I agree about the nameserver, but unfortunately I don't have a choice.
I'm required to use this one.
I'm not as familiar with DNS as I should be, but is there a temporary
error code the nameserver could return instead, that would cause Postfix
to defer this mail?
Another question. As far as Postfix is concerned, is there a difference
between a domain with no mx record and a domain where there is an mx
record, but it's not resolvable?
P.S.
I'm not sure it matters, but I am running a caching nameserver on the
mail relay.
On 2018-06-28 2:28 pm, Viktor Dukhovni wrote:
> On Jun 28, 2018, at 3:23 PM, li...@mbchandler.net wrote:
>
>> I have email relays that relay/filter email between the internet and
>> our internal network. I must use the DNS servers we maintain and those
>> servers use a DNS blacklisting service. The problem I'm having is that
>> when a legitimate domain is blacklisted,
>
> Presumably you're interested in blacklisting sending domains, not
> receiving domains.
>
>> I see log messages like the ones below and the email is bounced. In
>> the situation that brought this up, both the sender and recipient
>> domain were blocked so the bounce went nowhere. Since these
>> blacklistings are temporary, maybe several hours, I'd like to defer
>> this mail and have postfix try again later. That way mail will
>> eventually go through and nothing is lost. Is there a way to do this?
>>
>> Jun 23 04:53:14 mx postfix/smtp[24776]: warning: no MX host for
>> domain.com has a valid address record
>> Jun 23 04:53:37 mx postfix/smtp[4838]: 9071C1809199:
>> to=<recipi...@domain.com>, relay=none, delay=0.05, delays=0.04/0/0/0,
>> dsn=5.4.4, status=bounced (Host or domain name not found. Name service
>> error for mx.domain.com type=A: Host not found)
>
> Instead of returning a temporary error code, the nameserver is lying
> and saying that the host does not exist. The correct solution is to
> NOT use this nameserver for DNS lookups for outbound mail.
>
>> (To be clear, an mx record for domain.com was found (mx.domain.com),
>> but that name could not be resolved to an IP because of the
>> blacklist.)
>
> You could make all DNS lookup failures soft, but that would be a bad
> idea, as users who typo an address won't get prompt bounces.
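The thread turns on the difference between a permanent DNS answer ("Host not found", logged with dsn=5.4.4 and status=bounced) and a temporary one (which Postfix would defer and retry). The script below is an added example written for this thread; it is not code from the thread or from Postfix. It parses Postfix smtp(8) delivery records and sorts them into DNS-caused bounces, DNS-caused deferrals and everything else, so an operator can see how many messages a blacklisting nameserver is turning into permanent failures. The first two sample log lines are copied from the thread (the elided recipient is kept as posted); the deferral and sent lines, their queue IDs, the example.net/example.org names and the dsn=4.4.3 value used for the temporary case are constructed assumptions for the example.

```python
"""Classify Postfix smtp(8) delivery log lines by how a DNS failure was handled.

Added example for this thread; not code from the thread or from Postfix.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Lines 1-2 are copied from the thread (the elided
# recipient "recipi...@domain.com" is kept as posted); lines 3-4 are invented
# for this example (queue IDs, example.net/example.org, dsn=4.4.3 assumed as
# the temporary counterpart of 5.4.4).
SAMPLE_LOG = """\
Jun 23 04:53:14 mx postfix/smtp[24776]: warning: no MX host for domain.com has a valid address record
Jun 23 04:53:37 mx postfix/smtp[4838]: 9071C1809199: to=<recipi...@domain.com>, relay=none, delay=0.05, delays=0.04/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for mx.domain.com type=A: Host not found)
Jun 23 05:10:02 mx postfix/smtp[5120]: 1A2B3C4D5E6F: to=<someone@example.net>, relay=none, delay=0.07, delays=0.05/0/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for mx.example.net type=A: Host not found, try again)
Jun 23 05:11:45 mx postfix/smtp[5121]: 0F1E2D3C4B5A: to=<user@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# One delivery record: "<queue id>: to=<rcpt>, relay=..., ..., dsn=x.y.z, status=word (reason)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-Za-z]+): "
    r"to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# The resolver-failure text Postfix embeds in the reason, as seen in the thread.
NS_ERROR_RE = re.compile(r"Name service error for (?P<name>\S+) type=(?P<rrtype>\w+):")


@dataclass
class Delivery:
    queue_id: str
    rcpt: str
    dsn: str
    status: str
    reason: str
    kind: str                  # "dns_bounce", "dns_defer" or "other"
    lookup_name: Optional[str] = None   # name whose lookup failed, if any
    lookup_type: Optional[str] = None   # RR type of that lookup (e.g. "A")


def classify(line: str) -> Optional[Delivery]:
    """Parse one smtp(8) delivery record. Returns None for non-delivery lines,
    such as the 'warning: no MX host ...' line in the thread."""
    m = DELIVERY_RE.search(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    ns = NS_ERROR_RE.search(d["reason"])
    if ns and d["dsn"].startswith("5."):
        kind = "dns_bounce"    # permanent: the nameserver answered "does not exist"
    elif ns and d["dsn"].startswith("4."):
        kind = "dns_defer"     # temporary: Postfix keeps the mail queued and retries
    else:
        kind = "other"
    return Delivery(
        d["queue_id"], d["rcpt"], d["dsn"], d["status"], d["reason"], kind,
        ns.group("name") if ns else None,
        ns.group("rrtype") if ns else None,
    )


def summarize(log_text: str) -> Dict[str, List[Delivery]]:
    """Group every delivery record in the log by kind."""
    groups: Dict[str, List[Delivery]] = {"dns_bounce": [], "dns_defer": [], "other": []}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is not None:
            groups[rec.kind].append(rec)
    return groups


if __name__ == "__main__":
    for kind, recs in summarize(SAMPLE_LOG).items():
        for r in recs:
            lookup = f"{r.lookup_name} {r.lookup_type}" if r.lookup_name else "-"
            print(f"{kind:10} {r.queue_id} {r.rcpt:28} dsn={r.dsn} lookup={lookup}")
```

Run against a real mail log, a non-empty `dns_bounce` group whose `lookup_name` values are well-known domains is the symptom the thread describes: the resolver is answering "not found" for names that exist, and Postfix is correctly bouncing on that answer.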