Mail delivery issues

[innersphere]

Hi,

I am getting some issues with mail delivery from my ISP. Certain messages are being rejected as follows:

450 <jrabbat@horizonfcb.co.ae>: Sender address rejected: Domain not found
maildirserial: info: new/1192849121.8274.autoturn02,S=3529 failed temporarily: 381.374.353.319 said: 450 <jrabbat@horizonfcb.co.ae>: Sender address rejected: Domain not found


To me (as a non-expert), this looks like the Bubba Postfix server is doing a reverse lookup on the domain to prevent spam and deferring messages to prevent them coming through. This in itself is not the issue however.

The ISP is saying that the 4xx codes are deferral codes, so their server will keep trying to send the messages. What they need is a 5xx code which is a rejection code - then their server will not continue to send the messages.

All I need to do is either let the messages through, or reject them properly, as I am getting quite a queue building up on what is effectively my Backup MX server.

Someone please help

Thanks,
Graeme

[johannes]

Hi!

Yes, postfix does some blacklist checks before letting the mail through, and this can be turned off if required. Edit /etc/postfix/main.cf and comment the lines about blacklist checks, at the end of the file. Do a postfix reload when you are done.

Hope it helps!

[tor]

Hi innersphere,

Could you try to remove the line saying:

Code: Select all

 reject_unknown_sender_domain

near the end in the file /etc/postfix/main.cf and tell postfix to reload its config

Code: Select all

/etc/init.d/postfix reload

/Tor

[innersphere]

Thanks very much for your responses guys - greatly appreciated!

However - please bear in mind that I am a compete noob when it comes to this stuff.

I assume the file is somewhere on the Bubba and I have to edit it somehow (this much is obvious).

What is the easiest way to edit the file, and how do I backup the config in case I need to restore it at some point?

Thanks,
Graeme

[Ubi]

People, please do not do this.

First of all, the reject_unknown_sender_domain is *NOT* a blacklist. It is a syntax check to see if the message conforms to RFC 821. Please do not confuse your users by making these mistakes (reject_rbl_client dnsbl.sorbs.net is a call to a blacklist for example).

Postfix gives a 4xx here on purpose. The response is always 450 in case of a temporary DNS error. If the problem remains, the sending server gives up after x-many hours and return the message. By accepting mail from non-existing domains you just opened a floodgate for spammers.

If you *must* reject on first try, change this:

Code: Select all

defer_code 550

(This is the numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. Do not change this unless you have a complete understanding of RFC 821.)

* http://www.postfix.org/uce.html
* http://www.postfix.org/postconf.5.html

Ubi

[johannes]

Ubi,

Thanks for educating us.

However, I don't see the problems with removing the blacklist checks (i.e. changing:

Code: Select all

smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 reject_unauth_pipelining
 reject_invalid_hostname
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 reject_rbl_client list.dsbl.org
 reject_rbl_client relays.ordb.org
 reject_rbl_client dnsbl.njabl.org
 reject_rbl_client dnsbl.sorbs.net
 reject_rbl_client bl.spamcop.net
 permit

to

Code: Select all

smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 reject_unauth_pipelining
 reject_invalid_hostname
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
# reject_rbl_client list.dsbl.org
# reject_rbl_client relays.ordb.org
# reject_rbl_client dnsbl.njabl.org
# reject_rbl_client dnsbl.sorbs.net
# reject_rbl_client bl.spamcop.net
 permit

..if this is what causes the problem? Some of these lists have sometimes caused problems, filtering out ISP's mail servers, preventing loads of users from sending email.

innersphere,

To edit the file, do the following:

ssh to bubba, for instance using Putty. Log on a your regular user, and then type su to become root. Password is 'excito'.
Type nano /etc/postfix/main.cf to edit the file. When you're done, save the file and type 'postfix reload'.
Done!

[innersphere]

Thanks Johannes & Ubi & Tor

The original suggestion was to remove the unknown domain, not the blacklists. I did test this, and of course it worked great!

But then I read Ubi's post and put it back - lol! The problem I have is that the email never leaves the ISP, as they are my Backup MX in case my connection or server is down etc. This means that the mail is not coming from the originator and getting dropped after failing to deliver after a period of time - it just sits in the queue.

I am not sure how to get around this issue to be honest. Logic suggests that after the same message has been 'deferred' say 10 times, that it should get a rejection, but I suspect this is not programmable.

It looks to me like my only option is to open the floodgates and let my client take care of the spam flood?

Help!

Thanks again guys for your time and efforts and help !

PS - Nano much easier than vi

[Ubi]

Just a few reactions;

Johannes:

I don't see the problems with removing the blacklist checks .if this is what causes the problem

In this case the blacklists were not the problem. Postfix gives a very specific about what went wrong. If a car runs out of oil, would you solve it by changing the tyres??

Re Innersphere:

The problem I have is that the email never leaves the ISP, as they are my Backup MX in case my connection or server is down etc. This means that the mail is not coming from the originator and getting dropped after failing to deliver after a period of time - it just sits in the queue.

I find this very hard to believe. The backup MX may have a very tolerant latency form the primary (can be up to a few days), but it should always return the mail to original sender after the timeout. If they set this to unlimited the backup mx needs repair. Now in this case the FROM adress is forged, so it is impossible to return to sender and the message should indeed be dropped.
Of course the *real* mistake is at the level of the backup MX who should have assured that the message was RFC821 compliant (i.e. no invalid FROM address)

[innersphere]

Ubi - thanks again.

You definitely know too much about RFC's though - lol !!

I will pursue this with my ISP

[innersphere]

Hi all,

I am back again - different problem, but directly related

Message below - please advise

Thanks,
Graeme


All mails sent to me are now getting bounced with the following message:
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

abc@abc.co.uk
SMTP error from remote mailer after RCPT TO:<abc@abc.co.uk>:
host mail.abc.co.uk [81.174.153.219]:
554 Service unavailable; Client host [82.110.105.38] blocked using relays.ordb.org; ordb.org was shut down on December 18, 2006. Please remove from your mailserver.

[RonaldJ]

Hi,

I have the same sort of problem since this morning!
I get this, while trying to send a message from yahoo:

Remote host said: 554 Service unavailable; Client host [216.252.110.65] blocked using relays.ordb.org; ordb.org was shut down on December 18, 2006. Please remove from your mailserver.
Giving up on <mi ip-adress>.

Until now everything was working fine and I changed nothing....

[johannes]

innersphere, RonaldJ,

Yes, it seems as one of the spam block servers Bubba uses to verify all incoming email against has shut down, and ordb.org apparently chooses to block all email to get people to note this.

A quick fix would be to comment out that check in the mail server configuration file. A small guide on how to do this yourself follows:

- SSH to Bubba. If you don't know how, follow this guide up until "Examples of use".

- Become root:

Code: Select all

su

Password 'excito' if you haven't changed it.

- Edit the configuration file:

Code: Select all

nano /etc/postfix/main.cf

- Scroll down to the section with restrictions, in the end, looking like this:

Code: Select all

smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 reject_unauth_pipelining
 reject_invalid_hostname
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 reject_rbl_client list.dsbl.org
 reject_rbl_client relays.ordb.org
 reject_rbl_client dnsbl.njabl.org
 reject_rbl_client dnsbl.sorbs.net
 reject_rbl_client bl.spamcop.net
 permit

- Comment out the ordb line:

Code: Select all

smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 reject_unauth_pipelining
 reject_invalid_hostname
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 reject_rbl_client list.dsbl.org
# reject_rbl_client relays.ordb.org
 reject_rbl_client dnsbl.njabl.org
 reject_rbl_client dnsbl.sorbs.net
 reject_rbl_client bl.spamcop.net
 permit

- Save:

Code: Select all

 ctrl-x 

and

Code: Select all

 y 

to confirm.

- Reload the configuration:

Code: Select all

 postfix reload 

This should do the trick as a quick fix.

[RonaldJ]

Hi again,

I solved it myself with my very thin knowledge of Unix and postfix...
sweaty hands!
I did this:

open main.cf (the postfix config file) in /etc/postfix
find the line with reject(rbl_client relays.ordb.org
put a '#' in front of that
the line now reads '#reject_rbl_client relays.ordb.org'
save the file
tell postfix to use the new file with the command

postfix reload

That's it!

[RonaldJ]

Johannes,

You gave us the right solution while I was writing mine.... My post looks kind of silly now!
Thanks for your help, but I'm proud I found it myself....

[innersphere]

Yeah - I did the same, with even less of said knowledge.

However - I am slightly concerned that this is in the default build, and if I have to rebuild it, I will find myself in the same place again and will have to try remember what I did to fix it

**EDIT** lol - I also just saw johannes' post - but the above still stands

Either way - thanks for the quick replies!!