reject mail without valid MX

2009-07-12 Thread Keld Jørn Simonsen
Hi

I am fooling around with my postfix, and I wanted to reject mail without
a valid MX record. How to do that?

I tried 

smtpd_sender_restrictions =
    check_sender_mx_access cidr:/etc/postfix/mxaccess

With a file /etc/postfix/mxaccess having the following contents:

64.94.110/24 REJECT Verisign hijacked domain
0.0.0.0 REJECT No MX record


But that does not seem to work.

First of all, check_sender_mx_access checks the MX address, not whether
there is any MX record at all.

Second, it seems like the Verisign problem has been removed.

Third, I do not get a .db file for the cidr file; is that
intentional? I did get a .db file when I used hash: and restarted
postfix.

best regards
Keld


reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-12 Thread Keld Jørn Simonsen
Hi

More fooling around with postfix,

Using in main.cf

smtpd_sender_restrictions = reject_unknown_reverse_client_hostname

did not do what I expected:

from the /var/log/mail/info file:

Jul 12 09:12:48 rap postfix/smtpd[6597]: NOQUEUE: reject: RCPT from unknown[92.45.179.70]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [92.45.179.70]; from= to= proto=ESMTP helo=

I then used:
host 92.45.179.70

Which gave:

70.179.45.92.in-addr.arpa domain name pointer asy70.asy179.tellcom.com.tr

And this means that there is a PTR RR.

Can it be something about postfix not set up to do reverse name lookups?

best regards
keld


Re: reject mail without valid MX

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 11:41:51AM +0200, Magnus Bäck wrote:
> On Sunday, July 12, 2009 at 11:37 CEST,
>  Keld Jørn Simonsen  wrote:
> 
> > I am fooling around with my postfix, and I wanted to reject mail
> > without a valid MX record. How to do that?
> 
> Don't do that. MX records are not required, and you will reject
> legitimate email. If the MX record isn't present, an MTA should
> use the A record.

Yes it is understood that the RFCs do not require MX for mail.
But how many legitimate mails do not have MX?

best regards
keld


Re: reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 11:55:36AM +0200, Ole Tange wrote:
> 2009/7/12 Keld Jørn Simonsen :
> 
> > from the /var/log/mail/info file:
> >
> > Jul 12 09:12:48 rap postfix/smtpd[6597]: NOQUEUE: reject: RCPT from 
> > unknown[92.45.179.70]: 450 4.7.1 Client host rejected: cannot find your 
> > reverse hostname , [92.45.179.70]; from= 
> > to= proto=ESMTP helo=
> >
> > I then used:
> > host 92.45.179.70
> >
> > Which gave:
> >
> > 70.179.45.92.in-addr.arpa domain name pointer asy70.asy179.tellcom.com.tr
> >
> > And this means that there is a PTR RR.
> >
> > Can it be something about postfix not set up to do reverse name lookups?
> 
> Notice how you get a 4xx error code. It may simply be your nameserver
> did not get an answer quickly enough.

You mean by debugging via tcpdump or the like?

> If you see no reverse lookups succeeding at all, then it may be your
> resolv.conf that does something weird.

The host command was done on the same machine, and responses seem fast
enough. Anyway, asy70.asy179.tellcom.com.tr is an NXDOMAIN. So maybe
postfix tries to look up the name it got from the PTR.

best regards
keld


Re: reject mail without valid MX

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 12:09:15PM +0200, Magnus Bäck wrote:
> On Sunday, July 12, 2009 at 11:52 CEST,
>  Keld Jørn Simonsen  wrote:
> 
> > On Sun, Jul 12, 2009 at 11:41:51AM +0200, Magnus Bäck wrote:
> >
> > > Don't do that. MX records are not required, and you will reject
> > > legitimate email. If the MX record isn't present, an MTA should
> > > use the A record.
> > 
> > Yes it is understood that the RFCs do not require MX for mail.
> > But how many legitimate mails do not have MX?
> 
> I don't know. How many illegitimate messages do not have an MX record
> for the sender address? It may be reasonable to break the rules, but
> the gain of doing so must outweigh the costs. I don't think that's
> the case here. There simply are more exact methods of fighting spam
> than blocking messages whose sender address lacks an MX record.

Yes, I am employing a number of other measures too.

But I would like to try out seeing what effect rejecting mail without an
MX RR will have. Can I do that in postfix, possibly by specifying
something in the file for check_sender_mx_access? I did google for it.

And thanks for your quick answers (also to Ole).

Best regards
keld


Re: reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 08:15:11AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > Hi
> > 
> > More fooling around with postfix,
> > 
> > Using in main.cf
> > 
> > smtpd_sender_restrictions = reject_unknown_reverse_client_hostname
> > 
> > did not do what I expected:
> > 
> > from the /var/log/mail/info file:
> > 
> > Jul 12 09:12:48 rap postfix/smtpd[6597]: NOQUEUE: reject: RCPT from 
> > unknown[92.45.179.70]: 450 4.7.1 Client host rejected: cannot find your 
> > reverse hostname , [92.45.179.70]; from= 
> > to= proto=ESMTP helo=
> 
> Surely, your assumption that all network paths are working
> all the time must be valid, and Postfix must be mistaken.

I saw the problem a number of times, that is, sites with a PTR
record were listed as unknown. This was just one example out of a
number. Anyway, a timeout problem could of course occur multiple times.

Is it true that if a PTR was found, then this name would be displayed in
the above log message, and not the IP number?

Anyway, can you confirm that there is no check on availability of the
domain name that is referenced in the PTR RR? I would actually think
that such a check was a wise thing to do. But then you can catch some
valid domains that have a bad configuration.

Anyway if it is a name server timeout, then I think this is always
handled by a 450 response. In my case the mail was rejected.

Best regards
keld


Re: reject mail without valid MX

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 05:45:37PM +0200, Ralf Hildebrandt wrote:
> * Keld Jørn Simonsen :
> > Hi
> > 
> > I am fooling around with my postfix, and I wanted to reject mail without
> > a valid MX record. How to do that?
> 
> reject_unknown_sender_domain

That does not reject mail, if the A record is OK. I am already using
that.

Best regards
keld


Re: reject mail without valid MX

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 09:14:53PM +0200, Ralf Hildebrandt wrote:
> * Keld Jørn Simonsen :
> > On Sun, Jul 12, 2009 at 05:45:37PM +0200, Ralf Hildebrandt wrote:
> > > * Keld Jørn Simonsen :
> > > > Hi
> > > > 
> > > > I am fooling around with my postfix, and I wanted to reject mail without
> > > > a valid MX record. How to do that?
>> > 
> > > reject_unknown_sender_domain
> > 
> > That does not reject mail, if the A record is OK.
> 
> Which is a valid MX record then.

An A RR is not an MX RR. I wanted to be able to check explicitly if
there was an MX RR.

Best regards
keld


Re: reject_unknown_reverse_client_hostname rejects even if PTR RR is found

2009-07-12 Thread Keld Jørn Simonsen
On Sun, Jul 12, 2009 at 03:20:21PM -0500, Noel Jones wrote:
> Keld Jørn Simonsen wrote:
>>
>> Is it true that if a PTR was found, then this name would be displayed in
>> the above log message, and not the IP number?
>
> No, the name will still be "unknown" if the hostname->IP lookup fails.

OK.
>
>>
>> Anyway, can you confirm that there is no check on availability of the
>> domain name that is referenced in the PTR RR? I would actually think
>> that such a check was a wise thing to do. But then you can catch some
>> valid domains that have a bad configuration.
>
> The reject_unknown_reverse_client_hostname and
> reject_unknown_client_hostname work exactly as documented.
>
>> Anyway if it is a name server timeout, then I think this is always
>> handled by a 450 response. In my case the mail was rejected.
>
> Yes, temporary errors always get a 450 response.

Then I do not understand why the message was rejected. A temporary error
should not result in a reject, or why should this happen?

best regards
keld


temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
Hi

I have a few problems with my changed postfix configuration, maybe
somebody could help me?

I am using fetchmail in cooperation with postfix, and I repeatedly get
the following error:

fetchmail: SMTP error: 450 4.1.8 : Sender
address rejected: Domain not found
reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed

When I query my nameserver everything resolves fine. So that is one
problem: why does postfix say Domain not found?

Another problem is the 450 response. I would like it to be 550.

450 indicates a temporary dns error, and I have set
unknown_address_reject_code = 550

Can I change some response code for the temporary DNS error, so that the
check on the mail fails on this?

How could I best debug the communication between postfix and my named?

Best regards
keld


postfix not asking for PTR

2009-07-13 Thread Keld Jørn Simonsen
A problem I have again with the DNS (lack of query)


I have in my mail queue:

C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
(host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : 
Sender address rejected: unverified address: host
rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find your 
reverse hostname, [168.100.189.2] (in reply to RCPT TO command) (in reply to 
RCPT TO command))
 wie...@porcupine.org

Consulting my named/log I see:

13-Jul-2009 11:11:13.712 client 127.0.0.1#33672: query: porcupine.org IN MX +
13-Jul-2009 11:11:13.724 client 127.0.0.1#33672: query: spike.porcupine.org IN A +

But no:

13-Jul-2009 11:12:12.352 client 127.0.0.1#33672: query: 2.189.100.168.in-addr.arpa IN PTR +

Which is a query by hand.

Shouldn't postfix query for the reverse hostname?
Could there be a reason for postfix not to query the PTR RR?

Best regards
keld


Re: postfix not asking for PTR

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:36:21AM +0200, Benny Pedersen wrote:
> 
> On Mon, July 13, 2009 11:21, Keld Jørn Simonsen wrote:
> > A problem I have again with the DNS (lack of query)
> >
> >
> > I have in my mail queue:
> >
> > C074C641AF 2236 Sun Jul 12 15:40:56  k...@rap.rap.dk
> > (host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 : 
> > Sender address rejected: unverified address: host
> > rap.rap.dk[85.81.22.91] said: 450 4.7.1 Client host rejected: cannot find 
> > your reverse hostname, [168.100.189.2] (in reply to RCPT
> > TO command) (in reply to RCPT TO command))
> >  wie...@porcupine.org
> 
> you have reject_unverified_sender, but your own MX has no reverse PTR, so
> your recipient rejects it, maybe I am wrong :)

No, I don't have reject_unverified_sender.
porcupine.org, 168.100.189.2, rap.rap.dk and 85.81.22.91 all resolve.
My MX rap.rap.dk resolves.

My postfix does not ask my named for a PTR for 168.100.189.2, although it
says "cannot find your reverse hostname, [168.100.189.2]".

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:10:18AM +0200, Benny Pedersen wrote:
> 
> On Mon, July 13, 2009 10:30, Keld Jørn Simonsen wrote:
> > Hi
> >
> > I have a few problems with my changed postfix configuration, maybe
> > somebody could help me?
> >
> > I am using fetchmail in cooperation with postfix, and I repeatedly get
> > the following error:
> >
> > fetchmail: SMTP error: 450 4.1.8 : Sender
> > address rejected: Domain not found
> > reading message k...@sia.dkuug.dk:2 of 4 (950 header octets) not flushed
> 
> http://moensted.dk/spam/?addr=ezbck.ParteiTv.com&Submit=Submit

Yes, it is spam.

> you got the email from a diff ip ?

I am getting it via fetchmail from one of my mail servers, the one at 
sia.dkuug.dk

> unknown domain is here sia.dkuug.dk

Why is it not ezbck.ParteiTv.com? fetchmail reports:
"onfnp...@ezbck.parteitv.com>: Sender address rejected: Domain not found"

> so
> dig sia.dkuug.d A
> or
> dig sia.dkuug.dk MX
> 
> it exists ?

Yes, the A record exists (in the .dk domain, you missed the "k" there),
but MX sia.dkuug.dk does not exist. Should it? There is an MX for
dkuug.dk.


> > When  I query my nameserver everything resolves fine.
> 
> maybe wrong nameserver or bad config ?

Hmm, I think postfix on my system uses the nameservers as recorded in 
/etc/resolv.conf? So it is the same nameserver set.

> > So that is one problem, why does postfix say Domain not found?
> 
> because it's not found in an A RR, or MX RR

The A RR of sia.dkuug.dk is found. I get most of my mail from that
server. 

> > Another problem is the 450 response. I would like it to be 550.
> >
> > 450 indicates a temporary dns error, and I have set
> > unknown_address_reject_code = 550
> 
> this is IMHO the full email address as recipient that does not exist, not just the
> recipient domain
> 
> > Can I change some respons code for the temporary dns error so to check
> > on the mail fails on this?
> 
> better use mda in fetchmail if you get so much problems with postfix :)
> 
> > How could I best debug the communication between postfix and my named?
> 
> rndc querylog
> 
> see in the logs what happened now

my named log says:

13-Jul-2009 12:52:25.615 client 127.0.0.1#33692: query: mail.dkuug.dk IN A +
13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX +
13-Jul-2009 12:52:25.833 client 127.0.0.1#33692: query: ezbck.ParteiTv.com IN MX +
13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX +
13-Jul-2009 12:52:25.834 client 127.0.0.1#33692: query: ezbck.parteitv.com IN MX +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN A +
13-Jul-2009 12:52:25.835 client 127.0.0.1#33692: query: ezbck.parteitv.com IN  +
13-Jul-2009 12:52:25.837 client 127.0.0.1#33692: query: ezbck.parteitv.com IN  +

So it finds both an A and an MX record for ezbck.ParteiTv.com. Why does
fetchmail/my postfix (SMTP) then say:

"onfnp...@ezbck.parteitv.com>: Sender address rejected: Domain not found"

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > 450 indicates a temporary dns error, and I have set
> > unknown_address_reject_code = 550
> 
> unknown_address_reject_code is for permanent errors.
> 
> In your case, the system library getnameinfo() returns a
> temporary error, therefore Postfix will reply with 450.
> 
> Since you also can't look up the name for my own server 168.100.189.2,
> I suspect one or more of the following:
> 
> - Incorrect system permissions of / /etc /etc/resolv.conf
>   /etc/nsswitch.conf or the files and directories referenced by
>   /etc/nsswitch.conf.
> 
>   Files must be world readable, and directories must have world
>   read-execute permission.

They look OK. And postfix does get answers from named. I receive all my
mail via my local postfix, and I could not have done this email without
postfix/named working, which it does most of the time.

> - Running Postfix chrooted without providing the necessary files
>   in the chroot jail.

Postfix is not chrooted.

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
> On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> > I am getting it via fetchmail
> 
> 
> 
> If you are getting it through fetchmail, then the message has already
> been delivered... so you MUST NOT reject it later, *especially* if it is
> spam - unless of course you really *want* to end up blacklisted...

OK, I want to DISCARD it then. Is that possible?

And why would I end up being blacklisted for rejecting spam, already
received at one of my mailboxes?

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 08:28:16AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> [ Charset ISO-8859-1 unsupported, converting... ]
> > On Mon, Jul 13, 2009 at 07:18:03AM -0400, Wietse Venema wrote:
> > > Keld Jørn Simonsen:
> > > > 450 indicates a temporary dns error, and I have set
> > > > unknown_address_reject_code = 550
> > > 
> > > unknown_address_reject_code is for permanent errors.
> > > 
> > > In your case, the system library getnameinfo() returns a
> > > temporary error, therefore Postfix will reply with 450.
> > > 
> > > Since you also can't look up the name for my own server 168.100.189.2,
> > > I suspect one or more of the following:
> > > 
> > > - Incorrect system permissions of / /etc /etc/resolv.conf
> > >   /etc/nsswitch.conf or the files and directories referenced by
> > >   /etc/nsswitch.conf.
> > > 
> > >   Files must be world readable, and directories must have world
> > >   read-execute permission.
> > 
> > They look ok.
> 
> If you are not willing to show the evidence, then we cannot
> help you find the mistake.

Sorry, I am new on this list and not fully aware of your conventions.
So here they are:

drwxr-xr-x  20 root root  4096 jul 10 09:32 /
drwxr-xr-x 113 root root 12288 jul 13 14:09 /etc
-rw-r--r--   2 root root  1277 jun 24  2007 /etc/nsswitch.conf
-rw-r--r--   1 root root    47 jul 13 14:09 /etc/resolv.conf



> > And postfix does get answers from named. I receive all my
> > mail via my local postfix, and I could not have done this email without 
> > postfix/named working - which it does most of the time.
> 
> Postfix does not need named to RECEIVE email.

I think postfix does need DNS assistance to check a number of things.
I understand that I don't need to run named on my own machine, as I
could just use any nameserver, but running named here gives me greater
control, and I can poke into logs etc.
> 
> > > - Running Postfix chrooted without providing the necessary files
> > >   in the chroot jail.
> > 
> > Postfix is not chrooted.
> 
> If you are not willing to show the evidence, then we cannot
> help you find the mistake.

OK, here are the relevant lines of master.cf. I added the -v option to
get more debugging. Still it does not show me communication with the
name server. The name server log does show some communication that
stems from postfix, but it does not show me the responses. I would like
to see what named tells postfix.

# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       y       -       -       smtpd -v


best regards
keld
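
An added example, not code from the thread or from Postfix itself: a small checker that reads a master.cf and lists the services that will run chrooted, taking a "-" in the chroot column as "use the default" and reading that default from the "(yes)/(no)" header comment, as in the file posted above. SAMPLE_MASTER_CF is constructed around that posted smtp line; the other service lines are invented.

```python
import re

# Constructed sample: the smtp line is the one posted above, the rest are
# invented to show explicit and defaulted chroot columns and a continuation line.
SAMPLE_MASTER_CF = """\
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       y       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=no
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
"""

# The header comment lists the defaults for private, unpriv and chroot in
# that order, e.g. "#   (yes)   (yes)   (yes)   (never) (100)".
HEADER_RE = re.compile(r"^#\s*\((yes|no)\)\s*\((yes|no)\)\s*\((yes|no)\)")


def chroot_default(text):
    """Return "y" or "n": the default for a "-" in the chroot column.

    Read from the header comment when present. Without a header we assume
    "y", which is what the header of the posted (Postfix 2.x era) file says.
    """
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return "y" if m.group(3) == "yes" else "n"
    return "y"  # assumption, see docstring


def chrooted_services(text):
    """List "name/type" for every service whose effective chroot column is y."""
    default = chroot_default(text)
    chrooted = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace():
            continue  # "-o name=value" continuation of the previous service
        fields = line.split()
        if len(fields) < 8:
            continue  # service type private unpriv chroot wakeup maxproc command
        name, kind, chroot = fields[0], fields[1], fields[4]
        effective = default if chroot == "-" else chroot
        if effective == "y":
            chrooted.append(f"{name}/{kind}")
    return chrooted


if __name__ == "__main__":
    print("chroot default:", chroot_default(SAMPLE_MASTER_CF))
    for svc in chrooted_services(SAMPLE_MASTER_CF):
        print("runs chrooted:", svc)
```

Every service it lists either needs the resolver files (/etc/resolv.conf, /etc/nsswitch.conf and what they reference) copied into the jail under the queue directory, which is Wietse's second suspicion above, or its chroot column set to n.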


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 08:29:28AM -0400, John Peach wrote:
> 
> 
> 
> On Mon, 13 Jul 2009 14:25:01 +0200
> Keld Jørn Simonsen wrote:
> 
> > On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
> > > On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
> > > > I am getting it via fetchmail
> > > 
> > > 
> > > 
> > > If you are getting it through fetchmail, then the message has
> > > already been delivered... so you MUST NOT reject it later,
> > > *especially* if it is spam - unless of course you really *want* to
> > > end up blacklisted...
> > 
> > OK, I want to DISCARD it then. Is that possible?
> > 
> > And why would I end up being blacklisted for rejecting spam, already
> > received at one of my mailboxes?
> 
> http://lmgtfy.com/?q=backscatter

OK, I know; I did some filters for postfix for such things, available
from my homepage at http://dkuug.dk/keld

Still, would it be possible to discard such mail?

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote:
> On Mon, 13 Jul 2009 15:24:04 +0200
> Keld Jørn Simonsen wrote:
> 
> [snip]
> > # ==
> > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > #               (yes)   (yes)   (yes)   (never) (100)
> > # ==
> > smtp      inet  n       -       y       -       -       smtpd -v
>
> 
> It is chrooted.

Thanks for spelling it out. I was just building on the default configuration
of my distro. There were many other chroot services in the master file; I
changed them and now I will see if that helps.

Best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote:
> On Mon, Jul 13, 2009 at 09:26:44AM -0400, John Peach wrote:
> > On Mon, 13 Jul 2009 15:24:04 +0200
> > Keld Jørn Simonsen wrote:
> > 
> > [snip]
> > > # ==
> > > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > > #               (yes)   (yes)   (yes)   (never) (100)
> > > # ==
> > > smtp      inet  n       -       y       -       -       smtpd -v
> >
> > 
> > It is chrooted.
> 
> Thanks for spelling it out. I was just building on the default configuration
> of my distro. There were many other chroot services in the master file; I
> changed them and now I will see if that helps.

This seems to have solved most of my problems with postfix/named.
Even the problem sending mail to Wietse was solved.

Are there distros that are known to have a postfix package that is set
up correctly wrt chroot?

best regards
Keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 11:49:10PM +0200, Keld Jørn Simonsen wrote:
> On Mon, Jul 13, 2009 at 03:39:57PM +0200, Keld Jørn Simonsen wrote:
> > > 
> > > It is chrooted.
> > 
> > Thanks for spelling it out. I was just building on the default configuration
> > of my distro. There were many other chroot services in the master file; I
> > changed them and now I will see if that helps.
> 
> This seems to have solved most of my problems with postfix/named.
> Even the problem sending mail to Wietse was solved.

Well, still problems, but of the more understandable type.

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found


host server30.reverya.com gives:
Host server30.reverya.com not found: 2(SERVFAIL)

So this would probably never resolve, but fail with a 450 error.
I would like to discard it. I had 3 mails like that earlier today,
with a nonresolvable domain, and they will keep lying in my IMAP box
till I do special things to delete them.

Is there a way to disambiguate between DNS timeouts and DNS errors,
and discard the latter?

best regards
keld


Re: temporary errors for DNS

2009-07-13 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 06:19:40PM -0400, Rod Dorman wrote:
> On Monday, July 13, 2009, 17:49:10, Keld Jørn Simonsen wrote:
> >   ...
> > Are there distros that are known to have a postfix package that is set
> > up correctly wrt chroot?
> 
> OpenBSD

Well, I confine myself to Linux, as I am doing some kernel work and
other system work there, so I was wondering if there were any Linux distros,
preferably rpm based, which do correct packaging of a chrooted
postfix?

best regards
keld


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Mon, Jul 13, 2009 at 06:58:28PM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > Is there a way to disambiguate between DNS timeouts and DNS errors,
> > and discard the latter?
> 
> Postfix is only the messenger of the bad news. When the server
> responds, Postfix acts accordingly. When the server does not
> reply, Postfix assumes that this is a temporary error, because
> assuming otherwise would cause a lot of mail to fail.

Yes, but there are two types of bad news: one is that we do not know if
everything is fine, timeout, and the other that we positively know
something is wrong. I understand that in both cases postfix gives a 450
code, and that there is no way in postfix to change this code. Is that so?

Best regards
keld


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Tue, Jul 14, 2009 at 06:37:30AM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > On Mon, Jul 13, 2009 at 06:58:28PM -0400, Wietse Venema wrote:
> > > Keld Jørn Simonsen:
> > > > Is there a way to disambiguate between DNS timeouts and DNS errors,
> > > > and discard the latter?
> > > 
> > > Postfix is only the messenger of the bad news. When the server
> > > responds, Postfix acts accordingly. When the server does not
> > > reply, Postfix assumes that this is a temporary error, because
> > > assuming otherwise would cause a lot of mail to fail.
> > 
> > Yes, but there are two types of bad news: one is that we do not know if
> > everything is fine, timeout, and the other that we positively know
> > something is wrong. I understand that in both cases postfix gives a 450
> > code, and that there is no way in postfix to change this code. Is that so?
> 
> Some people are thick enough that they need everything spelled out.

Oh, you mean me? No, I am bright, so that can't be :-)
But I see that you did say that it reacts differently on timeouts and
error codes. Still there is something that I do not understand, and
which gives me problems, see below.

> OK, here goes:
> 
> 1) The server replies with "good news". Postfix replies with good news.
> 
> 2) The server replies with "bad news". Postfix replies with 5xx.
> 
> 3) No server reply. Postfix replies with 4xx.
> 
> Is this finally clear?

Yes, thanks. But it seems that my postfix reacts differently on
a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes.
That is why I am so thick to not understand.

From my previous post:

Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found

here there is a 450 response to a name server error. You said above:

> 2) The server replies with "bad news". Postfix replies with 5xx.

5xx is not 450, so what is happening?

And thanks for your patience with me.

Best regards
keld


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Tue, Jul 14, 2009 at 09:04:15AM -0400, Wietse Venema wrote:
> Wietse Venema:
> > Keld Jørn Simonsen:
> > > > OK, here goes:
> > > > 
> > > > 1) The server replies with "good news". Postfix replies with good news.
> > > > 
> > > > 2) The server replies with "bad news". Postfix replies with 5xx.
> > > > 
> > > > 3) No server reply. Postfix replies with 4xx.
> > > > 
> > > > Is this finally clear?
> > > 
> > > Yes, thanks. But it seems that my postfix reacts differently on
> > > a NXDOMAIN and SVRFAIL, although they both should lead to 5xx error codes.
> 
> NXDOMAIN is an example of case 1).

You mean case 2) ? 


> SERVFAIL (not SVRFAIL) is an
> example of case 3): the server is unable to provide an answer.  It
> is not appropriate to treat all SERVFAIL results as if the domain
> is illegitimate.

OK, I see.

Actually NXDOMAIN and SERVFAIL are the only two error statuses that DNS
gives (according to some googling I just did), so I was misled by
treating one DNS error in one way, and the only other DNS error in
another way, when you said "2) The server replies with "bad news".
Postfix replies with 5xx.". The DNS server that is being queried
does give an answer, namely SERVFAIL. But on the other hand that
reflects an error in responding from the partners of the queried DNS
server. Maybe this distinction could be clarified in TFM.

I did have:

unknown_address_reject_code = 550

in my main.cf (and I did do some RTFM before asking) but was not aware
that SERVFAIL was considered a temporary DNS error. I would have thought that
SERVFAIL was a permanent DNS error, at least it seems a bit more
permanent than just a timeout. And in my case it is predominantly spam, 
but then more than 99 % of the mail handled by postfix here is spam.

SERVFAIL means that there is data for the domain in the root servers,
but that the servers giving authoritative answers do not answer.
The latter may be due to timeouts, perhaps? Or it may be
misconfiguration, or non-availability.

An aside: would it then be possible to ask for a non-authoritative answer
and rely on that in postfix?

> If you have a problem with particular DNS servers, use
> check_sender_ns_access, possibly in the form of a dynamically-updated
> blacklist, or suggest a reject_rbl_xxx feature that targets the
> DNS operator of the sender or client domain.

Well, it is spam, so the servers would change all the time.
A hand-coded setup is not feasible. I am not aware of dynamic blacklists
for this; would there be a tutorial for handling this somewhere?

Best regards
keld
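
An added example, not code from the thread or from Postfix: a simplified offline model of the sender-domain check as the three cases above describe it, with Keld's stricter "no MX, no mail" variant beside it. The zone, domain names and lookup function are constructed; NXDOMAIN gives a reject, SERVFAIL and a missing reply give a 450, and a domain with only an A record is accepted unless require_mx is set. Real Postfix also consults AAAA records, which this model leaves out.

```python
from dataclasses import dataclass
from typing import Optional

# Error tokens a resolver can hand back. TIMEOUT models "no server reply".
NXDOMAIN, SERVFAIL, TIMEOUT = "NXDOMAIN", "SERVFAIL", "TIMEOUT"

# Reply codes as used in the thread (assumed here): main.cf set
# unknown_address_reject_code = 550, temporary DNS trouble always gets 450.
UNKNOWN_ADDRESS_REJECT_CODE = 550
TEMPFAIL_CODE = 450


@dataclass(frozen=True)
class Verdict:
    action: str          # "accept", "reject" (5xx) or "defer" (4xx)
    code: Optional[int]  # SMTP reply code, None when accepting
    reason: str


def sender_domain_verdict(domain, lookup, require_mx=False):
    """Decide the fate of a MAIL FROM domain from its DNS answers.

    lookup(name, rrtype) returns a list of records (empty list = NODATA)
    or one of NXDOMAIN / SERVFAIL / TIMEOUT.

    require_mx=False models reject_unknown_sender_domain: a domain with
    no MX but an A record is accepted, the fallback RFC 5321 prescribes.
    require_mx=True is the stricter rule asked about in the thread; it
    also rejects legitimate A-only domains.
    """
    mx = lookup(domain, "MX")
    if mx in (SERVFAIL, TIMEOUT):
        # Case 3: no usable answer. Only a temporary error is justified.
        return Verdict("defer", TEMPFAIL_CODE, f"{domain}: DNS {mx}, try again later")
    if mx == NXDOMAIN:
        # Case 2: the server positively says the name does not exist.
        return Verdict("reject", UNKNOWN_ADDRESS_REJECT_CODE, "Domain not found")
    if mx:
        # Case 1: good news.
        return Verdict("accept", None, f"MX {mx[0]}")
    # NODATA for MX: the MX-less domain falls back to its address record.
    if require_mx:
        return Verdict("reject", UNKNOWN_ADDRESS_REJECT_CODE, "No MX record")
    a = lookup(domain, "A")
    if a in (SERVFAIL, TIMEOUT):
        return Verdict("defer", TEMPFAIL_CODE, f"{domain}: DNS {a}, try again later")
    if a == NXDOMAIN or not a:
        return Verdict("reject", UNKNOWN_ADDRESS_REJECT_CODE, "Domain not found")
    return Verdict("accept", None, f"A {a[0]}")


# Constructed fake zone (invented names, not real hosts). The cases mirror
# the thread: an A-only domain as reported for sia.dkuug.dk, a SERVFAIL as
# reported for server30.reverya.com, and a query that never gets an answer.
FAKE_ZONE = {
    "mx.example":       {"MX": ["10 mail.mx.example"], "A": ["192.0.2.10"]},
    "a-only.example":   {"A": ["192.0.2.20"]},
    "servfail.example": SERVFAIL,
    "timeout.example":  TIMEOUT,
}


def fake_lookup(name, rrtype):
    """Offline stand-in for the resolver; names not in the zone are NXDOMAIN."""
    entry = FAKE_ZONE.get(name, NXDOMAIN)
    if isinstance(entry, str):
        return entry  # error token applies to every record type
    return entry.get(rrtype, [])


if __name__ == "__main__":
    names = ["mx.example", "a-only.example", "nxdomain.example",
             "servfail.example", "timeout.example"]
    for name in names:
        for strict in (False, True):
            v = sender_domain_verdict(name, fake_lookup, require_mx=strict)
            print(f"{name:18} require_mx={strict!s:5} -> {v.action} {v.code or ''} {v.reason}")
```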


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Tue, Jul 14, 2009 at 12:24:10AM +0200, Keld Jørn Simonsen wrote:
> Well, still problems, but of the more understandable type.
> 
> Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
> Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found
> 
> 
> host server30.reverya.com gives:
> Host server30.reverya.com not found: 2(SERVFAIL)
> 
> So this would probably never resolve, but fail with a 450 error.
> I would like to discard it. I had 3 mails like that earlier today, 
> with a nonresolvable domain, and they will keep lying in my IMAP box
> till I do special things to delete them. 
> 
> Is there a way to disambiguate between DNS timeouts and DNS errors,
> and discard the latter?

I did have in main.cf:

unknown_address_reject_code = 550

Now I also have:

reject_tempfail_action = discard

Still postfix responds with a 450 to fetchmail:

Jul 14 18:52:43 rap postfix/smtpd[17637]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=

I now have 6 such emails in my IMAP folder.

I noticed another thing: another of my "domain not found" emails really
times out. sys...@doremo.jp - And then I don't understand why this is
not a SERVFAIL. This happens repeatedly. And access to the .jp domain
should be readily available, and then the .jp root server should be able
to tell if it did have any info in the second level domain.
But then .jp has sectoral domains on the 2nd level, like ac.jp and
or.jp. An arbitrary abdjd.jp yields an NXDOMAIN. The query times out
after 30 secs.

So in my humble eyes it seems like a DNS timeout is actually a timeout
on the authoritative server, and that SERVFAIL is not a timeout, and it
does not reflect a timeout at the authoritative server. Consequently it
should be handled by the unknown_address_reject_code statement.

Hmm, also tried to do

reject_tempfail_action = accept

to get the mail through, hoping that razor/spamassassin would kill them;
eventually I would have had to delete them by hand.

But still I get the 450 response code from postfix...

Any ideas on how to get rid of the 450 code, or other actions?


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Tue, Jul 14, 2009 at 01:55:39PM -0400, Wietse Venema wrote:
> Keld Jørn Simonsen:
> > > Jul 14 00:11:58 rap postfix/smtpd[1054]: NOQUEUE: reject: RCPT from rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
> > > Jul 14 00:11:58 rap postfix/smtpd[1054]: > rap.rap.dk[127.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found
> 
> Your DNS is still screwed up, that's why it can't find out that
> server30.reverya.com has an A record, and that is why Postfix
> receives a temporary error.

I changed the nameserver and it resolved the problem.

Thanks for your help!

Best regards
keld


Re: temporary errors for DNS

2009-07-14 Thread Keld Jørn Simonsen
On Tue, Jul 14, 2009 at 07:57:27PM -0400, John Peach wrote:
> On Tue, 14 Jul 2009 17:49:13 -0600
> LuKreme  wrote:
> 
> > On 13-Jul-2009, at 16:24, Keld Jørn Simonsen wrote:
> > > Is there a way to disambiguate between DNS timeouts and DNS errors,
> > > and discard the latter?
> > 
> > 
> > Why the devil would you want to discard mail based on a DNS error?
> > DNS errors have a habit of being quite transient.
> 
> The OP seems determined to shoot himself in the head, never mind the
> foot.

Well, a DNS NXDOMAIN error seems a good reason for discarding mail.
I am not so sure about the SERVFAIL error, so I would leave that for
now.

Thanks to everybody that helped solve my problems here.

Best regards
Keld