On 26.11.2010 19:48, Mike Fedyk wrote:
> On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen <rkampen at kampensonline.com> wrote:
>> Hi list,
>> I have noted over the last week or so my DNS servers are dumping lots of
>> messages for bogus domain lookups. Examining the postfix queue with
>> postqueue -p: I see many
>> (Host or domain name not found. Name service error for
>> name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again)
>> Jake at bdgiedjhea.po6e4ina.com
>> My question - why does this stay in the message queue - why not dumped back
>> with message undeliverable or dropped?
>> I understand this is probably related to my config - which follows:
>> <main.cf>
>
>
> Here's what you want (copied from my config):

Not really - because the shown part of the Postfix config is doubtful.

> maps_rbl_reject_code = 450
> non_fqdn_reject_code = 450

Why a temporary DSN? You want those to come back again and again and again ...?

> smtpd_delay_reject = yes

Running the default of a delayed reject, why then split up the smtpd_*_restrictions, causing plenty of tests to be run more than once?

> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
>     reject_unauth_pipelining
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_invalid_hostname
>     reject_non_fqdn_hostname

Can lead to a lot of rejects for legitimate senders.

>     reject_unknown_helo_hostname
>     permit
>
> smtpd_sender_restrictions =
>     reject_unauth_pipelining
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient

Again in smtpd_recipient_restrictions.

>     reject_unknown_recipient_domain

Again in smtpd_recipient_restrictions.

>     reject_unknown_sender_domain
>     permit
>
> smtpd_client_restrictions =
>     # sleep 1
>     reject_unauth_pipelining
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_unknown_client_hostname
>     permit
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     #fully automated RBLs

Far too many RBLs, really.

>     reject_rbl_client truncate.gbudb.net
>     reject_rbl_client dnsbl.proxybl.org
>     reject_rbl_client psbl.surriel.com
>     reject_rbl_client db.wpbl.info
>     reject_rbl_client bl.spamcop.net

spamcop can be too aggressive.

>     # reject_rbl_client bl.spamcannibal.org #blocked charles
>     reject_rbl_client intercept.datapacket.net
>     reject_rbl_client spamtrap.drbl.drand.net
>     # reject_rbl_client dnsbl.ahbl.org #blocked godaddy
>     reject_rbl_client dnsbl-1.uceprotect.net
>     reject_rbl_client bhnc.njabl.org
>     reject_rbl_client dnsbl.njabl.org
>     #larder RBLs with some non-automation and larger ranges of IPs
>     # reject_rbl_client dnsbl.sorbs.net #(blocked fedora)
>     # reject_rbl_client dnsbl-2.uceprotect.net
>     reject_rbl_client dnsbl-3.uceprotect.net
>     reject_rbl_client zen.spamhaus.org
>     # reject_rbl_client
>     # reject_rbl_client dnsbl-2.uceprotect.net,
>     # check_policy_service unix:private/spfpolicy
>     # check_policy_service inet:127.0.0.1:10023
>     permit
>
> strict_rfc821_envelopes = yes
> smtpd_reject_unlisted_sender = yes

Alexander
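
The two objections raised in the reply above (4xx reject codes, and the same restriction listed in more than one smtpd_*_restrictions list while smtpd_delay_reject is on) can be checked mechanically. This is an added example, not part of the original thread or of Postfix; `parse_main_cf`, `restrictions`, `lint` and `TAKES_ARG` are names made up for it, and the sample config is a constructed, abridged version of the one quoted.

```python
import re
from collections import defaultdict

# Constructed sample: abridged main.cf in the shape of the config quoted in the thread.
SAMPLE_MAIN_CF = """\
maps_rbl_reject_code = 450
smtpd_delay_reject = yes
smtpd_sender_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    # reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    permit
"""
TAKES_ARG = {"reject_rbl_client", "check_policy_service"}  # subset used in the thread

def parse_main_cf(text):
    """Join continuation lines (leading whitespace) and skip blank/comment lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        else:
            name, _, value = (part.strip() for part in raw.partition("="))
            params[name] = value
    return params

def restrictions(value):
    """Split a restriction list, keeping one-argument restrictions with their argument."""
    tokens = iter(t for t in re.split(r"[,\s]+", value) if t)
    return [f"{t} {next(tokens, '')}".strip() if t in TAKES_ARG else t for t in tokens]

def lint(text):
    params, findings, seen = parse_main_cf(text), [], defaultdict(list)
    for name, value in params.items():
        if name.endswith("_reject_code") and value.startswith("4"):
            findings.append(f"{name} = {value}: temporary reply, senders will retry")
        elif re.fullmatch(r"smtpd_\w+_restrictions", name):
            for r in (r for r in restrictions(value) if not r.startswith("permit")):
                seen[r].append(name)
    if params.get("smtpd_delay_reject", "yes") == "yes":  # Postfix default is yes
        findings += [f"{r}: listed in {', '.join(w)}" for r, w in seen.items() if len(w) > 1]
    return findings
```

Calling `lint()` on the text of a real main.cf returns one line per finding; on the sample it reports the 450 reject code and the two recipient checks that appear in both lists.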