false positive

pattonb
Posts: 38
Joined: Sat Jul 01, 2017 3:09 am
ZCS/ZD Version: 8.8.12

false positive

Post by pattonb »

I am seeing "false positives" in zimbra.log: ".....50 4.7.25 Client host rejected: cannot find your hostname.....". I am wondering how this happens.
A dig/nslookup confirms that the fqdn does resolve.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: false positive

Post by phoenix »

Many things can 'cause' it, but you've given no information (nor any log files) about the circumstances under which this problem occurs, nor have you mentioned how often this happens, whether it's a new problem, or anything about your ZCS server, and there's also no confirmation that your DNS records (including reverse DNS) are correct. You should always post the full output of the following command:

zmcontrol -v
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
pattonb
Posts: 38
Joined: Sat Jul 01, 2017 3:09 am
ZCS/ZD Version: 8.8.12

Re: false positive

Post by pattonb »

zmcontrol -v --> Release 8.7.6_GA_1776.RHEL6_64_20170326144124 RHEL6_64 FOSS edition.

and here is a snippet of the logs.

Oct 12 12:40:45 gw postfix/postscreen[25313]: CONNECT from [72.2.34.28]:17339 to [184.68.103.194]:25
Oct 12 12:40:45 gw postfix/postscreen[25313]: PASS OLD [72.2.34.28]:17339
Oct 12 12:40:45 gw postfix/smtpd[29598]: warning: hostname hrmdf.net does not resolve to address 72.2.34.28
Oct 12 12:40:45 gw postfix/smtpd[29598]: connect from unknown[72.2.34.28]
Oct 12 12:40:45 gw postfix/smtpd[29598]: Anonymous TLS connection established from unknown[72.2.34.28]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 12 12:40:45 gw postfix/smtpd[29598]: NOQUEUE: filter: RCPT from unknown[72.2.34.28]: <user@highriver.ca>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user@highriver.ca> to=<user@outlookrealty.ca> proto=ESMTP helo=<mail.hrmdf.net>
Oct 12 12:40:45 gw postfix/smtpd[29598]: NOQUEUE: filter: RCPT from unknown[72.2.34.28]: <user@highriver.ca>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<user@highriver.ca> to=<user@outlookrealty.ca> proto=ESMTP helo=<mail.hrmdf.net>
Oct 12 12:40:45 gw postfix/smtpd[29598]: NOQUEUE: reject: RCPT from unknown[72.2.34.28]: 450 4.7.25 Client host rejected: cannot find your hostname, [72.2.34.28]; from=<user@highriver.ca> to=<user@outlookrealty.ca> proto=ESMTP helo=<mail.hrmdf.net>
Oct 12 12:40:45 gw postfix/smtpd[29598]: disconnect from unknown[72.2.34.28] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Oct 12 12:41:46 gw postfix/postscreen[25313]: CONNECT from [72.2.34.28]:17358 to [184.68.103.194]:25
Oct 12 12:41:46 gw postfix/postscreen[25313]: PASS OLD [72.2.34.28]:17358
Oct 12 12:41:46 gw postfix/smtpd[29598]: warning: hostname hrmdf.net does not resolve to address 72.2.34.28

I have edited the email to and from, other than that, the pertinent info is there.

Frequently I see "cannot find your hostname" meaning the PTR lookup failed. In this example the PTR is fine.

dig -x 72.2.34.28
;; ANSWER SECTION:
28.34.2.72.in-addr.arpa. 66892 IN PTR hrmdf.net.
28.34.2.72.in-addr.arpa. 66892 IN PTR mail.hrmdf.net.

I wonder if having 2 answers is the issue.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: false positive

Post by phoenix »

pattonb wrote:
28.34.2.72.in-addr.arpa. 66892 IN PTR hrmdf.net.

I wonder if having 2 answers is the issue.

That's exactly the problem, and the record above is not a valid hostname, which it's required to be - remove that entry and it will be fine.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
vtsunami
Posts: 9
Joined: Thu Jan 04, 2018 1:35 pm

Re: false positive

Post by vtsunami »

Hey,

Did you resolve your issue? I have a similar problem. I think the problem is that hrmdf.net does not point to 72.2.34.28.

ping hrmdf.net

Pinging hrmdf.net [104.18.50.84]

My problem is with another domain, but the result is the same: the domain does not point to the IP from which it connected.

Is there anything that can be done about it?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: false positive

Post by phoenix »

vtsunami wrote:
Did you resolve your issue? I have a similar problem. I think the problem is that hrmdf.net does not point to 72.2.34.28.

A 'similar problem' is not the same problem as mentioned here; you should always start a new thread rather than tag your question onto a thread that isn't the same. You should always start your post by giving the full output of the following command:

zmcontrol -v
You're also not giving full details of the exact problem.

vtsunami wrote:
ping hrmdf.net

Pinging hrmdf.net [104.18.50.84]

My problem is with another domain, but the result is the same: the domain does not point to the IP from which it connected.

Is there anything that can be done about it?

That depends. ;) Are these inbound or outbound mail connections? What have you tried to resolve the problem? Is this a new install or an upgraded system? How long has this been happening; is it a new problem or have you had it for a while? A bit of research and a comprehensive description of the problem goes a long way to getting your questions answered.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
vtsunami
Posts: 9
Joined: Thu Jan 04, 2018 1:35 pm

Re: false positive

Post by vtsunami »

Sorry, most of the time people complain about the search function.

My Zimbra version:

zmcontrol -v Release 8.7.1_GA_1670.RHEL7_64_20161025045328 RHEL7_64 FOSS edition.

The last time I upgraded my Zimbra was December 2016, so it's not a new install or a freshly upgraded version. It's hard to tell how long I've been experiencing this problem; the first time someone asked me why he wasn't receiving some of the emails was about 6 months ago. After that I had 3 or 4 of the same question with the same problem. The problem is with incoming emails.

Sample logs:

Jan 3 13:23:05 v-kajmany postfix/postscreen[8995]: CONNECT from [89.161.251.167]:45142 to [149.156.208.232]:25
Jan 3 13:23:06 v-kajmany postfix/postscreen[8995]: PASS OLD [89.161.251.167]:45142
Jan 3 13:23:07 v-kajmany postfix/smtpd[22965]: warning: hostname post.pl does not resolve to address 89.161.251.167
Jan 3 13:23:07 v-kajmany postfix/smtpd[22965]: connect from unknown[89.161.251.167]
Jan 3 13:23:07 v-kajmany postfix/smtpd[22965]: Anonymous TLS connection established from unknown[89.161.251.167]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 3 13:23:08 v-kajmany postfix/smtpd[22965]: NOQUEUE: filter: RCPT from unknown[89.161.251.167]: <xxx@post.pl>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<xxx@post.pl> to=<xxx@uek.krakow.pl> proto=ESMTP helo=<post.pl>
Jan 3 13:23:08 v-kajmany postfix/smtpd[22965]: NOQUEUE: filter: RCPT from unknown[89.161.251.167]: <xxx@post.pl>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<xxx@post.pl> to=<xxx@uek.krakow.pl> proto=ESMTP helo=<post.pl>
Jan 3 13:23:09 v-kajmany postfix/smtpd[22965]: NOQUEUE: reject: RCPT from unknown[89.161.251.167]: 450 4.7.25 Client host rejected: cannot find your hostname, [89.161.251.167]; from=<xxx@post.pl> to=<xxx@uek.krakow.pl> proto=ESMTP helo=<post.pl>

And if we check:

Pinging post.pl [212.85.96.51] (I think the problem is here; it should also refer to 89.161.251.167)
host 89.161.251.167
167.251.161.89.in-addr.arpa domain name pointer post.pl. (revDNS seems fine)

Same here:

Dec 29 15:15:25 v-kajmany postfix/postscreen[27097]: CONNECT from [210.93.48.153]:38183 to [149.156.208.232]:25
Dec 29 15:15:25 v-kajmany postfix/postscreen[27097]: CONNECT from [210.93.48.153]:38184 to [149.156.208.232]:25
Dec 29 15:15:31 v-kajmany postfix/postscreen[27097]: PASS NEW [210.93.48.153]:38183
Dec 29 15:15:31 v-kajmany postfix/postscreen[27097]: PASS NEW [210.93.48.153]:38184
Dec 29 15:15:32 v-kajmany postfix/smtpd[11748]: warning: hostname mail.kpu.ac.kr does not resolve to address 210.93.48.153
Dec 29 15:15:32 v-kajmany postfix/smtpd[11748]: connect from unknown[210.93.48.153]
Dec 29 15:15:32 v-kajmany postfix/smtpd[2350]: warning: hostname mail.kpu.ac.kr does not resolve to address 210.93.48.153
Dec 29 15:15:32 v-kajmany postfix/smtpd[2350]: connect from unknown[210.93.48.153]
Dec 29 15:15:34 v-kajmany postfix/smtpd[2350]: NOQUEUE: filter: RCPT from unknown[210.93.48.153]: <xxx@kpu.ac.kr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[11748]: NOQUEUE: filter: RCPT from unknown[210.93.48.153]: <xxx@kpu.ac.kr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[2350]: NOQUEUE: filter: RCPT from unknown[210.93.48.153]: <xxx@kpu.ac.kr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[2350]: NOQUEUE: reject: RCPT from unknown[210.93.48.153]: 450 4.7.25 Client host rejected: cannot find your hostname, [210.93.48.153]; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[11748]: NOQUEUE: filter: RCPT from unknown[210.93.48.153]: <xxx@kpu.ac.kr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[11748]: NOQUEUE: reject: RCPT from unknown[210.93.48.153]: 450 4.7.25 Client host rejected: cannot find your hostname, [210.93.48.153]; from=<xxx@kpu.ac.kr> to=<xxx@uek.krakow.pl> proto=SMTP helo=<kpu.ac.kr>
Dec 29 15:15:35 v-kajmany postfix/smtpd[2350]: lost connection after RCPT from unknown[210.93.48.153]
Dec 29 15:15:35 v-kajmany postfix/smtpd[2350]: disconnect from unknown[210.93.48.153] helo=1 mail=1 rcpt=0/1 commands=2/3

Pinging mail.kpu.ac.kr [210.93.48.155]

dig -x 210.93.48.153

;; ANSWER SECTION:
153.48.93.210.in-addr.arpa. 43173 IN PTR mail.kpu.ac.kr.
vtsunami
Posts: 9
Joined: Thu Jan 04, 2018 1:35 pm

Re: false positive

Post by vtsunami »

I'm using my own DNS server (not using ZCS dnscache).

Here is nslookup from the ZCS server:

[zimbra@v-kajmany ~]$ nslookup
> server 149.156.208.49
Default server: 149.156.208.49
Address: 149.156.208.49#53
> post.pl
Server: 149.156.208.49
Address: 149.156.208.49#53

Non-authoritative answer:
Name: post.pl
Address: 212.85.96.51
>
> 89.161.251.167
Server: 149.156.208.49
Address: 149.156.208.49#53

Non-authoritative answer:
167.251.161.89.in-addr.arpa name = post.pl.

Authoritative answers can be found from:
251.161.89.in-addr.arpa nameserver = dns.home.pl.
251.161.89.in-addr.arpa nameserver = dns3.home.pl.
251.161.89.in-addr.arpa nameserver = dns2.home.pl.
dns.home.pl internet address = 46.242.149.10
dns.home.pl internet address = 46.242.149.11
dns2.home.pl internet address = 46.242.149.20
dns2.home.pl internet address = 46.242.149.21
dns3.home.pl internet address = 46.242.149.31
dns3.home.pl internet address = 46.242.149.30
> mail.kpu.ac.kr
Server: 149.156.208.49
Address: 149.156.208.49#53

Non-authoritative answer:
Name: mail.kpu.ac.kr
Address: 210.93.48.155
> 210.93.48.153
Server: 149.156.208.49
Address: 149.156.208.49#53

Non-authoritative answer:
153.48.93.210.in-addr.arpa name = mail.kpu.ac.kr.

Authoritative answers can be found from:
48.93.210.in-addr.arpa nameserver = rev2.kornet.net.
48.93.210.in-addr.arpa nameserver = rev1.kornet.net.
rev1.kornet.net internet address = 211.216.50.170
rev2.kornet.net internet address = 211.216.50.180

As for RBLs, I'm using:

zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org

The problem is not intermittent: if mail from post.pl comes from IP 212.85.96.51 there is no problem and Zimbra doesn't complain about an unknown hostname, but if it comes from 89.161.251.167 it's rejected. I can't say about kpu.ac.kr because they only mailed us once. Most emails (if they're not spam) don't have this kind of problem; it's only when the IP the mail came from doesn't match the domain, like in this case: post.pl = 212.85.96.51 and the mail came from IP 89.161.251.167.

The only thing that came to mind is that they should just point that domain name to another IP address. Like Google:

host gmail.com
gmail.com has address 172.217.20.197
gmail.com has IPv6 address 2a00:1450:401b:803::2005
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
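The rejection both posters see is the forward-confirmed reverse DNS (FCrDNS) check: Postfix resolves the client IP to PTR names, resolves each name forward again, and the client IP must appear in that forward answer. The script below is an added example (not Zimbra or Postfix code) that replays the thread's cases offline on constructed lookup tables built from the dig, nslookup and ping output above; the PTR for 212.85.96.51 and the empty A record for mail.hrmdf.net are assumptions, as is the rule that one matching PTR name is enough.

```python
"""FCrDNS check of the kind behind Postfix's "450 4.7.25 Client host rejected:
cannot find your hostname". Added example, not Zimbra or Postfix code; the
resolver is injected so the thread's cases replay offline on constructed data."""
import ipaddress
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]   # client IP -> PTR names
AddrLookup = Callable[[str], List[str]]  # hostname -> A/AAAA addresses


def fcrdns_check(ip: str, ptr: PtrLookup, addr: AddrLookup) -> Dict[str, object]:
    """Accept only if some PTR name resolves forward to an address set that
    contains the client IP. Assumption: one matching PTR name is enough
    (Postfix releases differ in how many PTR names they try)."""
    client = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return {"ok": False, "reason": "no PTR record", "names": {}}
    checked: Dict[str, List[str]] = {}
    for name in names:
        checked[name] = addr(name)  # the 'hostname X does not resolve to address' step
        if any(ipaddress.ip_address(a) == client for a in checked[name]):
            return {"ok": True, "reason": f"{name} resolves back to {ip}", "names": checked}
    return {"ok": False, "reason": f"no PTR name resolves to {ip}", "names": checked}


# Constructed tables modelled on the dig/nslookup/ping output quoted in the thread.
PTR_TABLE = {
    "72.2.34.28": ["hrmdf.net", "mail.hrmdf.net"],
    "89.161.251.167": ["post.pl"],
    "210.93.48.153": ["mail.kpu.ac.kr"],
    "212.85.96.51": ["post.pl"],      # assumed PTR for the post.pl IP that is accepted
}
A_TABLE = {
    "hrmdf.net": ["104.18.50.84"],
    "mail.hrmdf.net": [],             # assumed: no A record published for this name
    "post.pl": ["212.85.96.51"],
    "mail.kpu.ac.kr": ["210.93.48.155"],
}


def _lookup(ip: str) -> Dict[str, object]:
    return fcrdns_check(ip, lambda i: PTR_TABLE.get(i, []), lambda n: A_TABLE.get(n, []))


def check_thread_cases() -> Dict[str, bool]:
    """True for IPs the check accepts, False for 'cannot find your hostname'."""
    return {ip: _lookup(ip)["ok"] for ip in PTR_TABLE}


def failing_names(ip: str) -> List[str]:
    """PTR names that would produce Postfix's 'does not resolve to address' warning."""
    return [n for n, addrs in _lookup(ip)["names"].items() if ip not in addrs]
```

Only the sending side can fix a failing case, by publishing an A record for the PTR name that contains the sending IP; on the receiving side the check is controlled by the `reject_unknown_client_hostname` restriction in Zimbra's `zimbraMtaRestriction` list.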
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: false positive

Post by phoenix »

I can't imagine why those servers are being rejected; I don't have any problems determining their correct IP address from their DNS responses. I think what it's indicating to me is that there is a DNS problem somewhere. What are you using for DNS: is it a local DNS caching server (or the ZCS dnscache) or an external public DNS server? Do you have any RBLs that may be doing a lookup for these servers? I'm assuming that this problem is intermittent for these specific servers; does it only happen for those servers or are there others? When you do the DNS checks for these servers, are you actually doing it from the ZCS server?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
vtsunami
Posts: 9
Joined: Thu Jan 04, 2018 1:35 pm

Re: false positive

Post by vtsunami »

Anyone with the same problem who has got a solution?