On Wed, Dec 31, 2014 at 11:20:09AM -0500, Wietse Venema wrote:

> > Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from
> > upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 <SUASMTP.upsdiv.com>: Helo
> > command rejected: Host not found; from=<ica.servi...@upsdocs.com>
> > to=<foste...@harte-lyne.ca> proto=ESMTP helo=<SUASMTP.upsdiv.com>
>
> upsdocs.com has no MX, A, or AAAA record. Thus, they fail
> the reject_unknown_sender_domain test.
>
> They do have an NS record, though, and you could put check_sender_ns_access
> before reject_unknown_sender_domain, and "permit" all domains with
> an ups.com DNS server...
>
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions =
>         check_sender_ns_access hash:/etc/postfix/ns_access
>         reject_unknown_sender_domain
>
> /etc/postfix/ns_access:
>     ups.com     permit

UPS messed up, they publish SPF records, but have no MX, A or AAAA records.

    ;upsdocs.com. ANY
    upsdocs.com. SOA resolve01.sslra.com. internet.ups.com. 388909522 600 10800 604800 600
    upsdocs.com. NS nsa.ups.com.
    upsdocs.com. NS nsb.ups.com.
    upsdocs.com. TXT "v=spf1 ip4:216.115.165.7 ~all"

You can also exempt their sole authorized IP address, or the domain
itself from reject_unknown_sender_domain via one of:

    check_client_access
    check_sender_access

-- 
    Viktor.
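
The two exemptions named above, written out as configuration. This is an added example, not part of the original message; the table file names sender_access and client_access are assumptions, and only one of the two options would be used.

```cfg
# --- Option A: exempt the sender domain (check_sender_access) ---------
# /etc/postfix/main.cf
# The lookup must come BEFORE reject_unknown_sender_domain: the first
# restriction in the list that returns a decision ends the list.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access
    reject_unknown_sender_domain

# /etc/postfix/sender_access   (assumed file name)
# Matches the MAIL FROM domain. The envelope sender is supplied by the
# client, so this applies to any host that uses the domain.
upsdocs.com         OK

# --- Option B: exempt the one authorized client IP (check_client_access)
# /etc/postfix/main.cf
smtpd_sender_restrictions =
    check_client_access hash:/etc/postfix/client_access
    reject_unknown_sender_domain

# /etc/postfix/client_access   (assumed file name)
# The address from the domain's SPF record and the log line above.
# Narrower than option A: only this host skips the check.
216.115.165.7       OK

# In both cases OK ends smtpd_sender_restrictions only; the client,
# HELO, relay and recipient restriction lists are still evaluated.
# Rebuild the hash: table after editing, then reload:
#   postmap /etc/postfix/sender_access     (or client_access)
#   postfix reload
```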