In the last week or so I have not been getting emails from some domains. I use Proxmox Mail Gateway between mailcow and the outside world, been working for months before, but now some domains are getting rejected. The Proxmox Mail Gateway tracking center shows they are being rejected from mailcow with the response “Sender address rejected: Domain not found”. However, the domains I’m getting emails from do exist. I can use mxtoolbox to look them up and they all have valid DNS records. It appears DNS queries are not working from mailcow. There is nothing being logged in Rspamd. I can’t seem to find any settings to disable any spam settings in postfix. Some domains work fine though: Outlook, Github, emails come through.
Here are two domains I’m getting not found errors from.
Example 1: em157825.dediseedbox.com
Example 2: shared-p200-i10.d.sp2-brevo.net


Check your unbound logs.
Try to use dig from within the unbound container to see if DNS resolution works.
Also, if you have IPv6 enabled, make sure you have your AAAA records and reverse DNS also set up for IPv6.


I did just now exec into the unbound docker container of mailcow. I did the dig requests to various domains and also reverse lookups, MX lookups, and everything checks out like it should. It’s showing me the same values I get using MXtoolbox to verify. I do have IPv6 enabled and set up correctly, but it appears these emails are coming from IPv4 addresses anyways when I look at the header info from PMG.

I have found the resolution to my problem. As the saying goes, IT’S ALWAYS DNS! I finally found a couple other threads similar or identical to my problem after digging hard. Those problems were firewall based. I checked to make sure I wasn’t doing IDS/IPS and was not. I then found one saying they were blocking port 53 for DNS outbound. So I checked my firewall rules and then remembered I enabled DNS redirection to force any outbound DNS queries to be redirected to my DNS on my firewall so no one can bypass my DNS filtering. Turns out postfix did not like that, not sure why, it should still be able to resolve going through my server. But anyways, after disabling that rule I now got the emails that were queued up in my PMG.

    isaacgross1 That’s because unbound, which is used in mailcow, is configured to look up hosts starting with the DNS root hints. So I guess it’s failing if it can’t do this due to your firewall rule.

      DocFraggle
      The part I can’t wrap my head around, though, is that if I did the dig command in the unbound container, I could resolve any domain. It was the postfix container that couldn’t resolve. They both are on the same network and would go through the same firewall. It appears postfix uses its own DNS functions and doesn’t use the unbound container at all. Also, it should still be able to resolve addresses going through my server; if my server doesn’t have it cached it should then go out to the root servers.
