Unable to override Domain not found

sidkipper

Hi,

Email from a particular domain is always rejected by postfix, correctly(?) as ubound can’t resolve it. So have tried to config postfix to allow it, but not suceeding

From postfix log…
Jan 5 17:19:24 localhost 6d9deaef8f29[872]: Jan 5 17:19:24 6d9deaef8f29 postfix/smtpd[1151]: NOQUEUE: reject: RCPT from cluster-b.mailcontrol.com[85.115.56.190]: 450 4.1.8 <player@national-lottery.co.uk>: Sender address rejected: Domain not found; from=<player@national-lottery.co.uk> to=<someone@mydomain.com> proto=ESMTP helo=<cluster-b.mailcontrol.com>

Ubound can’t resolve the sender domain…

root@mail01:/opt/mailcow-dockerized# docker compose exec unbound-mailcow dig mx national-lottery.co.uk

; <<>> DiG 9.18.27 <<>> mx national-lottery.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36516
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;national-lottery.co.uk.                IN      MX

;; Query time: 3999 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sun Jan 05 18:38:26 GMT 2025
;; MSG SIZE  rcvd: 40

root@mail01:/opt/mailcow-dockerized# docker compose exec unbound-mailcow dig a national-lottery.co.uk

; <<>> DiG 9.18.27 <<>> a national-lottery.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7649
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;national-lottery.co.uk.                IN      A

;; Query time: 3999 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sun Jan 05 18:38:34 GMT 2025
;; MSG SIZE  rcvd: 40

Have updated postfix’s smtpd_sender_restrictions in extra.cf…

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access regexp:/opt/postfix/conf/sender_access,
  reject_unlisted_sender,
  reject_unknown_sender_domain

Added the domain to the sender_access file…
/[@.]national-lottery\.co\.uk$/ OK

And applied by running postmap and restarting the container.

I’ve tried various different of allowing the domain using regex or hash files, or even by just removing reject_unknown_sender_domain. Nothing has any impact, any pointers on what to look at would be much appreciated.

Thanks

DocFraggle

Are you able to resolve the domain from your host system? Do you have some kind of firewall which blocks DNS requests to the DNS server responsible for this domain? I can resolve it without problems

sidkipper

The host is unable to resolve the domain as well.

There is a firewall, but outbound DNS is open. If I try to query the nameserver directly I get a time-out, but can see the traffic passing successfully in the firewall logs

esackbauer

sidkipper outbound DNS is open

port 53 UDP and TCP?

sidkipper

esackbauer Yes - outbound is open on both TCP and UDP

DocFraggle

While running

dig mx national-lottery.co.uk +trace

you can see that the guys at national-lottery.co.uk seem to have fckd up their DNS servers… you can’t resolve anything using i.e. ns7.national-lottery.biz or
ns6.national-lottery.biz due to a timeout.

Maybe that’s the reason

sidkipper

Thanks - can I workaround it through postfix config as I was attempting to, or not possible without them fixing their DNS setup?

DocFraggle

I would try to add the domain to your whitelist

System -> Configuration -> Global filter maps -> RegEx maps (check the box) -> Header-From: Whitelist

Add the line

/.+national-lottery\.co\.uk/i

sidkipper

I already have that set

DocFraggle

Ah ok, you didn’t write that in your posts above

sidkipper

Sorry - I tried previously that but came to conclusion that postfix was probably taking action before rspamd.