Problems with Policyd
GuS Offline
Junior Member
*

Posts: 47
Joined: Apr 2007
Reputation: 1
Post: #1
Problems with Policyd
Hi!

I've recently installed the latest Ubuntu with the latest ISPcp. Now, after migrating everything to this new server, I saw that policyd is blocking the server's own accounts, with something like this:

postfix/policyd-weight decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs.

Actually, there are many other servers in my networks, mostly LTSP, so I saw that policyd also blocks those IPs, which correspond to my network.

Any tip on what is going on?

I've temporarily disabled the lines in main.cf of Postfix to avoid these checks.
08-13-2010 11:30 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #2
RE: Problems with Policyd
Hm, more info (from the log and about your hostnames...) may be helpful because there are several reasons why policyd blocks...
If it's really because of HELO things, then HELO and PTR (reverse DNS) are not OK.

/J
08-14-2010 05:28 AM
GuS Offline
Junior Member
*

Posts: 47
Joined: Apr 2007
Reputation: 1
Post: #3
RE: Problems with Policyd
(08-14-2010 05:28 AM)joximu Wrote:  Hm, more info (from the log and about your hostnames...) may be helpful because there are several reasons why policyd blocks...
If it's really because of HELO things, then HELO and PTR (reverse DNS) are not OK.

/J

My hostname is mail.distalnet.com
The log example is:

Quote:
Aug 12 16:57:08 distal-mx postfix/policyd-weight[5287]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .bomplan. - helo: .atencionpsicologicabuenosaires. - helo-domain: .atencionpsicologicabuenosaires.) FROM_NOT_FAILED_HELO(DOMAIN)=3; <client=72.233.64.31> <helo=atencionpsicologicabuenosaires.com> <from=promociones@bomplan.com.ar> <to=gerardo@distalnet.com>; rate: 1.5
Aug 12 16:57:08 distal-mx postfix/policyd-weight[5287]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: atencionpsicologicabuenosaires.com, MTA hostname: 31.64.233.72.static.reverse.ltdomains.com[72.233.64.31] (helo/hostname mismatch); <client=72.233.64.31> <helo=atencionpsicologicabuenosaires.com> <from=promociones@bomplan.com.ar> <to=gerardo@distalnet.com>; delay: 3s
08-14-2010 05:40 AM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #4
RE: Problems with Policyd
Set up your clients to use their hostname as the "helo" parameter, not your (public) domain.
08-14-2010 07:02 AM
GuS Offline
Junior Member
*

Posts: 47
Joined: Apr 2007
Reputation: 1
Post: #5
RE: Problems with Policyd
(08-14-2010 07:02 AM)kilburn Wrote:  Set up your clients to use their hostname as the "helo" parameter, not your (public) domain.

What do you mean by their hostname as "helo"? Do you mean in the IMAP/POP/SMTP configuration in their email client apps?
If you mean that, I don't get "their hostname".
In their client apps I use mail.distalnet.com.

Thanks

EDIT: here I have another similar one:

Quote:
Aug 13 08:11:11 distal-mx postfix/policyd-weight[5135]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 BOGUS_MX=2.1 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .localhost.localdomain. - helo: .localhost.localdomain. - helo-domain: .localdomain.) MAIL_SEEMS_FORGED=2.5; <client=64.76.16.229> <helo=localhost.localdomain> <from=apache@localhost.localdomain> <to=mariano@distalnet.com>; rate: 3.1
Aug 13 08:11:11 distal-mx postfix/policyd-weight[5135]: decided action=450 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: localhost.localdomain, MTA hostname: server1.asatej.com[64.76.16.229] (helo/hostname mismatch); <client=64.76.16.229> <helo=localhost.localdomain> <from=apache@localhost.localdomain> <to=mariano@distalnet.com>; delay: 2s
Aug 13 08:11:11 distal-mx postfix/smtpd[4197]: NOQUEUE: reject: RCPT from server1.asatej.com[64.76.16.229]: 450 4.7.1 <mariano@distalnet.com>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: localhost.localdomain, MTA hostname: server1.asatej.com[64.76.16.229] (helo/hostname mismatch); from=<apache@localhost.localdomain> to=<mariano@distalnet.com> proto=ESMTP helo=<localhost.localdomain>

All @distalnet.com correspond to my server users.
(This post was last modified: 08-14-2010 07:29 AM by GuS.)
08-14-2010 07:11 AM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #6
RE: Problems with Policyd
If these are "normal" mail clients, then it means that you're not setting them up properly. Specifically, you are not providing any authentication credentials for the SMTP configuration (the exact way to do this depends on the mail software you use, but usually there's a "this server requires authentication" checkbox around there that you must check). This will solve your problem because authenticated clients don't need to pass any policyd-weight or greylisting filter.
08-14-2010 07:44 AM
GuS Offline
Junior Member
*

Posts: 47
Joined: Apr 2007
Reputation: 1
Post: #7
RE: Problems with Policyd
(08-14-2010 07:44 AM)kilburn Wrote:  If these are "normal" mail clients, then it means that you're not setting them up properly. Specifically, you are not providing any authentication credentials for the SMTP configuration (the exact way to do this depends on the mail software you use, but usually there's a "this server requires authentication" checkbox around there that you must check). This will solve your problem because authenticated clients don't need to pass any policyd-weight or greylisting filter.

Ahh OK, I believe that is the problem. Now, without using policyd and postgrey, it is working anyway... but well, the idea is not to continue like this.

Thanks! I will try when I'm back at work next week.
08-14-2010 09:59 AM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #8
RE: Problems with Policyd
I think there are several mails coming from outside which do not have good settings (MX, sender, IP etc).
Most will be spam - but you never know.

You can increase the level of "action deciding" :-)

Put this in /etc/policyd-weight.conf:

$REJECTLEVEL = 8;

I did so - since the default of "1" seems to me to be too low...

/J
08-14-2010 07:06 PM
GuS Offline
Junior Member
*

Posts: 47
Joined: Apr 2007
Reputation: 1
Post: #9
RE: Problems with Policyd
(08-14-2010 07:06 PM)joximu Wrote:  I think there are several mails coming from outside which do not have good settings (MX, sender, IP etc).
Most will be spam - but you never know.

You can increase the level of "action deciding" :-)

Put this in /etc/policyd-weight.conf:

$REJECTLEVEL = 8;

I did so - since the default of "1" seems to me to be too low...

/J

The problem is not with the emails that come from outside. That error comes when a user from my server (from another machine on the local network) tries to send an email (SMTP).
08-15-2010 01:50 AM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #10
RE: Problems with Policyd
OK, let's try the example from post 3:

MTA helo: atencionpsicologicabuenosaires.com,
MTA hostname: 31.64.233.72.static.reverse.ltdomains.com[72.233.64.31]
(helo/hostname mismatch)

The HELO has no correspondence with the IP of the sender...

# host atencionpsicologicabuenosaires.com
atencionpsicologicabuenosaires.com has address 190.228.29.82

which is not the same as 72.233.64.31.

So the MTA which sends the mail should have a hostname which points to its IP.

E.g. set the hostname on 72.233.64.31 to server1.atencionpsicologicabuenosaires.com and also set the IP of this hostname in the DNS zone file to 72.233.64.31...

The same in the other example:
MTA helo: localhost.localdomain,
MTA hostname: server1.asatej.com[64.76.16.229]

/Joxi
... or at least set the hostname in the postfix of the sending server...
(This post was last modified: 08-15-2010 08:03 PM by joximu.)
08-15-2010 07:52 PM
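Added example, not part of any post in this thread: a small Python parser for the policyd-weight "weighted check" lines quoted above, showing which tests raised each score and how the $REJECTLEVEL values discussed in post #8 (1 and 8) change the outcome for the deliveries analysed in post #10. The function names are hypothetical, and treating a score at or above the threshold as blocked is an assumption about how policyd-weight compares the two.

```python
import re

# Constructed sample: the two "weighted check" lines quoted in this thread.
SAMPLE_LOG = """\
Aug 12 16:57:08 distal-mx postfix/policyd-weight[5287]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .bomplan. - helo: .atencionpsicologicabuenosaires. - helo-domain: .atencionpsicologicabuenosaires.) FROM_NOT_FAILED_HELO(DOMAIN)=3; <client=72.233.64.31> <helo=atencionpsicologicabuenosaires.com> <from=promociones@bomplan.com.ar> <to=gerardo@distalnet.com>; rate: 1.5
Aug 13 08:11:11 distal-mx postfix/policyd-weight[5135]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 BOGUS_MX=2.1 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .localhost.localdomain. - helo: .localhost.localdomain. - helo-domain: .localdomain.) MAIL_SEEMS_FORGED=2.5; <client=64.76.16.229> <helo=localhost.localdomain> <from=apache@localhost.localdomain> <to=mariano@distalnet.com>; rate: 3.1
"""

TEST_RE = re.compile(r"([^\s=]+)=(-?\d+(?:\.\d+)?)")


def parse_weighted_check(line):
    """Parse one policyd-weight 'weighted check' line; None for other lines."""
    if "weighted check:" not in line:
        return None
    # Test results sit between the marker and the first ';'. The later
    # <client=...> fields also contain '=', so they are cut off first.
    tests_part = line.split("weighted check:", 1)[1].split(";", 1)[0]
    weights = {name: float(value) for name, value in TEST_RE.findall(tests_part)}
    client = re.search(r"<client=([^>]+)>", line)
    helo = re.search(r"<helo=([^>]+)>", line)
    rate = re.search(r"rate: (-?\d+(?:\.\d+)?)", line)
    return {
        "client": client.group(1) if client else None,
        "helo": helo.group(1) if helo else None,
        "weights": weights,
        "score": round(sum(weights.values()), 2),
        "logged_rate": float(rate.group(1)) if rate else None,
    }


def summarize(log_text, reject_level):
    """List each scored delivery, the tests that raised its score, and
    whether the score reaches reject_level (assumed comparison: >=)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_weighted_check(line)
        if entry is None:
            continue
        raised = {n: w for n, w in entry["weights"].items() if w > 0}
        entry["raised_by"] = sorted(raised, key=raised.get, reverse=True)
        entry["blocked"] = entry["score"] >= reject_level
        results.append(entry)
    return results


if __name__ == "__main__":
    for level in (1, 8):  # the two $REJECTLEVEL values mentioned in the thread
        for e in summarize(SAMPLE_LOG, level):
            print(level, e["client"], e["helo"], e["score"], e["blocked"], e["raised_by"])
```

In both sample lines the DNSBL tests lower the score and only the HELO/MX tests raise it, and the summed weights equal the logged "rate" value.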