"SPF no-mail record" clashing with reject_unknown_recipient_domain

"SPF no-mail record" clashing with reject_unknown_recipient_domain

Ehlers, Y.W. (Ydo)
Dear postfix users, admins and gurus.

Today I was alerted to a new 'problem'. As I was unable to find any
information on it online, I decided to present it to you......

An important application we run has, unfortunately, an internal
mail-queuing system that is, to say the least, sub-optimal.
A transient error (450) for an unknown domain will keep the message on
top of the queue resulting, in practice, in a shutdown of the system
that can send out tens of thousands of e-mails per day.
To circumvent this problem, the application delivers the mail to a local
postfix instance with the following settings:

> # JUNK MAIL CONTROLS
> unknown_address_reject_code     = 550
> unknown_address_tempfail_action = defer
> smtpd_recipient_restrictions    = reject_non_fqdn_recipient,
>                                   reject_unknown_recipient_domain,
>                                   permit_mynetworks,
>                                   reject

Being a work-around, it does exactly what it is supposed to do.
However, today problems arose as a misspelled e-mail address once again
'stopped' the processing.

The 'original' address returned a 450:
> Oct 28 09:43:19 pelona postfix/smtpd[93730]: 3A3FA2C01E0: reject: RCPT
> from localhost[127.0.0.1]: 450 4.1.2 <[hidden email]>: Recipient
> address rejected: Domain not found; from=<[hidden email]>
> to=<[hidden email]> proto=SMTP helo=<pelona>
And an almost identical one returned the expected 550:
> Oct 28 09:44:37 pelona postfix/smtpd[93730]: 3A3FA2C01E0: reject: RCPT
> from localhost[127.0.0.1]: 550 5.1.2 <[hidden email]>:
> Recipient address rejected: Domain not found; from=<[hidden email]>
> to=<[hidden email]> proto=SMTP helo=<pelona>


After some (literal) digging I found out that Microsoft has started to
mark domains as 'Non-Mail' by actively using a 'deny all' SPF record:

>  dig any hotmail.co
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> any hotmail.co
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23310
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;hotmail.co.                    IN      ANY
>
> ;; ANSWER SECTION:
> hotmail.co.             7200    IN      NS      ns2.msft.net.
> hotmail.co.             7200    IN      NS      ns3.msft.net.
> hotmail.co.             7200    IN      NS      ns4.msft.net.
> hotmail.co.             7200    IN      NS      ns1.msft.net.
> hotmail.co.             3600    IN      TXT     "v=spf1 -all"

This usage of a single SPF record results in an existing domain from
Postfix's perspective.
There is no MX record, there is no A record, so mail can not be delivered.
And Microsoft tops it off by explicitly claiming no e-mail will be sent
from this domain.

So now, Postfix no longer marks this as an "unknown_recipient_domain".
It is technically correct in (not) doing so, but it breaks the purpose
it is being used for in many cases.


Does anyone have any bright ideas how to deal with this situation?


Ydo Ehlers

Re: "SPF no-mail record" clashing with reject_unknown_recipient_domain

Wietse Venema
Ehlers, Y.W. (Ydo):
> This usage of a single SPF record results in an existing domain from
> Postfix's perspective.

Nope. It has nothing to do with SPF. Instead, it's a borked DNS
server.

reject_unknown_sender/recipient_domain looks for MX, A, and AAAA
records (if compiled with IPv6 support).

With hotmail.co, lookup for MX, A or AAAA results in SERVFAIL,
therefore Postfix decides that the domain status is unknown.
Instead of SERVFAIL, the DNS server should reply with NOERROR.

        Wietse
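The distinction Wietse draws (SERVFAIL means "status unknown", a clean NOERROR or NXDOMAIN with no MX/A/AAAA means "cannot deliver") is easiest to see in a small model of the check. This is an added example, not Postfix code; the resolver is a constructed in-memory table rather than real DNS, so it runs offline, and the domain names other than hotmail.co are made up.

```python
# Model of how reject_unknown_recipient_domain decides, following the thread:
# the recipient domain is looked up for MX, A and AAAA. A SERVFAIL answer makes
# the status unknown (temporary failure, 450 with
# unknown_address_tempfail_action = defer); NXDOMAIN, or NOERROR with none of
# those records, means the domain cannot receive mail (the configured
# unknown_address_reject_code, 550 in the thread). A found record accepts.
from enum import Enum


class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3


# Constructed zone data keyed by (domain, qtype): (rcode, answer records).
# "hotmail.co" models the thread's case: the server answers SERVFAIL for
# MX/A/AAAA although a TXT "v=spf1 -all" record exists.
CONSTRUCTED_DNS = {
    ("example.org", "MX"): (Rcode.NOERROR, ["mail.example.org."]),
    ("hotmail.co", "MX"): (Rcode.SERVFAIL, []),
    ("hotmail.co", "A"): (Rcode.SERVFAIL, []),
    ("hotmail.co", "AAAA"): (Rcode.SERVFAIL, []),
    # A correctly served no-mail domain: NOERROR, but no MX/A/AAAA data.
    ("nomail.example", "MX"): (Rcode.NOERROR, []),
    ("nomail.example", "A"): (Rcode.NOERROR, []),
    ("nomail.example", "AAAA"): (Rcode.NOERROR, []),
    # A misspelled domain that does not exist at all.
    ("typo.example", "MX"): (Rcode.NXDOMAIN, []),
}


def lookup(domain, qtype):
    # Hypothetical resolver; unknown entries behave as NOERROR with no data.
    return CONSTRUCTED_DNS.get((domain, qtype), (Rcode.NOERROR, []))


def recipient_domain_status(domain, unknown_address_reject_code=550):
    """Return the SMTP reply code the check yields: 250 (record found),
    450 (lookup SERVFAIL, defer) or the reject code (domain unusable)."""
    for qtype in ("MX", "A", "AAAA"):
        rcode, records = lookup(domain, qtype)
        if rcode == Rcode.SERVFAIL:
            return 450  # status unknown: defer and retry later
        if rcode == Rcode.NXDOMAIN:
            return unknown_address_reject_code  # name does not exist
        if records:
            return 250  # a usable MX/A/AAAA record was found
    return unknown_address_reject_code  # exists, but nothing to deliver to
```

With hotmail.co the model returns 450, exactly the transient code that jammed the application's queue, while the same domain served with NOERROR would get the 550 the work-around relies on.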
Re: "SPF no-mail record" clashing with reject_unknown_recipient_domain

Ehlers, Y.W. (Ydo)
Wietse,

you're absolutely right.
I thought I checked my findings correctly, but I missed this one.
I'll direct my attention to my networking colleagues for a properly configured DNS server.....


Ydo Ehlers


On 28-10-2019 12:11, Wietse Venema wrote:
> Ehlers, Y.W. (Ydo):
> > This usage of a single SPF record results in an existing domain from
> > Postfix's perspective.
>
> Nope. It has nothing to do with SPF. Instead, it's a borked DNS
> server.
>
> reject_unknown_sender/recipient_domain looks for MX, A, and AAAA
> records (if compiled with IPv6 support).
>
> With hotmail.co, lookup for MX, A or AAAA results in SERVFAIL,
> therefore Postfix decides that the domain status is unknown.
> Instead of SERVFAIL, the DNS server should reply with NOERROR.
>
> 	Wietse

--

Ydo Ehlers | IT Administrator | ICT Service Center | Radboud Universiteit | PO Box 9102, 6500 HC Nijmegen | (024) 361 78 94 | www.ru.nl/isc

This message and any attachment are intended solely for the addressee(s) and may contain confidential information. If you are not the addressee, you may not copy this message and the attachment, nor show or distribute them to third parties. You are requested to notify the sender immediately and to destroy the message.

Re: "SPF no-mail record" clashing with reject_unknown_recipient_domain

A. Schulze
In reply to this post by Ehlers, Y.W. (Ydo)

Ehlers, Y.W. (Ydo):

> There is no MX record, there is no A record, so mail can not be delivered.
> And Microsoft tops it off by explicitely claiming no e-mail will be send
> from this domain

for the record: one likes to use RFC 7505 to express "this domain doesn't
send / receive email"

adding an SPF -all is more one of the many pieces of advice described in the fine
MAAWG BCP:
https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

Andreas