Possible to enforce 4XX error upon dns lookups which result in NXDomain?


Tobi
Hi list

I wonder if the following idea is somehow "do-able" in postfix. We have
a fallback postfix instance which gets all mails that our scanners could
not send to our customers' target server. Now the fallback tries to
submit those messages to our customers. Sometimes our customers do not know
how to manage DNS and delete an important record (like the A record for the
target server). We do not manage their zones; that's done by themselves.

Now we thought that it would be very nice if we could "tell" our
fallback instance, in case of NXDomain in the DNS lookup of a target
server, to return a DEFER (4xx) instead of a REJECT (5xx).
I found the soft_bounce parameter in the docs, but that seems too wide, as we
would only soft bounce in case of NXDomain results for target servers and
not for any other reason. Is it possible to use smtp_dns_reply_filter to
filter for NXDomain results and return a DEFER action?

Thanks for any idea and have a good one

--

tobi



Re: Possible to enforce 4XX error upon dns lookups which result in NXDomain?

Wietse Venema
Tobi:

> I wonder if the following idea is somehow "do-able" in postfix. We have
> a fallback postfix instance which gets all mails that our scanners could
> not send to our customers' target server. Now the fallback tries to
> submit those messages to our customers. Sometimes our customers do not know
> how to manage DNS and delete an important record (like the A record for the
> target server). We do not manage their zones; that's done by themselves.
>
> Now we thought that it would be very nice if we could "tell" our
> fallback instance, in case of NXDomain in the DNS lookup of a target
> server, to return a DEFER (4xx) instead of a REJECT (5xx).
> I found the soft_bounce parameter in the docs, but that seems too wide, as we
> would only soft bounce in case of NXDomain results for target servers and
> not for any other reason. Is it possible to use smtp_dns_reply_filter to
> filter for NXDomain results and return a DEFER action?

This would require a filter for DNS reply STATUS codes. This is
different from smtp_dns_reply_filter which currently can only change
the content of resource records (i.e. when the DNS query succeeds).

Unbound has a filtering feature that is more powerful than Postfix's
(no surprise, since Unbound is specialized for DNS). Maybe unbound
can handle your case.

https://medium.com/nlnetlabs/client-based-filtering-in-unbound-d7da3f1ef639
https://github.com/ohitz/unbound-domainfilter/blob/master/dns_filter.py
https://github.com/cbuijs/unbound-dns-filter

        Wietse

Re: Possible to enforce 4XX error upon dns lookups which result in NXDomain?

Wietse Venema
Wietse Venema:

> Tobi:
> > I wonder if the following idea is somehow "do-able" in postfix. We have
> > a fallback postfix instance which gets all mails that our scanners could
> > not send to our customers' target server. Now the fallback tries to
> > submit those messages to our customers. Sometimes our customers do not know
> > how to manage DNS and delete an important record (like the A record for the
> > target server). We do not manage their zones; that's done by themselves.
> >
> > Now we thought that it would be very nice if we could "tell" our
> > fallback instance, in case of NXDomain in the DNS lookup of a target
> > server, to return a DEFER (4xx) instead of a REJECT (5xx).
> > I found the soft_bounce parameter in the docs, but that seems too wide, as we
> > would only soft bounce in case of NXDomain results for target servers and
> > not for any other reason. Is it possible to use smtp_dns_reply_filter to
> > filter for NXDomain results and return a DEFER action?

Of course Postfix can, it just isn't called smtp_dns_reply_filter.

Instead, use smtp_delivery_status_filter.

The filter is invoked with a string of the form:

    enhanced-status-code SPACE explanatory-text

For example:

    5.4.4 Host or domain name not found. Name service error for...

So the following could do the trick for your fallback relay host:

/etc/postfix/main.cf:
     smtp_delivery_status_filter = pcre:/etc/postfix/fallback_status_filter

/etc/postfix/fallback_status_filter:
    /^(5\S+\s+Host or domain name not found.+)/ 4$1

This changes the hard error into a soft one, and is more selective
than setting soft_bounce=yes.

        Wietse

Re: Possible to enforce 4XX error upon dns lookups which result in NXDomain?

Wietse Venema
Wietse Venema:

> Wietse Venema:
> > Tobi:
> > > I wonder if the following idea is somehow "do-able" in postfix. We have
> > > a fallback postfix instance which gets all mails that our scanners could
> > > not send to our customers' target server. Now the fallback tries to
> > > submit those messages to our customers. Sometimes our customers do not know
> > > how to manage DNS and delete an important record (like the A record for the
> > > target server). We do not manage their zones; that's done by themselves.
> > >
> > > Now we thought that it would be very nice if we could "tell" our
> > > fallback instance, in case of NXDomain in the DNS lookup of a target
> > > server, to return a DEFER (4xx) instead of a REJECT (5xx).
> > > I found the soft_bounce parameter in the docs, but that seems too wide, as we
> > > would only soft bounce in case of NXDomain results for target servers and
> > > not for any other reason. Is it possible to use smtp_dns_reply_filter to
> > > filter for NXDomain results and return a DEFER action?
>
> Of course Postfix can, it just isn't called smtp_dns_reply_filter.
>
> Instead, use smtp_delivery_status_filter.
>
> The filter is invoked with a string of the form:
>
>     enhanced-status-code SPACE explanatory-text
>
> For example:
>
>     5.4.4 Host or domain name not found. Name service error for...
>
> So the following could do the trick for your fallback relay host:
>
> /etc/postfix/main.cf:
>      smtp_delivery_status_filter = pcre:/etc/postfix/fallback_status_filter

Corrected text: The '5' needs to be outside the ().

/etc/postfix/fallback_status_filter:
    /^5(\S+\s+Host or domain name not found.+)/ 4$1

This changes the hard error into a soft one, and is more selective
than setting soft_bounce=yes.

        Wietse
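As an added illustration (not part of the thread, and not Postfix code), the following emulates how Postfix would apply both the first and the corrected pcre: rule above to a few constructed delivery-status strings, so the selectivity of the corrected rule and the defect of the first one ("45.4.4 ...") can be seen without a running mail server. The sample strings and the Python `re` emulation are assumptions; Postfix's `$1` is translated to Python's `\1`.

```python
import re

# Constructed delivery-status strings in the form Postfix hands to
# smtp_delivery_status_filter: "enhanced-status-code SPACE explanatory-text".
SAMPLE_STATUSES = [
    "5.4.4 Host or domain name not found. Name service error for "
    "name=mx.customer.example type=A: Host not found",
    "5.1.1 <bob@customer.example>: Recipient address rejected: User unknown",
    "4.4.1 connect to mx.customer.example[192.0.2.10]:25: Connection refused",
    "5.7.1 <bob@customer.example>: Relay access denied",
]

# The thread's two pcre: rules as (pattern, replacement); Postfix writes the
# back-reference as $1, Python's re wants \1.
# First attempt: the leading '5' sits inside the capture group.
BUGGY_RULE = (r"^(5\S+\s+Host or domain name not found.+)", r"4\1")
# Corrected rule: the '5' is outside the group, so only the class digit changes.
FIXED_RULE = (r"^5(\S+\s+Host or domain name not found.+)", r"4\1")


def apply_filter(status, rule):
    """Emulate a one-rule pcre: table lookup: return the rewritten status when
    the pattern matches, otherwise the unchanged input (no rule fired)."""
    pattern, replacement = rule
    new_status, count = re.subn(pattern, replacement, status, count=1)
    return new_status if count else status


def filtered_statuses(rule):
    """Run every sample status through the given rule."""
    return [apply_filter(s, rule) for s in SAMPLE_STATUSES]


if __name__ == "__main__":
    for name, rule in (("buggy", BUGGY_RULE), ("fixed", FIXED_RULE)):
        print(f"--- {name} rule ---")
        for before, after in zip(SAMPLE_STATUSES, filtered_statuses(rule)):
            print(f"{before[:40]:<42} -> {after[:12]}")
```

On a real host the same check against the actual table is `postmap -q "<status string>" pcre:/etc/postfix/fallback_status_filter`, which prints the rewritten string or nothing when no rule matches.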

Re: Possible to enforce 4XX error upon dns lookups which result in NXDomain?

Tobi
Hi Wietse

thanks a lot for your hint :-) Deployed and first tests show it works as
it should: changing 5xx to 4xx in case of NX domain for nexthop.

Cheers

tobi

On 15.10.19 at 21:58, Wietse Venema wrote:

> Wietse Venema:
>> Wietse Venema:
>>> Tobi:
>>>> I wonder if the following idea is somehow "do-able" in postfix. We have
>>>> a fallback postfix instance which gets all mails that our scanners could
>>>> not send to our customers' target server. Now the fallback tries to
>>>> submit those messages to our customers. Sometimes our customers do not know
>>>> how to manage DNS and delete an important record (like the A record for the
>>>> target server). We do not manage their zones; that's done by themselves.
>>>>
>>>> Now we thought that it would be very nice if we could "tell" our
>>>> fallback instance, in case of NXDomain in the DNS lookup of a target
>>>> server, to return a DEFER (4xx) instead of a REJECT (5xx).
>>>> I found the soft_bounce parameter in the docs, but that seems too wide, as we
>>>> would only soft bounce in case of NXDomain results for target servers and
>>>> not for any other reason. Is it possible to use smtp_dns_reply_filter to
>>>> filter for NXDomain results and return a DEFER action?
>>
>> Of course Postfix can, it just isn't called smtp_dns_reply_filter.
>>
>> Instead, use smtp_delivery_status_filter.
>>
>> The filter is invoked with a string of the form:
>>
>>     enhanced-status-code SPACE explanatory-text
>>
>> For example:
>>
>>     5.4.4 Host or domain name not found. Name service error for...
>>
>> So the following could do the trick for your fallback relay host:
>>
>> /etc/postfix/main.cf:
>>      smtp_delivery_status_filter = pcre:/etc/postfix/fallback_status_filter
>
> Corrected text: The '5' needs to be outside the ().
>
> /etc/postfix/fallback_status_filter:
>     /^5(\S+\s+Host or domain name not found.+)/ 4$1
>
> This changes the hard error into a soft one, and is more selective
> than setting soft_bounce=yes.
>
> Wietse