NOQUEUE Domain not found errors

FunkyFilip

In the Postfix log I see a lot of the following errors; they are all newsletters from companies using salesforce.
Is this an issue with mailcow, or is mailcow rejecting these because of some misconfiguration on the senders’ side? In any case I want to allow these senders, is there a way to configure this?

Example:
02/09/2024, 06:30:24 PM info disconnect from unknown[161.71.38.64] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=⅚
02/09/2024, 06:30:24 PM info NOQUEUE: reject: RCPT from unknown[161.71.38.64]: 450 4.1.8 bounce-10_HTML-2003924-97023-510000646-3319@bounce.em.delhaize.be: Sender address rejected: Domain not found; from=bounce-10_HTML-2003924-97023-510000646-3319@bounce.em.delhaize.be to=recipient@xyz.be proto=ESMTP helo=<mta.em.delhaize.be>
02/09/2024, 06:30:00 PM info Anonymous TLS connection established from unknown[161.71.38.64]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
02/09/2024, 06:30:00 PM info connect from unknown[161.71.38.64]
02/09/2024, 06:29:52 PM info WHITELISTED [161.71.38.64]:52271
02/09/2024, 06:29:52 PM info CONNECT from [161.71.38.64]:52271 to [172.22.1.253]:25

esackbauer

Seems like this is a DNS resolution issue. The error message indicates that postfix is unable to resolve the mx record for the domain bounce.em.delhaize.be. However the MX record exists:
https://mxtoolbox.com/SuperTool.aspx?action=mx%3abounce.em.delhaize.be&run=toolpage

Make sure that you have all outgoing ports open as needed by mailcow. For DNS, that is port 53 UDP and TCP

DocFraggle

MX exists, but no A or CNAME record… maybe that’s not RFC compliant

Edit: https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

reject_unknown_sender_domain
Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record

So Salesforce has to add an A record

esackbauer

DocFraggle So Salesforce has to add an A record

The A record for the domain is typically used as fallback when there is no MX record. But there is an MX record, and it points to an existing A record, as the output of my link above shows.

So from Salesforce side everything seems OK. They even have a SPF record set up.

DocFraggle

esackbauer Yes, the MX record points to an existing A record. But I read the postfix docs more like there has to be both a MX record AND an A record for bounce.em.delhaize.be (the “MAIL FROM domain”), and that’s not the case. One would have to dig deeper into this…

Edit: OK, after further digging it seems to be ok that only a MX record exists.

maddler

So, just having this issue too.
Sender domain actually exists, MX record is OK and has a valid A record.
Everything resolves fine from the machine running MailCow.

So far I’ve found no other option than removing the reject_unknown_sender_domain option.

DocFraggle

maddler Do you mind sharing the FQDN?

maddler

farmastudio.com

Weird thing is I can send to that domain no problem.

DocFraggle

maddler ARM64 or AMD64?

maddler

AMD64

added regexp:/opt/postfix/conf/whitelist to smtpd_sender_restrictions as a workaround.

FunkyFilip

I also removed reject_unknown_sender_domain; then the mails come in, though some of them were then still rejected by rspamd, for similar reasons. I tweaked rspamd a bit, we’ll see; I still assume rspamd would catch actual spammers so for me removing reject_unknown_sender_domain is probably not an issue. I’m on ARM64.

Still wondering though on which side there’s an issue, maybe there’s confusion between looking up bounce.em.delhaize.be, em.delhaize.be, mta.em.delhaize.be and/or delhaize.be?

Have a look at these parts from the raw source:
Authentication-Results: mymailcowserver; dkim=temperror (“DNS error when getting key”) header.d=em.delhaize.be header.s=50dkim1 header.b=tTc3YADf; dmarc=temperror reason=“SPF/DKIM temp error” header.from=delhaize.be (policy=temperror); spf=temperror (mymailcowserver: error in processing during lookup of bounce-10_HTML-54618272-97023-510000646-918@bounce.em.delhaize.be: DNS error) smtp.mailfrom=bounce-10_HTML-54618272-97023-510000646-918@bounce.em.delhaize.be

X-Spamd-Result: default: False [-2029.43 / 16.00]; GLOBAL_MIME_FROM_WL(-2050.00)[hello@em.delhaize.be]; HFILTER_HOSTNAME_UNKNOWN(5.00)[]; BAYES_SPAM(4.48)[99.95%]; MX_MISSING(3.50)[]; HFILTER_FROMHOST_NORES_A_OR_MX(1.50)[bounce.em.delhaize.be]; DATE_IN_PAST(1.00)[48]; SUBJECT_ENDS_QUESTION(1.00)[]; URI_COUNT_ODD(1.00)[71]; HFILTER_HELO_IP_A(1.00)[mta.em.delhaize.be]; RDNS_NONE(1.00)[]; MX_INVALID(0.50)[]; MIME_GOOD(-0.40)[multipart/alternative,text/plain]; HFILTER_HELO_NORES_A_OR_MX(0.30)[mta.em.delhaize.be]; FORGED_SENDER(0.30)[hello@em.delhaize.be,bounce-10_HTML-54618272-97023-510000646-918@bounce.em.delhaize.be]; MANY_INVISIBLE_PARTS(0.30)[4]; ONCE_RECEIVED(0.10)[]; HAS_LIST_UNSUB(-0.01)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; BCC(0.00)[]; RCPT_MAILCOW_DOMAIN(0.00)[mydomain.com]; ARC_NA(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[filip@mydomain]; RCPT_COUNT_ONE(0.00)[1]; DMARC_DNSFAIL(0.00)[delhaize.be : SPF/DKIM temp error,reject]; TO_DN_NONE(0.00)[]; ASN(0.00)[asn:14340, ipnet:161.71.0.0/17, country:US]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_SIGNED(0.00)[mydomain.com:s=dkim:i=1]; R_DKIM_TEMPFAIL(0.00)[em.delhaize.be:s=50dkim1]; RCVD_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_NEQ_ENVFROM(0.00)[hello@em.delhaize.be,bounce-10_HTML-54618272-97023-510000646-918@bounce.em.delhaize.be]; R_SPF_DNSFAIL(0.00)[temporary DNS error]; DKIM_TRACE(0.00)[em.delhaize.be:?]; RDNS_DNSFAIL(0.00)[]; MISSING_XM_UA(0.00)[]

PS: separate but related question here which would help me in training rspamd better.

DocFraggle

Hmm, OK, I thought it’s maybe an ARM related problem, we just had a buggy SoGo package for the ARM version… but @maddler seems to be running on AMD64.
Just had a look at my postfix logs for the last few days, no errors so far with “Sender address rejected”

EDIT: did you ever resolve the FQDN and MX from within the postfix container and check for differences to resolving from the host system?

maddler

I’m starting to think there might have been some sort of “external” issue somewhere. Some transient resolution issue with upstream DNS causing resolution to randomly fail for that domain.
I’ve disabled he whitelisting and working OK so far.
Will keep looking at this.
Thanks for the help so far!