
Mailing List Archive: exim: users

HELO name problems

 

 



ross at biostat

Aug 13, 2009, 9:15 AM

Post #1 of 7 (880 views)
HELO name problems

Because of our network setup, outgoing email goes through a single IP.
This leads to (from a failure report by our exim server):
logcheck-users [at] lists
SMTP error from remote mail server after RCPT TO:<logcheck-users [at] lists>:
host lists.alioth.debian.org [217.196.43.134]:
550-policyd-weight said: Mail appeared to be SPAM or forged. Ask your
550-Mail/DNS-Administrator to correct HELO and DNS MX settings or to get
550-removed from DNSBLs; MTA helo: biostat.ucsf.edu, MTA hostname:
550 upstrm185.psg-ucsf.org[38.99.193.74] (helo/hostname mismatch)

My outbound mail (at least--maybe others) also seems to end up
classified as spam sometimes, and this name mismatch (HELO name
biostat.ucsf.edu does not match the reverse DNS on external IP) might
contribute to that. alioth.debian.org is the only remote server I have
noticed that consistently refuses our email outright.

The admins of the alioth server have indicated they are unwilling to
relax the restriction because of spam. I have seen some opinions that
such a restriction is too strict, but we seem to be stuck with it.

I think this addition to our SMTP transport will fix the problem for the
alioth server:

helo_data = ${if match_domain{$host}{*.alioth.debian.org}{upstrm185.psg-ucsf.org}{$primary_hostname}}

Is there a better solution? Will the previous modification work?

I don't think changing the DNS info for our external IP [38.99.193.74]
is possible, because all our outbound traffic from all machines goes
through it.

Thanks.
Ross Boylan


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at lists

Aug 13, 2009, 12:46 PM

Post #2 of 7 (834 views)
Re: HELO name problems [In reply to]

Ross Boylan wrote:

> helo_data = ${if match_domain{$host}{*.alioth.debian.org}{upstrm185.psg-ucsf.org}{$primary_hostname}}
>
> Is there a better solution? Will the previous modification work?
>
> I don't think changing the DNS info for our external IP [38.99.193.74]
> is possible, because all our outbound traffic from all machines goes
> through it.

If you can't change the DNS, why not just change the helo? You've
already shown you know how to do it with helo_data. Why not just have this:

helo_data = upstrm185.psg-ucsf.org

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/



ross at biostat

Aug 14, 2009, 1:50 PM

Post #3 of 7 (822 views)
Re: HELO name problems [In reply to]

On Thu, 2009-08-13 at 20:46 +0100, Mike Cardwell wrote:
> Ross Boylan wrote:
>
> > helo_data = ${if match_domain{$host}{*.alioth.debian.org}{upstrm185.psg-ucsf.org}{$primary_hostname}}
> >
> > Is there a better solution? Will the previous modification work?
> >
> > I don't think changing the DNS info for our external IP [38.99.193.74]
> > is possible, because all our outbound traffic from all machines goes
> > through it.
>
> If you can't change the DNS, why not just change the helo? You've
> already shown you know how to do it with helo_data. Why not just have this:
>
> helo_data = upstrm185.psg-ucsf.org
>
Our sysadmin is concerned that if the upstream name changes we'll
need to change the rule again. The networking environment we have to go
through to reach the public IP is not under our control, and the folks
who do control it don't necessarily keep us informed.

Ross




eximusers at downhill

Aug 15, 2009, 12:34 AM

Post #4 of 7 (820 views)
Re: HELO name problems [In reply to]

Ross Boylan <ross [at] biostat> wrote:
> On Thu, 2009-08-13 at 20:46 +0100, Mike Cardwell wrote:
>> Ross Boylan wrote:

>> > helo_data = ${if match_domain{$host}{*.alioth.debian.org}{upstrm185.psg-ucsf.org}{$primary_hostname}}

>> > Is there a better solution? Will the previous modification work?
[...]
>> If you can't change the DNS, why not just change the helo? You've
>> already shown you know how to do it with helo_data. Why not just have this:

>> helo_data = upstrm185.psg-ucsf.org

> Our sysadmin is concerned that if the upstream name changes we'll
> need to change the rule again. The networking environment we have to go
> through to reach the public IP is not under our control, and the folks
> who do control it don't necessarily keep us informed.

Hello,

you could use a dnsdb lookup to keep it up to date automatically.

helo_data = ${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}

cu and- Quoted from Debian's exim4 config -reas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




ross at biostat

Aug 15, 2009, 8:42 AM

Post #5 of 7 (811 views)
Re: HELO name problems [In reply to]

On Sat, 2009-08-15 at 09:34 +0200, Andreas Metzler wrote:
> Ross Boylan <ross [at] biostat> wrote:
> > On Thu, 2009-08-13 at 20:46 +0100, Mike Cardwell wrote:
> >> Ross Boylan wrote:
>
> >> > helo_data = ${if match_domain{$host}{*.alioth.debian.org}{upstrm185.psg-ucsf.org}{$primary_hostname}}
>
> >> > Is there a better solution? Will the previous modification work?
> [...]
> >> If you can't change the DNS, why not just change the helo? You've
> >> already shown you know how to do it with helo_data. Why not just have this:
>
> >> helo_data = upstrm185.psg-ucsf.org
>
> > Our sysadmin is concerned that if the upstream name changes we'll
> > need to change the rule again. The networking environment we have to go
> > through to reach the public IP is not under our control, and the folks
> > who do control it don't necessarily keep us informed.
>
> Hello,
>
> you could use a dnsdb lookup to keep it up to date automatically.
>
> helo_data = ${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
Does this impose much of an extra load?

exim says it caches queries but it's not clear if that includes dnsdb,
or that it should. Also the cache is only per process. Similarly DNS
also caches. I don't know how much difference that makes, esp. if there
is some DNS failure.

Also, the IP address could change as well as the name.

Ross





eximusers at downhill

Aug 15, 2009, 9:31 AM

Post #6 of 7 (802 views)
Re: HELO name problems [In reply to]

On 2009-08-15 Ross Boylan <ross [at] biostat> wrote:
> On Sat, 2009-08-15 at 09:34 +0200, Andreas Metzler wrote:
>> Ross Boylan <ross [at] biostat> wrote:
>>> On Thu, 2009-08-13 at 20:46 +0100, Mike Cardwell wrote:
[...]
>>>> helo_data = upstrm185.psg-ucsf.org
[...]

>> you could use a dnsdb lookup to keep it up to date automatically.

>> helo_data = ${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
> Does this impose much of an extra load?

Hello,

I /think/ the extra overhead should be low if you are running a local
caching DNS server which afaik is best practice anyway when running an
SMTP server.

> exim says it caches queries but it's not clear if that includes dnsdb,
> or that it should. Also the cache is only per process. Similarly DNS
> also caches. I don't know how much difference that makes, esp. if there
> is some DNS failure.

defer_never is probably a must, however I guess a failure to resolve will
slow down things a lot.

> Also, the IP address could change as well as the name.

$sending_ip_address will change accordingly.
cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



ross at biostat

Aug 15, 2009, 10:52 AM

Post #7 of 7 (810 views)
Re: HELO name problems [In reply to]

On Sat, 2009-08-15 at 18:31 +0200, Andreas Metzler wrote:
> >> helo_data = ${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
....
> > Also, the IP address could change as well as the name.
>
> $sending_ip_address will change accordingly.
I didn't realize that was a real variable. I don't think it will help
us, since the local ip address is not the one the outside world sees;
the transmission bumps around our internal network first.

Ross
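
The three `helo_data` choices discussed in this thread, run against a simplified receiver-side HELO check: this is an added example, not part of any post and not code from Exim or policyd-weight. Assumptions: the internal address `10.0.0.5`, the renamed PTR `upstrm200.psg-ucsf.org`, the A records and the acceptance rule are all constructed; only the mapping of 38.99.193.74 to upstrm185.psg-ucsf.org comes from the bounce message above.

```python
# Simplified model of a receiver-side HELO check (not policyd-weight's real scoring).
# DNS data is constructed; only 38.99.193.74 -> upstrm185.psg-ucsf.org is from the thread.
PRIMARY_HOSTNAME = "biostat.ucsf.edu"
PUBLIC_IP = "38.99.193.74"
INTERNAL_IP = "10.0.0.5"          # constructed: the mail host's own interface address

def make_dns(ptr_name):
    """Constructed zone data: PTR and matching A record for the public IP."""
    return {"ptr": {PUBLIC_IP: ptr_name},
            "a": {ptr_name: PUBLIC_IP, PRIMARY_HOSTNAME: "192.0.2.10"}}

def helo_primary(dns, sending_ip):
    return PRIMARY_HOSTNAME                      # Exim default: $primary_hostname

def helo_static(dns, sending_ip):
    return "upstrm185.psg-ucsf.org"              # hard-coded helo_data

def helo_dnsdb(dns, sending_ip):
    # ${lookup dnsdb{ptr=$sending_ip_address}{$value}{$primary_hostname}}
    return dns["ptr"].get(sending_ip, PRIMARY_HOSTNAME)

def receiver_accepts(dns, client_ip, helo):
    """Accept if HELO equals the client's PTR name or resolves to the client IP."""
    ptr = dns["ptr"].get(client_ip, "")
    return helo.lower() == ptr.lower() or dns["a"].get(helo.lower()) == client_ip

def evaluate(ptr_name, sending_ip):
    """Return {strategy: accepted?}; the receiver always sees PUBLIC_IP."""
    dns = make_dns(ptr_name)
    strategies = {"primary": helo_primary, "static": helo_static, "dnsdb": helo_dnsdb}
    return {name: receiver_accepts(dns, PUBLIC_IP, fn(dns, sending_ip))
            for name, fn in strategies.items()}

if __name__ == "__main__":
    cases = {
        "behind NAT, current PTR": ("upstrm185.psg-ucsf.org", INTERNAL_IP),
        "behind NAT, PTR renamed": ("upstrm200.psg-ucsf.org", INTERNAL_IP),
        "no NAT, PTR renamed": ("upstrm200.psg-ucsf.org", PUBLIC_IP),
    }
    for label, (ptr_name, sending_ip) in cases.items():
        print(label, evaluate(ptr_name, sending_ip))
```

The static name passes only while the upstream PTR stays the same, and the dnsdb lookup passes only when `$sending_ip_address` is the address the remote server actually sees.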


