On 27 March 2017 at 17:25, <billgr...@sent.com> wrote:
> Hello,
>
> I'm getting the following log msg for a user (u...@example.com),
>
> Mar 26 13:22:19 bigben postfix/ps2/smtpd[32481]: NOQUEUE: reject: RCPT from chrelay.taleo.net[68.233.76.14]: 450 4.1.8 <jpmorgan_ch...@jpmcstaffing.com>: Sender address rejected: Domain not found; from=<jpmorgan_ch...@jpmcstaffing.com> to=<u...@example.com> proto=ESMTP helo=<chrelay11.taleo.net>
>
> in my Postfix 3.2 logs.
>
> I note that JPMCStaffing.com has no legit A/MX record.
>
> dig ANY JPMCStaffing.com
>
> ;; ANSWER SECTION:
> JPMCStaffing.com. 1883 IN SOA ns1.jpmorganchase.com. hostmaster.jpmchase.com. 478475997 10800 1800 1209600 3600
> JPMCStaffing.com. 1883 IN TXT "v=spf1 include:taleo.net -all"
> JPMCStaffing.com. 1883 IN NS ns1.jpmorganchase.com.
> JPMCStaffing.com. 1883 IN NS ns05.jpmorganchase.com.
> JPMCStaffing.com. 1883 IN NS ns06.jpmorganchase.com.
> JPMCStaffing.com. 1883 IN NS ns2.jpmorganchase.com.
>
> Since
>
> (a) it's a legit email
> (b) it's a legit sender
> (c) they're too $&^$& big to be able to get anyone to respond, let alone fix their end (Working on it ...)
>
> I just want to whitelist past them.
>
> My main.cf has
>
> ps2 pass - - n - - smtpd
>   -o syslog_name=postfix/ps2
>   -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination,permit
>   -o smtpd_proxy_filter=127.0.0.1:10001
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> my master.cf includes
>
> smtpd_client_restrictions =
>   permit_mynetworks
>   check_client_access lmdb:/etc/postfix/client_whitelist
>   reject_unknown_reverse_client_hostname
>   reject_unauth_pipelining
>
> smtpd_sender_restrictions =
>   permit_mynetworks
>   permit_tls_clientcerts
>   reject_non_fqdn_sender
>   reject_unknown_sender_domain
>   permit
>
> and
>
> cat /etc/postfix/client_whitelist
> 68.233.76.0/24 OK
> 68.233.76.14 OK
>
> IIUC, SMTPD 'MUMBLE' RESTRICTIONS get checked in this order
>
> client, helo, sender, relay, recipient, data, or end-of-data
>
> So I was hoping that my whitelist would prevent that reject.
>
> Clearly, not working like I thought :-(
>
> What do I need to configure to get Postfix/Postscreen to PASS this sender?

I think the rejection you are seeing is being generated by reject_unknown_sender_domain. OKing an email in one restriction list only affects tests later in that same list, not tests in other restriction lists. Try adding the line ' check_client_access lmdb:/etc/postfix/client_whitelist' to the smtpd_sender_restriction list, after permit_mynetworks.
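
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of restriction-list evaluation, in which an OK ends only the list it occurs in. The session's sender local part, the `RESOLVABLE_DOMAINS` set and all function and variable names other than the Postfix restriction names are constructed for illustration; restrictions from the posted lists that would not decide this session are omitted.

```python
# Simplified model of Postfix smtpd restriction-list evaluation (illustration only).
# Each restriction returns "OK", "REJECT" or "DUNNO" for a session.

WHITELIST = {"68.233.76.14"}          # the exact-address entry from the posted client_whitelist
RESOLVABLE_DOMAINS = {"example.com"}  # constructed: domains that have an A or MX record

def check_client_access(session):
    return "OK" if session["client_ip"] in WHITELIST else "DUNNO"

def reject_unknown_sender_domain(session):
    domain = session["sender"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in RESOLVABLE_DOMAINS else "REJECT"

def permit(session):
    return "OK"

def evaluate(lists, session):
    """Walk the lists in order. OK ends only the current list;
    REJECT ends the whole evaluation; DUNNO tries the next restriction."""
    for list_name, restrictions in lists:
        for restriction in restrictions:
            verdict = restriction(session)
            if verdict == "REJECT":
                return f"rejected by {restriction.__name__} in {list_name}"
            if verdict == "OK":
                break  # skip the rest of THIS list only, then go on to the next list
    return "accepted"

# Constructed session mirroring the logged one (local part is a placeholder).
SESSION = {"client_ip": "68.233.76.14", "sender": "sender@jpmcstaffing.com"}

# As posted: the whitelist lookup appears only in the client list.
ORIGINAL = [
    ("smtpd_client_restrictions", [check_client_access]),
    ("smtpd_sender_restrictions", [reject_unknown_sender_domain, permit]),
]
# As suggested in the reply: the same lookup also precedes the sender-domain check.
SUGGESTED = [
    ("smtpd_client_restrictions", [check_client_access]),
    ("smtpd_sender_restrictions",
     [check_client_access, reject_unknown_sender_domain, permit]),
]

if __name__ == "__main__":
    print("original: ", evaluate(ORIGINAL, SESSION))
    print("suggested:", evaluate(SUGGESTED, SESSION))
```

With the lookup in the sender list, only clients present in the whitelist skip the sender-domain check; every other client is still subject to reject_unknown_sender_domain.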