Hi, I have a postfix-3.7.3 fedora37 system and have a few users who want me to disable reject_non_fqdn_sender because it seems many of their users have DNS problems. For example, email from nore...@info.apr.gov.rs fails to resolve with:

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

and the following in my bind logs:

16-May-2023 09:01:37.082 resolver: DNS format error from 195.178.56.17#53 resolving ns2.apr.gov.rs/AAAA for <unknown>: server sent FORMERR
16-May-2023 09:01:37.082 lame-servers: received FORMERR resolving ' ns2.apr.gov.rs/AAAA/IN': 195.178.56.17#53
16-May-2023 09:01:41.088 lame-servers: timed out resolving ' ns2.apr.gov.rs/AAAA/IN': 212.62.49.194#53
16-May-2023 09:01:41.095 lame-servers: timed out resolving ' ns1.apr.gov.rs/AAAA/IN': 212.62.49.194#53

Their name servers appear to be broken.

And in the (multi-instance) postfix logs I have the following:

May 16 07:23:53 iceman postfix-199/smtpd[2634611]: NOQUEUE: reject: RCPT from unknown[195.178.56.17]: 450 4.1.8 <nore...@info.apr.gov.rs>: Sender address rejected: Domain not found; from=<nore...@info.apr.gov.rs> to=< sovljansk...@example.co.rs> proto=ESMTP helo=<info.apr.gov.rs>

Without a FQDN, I'm of course concerned about disabling any form of spoofing protection, particularly for what appears to be mail from a government agency domain, but we also can't just block mail because of that. The return path is also the same domain, which means we also have no ability to verify the email origin using SPF.

I've since added an entry to my sender_checks.pcre that appears to be working:

/info\.apr\.gov\.rs/ permit

So my questions are related to this specific instance where email was being rejected from this domain, and the way I handled it, but also the broader question about how to relax some of the DNS checks that we use to prevent sender fraud.

How can I find a "happy medium" to limit fraud as much as possible, yet not reject all mail because they're having temporary DNS issues?

$ postconf -fn -c /etc/postfix-120
...
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_sender [reject_rbls ...]
    ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/recipient_checks,
    check_recipient_access pcre:$config_directory/relay_recips_access,
    check_recipient_access,
    permit

Thanks so much for any ideas.
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
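
Added example, not part of the original post: a Python sketch that emulates how a Postfix pcre table applies the sender_checks.pcre entry quoted above to the whole envelope sender string, next to an anchored variant. The helper names, the anchored pattern and the sample addresses are constructed for illustration, and only the `i` flag of pcre_table(5) is modelled.

```python
import re

# Entry as posted in sender_checks.pcre, and an anchored variant (assumption,
# not from the post) that only matches the domain part of the address.
POSTED = r"/info\.apr\.gov\.rs/ permit"
ANCHORED = r"/@info\.apr\.gov\.rs$/ permit"

def load_pcre_table(text):
    """Parse '/pattern/flags action' table lines (hypothetical helper)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([A-Za-z]*)\s+(.+)$", line)
        if m is None:
            raise ValueError(f"unparsed table line: {line!r}")
        pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; 'i' toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, sender):
    """First matching rule wins; the pattern sees the whole address string."""
    for rx, action in rules:
        if rx.search(sender):
            return action
    return None

# Constructed envelope senders: two for the intended domain, three lookalikes.
SAMPLES = [
    "sender@info.apr.gov.rs",
    "SENDER@INFO.APR.GOV.RS",
    "billing@info.apr.gov.rs.example.net",
    "info.apr.gov.rs@example.net",
    "user@xinfo.apr.gov.rs",
]

def audit(table_text):
    """Return {sender: action or None} for every constructed sample."""
    rules = load_pcre_table(table_text)
    return {s: lookup(rules, s) for s in SAMPLES}

if __name__ == "__main__":
    for name, table in (("posted", POSTED), ("anchored", ANCHORED)):
        for sender, action in audit(table).items():
            print(f"{name:9} {sender:38} -> {action}")
```

Anchoring narrows the exemption to that one domain; the envelope sender is still supplied by the client, so the entry exempts the address from the check without authenticating the mail.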