Re: compensating for cellphone company's misconfigurations

  • Victor Duchovni
    Message 1 of 4 , May 31, 2008
      On Sat, May 31, 2008 at 10:50:53AM -0400, Postfix Mail System wrote:

      > May 31 09:39:26 helix postfix/smtpd[16252]: NOQUEUE: reject: RCPT from
      > atlmtaow01.cingularme.com[66.102.165.6]: 450 <5185551234@...>:
      > Sender address rejected: Domain not found; from=<5185551234@...>
      > to=<baby@...> proto=ESMTP helo=<atlmtaow01.cingularme.com>
      >
      > If I am interpreting the logs correctly, postfix is properly rejecting due
      > to the hostname mm.att.net not resolving:

      Yes, mm.att.com exists, but mm.att.net does not. Perhaps they meant mm.att.com,
      but botched the extension.

      > I would like to compensate for this by whitelisting them on some level or
      > another. I am looking for some thoughts on the best method/strategy to do
      > this...

      If you are running a local BIND caching dns server on your system, you
      could help them out by creating a private authoritative mm.att.net zone,
      and setting its MX records to point at those of mm.att.com...

      But, it may be better to reach out to their postmaster...

      > smtpd_recipient_restrictions =
      > reject_non_fqdn_sender,
      > reject_non_fqdn_recipient,
      > reject_unknown_sender_domain,
      > reject_unknown_recipient_domain,
      > permit_mynetworks,
      > # check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
      > # permit_sasl_authenticated,
      > reject_unauth_destination,

      Start with:

      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      permit_mynetworks,
      reject_unauth_destination,

      Only then add

      reject_unknown_sender_domain,

      and directly above it add a "check_sender_access ..." that handles
      exceptions, note you will whitelist these sender domains from all other
      checks that follow unless you resolve to a restriction class that does
      all the other checks, except unknown sender domain. This is complex. I
      reject unknown sender domains in the *data* restrictions. The BIND
      solution is actually cleaner in some ways, but resolving the issue with
      their postmaster is better still.


      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
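
The check_sender_access exception described in the message above, resolving to a restriction class so that only the unknown-sender-domain check is skipped, could look like the following. This is an added example, not part of the original thread; the map file name sender_dns_exceptions and the class name sender_dns_exempt are hypothetical, and reject_unknown_recipient_domain stands in for whatever checks follow reject_unknown_sender_domain.

```conf
# /usr/local/etc/postfix/main.cf (added example; file and class names are assumptions)
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination,
# Relay control has already run above, so an exception granted below
# cannot turn this server into an open relay.
    check_sender_access hash:/usr/local/etc/postfix/sender_dns_exceptions,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

# A listed sender domain resolves to this class instead of a plain "OK".
# The class repeats every check that follows reject_unknown_sender_domain
# in the list above, then permits; only the sender-domain lookup is skipped.
smtpd_restriction_classes = sender_dns_exempt
sender_dns_exempt =
    reject_unknown_recipient_domain,
    permit

# /usr/local/etc/postfix/sender_dns_exceptions
# (run "postmap hash:/usr/local/etc/postfix/sender_dns_exceptions" after editing)
# The key is the envelope sender domain, which the client chooses freely,
# so list only the one broken domain and remove it once their DNS is fixed.
mm.att.net    sender_dns_exempt
```
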
    • Postfix Mail System
      Message 2 of 4 , Jun 1, 2008
        Hey thanks for the BIND idea.. That was a good outside-the-box solution
        that is working great for now, until I get in touch with them.


        On Sat, 31 May 2008, Victor Duchovni wrote:

        > On Sat, May 31, 2008 at 10:50:53AM -0400, Postfix Mail System wrote:
        >
        >> May 31 09:39:26 helix postfix/smtpd[16252]: NOQUEUE: reject: RCPT from
        >> atlmtaow01.cingularme.com[66.102.165.6]: 450 <5185551234@...>:
        >> Sender address rejected: Domain not found; from=<5185551234@...>
        >> to=<baby@...> proto=ESMTP helo=<atlmtaow01.cingularme.com>
        >>
        >> If I am interpreting the logs correctly, postfix is properly rejecting due
        >> to the hostname mm.att.net not resolving:
        >
        > Yes, mm.att.com exists, but mm.att.net does not. Perhaps they meant mm.att.com,
        > but botched the extension.
        >
        >> I would like to compensate for this by whitelisting them on some level or
        >> another. I am looking for some thoughts on the best method/strategy to do
        >> this...
        >
        > If you are running a local BIND caching dns server on your system, you
        > could help them out by creating a private authoritative mm.att.net zone,
        > and setting its MX records to point at those of mm.att.com...
        >
        > But, it may be better to reach out to their postmaster...
        >
        >> smtpd_recipient_restrictions =
        >> reject_non_fqdn_sender,
        >> reject_non_fqdn_recipient,
        >> reject_unknown_sender_domain,
        >> reject_unknown_recipient_domain,
        >> permit_mynetworks,
        >> # check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
        >> # permit_sasl_authenticated,
        >> reject_unauth_destination,
        >
        > Start with:
        >
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > permit_mynetworks,
        > reject_unauth_destination,
        >
        > Only then add
        >
        > reject_unknown_sender_domain,
        >
        > and directly above it add a "check_sender_access ..." that handles
        > exceptions, note you will whitelist these sender domains from all other
        > checks that follow unless you resolve to a restriction class that does
        > all the other checks, except unknown sender domain. This is complex. I
        > reject unknown sender domains in the *data* restrictions. The BIND
        > solution is actually cleaner in some ways, but resolving the issue with
        > their postmaster is better still.
        >
        >
        > --
        > Viktor.
      • Victor Duchovni
        Message 3 of 4 , Jun 2, 2008
          On Sun, Jun 01, 2008 at 09:54:14PM -0400, Postfix Mail System wrote:

          > Hey thanks for the BIND idea.. That was a good outside-the-box solution
          > that is working great for now, until I get in touch with them.

          I sent a note to their DNS whois contact. Have not yet spotted a response
          in my inbox, most likely they have not yet replied. We are also seeing a
          low rate of similar rejected messages.

          --
          Viktor.