check_sender_mx_access and MX records matching my MTA


check_sender_mx_access and MX records matching my MTA

(private) HKS
I recently implemented "smtpd_sender_restrictions =
check_sender_mx_access cidr:/etc/postfix/sender_mx_access" on Postfix
2.3.3 running on Ubuntu 6.10.

$ cat /etc/postfix/sender_mx_access
0.0.0.0/8 REJECT MX in IANA reserved network
127.0.0.0/8 REJECT MX in loopback network
10.0.0.0/8 REJECT MX in non-routable network
169.254.0.0/16 REJECT MX in non-routable network
172.16.0.0/12 REJECT MX in non-routable network
192.168.0.0/16 REJECT MX in non-routable network
224.0.0.0/4 REJECT MX in multicast network
240.0.0.0/4 REJECT MX in IANA reserved network


Turning this on, however, led to some unexpected failures when email
was sent from my own domain:

Jul 30 11:43:34 mail.example.com postfix/smtpd[28463]: NOQUEUE:
reject: RCPT from server1.example.com[10.1.0.1]: 554 5.7.1 <
[hidden email]>: Sender address rejected: MX in
loopback network; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<server1.example.local>


A dig shows that the MX record for sub1.example.com is
mail.example.com (a public IP address). How does postfix decide that
it's running on the loopback network, then?

Thanks for the help.

-HKS
Re: check_sender_mx_access and MX records matching my MTA

Brian Evans - Postfix List
(private) HKS wrote:

> I recently implemented "smtpd_sender_restrictions =
> check_sender_mx_access cidr:/etc/postfix/sender_mx_access" on Postfix
> 2.3.3 running on Ubuntu 6.10.
>
> $ cat /etc/postfix/sender_mx_access
> 0.0.0.0/8 REJECT MX in IANA reserved network
> 127.0.0.0/8 REJECT MX in loopback network
> 10.0.0.0/8 REJECT MX in non-routable network
> 169.254.0.0/16 REJECT MX in non-routable network
> 172.16.0.0/12 REJECT MX in non-routable network
> 192.168.0.0/16 REJECT MX in non-routable network
> 224.0.0.0/4 REJECT MX in multicast network
> 240.0.0.0/4 REJECT MX in IANA reserved network
>
>
> Turning this on, however, led to some unexpected failures when email
> was sent from my own domain:
>
> Jul 30 11:43:34 mail.example.com postfix/smtpd[28463]: NOQUEUE:
> reject: RCPT from server1.example.com[10.1.0.1]: 554 5.7.1 <
> [hidden email]>: Sender address rejected: MX in
> loopback network; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<server1.example.local>
>
>
> A dig shows that the MX record for sub1.example.com is
> mail.example.com (a public IP address). How does postfix decide that
> it's running on the loopback network, then?
>  
You need:
smtpd_sender_restrictions = permit_mynetworks, check_sender_mx_access
cidr:/etc/postfix/sender_mx_access

Brian
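To make the mechanics behind Brian's fix concrete, here is an added example (not Postfix code, and not anything posted by HKS, Brian or mouss) that emulates how a `cidr:` table behind `check_sender_mx_access` is evaluated and how `permit_mynetworks` in front of it short-circuits the check for clients inside `mynetworks`. It uses the `sender_mx_access` table from the post verbatim. The DNS data (`FAKE_MX`, `FAKE_A`) and the `MYNETWORKS` list are constructed: mapping the MX host `mail.example.com` to `127.0.0.1` is simply one scenario that reproduces the "MX in loopback network" log line when the MTA resolves the name differently from public DNS; it is not a diagnosis of the poster's setup. The implicit-MX fallback for domains with no MX record follows the RFC 5321 rule and is an assumption of this emulation.

```python
"""Emulate check_sender_mx_access (cidr: table) and permit_mynetworks ordering.
Added example, not Postfix source; all DNS data below is constructed."""
import ipaddress

# The table from the post, in file order. cidr: tables return the first match,
# so order is significant.
SENDER_MX_ACCESS = """\
0.0.0.0/8 REJECT MX in IANA reserved network
127.0.0.0/8 REJECT MX in loopback network
10.0.0.0/8 REJECT MX in non-routable network
169.254.0.0/16 REJECT MX in non-routable network
172.16.0.0/12 REJECT MX in non-routable network
192.168.0.0/16 REJECT MX in non-routable network
224.0.0.0/4 REJECT MX in multicast network
240.0.0.0/4 REJECT MX in IANA reserved network
"""

# Constructed DNS view "as seen from the MTA". The loopback answer for
# mail.example.com is a hypothetical split-horizon / hosts-file situation that
# reproduces the rejection in the post, not a statement about the poster's DNS.
FAKE_MX = {
    "sub1.example.com": ["mail.example.com"],
    "example.org": ["mx1.example.org", "mx2.example.org"],
}
FAKE_A = {
    "mail.example.com": ["127.0.0.1"],
    "mx1.example.org": ["203.0.113.10"],   # public (TEST-NET-3) address
    "mx2.example.org": ["192.168.5.5"],    # backup MX on RFC 1918 space
    "nomx.example.net": ["198.51.100.7"],  # domain with only an A record
}
# Constructed mynetworks; the rejected client 10.1.0.1 from the log falls in it.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def parse_cidr_table(text):
    """Parse 'network action [message]' lines into an ordered rule list."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        net = ipaddress.ip_network(parts[0], strict=False)
        action = parts[1].upper()
        message = parts[2] if len(parts) == 3 else ""
        rules.append((net, action, message))
    return rules


def mx_hosts(domain):
    """MX hosts of a domain; with no MX record the domain itself is the
    implicit MX (RFC 5321 rule, assumed here for the emulation)."""
    return FAKE_MX.get(domain) or [domain]


def lookup_cidr(ip, rules):
    """First-match lookup, like a cidr: table."""
    addr = ipaddress.ip_address(ip)
    for net, action, message in rules:
        if addr in net:
            return action, message
    return "DUNNO", ""


def check_sender_mx_access(sender, rules):
    """Resolve every MX host of the sender's domain and look each address up
    in the table; the first non-DUNNO result decides."""
    domain = sender.strip("<>").rpartition("@")[2].lower()
    if not domain:
        return "DUNNO", ""  # null sender: nothing to look up
    for host in mx_hosts(domain):
        for ip in FAKE_A.get(host, []):
            action, message = lookup_cidr(ip, rules)
            if action != "DUNNO":
                return action, message
    return "DUNNO", ""


def smtpd_sender_restrictions(client_ip, sender, restrictions, rules):
    """Evaluate a restriction list left to right; a PERMIT or REJECT stops
    the evaluation, DUNNO moves on to the next restriction."""
    client = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(client in net for net in MYNETWORKS):
                return "PERMIT", "client in mynetworks"
        elif name == "check_sender_mx_access":
            action, message = check_sender_mx_access(sender, rules)
            if action != "DUNNO":
                return action, message
        else:
            raise ValueError(f"unsupported restriction: {name}")
    return "DUNNO", "end of restriction list"


if __name__ == "__main__":
    rules = parse_cidr_table(SENDER_MX_ACCESS)
    original = ["check_sender_mx_access"]
    fixed = ["permit_mynetworks", "check_sender_mx_access"]
    for rlist in (original, fixed):
        print(rlist, "->",
              smtpd_sender_restrictions("10.1.0.1", "user@sub1.example.com",
                                        rlist, rules))
```

With the original one-item list the internal client at 10.1.0.1 is rejected because the sender domain's MX host resolves to loopback; with `permit_mynetworks` first the same client is permitted before the MX check runs, while an outside client (say 203.0.113.99) still gets the MX check and the REJECT. The example also shows that a domain whose backup MX sits on RFC 1918 space is rejected even when its primary MX is public, which is worth knowing before deploying this table against arbitrary senders.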

Re: check_sender_mx_access and MX records matching my MTA

mouss-2
In reply to this post by (private) HKS
(private) HKS wrote:

> I recently implemented "smtpd_sender_restrictions =
> check_sender_mx_access cidr:/etc/postfix/sender_mx_access" on Postfix
> 2.3.3 running on Ubuntu 6.10.
>
> $ cat /etc/postfix/sender_mx_access
> 0.0.0.0/8 REJECT MX in IANA reserved network
> 127.0.0.0/8 REJECT MX in loopback network
> 10.0.0.0/8 REJECT MX in non-routable network
> 169.254.0.0/16 REJECT MX in non-routable network
> 172.16.0.0/12 REJECT MX in non-routable network
> 192.168.0.0/16 REJECT MX in non-routable network
> 224.0.0.0/4 REJECT MX in multicast network
> 240.0.0.0/4 REJECT MX in IANA reserved network
>
>
> Turning this on, however, led to some unexpected failures when email
> was sent from my own domain:
>
> Jul 30 11:43:34 mail.example.com postfix/smtpd[28463]: NOQUEUE:
> reject: RCPT from server1.example.com[10.1.0.1]: 554 5.7.1 <
> [hidden email]>: Sender address rejected: MX in
> loopback network; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<server1.example.local>
>
>
> A dig shows that the MX record for sub1.example.com is
> mail.example.com (a public IP address).

Not here.

dig mx mail.example.com

; <<>> DiG 9.4.2 <<>> mx mail.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.example.com.              IN      MX

;; AUTHORITY SECTION:
example.com.            10800   IN      SOA     dns1.icann.org.
hostmaster.icann.org. 2007051703 7200 3600 1209600 86400

;; Query time: 184 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 30 19:22:02 2008
;; MSG SIZE  rcvd: 95

But you may be living in a parallel internet. If you manage to get back to
our internet, we may be able to help you. In the meantime, say helo to
the martians.


> How does postfix decide that
> it's running on the loopback network, then?
>

Postfix does not decide. You decide. You tell it when to reject mail,
and it will. Postfix does not invent DNS records.