On 11/2/2009 4:16 AM, Peter Macko wrote:
 > On 10/28/2009 7:23 PM, Peter Macko wrote:
 > > DNS that is used by postfix stopped working and consequently caused
 > > postfix to respond to:
 > > 1. senders from outside: NOQUEUE: reject: RCPT from
 > > unknown[194.168.1.66]: 450 4.1.8
 > > 2. senders from inside (LAN): NOQUEUE: reject: RCPT from
 > > unknown[172.16.125.115]: 450 4.1.2
 > >
 > > 1. case looks Ok, mailservers from outside keep trying to deliver the
 > > rejected messages.
 > > 2. case is not that good. Email clients on LAN, e.g. Outlook, generate
 > > failed delivery message 450 4.1.2.
 > > The problem is that I use AVG antivirus to check emails and it will not
 > > generate any message in this case.
 > > In case of DNS failure, can I configure postfix to construct a standard
 > > message (failed delivery) for senders from LAN (local users of postfix
 > > server) and
 > > for senders from outside (other email servers) to keep responding
 > > 450 4.1.8?
 > >
 >
 > Yes, don't subject internal or authenticated users to
 > reject_unknown_client_hostname checks.
 >
 > Make sure the permit_mynetworks and/or
 > permit_sasl_authenticated is listed first.
 >
 > If you need more help, refer to the list welcome message you
 > received when you signed up, or see
 > http://www.postfix.org/DEBUG_README.html#mail
 >
 >
 > -- Noel Jones

Thanks, your advice was helpful.
I still have one problem. When I send email from mynetworks to a local
user that does not exist,
postfix does not construct an error message.

In maillog:

Nov  2 11:01:05 mail postfix/smtpd[5083]: NOQUEUE: reject: RCPT from unknown[A.A.A.A]: 550 
5.1.1<u...@domain.eu>: Recipient address rejected: User unknown in local recipient table; 
from=<us...@domain.eu>  to=<u...@domain.eu>  proto=ESMTP helo=<oit03>

You want postfix to generate a bounce back to the sender rather than correctly refusing the mail? Why?



postconf -n

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net

Better to move "reject_unauth_destination" to just after "permit_sasl_authenticated". Rule of thumb is to put reject_unauth_destination as early as possible.

Consider replacing sbl.spamhaus.org and cbl.abuseat.org with zen.spamhaus.org.
http://www.spamhaus.org/zen/

  -- Noel Jones
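
Added example, not part of the thread and not Postfix code: a small Python check that applies the ordering advice above (trusted-client permits first, reject_unauth_destination directly after them, and the zen.spamhaus.org suggestion) to the smtpd_recipient_restrictions value quoted in the thread. The function names and the TAKES_ARG subset of argument-taking restrictions are this example's own choices.

```python
import re
# Restrictions that take the next token as an argument (a subset, chosen here).
TAKES_ARG = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
             "check_client_access", "check_recipient_access", "check_policy_service"}
TRUSTED = ("permit_mynetworks", "permit_sasl_authenticated")
RELAY_GUARD = "reject_unauth_destination"
# The smtpd_recipient_restrictions value quoted in the thread.
THREAD_VALUE = """permit_mynetworks, permit_sasl_authenticated,
 reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
 reject_unknown_sender_domain, reject_unknown_recipient_domain,
 reject_unauth_destination, reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net"""

def parse_restrictions(value):
    """Split on commas/whitespace, keeping each argument with its restriction."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rules, i = [], 0
    while i < len(tokens):
        has_arg = tokens[i] in TAKES_ARG and i + 1 < len(tokens)
        rules.append((tokens[i], tokens[i + 1] if has_arg else None))
        i += 2 if has_arg else 1
    return rules

def review(value):
    """Return (findings, reordered rules) following the advice in the thread."""
    rules = parse_restrictions(value)
    names = [n for n, _ in rules]
    lead = [r for r in rules if r[0] in TRUSTED]
    guard = [r for r in rules if r[0] == RELAY_GUARD][:1]
    rest = [r for r in rules if r[0] not in TRUSTED and r[0] != RELAY_GUARD]
    findings = []
    if not lead or any(n not in TRUSTED for n in names[:len(lead)]):
        findings.append("permit_mynetworks/permit_sasl_authenticated not listed first")
    if not guard:
        findings.append("reject_unauth_destination is missing")
    elif names.index(RELAY_GUARD) != len(lead):
        findings.append("reject_unauth_destination not directly after the permits")
    zones = {a for n, a in rules if n == "reject_rbl_client"}
    if {"sbl.spamhaus.org", "cbl.abuseat.org"} <= zones:
        findings.append("sbl.spamhaus.org + cbl.abuseat.org: consider zen.spamhaus.org")
    return findings, lead + guard + rest

def render(rules):
    # Format the rules back into a main.cf assignment with continuation lines.
    items = [n if a is None else f"{n} {a}" for n, a in rules]
    return "smtpd_recipient_restrictions = " + ",\n    ".join(items)

if __name__ == "__main__":
    print(*review(THREAD_VALUE)[0], render(review(THREAD_VALUE)[1]), sep="\n")
```

The reordered list only moves reject_unauth_destination; the DNSBL suggestion is reported but left for the administrator to apply.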
