I recently had problems getting OTPs via email from my bank. The emails were being delayed because of greylisting to the extent that the OTP expired before I received the email.
So to solve the problem, I decided to add the two IP addresses of the bank’s servers to the file data/conf/postfix/custom_postscreen_whitelist.cidr as per the instructions here: Whitelist IP in Postscreen
The same servers also send account transaction notifications and at about the same time since the above, I seem to have stopped receiving these, but didn’t realise it at the time.
This afternoon I was checking my rspamd logs and found that rspamd has bounced the last couple of account transactions. There are some minor flags, but the major one is:
HFILTER_HOSTNAME_UNKNOWN • Unknown client hostname (PTR or FCrDNS verification failed) (8.5)
Searching Google for this tends to point to it being potentially an IPv4/IPv6 issue.
I have connected to the unbound-mailcow container and confirmed that both forward and reverse DNS lookups on both the bank’s notification servers are working as expected. The only oddity is that when using +trace, IPv6 lookups seem to be failing, but this is true for all domains queried, e.g. for Google:
7a0577f0d268:/# dig -ta dns.google +trace
; <<>> DiG 9.18.34 <<>> -ta dns.google +trace
;; global options: +cmd
. 5767 IN NS l.root-servers.net.
. 5767 IN NS e.root-servers.net.
. 5767 IN NS i.root-servers.net.
. 5767 IN NS j.root-servers.net.
. 5767 IN NS g.root-servers.net.
. 5767 IN NS a.root-servers.net.
. 5767 IN NS b.root-servers.net.
. 5767 IN NS h.root-servers.net.
. 5767 IN NS c.root-servers.net.
. 5767 IN NS m.root-servers.net.
. 5767 IN NS f.root-servers.net.
. 5767 IN NS d.root-servers.net.
. 5767 IN NS k.root-servers.net.
;; Received 262 bytes from 127.0.0.11#53(127.0.0.11) in 4 ms
;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for dns.google failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for dns.google failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for dns.google failed: network unreachable.
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for dns.google failed: network unreachable.
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for dns.google failed: network unreachable.
google. 172800 IN NS ns-tld1.charlestonroadregistry.com.
google. 172800 IN NS ns-tld2.charlestonroadregistry.com.
google. 172800 IN NS ns-tld3.charlestonroadregistry.com.
google. 172800 IN NS ns-tld4.charlestonroadregistry.com.
google. 172800 IN NS ns-tld5.charlestonroadregistry.com.
google. 86400 IN DS 6125 8 2 80F8B78D23107153578BAD3800E9543500474E5C30C29698B40A3DB2 3ED9DA9F
google. 86400 IN RRSIG DS 8 1 86400 20250425050000 20250412040000 53148 . kNd+Qpd70ZoQFLg9pEAFRhiX2bQQoMDRnHbaYSIfInztWEfE3lC0/5l5 LH17l7uK97kTDU0bHUeZ9+Nc1i4/UqpPQf311ct161/dRAsGRxostyb5 v1gXjiWnrh/bKW+uKSu6nQjvOX9nSJdBUpaJOt/jVDBJUmNHV+UIUY2l vkcMP7RamCyO/gqrGvUT75vFtb/g40EtbEuPMpPhoelQHCI1iZQnNCRW xQK1j9w/PGhCVyz2+vnOstHqUQAWxZP748hn3ompcV6JcPOJGD/hUVGV QidOXREq9kUIreScSComHwfUP5J/akv5oNh7d2FDC6sZ/4wLIbAQbCcN JbVXUw==
;; Received 730 bytes from 192.203.230.10#53(e.root-servers.net) in 0 ms
dns.google. 10800 IN NS ns3.zdns.google.
dns.google. 10800 IN NS ns2.zdns.google.
dns.google. 10800 IN NS ns4.zdns.google.
dns.google. 10800 IN NS ns1.zdns.google.
dns.google. 900 IN DS 56044 8 2 1B0A7E90AA6B1AC65AA5B573EFC44ABF6CB2559444251B997103D2E4 0C351B08
dns.google. 900 IN RRSIG DS 8 2 900 20250430171111 20250408171111 7695 google. RV1U3YSqbGlfqQFASY0Kfr7xzNpHUuX+54sG+HxCYMzBLDP7ih2d4vtn nuIg7ZnZYEsJj/EgF0cascPP19+SF4P39M03itKDxafHdV5pDkx2kDi/ 2tK+O1qH38U6TxT4bAun5RJffVh9ncxytbd/gunRRT5zIjLmWgS1vvFl J/4=
;; Received 539 bytes from 216.239.32.105#53(ns-tld1.charlestonroadregistry.com) in 52 ms
dns.google. 900 IN A 8.8.4.4
dns.google. 900 IN A 8.8.8.8
dns.google. 900 IN RRSIG A 8 2 900 20250502234856 20250410234856 45784 dns.google. Cs5kM2f3D3Ljigskgedzqe2x7xbuz8mhFLRWbv9AYDTNLhs7+Q12TvIe 9otG9Clm4akb7H++9ssV4zMI9PBfVmBcmKxHiEduH/0yX7Nj3cjJ1ghI pP3S41KgetqtTycVz8SpTlChMrff6nxlzBfEmqzH2NRVLP5XLgKW98cB qwM=
;; Received 274 bytes from 216.239.34.114#53(ns2.zdns.google) in 84 ms
7a0577f0d268:/#
and
7a0577f0d268:/# dig -x 8.8.4.4 +trace
; <<>> DiG 9.18.34 <<>> -x 8.8.4.4 +trace
;; global options: +cmd
. 5631 IN NS l.root-servers.net.
. 5631 IN NS e.root-servers.net.
. 5631 IN NS i.root-servers.net.
. 5631 IN NS j.root-servers.net.
. 5631 IN NS g.root-servers.net.
. 5631 IN NS a.root-servers.net.
. 5631 IN NS b.root-servers.net.
. 5631 IN NS h.root-servers.net.
. 5631 IN NS c.root-servers.net.
. 5631 IN NS m.root-servers.net.
. 5631 IN NS f.root-servers.net.
. 5631 IN NS d.root-servers.net.
. 5631 IN NS k.root-servers.net.
;; Received 262 bytes from 127.0.0.11#53(127.0.0.11) in 0 ms
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
in-addr.arpa. 172800 IN NS a.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS b.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS d.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.
in-addr.arpa. 86400 IN DS 47054 8 2 5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2
in-addr.arpa. 86400 IN DS 53696 8 2 13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF
in-addr.arpa. 86400 IN DS 54956 8 2 E0E2BF5CFBD66572CA05EC18267D91509BA6A9405AF05C3FD4141DFA 45200C08
in-addr.arpa. 86400 IN DS 63982 8 2 AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73
in-addr.arpa. 86400 IN RRSIG DS 8 2 86400 20250425060000 20250412050000 37615 arpa. 1aV5dfy7x/a8erClyEaVrlltzCZE7Wkiza6sw2P477VlKJ6wUlnF4rEn 5ICVcqSbN4P/q69wxXhzttvF/4iFAoDfQS8B2QnG+8kgRvm52rFOriLr tUwwhJtcCR0CqR0NxWg1WaNpAqSO5zYyYCMK90yRmZ0X3b1eEgZk9Yaq QJCph16nYw2o7A2+6G7E7niMpwDkjjQe1M/9cPWQ2Qz0dc7a1xPyw1cH ip82KARsdoboBJp/bIikVj+0UBvVKMEgwiGtghbK1uNt4oMCacNeb+QC ocWCzK8griWRQm1DramhtrfvDeWLta3iBH2nY5J+qeFzOQT3nEQQv1+m 2TmLQg==
;; Received 909 bytes from 199.7.91.13#53(d.root-servers.net) in 0 ms
;; UDP setup with 2001:13c7:7010::53#53(2001:13c7:7010::53) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
8.in-addr.arpa. 86400 IN NS u.arin.net.
8.in-addr.arpa. 86400 IN NS arin.authdns.ripe.net.
8.in-addr.arpa. 86400 IN NS r.arin.net.
8.in-addr.arpa. 86400 IN NS z.arin.net.
8.in-addr.arpa. 86400 IN NS x.arin.net.
8.in-addr.arpa. 86400 IN NS y.arin.net.
8.in-addr.arpa. 86400 IN DS 50557 8 2 9F10D91795D971A4940B436FF80CE3FF720AFC1CA2C690A2A4D04A8E 8A5FE8BD
8.in-addr.arpa. 86400 IN RRSIG DS 8 3 86400 20250426153250 20250405125244 60795 in-addr.arpa. UhcVwzTLF5XHLFfhgPhAMwo6jcfPvDvH6TjHs2ocnjvgJSuuA3ssIsEm et7aS8UUimSVI6GZkahCzETb0a47LJg3IMVAjdOLuR0izjqyRYlXE0Xo U/jGx3WzcRVldJ+gyZFxjqwnIm0OuqxznsLitfj4ClUxX3ghHP0rSLuc 8b0=
;; Received 434 bytes from 199.180.182.53#53(a.in-addr-servers.arpa) in 68 ms
;; UDP setup with 2001:500:f0::63#53(2001:500:f0::63) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
;; UDP setup with 2001:500:f0::63#53(2001:500:f0::63) for 4.4.8.8.in-addr.arpa. failed: network unreachable.
4.8.8.in-addr.arpa. 86400 IN NS ns2.google.com.
4.8.8.in-addr.arpa. 86400 IN NS ns1.google.com.
4.8.8.in-addr.arpa. 86400 IN NS ns4.google.com.
4.8.8.in-addr.arpa. 86400 IN NS ns3.google.com.
4.8.8.in-addr.arpa. 10800 IN NSEC 40.8.8.in-addr.arpa. NS RRSIG NSEC
4.8.8.in-addr.arpa. 10800 IN RRSIG NSEC 8 5 10800 20250426042817 20250412032817 42168 8.in-addr.arpa. G/rvAb6bqCbpUgZNSvg0ffR6CHw81C5XAxwfFUesWVUrDZiRcB4LRyCF qdrV86jBMS16/2F3ZGOFfzhsIYVKs0VlcUJAKOpHOTzzcG7bDIvLLCfo rtNwDg90wVbC4YGE6tGUkupM3LIE/74wqnSrbej6MH3V07ldoGEjzsc9 fKY=
;; Received 374 bytes from 199.180.180.63#53(x.arin.net) in 68 ms
4.4.8.8.in-addr.arpa. 86400 IN PTR dns.google.
;; Received 73 bytes from 216.239.34.10#53(ns2.google.com) in 8 ms
7a0577f0d268:/#
Other than this, I can’t really understand why rspamd is adding HFILTER_HOSTNAME_UNKNOWN when rDNS appears to be properly configured and the only recent modification is my adding both IPs to the postscreen whitelist.
Has anyone seen similar behaviour, or has any idea what is going wrong here that’s causing the triggering of HFILTER_HOSTNAME_UNKNOWN? Anything else I should be looking at?
I’m going to look into disabling IPv6 in unbound next as part of the troubleshooting.
Unfortunately it’s a bit tricky to test since I don’t control the bank’s servers, but on the face of it, I can’t see anything wrong with them.
TIA
Ok, so the IPv6 issue seems to be an artifact of dig and not unbound. IPv6 is already disabled in unbound, so that’s just a red herring.
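Added example, not part of the original posts: the symbol description quoted in the question names two failure modes (PTR or FCrDNS), and this Python sketch checks them separately for a client IP so they can be told apart. The resolver functions are injectable, and the `SAMPLE_*` names and addresses are constructed (documentation ranges), not the bank's.

```python
import ipaddress
import socket
import sys


def system_ptr(ip):
    """PTR names for ip from the system resolver; [] if the lookup fails."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # covers socket.herror, socket.gaierror and timeouts
        return []
    return [name, *aliases]


def system_forward(name):
    """A/AAAA addresses for name from the system resolver; [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    # Drop any IPv6 zone suffix ("%eth0") so ipaddress can parse the value.
    return sorted({info[4][0].split("%")[0] for info in infos})


def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (verdict, {ptr_name: forward_addresses}) for one client IP."""
    client = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return "NO_PTR", {}          # reverse lookup gave nothing
    seen = {name: forward(name) for name in names}
    for addrs in seen.values():
        if any(ipaddress.ip_address(a) == client for a in addrs):
            return "OK", seen        # a PTR name resolves back to the client
    if not any(seen.values()):
        return "NO_FORWARD", seen    # PTR exists, but its name does not resolve
    return "MISMATCH", seen          # PTR name resolves to other addresses


# Constructed sample zone (documentation ranges), used for offline checks.
SAMPLE_PTR = {"192.0.2.10": ["mx1.bank.example"],
              "192.0.2.11": ["mx2.bank.example"],
              "192.0.2.12": ["mx3.bank.example"]}
SAMPLE_A = {"mx1.bank.example": ["192.0.2.10"],
            "mx2.bank.example": ["198.51.100.7"]}

if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(arg, *fcrdns(arg))
```

Run it with the sender IPs as arguments on the host or container whose resolver path is in question; it uses that environment's system resolver.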