DevHeads.net

A problem I'm not sure how best to solve

I have a perplexing puzzle thrust upon me.

Consider the following:

Oct 8 15:55:33 minbar postfix/smtpd[7422]: NOQUEUE: reject: RCPT from
rs230.mailgun.us[209.61.151.230]: 551 5.1.8 < ... at mg dot pluspora.com>:
Sender address rejected: Domain not found;
from=<bounce+db1162.5fcd4c-alrekr=caerllewys. ... at mg dot pluspora.com>
to=< ... at caerllewys dot net> proto=ESMTP helo=<rs230.mailgun.us>

mailgun.us is connecting with a good HELO, and appears to be authorized
to send mail on behalf of pluspora.com, but the mail has a sender
address that is bad because mg.pluspora.com does not resolve in DNS, and
so the mail is rejected.

I want to TEMPORARILY (I hope) whitelist ... at mg dot pluspora.com as a
sender address as long as the mail is being sent by mailgun.us.

How would you do it?

Comments

Re: A problem I'm not sure how best to solve

By Matus UHLAR - f... at 10/09/2018 - 03:37

On 08.10.18 22:42, Phil Stracchino wrote:
Correct.

I would not whitelist mail from a domain that is not deliverable.
They should fix their DNS first.

But if you really want to whitelist them, you must add it to an access list
which will be parsed before reject_unknown_sender_domain.

Re: A problem I'm not sure how best to solve

By Phil Stracchino at 10/09/2018 - 09:56

Well, I normally wouldn't either, this is just a temporary patch until
they fix their DNS.

Re: A problem I'm not sure how best to solve

By Philip Paeps at 10/09/2018 - 03:33

On 2018-10-08 22:42:27 (-0400), Phil Stracchino wrote:
You could add a check_sender_access which returns OK for mg.pluspora.com
before the reject_unknown_sender_domain in smtpd_recipient_restrictions.

(Guessing, because you didn't include your configuration.)

Philip

Re: A problem I'm not sure how best to solve

By Phil Stracchino at 10/09/2018 - 09:58

Yeah, I tried that as a quick-and-dirty temporary patch; I'm a little
surprised that it appears not to have worked.

......DOH! Because I inadvertently typed check_*client*_access instead
of check_sender...

OK, let's try this again.

Re: A problem I'm not sure how best to solve

By Viktor Dukhovni at 10/09/2018 - 10:03

I hope you did not forget that "check_sender_access" returning
"OK" must not be used in smtpd_recipient_restrictions prior to
"reject_unauth_destination", unless your configuration is a bit
more "modern" and uses "smtpd_relay_restrictions" to restrict
relay access.

Re: A problem I'm not sure how best to solve

By Phil Stracchino at 10/09/2018 - 11:12

On 10/9/18 11:03 AM, Viktor Dukhovni wrote:

Indeed, reject_unauth_destination is my third rule, after
permit_mynetworks and permit_tls_clientcerts. And it's my *second*
rule, after permit_tls_clientcerts, in smtpd_relay_restrictions.

Re: A problem I'm not sure how best to solve

By Jan P. Kessler at 10/09/2018 - 05:10

s/OK/permit_auth_destination/

reduces the chance to become an open relay for that sender

Re: A problem I'm not sure how best to solve

By Phil Stracchino at 10/09/2018 - 09:56

On 10/9/18 6:10 AM, Jan P. Kessler wrote:
Good call. Thanks, I didn't think of that.
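
The approach the replies above converge on, written out as an added example (not configuration posted by anyone in the thread): the sender exception sits after reject_unauth_destination, before reject_unknown_sender_domain, returns permit_auth_destination rather than OK, and is reached only for mailgun.us clients through a restriction class. The class name, the two map file names, the hash: map type and the placement of reject_unknown_sender_domain in smtpd_recipient_restrictions are assumptions.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Hypothetical restriction class: it is evaluated only when the client
# lookup below returns its name, so the sender exception never applies
# to mail arriving from any other client.
smtpd_restriction_classes = mailgun_sender_exception
mailgun_sender_exception =
    check_sender_access hash:/etc/postfix/sender_exception

# Rule order: the first three rules are the ones described in the thread.
# The client lookup comes AFTER reject_unauth_destination, so an
# exception can never authorize relaying, and BEFORE
# reject_unknown_sender_domain, so it is consulted before the DNS check
# that produced the "Domain not found" reject.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    reject_unauth_destination
    check_client_access hash:/etc/postfix/client_exception
    reject_unknown_sender_domain

# ---- /etc/postfix/client_exception (assumed file name) ----
# Matches the verified client hostname. With the default
# parent_domain_matches_subdomains setting (which includes
# smtpd_access_maps) this key also matches rs230.mailgun.us;
# otherwise the key must be written as .mailgun.us
mailgun.us          mailgun_sender_exception

# ---- /etc/postfix/sender_exception (assumed file name) ----
# permit_auth_destination instead of OK: the mail is accepted only when
# the recipient domain is one this server is responsible for; for any
# other recipient the lookup result is ignored and evaluation continues.
mg.pluspora.com     permit_auth_destination

# After editing, rebuild both maps and reload:
#   postmap /etc/postfix/client_exception
#   postmap /etc/postfix/sender_exception
#   postfix reload
# To retire the exception once the sender's DNS is fixed, remove the
# check_client_access line and the two class parameters.
```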