
Re: reject unknown hosts

  • Edward avanti
    Message 1 of 6 , Aug 1, 2010
      On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti <edward.avanti@...> wrote:
      <SNIP>



      In  4.x.x above me, the sender are known to us, his hostname presented exist, but no PTR RR (he is get fixed but take time), it is we prefer to 5xx, so he  and others like him not wait 5 days to find mail never went, I was think unknown_client_reject_code = 550  would be this solve, but not? Anyway to have this so?


      It appear from more investigation this cause is SERVFAIL always send 4xx, can postfix override to 5xx with setting for SERVFAIL ?

      Many Thanks


    • Noel Jones
      Message 2 of 6 , Aug 2, 2010
        On 8/1/2010 10:49 PM, Edward avanti wrote:
        >
        >
        > On Mon, Aug 2, 2010 at 9:45 AM, Edward avanti
        > <edward.avanti@... <mailto:edward.avanti@...>> wrote:
        >
        > <SNIP>
        >
        >
        >
        > In 4.x.x above me, the sender are known to us, his
        > hostname presented exist, but no PTR RR (he is get fixed
        > but take time), it is we prefer to 5xx, so he and others
        > like him not wait 5 days to find mail never went, I was
        > think unknown_client_reject_code = 550 would be this
        > solve, but not? Anyway to have this so?
        >
        >
        > It appear from more investigation this cause is SERVFAIL
        > always send 4xx, can postfix override to 5xx with setting for
        > SERVFAIL ?

        Why in the world would you want to 5xx reject on temporary
        errors? Postfix would be insane to offer such an option. You
        will lose legit mail anytime there is a DNS hiccup.

        If you don't care about losing legit mail, you can use a
        check_client_access table and reject clients named "unknown",
        or use an external policy service.
        http://www.postfix.org/SMTPD_POLICY_README.html


        -- Noel Jones
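
The external policy service option from the reply above, as an added example (not code from the thread or from Postfix). It assumes the service is reached through `check_policy_service` in the recipient restrictions; the whitelist network and the reply text are constructed.

```python
import ipaddress
import sys

# Constructed whitelist: known senders still waiting on a PTR fix (documentation range).
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
REJECT = "550 5.7.1 Client host rejected: cannot find your hostname"

# Constructed request, in the name=value form Postfix sends to a policy service.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=198.51.100.7\nclient_name=unknown\n\n")

def parse_request(raw):
    """Collect name=value attributes up to the empty line that ends a request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return an access(5) action: 5xx for unknown clients, DUNNO otherwise."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # non-IP client (e.g. local submission): no opinion
    if any(addr.version == net.version and addr in net for net in WHITELIST):
        return "DUNNO"  # whitelisted no-PTR sender: leave to later restrictions
    if attrs.get("client_name", "").lower() == "unknown":
        return REJECT   # covers missing PTR and DNS lookup failure alike
    return "DUNNO"

def handle(raw):
    """Build the reply Postfix expects: one action line, then an empty line."""
    return "action=" + decide(parse_request(raw)) + "\n\n"

if __name__ == "__main__":
    buf = []
    for line in sys.stdin:          # one request per blank-line-terminated block
        if line.strip():
            buf.append(line.rstrip("\n"))
        elif buf:
            sys.stdout.write(handle("\n".join(buf)))
            sys.stdout.flush()
            buf = []
```

Because `client_name` is `unknown` for a temporary DNS failure as well as for a missing PTR record, this rejects with 5xx in both cases, which is the lost-mail trade-off described in the reply.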
      • Edward avanti
        Message 3 of 6 , Aug 2, 2010
          Halo Noel,

          On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:



          >> It appear from more investigation this cause is SERVFAIL
          >> always send 4xx, can postfix override to 5xx with setting for
          >> SERVFAIL ?
          >
          > Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.

          Because in some case it is better to tell sender "there is problem" now, not them think mail delivered and 5 day later find out it not.

          We know the risk, have done this with all our sendmail farm for many many year with only one ever problem
          We trust our multiple DNS, but accept can't trust senders.

          > If you don't care about losing legit mail, you can use a check_client_access table and reject clients named "unknown",

          sorry for english but I think you mean ;
          unknown    571 We cannot accept your mails for no known DNS

          I not see "unknown" as special keyword but for lack of knowledge are try now.

          > or use an external policy service.
          > http://www.postfix.org/SMTPD_POLICY_README.html

          We thought use milter-regex, but this mean full duplicate all whitelist since postfix not work like sendmail and honor access list in class, we try check_client_access now to see if work well under recipient check, since we want to whitelist some no PTR in earlier check we think not to put in client or sender restrictions group.

          Thanks for advice.




        • Jeroen Geilman
          Message 4 of 6 , Aug 5, 2010
            On 08/03/2010 02:05 AM, Edward avanti wrote:
            > Halo Noel,
            >
            > On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:
            >
            >>> It appear from more investigation this cause is SERVFAIL
            >>> always send 4xx, can postfix override to 5xx with setting for
            >>> SERVFAIL ?
            >>
            >> Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.
            >
            > Because in some case it is better to tell sender "there is problem" now, not them think mail delivered and 5 day later find out it not.

            Then set the delay_warning_time option to a suitable value.

            J.

          • Edward avanti
            Message 5 of 6 , Aug 6, 2010
              On Fri, Aug 6, 2010 at 4:54 AM, Jeroen Geilman <jeroen@...> wrote:
              > On 08/03/2010 02:05 AM, Edward avanti wrote:
              >> Halo Noel,
              >>
              >> On Tue, Aug 3, 2010 at 12:37 AM, Noel Jones <njones@...> wrote:
              >>
              >>>> It appear from more investigation this cause is SERVFAIL
              >>>> always send 4xx, can postfix override to 5xx with setting for
              >>>> SERVFAIL ?
              >>>
              >>> Why in the world would you want to 5xx reject on temporary errors?  Postfix would be insane to offer such an option.  You will lose legit mail anytime there is a DNS hiccup.
              >>
              >> Because in some case it is better to tell sender "there is problem" now, not them think mail delivered and 5 day later find out it not.
              >
              > Then set the delay_warning_time option to a suitable value.
              >
              > J.


              Huh?
              This setting will not affect anything on my end as I not sender with DNS problem, the sender server need  this setting, no setting on my end will alter what they do.

              Noel's suggestion on use access list to 54xx them work very good. Problem now solved for us.

