Hi,

Email from a particular domain is always rejected by postfix, correctly(?) as Unbound can’t resolve it. So I have tried to configure postfix to allow it, but am not succeeding.

From postfix log…
Jan 5 17:19:24 localhost 6d9deaef8f29[872]: Jan 5 17:19:24 6d9deaef8f29 postfix/smtpd[1151]: NOQUEUE: reject: RCPT from cluster-b.mailcontrol.com[85.115.56.190]: 450 4.1.8 <player@national-lottery.co.uk>: Sender address rejected: Domain not found; from=<player@national-lottery.co.uk> to=<someone@mydomain.com> proto=ESMTP helo=<cluster-b.mailcontrol.com>

Unbound can’t resolve the sender domain…

root@mail01:/opt/mailcow-dockerized# docker compose exec unbound-mailcow dig mx national-lottery.co.uk

; <<>> DiG 9.18.27 <<>> mx national-lottery.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36516
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;national-lottery.co.uk.                IN      MX

;; Query time: 3999 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sun Jan 05 18:38:26 GMT 2025
;; MSG SIZE  rcvd: 40

root@mail01:/opt/mailcow-dockerized# docker compose exec unbound-mailcow dig a national-lottery.co.uk

; <<>> DiG 9.18.27 <<>> a national-lottery.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7649
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;national-lottery.co.uk.                IN      A

;; Query time: 3999 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sun Jan 05 18:38:34 GMT 2025
;; MSG SIZE  rcvd: 40

Have updated postfix’s smtpd_sender_restrictions in extra.cf…

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access regexp:/opt/postfix/conf/sender_access,
  reject_unlisted_sender,
  reject_unknown_sender_domain

Added the domain to the sender_access file…
/[@.]national-lottery\.co\.uk$/ OK

And applied by running postmap and restarting the container.

I’ve tried various different ways of allowing the domain using regex or hash files, or even just removing reject_unknown_sender_domain. Nothing has any impact; any pointers on what to look at would be much appreciated.

Thanks
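To see how widespread a "Domain not found" reject is before touching the configuration, it helps to pull the NOQUEUE lines apart by sender domain and reply code (a 450 means the sending server keeps retrying; a 550 means it bounced the message). The script below is an added example, not code from this thread or from mailcow; the first sample log line is the one posted above, the other lines and the IPs and domains in them are constructed.

```python
"""Triage Postfix 'Sender address rejected: Domain not found' rejections.

Added helper, not code from the thread: it groups NOQUEUE rejects by sender
domain and reply code, so a sender you want to accept stands out from the
background of unresolvable domains.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Field layout of the smtpd NOQUEUE reject line shown in the thread.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<enhanced>\d\.\d\.\d) <(?P<address>[^>]*)>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_reject(line: str) -> Optional[dict]:
    """Return the fields of a NOQUEUE reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    sender = rec["sender"]
    rec["sender_domain"] = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    # 4xx: the sending server will keep retrying; 5xx: it has bounced the mail.
    rec["temporary"] = rec["code"].startswith("4")
    return rec


def unknown_domain_rejects(lines: Iterable[str]) -> Counter:
    """Count 'Domain not found' rejects per (sender domain, reply code)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec and "Domain not found" in rec["reason"]:
            counts[(rec["sender_domain"], rec["code"])] += 1
    return counts


# Sample log: the first line is the one from the thread; the others are constructed.
SAMPLE_LOG = [
    "Jan 5 17:19:24 localhost 6d9deaef8f29[872]: Jan 5 17:19:24 6d9deaef8f29 postfix/smtpd[1151]: "
    "NOQUEUE: reject: RCPT from cluster-b.mailcontrol.com[85.115.56.190]: 450 4.1.8 "
    "<player@national-lottery.co.uk>: Sender address rejected: Domain not found; "
    "from=<player@national-lottery.co.uk> to=<someone@mydomain.com> proto=ESMTP helo=<cluster-b.mailcontrol.com>",
    "Jan 5 17:20:01 localhost postfix/smtpd[1152]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: "
    "450 4.1.8 <news@national-lottery.co.uk>: Sender address rejected: Domain not found; "
    "from=<news@national-lottery.co.uk> to=<someone@mydomain.com> proto=ESMTP helo=<mx.example.net>",
    "Jan 5 17:21:15 localhost postfix/smtpd[1153]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "550 5.1.8 <x@nxdomain.example>: Sender address rejected: Domain not found; "
    "from=<x@nxdomain.example> to=<someone@mydomain.com> proto=ESMTP helo=<bogus>",
    "Jan 5 17:22:00 localhost postfix/smtpd[1154]: connect from mx.example.org[203.0.113.5]",
]

if __name__ == "__main__":
    for (domain, code), n in unknown_domain_rejects(SAMPLE_LOG).most_common():
        kind = "temporary, sender retries" if code.startswith("4") else "permanent"
        print(f"{domain:<26} {code} ({kind}): {n}")
```

Feed it the output of `docker compose logs postfix-mailcow` (or the container's syslog) instead of SAMPLE_LOG; a domain that only ever produces 450s during a short window is usually the remote side's DNS outage resolving itself, while a steady stream is the case for an access-map entry like the one in this post.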


  • DocFraggle


Are you able to resolve the domain from your host system? Do you have some kind of firewall which blocks DNS requests to the DNS server responsible for this domain? I can resolve it without problems


The host is unable to resolve the domain as well.

There is a firewall, but outbound DNS is open. If I try to query the nameserver directly I get a time-out, but I can see the traffic passing successfully in the firewall logs.

    • esackbauer


    sidkipper outbound DNS is open

    port 53 UDP and TCP?

      • DocFraggle


      While running

      dig mx national-lottery.co.uk +trace

      you can see that the guys at national-lottery.co.uk seem to have fckd up their DNS servers… you can’t resolve anything using i.e. ns7.national-lottery.biz or
      ns6.national-lottery.biz due to a timeout.

      Maybe that’s the reason

      Thanks - can I workaround it through postfix config as I was attempting to, or not possible without them fixing their DNS setup?

      • DocFraggle


      I would try to add the domain to your whitelist

      System -> Configuration -> Global filter maps -> RegEx maps (check the box) -> Header-From: Whitelist

      Add the line

      /.+national-lottery\.co\.uk/i

      I already have that set

      • DocFraggle


      Ah ok, you didn’t write that in your posts above

      Sorry - I tried that previously but came to the conclusion that postfix was probably taking action before rspamd.

      a month later

      Think you’d only want to do that for networks you completely trust. Any network you add to mynetworks will be able to use your mailserver to relay/send mail. If they send spam etc it’ll completely ruin your reputation and you’ll not be able to send email anywhere.

      I don’t trust the domain that's having the issue enough to want to allow them to relay email out of my server, but do want to be able to receive email destined only to my users from them.

        sidkipper
        Did you try removing reject_unknown_sender_domain from line 8 of master.cf?
        I’ve found the problem:
        1. Settings in master.cf will overwrite settings in main.cf; comment out smtpd_sender_restrictions on the specific service (or all of them).
        2. Use regexp:/opt/postfix/conf/sender_access instead of check_sender_access regexp:/opt/postfix/conf/sender_access, otherwise postfix will report something like unknown smtpd restriction: "check_sender_access".
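Both points in the reply above, and the restriction list in the opening post, come down to two rules: Postfix walks smtpd_sender_restrictions in order and stops at the first OK or REJECT (DUNNO moves on), and a `-o smtpd_sender_restrictions=...` on a service line in master.cf replaces the main.cf value for that service. The model below is an added Python example, not Postfix code or anything posted in this thread; the master.cf override, the mynetworks value and the resolver stub are constructed, and treating a bare `type:table` entry as a sender access lookup is an assumption of the model rather than a claim about Postfix.

```python
"""Model of how Postfix walks an smtpd_sender_restrictions list and which copy of the
setting is in force. Added teaching model, not Postfix source: it keeps the rules this
thread turns on (first OK or REJECT wins, DUNNO moves on, a '-o' option on a master.cf
service line replaces the main.cf value for that service)."""
import ipaddress
import re
from collections import namedtuple
from typing import Callable, Dict, List, Optional, Tuple

# The sender_access entry from the thread, in Postfix regexp: table syntax.
SENDER_ACCESS = r"""
# accept senders in the domain whose authoritative DNS is unreachable
/[@.]national-lottery\.co\.uk$/ OK
"""
# The main.cf value from the thread, plus a constructed master.cf '-o' override
# (placeholder: whether your master.cf carries one is what to check on the service line).
MAIN_CF = {"smtpd_sender_restrictions": """reject_authenticated_sender_login_mismatch,
  permit_mynetworks, permit_sasl_authenticated, check_sender_access regexp:/opt/postfix/conf/sender_access,
  reject_unlisted_sender, reject_unknown_sender_domain"""}
MASTER_CF_OVERRIDE = {"smtp": {"smtpd_sender_restrictions":
                               "permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain"}}
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]  # constructed
KNOWN = {"reject_authenticated_sender_login_mismatch", "permit_mynetworks", "permit_sasl_authenticated",
         "reject_unlisted_sender", "reject_unknown_sender_domain"}
Session = namedtuple("Session", "client_ip sender sasl_authenticated", defaults=[False])


def parse_regexp_map(text: str) -> List[Tuple[re.Pattern, str]]:
    """'/pattern/flags action' lines; Postfix matches case-insensitively unless the 'i'
    flag toggles that off (other flags are not modelled)."""
    table = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/([a-zA-Z]*)\s+(\S+)", line)
        if not m:
            raise ValueError(f"bad regexp map line: {line!r}")
        pattern, flags, action = m.groups()
        table.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action.upper()))
    return table


def map_lookup(table, key: str) -> Optional[str]:
    """First matching line wins; regexp tables are queried with the full address."""
    return next((action for pat, action in table if pat.search(key)), None)


def parse_restriction_list(value: str) -> List[str]:
    """Split on commas/whitespace; check_sender_access takes the next token as its table."""
    tokens, out = [t for t in re.split(r"[,\s]+", value) if t], []
    while tokens:
        tok = tokens.pop(0)
        out.append(f"{tok} {tokens.pop(0)}" if tok == "check_sender_access" else tok)
    return out


def effective_restrictions(main_cf: Dict[str, str], master_cf: Dict[str, Dict[str, str]], service: str) -> List[str]:
    # A '-o smtpd_sender_restrictions=...' on the service's master.cf line replaces the main.cf value.
    value = master_cf.get(service, {}).get("smtpd_sender_restrictions", main_cf["smtpd_sender_restrictions"])
    return parse_restriction_list(value)


def evaluate(restrictions: List[str], s: Session, *, mynetworks: List[str], sender_access,
             resolves: Callable[[str], bool]) -> Tuple[str, str]:
    """Walk the list in order; return (verdict, reason), verdict being OK, REJECT or DUNNO."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    ip, domain = ipaddress.ip_address(s.client_ip), s.sender.rsplit("@", 1)[-1]
    for r in restrictions:
        verdict = ("DUNNO", "")
        if r == "permit_mynetworks" and any(ip in n for n in nets):
            verdict = ("OK", r)
        elif r == "permit_sasl_authenticated" and s.sasl_authenticated:
            verdict = ("OK", r)
        elif r.startswith("check_sender_access ") or ":" in r:
            # model assumption: a bare type:table entry is treated as a sender access lookup
            action = map_lookup(sender_access, s.sender)
            if action in ("OK", "REJECT"):
                verdict = (action, f"sender_access {action}")
        elif r == "reject_unknown_sender_domain" and not resolves(domain):
            verdict = ("REJECT", f"450 4.1.8 <{s.sender}>: Sender address rejected: Domain not found")
        elif r not in KNOWN:
            raise ValueError(f"unknown smtpd restriction: {r!r}")
        if verdict[0] != "DUNNO":  # OK or REJECT ends the walk; DUNNO tries the next entry
            return verdict
    return ("DUNNO", "end of list")


def dns_stub(domain: str) -> bool:
    """Stand-in resolver mirroring the SERVFAIL in the thread's dig output."""
    return domain != "national-lottery.co.uk"


def decide(master_cf: Dict[str, Dict[str, str]], s: Session, resolves=dns_stub) -> Tuple[str, str]:
    """Verdict on the 'smtp' service under main.cf plus the given master.cf overrides."""
    return evaluate(effective_restrictions(MAIN_CF, master_cf, "smtp"), s, mynetworks=MYNETWORKS,
                    sender_access=parse_regexp_map(SENDER_ACCESS), resolves=resolves)


if __name__ == "__main__":
    s = Session("85.115.56.190", "player@national-lottery.co.uk")
    print("main.cf only:      ", decide({}, s))
    print("master.cf override:", decide(MASTER_CF_OVERRIDE, s))
```

With the main.cf list alone the whitelisted sender gets OK at the check_sender_access step and reject_unknown_sender_domain is never reached, which is why a reject that keeps firing after the map is in place points at a different list being in force (a `-o` option on the service line; `postconf -P` lists master.cf parameter overrides). On the real container, `postmap -q player@national-lottery.co.uk regexp:/opt/postfix/conf/sender_access` confirms what the map itself returns.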

          Rasping6015

          Perfect - that seemed to be working as wanted now. Many thanks!
