
User can't send mail depending on ISP, unknown user error


Ubuntu server 18.04.6 LTS, with functional postfix/dovecot mailserver. When using his phone to send mail, user Joe gets the following error:

An error occurred while sending mail. The mail server responded:
4.7.25 Client host rejected: cannot find your hostname, [178.197.200.200].
Please check the message recipient "[email protected]" and try again.

with the following in /var/log/mail.log:

```
Oct 24 08:49:23 vps postfix/submission/smtpd[25163]: connect from unknown[178.197.200.200]
Oct 24 08:49:23 vps postfix/submission/smtpd[25163]: NOQUEUE: reject: RCPT from unknown[178.197.200.200]: 450 4.7.25 Client host rejected: cannot find your hostname, [178.197.200.200]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.184.19]>
```

When he gets home and uses another ISP, the mail is sent without error. /var/log/mail.log reads as follows:

```
Oct 24 08:59:21 vps postfix/submission/smtpd[25331]: connect from 84-75-202-59.dclient.hispeed.ch[84.75.202.59]
Oct 24 08:59:22 vps postfix/submission/smtpd[25331]: 386394150E: client=84-75-202-59.dclient.hispeed.ch[84.75.202.59], sasl_method=PLAIN, [email protected]
Oct 24 08:59:22 vps postfix/cleanup[25335]: 386394150E: message-id=<[email protected]>
Oct 24 08:59:22 vps postfix/qmgr[6203]: 386394150E: from=<[email protected]>, size=1105, nrcpt=1 (queue active)
```

At first I thought that the submission port might be blocked by the ISP, but I don't get why the mailserver would even be reachable in this case.

In /etc/postfix/main.cf I set up the following restrictions:

```
smtpd_client_restrictions =
    permit_mynetworks
    reject_unknown_client_hostname
    check_client_access    hash:/etc/postfix/access_client

smtpd_helo_restrictions =
    permit_mynetworks
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    check_helo_access      hash:/etc/postfix/access_helo

smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    check_sender_access    hash:/etc/postfix/access_sender

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
```

I could allow unknown_client_hostname, but isn't it detrimental to security to let anyone's fridge connect here? Is it ok to remove restrictions for reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname to let the user authenticate? This means giving a chance to a bot to try for credentials.

Is there a way to allow the user to send mail without sacrificing on security in this case?

in flag
See the missing PTR record for IP, but when someone sends mail from client, it should use a login to the SMTP server, and then the IP or PTR should not be checked.
Paul avatar
One of the challenges with Postfix is that there are so many configurations possible for so many use cases, I find it difficult to figure out how to answer these questions without knowing what your use case is plus the output of `postconf -n`. Even then, you may need to wait for someone to come along and help you with your issue.
djdomi avatar
@kantan The question is why do you restrict via IP? A public-facing Postfix should be secured with fail2ban to prevent brute forcing, but restrictions via IP are not secure since it can be spoofed.
Kantan avatar
@NiKiZe: So is there an obvious change in my config that needs to be made? Is the order of the checks relevant? Or is it because of the helo restrictions that come before the authentication checks?
Kantan avatar
@djdomi: Fail2ban is set up. However, it takes a few failures to identify unwanted attempts. From my understanding (I can be wrong), it is even better to avoid those few attempts. However, not being able to send mail seems too high a price to pay in this case.
djdomi avatar
@Kantan Nope. Welcome to the internet, full of bots and other surprises. I have run my server since around 2000 and none of my mail servers ever got "hacked", due to the fact that I use strong passwords.
in flag
You use authentication first as an alternative method of authentication. Never expect a true mail client to send valid HELO.
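
The effect of checking authentication first, as suggested in the comments above, shown as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of how the restriction lists are walked. It assumes `smtpd_delay_reject = yes` (the Postfix default) and that the phone authenticates with SASL on both networks; the session flags and the `FIXED` list are constructed for illustration, and the `check_*_access` lookups are left out.

```python
# Simplified model of how Postfix smtpd walks its restriction lists (added example).
# Assumes smtpd_delay_reject = yes, so every list runs at RCPT TO, after SASL auth.
ORDER = ("client", "helo", "sender", "relay")

def permit_if(flag):
    return lambda s: "permit" if s[flag] else None

def reject_unless(flag):
    return lambda s: None if s[flag] else "reject"

# Session flags are constructed stand-ins for the DNS/SASL lookups Postfix does.
RULES = {
    "permit_mynetworks": permit_if("in_mynetworks"),
    "permit_sasl_authenticated": permit_if("sasl_ok"),
    "reject_unknown_client_hostname": reject_unless("client_name_ok"),
    "reject_non_fqdn_helo_hostname": reject_unless("helo_ok"),
    "reject_invalid_helo_hostname": reject_unless("helo_ok"),
    "reject_unknown_sender_domain": reject_unless("sender_ok"),
    "reject_non_fqdn_sender": reject_unless("sender_ok"),
    "reject_unauth_destination": reject_unless("rcpt_local"),
}

# Lists as posted in the question (check_*_access table lookups left out).
QUESTION = {
    "client": "permit_mynetworks reject_unknown_client_hostname",
    "helo": "permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname",
    "sender": "permit_mynetworks reject_unknown_sender_domain reject_non_fqdn_sender",
    "relay": "permit_mynetworks permit_sasl_authenticated reject_unauth_destination",
}
# Hypothetical corrected client list: authentication is tested before the PTR check.
FIXED = dict(QUESTION, client="permit_mynetworks permit_sasl_authenticated "
                              "reject_unknown_client_hostname")

def evaluate(config, session):
    """Return ("reject", rule) for the first rejecting rule, else ("accept", None)."""
    for stage in ORDER:
        for rule in config[stage].split():
            verdict = RULES[rule](session)
            if verdict == "reject":
                return ("reject", rule)
            if verdict == "permit":
                break  # a permit ends only the current list; later lists still run
    return ("accept", None)

# Constructed sessions: remote recipient, address-literal HELO, valid sender.
BASE = dict(in_mynetworks=False, helo_ok=True, sender_ok=True, rcpt_local=False)
PHONE_MOBILE = dict(BASE, sasl_ok=True, client_name_ok=False)  # 178.197.200.200, no PTR
PHONE_HOME = dict(BASE, sasl_ok=True, client_name_ok=True)     # 84.75.202.59
ANONYMOUS = dict(BASE, sasl_ok=False, client_name_ok=False)    # no credentials, no PTR
```

In the model, `evaluate(QUESTION, PHONE_MOBILE)` reproduces the 4.7.25 rejection from the log, while `evaluate(FIXED, PHONE_MOBILE)` accepts the authenticated phone and `evaluate(FIXED, ANONYMOUS)` still rejects a client with no PTR record and no credentials. In a real setup the same ordering can be limited to the submission service with `-o smtpd_client_restrictions=...` in master.cf instead of changing main.cf.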