On 3 Oct 2012, at 14:48, Wietse Venema wrote:
Bill Cole:
I recently updated a Postfix system from 2.4 to 2.9 and I have found
what I believe is a change in behavior for
reject_unknown_sender_domain
which is confusing. In the past, an effective means of dealing with
some
Sort answer: Postfix does not pass SERVFAIL, it just rejects them
later.
Long answer: Postfix 2.6 and later reject the unknown sender
- With $unknown_address_tempfail_action after temporary lookup error
(including timeout and SERVFAIL). Earlier Postfix versions
hard-coded the result.
- With $unknown_address_reject_code after all other lookup errors.
This is what I would expect, based on the documentation. However, it is
accepting and delivering mail whose sender domain yields a SERVFAIL and
I can't figure out why. Note that as I stated in my first message,
Postfix *is* rejecting sender domains with definitive lack of DNS.
Here's a simple test message sent by hand from a machine with no special
trust:
***BEGIN MESSAGE
Return-Path: <domain.spam...@dfleur.com>
X-Original-To: b...@scconsult.com
Delivered-To: d...@toaster.scconsult.com
Received: from sirius.cipherspace.net (sirius.CipherSpace.net
[74.115.116.138])
by toaster.scconsult.com (Postfix) with ESMTP id 3XX4dN3MM4zkV2V
for <b...@scconsult.com>; Wed, 3 Oct 2012 13:55:20 -0400 (EDT)
Subject: How is it that this works?
To: <b...@scconsult.com>
From: <domain.spam...@dfleur.com>
X-Spam-Score: 1.461 (*)
BAYES_50,MISSING_DATE,NO_DNS_FOR_FROM,SCC_DEBUG,SCC_RCVD_FORMAT_NOT_SENDMAIL
X-Spam-Status: No, score=1.461 required=4.3
tests=[BAYES_50,MISSING_DATE,NO_DNS_FOR_FROM,SCC_DEBUG,SCC_RCVD_FORMAT_NOT_SENDMAIL]
The domain doesn't resolve. Yet Postfix takes it. Hmmm...
****END MESSAGE
The log shows nothing interesting:
lazarus:~# grep 3XX4dN3MM4zkV2V /var/log/mail.log
Oct 3 13:55:20 lazarus postfix/smtpd[632]: 3XX4dN3MM4zkV2V:
client=sirius.CipherSpace.net[74.115.116.138]
Oct 3 13:56:45 lazarus postfix/cleanup[638]: 3XX4dN3MM4zkV2V:
message-id=<>
Oct 3 13:56:46 lazarus mimedefang.pl[64141]: 3XX4dN3MM4zkV2V:
MDLOG,3XX4dN3MM4zkV2V,spam,1.461,74.115.116.138,<domain.spam...@dfleur.com>,<b...@scconsult.com>,How
is it that this works?
Oct 3 13:56:46 lazarus mimedefang.pl[64141]: 3XX4dN3MM4zkV2V:
3XX4dN3MM4zkV2V: SA: 1.461 (*)
BAYES_50,MISSING_DATE,NO_DNS_FOR_FROM,SCC_DEBUG,SCC_RCVD_FORMAT_NOT_SENDMAIL
Oct 3 13:56:46 lazarus postfix/qmgr[72555]: 3XX4dN3MM4zkV2V:
from=<domain.spam...@dfleur.com>, size=410, nrcpt=1 (queue active)
Oct 3 13:56:47 lazarus postfix/local[653]: 3XX4dN3MM4zkV2V:
to=<d...@toaster.scconsult.com>, orig_to=<b...@scconsult.com>,
relay=local, delay=87, delays=87/0.02/0/0.13, dsn=2.0.0, status=sent
(delivered to command: /usr/bin/procmail -Y )
Oct 3 13:56:47 lazarus postfix/qmgr[72555]: 3XX4dN3MM4zkV2V: removed
lazarus:~#
DNS is definitely failing for dfleur.com, as the hit on the SA rule
"NO_DNS_FOR_FROM" indicates and as confirmed by a manual query:
lazarus:~# dig dfleur.com mx
; <<>> DiG 9.9.1-P3 <<>> dfleur.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dfleur.com. IN MX
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 3 15:07:35 2012
;; MSG SIZE rcvd: 39
lazarus:~ root# dig dfleur.com A
; <<>> DiG 9.9.1-P3 <<>> dfleur.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dfleur.com. IN A
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 3 15:07:44 2012
;; MSG SIZE rcvd: 39
lazarus:~#
And finally, confirming the relevant config variables:
lazarus:~# postconf unknown_address_tempfail_action
reject_tempfail_action unknown_address_reject_code
unknown_address_tempfail_action = $reject_tempfail_action
reject_tempfail_action = defer_if_permit
unknown_address_reject_code = 553
lazarus:~#
The only quirk I can think of in the config (included in my first
message) is that the naming of the machine and the domains it accepts
and locally delivers mail for is a bit of a tangle as an artifact of
historical architectural evolution. I don't see anything in that which
would redeem a message that otherwise deserves deferral or rejection.
