Rejecting messages based on recipient MTA''s IP address

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Rejecting messages based on recipient MTA''s IP address

J David
Hello,

We know that a certain IP range contains no MTA's, but hosts websites
for a lot of domains that have no email service, i.e., those domains
have A records in that range but no MX records at all.

Our Postfix server regularly receives messages over MSA where the
sender and recipient addresses are the same, and in one of those
domains.

Because the domain has a valid A record, there's nothing wrong with
those messages that Postfix can detect, so the messages get accepted.
Then because there is no MTA running at that IP address, they sit in
the outbound queue for five days, bounce, and the bounce sits in the
outbound queue for five more days.

Is there a way to:
A) Selectively identify a message based on the IP address of the MTA
it would be delivered to.
B) Reject such messages in the MSA connection or, at a minimum, keep
them from building up in the outbound queue?

Thanks for any suggestions!
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Bill Cole-3
On 29 Sep 2020, at 13:46, J David wrote:

> Hello,
>
> We know that a certain IP range contains no MTA's, but hosts websites
> for a lot of domains that have no email service, i.e., those domains
> have A records in that range but no MX records at all.
>
> Our Postfix server regularly receives messages over MSA where the
> sender and recipient addresses are the same, and in one of those
> domains.
>
> Because the domain has a valid A record, there's nothing wrong with
> those messages that Postfix can detect, so the messages get accepted.
> Then because there is no MTA running at that IP address, they sit in
> the outbound queue for five days, bounce, and the bounce sits in the
> outbound queue for five more days.
>
> Is there a way to:
> A) Selectively identify a message based on the IP address of the MTA
> it would be delivered to.
> B) Reject such messages in the MSA connection or, at a minimum, keep
> them from building up in the outbound queue?

See the entry for check_sender_a_access in the postconf(5) man page.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Wietse Venema
In reply to this post by J David
J David:
> Hello,
>
> We know that a certain IP range contains no MTA's, but hosts websites
> for a lot of domains that have no email service, i.e., those domains
> have A records in that range but no MX records at all.

One alternative is to set reject_unverified_recipient
on the MSA service.

/etc/postfix/main.cf:
    mua_recipient_restrictions =
        reject_unverified_recipient, permit_sasl_authenticated, ...

/etc/postfix/master.cf:
    submission
        ....
        -o smtpd_sender_restrictions=$mua_recipient_restrictions
        ...

Ditto for the smtps service.

This will reach out to the MX or A address and if there is no
mail service, the probe will fail. Eventually.

Alternatively, if the IP address range is known, check_sender_mx_access
will control access by MX record (or A record if the domain has no
MX record).

/etc/postfix/main.cf:
    mua_sender_restrictions =
        check_sender_mx_access cidr:/etc/postfix/mx_access.cidr

/etc/postfix/mx_access.cidr:
   1.2.3.4/16 reject bla blah

/etc/postfix/master.cf:
    submission    
        ....
        -o smtpd_sender_restrictions=$mua_sender_restrictions
        ...

Ditto for the smtps service.

-- Wietse

> Our Postfix server regularly receives messages over MSA where the
> sender and recipient addresses are the same, and in one of those
> domains.
>
> Because the domain has a valid A record, there's nothing wrong with
> those messages that Postfix can detect, so the messages get accepted.
> Then because there is no MTA running at that IP address, they sit in
> the outbound queue for five days, bounce, and the bounce sits in the
> outbound queue for five more days.
>
> Is there a way to:
> A) Selectively identify a message based on the IP address of the MTA
> it would be delivered to.
> B) Reject such messages in the MSA connection or, at a minimum, keep
> them from building up in the outbound queue?
>
> Thanks for any suggestions!
>
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

J David
On Tue, Sep 29, 2020 at 2:15 PM Wietse Venema <[hidden email]> wrote:
> One alternative is to set reject_unverified_recipient

Thanks, I will give this a shot and see if it helps our situation.

> Alternatively, if the IP address range is known, check_sender_mx_access
> will control access by MX record (or A record if the domain has no
> MX record).

This seems to have the same issue as Bill's suggestion of
check_sender_a_access; it's acting on the sender, not the recipient.

While the problem messages I'm trying to catch have the same sender
and recipient, other messages with those senders do have valid
recipients, so we can't select purely on sender due to the resulting
false positives.  Sorry, I should have clarified that in the original
message.

(Blocking messages based solely on having a sender that can't receive
mail, while IMO a very reasonable thing to do, would cause immediate
and severe blowback for us.)

Hopefully reject_unverified_recipient will cover us.

Thanks!
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Bill Cole-3
On 29 Sep 2020, at 14:36, J David wrote:

> This seems to have the same issue as Bill's suggestion of
> check_sender_a_access; it's acting on the sender, not the recipient.

check_recipient_a_access and check_recipient_mx_access also exist.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Wietse Venema
In reply to this post by J David
J David:

> On Tue, Sep 29, 2020 at 2:15 PM Wietse Venema <[hidden email]> wrote:
> > One alternative is to set reject_unverified_recipient
>
> Thanks, I will give this a shot and see if it helps our situation.
>
> > Alternatively, if the IP address range is known, check_sender_mx_access
> > will control access by MX record (or A record if the domain has no
> > MX record).
>
> This seems to have the same issue as Bill's suggestion of
> check_sender_a_access; it's acting on the sender, not the recipient.

Then use check_recipient_mx_acces?

        Wietse

> While the problem messages I'm trying to catch have the same sender
> and recipient, other messages with those senders do have valid
> recipients, so we can't select purely on sender due to the resulting
> false positives.  Sorry, I should have clarified that in the original
> message.
>
> (Blocking messages based solely on having a sender that can't receive
> mail, while IMO a very reasonable thing to do, would cause immediate
> and severe blowback for us.)
>
> Hopefully reject_unverified_recipient will cover us.
>
> Thanks!
>
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

J David
On Tue, Sep 29, 2020 at 3:33 PM Wietse Venema <[hidden email]> wrote:
> Then use check_recipient_mx_acces?

Yes, after some pretty thorough testing, check_recipient_mx_access
seems to be the perfect fix for our situation.  The message gets
refused and the MUA gets a 554 error message.

For reference here are the findings from the other options:

check_recipient_a_access bounces mail for a domain simply for being
web-hosted in that IP block, even if that domain does have valid email
service somewhere else, which is not desirable in this situation.

reject_unverified_recipient returns a temporary initial fail if the
domain has not yet been verified.  Most of the client applications
using this server don't appear to be able to queue and retry, so that
wasn't a good fit either.

Thanks again, Wietse & Bill.

Postfix really is a wonderful tool!
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Viktor Dukhovni
In reply to this post by Wietse Venema
On Tue, Sep 29, 2020 at 03:33:14PM -0400, Wietse Venema wrote:

> > This seems to have the same issue as Bill's suggestion of
> > check_sender_a_access; it's acting on the sender, not the recipient.
>
> Then use check_recipient_mx_acces?

There is perhaps a documentation gap here.  The fact that one
check_mumble_mx_accesss performs table lookups not only on the MX host
names, but also on their A/AAAA addresses does not appear to be
documented.  The OP might have had better luck if this were mentioned
in the docs...

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

J David
On Tue, Sep 29, 2020 at 6:32 PM Viktor Dukhovni
<[hidden email]> wrote:
> There is perhaps a documentation gap here.  The fact that one
> check_mumble_mx_accesss performs table lookups not only on the MX host
> names, but also on their A/AAAA addresses does not appear to be
> documented.  The OP might have had better luck if this were mentioned
> in the docs...

Your point is well-taken; I did mentally prune any search branches
that hit MX records because I knew the domains in question didn't have
any.

Still, I think the blame falls on me here.  I've been using Postfix
since at least 2007, but I only learned about check_recipient_a_access
and check_recipient_mx_access today.

Admittedly no search with "a record" in it was ever going to give me
great results.  But I did start at check_recipient_access and still
somehow missed them!
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

@lbutlr
In reply to this post by J David
On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
> domains that have no email service, i.e., those domains
> have A records in that range but no MX records at all.

As we've covered recently omit eh list, the is no requirement to have an MX record in order to have a mail services. This might not matter to you, but if some of those sites send out thing like login confirmations codes, password resets, or account verification you're going to run into problems.


--
Love seeketh not itself to please Nor for itself hath any care But
        for another gives its ease And builds a heaven in Hell's despair

Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

allenc


On 30/09/2020 15:58, @lbutlr wrote:
> On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
>> domains that have no email service, i.e., those domains
>> have A records in that range but no MX records at all.

Question at a tangent:-

Does the SMTP daemon resolve a destination if there is no MX record?

Allen C

Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

Ansgar Wiechers
On 2020-09-30 Allen Coates wrote:
> On 30/09/2020 15:58, @lbutlr wrote:
>> On 29 Sep 2020, at 11:46, J David <[hidden email]> wrote:
>>> domains that have no email service, i.e., those domains have A
>>> records in that range but no MX records at all.
>
> Question at a tangent:-
>
> Does the SMTP daemon resolve a destination if there is no MX record?

Normally Postfix will check for an MX first, and if that is absent check
for an A record for the domain. This is standard MTA behavior as defined
in section 5 of RFC 5321.

<https://tools.ietf.org/html/rfc5321#section-5.1>

If a domain should never receive mail it's better to define a null MX
for that domain (see RFC 7505).

<https://tools.ietf.org/html/rfc7505>

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Reply | Threaded
Open this post in threaded view
|

Re: Rejecting messages based on recipient MTA''s IP address

allenc


On 01/10/2020 08:01, Ansgar Wiechers wrote:
> On 2020-09-30 Allen Coates wrote:
>>
>> Does the SMTP daemon resolve a destination if there is no MX record?
>
> Normally Postfix will check for an MX first, and if that is absent check
> for an A record for the domain. This is standard MTA behavior as defined
> in section 5 of RFC 5321.
>
> <https://tools.ietf.org/html/rfc5321#section-5.1>

and then, presumably, the fall-back relay, if it is defined.

Thanks for clearing up my confusion.

Allen C