On Wed, Dec 31, 2014 at 11:20:09AM -0500, Wietse Venema wrote:

> > Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from
> > upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 <SUASMTP.upsdiv.com>: Helo
> > command rejected: Host not found; from=<ica.servi...@upsdocs.com>
> > to=<foste...@harte-lyne.ca> proto=ESMTP helo=<SUASMTP.upsdiv.com>
> 
> upsdocs.com has no MX, A, or AAAA record. Thus, they fail
> the reject_unknown_sender_domain test.
> 
> They do have an NS record, though, and you could put check_sender_ns_access
> before reject_unknown_sender_domain, and "permit" all domains with
> an ups.com DNS server...
> 
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions =
>       check_sender_ns_access hash:/etc/postfix/ns_access
>       reject_unknown_sender_domain
> 
> /etc/postfix/ns_access:
>     ups.com permit

UPS messed up: they publish SPF records, but have no MX, A or AAAA
records.

    ;upsdocs.com.      ANY
    upsdocs.com.       SOA     resolve01.sslra.com. internet.ups.com. 388909522 600 10800 604800 600
    upsdocs.com.       NS      nsa.ups.com.
    upsdocs.com.       NS      nsb.ups.com.
    upsdocs.com.       TXT     "v=spf1 ip4:216.115.165.7 ~all"

You can also exempt their sole authorized IP address, or the domain
itself from reject_unknown_sender_domain via one of:

        check_client_access
        check_sender_access

-- 
        Viktor.
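
The two exemptions named above, written out as an added example (not part of the original message), with the client-keyed form beside the sender-keyed one. The table names client_exempt and sender_exempt are hypothetical; the IP address and domain are the ones in the SPF record quoted in the message.

```conf
# /etc/postfix/main.cf
#
# Variant A: exempt by connecting client address.
# The lookup key is the peer IP seen by smtpd, which the sending side
# cannot choose, so only the one host listed in the SPF record skips
# reject_unknown_sender_domain.
smtpd_sender_restrictions =
    check_client_access hash:/etc/postfix/client_exempt
    reject_unknown_sender_domain

# Variant B: exempt by envelope sender domain.
# The lookup key is the MAIL FROM address, which any client can claim,
# so every client using an @upsdocs.com sender skips the check.
# Use one variant or the other, not both definitions.
#
#smtpd_sender_restrictions =
#    check_sender_access hash:/etc/postfix/sender_exempt
#    reject_unknown_sender_domain

# /etc/postfix/client_exempt (hypothetical table name, variant A)
216.115.165.7    OK

# /etc/postfix/sender_exempt (hypothetical table name, variant B)
upsdocs.com      OK

# After editing a hash: table, rebuild its index and reload:
#   postmap /etc/postfix/client_exempt
#   postfix reload
```

An OK result ends only the smtpd_sender_restrictions list; the client, HELO, relay and recipient restriction lists are still evaluated for the same session.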
