From: Edward avanti on 1 Aug 2010 19:45

Hello,

I have question about rejection. Some unknown hostnames get 4.x.x defer, others get 5xx, I would like all blocks at 5.x.x, yes, I know consequences of this, I run mail servers (sendmail) for 15 years, now we move to postfix for mysql management of company email I have problem replicate sendmail settings

Relevant sections of postconf -n:

smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/access.never_to
smtpd_recipient_restrictions =
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access.to
    check_sender_access hash:/etc/postfix/access.froms
    check_client_access hash:/etc/postfix/access.hosts
    reject_unknown_client_hostname
    reject_unknown_helo_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.ahbl.org
    check_policy_service unix:private/spfpolicy
soft_bounce = no
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550

Now we see many of:

NOQUEUE: reject: RCPT from unknown[202.150.184.185]: 550 5.7.1 Client host rejected: cannot find your hostname, [202.150.184.185]; from=< cornmealvf3(a)rehau.com> to=<deletethis(a)REMOVED> proto=ESMTP helo=<FFVYYQO>

But.. then I also see many of:

NOQUEUE: reject: RCPT from unknown[194.xx.xx.xx]: 450 4.7.1 Client host rejected: cannot find your hostname, [194.xx.xx.xx]; from=<name(a)valid-domain> to=<REMOVED(a)REMOVEDt> proto=ESMTP helo=<valid-domain-removed>

In 4.x.x above me, the sender are known to us, his hostname presented exist, but no PTR RR (he is get fixed but take time), it is we prefer to 5xx, so he and others like him not wait 5 days to find mail never went, I was think unknown_client_reject_code = 550 would be this solve, but not? Anyway to have this so?

My Thanks

From: Edward avanti on 1 Aug 2010 23:49

On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti <edward.avanti(a)gmail.com> wrote:

> <SNIP>
>
> In 4.x.x above me, the sender are known to us, his hostname presented
> exist, but no PTR RR (he is get fixed but take time), it is we prefer to
> 5xx, so he and others like him not wait 5 days to find mail never went, I
> was think unknown_client_reject_code = 550 would be this solve, but not?
> Anyway to have this so?

It appear from more investigation this cause is SERVFAIL always send 4xx, can Postfix override to 5xx with setting for SERVFAIL ?

Many Thanks

From: Noel Jones on 2 Aug 2010 10:37

On 8/1/2010 10:49 PM, Edward avanti wrote:
> On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti
> <edward.avanti(a)gmail.com> wrote:
>
>> <SNIP>
>>
>> In 4.x.x above me, the sender are known to us, his
>> hostname presented exist, but no PTR RR (he is get fixed
>> but take time), it is we prefer to 5xx, so he and others
>> like him not wait 5 days to find mail never went, I was
>> think unknown_client_reject_code = 550 would be this
>> solve, but not? Anyway to have this so?
>
> It appear from more investigation this cause is SERVFAIL
> always send 4xx, can Postfix override to 5xx with setting for
> SERVFAIL ?

Why in the world would you want to 5xx reject on temporary errors? Postfix would be insane to offer such an option. You will lose legit mail anytime there is a DNS hiccup.

If you don't care about losing legit mail, you can use a check_client_access table and reject clients named "unknown", or use an external policy service.
http://www.postfix.org/SMTPD_POLICY_README.html

--
Noel Jones

From: Edward avanti on 2 Aug 2010 20:05

Hello Noel,

On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones(a)megan.vbhcs.org> wrote:

>> It appear from more investigation this cause is SERVFAIL
>> always send 4xx, can Postfix override to 5xx with setting for
>> SERVFAIL ?
>
> Why in the world would you want to 5xx reject on temporary errors? Postfix
> would be insane to offer such an option. You will lose legit mail anytime
> there is a DNS hiccup.

Because in some case it is better to tell sender "there is problem" now, not them think mail delivered and 5 day later find out it not. We know the risk, have done this with all our sendmail farm for many many year with only one ever problem. We trust our multiple DNS, but accept can't trust senders.

> If you don't care about losing legit mail, you can use a
> check_client_access table and reject clients named "unknown",

Sorry for English but I think you mean:

unknown 571 We cannot accept your mails for no known DNS

I not see "unknown" as special keyword but for lack of knowledge are try now.

> or use an external policy service.
> http://www.postfix.org/SMTPD_POLICY_README.html

We thought use milter-regex, but this mean full duplicate all whitelist since postfix not work like sendmail and honor access list in class, we try check_client_access now to see if work well under recipient check, since we want to whitelist some no PTR in earlier check we think not to put in client or sender restrictions group.

Thanks for advice.
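
Added example, not part of the thread and not Postfix's own code: a minimal policy service in Python for the approach Noel Jones suggests above (hard-rejecting clients that Postfix names "unknown"), with the allowlist for known no-PTR senders that Edward asks for. The allowlist range, the function names and the reply text are assumptions; because Postfix logs the client as "unknown" for the 450 case as well as the 550 case, this also rejects permanently during a DNS outage, which is the loss Noel warns about.

```python
#!/usr/bin/env python3
"""Policy service: 5xx-reject clients Postfix could not name (client_name=unknown)."""
import ipaddress
import sys

# Constructed allowlist (assumption): known senders whose PTR records are being fixed.
ALLOW_NO_PTR = [ipaddress.ip_network("192.0.2.0/28")]
REJECT = "550 5.7.1 Client host rejected: cannot find your hostname"

def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return an access(5) action; DUNNO lets later restrictions decide."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_name", "").lower() != "unknown":
        return "DUNNO"  # client has a verified hostname
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # malformed address: do not guess
    if any(addr in net for net in ALLOW_NO_PTR):
        return "DUNNO"  # allowlisted no-PTR sender
    return REJECT

def serve(stdin, stdout):
    """Answer requests on stdin/stdout, as when started by spawn(8)."""
    block = []
    for line in stdin:
        line = line.rstrip("\r\n")
        if line:
            block.append(line)
            continue
        stdout.write("action=" + decide(parse_request("\n".join(block))) + "\n\n")
        stdout.flush()
        block = []

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

In smtpd_recipient_restrictions, its check_policy_service entry belongs after permit_mynetworks and permit_sasl_authenticated, so local and authenticated clients are never tested.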

From: Jeroen Geilman on 5 Aug 2010 14:54

On 08/03/2010 02:05 AM, Edward avanti wrote:
> Hello Noel,
>
> On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones(a)megan.vbhcs.org> wrote:
>
>>> It appear from more investigation this cause is SERVFAIL
>>> always send 4xx, can postifx override to 5xx with setting for
>>> SERVFAIL ?
>>
>> Why in the world would you want to 5xx reject on temporary errors?
>> Postfix would be insane to offer such an option. You will lose
>> legit mail anytime there is a DNS hiccup.
>
> Because in some case it is better to tell sender " there is problem"
> now, not them think mail delivered and 5 day later find out it not.

Then set the delay_warning_time option to a suitable value.

J.