Discussion:
Recipient address rejected: Domain not found
Michael Fox
2015-01-19 20:12:34 UTC
I have a question about the situation where postfix receives a connection
from a client trying to send to an invalid recipient address such as
***@nohow.noway.org.

Currently, postfix responds with:

450 4.1.2 <***@nohow.noway.org>: Recipient address rejected: Domain not found

What seems reasonable to me is the following:

-- If postfix receives a response from DNS that the domain does not exist,
then reject with 550

-- Otherwise, delay with 450 (DNS failure, etc.)

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient says one
can use unverified_recipient_reject_code to change the 450 (temporary)
failure to a 550 (permanent) failure "when you trust Postfix's judgments".

As a newbie, I'm cautious about changing values from their default because
I'm sure the default was chosen for a reason. But I don't know why the default
would be to send back a temporary failure (450) if we get an answer from DNS
that the domain doesn't exist. It seems like this needlessly leaves the
message in the client's queue, where it tries to send over and over, just
because maybe the domain might exist sometime in the future. But I'm a
newbie and certainly don't know what all of the subtleties and unintended
consequences would be if I were to change "unverified_recipient_reject_code"
to 550.

So:

1) Can someone explain what "when you trust Postfix's judgments" means,
specifically?

2) What do you gurus do/recommend with "unverified_recipient_reject_code"?

3) If you do recommend changing "unverified_recipient_reject_code" to 550,
is there anything to watch out for?

Thanks much,

Michael
l***@rhsoft.net
2015-01-19 20:20:43 UTC
Post by Michael Fox
I have a question about the situation where postfix receives a
connection from a client trying to send to an invalid recipient address
found
-- If postfix receives a response from DNS that the domain does not
exist, then reject with 550
-- Otherwise, delay with 450 (DNS failure, etc.)
nonsense - your own incoming server doesn't need to depend on DNS to guess
what RCPT's are valid - in other words: don't list
"reject_unknown_recipient_domain" on top

reject_unauth_destination
reject_unlisted_recipient

before should reject the invalid RCPT independent of any DNS query
Viktor Dukhovni
2015-01-19 20:43:13 UTC
Turn off the default safety net, I have:

unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

I've left plaintext_reject_code at its default value. See:

http://www.postfix.org/postconf.5.html#unknown_address_reject_code
http://www.postfix.org/postconf.5.html#unknown_client_reject_code
http://www.postfix.org/postconf.5.html#unknown_hostname_reject_code
http://www.postfix.org/postconf.5.html#unverified_recipient_reject_code
http://www.postfix.org/postconf.5.html#unverified_sender_reject_code
Post by Michael Fox
-- If postfix receives a response from DNS that the domain does not exist,
then reject with 550
That's the behaviour without the safety net.
Post by Michael Fox
-- Otherwise, delay with 450 (DNS failure, etc.)
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient says one
can use unverified_recipient_reject_code to change the 450 (temporary)
failure to a 550 (permanent) failure "when you trust Postfix's judgments".
The reject_codes should be changed in production systems once the
configuration is otherwise correct.
Post by Michael Fox
As a newbie, I'm cautious about changing values from their default because
I'm sure the default was chosen for a reason.
In this case an initial deployment safety net, that should be removed once
the configuration is believed correct.
Post by Michael Fox
1) Can someone explain what "when you trust Postfix's judgments" means,
specifically?
Your DNS is not broken. Your main.cf settings are not broken.
Post by Michael Fox
2) What do you gurus do/recommend with "unverified_recipient_reject_code"?
See above.
Post by Michael Fox
3) If you do recommend changing "unverified_recipient_reject_code" to 550,
is there anything to watch out for?
Rejection of mail you wanted accepted, but the best time to watch
out for that is while the safety net is still in place.
--
Viktor.
Noel Jones
2015-01-19 20:49:17 UTC
Post by Michael Fox
I have a question about the situation where postfix receives a
connection from a client trying to send to an invalid recipient
not found
This is really a different question... In your example above, the
recipient DOMAIN does not exist.
http://www.postfix.org/postconf.5.html#reject_unknown_recipient_domain
Post by Michael Fox
-- If postfix receives a response from DNS that the domain does not
exist, then reject with 550
-- Otherwise, delay with 450 (DNS failure, etc.)
Yes, that is what postfix does.
Post by Michael Fox
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
says one can use unverified_recipient_reject_code to change the 450
(temporary) failure to a 550 (permanent) failure “when you trust
Postfix’s judgments”.
This is for when your local USER does not exist. Don't use address
verification for remote domains.
Post by Michael Fox
1) Can someone explain what “when you trust Postfix’s judgments”
means, specifically?
When you have postfix configured correctly such that you're not
getting unexpected "not found" errors. This is an installation
safety net and should be changed when things are working correctly.
Post by Michael Fox
2) What do you gurus do/recommend with
“unverified_recipient_reject_code”?
Set to 550 after your config is working. There are other
*_reject_code settings that default to 450 for installation. Change
them to 550 after postfix is working. The things to look out for
are problems related to DNS and chroot.
Post by Michael Fox
3) If you do recommend changing “unverified_recipient_reject_code”
to 550, is there anything to watch out for?
Before changing to 550, check logs for unexpected 450 rejects.

-- Noel Jones
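
The log check suggested above (look for unexpected 450 rejects before switching the *_reject_code settings to 550) can be scripted. This is an added example, not part of the thread: the log lines are constructed in the usual Postfix smtpd `NOQUEUE: reject` layout, and the function name `summarize_450` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread or from a real server).
SAMPLE_LOG = """\
Jan 19 20:10:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from client.example.com[192.0.2.10]: 450 4.1.2 <bob@nohow.noway.example>: Recipient address rejected: Domain not found; from=<alice@example.com> to=<bob@nohow.noway.example> proto=ESMTP helo=<client.example.com>
Jan 19 20:11:15 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from client.example.com[192.0.2.10]: 450 4.1.2 <bob@nohow.noway.example>: Recipient address rejected: Domain not found; from=<alice@example.com> to=<bob@nohow.noway.example> proto=ESMTP helo=<client.example.com>
Jan 19 20:12:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@example.net> to=<carol@example.org> proto=ESMTP helo=<mail.example.net>
Jan 19 20:13:02 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from relay.example.net[203.0.113.5]: 554 5.7.1 <dave@example.org>: Relay access denied; from=<y@example.net> to=<dave@example.org> proto=ESMTP helo=<relay.example.net>
Jan 19 20:14:30 mx postfix/smtpd[2110]: 3F2A1C0D: client=client.example.com[192.0.2.10]
"""

# One smtpd reject record: client, reply code, enhanced status, text, envelope.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def summarize_450(log_text):
    """Count 450 rejects per (reason, recipient domain).

    These are the rejects that become permanent bounces once the
    *_reject_code settings are raised to 550, so each distinct reason
    should be one the administrator expects.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("code") != "450":
            continue
        # Drop the leading "<address>: " so identical reasons group together.
        reason = re.sub(r"^<[^>]*>: ", "", m.group("text"))
        domain = m.group("rcpt").rpartition("@")[2].lower()
        counts[(reason, domain)] += 1
    return counts

if __name__ == "__main__":
    for (reason, domain), n in summarize_450(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {domain:25s}  {reason}")
```

Any reason in the output that is not expected (for example a "Domain not found" for a domain known to exist) points at the DNS or chroot problems mentioned above and should be resolved while the replies are still temporary.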
Michael Fox
2015-01-20 00:42:56 UTC
Thanks Viktor. This is exactly what I was looking for.

Thanks Noel: yes, I messed up and wrote the wrong parameter. Yes,
reject_unknown_recipient_domain is what I meant. But thanks for the
additional details.

Thanks ***@rhsoft.net: I didn't make it clear that I was referring to
outgoing, not incoming. Hence the reference to DNS. But thanks for
responding.

I've got what I need, now. Thanks all.

Michael