Rejecting messages based on recipient MTA''s IP address

Hello,

We know that a certain IP range contains no MTA's, but hosts websites
for a lot of domains that have no email service, i.e., those domains
have A records in that range but no MX records at all.

Our Postfix server regularly receives messages over MSA where the
sender and recipient addresses are the same, and in one of those
domains.

Because the domain has a valid A record, there's nothing wrong with
those messages that Postfix can detect, so the messages get accepted.
Then because there is no MTA running at that IP address, they sit in
the outbound queue for five days, bounce, and the bounce sits in the
outbound queue for five more days.

Is there a way to:
A) Selectively identify a message based on the IP address of the MTA
it would be delivered to.
B) Reject such messages in the MSA connection or, at a minimum, keep
them from building up in the outbound queue?

Thanks for any suggestions!

On 29 Sep 2020, at 13:46, J David wrote:

See the entry for check_sender_a_access in the postconf(5) man page.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

J David:
> Hello,
>
> We know that a certain IP range contains no MTA's, but hosts websites
> for a lot of domains that have no email service, i.e., those domains
> have A records in that range but no MX records at all.

One alternative is to set reject_unverified_recipient
on the MSA service.

/etc/postfix/main.cf:
    mua_recipient_restrictions =
        reject_unverified_recipient, permit_sasl_authenticated, ...

/etc/postfix/master.cf:
    submission
        ....
        -o smtpd_sender_restrictions=$mua_recipient_restrictions
        ...

Ditto for the smtps service.

This will reach out to the MX or A address and if there is no
mail service, the probe will fail. Eventually.

Alternatively, if the IP address range is known, check_sender_mx_access
will control access by MX record (or A record if the domain has no
MX record).

/etc/postfix/main.cf:
    mua_sender_restrictions =
        check_sender_mx_access cidr:/etc/postfix/mx_access.cidr

/etc/postfix/mx_access.cidr:
   1.2.3.4/16 reject bla blah

/etc/postfix/master.cf:
    submission    
        ....
        -o smtpd_sender_restrictions=$mua_sender_restrictions
        ...

Ditto for the smtps service.

-- Wietse

On Tue, Sep 29, 2020 at 2:15 PM Wietse Venema <[hidden email]> wrote:
> One alternative is to set reject_unverified_recipient

Thanks, I will give this a shot and see if it helps our situation.

> Alternatively, if the IP address range is known, check_sender_mx_access
> will control access by MX record (or A record if the domain has no
> MX record).

This seems to have the same issue as Bill's suggestion of
check_sender_a_access; it's acting on the sender, not the recipient.

While the problem messages I'm trying to catch have the same sender
and recipient, other messages with those senders do have valid
recipients, so we can't select purely on sender due to the resulting
false positives.  Sorry, I should have clarified that in the original
message.

(Blocking messages based solely on having a sender that can't receive
mail, while IMO a very reasonable thing to do, would cause immediate
and severe blowback for us.)

Hopefully reject_unverified_recipient will cover us.

Thanks!

On 29 Sep 2020, at 14:36, J David wrote:

> This seems to have the same issue as Bill's suggestion of
> check_sender_a_access; it's acting on the sender, not the recipient.

check_recipient_a_access and check_recipient_mx_access also exist.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

J David:
Then use check_recipient_mx_acces?

        Wietse

On Tue, Sep 29, 2020 at 3:33 PM Wietse Venema <[hidden email]> wrote:
> Then use check_recipient_mx_acces?

Yes, after some pretty thorough testing, check_recipient_mx_access
seems to be the perfect fix for our situation.  The message gets
refused and the MUA gets a 554 error message.

For reference here are the findings from the other options:

check_recipient_a_access bounces mail for a domain simply for being
web-hosted in that IP block, even if that domain does have valid email
service somewhere else, which is not desirable in this situation.

reject_unverified_recipient returns a temporary initial fail if the
domain has not yet been verified.  Most of the client applications
using this server don't appear to be able to queue and retry, so that
wasn't a good fit either.

Thanks again, Wietse & Bill.

Postfix really is a wonderful tool!

On Tue, Sep 29, 2020 at 03:33:14PM -0400, Wietse Venema wrote:

> > This seems to have the same issue as Bill's suggestion of
> > check_sender_a_access; it's acting on the sender, not the recipient.
>
> Then use check_recipient_mx_acces?

There is perhaps a documentation gap here.  The fact that one
check_mumble_mx_accesss performs table lookups not only on the MX host
names, but also on their A/AAAA addresses does not appear to be
documented.  The OP might have had better luck if this were mentioned
in the docs...

--
    Viktor.

On Tue, Sep 29, 2020 at 6:32 PM Viktor Dukhovni
<[hidden email]> wrote:
> There is perhaps a documentation gap here.  The fact that one
> check_mumble_mx_accesss performs table lookups not only on the MX host
> names, but also on their A/AAAA addresses does not appear to be
> documented.  The OP might have had better luck if this were mentioned
> in the docs...

Your point is well-taken; I did mentally prune any search branches
that hit MX records because I knew the domains in question didn't have
any.

Still, I think the blame falls on me here.  I've been using Postfix
since at least 2007, but I only learned about check_recipient_a_access
and check_recipient_mx_access today.

Admittedly no search with "a record" in it was ever going to give me
great results.  But I did start at check_recipient_access and still
somehow missed them!

On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
> domains that have no email service, i.e., those domains
> have A records in that range but no MX records at all.

As we've covered recently omit eh list, the is no requirement to have an MX record in order to have a mail services. This might not matter to you, but if some of those sites send out thing like login confirmations codes, password resets, or account verification you're going to run into problems.


--
Love seeketh not itself to please Nor for itself hath any care But
        for another gives its ease And builds a heaven in Hell's despair

On 30/09/2020 15:58, @lbutlr wrote:
> On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
>> domains that have no email service, i.e., those domains
>> have A records in that range but no MX records at all.

Question at a tangent:-

Does the SMTP daemon resolve a destination if there is no MX record?

Allen C

On 2020-09-30 Allen Coates wrote:
> On 30/09/2020 15:58, @lbutlr wrote:
>> On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
>>> domains that have no email service, i.e., those domains have A
>>> records in that range but no MX records at all.
>
> Question at a tangent:-
>
> Does the SMTP daemon resolve a destination if there is no MX record?

Normally Postfix will check for an MX first, and if that is absent check
for an A record for the domain. This is standard MTA behavior as defined
in section 5 of RFC 5321.

<https://tools.ietf.org/html/rfc5321#section-5.1>

If a domain should never receive mail it's better to define a null MX
for that domain (see RFC 7505).

<https://tools.ietf.org/html/rfc7505>

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

On 01/10/2020 08:01, Ansgar Wiechers wrote:
> On 2020-09-30 Allen Coates wrote:
>>
>> Does the SMTP daemon resolve a destination if there is no MX record?
>
> Normally Postfix will check for an MX first, and if that is absent check
> for an A record for the domain. This is standard MTA behavior as defined
> in section 5 of RFC 5321.
>
> <https://tools.ietf.org/html/rfc5321#section-5.1>

and then, presumably, the fall-back relay, if it is defined.

Thanks for clearing up my confusion.

Allen C