  #1 (permalink)  
Old 10-27-2009, 04:15 PM
Senior Member
 
Posts: 73
Question Non-Resolving HELO names

We have a client that has a source (sender), which when that source sends our client an email it never gets to the client. !Because!, the source (the sender) has a screwed-up mail server setup and it answers with the hello of "beetle", which doesn't resolve to anything.

Question: How can I tell Zimbra to make an exception for this non-reversing name, without disabling the "non-resolving" filter globally? The white list function only trains the amavis filters, but this issue is at the MTA level.
__________________
Robert Canary
OCDirect Electrical-Datacomm
  #2 (permalink)  
Old 10-27-2009, 04:22 PM
Moderator
 
Posts: 1,147
Default

Unfortunately you either have this option on and block a ton of mail... spam and non-spam messages alike, or you turn this option off and deal with spam another way. There are LOTS of email servers that are improperly configured and respond with only the first part of their host name rather than the proper FQDN.
  #3 (permalink)  
Old 10-27-2009, 08:09 PM
Senior Member
 
Posts: 73
Default

We have a Sendmail server that is sourced by LDAP. It uses the access-list in the LDAP server. On it we always include that domain and it would allow the domain although it did not resolve the HELO name.

Does Zimbra use the access list on the LDAP server? But then the setup created an LDAP password and I don't know how to get into it. I've seen the CLI to change the password, but I was afraid to change it, afraid it would break something.
__________________
Robert Canary
OCDirect Electrical-Datacomm

Last edited by rwcanary; 10-27-2009 at 08:10 PM.. Reason: Spelling Correction
  #4 (permalink)  
Old 10-28-2009, 11:56 AM
Moderator
 
Posts: 1,147
Default

Sorry, looks like I forgot to actually specify the option in the config that is blocking that server:
Global Settings -> MTA tab -> Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)

As for an LDAP ACL... I don't think so but you can look. The LDAP root password can be found using this command:
Code:
zmlocalconfig -s ldap_root_password
And the root DN I use to connect is
Code:
uid=zimbra,cn=admins,cn=zimbra
  #5 (permalink)  
Old 10-28-2009, 08:50 PM
Senior Member
 
Posts: 73
Default

I use GQ for easier browsing, but can't figure out what it is wanting for a base DN and the Bind DN.
__________________
Robert Canary
OCDirect Electrical-Datacomm
  #6 (permalink)  
Old 10-29-2009, 02:46 AM
Moderator
 
Posts: 7,911
Default

I would highly recommend that your client fixes their MTA... If they are sending out to other people as well then I am pretty sure a lot of their email will not be getting delivered.

As that is pretty much a given in Postfix configuration the only thing you could do is add a header check prior to reject_non_fqdn_hostname and if it matches their MTA name accept the email. This would be a real fudge when what should happen is that they make their MTA RFC compliant.
__________________
Reply With Quote
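
One way to express the exception described in post #6 in plain Postfix terms, as an added example that is not part of the original thread. The map paths and the address 192.0.2.25 are placeholders, and placing the test in `smtpd_helo_restrictions` is an assumption, since Zimbra generates its own Postfix configuration.

```conf
# main.cf fragment (added example; paths and addresses are placeholders)

# Variant A: exception keyed on the HELO name.
# The HELO name is supplied by the connecting client, so every host
# that greets with "beetle" skips the FQDN test, not only this sender.
#
# smtpd_helo_restrictions =
#     check_helo_access hash:/etc/postfix/helo_exceptions,
#     reject_non_fqdn_hostname
#
# /etc/postfix/helo_exceptions:
#     beetle          OK

# Variant B: exception keyed on the sending server's IP address,
# which the client cannot pick freely the way it picks a HELO name.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    check_client_access hash:/etc/postfix/client_exceptions,
    reject_non_fqdn_hostname

# /etc/postfix/client_exceptions (placeholder address from 192.0.2.0/24):
#     192.0.2.25      OK

# Restrictions are evaluated left to right and the first match wins, so
# the lookup must come before reject_non_fqdn_hostname. OK here ends only
# the HELO list; sender and recipient restrictions are still applied.
# Postfix 2.3 and later name the test reject_non_fqdn_helo_hostname.

# A temporary rejection as suggested in post #8: reply 450 instead of the
# default 504. The same code is used by reject_non_fqdn_sender and
# reject_non_fqdn_recipient.
non_fqdn_reject_code = 450

# After editing a hash: map, rebuild it and reload Postfix:
#     postmap /etc/postfix/client_exceptions
#     postfix reload
```

If the FQDN test sits in `smtpd_recipient_restrictions` instead, place the lookup after `reject_unauth_destination`, because an OK result there ends that list as well.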
  #7 (permalink)  
Old 10-29-2009, 05:10 PM
Moderator
 
Posts: 1,187
Default

Quote:
Originally Posted by rwcanary View Post
We have a client that has a source (sender), which when that source sends our client an email it never gets to the client. !Because!, the source (the sender) has a screwed-up mail server setup and it answers with the hello of "beetle", which doesn't resolve to anything.

Question: How can I tell Zimbra to make an exception for this non-reversing name, without disabling the "non-resolving" filter globally? The white list function only trains the amavis filters, but this issue is at the MTA level.

We run a lot of mail servers in addition to Zimbra, and unfortunately I can tell you there are many, many legitimate email servers that don't HELO with their FQDN.

Consequently, we don't use this test.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
  #8 (permalink)  
Old 10-30-2009, 01:55 AM
Moderator
 
Posts: 7,911
Default

Mark,

It is like somebody sending you a letter and not paying the appropriate postage. Should the recipient pay the difference or the sender?

Perhaps bouncing with a 450 to start with asking the sender to make their MTA RFC compliant.
  #9 (permalink)  
Old 10-30-2009, 04:55 AM
Moderator
 
Posts: 1,187
Default

Quote:
Originally Posted by uxbod View Post
Mark,

It is like somebody sending you a letter and not paying the appropriate postage. Should the recipient pay the difference or the sender?

Perhaps bouncing with a 450 to start with asking the sender to make their MTA RFC compliant.

It actually isn't like that...

It happens when the MX record is a proxy, load balancing several real mail servers behind it. We see this with Postini and a number of large ISPs with high availability systems.

It's easy to point to a single Exchange server whose admin never set the smtp greeting properly (and they should), especially when Zimbra sets this for us automatically, but blocking email based on a mismatch between the MX record and the HELO will block tons of legitimate email from systems whose admins won't even return your call.

Hope that helps,
Mark
  #10 (permalink)  
Old 10-30-2009, 05:18 AM
Moderator
 
Posts: 7,911
Default

So much for having standards then, Mark. And I do take your comments on board and have seen similar, but otherwise how do companies learn?