MTA Rejection Explanation Needed

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

MTA Rejection Explanation Needed

Rich Shepard
    Postfix is rejecting mail from an address that should be allowed in. The
mail log tells me:

Jul 28 13:11:58 salmo postfix/smtpd[17243]: NOQUEUE: reject: RCPT from
wsip-xx-xxx-xx-xx.ph.ph.cox.net[xx.xxx.xx.xxx]: 450 4.1.7
<[hidden email]>: Sender address rejected: unverified
address: Address verification in progress;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<venus.someserver.com>

    The IP address for cox.net is correct. I've added the 'someserver'.com and
hotmail addresses to /etc/postfix/rhsbl_sender_exceptions with an explicit
'OK'.

    Which address of the three is unverified, and how do I fix this problem?

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863
Reply | Threaded
Open this post in threaded view
|

Re: MTA Rejection Explanation Needed

Rich Shepard
On Mon, 28 Jul 2008, Rich Shepard wrote:

>   Postfix is rejecting mail from an address that should be allowed in. The
> mail log tells me:

   More information.

> proto=ESMTP helo=<venus.someserver.com>

   I should have written this as 'somedomain.com'.

   When I try to traceroute to the sending address I get as far as Cox's
Phoenix servers, then it stalls.

   Using 'dig' on the domain name returns the registed company name and
address, with a specific IP address. Running 'whois' on that IP address
yields a different company; I assume a small Tucson business hosting the
domain name.

   So, I suppose this is the source of the verification error. I'm not
putting specific details in messages that will be archived on the 'Net, but
it seems to convoluted. What I mean is, if a business is using cox.net for
their 'Net access, why wouldn't they have an IP address within Cox's address
block? Why an IP address that resolves to somewhere else?

   This mess involves a new client for me so I would like to figure out how
to receive mail from them ... and get mail sent back to them.

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863
Reply | Threaded
Open this post in threaded view
|

Re: MTA Rejection Explanation Needed

Charles Marcus
In reply to this post by Rich Shepard
On 7/28/2008 5:03 PM, Rich Shepard wrote:

> Postfix is rejecting mail from an address that should be allowed in. The
> mail log tells me:
>
> Jul 28 13:11:58 salmo postfix/smtpd[17243]: NOQUEUE: reject: RCPT from
> wsip-xx-xxx-xx-xx.ph.ph.cox.net[xx.xxx.xx.xxx]: 450 4.1.7
> <[hidden email]>: Sender address rejected: unverified
> address: Address verification in progress;
> from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<venus.someserver.com>
>
> The IP address for cox.net is correct.

It said SENDER address rejected... cox.net was the CLIENT address. The
SENDER was <[hidden email]>

Post output of postconf -n

Are you doing SAV (Sender Address Verification)? You should NOT use SAV
for general mail reception, you should only do SAV probes for sending
domains you control and/or have gotten explicit permission to do SAV for.

> I've added the 'someserver'.com and hotmail addresses to
> /etc/postfix/rhsbl_sender_exceptions with an explicit 'OK'.
>
> Which address of the three is unverified, and how do I fix this
> problem?

Disable SAV... you will never be able to receive mail from the big
vendors (gmail, hotmail, yahoo) if you are doing SAV probes all the time...

So

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: MTA Rejection Explanation Needed

Rich Shepard
On Mon, 28 Jul 2008, Charles Marcus wrote:

> Post output of postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/major-aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin/
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = petfooddirect.com
default_privs = nobody
default_process_limit = 200
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 32768000
mydestination = $myhostname, mail.$mydomain, localhost.$mydomain,
localhost.$mydomain, $mydomain, /etc/postfix/local/localdomains
mydomain = xxxx.com
myhostname = yyyy.xxxx.com
mynetworks = 192.168.xx.0/24, 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /etc/postfix/README_FILES
sample_directory = /etc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/internal_network,        permit_mynetworks,
check_client_access hash:/etc/postfix/badaddr,        reject_rbl_client
zen.spamhaus.org,        reject_rbl_client bl.spamcop.net,
reject_rbl_client list.dsbl.org,        reject_rhsbl_sender
dsn.rfc-ignorant.org,        reject_unknown_reverse_client_hostname,
check_sender_mx_access cidr:/etc/postfix/bogus_mx,      check_sender_access
hash:/etc/postfix/rhsbl_sender_exceptions,  check_sender_access
hash:/etc/postfix/common_spam_senderdomains,        check_sender_access
hash:/etc/postfix/badaddr,  permit
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,        reject_unauth_destination,
check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
check_recipient_access hash:/etc/postfix/recipients,
check_helo_access pcre:/etc/postfix/helo_checks,
reject_non_fqdn_recipient,      reject_non_fqdn_sender,
reject_unknown_sender_domain,   reject_non_fqdn_hostname,
reject_invalid_hostname,        permit
smtpd_restriction_classes = has_our_domain_as_sender
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
soft_bounce = no
unknown_local_recipient_reject_code = 550

> Are you doing SAV (Sender Address Verification)? You should NOT use SAV for
> general mail reception, you should only do SAV probes for sending domains you
> control and/or have gotten explicit permission to do SAV for.

   Not sure if that's enabled under a different name.

> Disable SAV... you will never be able to receive mail from the big vendors
> (gmail, hotmail, yahoo) if you are doing SAV probes all the time...

   I've had no problems -- and still don't -- receiving mail from gmail,
hotmail, or yahoo accounts except for this one instance.

   The sender (@hotmail.com) is using another company's server
(somedomain.com) between her and cox.net. It's that other company's server
to which I cannot trace the route and where dig and whois do not supply the
same IP address and domain name.

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863
Reply | Threaded
Open this post in threaded view
|

Re: MTA Rejection Explanation Needed

Sahil Tandon
Rich Shepard <[hidden email]> wrote:

> On Mon, 28 Jul 2008, Charles Marcus wrote:

[...]

>> Are you doing SAV (Sender Address Verification)? You should NOT use SAV
>> for general mail reception, you should only do SAV probes for sending
>> domains you control and/or have gotten explicit permission to do SAV for.
>
>   Not sure if that's enabled under a different name.

Sender Address Verification (SAV) is done in Postfix with the  
reject_unverified_sender parameter; see postconf(5) for details.  Before
employing this feature, make sure you understand its implications and read
the ADDRESS_VERIFICATION_README.
   

>> Disable SAV... you will never be able to receive mail from the big vendors
>> (gmail, hotmail, yahoo) if you are doing SAV probes all the time...
>
>   I've had no problems -- and still don't -- receiving mail from gmail,
> hotmail, or yahoo accounts except for this one instance.
>
>   The sender (@hotmail.com) is using another company's server
> (somedomain.com) between her and cox.net. It's that other company's server
> to which I cannot trace the route and where dig and whois do not supply the
> same IP address and domain name.
   
There are several references to access(5) maps in your main.cf; do any of
them have reject_unverified_sender as an action on the RHS?  Check with:
                   
# grep reject_unverified_sender /path/to/maps/folder/*  
                       
[...]

--
Sahil Tandon <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: MTA Rejection Explanation Needed

Rich Shepard
On Mon, 28 Jul 2008, Sahil Tandon wrote:

> Sender Address Verification (SAV) is done in Postfix with the
> reject_unverified_sender parameter; see postconf(5) for details.  Before
> employing this feature, make sure you understand its implications and read
> the ADDRESS_VERIFICATION_README.

Sahil,

   I did have hotmail in common_spam_senderdomains, and just removed it. That
should solve the problem.

   It was so long ago that I last looked at (or edited)
common_spam_senderdomains that I totally forgot what was in there.

Thank you,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863