OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: reject_unknown_sender_domain flawed?
From: Rask Ingemann Lambertsen (rask-postfixkampsax.k-net.dk)
Date: Thu Jun 29 2000 - 20:42:35 CDT

   Hi.

   Despite using both reject_unknown_sender_domain and
reject_unknown_recipient_domain, we've seen a few double bounced due to
unresolvable domains slip through, but not quite figured out how that could
happen. Now I've managed to find an example, I think:

# postconf smtpd_sender_restrictions
smtpd_sender_restrictions = reject_unauth_pipelining,
 reject_non_fqdn_sender, reject_unknown_sender_domain,
 check_sender_access hash:/etc/postfix/badsenders, permit

# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_unauth_pipelining,
 reject_non_fqdn_recipient, reject_unknown_recipient_domain,
 permit_mynetworks, reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/badrecipients, permit

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 nevald.k-net.dk ESMTP Postfix
EHLO localhost
250-nevald.k-net.dk
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
MAIL FROM:<afprĝvninggdev.hom.net>
250 Ok
QUIT
221 Bye
Connection closed by foreign host.

# dig MX gdev.hom.net

; <<>> DiG 8.2 <<>> MX gdev.hom.net
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; gdev.hom.net, type = MX, class = IN

;; Total query time: 452 msec
;; FROM: nevald.k-net.dk to SERVER: default -- 192.38.208.81
;; WHEN: Fri Jun 30 03:29:45 2000
;; MSG SIZE sent: 30 rcvd: 30

   It looks as if reject_unknown_(sender|recipient)_domain fails to return
4xx in the SERVFAIL case.

   Btw, is it also checked that the host names in the MX record(s) resolve?

Regards,

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻTŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
| Rask Ingemann Lambertsen | E-mail: mailto:raskkampsax.k-net.dk |
| A4000, 896 kkeys/s (RC5-64) | "ThrustMe" on XPilot, ARCnet and IRC |
| If it jams, force it. If it breaks, it needed replacing. |