reject_unknown_sender_domain seems not to work

Lars Liedtke
Hello,

I am having trouble using reject_unknown_sender_domain. I boiled the
whole restrictions down to

smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain

and still a mail to an invalid domain is not rejected or I am not warned
about rejection:

Oct 24 18:22:14 mailstore postfix/smtpd[98529]: >>> START Recipient address RESTRICTIONS <<<
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: generic_checks: name=warn_if_reject
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: generic_checks: name=reject_unknown_sender_domain
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: reject_unknown_address: [hidden email]
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: ctable_locate: move existing entry key [hidden email]?[hidden email]
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: generic_checks: name=reject_unknown_sender_domain status=0
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: generic_checks: name=reject_non_fqdn_sender
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: reject_non_fqdn_address: [hidden email]
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: generic_checks: name=reject_non_fqdn_sender status=0
Oct 24 18:22:14 mailstore postfix/smtpd[98529]: >>> END Recipient address RESTRICTIONS <<<

what am I doing wrong?

Best Regards

Lars

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
[hidden email]       https://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285



Re: reject_unknown_sender_domain seems not to work

P.V.Anthony
On 25/10/19 12:34 am, Lars Liedtke wrote:

> I am having trouble using reject_unknown_sender_domain. I boiled the
> whole restrictions down to
>
> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain

For me I use it in smtpd_sender_restrictions.

Also check if your postfix version can support reject_unknown_sender_domain.

I am not an expert. Please wait for other advice.

P.V.Anthony

Re: reject_unknown_sender_domain seems not to work

Wietse Venema
In reply to this post by Lars Liedtke
Lars Liedtke:
> Hello,
>
> I am having trouble using reject_unknown_sender_domain. I boiled the
> whole restrictions down to
>
> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>
> and still a mail to an invalid domain is not rejected or I am not warned
> about rejection:

reject_unknown_sender_domain will consider the domain as "existing"
- if a DNS query of type MX, A, or AAAA (if compiled with IPv6
  support) produces a resource record,
- or the above query produces a response and you have configured
  an smtpd_dns_reply_filter that removed those resource records.

        Wietse

Re: reject_unknown_sender_domain seems not to work

Lars Liedtke
In reply to this post by P.V.Anthony

On 24.10.19 at 19:01, P.V.Anthony wrote:

> On 25/10/19 12:34 am, Lars Liedtke wrote:
>
>> I am having trouble using reject_unknown_sender_domain. I boiled the
>> whole restrictions down to
>>
>> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>
> For me I use it in smtpd_sender_restrictions.
>
> Also check if your postfix version can support
> reject_unknown_sender_domain.
>
> I am not an expert. Please wait for other advice.
>
> P.V.Anthony
Yes, I would have put it in the smtpd_sender_restrictions myself as well,
but I am working with a book and that shows it in the
smtpd_recipient_restrictions, so in my many tries I put it there as well
just to be sure.


Re: reject_unknown_sender_domain seems not to work

Lars Liedtke
In reply to this post by Wietse Venema

On 24.10.19 at 20:20, Wietse Venema wrote:

> Lars Liedtke:
>> Hello,
>>
>> I am having trouble using reject_unknown_sender_domain. I boiled the
>> whole restrictions down to
>>
>> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>>
>> and still a mail to an invalid domain is not rejected or I am not warned
>> about rejection:
> reject_unknown_sender_domain will consider the domain as "existing"
> - if a DNS query of type MX, A, or AAAA (if compiled with IPv6
>   support) produces a resource record,
> - or the above query produces a response and you have configured
>   an smtpd_dns_reply_filter that removed those resource records.
>
> Wietse
Unfortunately both cases turn out negative:

- $ drill domain.invalid any
  ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; domain.invalid.      IN      TYPE255

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:

  ;; ADDITIONAL SECTION:

  ;; Query time: 0 msec
  ;; SERVER: 10.0.2.3
  ;; WHEN: Fri Oct 25 09:47:04 2019
  ;; MSG SIZE  rcvd: 32

- $ postconf | grep smtpd_dns
  smtpd_dns_reply_filter =


Re: reject_unknown_sender_domain seems not to work

Matus UHLAR - fantomas
>> Lars Liedtke:
>>> I am having trouble using reject_unknown_sender_domain. I boiled the
>>> whole restrictions down to
>>>
>>> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>>>
>>> and still a mail to an invalid domain is not rejected or I am not warned
>>> about rejection:

>On 24.10.19 at 20:20, Wietse Venema wrote:
>> reject_unknown_sender_domain will consider the domain as "existing"
>> - if a DNS query of type MX, A, or AAAA (if compiled with IPv6
>>   support) produces a resource record,
>> - or the above query produces a response and you have configured
>>   an smtpd_dns_reply_filter that removed those resource records.

On 25.10.19 10:00, Lars Liedtke wrote:
>Unfortunately both cases turn out negative:
>
>- $ drill domain.invalid any
>  ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179

this is your problem, the rcode should be NXDOMAIN.

SERVFAIL means that the dns server failed to find out whether the domain
exists.

it's a DNS problem.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: reject_unknown_sender_domain seems not to work

Lars Liedtke

On 25.10.19 at 10:55, Matus UHLAR - fantomas wrote:

>>> Lars Liedtke:
>>>> I am having trouble using reject_unknown_sender_domain. I boiled the
>>>> whole restrictions down to
>>>>
>>>> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>>>>
>>>> and still a mail to an invalid domain is not rejected or I am not warned
>>>> about rejection:
>
>> On 24.10.19 at 20:20, Wietse Venema wrote:
>>> reject_unknown_sender_domain will consider the domain as "existing"
>>> - if a DNS query of type MX, A, or AAAA (if compiled with IPv6
>>>   support) produces a resource record,
>>> - or the above query produces a response and you have configured
>>>   an smtpd_dns_reply_filter that removed those resource records.
>
> On 25.10.19 10:00, Lars Liedtke wrote:
>> Unfortunately both cases turn out negative:
>>
>> - $ drill domain.invalid any
>>   ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179
>
> this is your problem, the rcode should be NXDOMAIN.
>
> SERVFAIL means that the dns server failed to find out whether the domain
> exists.
>
> it's a DNS problem.
Right and not :-(

Right: The SERVFAIL part.

Wrong: even with a domain that does not exist and a DNS lookup that delivers
NXDOMAIN, the domain is still not rejected.

$ drill dgibsjaganicht.de
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 31428
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dgibsjaganicht.de.   IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.2.3
;; WHEN: Fri Oct 25 11:31:55 2019
;; MSG SIZE  rcvd: 35


Oct 25 11:25:26 mailstore postfix/smtpd[16444]: >>> START Recipient address RESTRICTIONS <<<
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_unknown_sender_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address: [hidden email]
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: ctable_locate: leave existing entry key [hidden email]?[hidden email]
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_unknown_sender_domain status=0
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_unknown_recipient_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address: [hidden email]
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: ctable_locate: move existing entry key [hidden email]?[hidden email]

Additionally, I only see the status=0 in the logfile if
reject_unknown_sender_domain is inside the smtpd_recipient_restrictions;
if it is in the smtpd_sender_restrictions I only see this:

Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_non_fqdn_sender
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_non_fqdn_address: [hidden email]
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_non_fqdn_sender status=0
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks: name=reject_unknown_sender_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address: [hidden email]
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: rewrite_clnt: cached: local: [hidden email] -> [hidden email]


Re: reject_unknown_sender_domain seems not to work

Bastian Blank-3
On Fri, Oct 25, 2019 at 11:37:04AM +0200, Lars Liedtke wrote:
> Right and not :-(

Sadly, our crystal ball is in revision.  So please do as you are told
and read http://www.postfix.org/DEBUG_README.html#mail.

Bastian

--
The heart is not a logical organ.
                -- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4

Re: reject_unknown_sender_domain seems not to work

Wietse Venema
In reply to this post by Lars Liedtke
Lars Liedtke:
> Wrong: even with a domain that does not exist and a DNS lookup that delivers
> NXDOMAIN, the domain is still not rejected.
>
> $ drill dgibsjaganicht.de
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 31428

Please provide evidence that this query uses the same
resolver as Postfix.

Use tcpdump or some equivalent.

        Wietse
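
A configuration-level complement to the packet capture requested above, as an added example that is not part of any message in this thread: when smtpd runs chrooted, the resolver library reads etc/resolv.conf below the queue directory instead of /etc/resolv.conf, so a lookup typed into a shell can reach a different DNS server than Postfix does. The function names, the file paths in check_host and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: does a chrooted smtpd see the same resolvers as the shell?

# Print the nameserver addresses of a resolv.conf-style file, sorted.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# Succeed if master.cf runs the inet smtpd service chrooted (5th column "y").
# A "-" there means the built-in default, which depends on the Postfix version.
smtpd_chrooted() {
    awk '$1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" && $5 == "y" { found = 1 }
         END { exit !found }' "$1"
}

# Compare resolver lists. Returns 0 = same, 1 = different, 2 = chroot copy missing.
compare_resolvers() {
    [ -r "$2" ] || return 2
    [ "$(nameservers "$1")" = "$(nameservers "$2")" ]
}

# Check on a real host (assumed usual paths; adjust for your distribution).
check_host() {
    qdir=$(postconf -h queue_directory) || return 3
    cfdir=$(postconf -h config_directory) || return 3
    smtpd_chrooted "$cfdir/master.cf" || { echo "smtpd is not chrooted"; return 0; }
    compare_resolvers /etc/resolv.conf "$qdir/etc/resolv.conf"
}

# Offline demonstration on constructed sample files (not taken from the thread):
# the shell sees 10.0.2.3, the chroot copy still lists another server.
demo() {
    d=$(mktemp -d) || return 3
    printf 'nameserver 10.0.2.3\n' > "$d/system.conf"
    printf 'nameserver 192.0.2.53\n' > "$d/chroot.conf"
    printf 'smtp inet n - y - - smtpd\n' > "$d/master.cf"
    rc=0
    if smtpd_chrooted "$d/master.cf"; then
        compare_resolvers "$d/system.conf" "$d/chroot.conf" || rc=$?
    fi
    rm -rf "$d"
    return "$rc"
}

demo
echo "demo result: $? (0 = same resolvers, 1 = different, 2 = chroot copy missing)"
```

On a mail server, call check_host instead of demo; a result of 1 or 2 means drill and smtpd are not asking the same resolver, which a packet capture can then confirm.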