On 08.02.2013 10:42, Angel L. Mateo wrote:
> On 08/02/13 10:02, Robert Schetterer wrote:
>> On 08.02.2013 09:29, Angel L. Mateo wrote:
>>> Hello,
>>>
>>>      I have list servers that send mail through other relay servers.
>>> With this configuration all mail sent from our mail servers is
>>> delivered through our relay servers. All servers use postfix (list
>>> servers use 2.7.0 and relay 2.5.5)
>>>
>>>      We are having problems with dns lookups to one domain. I know it is
>>> not a postfix problem, but a dns configuration error in that domain. But it
>>> is affecting our servers.
>>>
>>>      The problem is that whenever the relay server receives a mail
>>> directed to that domain, I get the error "conversation with <mail
>>> server> timed out while sending MAIL FROM". And as the list servers group
>>> messages, all recipients in that group are rejected.
>>
>> as a workaround you can use a dedicated transport for that domain
>>
>>
>>>
>>>      I've been looking for the problem on that domain and it is a timeout
>>> problem. Due to some problem in its configuration, I never get an
>>> answer (the domain exists, but it doesn't answer).
>>
>> what does not answer, their mailserver, your dns?
>>
>     Their DNS doesn't respond. If I query it manually with dig, I get a
> timeout with no answer.
> 
>     The problem I'm having is that my relay server has
> 
> smtpd_recipient_restrictions =
>         reject_non_fqdn_recipient,
>         reject_unknown_recipient_domain,
>         check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>         check_recipient_access hash:/etc/postfix/verified_recipient_checks,
>         check_policy_service inet:127.0.0.1:10031,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_recipient_maps,
>         permit
> 
>     and it is timing out in reject_unknown_recipient_domain. As the
> server doesn't have any answer, the smtp connections from my list servers
> are completely timing out.
> 
>     I guess it could be a better behaviour if in this situation my relay
> server could return a 450 for this domain (at least, with this behaviour
> my list server could try with other recipients of the message)

this should be the default, unless you didn't change or override it

reject_unknown_recipient_domain
    Reject the request when Postfix is not final destination for the
recipient domain, and the RCPT TO domain has 1) no DNS A or MX record or
2) a malformed MX record such as a record with a zero-length MX hostname
(Postfix version 2.3 and later).
    The unknown_address_reject_code parameter specifies the numerical
response code for rejected requests (default: 450). The response is
always 450 in case of a temporary DNS error.


> 
>> you should invest more time in analysing the real problem
>> i.e. some routing problems may cause it
> 
>     Solving the problem with this particular domain (which is not mine),
> solves my problem now, but not future similar problems. So I think it
> would be better to avoid the situation.
> 

as far as I remember, all dns checks have a tmp failure code
by default. Sometimes it makes sense to change some of them globally; this
is kind of a design question. However, you may construct bypasses with
smtpd_restriction_classes too, depending on e.g. some IP address etc.

http://www.postfix.org/RESTRICTION_CLASS_README.html

in your case, the question seems to be at what server and at what point you
want to react with what error on dns rejects


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
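
Added example (not part of the original thread and not Postfix code): a small Python triage script for the list-server side of the situation discussed above. It finds the recipient domain that appears in every transaction deferred with "timed out while sending" and never in a successful delivery. The log lines, host names, queue IDs and domains are constructed placeholders, and the function name `suspect_domains` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed list-server log lines (placeholders, not taken from the thread).
SAMPLE_LOG = """\
Feb  8 09:12:01 list1 postfix/smtp[2101]: 3F2A1C0042: to=<a@ok-one.example>, relay=relay.example.net[192.0.2.10]:25, delay=301, dsn=4.4.2, status=deferred (conversation with relay.example.net[192.0.2.10] timed out while sending MAIL FROM)
Feb  8 09:12:01 list1 postfix/smtp[2101]: 3F2A1C0042: to=<b@ok-two.example>, relay=relay.example.net[192.0.2.10]:25, delay=301, dsn=4.4.2, status=deferred (conversation with relay.example.net[192.0.2.10] timed out while sending MAIL FROM)
Feb  8 09:12:01 list1 postfix/smtp[2101]: 3F2A1C0042: to=<c@broken-dns.example>, relay=relay.example.net[192.0.2.10]:25, delay=301, dsn=4.4.2, status=deferred (conversation with relay.example.net[192.0.2.10] timed out while sending MAIL FROM)
Feb  8 09:20:44 list1 postfix/smtp[2107]: 7B90D10013: to=<d@ok-one.example>, relay=relay.example.net[192.0.2.10]:25, delay=300, dsn=4.4.2, status=deferred (conversation with relay.example.net[192.0.2.10] timed out while sending MAIL FROM)
Feb  8 09:20:44 list1 postfix/smtp[2107]: 7B90D10013: to=<e@broken-dns.example>, relay=relay.example.net[192.0.2.10]:25, delay=300, dsn=4.4.2, status=deferred (conversation with relay.example.net[192.0.2.10] timed out while sending MAIL FROM)
Feb  8 09:31:10 list1 postfix/smtp[2110]: A1C5E2009F: to=<a@ok-one.example>, relay=relay.example.net[192.0.2.10]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1D2E0077)
Feb  8 09:31:10 list1 postfix/smtp[2110]: A1C5E2009F: to=<b@ok-two.example>, relay=relay.example.net[192.0.2.10]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1D2E0077)
"""

# Postfix smtp(8) delivery record: queue ID, recipient domain, status, reason.
LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>@]+@(?P<dom>[^>]+)>"
    r".*?status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def suspect_domains(log_text):
    """Return domains present in every timed-out transaction and never delivered."""
    timed_out = defaultdict(set)  # queue ID -> recipient domains deferred by timeout
    delivered = set()             # domains the relay accepted at least once
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        dom = m["dom"].lower()
        if m["status"] == "sent":
            delivered.add(dom)
        elif m["status"] == "deferred" and "timed out while sending" in m["reason"]:
            timed_out[m["qid"]].add(dom)
    if not timed_out:
        return set()
    # The stalling domain must be in every failed transaction; the other
    # domains grouped with it are collateral and show up as delivered elsewhere.
    return set.intersection(*timed_out.values()) - delivered


if __name__ == "__main__":
    print(suspect_domains(SAMPLE_LOG))
```

An empty result means no single domain explains all the timeouts, in which case the relay or the network path is the more likely cause.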
