The default setting of unknown_address_reject_code is 450 (http://www.postfix.org/postconf.5.html#unknown_address_reject_code).
If the sender domain or recipient domain are not found (subject to the caveat that this is NOT a temporary DNS error when postfix does the lookup) isn't it reasonable to reject with a 5xx code, assuming no temporary DNS error?

I have a particular situation in which this has come up: I am receiving thousands and thousands of attempts by valid cox.net mail servers to send to [email protected] (where elided.com is my domain) from [email protected], and they look like this in my mail logs:

Nov 27 17:59:58 mailhost postfix/smtpd[20612]: NOQUEUE: reject: RCPT from fed1rmfepi108.cox.net[68.230.241.139]: 450 4.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fed1rmfepi108.cox.net>

Now, this is an obvious phishing attempt, and cibconline.cibc.com is a valid domain (DNS query returns status: NOERROR) BUT it does not have any A or MX records associated with it. That is presumably the reason Postfix is rejecting the sender address because of my reject_unknown_sender_domain setting in smtpd_sender_restrictions.

But the mail comes from a valid cox.net mail server (http://postmaster.cox.net/confluence/display/postmaster/Outbound+MTA), and so when Postfix returns a 4xx, the Cox mailserver queues the mail and continues to retry it. So a few hundred phishing attempts turn into thousands as they are retried over and over.

Can anyone provide advice? Is it reasonable to change unknown_address_reject_code to 550 despite the admonition in the manual: "do not change this unless you have a complete understanding of RFC 5321". Pointers to the relevant section within that RFC are welcome -- I've looked and didn't find anything that would imply 5xx should not be used in this case.

As an aside: I think the new NullMX support added within the last few days is relevant for this case also, but what is the best work-around until that feature is widely available?

Regards,
Raman Gupta
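Added example, not part of the original post: a small log analysis that measures the retry amplification described above by counting temporary (4xx) "Domain not found" rejects per sender/recipient pair. The sample lines are constructed in the format of the quoted log entry with placeholder hosts and addresses, and the script assumes that a repeated sender/recipient pair is a retry of the same queued message.

```python
import re
from collections import Counter

# Constructed sample lines (placeholder hosts, RFC 5737 addresses), not real logs.
SAMPLE_LOG = """\
Nov 27 17:59:58 mailhost postfix/smtpd[20612]: NOQUEUE: reject: RCPT from mta1.relay.example[192.0.2.10]: 450 4.1.8 <alerts@nomx.example>: Sender address rejected: Domain not found; from=<alerts@nomx.example> to=<user@rcpt.example> proto=ESMTP helo=<mta1.relay.example>
Nov 27 18:14:02 mailhost postfix/smtpd[20701]: NOQUEUE: reject: RCPT from mta2.relay.example[192.0.2.11]: 450 4.1.8 <alerts@nomx.example>: Sender address rejected: Domain not found; from=<alerts@nomx.example> to=<user@rcpt.example> proto=ESMTP helo=<mta2.relay.example>
Nov 27 18:44:31 mailhost postfix/smtpd[20833]: NOQUEUE: reject: RCPT from mta1.relay.example[192.0.2.10]: 450 4.1.8 <alerts@nomx.example>: Sender address rejected: Domain not found; from=<alerts@nomx.example> to=<user@rcpt.example> proto=ESMTP helo=<mta1.relay.example>
Nov 27 18:45:10 mailhost postfix/smtpd[20840]: NOQUEUE: reject: RCPT from mta1.relay.example[192.0.2.10]: 450 4.1.8 <billing@nomx.example>: Sender address rejected: Domain not found; from=<billing@nomx.example> to=<admin@rcpt.example> proto=ESMTP helo=<mta1.relay.example>
Nov 27 18:46:00 mailhost postfix/smtpd[20851]: NOQUEUE: reject: RCPT from host.other.example[198.51.100.7]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<a@other.example> to=<x@elsewhere.example> proto=ESMTP helo=<host.other.example>
Nov 27 18:46:05 mailhost postfix/smtpd[20851]: disconnect from host.other.example[198.51.100.7]
"""

# Matches the smtpd reject format shown in the post.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<[^>]*>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(text):
    """Yield one dict per smtpd reject line; other log lines are skipped."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()

def retry_amplification(text, reason="Domain not found"):
    """Count 4xx rejects per (sender, rcpt) pair for the given reject reason.
    Assumption: a pair seen more than once is the remote MTA retrying."""
    counts = Counter()
    for r in parse_rejects(text):
        if r["code"].startswith("4") and reason in r["reason"]:
            counts[(r["sender"], r["rcpt"])] += 1
    return counts

def summarize(text):
    """Return distinct messages, total delivery attempts, and retries among them."""
    counts = retry_amplification(text)
    attempts = sum(counts.values())
    return {"messages": len(counts), "attempts": attempts,
            "retries": attempts - len(counts)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running the same functions over the real mail log shows how much of the reject volume is retries of mail deferred with 450 rather than new messages.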
