Postfix/rspamd and multiple IPs for senders MX domain (like dhl.com)

Support
, ,
1

NethServer Version: 7.9.2009
Module: Email

Hello,

Having some problems here… Background: All started as our ISP set 30 mail (port 25) per minute limit in their firewall, that should be more than sufficient, but we got blocked many times in the last few months. First there were DDoS attacks trying to send dozens of emails to not existing users at our domain, and actually fail2ban got them after 3 attempts but until it read the log files and applied the filter we already exceeded the limit by responding to these. Fortunately after reorganizing the whole network and setting IP blacklists in pFsense, this problem has gone for now.

Currently we have a strange problem: whenever DHL sends an automated email (arrives without a problem), postfix goes crazy, tries to connect to all of the mail servers (to do some feedback??). It is always some kind of response to the incoming e-mail that triggers the filter at ISP - 4th time in the last 4 work days.

The problem is, I could not find any good flowchart or description about what really happens when an e-mail arrives. First I thought it might be a DMARC report due to some misconfiguration, but SPF, DKIM is valid (according to rSpamd, but also checked SPF manually).

I have packet capture on port 25 for the last time it happened, but as a non-expert all I can see is that after the e-mail arrives well from an IP, a second later there are dozens of SYN connections to several other IPs in a totally different IP range, and then FIN, ACK to the same IPs and the filter bans us, rest of the FIN, ACK ends with TCP tries to do its job.

What I have figured out is that all of these IPs are resolved by the DNS records for the MX domains:

> dhl.com
Server:  UnKnown
Address:  10.10.10.10

Non-authoritative answer:
dhl.com MX preference = 5, mail exchanger = mx1.dhl.iphmx.com
dhl.com MX preference = 10, mail exchanger = mx2.dhl.iphmx.com

mx1.dhl.iphmx.com       internet address = 68.232.135.99
mx1.dhl.iphmx.com       internet address = 68.232.129.198
mx1.dhl.iphmx.com       internet address = 68.232.148.170
mx1.dhl.iphmx.com       internet address = 68.232.142.218
mx1.dhl.iphmx.com       internet address = 68.232.148.169
mx1.dhl.iphmx.com       internet address = 68.232.142.49
mx1.dhl.iphmx.com       internet address = 68.232.143.139
mx1.dhl.iphmx.com       internet address = 68.232.148.171
mx1.dhl.iphmx.com       internet address = 68.232.143.176
mx1.dhl.iphmx.com       internet address = 68.232.130.32
mx1.dhl.iphmx.com       internet address = 68.232.142.236
mx1.dhl.iphmx.com       internet address = 68.232.129.11
mx1.dhl.iphmx.com       internet address = 68.232.142.240
mx1.dhl.iphmx.com       internet address = 68.232.129.199
mx1.dhl.iphmx.com       internet address = 68.232.135.103
mx1.dhl.iphmx.com       internet address = 68.232.141.220
mx1.dhl.iphmx.com       internet address = 68.232.143.21
mx1.dhl.iphmx.com       internet address = 68.232.135.98
mx1.dhl.iphmx.com       internet address = 68.232.135.101
mx1.dhl.iphmx.com       internet address = 68.232.141.53

Possibly not the best way DHL does load balancing (is this even valid)?

Gmail for reference:

> gmail.com
Server:  UnKnown
Address:  10.10.10.10

Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com

gmail-smtp-in.l.google.com      internet address = 108.177.127.27
gmail-smtp-in.l.google.com      AAAA IPv6 address = 2a00:1450:4013:c07::1a
alt3.gmail-smtp-in.l.google.com internet address = 142.250.157.27
alt3.gmail-smtp-in.l.google.com AAAA IPv6 address = 2404:6800:4008:c13::1a
alt4.gmail-smtp-in.l.google.com internet address = 74.125.199.26
alt4.gmail-smtp-in.l.google.com AAAA IPv6 address = 2607:f8b0:400e:c02::1a
alt2.gmail-smtp-in.l.google.com internet address = 74.125.200.26
alt2.gmail-smtp-in.l.google.com AAAA IPv6 address = 2404:6800:4003:c00::1a
alt1.gmail-smtp-in.l.google.com internet address = 142.250.150.26
alt1.gmail-smtp-in.l.google.com AAAA IPv6 address = 2a00:1450:4010:c1c::1a

Anyhow, it looks like the problem could be solved if postfix would use only 1 IP from the many it receives from the DNS query, or by limiting the rate it does whatever it does.

For limiting, I made some custom changes to the config:

/etc/e-smith/templates-custom/etc/postfix/main.cf/99smtplimit

#default_process_limit = 10
default_destination_concurrency_limit = 2
smtp_destination_recipient_limit = 2
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 10s

/etc/e-smith/templates-custom/etc/postfix/master.cf/99smtplimit

smtp      inet  n       -       n       -       10       smtpd
  -o smtpd_helo_required=yes
  -o strict_rfc821_envelopes=yes

But these did not help - I guess these are for outgoing emails only, not for responses to incoming emails. Still, it would be only a workaround by slowing the whole thing down.

Maybe we could add something to the Nethserver config that is possibly missing or misconfigured? Or is this a postfix issue and I should ask them instead?

So the questions:

  • Could we force postfix to pick 1 IP from this list, and use only that one instead of flooding all of them? Or even handle the DNS records manually for the few problematic domains.
  • Alternatively, could we limit the response rate of these incoming feedbacks?
  • Or make this parallel response sequential - that only continues if the first IP fails?

Bonus:

  • What does postfix respond to (or ask from) all of these IPs?

Thanks for any input, I am pretty much lost and annoyed due to this long lasting problem that strikes back every time I think I have a solution…

2

@CptCharlesG

Hi

A quick solution for your specific Postfix problem I can’t provide…
But maybe an idea for a workaround, as the problem occurs only with one single domain / business / company…

Outsource the problem, eg to Gmail!
Then create a POP3 connector (Or IMAP, whatever works) and feed this into a mail group / list for DHL.
Or you could dedicate 1-2 PCs with a Thunderbird GMail (Or whatever you choose) to handle DHL requests…

You did already note that DHL doesn’t use very optimal DNS configuration. It may be legal, but someone obviously didn’t really pay attention in DNS classes… Or had a nice window seat…
So your poor Postfix tries to verify Mail stuff (Read DKIM, DMARC, SPF etc) for each and every server on the DNS answer.

Not much you can do about someone elses bad configuration - except outsource the major issue until you / they change things…

But you / your users should NOT have outage due to blocking becaues of a single badly configured DNS!

Let them take on someone their size, or bigger… :slight_smile:
(I don’t think GMail will have an Issue with DHL mail. )

My 2 cents
Andy

3

Hi Andy,

Somehow I expected you to be the first to reply… :grinning:

Previously our mailing was on a shared webhost, but I just got annoyed by the server IP getting blacklisted every month by somebody else’s fault, and that took longer time to be removed.

Later we decided to move the mailing to the HQ with NethServer, which worked fine for a year.

Then this filter was applied - which is a good thing to have an extra layer of security, and actually it forced us to strengthen the firewall, filtering and configs, but still these small things those should be harmless are now driving me crazy. Our ISP’s sysadmin can lift the ban quickly, but if it gets annoying for me, then I guess they would be to see a final solution too…

Actually we are also moving our website off from the shared hosting to a VPS, which could host mailing, but the mailing is already configured in send only mode and also would not spend the storage for mails. Well, maybe with POP3 connector and immediate delete would be an option, but them also there is the problem of shared mailboxes and it also makes LDAP much harder.

Moving the whole mailing to Google Business Suite or something would be also an option, but honestly, in this world I tend to think that the company’s data is safer inside its walls - hello cloud technology, nice to meet you… :roll_eyes:

I am not sure what this traffic supposed to be but rSpamd SPF/DKIM checks gives the very same results whether port 25 is blocked or not, so incoming emails are working just fine despite we are blocked. Or possibly the only difference is that google sends the daily DMARC report multiple times when we are blocked - but every regular email arrives only once and at the time they send it.

So overall it would be better to find a solution for this problem - because otherwise the current setup on Nethserver is just rock solid, more secure than ever, and highly integrated with other systems locally.

Edit: actually it might be rspamd and not postfix… really hard to tell based on time stamps of NethServer and pfSense (ntp: pfSense->Win DC->NS)

1 Like
4

@CptCharlesG

I also tend to avoid Cloud where possible, however it does have it’s uses…
I’ll admit having a “junkmail” account at GMail - just for that purpose…

Hey! Google makes money with advertising.
And essentially, junkmail is mostly unsolicited advertising mail, aka SPAM.
Well, let the advertising pros handle the advertising… :slight_smile:

I’ll also admit having to use a GMail account to register 5 copies of (paid for) MS-Office - as the clients mail was badly configured by my predecessor and I had to wait for the transfer (DNS). And I needed those Office activated, and MS would not accept the internal mail server (then)…

6 Months later, I added the correct mail to that account… :slight_smile:

My 2 cents
Andy

5

I am thinking about it could be rSpamd too…

But do we have any log for that or only the maillog?
There is a /var/log/rspamd/ folder but completely empty.
In the admin the under the History the Error list is also empty - possibly that folder is only for errors.

6

Maybe we need help from @stephdl ?

:slight_smile:

PS: I’ll also admit to not knowing Baja… But Szeged has a really beautiful old town - well kept, tidy & beautiful! And the flowers! :slight_smile:

7

https://rspamd.com/doc/modules/mx_check.html

This looks very much like what I see in the traffic logs… Also in the History there is MX_INVALID (0.5) for all the DHL e-mails, despite in the packet capture it looks like their server responds to ours initially - but possibly cannot finish all the check as we are getting banned half time.

I will add dhl.com to the exclude domains in /etc/rspamd/override.d/mx_check.conf and we will see…

ps: Baja and Szeged are “rivals” on who makes the better “Fisherman’s Soup” - our recipe is better of course… I’m just not a huge fan tho…

1 Like