Smtpd detecting my intranet DNS setup with bind9 as a dynamic DNS, thus not allowing me to send messages to my intranet mail.

I have set up a self-hosted mail server, which is only available to my intranet; it is advertised in my intranet DNS (bind9) with the following configuration:
Code:
acl LAN {
    192.168.0.0/24;
};

acl ALLEN_LOCALHOST {
    127.0.0.1/32;
};

acl PUBLIC0 {
    192.168.0.3;
};

options {
  directory "/var/named";
  allow-recursion { LAN; localhost; };
  forwarders {
    1.1.1.1; // Cloudflare
    208.67.222.222; // OpenDNS
  };

  listen-on { 192.168.0.3; localhost; };
  listen-on-v6 { none; };

  pid-file "/var/run/named/pid";
  allow-transfer port 53 { PUBLIC0; 0.0.0.0; };
  allow-query { localhost; LAN; };

  recursion yes;

  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
}; // closes the options block; without it named-checkconf rejects the file

zone "my-domain.inexistent-top-level" IN {
  type master;
  file "/var/named/my-domain.inexistent-top-level.db";
  allow-update { none; };
};

zone "mail-probe-eins.my-domain.inexistent-top-level" IN {
  type master;
  file "/var/named/mail-probe-eins.my-domain.inexistent-top-level.db";
  allow-update { none; };
};

zone "168.192.in-addr.arpa" IN {
  type master;
  file "/var/named/168.192.db";
  allow-update { none; };
};
Code:
$TTL 3600
$ORIGIN my-domain.inexistent-top-level.
@   IN SOA ns1.my-domain.inexistent-top-level. admin.my-domain.inexistent-top-level. (
            234
            3600
            600
            604800  
            1800 )


@   IN NS ns1.my-domain.inexistent-top-level.
@   MX 0 mail

@            IN TXT "v=spf1 a:mail.my-domain.inexistent-top-level mx -all ra=postmaster"
mail         IN TXT "v=spf1 a -all ra=postmaster"

; Several IN A and IN TXT of the rest of the FreeBSD Jails and the FreeBSD host, and Kerberos
Code:
$TTL 3600
$ORIGIN mail-probe-eins.my-domain.inexistent-top-level.
@   IN SOA ns1.my-domain.inexistent-top-level. admin.my-domain.inexistent-top-level. (
            21301334
            3600
            600
            604800
            1800 ) 


@   IN NS ns1.my-domain.inexistent-top-level.
@   MX 0 mail

;@           IN TXT "v=spf1 a:mail.mail-probe-eins.my-domain.inexistent-top-level mx -all ra=postmaster"
@            IN TXT "v=spf1 a ip4:192.168.0.41 mx ~all"
_dmarc       IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@mail-probe-eins.my-domain.inexistent-top-level"
mail         IN TXT "v=spf1 a -all ra=postmaster"

mail        IN A 192.168.0.41
; A key longer than 255 characters is one TXT record made of several strings,
; not two separate TXT records at the same name (verifiers would pick one at random).
; DKIM tag names are lower case: "k=rsa", not "K=rsa".
mail._domainkey    IN TXT ( "v=DKIM1;k=rsa;p=The-first-part-of-my-2018-bits-public-key"
                            "the-rest-of-the-key" )

My smtpd has several filters, configured nearly identically to this blog post https://it-notes.dragas.net/2024/03...erver-freebsd-opensmptd-rspamd-dovecot-part1/, of which the rule against dynamic DNS connections, id est this
Code:
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections - Thou shalt not pass"
is preventing me from sending a message from an account that I myself set up on this server to another account on the same exact server.

I know this is what happened because, after setting up an email client on my Android tablet and the account being unable to send messages, I activated logs and the message "550 no residential connections - Thou shalt not pass" appeared in them.

Anyway, any ideas on how to correct my intranet DNS settings?
 
What's in /var/named/168.192.db?
Code:
$TTL 604800
@   IN SOA my-domain.inexistent-top-level. admin.my-domain.inexistent-top-level. (
            24444444 ; Serial number
            3600     ; Refresh period
            600      ; Retry period
            604800   ; Expire time
            1800 )   ; negative ttl

@   IN NS ns1.my-domain.inexistent-top-level.
3.0   IN PTR ns1.my-domain.inexistent-top-level.

6.0   IN PTR nfs.my-domain.inexistent-top-level.
201.0 IN PTR hp.my-domain.inexistent-top-level.

41.0  IN PTR mail.mail-probe-eins.my-domain.inexistent-top-level.
 
Does the reverse actually work? Test it with drill @192.168.0.3 -x <ip of the host>

Does your 'my-domain.inexistent-top-level' (I assume you changed it for privacy reasons) include '.dyn.' or '.dsl.' in its name? Because that's what it's complaining about here:

Code:
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections - Thou shalt not pass"
 
Does the reverse actually work? Test it with drill @192.168.0.3 -x <ip of the host>
I have tested it with host 192.168.0.41 on my Linux workstation, in multiple jails, and in my current bhyve debian-12-nocloud-amd64.img, and all work, returning: 41.0.168.192.in-addr.arpa domain name pointer mail.mail-probe-eins.my-domain.inexistent-top-level.. I have also tested it in the jail that is running the mail servers.
Does your 'my-domain.inexistent-top-level' (I assume you changed it for privacy reasons) include '.dyn.' or '.dsl.' in its name? Because that's what it's complaining about here:
It certainly includes neither dyn nor dsl.
Also, I think I have misread my logs; it actually says "no rdns - Thou shalt not pass", and comes from the rule
Code:
filter check_rdns phase connect match !rdns \
    disconnect "550 no rdns - Thou shalt not pass"
 
drill @192.168.0.3 -x <ip of the host>
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 10908
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; 192.168.0.41.        IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       41256   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024100202 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 192.168.0.3
;; WHEN: Thu Oct  3 15:01:16 2024
;; MSG SIZE  rcvd: 105
 
When run on my Linux machine:
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6016
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 41.0.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
41.0.168.192.in-addr.arpa.      604800  IN      PTR     mail.mail-probe-eins.my-domain.inexistent-top-level.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 127.0.0.53
;; WHEN: Fri Oct  4 17:07:26 2024
;; MSG SIZE  rcvd: 88
 
Checking my logs, it looks like the problem is that the email client is trying to make the delivery through SMTP rather than IMAP, and as the tablet does not have reverse DNS configured, it is rejecting the mails:
Code:
Oct  5 04:15:45 mail dma[f775][167]: new mail from user=root uid=26 envelope_from=<root@mail.mail-probe-eins.my-domain.inexistent-top-level>
Oct  5 04:15:45 mail dma[f775][167]: mail to=<root> queued as f775.2495f3648000
Oct  5 04:15:45 mail dma[f775.2495f3648000][696]: <root> trying delivery
Oct  5 04:15:45 mail dma[f775.2495f3648000][696]: <root> delivery successful
Oct  5 06:28:04 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=26830, TLS, session=<XPLb47QjPoHAqABH>
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp connected address=192.168.0.71 host=<unknown>
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp failed-command command="" result="550 no rdns - Thou shalt not pass"
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp disconnected reason=quit
Oct  5 06:28:53 mail dovecot[96578]: imap(benutzereins@mail-probe-eins.my-domain.inexistent-top-level)<26830><XPLb47QjPoHAqABH>: Disconnected: Connection closed (IDLE running for 0.001 + waiting input for 45.514 secs, 2 B in + 10 B out, state=wait-input) in=316 out=1802 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct  5 06:31:31 mail smtpd[90062]: 4444444444444444 smtp connected address=192.168.0.71 host=<unknown>
Oct  5 06:31:31 mail smtpd[90062]: 4444444444444444 smtp failed-command command="" result="550 no rdns - Thou shalt not pass"
Oct  5 06:31:31 mail smtpd[90062]: 4444444444444444 smtp disconnected reason=quit
Oct  5 06:31:35 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=38114, TLS, session=<3ml28LQjWIHAqABH>
Oct  5 06:31:35 mail dovecot[96578]: imap(benutzereins@mail-probe-eins.my-domain.inexistent-top-level)<38114><3ml28LQjWIHAqABH>: Disconnected: Logged out in=9 out=483 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct  5 06:31:49 mail smtpd[90062]: 4444444444444444 smtp connected address=192.168.0.71 host=<unknown>
Oct  5 06:31:49 mail smtpd[90062]: 4444444444444444 smtp failed-command command="" result="550 no rdns - Thou shalt not pass"
Oct  5 06:31:49 mail smtpd[90062]: 4444444444444444 smtp disconnected reason=quit
Oct  5 06:31:50 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=38395, TLS, session=<KHJW8bQjXIHAqABH>
Oct  5 06:31:50 mail dovecot[96578]: imap(benutzereins@mail-probe-eins.my-domain.inexistent-top-level)<38395><KHJW8bQjXIHAqABH>: Disconnected: Logged out in=9 out=483 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct  5 06:32:05 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=38674, TLS, session=<Q51C8rQjYIHAqABH>
Oct  5 06:32:06 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=39134, TLS, session=<EBhO8rQjYoHAqABH>
Oct  5 06:32:47 mail smtpd[90062]: 4444444444444444 smtp connected address=192.168.0.71 host=<unknown>
Oct  5 06:32:47 mail smtpd[90062]: 4444444444444444 smtp failed-command command="" result="550 no rdns - Thou shalt not pass"
Oct  5 06:32:47 mail smtpd[90062]: 4444444444444444 smtp disconnected reason=quit
Oct  5 06:32:57 mail dovecot[96578]: imap-login: Login: user=<benutzereins@mail-probe-eins.my-domain.inexistent-top-level>, method=PLAIN, rip=192.168.0.71, lip=192.168.0.41, mpid=39634, TLS, session=<Sw5V9bQjbIHAqABH>
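As an added worked check for the two connect-phase rules quoted in this thread (check_dyndns and check_rdns), this Python script is not code from the thread, the linked blog post or OpenSMTPD itself. It parses a reverse zone written in the format of the 168.192.db above, predicts for each client address whether `match !rdns` or the dyn/dsl regex rule would fire, and pulls the client addresses out of `smtp connected` log lines shaped like the ones above. The zone text and log lines are constructed sample data; the host 192.168.0.77 with a `.dsl.` reverse name is hypothetical and only there to exercise the regex rule. The rule evaluation is a simplified model (a PTR lookup, then a regex search on the result), not OpenSMTPD's own implementation.

```python
"""Which LAN clients would the connect-phase filters in the thread reject?

Added example for this thread; it models the checks, it is not OpenSMTPD code.
"""
import re

# Constructed reverse zone in the style of the 168.192.db posted above.
# 192.168.0.77 is a hypothetical host with a residential-looking PTR,
# added to exercise the dyn/dsl rule; 192.168.0.71 (the tablet) has no PTR.
REVERSE_ZONE = """\
$TTL 604800
@   IN SOA my-domain.inexistent-top-level. admin.my-domain.inexistent-top-level. (
            24444444 ; serial
            3600     ; refresh
            600      ; retry
            604800   ; expire
            1800 )   ; negative ttl

@     IN NS  ns1.my-domain.inexistent-top-level.
3.0   IN PTR ns1.my-domain.inexistent-top-level.
6.0   IN PTR nfs.my-domain.inexistent-top-level.
201.0 IN PTR hp.my-domain.inexistent-top-level.
41.0  IN PTR mail.mail-probe-eins.my-domain.inexistent-top-level.
77.0  IN PTR cpe-77.dsl.example-isp.inexistent-top-level.
"""
ZONE_ORIGIN = "168.192.in-addr.arpa."

# The regex list from the check_dyndns rule, exactly as quoted in the thread.
DYNDNS_PATTERNS = [r".*\.dyn\..*", r".*\.dsl\..*"]

# Constructed smtpd log lines in the shape of the ones posted above.
SMTPD_LOG = """\
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp connected address=192.168.0.71 host=<unknown>
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp failed-command command="" result="550 no rdns - Thou shalt not pass"
Oct  5 06:28:04 mail smtpd[90062]: 4444444444444444 smtp disconnected reason=quit
Oct  5 06:40:00 mail smtpd[90062]: 5555555555555555 smtp connected address=192.168.0.41 host=mail.mail-probe-eins.my-domain.inexistent-top-level
"""
CONNECT_RE = re.compile(r"smtpd\[\d+\]: \S+ smtp connected address=(\S+) host=(\S+)")


def parse_ptr_records(zone_text, origin):
    """Map IPv4 address -> PTR target for every PTR record in a reverse zone.

    Handles 'owner [TTL] [IN] PTR target' lines; owners may be relative
    to the zone origin (as in the thread's file) or fully qualified.
    """
    ptrs = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()          # strip comments, tokenize
        upper = [f.upper() for f in fields]
        if "PTR" not in upper[1:]:
            continue
        idx = upper.index("PTR")
        if idx + 1 >= len(fields):
            continue
        owner, target = fields[0], fields[idx + 1]
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        labels = fqdn.rstrip(".").split(".")
        if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
            continue                                   # not an IPv4 reverse name
        ip = ".".join(reversed(labels[:-2]))           # 41.0.168.192 -> 192.168.0.41
        ptrs[ip] = target
    return ptrs


def simulate_connect(ip, ptrs, patterns=DYNDNS_PATTERNS):
    """Model the two 'phase connect' rules for one client address.

    Returns ("disconnect", <550 text>) or ("proceed", <rdns name>).
    Rule order does not matter here: a client with no rDNS can never match the regex.
    """
    target = ptrs.get(ip)
    if target is None:                                 # match !rdns
        return ("disconnect", "550 no rdns - Thou shalt not pass")
    rdns = target.rstrip(".")                          # smtpd reports names without the root dot
    if any(re.search(p, rdns) for p in patterns):      # match rdns regex { ... }
        return ("disconnect", "550 no residential connections - Thou shalt not pass")
    return ("proceed", rdns)


def clients_from_log(log_text):
    """Client address -> host name smtpd logged at 'smtp connected'."""
    seen = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            seen[m.group(1)] = m.group(2)
    return seen


def audit(zone_text, origin, log_text):
    """For each client seen in the log, the verdict the zone data predicts."""
    ptrs = parse_ptr_records(zone_text, origin)
    return {ip: simulate_connect(ip, ptrs) for ip in clients_from_log(log_text)}


if __name__ == "__main__":
    for ip, (verdict, detail) in sorted(audit(REVERSE_ZONE, ZONE_ORIGIN, SMTPD_LOG).items()):
        print(f"{ip:<15} {verdict:<10} {detail}")
```

Run against the sample data, the script reports 192.168.0.71 as "disconnect / 550 no rdns", which is exactly what the `host=<unknown>` in the log above means: the tablet's address has no PTR in 168.192.db, so `check_rdns` fires before any dyn/dsl regex is ever consulted. Pointing the script at the real zone file and the real maillog gives a quick list of which LAN hosts still need a PTR record before they can submit mail through this listener.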
 