compensating for cellphone company's misconfigurations

  • Postfix Mail System
    Message 1 of 4 , May 31 7:50 AM
      I've done my best to provide the info requested, as per
      http://www.postfix.org/DEBUG_README.html#mail. Please let me know if I
      have forgotten something. Postconf output is attached.

      I'm writing today not about anything wrong with my server, but seemingly a
      misconfiguration with the mail server used by Cingular as a SMS-to-email
      gateway.

      May 31 09:39:26 helix postfix/smtpd[16252]: NOQUEUE: reject: RCPT from atlmtaow01.cingularme.com[66.102.165.6]: 450 <5185551234@...>: Sender address rejected: Domain not found; from=<5185551234@...> to=<baby@...> proto=ESMTP helo=<atlmtaow01.cingularme.com>

      If I am interpreting the logs correctly, postfix is properly rejecting due
      to the hostname mm.att.net not resolving:

      > nslookup mm.att.net
      >
      > ** server can't find mm.att.net: NXDOMAIN

      I would like to compensate for this by whitelisting them on some level or
      another. I am looking for some thoughts on the best method/strategy to do
      this...

      Thanks in advance...


      My smtpd_recipient_restrictions are as follows:

      smtpd_recipient_restrictions =
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          permit_mynetworks,
      # check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
      # permit_sasl_authenticated,
          reject_unauth_destination,
          reject_multi_recipient_bounce,
          reject_non_fqdn_hostname,
          reject_invalid_hostname,
          check_helo_access pcre:/usr/local/etc/postfix/helo_checks,
          check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx,
      # #reject_unknown_client,
      # warn_if_reject reject_unknown_sender_domain,
      # warn_if_reject reject_rbl_client sbl-xbl.spamhaus.org,
      # warn_if_reject reject_non_fqdn_recipient,
      # warn_if_reject reject_unknown_recipient_domain,
      # warn_if_reject reject_unverified_sender,
      # check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
          check_sender_access hash:/usr/local/etc/postfix/rhsbl_sender_exceptions,
          check_sender_access hash:/usr/local/etc/postfix/sender_access,
      # The trial of warning for spam reject
      # warn_if_reject reject_rhsbl_sender bogusmx.rfc-ignorant.org,
      # warn_if_reject reject_rhsbl_sender nomail.rhsbl.sorbs.net,
      # warn_if_reject reject_rbl_client relays.ordn.org,
          reject_rhsbl_sender bogusmx.rfc-ignorant.org,
          reject_rhsbl_sender nomail.rhsbl.sorbs.net,
      # reject_rbl_client relays.ordn.org,
      # reject_unverified_sender,
          permit

      address_verify_map = btree:/usr/local/etc/postfix/verify
      address_verify_negative_cache = no

      -------------------------------------------------------------------------
      shot through the heart ooh baby do you know what that's worth
      and you're to blame ooh heaven is a place on earth
      darling you give love they say in heaven love comes first
      a bad name we'll make heaven a place on earth
      ORBITAL "Halcyon Live"
    • Victor Duchovni
      Message 2 of 4 , May 31 9:34 AM
        On Sat, May 31, 2008 at 10:50:53AM -0400, Postfix Mail System wrote:

        > May 31 09:39:26 helix postfix/smtpd[16252]: NOQUEUE: reject: RCPT from
        > atlmtaow01.cingularme.com[66.102.165.6]: 450 <5185551234@...>:
        > Sender address rejected: Domain not found; from=<5185551234@...>
        > to=<baby@...> proto=ESMTP helo=<atlmtaow01.cingularme.com>
        >
        > If I am interpreting the logs correctly, postfix is properly rejecting due
        > to the hostname mm.att.net not resolving:

        Yes, mm.att.com exists, but mm.att.net does not. Perhaps they meant mm.att.com,
        but botched the extension.

        > I would like to compensate for this by whitelisting them on some level or
        > another. I am looking for some thoughts on the best method/strategy to do
        > this...

        If you are running a local BIND caching dns server on your system, you
        could help them out by creating a private authoritative mm.att.net zone,
        and setting its MX records to point at those of mm.att.com...

        But, it may be better to reach out to their postmaster...

        > smtpd_recipient_restrictions =
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,
        > permit_mynetworks,
        > # check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
        > # permit_sasl_authenticated,
        > reject_unauth_destination,

        Start with:

        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        reject_unauth_destination,

        Only then add

        reject_unknown_sender_domain,

        and directly above it add a "check_sender_access ..." that handles
        exceptions, note you will whitelist these sender domains from all other
        checks that follow unless you resolve to a restriction class that does
        all the other checks, except unknown sender domain. This is complex. I
        reject unknown sender domains in the *data* restrictions. The BIND
        solution is actually cleaner in some ways, but resolving the issue with
        their postmaster is better still.


        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
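
One way to lay out the exception handling described in the reply above, as an added example that is not part of the original thread. The class name `skip_unknown_sender_domain` and the table path `unknown_domain_exceptions` are assumptions; the checks inside the class are the active ones from the original poster's list.

```conf
# main.cf (added example; class name and exceptions table path are hypothetical)
smtpd_restriction_classes = skip_unknown_sender_domain

# Every active check that came after reject_unknown_sender_domain in the
# poster's list, so an exempted sender domain skips only that one check.
# The class ends in "permit" so evaluation does not fall back into the
# main list and reach reject_unknown_sender_domain.
skip_unknown_sender_domain =
    reject_unknown_recipient_domain,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    check_helo_access pcre:/usr/local/etc/postfix/helo_checks,
    check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx,
    check_sender_access hash:/usr/local/etc/postfix/rhsbl_sender_exceptions,
    check_sender_access hash:/usr/local/etc/postfix/sender_access,
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_sender nomail.rhsbl.sorbs.net,
    permit

# reject_unauth_destination stays above the exception lookup, so the
# class's final "permit" can never authorize relaying.
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/usr/local/etc/postfix/unknown_domain_exceptions,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    check_helo_access pcre:/usr/local/etc/postfix/helo_checks,
    check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx,
    check_sender_access hash:/usr/local/etc/postfix/rhsbl_sender_exceptions,
    check_sender_access hash:/usr/local/etc/postfix/sender_access,
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_sender nomail.rhsbl.sorbs.net,
    permit

# /usr/local/etc/postfix/unknown_domain_exceptions (rebuild with postmap):
#   mm.att.net    skip_unknown_sender_domain
```

A table result of `OK` instead of the class name would accept the recipient at that point and bypass the RHSBL and HELO checks as well, which is the side effect the reply warns about.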
      • Postfix Mail System
        Message 3 of 4 , Jun 1, 2008
          Hey thanks for the BIND idea.. That was a good outside-the-box solution
          that is working great for now, until I get in touch with them.


          On Sat, 31 May 2008, Victor Duchovni wrote:

          > On Sat, May 31, 2008 at 10:50:53AM -0400, Postfix Mail System wrote:
          >
          >> May 31 09:39:26 helix postfix/smtpd[16252]: NOQUEUE: reject: RCPT from
          >> atlmtaow01.cingularme.com[66.102.165.6]: 450 <5185551234@...>:
          >> Sender address rejected: Domain not found; from=<5185551234@...>
          >> to=<baby@...> proto=ESMTP helo=<atlmtaow01.cingularme.com>
          >>
          >> If I am interpreting the logs correctly, postfix is properly rejecting due
          >> to the hostname mm.att.net not resolving:
          >
          > Yes, mm.att.com exists, but mm.att.net does not. Perhaps they meant mm.att.com,
          > but botched the extension.
          >
          >> I would like to compensate for this by whitelisting them on some level or
          >> another. I am looking for some thoughts on the best method/strategy to do
          >> this...
          >
          > If you are running a local BIND caching dns server on your system, you
          > could help them out by creating a private authoritative mm.att.net zone,
          > and setting its MX records to point at those of mm.att.com...
          >
          > But, it may be better to reach out to their postmaster...
          >
          >> smtpd_recipient_restrictions =
          >> reject_non_fqdn_sender,
          >> reject_non_fqdn_recipient,
          >> reject_unknown_sender_domain,
          >> reject_unknown_recipient_domain,
          >> permit_mynetworks,
          >> # check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
          >> # permit_sasl_authenticated,
          >> reject_unauth_destination,
          >
          > Start with:
          >
          > reject_non_fqdn_sender,
          > reject_non_fqdn_recipient,
          > permit_mynetworks,
          > reject_unauth_destination,
          >
          > Only then add
          >
          > reject_unknown_sender_domain,
          >
          > and directly above it add a "check_sender_access ..." that handles
          > exceptions, note you will whitelist these sender domains from all other
          > checks that follow unless you resolve to a restriction class that does
          > all the other checks, except unknown sender domain. This is complex. I
          > reject unknown sender domains in the *data* restrictions. The BIND
          > solution is actually cleaner in some ways, but resolving the issue with
          > their postmaster is better still.
          >
          >
          > --
          > Viktor.
          >
          > Disclaimer: off-list followups get on-list replies or get ignored.
          > Please do not ignore the "Reply-To" header.
          >
          > To unsubscribe from the postfix-users list, visit
          > http://www.postfix.org/lists.html or click the link below:
          > <mailto:majordomo@...?body=unsubscribe%20postfix-users>
          >
          > If my response solves your problem, the best way to thank me is to not
          > send an "it worked, thanks" follow-up. If you must respond, please put
          > "It worked, thanks" in the "Subject" so I can delete these quickly.
          >
        • Victor Duchovni
          Message 4 of 4 , Jun 2, 2008
            On Sun, Jun 01, 2008 at 09:54:14PM -0400, Postfix Mail System wrote:

            > Hey thanks for the BIND idea.. That was a good outside-the-box solution
            > that is working great for now, until I get in touch with them.

            I sent a note to their DNS whois contact. Have not yet spotted a response
            in my inbox, most likely they have not yet replied. We are also seeing a
            low rate of similar rejected messages.

            --
            Viktor.
