asking ARP for an internal IP 169.254.140.241
in [Postfix]
|
Prev: email account bombarded with SPAM error bounces - what to do?
Next: Error between two postfix "Command not recognized", RCPT is cut intwo words
From: =?ISO-8859-1?Q?St=E9phane_MERLE?= on 9 Jul 2010 12:09 Hi, I would have 2 questions : - 1 what is the procedure for postfix when it try to send email to a domain with no MX record ? like : dig mx elv.enic.fr - 2 would that be an offense to refuse to send to domain with no MX record ? (I don't know if there's a lot of them) -2+ : how can I do that with postfix ? Thanks for your help ... Stéphane Le 09/07/2010 15:48, Stéphane MERLE a écrit : > Hi, > > Le 09/07/2010 15:21, Victor Duchovni a écrit : >> On Fri, Jul 09, 2010 at 01:47:40PM +0200, St?phane MERLE wrote: >> >> >>> Hi, >>> >>> My ISP (ovh) is complaining about my postfix servers doing wrong ARP >>> demand, do you have any idea of what can cause this in my postfix >>> configuration ? >>> >>> 188.165.55.92 : is one of the server ip (ip failover) >>> >>> Thu Jul 8 02:03:32 2010 : arp who-has 169.254.140.241 tell 188.165.55.92 >>> >> This IP address is a link-local IP address: >> >> http://tools.ietf.org/html/rfc3927 >> >> these support zero-configuration local networking, ... >> >> >>> 19:43:20.840082 arp reply 169.254.140.241 is-at 00:24:c3:84:04:00 >>> >> Your ISP or router is proxy-arping for this IP, it should not. Link-local >> addresses should be exempt (if possible). >> >> >>> 19:43:20.840087 IP ovh63.bpreducer.com.59549> 169.254.140.241.smtp: S >>> 1213354010:1213354010(0) win 5840<mss 1460,sackOK,timestamp 759487196 >>> 0,nop,wscale 6> >>> >> Why are are sending email to this IP address? Any Postfix logs that >> indicate attempts to connect to this relay? >> >> >>> if you need the postfix conf files, I will send it in. >>> >> Mostly just logs that show the life-cycle of a message (all log entries >> for its queue-id) in which deliveries to this IP address were attempted >> and failed. >> >> > > Thank you, because of your post, I checked in the postfix logs and > found : ahafid(a)elv.enic.fr > > Jul 9 01:18:33 ovh63 postfix/smtp[30687]: connect to > elv.enic.fr[169.254.140.241]:25: Connection timed out > Jul 9 01:18:33 ovh63 postfix/smtp[30687]: 138C92011CE6: > to=<ahafid(a)elv.enic.fr>, relay=none, delay=45185, delays=45095/0/90/0, > dsn=4.4.1, status=deferred (connect to > elv.enic.fr[169.254.140.241]:25: Connection timed out) > > I first clean that domain from the database and then check my bot > cleanner which missed this. > > Thank you !! > > Stéphane
From: Victor Duchovni on 9 Jul 2010 12:15 On Fri, Jul 09, 2010 at 06:09:26PM +0200, St?phane MERLE wrote: > Hi, > > I would have 2 questions : > - 1 what is the procedure for postfix when it try to send email to a > domain with no MX record ? > like : dig mx elv.enic.fr Per 20+ year old SMTP standards it sends to the A record. MX records are optional, and anyone who wants to debate this here (again) will find themselves no longer on this list... No follow-ups please. > - 2 would that be an offense to refuse to send to domain with no MX > record ? (I don't know if there's a lot of them) It is wrong to require MX records. -- Viktor.
From: Phil Howard on 9 Jul 2010 12:35 On Fri, Jul 9, 2010 at 12:09, Stéphane MERLE <stephane.merle(a)distrigame.com> wrote: > I would have 2 questions : > - 1 what is the procedure for postfix when it try to send email to a > domain with no MX record ? > like : dig mx elv.enic.fr > > - 2 would that be an offense to refuse to send to domain with no MX > record ? (I don't know if there's a lot of them) > -2+ : how can I do that with postfix ? > > Thanks for your help ... > > Stéphane It doesn't matter. It is valid for domains to have or not have an MX record. It will need an A record if no MX record. Based on your tcpdump output in your private reply to me, some other domain is answering an A query (whether after an MX or not) with 169.254.140.241. So it's not a Postfix issue, and probably not even your server issue, unless your own DNS server has that configured. For the list ... it's a case of some DNS answering with the LL address .... case closed with respect to Postfix. -- sHiFt HaPpEnS!
From: Noel Jones on 9 Jul 2010 13:59
On 7/9/2010 11:35 AM, Phil Howard wrote: > On Fri, Jul 9, 2010 at 12:09, Stéphane MERLE > <stephane.merle(a)distrigame.com> wrote: > >> I would have 2 questions : >> - 1 what is the procedure for postfix when it try to send email to a >> domain with no MX record ? >> like : dig mx elv.enic.fr >> >> - 2 would that be an offense to refuse to send to domain with no MX >> record ? (I don't know if there's a lot of them) >> -2+ : how can I do that with postfix ? >> >> Thanks for your help ... >> >> Stéphane > > It doesn't matter. It is valid for domains to have or not have an MX > record. It will need an A record if no MX record. > > Based on your tcpdump output in your private reply to me, some other > domain is answering an A query (whether after an MX or not) with > 169.254.140.241. So it's not a Postfix issue, and probably not even > your server issue, unless your own DNS server has that configured. > > For the list ... it's a case of some DNS answering with the LL address > ... case closed with respect to Postfix. > To bring this back to postfix, you can reject domains with bogus IPs like this by using check_sender_mx_access. http://www.postfix.org/postconf.5.html#check_sender_mx_access (if there's no MX, the A record will be used) Something like... smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination ... other local stuff ... check_sender_mx_access cidr:/etc/postfix/bogus_mx.cidr # /etc/postfix/bogus_mx.cidr 169.254.0.0/16 REJECT rfc3927 address ... other IPs you consider bogus ... Note: there is a slight risk of false positives from legit but misconfigured domains. -- Noel Jones |