse: ` 84.205.251.179  mail.synigoros.gr       EXSRV01.SYNIGOROS2.LOCAL                        naughty 903     (helo) HELO hostname does not exist     msg denied before queued
2022-06-17 11:58:35.797268500 18817 deny mail from <abosd@synigoros.gr> ((helo) HELO hostname does not exist)
2022-06-17 11:58:35.797407500 18817 550 (helo) HELO hostname does not exist
2022-06-17 11:58:35.797583500 18817 click, disconnecting
2022-06-17 11:58:35.858701500 1521 cleaning up after 18817

No special contribs, plain SME. My /etc/qpsmtpd/plugins:

Code:
#
#  Example configuration file for plugins
#

# enable this to get configuration via http; see perldoc
# plugins/http_config for details.
#   http_config http://localhost/~smtpd/config/  http://www.example.com/smtp.pl?config=

# tls should load before count_unrecognized_commands
# to support legacy port 465, tls must load before connection plugins
#tls

# hosts_allow does not work with the tcpserver deployment model!
#   perldoc plugins/hosts_allow for an alternative.
#
# The hosts_allow module must be loaded if you want the -m / --max-from-ip /
# my $MAXCONNIP = 5; # max simultaneous connections from one IP
# settings... without this it will NOT refuse more than $MAXCONNIP connections
# from one IP!
hosts_allow

# connection / informational plugins
#connection_time
#karma penalty_box 1 reject naughty
ident/geoip
#ident/p0f /tmp/.p0f_socket version 3
fcrdns

quit_fortune
earlytalker
count_unrecognized_commands 4

relay
#whitelist
dnsbl reject naughty reject_type disconnect
rhsbl
# greylisting reject 0 p0f genre,windows


# HELO plugins
helo policy strict reject 0
# enable to reject MAIL FROM:/RCPT TO: parameters if client helo was HELO
# (strict RFC 821)... this is not used in EHLO ...
# parse_addr_withhelo


# AUTH plugins
#auth/auth_checkpassword checkpw /usr/local/vpopmail/bin/vchkpw true /usr/bin/true
#auth/auth_vpopmail
#auth/auth_vpopmaild
#auth/auth_vpopmail_sql
auth/auth_flat_file
auth/authdeny

# enable to accept MAIL FROM:/RCPT TO: addresses without surrounding <>
dont_require_anglebrackets

# MAIL FROM plugins
badmailfrom reject naughty
#badmailfromto
resolvable_fromhost reject 0
sender_permitted_from reject 1


# RCPT TO plugins
badrcptto
#qmail_deliverable
# this plugin needs to run after all other "rcpt" plugins
rcpt_ok

# DATA plugins
#uribl
headers reject 0 reject_type temp require From,Date future 2 past 15
bogus_bounce log
#loop
dkim reject 0
# dmarc requires dkim and SPF to run before it
dmarc

# content filters
virus/klez_filter

# You can run the spamassassin plugin with options.  See perldoc
# plugins/spamassassin for details.
#
spamassassin reject 12

# rejects mails with a SA score higher than 20 and munges the subject
# of the score is higher than 10.
#
#   spamassassin reject 20 munge_subject_threshold 10

# dspam must run after spamassassin for the learn_from_sa feature to work
dspam autolearn spamassassin reject 0.95

# run the clamav virus checking plugin (max size in Kb)
# virus/clamav
# virus/clamdscan deny_viruses yes max_size 1024

naughty reject data

# You must enable a queue plugin - see the options in plugins/queue/ - for example:

# queue to a maildir
# queue/maildir /home/spamtrap/mail

# queue the mail with qmail-queue
# queue/qmail-queue

# forward to another mail server
# queue/smtp-forward 10.2.2.2 9025


# If you need to run the same plugin multiple times, you can do
# something like the following
#    relay
#    relay:0 somearg
#    relay:1 someotherarg

ReetP
« Reply #1 on: June 17, 2022, 04:42:56 PM »
Right in front of you.

2022-06-17 11:58:35.797268500 18817 deny mail from <abosd@synigoros.gr> ((helo) HELO hostname does not exist)
2022-06-17 11:58:35.797407500 18817 550 (helo) HELO hostname does not exist
2022-06-17 11:58:35.797583500 18817 click, disconnecting

They have a badly set up mail server. Tell them to fix their HELO name.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
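
Added example (not part of the thread and not qpsmtpd code): a small Python triage of the qpsmtpd log format shown in the first post, grouping lines by process ID to show which plugin flagged the session as NAUGHTY and what the final deny reason was. The log lines are copied from that post; the list of internal-only suffixes is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in the first post (one session, PID 18817).
SAMPLE_LOG = """\
2022-06-17 11:58:34.481932500 18817 Connection from mail.synigoros.gr [84.205.251.179]
2022-06-17 11:58:35.710194500 18817 dispatching EHLO EXSRV01.SYNIGOROS2.LOCAL
2022-06-17 11:58:35.715289500 18817 (ehlo) helo: fail, NAUGHTY, no such host
2022-06-17 11:58:35.796428500 18817 (mail) naughty: disconnecting
2022-06-17 11:58:35.797268500 18817 deny mail from <abosd@synigoros.gr> ((helo) HELO hostname does not exist)
2022-06-17 11:58:35.858701500 1521 cleaning up after 18817
"""

LINE = re.compile(r"^(\S+ \S+) (\d+) (.*)$")            # timestamp, pid, message
CONN = re.compile(r"^Connection from (\S+) \[([^\]]+)\]")
HELO = re.compile(r"^dispatching (?:EHLO|HELO) (\S+)")
PLUGIN = re.compile(r"^\((\w+)\) ([\w:/]+): (.*)$")      # (hook) plugin: result
DENY = re.compile(r"^deny mail from <([^>]*)> \((.*)\)$")

# Assumption: suffixes treated here as names that cannot resolve in public DNS.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".localdomain")

def helo_is_internal(name):
    """True for unqualified names or names under an internal-only suffix."""
    n = name.lower().rstrip(".")
    return "." not in n or n.endswith(INTERNAL_SUFFIXES)

def triage(log_text):
    """Return {pid: session} for every session that ended in a deny."""
    sessions = defaultdict(lambda: {"naughty_by": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, pid, msg = m.groups()
        s = sessions[pid]
        if (c := CONN.match(msg)):
            s["rdns"], s["ip"] = c.groups()
        elif (h := HELO.match(msg)):
            s["helo"] = h.group(1)
        elif (p := PLUGIN.match(msg)):
            hook, plugin, result = p.groups()
            if "NAUGHTY" in result:          # the plugin that set the flag
                s["naughty_by"].append((hook, plugin, result))
        elif (d := DENY.match(msg)):
            s["sender"], s["reason"] = d.groups()
    return {pid: s for pid, s in sessions.items() if "reason" in s}
```

Running `triage()` over a full day's log gives one record per rejected session, which makes it easy to list every sender that was denied for its HELO name and to keep that list as evidence of why each message was refused.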

Jean-Philippe Pialasse
« Reply #2 on: June 17, 2022, 05:34:48 PM »
their hostname is EXSRV01.SYNIGOROS2.LOCAL

the smtp server should identify with a resolvable address. 

can you tell
rpm -q smeserver-qpsmtpd

Michail Pappas
« Reply #3 on: June 17, 2022, 08:53:53 PM »
Hey lads, thanks for the quick response.

Quote from: ReetP
Right in front of you.

2022-06-17 11:58:35.797268500 18817 deny mail from <abosd@synigoros.gr> ((helo) HELO hostname does not exist)
2022-06-17 11:58:35.797407500 18817 550 (helo) HELO hostname does not exist
2022-06-17 11:58:35.797583500 18817 click, disconnecting

They have a badly set up mail server. Tell them to fix their HELO name.

That was my initial impression. However, there's a danger of legal action here, in case we do not receive messages that we are supposed to. So I tried to make sense of the SMTP RFC. At https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4 there's the following passage:

Quote
An SMTP server MAY verify that the domain name argument in the EHLO
   command actually corresponds to the IP address of the client.
   However, if the verification fails, the server MUST NOT refuse to
   accept a message on that basis.  Information captured in the
   verification attempt is for logging and tracing purposes.  Note that
   this prohibition applies to the matching of the parameter to its IP
   address only; see Section 7.9 for a more extensive discussion of
   rejecting incoming connections or mail messages.

I'm definitely not an expert here. In other cases, for example when the sending server does not have an rDNS entry IIRC that is a legitimate reason to block traffic. In that case the receiver is in the clear.

But in this scenario I must be extra careful: if the shit hits the fan and I have to prove that blocking the message was not 100% my fault. This has already happened from the same sender over the last 2-3 weeks, but I got informed today in a rather unfriendly tone from the organization head... :(




Quote from: Jean-Philippe Pialasse
their hostname is EXSRV01.SYNIGOROS2.LOCAL

the smtp server should identify with a resolvable address.

can you tell
rpm -q smeserver-qpsmtpd

smeserver-qpsmtpd-2.7.0-7.el7.sme.noarch

The bottom line is that if this is a misconfiguration but one that I must not act upon by rejecting, then I'll simply try to inform the admins from the sender side and on my sme box simply whitelist their servers...

ReetP
« Reply #4 on: June 18, 2022, 02:05:10 AM »
I seem to recall you have had the same issue with other people before.

Their server does not have a rDNS.

It's up to you whether you accept it.

I don't as it is a normal spam vector. YMMV.

So disabling it will open the flood gates to a lot more spam. That is your choice.

However, if there is a legal aspect then they should get their act together and use a compliant well configured server.

Like to see them send to say M$ or Google..... Almost certainly rejected.

Jean-Philippe Pialasse
« Reply #5 on: June 18, 2022, 06:14:09 AM »
* Thu Feb 10 2022 Jean-Philippe Pialasse <tests@pialasse.com> 2.7.0-8.sme
- fix regression Set the default helo policy to lenient [SME: 11864]


without forcing you to get all the updates in smeupdates-testing you should at least get that one.
indeed the current version is more strict than what the rfc is asking



Michail Pappas
« Reply #6 on: June 18, 2022, 10:13:06 AM »
@Jean some questions, please bear with me:
1) Instead of installing 2.7.0.8 can I simply do a:
Code:
db configuration setprop qpsmtpd HeloPolicy lenient
to accomplish the same thing? I'm asking because I'm wondering a bit here: if this fix was much needed wouldn't this patch be in updates instead of updates-testing?

2) I've got the wbl contrib. Would another approach be to simply whitelist the hosts in this case to get the job done?
3) With a lenient policy this message would not be blocked obviously. Would it be blocked if I switched to rfc instead of strict?

IIRC the lenient policy would let too much spam pass. Since I came from SME9 with a lenient policy for years I definitely concur with that observation. On the other hand I do want to block bad traffic, but without raising legal issues for blocking...
« Last Edit: June 18, 2022, 10:18:35 AM by Michail Pappas »

TerryF
« Reply #7 on: June 18, 2022, 11:36:01 AM »
Quote from: Michail Pappas
to accomplish the same thing? I'm asking because I'm wondering a bit here: if this fix was much needed wouldn't this patch be in updates instead of updates-testing?

This was the bug that changed that setting - https://bugs.koozali.org/show_bug.cgi?id=11864, smeserver-qpsmtpd-2.7.0-8.el7.sme.noarch.rpm, verified back in Feb. Since then there have been another 3 bugs resolved and verified, now at smeserver-qpsmtpd-2.7.0-11.el7.sme.noarch.rpm. Put it down to caution (or the few were occupied elsewhere); those who like to walk on the wild side have been happy to date (fingers crossed). Look for the latest to be available in updates shortly.

--
qui scribit bis legit

Michail Pappas
« Reply #8 on: June 18, 2022, 11:59:40 AM »
You guys, always there for us and always informative! Thumbs up!

I'll install 2.7.0-8 then.

TerryF
« Reply #9 on: June 18, 2022, 12:03:46 PM »
you will have to go to -9

Added - it and 8 very similar, -9 is safe :-)

* Tue Apr 05 2022 Jean-Philippe Pialasse <tests@pialasse.com> 2.7.0-9.sme
- add softlimit template for qpsmtpd [SME: 11858]
  increase softlimit to 50000000.

* Thu Feb 10 2022 Jean-Philippe Pialasse <tests@pialasse.com> 2.7.0-8.sme
- fix regression Set the default helo policy to lenient [SME: 11864]

« Last Edit: June 18, 2022, 12:05:30 PM by TerryF »

TerryF
« Reply #10 on: June 18, 2022, 12:09:24 PM »
with all that, very shortly latest update will be in updates along with a handful of others that have been worked over last few weeks/month

Michail Pappas
« Reply #11 on: June 18, 2022, 12:13:49 PM »
Awesome work fellas, congrats again!  :pint: :pint: :pint:

Michail Pappas
« Reply #12 on: June 19, 2022, 01:04:13 PM »
Something I must be doing wrong here. I've installed the -9 package with:
Code:
yum update-to smeserver-qpsmtpd-2.7.0-9.el7.sme.noarch --enablerepo=smeupdates-testing

Not sure if update-to was proper here or not, I was not sure how to update to an interim version. In any case:
Code:
# rpm -q  smeserver-qpsmtpd
smeserver-qpsmtpd-2.7.0-9.el7.sme.noarch

Funny thing is that I was not prompted to do the signal-event post-upgrade and reboot cycle. I did so, but nothing happened. /etc/qpsmtpd/plugins remained the same:
Code:
# ls -laFt /etc/qpsmtpd/plugins
-rw-r--r-- 1 root root 2951 Nov 17  2021 /etc/qpsmtpd/plugins

Furthermore, in /etc/qpsmtpd/plugins policy seems to be still set to strict:
Code:
...
# HELO plugins
helo policy strict reject 0

Looking at things more closely, wasn't rfc the default behaviour up to -7? Why is it set here as strict?

My qpsmtpd configuration:
Code:
# config show qpsmtpd
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DKIMSigning=enabled
    DMARCContactInfo=http://myhost/
    DMARCReject=enabled
    DMARCReportEmail=admin@mydomain
    DNSBL=enabled
    HeloHost=myhost
    Instances=40
    InstancesPerIP=5
    LogLevel=6
    MaxScannerSize=25000000
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=blocked
    RBLList=bl.spamcop.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,rhsbl.sorbs.net
    TCPPort=25
    TCPProxyPort=25
    TlsBeforeAuth=0
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    VirusScan=enabled
    access=public
    qplogsumm=enabled
    status=enabled
    tnef2mime=enabled

I have the WBL contrib installed, could it be doing something to my general setup here?

Michail Pappas
« Reply #13 on: June 19, 2022, 01:15:06 PM »
Doh! I was looking at the wrong place. It seems that files affected were under /var/service/qpsmtpd/config/peers:
Code:
# grep -R "policy" /var/service/qpsmtpd/config/peers/
/var/service/qpsmtpd/config/peers/0:helo policy lenient reject naughty
/var/service/qpsmtpd/config/peers/0:sender_permitted_from reject 1 no_dmarc_policy 0
/var/service/qpsmtpd/config/peers/myip:helo policy lenient reject naughty
/var/service/qpsmtpd/config/peers/myip:sender_permitted_from reject 1 no_dmarc_policy 0

What is the /etc/qpsmtpd and plugins/ hierarchy used for, if stuff is under /var/service/qpsmtpd ?

Jean-Philippe Pialasse
« Reply #14 on: June 19, 2022, 02:48:02 PM »
we only use the /var/service for historical reasons (runit / daemontools)