
reject unknown hosts

  • Edward avanti
    Message 1 of 6 , Aug 1, 2010
      Halo,

      I have a question about rejection.

      Some unknown hostnames get a 4.x.x defer, others get 5xx. I would like all blocks at 5.x.x. Yes, I know the consequences of this; I have run mail servers (sendmail) for 15 years. Now that we are moving to Postfix for MySQL management of company email, I have a problem replicating the sendmail settings.

      Relevant sections of postconf -n:

      smtpd_sender_restrictions =    check_recipient_access hash:/etc/postfix/access.never_to

      smtpd_recipient_restrictions = reject_unknown_sender_domain    reject_unknown_recipient_domain    permit_mynetworks    permit_sasl_authenticated    reject_unauth_destination    check_recipient_access hash:/etc/postfix/access.to    check_sender_access hash:/etc/postfix/access.froms    check_client_access hash:/etc/postfix/access.hosts    reject_unknown_client_hostname    reject_unknown_helo_hostname    reject_invalid_helo_hostname    reject_non_fqdn_helo_hostname    reject_non_fqdn_sender    reject_non_fqdn_recipient    reject_unlisted_recipient    reject_unlisted_sender  reject_rbl_client cbl.abuseat.org    reject_rbl_client dnsbl.sorbs.net    reject_rbl_client bl.spamcop.net    reject_rbl_client dnsbl.ahbl.org   check_policy_service unix:private/spfpolicy

      soft_bounce = no

      unknown_address_reject_code = 550
      unknown_client_reject_code = 550
      unknown_hostname_reject_code = 550
      unknown_local_recipient_reject_code = 550
      unverified_sender_reject_code = 550


      Now we see many of:
       NOQUEUE: reject: RCPT from unknown[202.150.184.185]: 550 5.7.1 Client host rejected: cannot find your hostname, [202.150.184.185]; from=<cornmealvf3@...> to=<deletethis@REMOVED> proto=ESMTP helo=<FFVYYQO>

      But then I also see many of:
       NOQUEUE: reject: RCPT from unknown[194.xx.xx.xx]: 450 4.7.1 Client host rejected: cannot find your hostname, [194.xx.xx.xx]; from=<name@valid-domain> to=<REMOVED@REMOVEDt> proto=ESMTP helo=<valid-domain-removed>

      In the 4.x.x above, the sender is known to us; the hostname he presents exists, but it has no PTR RR (he is getting it fixed, but it takes time). We prefer a 5xx, so that he and others like him do not wait 5 days to find the mail never went. I thought unknown_client_reject_code = 550 would solve this, but it does not? Any way to have this?

      My thanks



    • Edward avanti
      Message 2 of 6 , Aug 1, 2010
        On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti <edward.avanti@...> wrote:
        > <SNIP>
        >
        > In the 4.x.x above, the sender is known to us; the hostname he presents exists, but it has no PTR RR (he is getting it fixed, but it takes time). We prefer a 5xx, so that he and others like him do not wait 5 days to find the mail never went. I thought unknown_client_reject_code = 550 would solve this, but it does not? Any way to have this?

        It appears from more investigation that the cause is SERVFAIL, which always sends 4xx. Can Postfix override this to 5xx with a setting for SERVFAIL?

        Many thanks


      • Noel Jones
        Message 3 of 6 , Aug 2, 2010
          On 8/1/2010 10:49 PM, Edward avanti wrote:
          > On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti
          > <edward.avanti@...> wrote:
          >
          >> <SNIP>
          >>
          >> In the 4.x.x above, the sender is known to us; the
          >> hostname he presents exists, but it has no PTR RR (he is
          >> getting it fixed, but it takes time). We prefer a 5xx, so
          >> that he and others like him do not wait 5 days to find the
          >> mail never went. I thought unknown_client_reject_code = 550
          >> would solve this, but it does not? Any way to have this?
          >
          > It appears from more investigation that the cause is SERVFAIL,
          > which always sends 4xx. Can Postfix override this to 5xx with a
          > setting for SERVFAIL?

          Why in the world would you want to 5xx reject on temporary
          errors? Postfix would be insane to offer such an option. You
          will lose legit mail anytime there is a DNS hiccup.

          If you don't care about losing legit mail, you can use a
          check_client_access table and reject clients named "unknown",
          or use an external policy service.
          http://www.postfix.org/SMTPD_POLICY_README.html


          -- Noel Jones
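
The external policy service suggested in the reply above, as an added example (not code from the thread or from the Postfix project): a delegate that speaks the name=value protocol described in SMTPD_POLICY_README and answers with a 550 whenever Postfix reports client_name=unknown. The allowlist address and the reply text are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Postfix policy delegate: permanent reject for clients named "unknown"."""
import sys

# Hypothetical allowlist of known senders whose PTR is still being fixed
# (constructed documentation address, not taken from the thread).
ALLOW_ADDRS = {"192.0.2.25"}

REJECT = "550 5.7.1 Client host rejected: cannot find your hostname"


def parse_request(lines):
    """Turn one request (name=value lines) into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the policy action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_address") in ALLOW_ADDRS:
        return "DUNNO"
    # client_name is "unknown" for every failed lookup, temporary or not,
    # so the SERVFAIL case that Postfix answers with 450 gets a 550 here too.
    if attrs.get("client_name", "").lower() == "unknown":
        return REJECT
    return "DUNNO"


def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    request = []
    for line in inp:
        if line.strip():
            request.append(line)
            continue
        out.write("action=%s\n\n" % decide(parse_request(request)))
        out.flush()
        request = []


if __name__ == "__main__":
    serve()
```

Postfix would reach such a delegate through check_policy_service, the way the posted configuration already calls its spfpolicy service. Because it rejects on temporary DNS failures as well, any address that must keep getting through has to be in the allowlist, or be permitted by an earlier restriction, before this check runs.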
        • Edward avanti
          Message 4 of 6 , Aug 2, 2010
            Halo Noel,

            On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:

            >> It appears from more investigation that the cause is SERVFAIL,
            >> which always sends 4xx. Can Postfix override this to 5xx with a
            >> setting for SERVFAIL?
            >
            > Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.

            Because in some cases it is better to tell the sender "there is a problem" now, not have them think the mail was delivered and 5 days later find out it was not.

            We know the risk; we have done this with all our sendmail farm for many, many years with only one problem ever.
            We trust our multiple DNS, but accept we can't trust senders.

            > If you don't care about losing legit mail, you can use a check_client_access table and reject clients named "unknown",

            Sorry for my English, but I think you mean:
            unknown    571 We cannot accept your mails for no known DNS

            I do not see "unknown" as a special keyword, but for lack of knowledge we are trying it now.

            > or use an external policy service.
            > http://www.postfix.org/SMTPD_POLICY_README.html

            We thought of using milter-regex, but this means fully duplicating all whitelists, since Postfix does not work like sendmail and honor the access list in class. We are trying check_client_access now to see if it works well under the recipient checks; since we want to whitelist some no-PTR hosts in an earlier check, we think not to put it in the client or sender restrictions group.

            Thanks for the advice.




          • Jeroen Geilman
            Message 5 of 6 , Aug 5, 2010
              On 08/03/2010 02:05 AM, Edward avanti wrote:
              > Halo Noel,
              >
              > On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:
              >
              >>> It appears from more investigation that the cause is SERVFAIL,
              >>> which always sends 4xx. Can Postfix override this to 5xx with a
              >>> setting for SERVFAIL?
              >>
              >> Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.
              >
              > Because in some cases it is better to tell the sender "there is a problem" now, not have them think the mail was delivered and 5 days later find out it was not.

              Then set the delay_warning_time option to a suitable value.

              J.

            • Edward avanti
              Message 6 of 6 , Aug 6, 2010
                On Fri, Aug 6, 2010 at 4:54 AM, Jeroen Geilman <jeroen@...> wrote:
                > On 08/03/2010 02:05 AM, Edward avanti wrote:
                >> Halo Noel,
                >>
                >> On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:
                >>
                >>>> It appears from more investigation that the cause is SERVFAIL,
                >>>> which always sends 4xx. Can Postfix override this to 5xx with a
                >>>> setting for SERVFAIL?
                >>>
                >>> Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.
                >>
                >> Because in some cases it is better to tell the sender "there is a problem" now, not have them think the mail was delivered and 5 days later find out it was not.
                >
                > Then set the delay_warning_time option to a suitable value.
                >
                > J.

                Huh?
                This setting will not affect anything on my end, as I am not the sender with the DNS problem; the sender's server needs this setting, and no setting on my end will alter what they do.

                Noel's suggestion to use an access list to 5xx them works very well. The problem is now solved for us.

