8

Our postfix sometimes rejects emails. I see this error in our postfix log (/var/log/mail.log):

Feb  9 16:16:33 sd-15xxx postfix/smtpd[1972]: NOQUEUE: reject: RCPT from
    unknown[x.x.x.x]: 450 4.7.1 Client host rejected: cannot find your hostname,
    [x.x.x.x]; from=<someone@sender.com> to=<someone.else@my-domain.com>
    proto=ESMTP helo=<smtp.sender.com>

Here is my postconf -n :

append_dot_mydomain = yes
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mydestination = localhost, localhost.localdomain, sd-15xxx.dedibox.fr
mydomain = my-domain.com
myhostname = my-domain.com
mynetworks = 127.0.0.0/8 192.168.0.0/24 y.y.y.y <our server IP address>
relayhost = 
smtpd_banner = $myhostname ESMTP (Debian/GNU)
smtpd_client_restrictions = reject_unknown_client,
    permit_mynetworks
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain,
    warn_if_reject reject_unverified_sender
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_aliases.cf,mysql:/etc/postfix/mysql-virtual_aliases_mailbox.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000

It doesn't occur often, but it could have serious consequences if we missed an important email.

Do you see where this problem comes from? Is it a problem of configuration or a reverse DNS problem (as I read somewhere)?

Here is the result of nslookup x.x.x.x :

41.180.106.89.in-addr.arpa  name = Smtp16.sender.com.

Authoritative answers can be found from:
180.106.89.in-addr.arpa nameserver = dns2.iland.com.
180.106.89.in-addr.arpa nameserver = dns3.iland.com.
180.106.89.in-addr.arpa nameserver = dns1.iland.com.
dns1.iland.com  internet address = 65.57.248.5
dns2.iland.com  internet address = 63.211.182.4
dns3.iland.com  internet address = 64.154.20.10

and the result of dig x.x.x.x :

; <<>> DiG 9.5.1-P3 <<>> x.x.x.x
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5920
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;x.x.x.x.           IN  A

;; AUTHORITY SECTION:
.           10800   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2010020901 1800 900 604800 86400

;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 10 13:45:54 2010
;; MSG SIZE  rcvd: 106

I don't even know if the problem comes from our side or from the sender side.

Alexis Wilke
  • Providing un-anonymized output would really help to determine the issue. If you feel like you can do that, please do. – Bill Weiss Feb 09 '10 at 19:59

2 Answers

12

This is caused by the reject_unknown_client instruction ( http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname )

Dominik
  • So I should comment out the 'reject_unknown_client' in smtpd_client_restrictions of /etc/postfix/main.cf, that's it? But why isn't it a sender restriction? –  Feb 10 '10 at 13:00
  • Ok, I commented it out and the email that was being rejected continuously has been accepted. I hope this security restriction wasn't too sensitive. –  Feb 10 '10 at 13:17
  • 2
    How about when the reverse DNS lookup clearly is returning the correct response (that is ANSWER SECTION), what could be the reason? – mfx May 20 '11 at 19:53
  • Also the `permit_mynetworks` should appear first in `smtpd_client_restrictions = reject_unknown_client, permit_mynetworks` — otherwise you could be blocking your own computers! – Alexis Wilke Feb 04 '17 at 18:47
5

That's because the IP address sending the email (x.x.x.x in your case) isn't returning a valid reverse DNS entry - either because there isn't a PTR record on their name server giving a valid hostname or because your DNS lookups are failing. The first thing to try is 'nslookup x.x.x.x' to see what you get.

WheresAlice
  • nslookup gives : Non-authoritative answer: 41.180.a.b.in-addr.arpa name = smtp16.sender.com. Authoritative answers can be found from: 180.106.89.in-addr.arpa nameserver = dns2.iland.com. 180.106.89.in-addr.arpa nameserver = dns1.iland.com. 180.106.89.in-addr.arpa nameserver = dns3.iland.com. dns1.iland.com internet address = 65.57.a.b dns2.iland.com internet address = 63.211.d.e dns3.iland.com internet address = 64.154.f.g Is it ok? –  Feb 09 '10 at 18:01
  • Can you show the output of "dig x.x.x.x"? Edit your question and put it there instead of as a comment so that formatting can be retained. – Bill Weiss Feb 09 '10 at 18:50
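
Added example (not part of the original question or answers): the Postfix documentation for reject_unknown_client_hostname lists three rejection cases: the address->name lookup fails, the name->address lookup fails, or the name->address result does not match the client IP. The sketch below reproduces that forward-confirmed reverse DNS check so you can tell which case applies, which also covers the situation where a PTR record exists but the client is still rejected. The function names and the sample records are hypothetical and constructed for illustration.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR lookup through the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; returns a set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_client(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (verdict, detail) mirroring the three documented failure cases."""
    client = ipaddress.ip_address(ip)
    name = ptr_lookup(ip)
    if not name:
        return ("no_ptr", "address->name lookup failed")
    addrs = forward_lookup(name)
    if not addrs:
        return ("no_forward", f"{name} has no address record")
    if client not in {ipaddress.ip_address(a) for a in addrs}:
        return ("mismatch", f"{name} resolves to {sorted(addrs)}, not {ip}")
    return ("ok", name)


# Constructed sample records (documentation address ranges), not from the page.
SAMPLE_PTR = {"192.0.2.10": "mail.example.org",
              "192.0.2.20": "smtp.example.net",
              "192.0.2.30": "orphan.example.com"}
SAMPLE_A = {"mail.example.org": {"192.0.2.10"},
            "smtp.example.net": {"198.51.100.7"}}


def sample_forward(name):
    return SAMPLE_A.get(name, set())


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(addr, classify_client(addr, SAMPLE_PTR.get, sample_forward))
```

Calling `classify_client("x.x.x.x")` with the default resolvers on the mail server itself uses the same resolver path the host is configured with, so a "no_ptr" result there while an external resolver returns a PTR points at local DNS rather than the sender.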