Erratic NOQUEUE Behavior
In an effort to reduce spam, I recently enabled reject_unknown_hostname in Zimbra 6.04 via the admin panel. I've checked the logs to verify that this is indeed blocking a lot of spam. A few legitimate inbound emails are getting blocked with the error 450 4.7.1 Helo command rejected: Host not found;, but I handle this by maintaining a white list in postfix_recipient_restrictions.cf.
Today I had a user contact me about a legitimate sender who was having her mail rejected with the above-noted error. When I checked the logs, I noticed that an earlier mail from the same sender had made it through. Why would postfix decide to reject the sender after an earlier email from the same sender was accepted? In checking my logs, it appears that this has happened more than once with different senders.
In both cases, the helo host was the same. A reverse lookup shows the IP to be valid, but doesn't match the host name sent by the Helo command. Could this be a DNS timeout error?
Following are the two entries in my logs, the first being successful and the second being rejected.
Mar 24 09:11:17 freedomics postfix/smtpd: connect from mail.pti.cc[18.104.22.168]
Mar 24 09:11:18 freedomics postfix/smtpd: B5B2319B065C: client=mail.pti.cc[22.214.171.124]
Mar 24 09:11:19 freedomics amavis: (18294-16) Checking: elU+uYIZHqYP [126.96.36.199] <ACamp@ptitime.com> -> <email@example.com>
Mar 24 09:11:19 freedomics postfix/smtpd: disconnect from mail.pti.cc[188.8.131.52]
Mar 24 09:11:19 freedomics amavis: (18294-16) Passed CLEAN, [184.108.40.206] [220.127.116.11] <ACamp@ptitime.com> -> <firstname.lastname@example.org>, Message-ID: <B3C0CE4436B5FF4A8C81DCE0E048BA6B0186C732@fs3.pti.cc>, mail_id: elU+uYIZHqYP, Hits: 1.677, size: 1665, queued_as: 9BCFDDC0005, 631 ms
Mar 24 09:23:18 freedomics postfix/smtpd: connect from mail.pti.cc[18.104.22.168]
Mar 24 09:23:18 freedomics postfix/smtpd: NOQUEUE: reject: RCPT from mail.pti.cc[22.214.171.124]: 450 4.7.1 <fs3.pti.cc>: Helo command rejected: Host not found; from=<ACamp@ptitime.com> to=<email@example.com> proto=ESMTP helo=<fs3.pti.cc>
Mar 24 09:23:18 freedomics postfix/smtpd: lost connection after RSET from mail.pti.cc[126.96.36.199]
Mar 24 09:23:18 freedomics postfix/smtpd: disconnect from mail.pti.cc[188.8.131.52]
using my dns server
using level3's public dns server
bdial@hercules:~> host fs3.pti.cc
Host fs3.pti.cc not found: 3(NXDOMAIN)
bdial@hercules:~> host fs3.pti.cc 184.108.40.206
Using domain server:
Host fs3.pti.cc not found: 3(NXDOMAIN)
Agreed. The helo host fs3.pti.cc is not valid. It should have been rejected. Why then did postfix accept it at one point and then reject it later the same hour?
Originally Posted by bdial
hard to say without a time machine. maybe it was valid? maybe they've screwed up their zone file? maybe you had a cached valid address? but it's definately broken right now.
its DNS issue at your user end..if you see different DNS info on internet then that is the root of the problem.
on the side note..this is NOT the most reliable way to stop spam connections as many many good email servers have bad DNS or during any dns changes you may get this kind of results.
you can try GREYLISTING the zimrba server which will reject everyting by default and wait for retry, spammers dont like to retry :)
moreover GREYLISTING is not prone to this kind of DNS problem and is self maintained.
there are lots of other things you can do also to stop spam
Improving Anti-spam system - Zimbra :: Wiki
Thanks for your quick responses.
I took a closer look at my logs and found a few other instances of inbound mail with the same seemingly random behavior of being rejected (450 4.7.1) or accepted.
My guess is that there's some type of occassional error between postfix and my DNS server. I guess I'll have to turn up the log levels to see what's happening.