Hi,
I have a postfix-3.7.3 fedora37 system and have a few users who want me to
disable reject_non_fqdn_sender because it seems many of their users have
DNS problems. For example, email from nore...@info.apr.gov.rs fails to
resolve with:

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

and the following in my bind logs:
16-May-2023 09:01:37.082 resolver: DNS format error from 195.178.56.17#53 resolving ns2.apr.gov.rs/AAAA for <unknown>: server sent FORMERR
16-May-2023 09:01:37.082 lame-servers: received FORMERR resolving 'ns2.apr.gov.rs/AAAA/IN': 195.178.56.17#53
16-May-2023 09:01:41.088 lame-servers: timed out resolving 'ns2.apr.gov.rs/AAAA/IN': 212.62.49.194#53
16-May-2023 09:01:41.095 lame-servers: timed out resolving 'ns1.apr.gov.rs/AAAA/IN': 212.62.49.194#53

Their name servers appear to be broken.

and in the (multi-instance) postfix logs I have the following:
May 16 07:23:53 iceman postfix-199/smtpd[2634611]: NOQUEUE: reject: RCPT from unknown[195.178.56.17]: 450 4.1.8 <nore...@info.apr.gov.rs>: Sender address rejected: Domain not found; from=<nore...@info.apr.gov.rs> to=<sovljansk...@example.co.rs> proto=ESMTP helo=<info.apr.gov.rs>

Without a FQDN, I'm of course concerned about disabling any form of
spoofing protection, particularly for what appears to be mail from a
government agency domain, but we also can't just block mail because of
that. The return path is also the same domain, which means we also have no
ability to verify the email origin using SPF.

I've since added an entry to my sender_checks.pcre that appears to be
working:
/info\.apr\.gov\.rs/                    permit

So my questions are related to this specific instance where email was being
rejected from this domain, and the way I handled it, but also the
broader question about how to relax some of the DNS checks that we use to
prevent sender fraud. How can I find a "happy medium" to limit fraud as
much as possible, yet not reject all mail because they're having temporary
DNS issues?

$ postconf -fn -c /etc/postfix-120
...
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender, reject_unlisted_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    reject_unauth_destination, reject_rhsbl_sender
    [reject_rbls ...]
    ${indexed}check_backscatterer, check_helo_access
    pcre:$config_directory/helo_checks.pcre, check_helo_access
    ${indexed}helo_checks, reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501, check_recipient_access
    pcre:$config_directory/recipient_checks, check_recipient_access
    pcre:$config_directory/relay_recips_access, check_recipient_access,
    permit

Thanks so much for any ideas.
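
An added example, not part of the original post: a small emulation of a Postfix pcre access-table lookup that runs the posted sender_checks.pcre rule and an anchored variant over constructed sender addresses, to show which addresses each rule exempts. The anchored rule, the sample addresses and the helper names are assumptions made for illustration.

```python
import re

# Rule as posted, and a hypothetical anchored alternative (not from the post).
POSTED_TABLE = r"/info\.apr\.gov\.rs/                    permit"
ANCHORED_TABLE = r"/@info\.apr\.gov\.rs$/                 permit"

# Constructed sender addresses for the comparison.
SAMPLES = [
    "someone@info.apr.gov.rs",
    "SOMEONE@INFO.APR.GOV.RS",
    "someone@info.apr.gov.rs.example.net",
    "info.apr.gov.rs@example.net",
    "someone@apr.gov.rs",
]

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")

def load_table(text):
    """Parse '/pattern/flags action' lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        if m["flags"].strip("i"):
            raise ValueError(f"unsupported flags: {m['flags']!r}")
        # pcre_table(5): matching is case-insensitive by default; 'i' toggles it.
        insensitive = m["flags"].count("i") % 2 == 0
        rules.append((re.compile(m["pat"], re.I if insensitive else 0), m["action"]))
    return rules

def lookup(rules, sender):
    """First matching rule wins; an unanchored pattern matches anywhere in the address."""
    for pattern, action in rules:
        if pattern.search(sender):
            return action
    return None  # no match: the next restriction in the list is evaluated

def compare():
    """Return (sender, result of posted rule, result of anchored rule) per sample."""
    posted, anchored = load_table(POSTED_TABLE), load_table(ANCHORED_TABLE)
    return [(s, lookup(posted, s), lookup(anchored, s)) for s in SAMPLES]

if __name__ == "__main__":
    for sender, posted, anchored in compare():
        print(f"{sender:40} posted={posted!s:7} anchored={anchored}")
```

The posted rule returns `permit` for any sender address that merely contains the domain string, while the anchored variant limits the exemption to addresses whose domain part is exactly info.apr.gov.rs.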