HELO for outgoing mail not working properly

Bugs in eFa 4
tessar
Posts: 4
Joined: 10 Nov 2018 09:10

HELO for outgoing mail not working properly

Post by tessar » 24 Jul 2020 06:32

Hello,

I have discovered an issue, but I don't know how long it has been there or how it happened. I'm pretty sure it worked in the past.

I have 2 internet lines with 2 static external IP addresses. Therefore I also have 2 (virtual) IP addresses for EFA4, and the router is configured to route the first IP from EFA to the first internet line and the second IP to the second internet line. All works well so far.

In order for postfix to receive and send on 2 internet lines I had to configure a few things in master.cf:

Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Internal
127.0.0.1:smtp     inet   n      -      n       -       -          smtpd
        -o syslog_name=postfix-local
        -o smtp_helo_name=localhost
        -o smtp_bind_address=127.0.0.1
        -o myhostname=localhost

# Incoming 1 
10.1.1.xx1:smtp      inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix-mail1
        -o smtp_helo_name=mail.XXXX.com
        -o smtp_bind_address=10.1.1.xx1
        -o myhostname=mail.XXXX.com

# Incoming 2
10.1.1.xx2:smtp      inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix-mail2
        -o smtp_helo_name=mail2.XXXX.com
        -o smtp_bind_address=10.1.1.xx2
        -o myhostname=mail2.XXXX.com

# Outgoing 1
relay1    unix  -       -       n       -       -       smtp
        -o smtp_bind_address=10.1.1.xx1
        -o smtp_helo_name=mail.XXXX.com
        -o syslog_name=relay1

# Outgoing 2
relay2    unix  -       -       n       -       -       smtp
        -o smtp_bind_address=10.1.1.xx2
        -o smtp_helo_name=mail2.XXXX.com
        -o syslog_name=relay2

# The following are system defaults
qmqp      unix  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp

showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

Additionally, for Postfix to be able to send on 2 lines I had to set something in main.cf:
(This randomly uses one of the 2 lines for sending emails)

Code:

sender_dependent_default_transport_maps = randmap:{relay1,relay2}

The big problem now is that when relay1 sends an email, the HELO which is transmitted to the remote email server is the IP address of the external static IP instead of the DNS name mail.XXXX.com (DNS and rDNS are registered and configured properly... nslookup does resolve directions).

I used the service helocheck@abuseat.org (just send an email and in the returning diagnostic information it states the HELO that was received)
In my case it was the following:

mail.abuseat.org
Remote Server returned '<mail.abuseat.org #5.0.0 smtp; 550 *** The HELO for IP address xxx.xxx.120.13 was '[xxx.xxx.120.13]' (valid but not recommended syntax) ***>'

If I send via the second line using relay2, I get the following return:

mail.abuseat.org
Remote Server returned '<mail.abuseat.org #5.0.0 smtp; 550 *** The HELO for IP address xxx.xxx.207.27 was 'mail2.XXXX.com' (valid syntax) ***>'

It seems as if there is a DNS resolution made by the postfix server for relay1, because the external IP is not configured anywhere.

Does anyone have a suggestion as to what went wrong and how to solve this mystery?

Thank you
Mario

pdwalker
Posts: 1320
Joined: 18 Mar 2015 09:16

Re: HELO for outgoing mail not working properly

Post by pdwalker » 25 Jul 2020 03:52

A question.

Why do you have two incoming postfix instances? Won't 1 do?

I have an installation with 4 ISPs, 4 static ip addresses and my firewall maps all smtp traffic back to the eFa server. I have no issues.

Next, can your eFa host resolve mail.XXXX.com and mail2.XXXX.com correctly? Why do the EHLO names have to be different?

tessar
Posts: 4
Joined: 10 Nov 2018 09:10

Re: HELO for outgoing mail not working properly

Post by tessar » 04 Aug 2020 03:15

Hello,

I have 2 instances to be able to see which ISP the emails are coming through. I don't really think this can be the problem, as these are different processes.

When I do an nslookup on these addresses, the result is the following. The domain name mail.XXXX.com is the external-facing domain name for the Exchange server that handles this email domain. So eFa is just in the middle and relays all the incoming emails to this Exchange server. So the nslookup gives me the internal IP of this Exchange server.

mail2.XXXX.com cannot be resolved because it does not exist as a real server.

Now the funny thing is, how can postfix get the external IP from the ISP that shows up in the server EHLO response?

mail.abuseat.org
Remote Server returned '<mail.abuseat.org #5.0.0 smtp; 550 *** The HELO for IP address xxx.xxx.120.13 was '[xxx.xxx.120.13]' (valid but not recommended syntax) ***>'


I'm using the EFA nameserver unbound but have another Windows DNS Server that handles the internal addresses. I have a forwarder for internal addresses (XXXX.com) from unbound to the Windows DNS Server in the conf.d of unbound.

tessar
Posts: 4
Joined: 10 Nov 2018 09:10

Re: HELO for outgoing mail not working properly

Post by tessar » 06 Aug 2020 06:37

OK, something is fishy....

I captured the LAN traffic and it seems that the EHLO submits the correct name. But for my relay1 it won't start TLS while for relay2 it does.

Traffic for relay1:

Code:

Response: 		220 mail-server-domain ESMTP mail service ready
Command Line: 	EHLO mail.XXXX.com
Response: 		250-emmex.spamhaus.org Hi mail.XXXX.com [xxx.xxx.120.13]
Command Line: 	MAIL FROM:<aaa.bbb@XXXX.com>
Response: 		250 <aaa.bbb@XXXX.com>, sender OK - how exciting to get mail from you!
Command Line: 	RCPT TO:<helocheck@abuseat.org>
Response: 		550 *** The HELO for IP address xxx.xxx.120.13 was '[xxx.xxx.120.13]' (valid but not recommended syntax) ***\r\n
Command Line: 	RSET
Response: 		250 OK
Command Line: 	QUIT

Traffic from relay2:

Code:

Response: 		220 SMMail 1.48.1 ESMTP
Command Line: 	EHLO mail2.XXXX.com
Response: 		250-emmex.spamhaus.org Hi mail2.XXXX.com [xxx.xxx.207.27]\r\n
Command Line: 	STARTTLS
Response: 		220 Go ahead with TLS
*** the rest is encrypted***

So is there something wrong with the TLS? Why won't it start for relay1?

Any ideas?

Edit:
After some further tests I found out that I always get this as a first response:
220 mail-server-domain ESMTP mail service ready
It does not matter where I send the email to.
(my other ISP works normal by the way)

Is my ISP messing around with my emails and has some sort of "man in the middle" service that also prevents me from using TLS?

shawniverson
Posts: 3144
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: HELO for outgoing mail not working properly

Post by shawniverson » 07 Aug 2020 09:39

Probably ISP, I agree.
Version eFa 4.0.2 now available!
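
The two symptoms seen in the captures in this thread (mail sent without STARTTLS, and the remote end reporting a HELO different from the one the client sent) can be checked automatically. The following is an added example, not code from any poster or from eFa; the function name `analyze`, the hostnames and the addresses are assumptions, and the sample sessions are constructed in the same "Command Line:/Response:" layout as the captures.

```python
import re

# Constructed captures in the "Command Line:/Response:" layout used above.
# Hostnames and addresses are placeholders, not values from the thread.
RELAY1 = """\
Response: 220 mail-server-domain ESMTP mail service ready
Command Line: EHLO mail.example.com
Response: 250-mx.example.net Hi mail.example.com [192.0.2.13]
Command Line: MAIL FROM:<user@example.com>
Response: 250 sender OK
Command Line: RCPT TO:<helocheck@abuseat.org>
Response: 550 *** The HELO for IP address 192.0.2.13 was '[192.0.2.13]' ***
Command Line: QUIT
"""
RELAY2 = """\
Response: 220 SMMail 1.48.1 ESMTP
Command Line: EHLO mail2.example.com
Response: 250-mx.example.net Hi mail2.example.com [198.51.100.27]
Command Line: STARTTLS
Response: 220 Go ahead with TLS
"""
HELO_SEEN = re.compile(r"The HELO for IP address \S+ was '([^']+)'")

def analyze(transcript):
    """Return findings for one client-side SMTP session transcript."""
    sent_helo = seen_helo = None
    starttls = False
    findings = []
    for line in transcript.splitlines():
        kind, _, text = (part.strip() for part in line.partition(":"))
        words = text.split()
        if kind == "Command Line" and words:
            verb = words[0].upper()
            if verb in ("EHLO", "HELO") and len(words) > 1:
                sent_helo = words[1]
            elif verb == "STARTTLS":
                starttls = True
            elif verb == "MAIL" and not starttls:
                # Envelope sent before any STARTTLS: delivery is in cleartext.
                findings.append("mail-sent-without-starttls")
        elif kind == "Response":
            match = HELO_SEEN.search(text)
            if match:
                seen_helo = match.group(1)
    if sent_helo and seen_helo and sent_helo.lower() != seen_helo.lower():
        # The far end saw a different HELO than the one this client sent,
        # so something between the two re-originated the SMTP session.
        findings.append("helo-differs-from-sent")
    return findings

if __name__ == "__main__":
    for name, capture in (("relay1", RELAY1), ("relay2", RELAY2)):
        print(name, analyze(capture) or "no findings")
```

For destinations known to support TLS, a Postfix `smtp_tls_policy_maps` entry with the `encrypt` level makes delivery defer instead of falling back to cleartext when STARTTLS is not offered.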
