CentOS-6.6
Postfix-2.11.1

I am still unable to receive mail from this particular UPS email source, which
is a web-based password reset interface.  We receive other mail sent directly
from ups.com.

I have added this to helo_checks.pcre:

/^SUASMTP.upsdiv.com$/                              OK

I have added this to /etc/postfix/sender_access:

upsdocs.com                                         OK
.upsdocs.com                                        OK

I have run postmap and reloaded postfix and yet we still see this error
message when our staff request a password reset:


Jan  2 09:31:39 inet08 postfix-p25/smtpd[31166]: NOQUEUE: reject: RCPT from
upsmailer.acsbps.com[216.115.165.7]: 450 4.1.8 <ica.servi...@upsdocs.com>:
Sender address rejected: Domain not found; from=<ica.servi...@upsdocs.com>
to=<x...@harte-lyne.ca> proto=ESMTP helo=<SUASMTP.upsdiv.com>

I note that upsdocs.com has neither A nor MX RRs, see dig output below, and
that we have the following:

smtpd_sender_restrictions =
  permit_mynetworks,
  check_sender_access hash:/etc/postfix/sender_access,
  check_sender_mx_access hash:/etc/postfix/sender_mx_access,
  check_sender_ns_access hash:/etc/postfix/sender_ns_access,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

Both:
  check_sender_mx_access hash:/etc/postfix/sender_mx_access
and:
  check_sender_ns_access hash:/etc/postfix/sender_ns_access

do not support OK, only DUNNO, so I am guessing that this is where the problem
is, although I cannot see how sender_access is not working.  I just lack the
imagination to determine how to handle it without screwing up something else.

So, I have to ask: What am I missing?  What configuration change must I make
to let this stuff in without opening the same path to the whole Internet?


# dig upsdocs.com ANY

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> upsdocs.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37184
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;upsdocs.com.                   IN      ANY

;; ANSWER SECTION:
upsdocs.com.            3600    IN      TXT     "v=spf1 ip4:216.115.165.7 ~all"
upsdocs.com.            3600    IN      SOA     resolve01.sslra.com. internet.ups.com. 388909522 600 10800 604800 600
upsdocs.com.            3600    IN      NS      nsa.ups.com.
upsdocs.com.            3600    IN      NS      nsb.ups.com.

;; AUTHORITY SECTION:
upsdocs.com.            3600    IN      NS      nsb.ups.com.
upsdocs.com.            3600    IN      NS      nsa.ups.com.

;; ADDITIONAL SECTION:
nsa.ups.com.            172713  IN      A       153.2.242.115
nsb.ups.com.            172713  IN      A       153.2.244.155

;; Query time: 63 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan  2 10:07:40 2015
;; MSG SIZE  rcvd: 232

I note that it has neither A nor MX address and that we have


# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 30m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 209.47.176.0/26, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 40960000
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.hamilton.smtp.crt
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.hamilton.smtp.key
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce,
reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated,
reject_invalid_hostname, reject_unauth_destination, reject_unauth_pipelining,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
check_policy_service unix:private/policyd-spf, sleep 1, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_access, check_sender_mx_access
hash:/etc/postfix/sender_mx_access, check_sender_ns_access
hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.hamilton.smtp.crt
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.hamilton.smtp.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,
regexp:/etc/postfix/virtual.regexp

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
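
Added example, not part of the original post and not Postfix code: a simplified Python model of how smtpd walks its restriction lists, applied to the two lists in the postconf -n output above. Postfix evaluates each smtpd_*_restrictions list separately, so an OK from sender_access ends only smtpd_sender_restrictions, and the reject_unknown_sender_domain in smtpd_recipient_restrictions still runs. The sender addresses, the DUNNO treatment of unrelated restrictions and the reordered recipient list are assumptions.

```python
# Simplified model of Postfix smtpd restriction-list evaluation (added example).
# An OK/permit ends only the list it occurs in; a reject ends the transaction.
SENDER_ACCESS = {"upsdocs.com": "OK", ".upsdocs.com": "OK"}  # from the post
RESOLVABLE = set()  # per the dig output: upsdocs.com has neither A nor MX

def check(restriction, sender):
    """Return 'OK', a 'REJECT ...' string, or None (DUNNO) for one restriction."""
    domain = sender.rsplit("@", 1)[1].lower()
    if restriction == "check_sender_access":
        return SENDER_ACCESS.get(domain)  # exact-domain lookup only in this model
    if restriction == "reject_unknown_sender_domain" and domain not in RESOLVABLE:
        return "REJECT 450 4.1.8 Sender address rejected: Domain not found"
    if restriction == "permit":
        return "OK"
    # Assumption: every other restriction is DUNNO for this client and sender
    # (outside mynetworks, no SASL, FQDN sender, recipient in a local domain).
    return None

def evaluate(lists, sender):
    """Walk the lists in order; return (list_name, restriction, result)."""
    for name, restrictions in lists:
        for restriction in restrictions:
            result = check(restriction, sender)
            if result and result.startswith("REJECT"):
                return name, restriction, result
            if result == "OK":
                break  # leaves this list only; later lists still run
    return None, None, "OK"

SENDER = ["permit_mynetworks", "check_sender_access", "check_sender_mx_access",
          "check_sender_ns_access", "permit_sasl_authenticated",
          "reject_non_fqdn_sender", "reject_unknown_sender_domain", "permit"]
RECIPIENT = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
             "reject_non_fqdn_sender", "reject_unknown_sender_domain",
             "permit_mynetworks", "permit_sasl_authenticated",
             "reject_invalid_hostname", "reject_unauth_destination",
             "reject_unauth_pipelining", "check_policy_service", "permit"]
# Hypothetical reordering: relay check first, then the sender map, so the
# exemption applies only to mail addressed to this server's own domains.
RECIPIENT_FIXED = (RECIPIENT[:2] + ["reject_unauth_destination", "check_sender_access"]
                   + [r for r in RECIPIENT[2:] if r != "reject_unauth_destination"])

def posted_config(sender):
    return evaluate([("smtpd_sender_restrictions", SENDER),
                     ("smtpd_recipient_restrictions", RECIPIENT)], sender)

def reordered_config(sender):
    return evaluate([("smtpd_sender_restrictions", SENDER),
                     ("smtpd_recipient_restrictions", RECIPIENT_FIXED)], sender)
```

In the reordered list an OK from sender_access also skips the later policy-service checks for that sender domain, while senders not listed in the map are still rejected by reject_unknown_sender_domain.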
