On 2016-02-20 16:45, Curtis Maurand wrote:
Not sure if I found something or not. A client tried to send email
to one of my other addresses. The requisite portion of the main.cf
follows at the end of the message. The logs are telling me:
Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname
delivery.mailspamprotection.com does not resolve to address
108.163.243.188
Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from
unknown[108.163.243.188]
Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT
from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot
find your hostname, [108.163.243.188];
from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP
helo=<delivery.mailspamprotection.com>
Have you had dns lookup problems? This is a temporary error and the
client should retry delivery
Feb 19 16:30:30 ispconfig postfix/smtpd[18437]: disconnect from
unknown[108.163.243.188]
deliver.mailspamprotection.com resolves to a lot of addresses (and
this is a partial list):
dig delivery.mailspamprotection.com |grep 108.163.243
delivery.mailspamprotection.com. 30 IN A 108.163.243.188
delivery.mailspamprotection.com. 30 IN A 108.163.243.187
delivery.mailspamprotection.com. 30 IN A 108.163.243.189
delivery.mailspamprotection.com. 30 IN A 108.163.243.190
delivery.mailspamprotection.com. 30 IN A 108.163.243.186
and
;188.243.163.108.in-addr.arpa. IN PTR
;; ANSWER SECTION:
188.243.163.108.in-addr.arpa. 3600 IN PTR
delivery.mailspamprotection.com.
given such a round robin setup, does postfix account for this when
performing it's hostname lookup? This email should not have been
rejected for any kind of ip mismatch. Forward, reverse and helo all
match.
Thanks,
Curtis
smtpd_sender_restrictions =
check_sender_access regexp:/etc/postfix/tag_as_originating.re
permit_mynetworks,
permit_sasl_authenticated,
check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
regexp:/etc/postfix/tag_as_foreign.re
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access
mysql:/etc/postfix/mysql-virtual_client.cf,
reject_unknown_client,
this restriction causes the reject, see
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
reject_unknown_client_hostname (with Postfix < 2.3:
reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2)
the name->address mapping fails, or 3) the name->address mapping does
not match the client IP address.
This is a stronger restriction than the
reject_unknown_reverse_client_hostname feature, which triggers only
under condition 1) above.
The unknown_client_reject_code parameter specifies the response code for
rejected requests (default: 450). The reply is always 450 in case the
address->name or name->address lookup failed due to a temporary problem.
reject_unknown_reverse_client_hostname is considered the safer
alternative but in your case maybe removing it altogether allows more
legitimate mail through.
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org
--
Curtis Maurand
cur...@maurand.com
207-252-7748
--
Christian Kivalo
