Discussion:
Warning host name does not resolve
@lbutlr
2016-07-14 22:05:34 UTC
I get a few thousand messages like this every day:

mail postfix/smtpd[59689]: warning: hostname sa0877.azar-a.net does not resolve to address 91.219.236.126

And while I assume that these are all just spammers, it looks like the connection continues to get processed and (at least in the few I’ve checked) eventually gets rejected by an RBL check in postscreen.

This processing takes a while, and several connections are made, so is there anything I should consider doing to speed this rejection process up? Or should I just ignore this as “working as intended”? Here is one connection from earlier today which appears to have made a total of 6 connections (4 CONNECT and 2 connect) over the course of about 90 seconds.

Jul 14 08:12:35 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:47075 to [65.121.55.42]:25
Jul 14 08:12:39 mail postfix/postscreen[19509]: PASS NEW [104.171.171.62]:47075
Jul 14 08:12:54 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
Jul 14 08:12:54 mail postfix/smtpd[23615]: connect from unknown[104.171.171.62]
Jul 14 08:12:54 mail postfix/smtpd[23615]: lost connection after CONNECT from unknown[104.171.171.62]
Jul 14 08:12:54 mail postfix/smtpd[23615]: disconnect from unknown[104.171.171.62] commands=0/0
Jul 14 08:13:17 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:45788 to [65.121.55.42]:25
Jul 14 08:13:17 mail postfix/postscreen[19509]: PASS OLD [104.171.171.62]:45788
Jul 14 08:13:32 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
Jul 14 08:13:32 mail postfix/smtpd[23615]: connect from unknown[104.171.171.62]
Jul 14 08:13:32 mail postfix/smtpd[23615]: lost connection after CONNECT from unknown[104.171.171.62]
Jul 14 08:13:32 mail postfix/smtpd[23615]: disconnect from unknown[104.171.171.62] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 14 08:13:42 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:58369 to [65.121.55.42]:25
Jul 14 08:13:42 mail postfix/dnsblog[23446]: addr 104.171.171.62 listed by domain zen.spamhaus.org as 127.0.0.3
Jul 14 08:13:42 mail postfix/postscreen[19509]: DNSBL rank 7 for [104.171.171.62]:58369
Jul 14 08:13:42 mail postfix/postscreen[19509]: NOQUEUE: reject: RCPT from [104.171.171.62]:58369: 550 5.7.1 Service unavailable; client [104.171.171.62] blocked using zen.spamhaus.org; from=<***@amhea1.binncp.top>, to=<*munged*@*munged*>, proto=ESMTP, helo=<amhea1.binncp.top>
Jul 14 08:13:42 mail postfix/postscreen[19509]: DISCONNECT [104.171.171.62]:58369
Jul 14 08:14:00 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:39959 to [65.121.55.42]:25
Jul 14 08:14:00 mail postfix/dnsblog[23450]: addr 104.171.171.62 listed by domain zen.spamhaus.org as 127.0.0.3
Jul 14 08:14:01 mail postfix/postscreen[19509]: DNSBL rank 7 for [104.171.171.62]:39959
Jul 14 08:14:01 mail postfix/postscreen[19509]: NOQUEUE: reject: RCPT from [104.171.171.62]:39959: 550 5.7.1 Service unavailable; client [104.171.171.62] blocked using zen.spamhaus.org; from=<***@amhea1.binncp.top>, to=<*munged2*@*munged2*>, proto=ESMTP, helo=<amhea1.binncp.top>
Jul 14 08:14:01 mail postfix/postscreen[19509]: DISCONNECT [104.171.171.62]:39959
Jul 14 08:19:21 mail postfix/anvil[21876]: statistics: max connection rate 2/60s for (smtpd:104.171.171.62) at Jul 14 08:13:32

`dig rheocrat62.vwhconsulting.com` returns no ANSWER section, but `dig 104.171.171.62` returns "rheocrat62.vwhconsulting.com" so maybe it’s my DNS that is the issue, but `dig @8.8.8.8 rheocrat62.vwhconsulting.com` didn’t return a result either.

I am not sure, but it seems like a hostname not resolving to the connecting IP could easily be cause for immediate rejection without losing legitimate mail?
--
Don't congratulate yourself too much, or berate yourself either. Your
choices are half chance; so are everybody else's.
Wietse Venema
2016-07-14 23:17:28 UTC
Post by @lbutlr
mail postfix/smtpd[59689]: warning: hostname sa0877.azar-a.net does not resolve to address 91.219.236.126
And while I assume that these are all just spammers, it looks like the connection continues to get processed and (at least in the few I've checked) eventually gets rejected by an RBL check in postscreen.
The warning is logged, so that you know why the client is logged
as "unknown", and why access rules based on domain names will not
work as expected.
Post by @lbutlr
This processing takes a while, and several connections are made, so is there anything I should consider doing to speed this rejection process up? Or should I just ignore this as “working as intended”? Here is one connection from earlier today which appears to have made a total of 6 connections (4 CONNECT and 2 connect) over the course of about 90 seconds.
If you could speed up the remote DNS server, that would be best
(yes, that is a joke). But it does illustrate why postscreen will
never do client hostname lookups.
Post by @lbutlr
Jul 14 08:12:35 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:47075 to [65.121.55.42]:25
Jul 14 08:12:39 mail postfix/postscreen[19509]: PASS NEW [104.171.171.62]:47075
Jul 14 08:12:54 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
With this particular domain, any lookup for vwhconsulting.com fails
with SERVFAIL after several seconds. There are many poorly-managed
domains.

Wietse
Noel Jones
2016-07-15 00:50:59 UTC
Post by @lbutlr
mail postfix/smtpd[59689]: warning: hostname sa0877.azar-a.net does not resolve to address 91.219.236.126
This is normal for a client with broken DNS, and is necessary to
record why the client is labeled "unknown". Note this is only
logged if the client gets past postscreen.
Post by @lbutlr
And while I assume that these are all just spammers, it looks like the connection continues to get processed and (at least in the few I’ve checked) eventually gets rejected by an RBL check in postscreen.
This processing takes a while, and several connections are made, so is there anything I should consider doing to speed this rejection process up? Or should I just ignore this as “working as intended”? Here is one connection from earlier today which appears to have made a total of 6 connections (4 CONNECT and 2 connect) over the course of about 90 seconds.
No, 4 connections (CONNECT to postscreen), 2 of which made it past
postscreen to the smtpd connect -- likely because the IP wasn't
listed in RBLs yet. And it looks as if the spamware email engine
disconnected prematurely before attempting to send anything "lost
connection after CONNECT" logged by smtpd.

Aside from Wietse's joke about speeding up the remote DNS, just
ignore these. The actual load incurred on your system is
essentially nil, especially when they're blocked in postscreen.
Post by @lbutlr
Jul 14 08:12:35 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:47075 to [65.121.55.42]:25
A connection
Post by @lbutlr
Jul 14 08:12:39 mail postfix/postscreen[19509]: PASS NEW [104.171.171.62]:47075
passed by postscreen to...
Post by @lbutlr
Jul 14 08:12:54 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
Jul 14 08:12:54 mail postfix/smtpd[23615]: connect from unknown[104.171.171.62]
smtpd, which logs the bad DNS.
Post by @lbutlr
Jul 14 08:12:54 mail postfix/smtpd[23615]: lost connection after CONNECT from unknown[104.171.171.62]
the other end drops the connection without sending anything.
Post by @lbutlr
Jul 14 08:12:54 mail postfix/smtpd[23615]: disconnect from unknown[104.171.171.62] commands=0/0
postfix logs the disconnect. Note commands=0/0 ie. nothing sent.
This is then repeated, not shown here. Also notice the disconnect
is logged by smtpd.
Post by @lbutlr
Jul 14 08:13:42 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:58369 to [65.121.55.42]:25
Jul 14 08:13:42 mail postfix/dnsblog[23446]: addr 104.171.171.62 listed by domain zen.spamhaus.org as 127.0.0.3
Jul 14 08:13:42 mail postfix/postscreen[19509]: DNSBL rank 7 for [104.171.171.62]:58369
Jul 14 08:13:42 mail postfix/postscreen[19509]: DISCONNECT [104.171.171.62]:58369
~48 seconds later, a connection is blocked by postscreen RBL
settings. This is also repeated, not shown here. Notice there is
no logging from smtpd this time, and the DISCONNECT is logged by
postscreen.
Post by @lbutlr
I am not sure, but it seems like a hostname not resolving to the connecting IP could easily be cause for immediate rejection without losing legitimate mail?
This will never be done in postscreen, but smtpd can block
connections with bad dns with reject_unknown_client_hostname
(DANGER: known to reject legit mail), and
reject_unknown_reverse_client_hostname (less strict, widely used,
but still possible to reject legit mail).

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

This client would have been rejected with the less strict
reject_unknown_reverse_client_hostname after logging the sender and
recipient, assuming the default smtpd_delay_reject=yes.

Don't get too enthusiastic with trying to optimize for early
rejections; it will come back to bite you when you do get a false
positive.


-- Noel Jones
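
The walk-through in the reply above, as an added example that is not part of the original thread: a Python script that tallies, per client IP, how many connections postscreen accepted, how many it passed on to smtpd, how many it dropped after a DNSBL hit, and how many smtpd sessions logged the hostname warning. The sample is a subset of the log lines posted in the thread; the event labels (`connect`, `pass`, `dnsbl`, `smtpd_connect`, `dns_warning`) are names chosen for this example.

```python
import re
from collections import Counter, defaultdict

# A subset of the log lines posted in the thread (postscreen upper-case CONNECT vs. smtpd lower-case connect).
SAMPLE_LOG = """\
Jul 14 08:12:35 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:47075 to [65.121.55.42]:25
Jul 14 08:12:39 mail postfix/postscreen[19509]: PASS NEW [104.171.171.62]:47075
Jul 14 08:12:54 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
Jul 14 08:12:54 mail postfix/smtpd[23615]: connect from unknown[104.171.171.62]
Jul 14 08:13:17 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:45788 to [65.121.55.42]:25
Jul 14 08:13:17 mail postfix/postscreen[19509]: PASS OLD [104.171.171.62]:45788
Jul 14 08:13:32 mail postfix/smtpd[23615]: warning: hostname rheocrat62.vwhconsulting.com does not resolve to address 104.171.171.62: hostname nor servname provided, or not known
Jul 14 08:13:32 mail postfix/smtpd[23615]: connect from unknown[104.171.171.62]
Jul 14 08:13:42 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:58369 to [65.121.55.42]:25
Jul 14 08:13:42 mail postfix/postscreen[19509]: DNSBL rank 7 for [104.171.171.62]:58369
Jul 14 08:14:00 mail postfix/postscreen[19509]: CONNECT from [104.171.171.62]:39959 to [65.121.55.42]:25
Jul 14 08:14:01 mail postfix/postscreen[19509]: DNSBL rank 7 for [104.171.171.62]:39959
"""

LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<msg>.*)$")
# (daemon that logs it, event label used in this example, pattern for the message text)
PATTERNS = [
    ("postscreen", "connect", re.compile(r"^CONNECT from \[(?P<ip>[^\]]+)\]:\d+")),
    ("postscreen", "pass", re.compile(r"^PASS (?:NEW|OLD) \[(?P<ip>[^\]]+)\]:\d+")),
    ("postscreen", "dnsbl", re.compile(r"^DNSBL rank \d+ for \[(?P<ip>[^\]]+)\]:\d+")),
    ("smtpd", "smtpd_connect", re.compile(r"^connect from \S*\[(?P<ip>[^\]]+)\]")),
    ("smtpd", "dns_warning", re.compile(r"^warning: hostname \S+ does not resolve to address (?P<ip>[0-9a-fA-F.:]+?)(?::\s|$)")),
]

def summarize(log_text):
    """Return {client_ip: Counter(event label -> count)} for postscreen/smtpd lines."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for daemon, event, pat in PATTERNS:
            hit = pat.match(m["msg"]) if daemon == m["daemon"] else None
            if hit:
                stats[hit["ip"]][event] += 1
                break
    return stats

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

For the sample this gives 4 postscreen connections, 2 passed to smtpd and 2 blocked on the DNSBL, matching the count given in the reply.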
@lbutlr
2016-07-17 21:14:56 UTC
Post by Noel Jones
Aside from Wietse's joke about speeding up the remote DNS, just
ignore these. The actual load incurred on your system is
essentially nil, especially when they're blocked in postscreen.
Thanks. I wasn’t so much worried about load, but about the possibility that the issue was something my server was causing.
--
Don't congratulate yourself too much, or berate yourself either. Your
choices are half chance; so are everybody else's.