On 11/2/2009 4:16 AM, Peter Macko wrote:
> On 10/28/2009 7:23 PM, Peter Macko wrote:
> > DNS that is used by postfix stopped working and consequently caused
> > postfix to respond to:
> > 1. senders from outside: NOQUEUE: reject: RCPT from
> > unknown[194.168.1.66]: 450 4.1.8
> > 2. senders from inside (LAN): NOQUEUE: reject: RCPT from
> > unknown[172.16.125.115]: 450 4.1.2
> >
> > 1. case looks OK, mailservers from outside keep trying to deliver the
> > rejected messages.
> > 2. case is not that good. Email clients on the LAN, e.g. Outlook, generate
> > failed delivery message 450 4.1.2.
> > The problem is that I use AVG antivirus to check emails and it will not
> > generate any message in this case.
> > In case of DNS failure, can I configure postfix to construct a standard
> > message (failed delivery) for senders from LAN (local users of postfix
> > server) and
> > for senders from outside (other email servers) to keep responding
> > 450 4.1.8?
> >
>
> Yes, don't subject internal or authenticated users to
> reject_unknown_client_hostname checks.
>
> Make sure the permit_mynetworks and/or
> permit_sasl_authenticated is listed first.
>
> If you need more help, refer to the list welcome message you
> received when you signed up, or see
> http://www.postfix.org/DEBUG_README.html#mail
>
>
> -- Noel Jones

Thanks, your advice was helpful.
I still have one problem. When I send email from mynetworks to a local
user that does not exist,
postfix does not construct an error message.
In maillog:
Nov 2 11:01:05 mail postfix/smtpd[5083]: NOQUEUE: reject: RCPT from unknown[A.A.A.A]: 550
5.1.1<u...@domain.eu>: Recipient address rejected: User unknown in local recipient table;
from=<us...@domain.eu> to=<u...@domain.eu> proto=ESMTP helo=<oit03>

You want postfix to generate a bounce back to the sender
rather than correctly refusing the mail? Why?

postconf -n
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net

Better to move "reject_unauth_destination" to just after
"permit_sasl_authenticated". Rule of thumb is to put
reject_unauth_destination as early as possible.
Consider replacing sbl.spamhaus.org and cbl.abuseat.org with
zen.spamhaus.org.
http://www.spamhaus.org/zen/
-- Noel Jones
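
Added example, not part of the original thread and not code from either poster or from Postfix: a small Python check that reads a `postconf -n` style listing and flags the three ordering points raised above (trusted permits first, `reject_unauth_destination` right after them, DNSBL zones the thread suggests replacing with zen.spamhaus.org). The function names and the sample layout are assumptions of this example.

```python
import re

# Constructed sample: the restriction list from the thread, in postconf -n layout.
SAMPLE = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_invalid_helo_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
"""
TRUSTED = ("permit_mynetworks", "permit_sasl_authenticated")
ZEN_REPLACES = {"sbl.spamhaus.org", "cbl.abuseat.org"}  # per the thread's advice

def parse_restrictions(text, param="smtpd_recipient_restrictions"):
    """Return the entries of `param`, joining indented continuation lines."""
    value, collecting = [], False
    for line in text.splitlines():
        if collecting and line[:1] in (" ", "\t"):
            value.append(line)
        elif re.match(rf"{re.escape(param)}\s*=", line):
            value, collecting = [line.split("=", 1)[1]], True
        else:
            collecting = False
    entries = []
    for tok in (t for t in re.split(r"[,\s]+", " ".join(value)) if t):
        # reject_rbl_client takes the DNSBL zone as its argument; keep them together.
        if entries and entries[-1] == "reject_rbl_client":
            entries[-1] += " " + tok
        else:
            entries.append(tok)
    return entries

def lint(entries):
    """Return findings for the three ordering points raised in the thread."""
    names = [e.split()[0] for e in entries]
    findings = []
    rejects = [i for i, n in enumerate(names) if n.startswith("reject_")]
    for t in TRUSTED:
        if rejects and t in names and names.index(t) > rejects[0]:
            findings.append(f"{t} comes after {names[rejects[0]]}")
    if "reject_unauth_destination" in names:
        # Absent is not flagged here: it may live in another restriction list.
        before = names[:names.index("reject_unauth_destination")]
        if any(n not in TRUSTED for n in before):
            findings.append("reject_unauth_destination is not directly after the permit_* entries")
    zones = {e.split()[1] for e in entries if e.startswith("reject_rbl_client ")}
    if zones & ZEN_REPLACES:
        findings.append("zen.spamhaus.org could replace: " + ", ".join(sorted(zones & ZEN_REPLACES)))
    return findings

if __name__ == "__main__":
    for finding in lint(parse_restrictions(SAMPLE)):
        print("WARN:", finding)
```

To check a live server, pass the text printed by `postconf -n` to `parse_restrictions` instead of `SAMPLE`.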