On 3/12/2013 1:10 PM, Alex wrote:
> Hi all,
> 
> I realize questions about this error are all over the Internet, but
> they all involve fixing the broken DNS entries, which I can't do in my
> situation. I need to figure out how to work around this unresolvable
> address using access controls. This is for a postfix-2.9 system on
> fc17.
> 
> I'm receiving the following error because the tank.sub1.domain.com
> host doesn't resolve and is being rejected by my configuration. I've
> created a "special" check_sender_access file that's listed in
> smtpd_recipient_access prior to the reject_unknown_sender_domain, but
> it still doesn't work.
> 
> Mar 12 13:54:28 mail02 postfix/smtpd[24053]: NOQUEUE: reject: RCPT
> from unknown[64.68.76.15]: 450 4.1.8 <appl...@tank.sub1.domain.com>:
> Sender address rejected: Domain not found;
> from=<appl...@tank.sub1.domain.com> to=<s...@mydomain.com> proto=ESMTP
> helo=<mx02.example.com>

This is being rejected by the reject_unknown_sender_domain
restriction.  The 450 suggests it's a temporary failure of some
sort, but that doesn't mean it will correct itself without action by
the remote sysadmin.

> 
> In my check_sender_access file I have the following:
> 
> 64.68.76.15             OK

IPs are always a client property, only checked with
check_client_access.  In addition to the client IP,
check_client_access also checks the verified remote client hostname,
logged as "unknown" in your example above.

> appl...@tank.sub1.domain.com OK

OK, that appears to match what postfix logs as the sender address.
Postfix only logs and only uses the envelope sender.  The From:
header is never logged nor used by postfix; it's for end-user
display only.

That's the correct address to use for a check_sender_access map.
check_sender_access is always the envelope sender email address, or
the domain part of the email address.


> .sub1.domain.com OK

The "preceding dot" form will be ignored unless your non-default
parent_domain_matches_subdomains setting does NOT include
smtpd_access_maps.


> 
> My smtpd_recipient_restrictions are below. I've had to create this
> crazy sender_checks_special file that appears before the normal
> sender_checks file because I was concerned that the
> reject_unknown_sender_domain was rejecting the mail first. I don't
> know the proper way to do this.
> 
> smtpd_recipient_restrictions =
>         reject_non_fqdn_recipient,
>         check_client_access hash:/etc/postfix/client_checks_special,
>         check_sender_access hash:/etc/postfix/sender_checks_special,

This is your special non-existent sender check?  It must be AFTER
reject_unauth_destination, and BEFORE reject_unknown_sender_domain.

You likely have another reject_unknown_sender_domain under one of
the other smtpd_*_restrictions sections; remove it.  No need to use
it twice.


>         reject_non_fqdn_sender,
>         reject_unlisted_recipient,
>         permit_mynetworks,
>         reject_unauth_destination,

  >>> put overrides/whitelists here <<<

>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>         reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>         reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>         check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>         reject_invalid_helo_hostname,
>         check_client_access hash:/etc/postfix/client_checks,
>         check_sender_access hash:/etc/postfix/sender_checks,
>         check_recipient_access pcre:/etc/postfix/relay_recips_access,
>         permit
> 
> I'd gratefully appreciate any help on the proper way to do this. I'm
> actually not even sure that the appl...@tank.sub1.domain.com is the
> "envelope from" and not the "From:", which I guess would be listed in
> client_checks.
> 
> Thanks,
> Alex
> 



  -- Noel Jones
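
The ordering advice in this reply, shown as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of how each smtpd_*_restrictions list is evaluated on its own, first decision wins. The addresses, domains and the second copy of reject_unknown_sender_domain in smtpd_sender_restrictions are constructed assumptions.

```python
# Simplified model of Postfix smtpd access evaluation; not Postfix code.
# A restriction returns "OK", "REJECT" or None (no decision); the first
# decision ends that list only. A REJECT from any list rejects the RCPT.
SENDER_MAP = {"sender@tank.sub1.example.com": "OK",  # constructed address
              "192.0.2.15": "OK"}                    # IP key: never consulted
RESOLVABLE = {"mydomain.example", "example.net"}     # constructed DNS state
LOCAL = {"mydomain.example"}                         # domains we accept mail for

def domain(addr):
    return addr.split("@", 1)[1]

def check_sender_access(m):
    # Looks up the envelope sender, then its domain; never the client IP.
    s = m["sender"]
    return SENDER_MAP.get(s) or SENDER_MAP.get(domain(s))

def reject_unauth_destination(m):
    return None if domain(m["rcpt"]) in LOCAL else "REJECT"

def reject_unknown_sender_domain(m):
    # Real Postfix answers 450 here; the model treats that as a reject.
    return None if domain(m["sender"]) in RESOLVABLE else "REJECT"

def decide(config, m):
    for name, restrictions in config.items():
        verdict = next((v for v in (r(m) for r in restrictions) if v), "OK")
        if verdict == "REJECT":
            return "REJECT by " + name
    return "ACCEPT"

# Whitelist first in the recipient list, plus an assumed second copy of
# reject_unknown_sender_domain in smtpd_sender_restrictions.
AS_POSTED = {"smtpd_sender_restrictions": [reject_unknown_sender_domain],
             "smtpd_recipient_restrictions": [check_sender_access,
                 reject_unauth_destination, reject_unknown_sender_domain]}
# Duplicate removed, whitelist still ahead of reject_unauth_destination.
EARLY_OK = {"smtpd_recipient_restrictions":
            AS_POSTED["smtpd_recipient_restrictions"]}
# Ordering from the reply: relay check, then whitelist, then the DNS check.
AS_ADVISED = {"smtpd_recipient_restrictions": [reject_unauth_destination,
                  check_sender_access, reject_unknown_sender_domain]}

wanted = {"client": "192.0.2.15", "sender": "sender@tank.sub1.example.com",
          "rcpt": "user@mydomain.example"}
relay = dict(wanted, rcpt="someone@example.net")  # same sender, foreign rcpt

if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("early OK", EARLY_OK),
                       ("as advised", AS_ADVISED)]:
        print(f"{label:10} wanted: {decide(cfg, wanted):38} relay: {decide(cfg, relay)}")
```

In the model, an OK placed ahead of reject_unauth_destination accepts the foreign-recipient message as well as the wanted one, which is why the whitelist belongs after the relay check.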
