Defer mail instead of bounce


Defer mail instead of bounce

lists
I have email relays that relay/filter email between the internet and our
internal network. I must use the DNS servers we maintain and those
servers use a DNS blacklisting service. The problem I'm having is that
when a legitimate domain is blacklisted, I see log messages like the
ones below and the email is bounced. In the situation that brought this
up, both the sender and recipient domain were blocked so the bounce went
nowhere. Since these blacklistings are temporary, maybe several hours,
I'd like to defer this mail and have postfix try again later. That way
mail will eventually go through and nothing is lost. Is there a way to
do this?

Jun 23 04:53:14 mx postfix/smtp[24776]: warning: no MX host for domain.com has a valid address record

Jun 23 04:53:37 mx postfix/smtp[4838]: 9071C1809199: to=<[hidden email]>, relay=none, delay=0.05, delays=0.04/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for mx.domain.com type=A: Host not found)

(To be clear, an mx record for domain.com was found (mx.domain.com), but
that name could not be resolved to an IP because of the blacklist.)

postfix version 2.10.1

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 600s
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = pmx:[127.0.0.1]:10025
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 40
default_process_limit = 350
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_destination_concurrency_limit = 4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 10.0.0.0/8, 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_helo_required = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relay_domains = /etc/postfix/relaydomains
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 200
smtpd_client_event_limit_exceptions = $mynetworks, .gov, .edu, .outbound.protection.outlook.com
smtpd_client_message_rate_limit = 200
smtpd_client_recipient_rate_limit = 200
smtpd_client_restrictions = check_policy_service inet:localhost:4466
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_checks
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/valid_users, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination, reject_rhsbl_sender fresh.spameatingmonkey.net, reject_rhsbl_client fresh.spameatingmonkey.net, warn_if_reject reject_rhsbl_sender fresh30.spameatingmonkey.net, warn_if_reject reject_rhsbl_client fresh30.spameatingmonkey.net
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, check_client_access cidr:/etc/postfix/enforced_inbound_tls.cidr
smtpd_tls_CAfile = /etc/pki/tls/certs/fullchain.pem
smtpd_tls_cert_file = /opt/ssl/relay.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
smtpd_tls_key_file = /opt/ssl/relay.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Re: Defer mail instead of bounce

Viktor Dukhovni


> On Jun 28, 2018, at 3:23 PM, [hidden email] wrote:
>
> I have email relays that relay/filter email between the internet and our internal network. I must use the DNS servers we maintain and those servers use a DNS blacklisting service. The problem I'm having is that when a legitimate domain is blacklisted,

Presumably you're interested in blacklisting sending domains, not
receiving domains.

> I see log messages like the ones below and the email is bounced. In the situation that brought this up, both the sender and recipient domain were blocked so the bounce went nowhere. Since these blacklistings are temporary, maybe several hours, I'd like to defer this mail and have postfix try again later. That way mail will eventually go through and nothing is lost. Is there a way to do this?
>
> Jun 23 04:53:14 mx postfix/smtp[24776]: warning: no MX host for domain.com has a valid address record
>
> Jun 23 04:53:37 mx postfix/smtp[4838]: 9071C1809199: to=<[hidden email]>, relay=none, delay=0.05, delays=0.04/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for mx.domain.com type=A: Host not found)

Instead of returning a temporary error code, the nameserver is lying
and saying that the host does not exist.  The correct solution is to
NOT use this nameserver for DNS lookups for outbound mail.

> (To be clear, an mx record for domain.com was found (mx.domain.com),
> but that name could not be resolved to an IP because of the blacklist.)

You could make all DNS lookup failures soft, but that would be a bad
idea, as users who typo an address won't get prompt bounces.

--
        Viktor.


Re: Defer mail instead of bounce

lists
I agree about the nameserver, but unfortunately I don't have a choice.
I'm required to use this one.

I'm not as familiar with DNS as I should be, but is there a temporary
error code the nameserver could return instead, that would cause Postfix
to defer this mail?

Another question. As far as Postfix is concerned, is there a difference
between a domain with no mx record and a domain where there is an mx
record, but it's not resolvable?
P.S.
I'm not sure it matters, but I am running a caching nameserver on the
mail relay.
On 2018-06-28 2:28 pm, Viktor Dukhovni wrote:

>> On Jun 28, 2018, at 3:23 PM, [hidden email] wrote:
>>
>> I have email relays that relay/filter email between the internet and
>> our internal network. I must use the DNS servers we maintain and those
>> servers use a DNS blacklisting service. The problem I'm having is that
>> when a legitimate domain is blacklisted,
>
> Presumably you're interested in blacklisting sending domains, not
> receiving domains.
>
>> I see log messages like the ones below and the email is bounced. In
>> the situation that brought this up, both the sender and recipient
>> domain were blocked so the bounce went nowhere. Since these
>> blacklistings are temporary, maybe several hours, I'd like to defer
>> this mail and have postfix try again later. That way mail will
>> eventually go through and nothing is lost. Is there a way to do this?
>>
>> Jun 23 04:53:14 mx postfix/smtp[24776]: warning: no MX host for
>> domain.com has a valid address record
>>
>> Jun 23 04:53:37 mx postfix/smtp[4838]: 9071C1809199:
>> to=<[hidden email]>, relay=none, delay=0.05, delays=0.04/0/0/0,
>> dsn=5.4.4, status=bounced (Host or domain name not found. Name service
>> error for mx.domain.com type=A: Host not found)
>
> Instead of returning a temporary error code, the nameserver is lying
> and saying that the host does not exist.  The correct solution is to
> NOT use this nameserver for DNS lookups for outbound mail.
>
>> (To be clear, an mx record for domain.com was found (mx.domain.com),
>> but that name could not be resolved to an IP because of the
>> blacklist.)
>
> You could make all DNS lookup failures soft, but that would be a bad
> idea, as users who typo an address won't get prompt bounces.

Re: Defer mail instead of bounce

Viktor Dukhovni


> On Jun 28, 2018, at 6:10 PM, [hidden email] wrote:
>
> I agree about the nameserver, but unfortunately I don't have a choice. I'm required to use this one.
>
> I'm not as familiar with DNS as I should be, but is there a temporary error code the nameserver could return instead, that would cause Postfix to defer this mail?

Yes.  Instead of: rcode=NXDOMAIN
      Reply with: rcode=SERVFAIL

> Another question. As far as Postfix is concerned, is there a difference between a domain with no mx record and a domain where there is an mx record, but it's not resolvable?

Yes, there's a difference, specified in RFC5321, so all working
MTAs do the same thing.  The former is an implicit MX:
        nomx.example. IN MX 0 nomx.example.

leading to delivery attempts to the addresses of nomx.example,
if any.  The latter is an error.

--
        Viktor.
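To make the two points in Viktor's reply concrete (NXDOMAIN bounces while SERVFAIL defers, and a missing MX falls back to the RFC 5321 implicit MX), here is an added Python model of how an MTA classifies the lookups. It is not code from the thread or from Postfix: the zone data is a constructed stub standing in for real DNS answers, and the DSN codes are illustrative (5.4.4 is taken from the log in the first post; 4.4.3 is assumed for the temporary case).

```python
# Outcome classes a resolver can return, as seen by the MTA's DNS client.
NXDOMAIN, SERVFAIL = "NXDOMAIN", "SERVFAIL"

# Constructed stub zone: (name, rrtype) -> list of records, or an rcode.
STUB_ZONE = {
    # healthy domain: MX points at a host that has an address
    ("good.example.", "MX"): [(10, "mx.good.example.")],
    ("mx.good.example.", "A"): ["192.0.2.10"],
    # the situation from the log: MX exists, but the blacklisting
    # resolver answers NXDOMAIN for the MX host -> permanent bounce
    ("domain.com.", "MX"): [(10, "mx.domain.com.")],
    ("mx.domain.com.", "A"): NXDOMAIN,
    # same filtering, but the resolver answers SERVFAIL -> defer/retry
    ("lying.example.", "MX"): [(10, "mx.lying.example.")],
    ("mx.lying.example.", "A"): SERVFAIL,
    # no MX record at all: implicit "nomx.example. IN MX 0 nomx.example."
    ("nomx.example.", "MX"): [],
    ("nomx.example.", "A"): ["192.0.2.20"],
    # a typo'd domain that really does not exist -> prompt bounce
    ("typo.example.", "MX"): NXDOMAIN,
}

def lookup(name, rrtype, zone=STUB_ZONE):
    """Stub resolver; unknown names behave like NXDOMAIN."""
    return zone.get((name, rrtype), NXDOMAIN)

def mta_decision(domain, zone=STUB_ZONE):
    """Return ('deliver', [hosts]) | ('defer', reason) | ('bounce', reason)."""
    mx = lookup(domain, "MX", zone)
    if mx == SERVFAIL:
        return ("defer", "4.4.3 MX lookup: temporary name service error")
    if mx == NXDOMAIN:
        return ("bounce", "5.4.4 MX lookup: domain does not exist")
    if not mx:  # NOERROR but no MX records: RFC 5321 implicit MX 0 <domain>
        mx = [(0, domain)]
    hosts, saw_tempfail = [], False
    for _pref, host in sorted(mx):
        addr = lookup(host, "A", zone)
        if addr == SERVFAIL:
            saw_tempfail = True          # keep the message queued for retry
        elif addr != NXDOMAIN and addr:
            hosts.append(host)           # usable delivery target
    if hosts:
        return ("deliver", hosts)
    if saw_tempfail:
        return ("defer", "4.4.3 no MX host resolvable yet, try again")
    return ("bounce", "5.4.4 no MX host for %s has a valid address record" % domain)

if __name__ == "__main__":
    for d in ("good.example.", "domain.com.", "lying.example.", "nomx.example.", "typo.example."):
        print(d, mta_decision(d))
```

Running it shows why the same blacklist produces a lost message under NXDOMAIN but only a delay under SERVFAIL, while the genuine typo still bounces promptly in both cases.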


Re: Defer mail instead of bounce

Matus UHLAR - fantomas
In reply to this post by lists
On 28.06.18 17:10, [hidden email] wrote:
>I agree about the nameserver, but unfortunately I don't have a choice.
>I'm required to use this one.

required how, or by whom?

If you are required to use a broken server, you should explain it leads to
providing broken mail service.

>I'm not sure it matters, but I am running a caching nameserver on the
>mail relay.

do you use it for DNS resolution?

Does it forward requests to other servers (e.g. to the ones you are required to use)?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.

Re: Defer mail instead of bounce

@lbutlr
In reply to this post by lists
On 28 Jun 2018, at 16:10, [hidden email] wrote:
> I agree about the nameserver, but unfortunately I don't have a choice. I'm required to use this one.

Explain to the non-technical person mandating this, possibly using very small words, why this will result in lost mail. Your initial post is a good starting point to explain this person's error in thought.

DNS servers that lie about DNS are not usable DNS servers. Reporting NXDOMAIN for valid domains is what is known as "a lie" and things will break.


--
I got a question. If you guys know so much about women, how come you're
here at like the Gas 'n' Sip on a Saturday night completely alone
drinking beers with no women anywhere?