[CentOS] Postfix - message queue filling with Host or name not found - try again

Fri Nov 26 20:24:07 UTC 2010
Alexander Dalloz <ad+lists at uni-x.org>

Am 26.11.2010 19:48, schrieb Mike Fedyk:
> On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen <rkampen at kampensonline.com> wrote:
>> Hi list,
>> I have noted over the last week or so my DNS servers are dumping lots of
>> messages for bogus domain lookups. Examining the postfix queue with
>> postqueue -p:  I see many
>> (Host or domain name not found. Name service error for
>> name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again)
>>                                        Jake at bdgiedjhea.po6e4ina.com
>> My question - why does this stay in the message queue - why not dumped back
>> with message undeliverable or dropped?
>> I understand this is probably related to my config - which follows:
>> <main.cf>
> 
> 
> Here's what you want (copied from my config):

Not really - because the shown part of the Postfix config is doubtful.

> maps_rbl_reject_code = 450
> non_fqdn_reject_code = 450

Why a temporary DSN? You want those to come back again and again and
again ...?

> smtpd_delay_reject = yes

Running the default of a delayed reject, why then splitting up the
smtpd_*_restrictions causing plenty of tests to be run more than 1 time?

> smtpd_helo_required = yes
> 
> smtpd_helo_restrictions =
>         reject_unauth_pipelining
>         permit_sasl_authenticated
>         permit_mynetworks
>         reject_invalid_hostname
>         reject_non_fqdn_hostname

Can lead to a lot of rejects for legitimate senders.

>         reject_unknown_helo_hostname
>         permit
> 
> smtpd_sender_restrictions =
>         reject_unauth_pipelining
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient

Again in smptd_recipient_restrictions.

>         reject_unknown_recipient_domain

Again in smptd_recipient_restrictions.

>         reject_unknown_sender_domain
>         permit
> 
> smtpd_client_restrictions =
> #       sleep 1
>         reject_unauth_pipelining
>         permit_sasl_authenticated
>         permit_mynetworks
>         reject_unknown_client_hostname
>         permit
> 
> smtpd_recipient_restrictions =
>         reject_unauth_pipelining
>         reject_non_fqdn_recipient
>         reject_unknown_recipient_domain
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>         #fully automated RBLs

Much too much RBLs, really.

>         reject_rbl_client truncate.gbudb.net
>         reject_rbl_client dnsbl.proxybl.org
>         reject_rbl_client psbl.surriel.com
>         reject_rbl_client db.wpbl.info
>         reject_rbl_client bl.spamcop.net

spamcop can be too aggressive.

> #       reject_rbl_client bl.spamcannibal.org  #blocked charles
>         reject_rbl_client intercept.datapacket.net
>         reject_rbl_client spamtrap.drbl.drand.net
> #       reject_rbl_client dnsbl.ahbl.org #blocked godaddy
>         reject_rbl_client dnsbl-1.uceprotect.net
>         reject_rbl_client bhnc.njabl.org
>         reject_rbl_client dnsbl.njabl.org
>         #larder RBLs with some non-automation and larger ranges of IPs
> #       reject_rbl_client dnsbl.sorbs.net #(blocked fedora)
> #       reject_rbl_client dnsbl-2.uceprotect.net
>         reject_rbl_client dnsbl-3.uceprotect.net
>         reject_rbl_client zen.spamhaus.org
> #       reject_rbl_client
> #       reject_rbl_client dnsbl-2.uceprotect.net,
> #       check_policy_service unix:private/spfpolicy
> #       check_policy_service inet:127.0.0.1:10023
>         permit
> 
> strict_rfc821_envelopes = yes
> smtpd_reject_unlisted_sender = yes

Alexander