Subject: Re: reject_unknown_sender_domain flawed?
From: Wietse Venema (wietse@porcupine.org)
Date: Fri Jun 30 2000 - 20:04:36 CDT
According to my /usr/include/netdb.h, SERVFAIL becomes TRY_AGAIN
which becomes DNS_RETRY in Postfix parlance. That in turn should
result in a 450 reply for reject_unknown_{sender,recipient}_domain.
The reject_unknown_{sender,recipient}_domain test verifies only
that the specified domain has an A or MX record, not that the listed
mail exchangers are actually capable of receiving mail.
Wietse
Rask Ingemann Lambertsen wrote:
> Hi.
>
> Despite using both reject_unknown_sender_domain and
> reject_unknown_recipient_domain, we've seen a few double bounces due to
> unresolvable domains slip through, but not quite figured out how that could
> happen. Now I've managed to find an example, I think:
>
> # postconf smtpd_sender_restrictions
> smtpd_sender_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_sender, reject_unknown_sender_domain,
> check_sender_access hash:/etc/postfix/badsenders, permit
>
> # postconf smtpd_recipient_restrictions
> smtpd_recipient_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> permit_mynetworks, reject_unauth_destination,
> check_recipient_access hash:/etc/postfix/badrecipients, permit
>
>
> # telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> 220 nevald.k-net.dk ESMTP Postfix
> EHLO localhost
> 250-nevald.k-net.dk
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250 8BITMIME
> MAIL FROM:<afprøvning@gdev.hom.net>
> 250 Ok
> QUIT
> 221 Bye
> Connection closed by foreign host.
>
> # dig MX gdev.hom.net
>
> ; <<>> DiG 8.2 <<>> MX gdev.hom.net
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; gdev.hom.net, type = MX, class = IN
>
> ;; Total query time: 452 msec
> ;; FROM: nevald.k-net.dk to SERVER: default -- 192.38.208.81
> ;; WHEN: Fri Jun 30 03:29:45 2000
> ;; MSG SIZE sent: 30 rcvd: 30
>
>
> It looks as if reject_unknown_(sender|recipient)_domain fails to return
> 4xx in the SERVFAIL case.
>
> Btw, is it also checked that the host names in the MX record(s) resolve?
>
> Regards,
>
> /¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯T¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\
> | Rask Ingemann Lambertsen | E-mail: mailto:rask@kampsax.k-net.dk |
> | A4000, 896 kkeys/s (RC5-64) | "ThrustMe" on XPilot, ARCnet and IRC |
> | If it jams, force it. If it breaks, it needed replacing. |
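The chain described in the reply above (SERVFAIL becomes TRY_AGAIN, which should produce a temporary 450 reply rather than an accept), as an added example that is not part of the original thread and is not Postfix source code. The rcode-to-h_errno mapping follows the classic BSD resolver; the enum names and the policy for combining the MX and A lookups are assumptions of this sketch.

```c
#include <netdb.h>   /* HOST_NOT_FOUND, TRY_AGAIN, NO_RECOVERY, NO_DATA */
#include <stdio.h>

/* Fallbacks with the traditional values, for builds where <netdb.h> hides them. */
#ifndef TRY_AGAIN
#define HOST_NOT_FOUND 1
#define TRY_AGAIN      2
#define NO_RECOVERY    3
#define NO_DATA        4
#endif

/* DNS response codes (RFC 1035). */
enum rcode { RC_NOERROR = 0, RC_FORMERR, RC_SERVFAIL, RC_NXDOMAIN, RC_NOTIMP, RC_REFUSED };
/* Hypothetical decision names for this example. */
enum decision { DOMAIN_OK, DOMAIN_UNKNOWN, DOMAIN_TEMPFAIL };

/* h_errno value the resolver reports for a reply with the given rcode and
 * answer count; 0 means records were returned. */
int herrno_for(enum rcode rc, int answers)
{
    switch (rc) {
    case RC_NOERROR:  return answers > 0 ? 0 : NO_DATA;
    case RC_NXDOMAIN: return HOST_NOT_FOUND;
    case RC_SERVFAIL: return TRY_AGAIN;
    default:          return NO_RECOVERY;
    }
}

/* Assumed policy: pass when either lookup returned a record; reject only when
 * both lookups gave a definitive "no such record"; anything else (SERVFAIL
 * included) is a temporary failure, i.e. the 450 reply. MX targets are never
 * inspected, matching the "A or MX record exists" scope of the test. */
enum decision check_domain(int mx_herrno, int a_herrno)
{
    int mx_absent = (mx_herrno == HOST_NOT_FOUND || mx_herrno == NO_DATA);
    int a_absent  = (a_herrno == HOST_NOT_FOUND || a_herrno == NO_DATA);
    if (mx_herrno == 0 || a_herrno == 0) return DOMAIN_OK;
    if (mx_absent && a_absent) return DOMAIN_UNKNOWN;
    return DOMAIN_TEMPFAIL;
}

int main(void)
{
    /* Constructed input modelled on the dig output: MX query answered SERVFAIL. */
    int mx = herrno_for(RC_SERVFAIL, 0);
    int a  = herrno_for(RC_SERVFAIL, 0);
    printf("decision: %s\n", check_domain(mx, a) == DOMAIN_TEMPFAIL ? "450 (temporary)" : "other");
    return 0;
}
```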