From: Jamie Griffin on 25 Mar 2010 11:40

Hello

My isp has sent a message that my postfix is rejecting. I have spent the morning reading through what i think are the relevant parts of the documentation and through the archives but the changes i've made to my configuration are not working and I don't understand what i've done wrong.

The logfile has the following entry:

Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT from pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8 <www-data(a)fhw-workplace02.servers.plus.net>: Sender address rejected: Domain not found; from=<www-data(a)fhw-workplace02.servers.plus.net> to=<griffin(a)fantomatic.co.uk> proto=ESMTP helo=<pih-inmx03.plus.net>
Mar 25 15:04:45 fix postfix/smtpd[11095]: disconnect from pih-inmx03.plus.net[212.159.10.4]

So i tried letting this domain through by putting .plus.net into a file:

hash:/usr/pkg/etc/postfix/whitelist_sender

like so:

/usr/pkg/etc/postfix/main.cf :
smtpd_sender_restrictions =
    check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
    [ ... ]

/usr/pkg/etc/postfix/whitelist_sender:
.plus.net OK

Before this, I thought the problem might be with configuration i've used in $smtpd_recipient_restrictions but I tried a similar approach as above but that didn't work either.

I know I've made a mistake but i can't see what it is, i'm stuck. I'm wondering if someone on list could give some guidance. My postconf -n is below, thank you.

Jamie.

---------------------
fix# /usr/pkg/sbin/postconf -n
biff = no
body_checks = pcre:/usr/pkg/etc/postfix/body_checks
config_directory = /usr/pkg/etc/postfix
default_destination_concurrency_limit = 10
empty_address_recipient = MAILER-DAEMON
header_checks = pcre:/usr/pkg/etc/postfix/header_checks
home_mailbox = Maildir/inbox/
inet_interfaces = all
local_destination_concurrency_limit = 2
mydestination = $myhostnme, $mydomain, localhost.$mydomain, localhost
mydomain = fantomatic.co.uk
myhostname = fix.fantomatic.co.uk
mynetworks_style = host
myorigin = $mydomain
queue_minfree = 120000000
smtp_tls_CAfile = /usr/pkg/etc/ssl/certs/ca.crt
smtp_tls_CApath = /usr/pkg/etc/ssl/certs
smtp_tls_cert_file = /usr/pkg/etc/ssl/certs/server.crt
smtp_tls_key_file = /usr/pkg/etc/ssl/certs/server.key
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, reject_rbl_client zen.spamhaus.org=127.0.0.10, reject_rbl_client zen.spamhaus.org=127.0.0.11, reject_rbl_client zen.spamhaus.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/usr/pkg/etc/postfix/helo_checks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_sender
smtpd_tls_CAfile = /usr/pkg/etc/ssl/certs/ca.crt
smtpd_tls_CApath = /usr/pkg/etc/ssl/certs
smtpd_tls_cert_file = /usr/pkg/etc/ssl/certs/server.crt
smtpd_tls_key_file = /usr/pkg/etc/ssl/certs/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

From: Dennis Guhl on 25 Mar 2010 12:36

On Thu, Mar 25, 2010 at 03:40:55PM +0000, Jamie Griffin wrote:
>
> Hello
>
> My isp has sent a message that my postfix is rejecting. I have spent the morning reading through what i think are the relevant parts of the documentation and through the archives but the changes i've made to my configuration are not working and I don't understand what i've done wrong.
>
> The logfile has the following entry:
>
> Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT from
> pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8
> <www-data(a)fhw-workplace02.servers.plus.net>: Sender address
> rejected: Domain not found;
> from=<www-data(a)fhw-workplace02.servers.plus.net>
> to=<griffin(a)fantomatic.co.uk> proto=ESMTP helo=<pih-inmx03.plus.net
>

The reject should be expected since fhw-workplace02.servers.plus.net neither owns an A nor an MX-RR.

> Mar 25 15:04:45 fix postfix/smtpd[11095]: disconnect from pih-inmx03.plus.net[212.159.10.4]
>
> So i tried letting this domain through by putting .plus.net into a file:
>
> hash:/usr/pkg/etc/postfix/whitelist_sender
>
> like so:
> /usr/pkg/etc/postfix/main.cf :
> smtpd_sender_restrictions =
>     check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
>     [ ... ]
>
> /usr/pkg/etc/postfix/whitelist_sender:
> .plus.net OK

I think -- whilst I'm not entirely sure -- you should whitelist @fhw-workplace02.servers.plus.net and not only .plus.net.

Oh, and don't forget to invoke postmap to create /usr/pkg/etc/postfix/whitelist_sender.db

> Before this, I thought the problem might be with configuration i've used in $smtpd_recipient_restrictions but I tried a similar approach as above but that didn't work either.
>
> I know I've made a mistake but i can't see what it is, i'm stuck. I'm wondering if someone on list could give some guidance. My postconf -n is below, thank you.

IMHO you made no mistake, all postfix installations I know use reject_unknown_sender_domain to prevent SPAM. And no one should send emails with no valid A and MX-RR.

> Jamie.

Dennis

From: /dev/rob0 on 25 Mar 2010 12:44

On Thu, Mar 25, 2010 at 03:40:55PM +0000, Jamie Griffin wrote:
> Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT
> from pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8
> <www-data(a)fhw-workplace02.servers.plus.net>: Sender address
> rejected: Domain not found;

fhw-workplace02.servers.plus.net is the domain that does not exist. The REAL problem that needs to be addressed is that the sender is trying to use an invalid sender address. These deserve to be rejected.

That said, recently I did a special order from Lowe's (a big USA retailer), and they outsourced their order service to some silly company which did not understand this VERY BASIC issue in email. (That company is called "IBM".) Since I needed the order, I had to whitelist, ugh. It was very painful, thinking of how much money Lowe's pays IBM for that fine service, and me being in need of a job. :)

> So i tried letting this domain through by putting .plus.net into a
> file:

You need to understand the documentation of parent_domain_matches_subdomains. Unfortunately, I don't know enough to explain it to you. :) But I'm fairly sure in your case that the leading dot pattern was not looked up. I unset this:
    parent_domain_matches_subdomains =
so, for me, something similar (with ihost.com) is what worked.

> hash:/usr/pkg/etc/postfix/whitelist_sender
>
> like so:
> /usr/pkg/etc/postfix/main.cf :
> smtpd_sender_restrictions =
>     check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
>     [ ... ]
>
> /usr/pkg/etc/postfix/whitelist_sender:
> .plus.net OK
--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

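
The lookup behaviour discussed in the post above, as an added example that is not part of any post in this thread: a simplified Python model of the access(5) search order for check_sender_access, showing which keys are tried when smtpd_access_maps is or is not listed in parent_domain_matches_subdomains (it is listed by default). The function names are made up for this example, and the sender is the one from the logged reject with the archive's "(a)" written as "@".

```python
# Simplified model of the access(5) search order that check_sender_access
# applies to an envelope sender. Function names are made up for this example.

def sender_lookup_keys(sender, parent_matches_subdomains):
    """Return the table keys tried, in order, for one sender address.

    parent_matches_subdomains is True when smtpd_access_maps is listed in
    parent_domain_matches_subdomains (the Postfix default) and False when
    it is not (for example when the parameter is set to an empty value).
    """
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]       # full address, then exact domain
    rest = domain
    while "." in rest:
        rest = rest.split(".", 1)[1]           # drop the leftmost label
        # Parent domains are tried bare in one mode, dot-prefixed in the other.
        keys.append(rest if parent_matches_subdomains else "." + rest)
    keys.append(f"{local}@")                   # finally the bare localpart
    return keys


def check_sender_access(table, sender, parent_matches_subdomains):
    """Return (matched_key, action), or (None, 'DUNNO') when nothing matches."""
    for key in sender_lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


# Constructed inputs: the sender from the rejected message and the
# whitelist_sender entry quoted in the thread.
SENDER = "www-data@fhw-workplace02.servers.plus.net"
DOT_TABLE = {".plus.net": "OK"}      # entry as posted
BARE_TABLE = {"plus.net": "OK"}      # same domain without the leading dot

if __name__ == "__main__":
    for listed in (True, False):
        print("smtpd_access_maps listed:", listed)
        print("  keys tried:", sender_lookup_keys(SENDER, listed))
        print("  .plus.net ->", check_sender_access(DOT_TABLE, SENDER, listed))
        print("  plus.net  ->", check_sender_access(BARE_TABLE, SENDER, listed))
```

In this model the exact key fhw-workplace02.servers.plus.net is tried in both modes, and an entry for it exempts fewer senders from reject_unknown_sender_domain than an entry covering all of plus.net.
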
From: Jamie Griffin on 25 Mar 2010 13:43

Hello Rob (sorry if that's wrong, just assumed that's your name) and Dennis, thank you for your time and help.

> You need to understand the documentation of
> parent_domain_matches_subdomains. Unfortunately, I don't know enough
> to explain it to you. :) But I'm fairly sure in your case that the
> leading dot pattern was not looked up. I unset this:
> parent_domain_matches_subdomains =
> so, for me, something similar (with ihost.com) is what worked.

I had briefly looked at that setting earlier but thought just using the .domain.tld notation would be ok. Just having another read about that, it looks as though I need to set it like this:

/usr/pkg/etc/postfix/main.cf:
[ ... ]
parent_domain_matches_subdomains = smtpd_access_maps
[ ... ]

is that right?

I also understood that using the $smtpd_sender_restrictions parameter would be the right way to whitelist this domain for what i'm trying to achieve, have I got that right?

Jamie.

From: Dennis Guhl on 25 Mar 2010 14:06

On Thu, Mar 25, 2010 at 05:43:11PM +0000, Jamie Griffin wrote:
>
> Hello Rob (sorry if that's wrong, just assumed that's your name) and Dennis, thank you for your time and help.

dnf

[..]

> I also understood that using the $smtpd_sender_restrictions parameter would be the right way to whitelist this domain for what i'm trying to achieve, have I got that right?

yup, it is

It looks after the MAIL FROM: if there is anything unwanted -- or, in your case, wanted -- and decides whether to close the connection or to give an OK to receive the RCPT TO:.

> Jamie.

Dennis