
Recipient address rejected: Domain not found


Michael Fox

Jan 19, 2015, 3:13:09 PM

I have a question about the situation where postfix receives a connection from a client trying to send to an invalid recipient address such as us...@nohow.noway.org.

Currently, postfix responds with:

450 4.1.2 <us...@nohow.noway.org>: Recipient address rejected: Domain not found

What seems reasonable to me is the following:

-- If postfix receives a response from DNS that the domain does not exist, then reject with 550

-- Otherwise, delay with 450 (DNS failure, etc.)

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient says one can use unverified_recipient_reject_code to change the 450 (temporary) failure to a 550 (permanent) failure “when you trust Postfix’s judgments”.

As a newbie, I’m cautious about changing values from their default because I’m sure the default was chosen for a reason. But, I don’t know why the default would be to send back a temporary failure (450) if we get an answer from DNS that the domain doesn’t exist. It seems like this needlessly leaves the message in the client’s queue, where it tries to send over and over, just because maybe the domain might exist sometime in the future. But I’m a newbie and certainly don’t know what all of the subtleties and unintended consequences would be if I were to change “unverified_recipient_reject_code” to 550.

So:

1)  Can someone explain what “when you trust Postfix’s judgments” means, specifically?

2)  What do you gurus do/recommend with “unverified_recipient_reject_code”?

3)  If you do recommend changing “unverified_recipient_reject_code” to 550, is there anything to watch out for?

Thanks much,

Michael


li...@rhsoft.net

Jan 19, 2015, 3:21:05 PM


On 19.01.2015 at 21:12, Michael Fox wrote:
> I have a question about the situation where postfix receives a
> connection from a client trying to send to an invalid recipient address
> such as us...@nohow.noway.org.
>
> Currently, postfix responds with:
>
> 450 4.1.2 <us...@nohow.noway.org>: Recipient address rejected: Domain not
> found
>
> What seems reasonable to me is the following:
>
> -- If postfix receives a response from DNS that the domain does not
> exist, then reject with 550
>
> -- Otherwise, delay with 450 (DNS failure, etc.)

nonsense - your own incoming server doesn't need to depend on DNS to guess
what RCPT's are valid - in other words: don't list
"reject_unknown_recipient_domain" on top

reject_unauth_destination
reject_unlisted_recipient

before should reject the invalid RCPT independent of any DNS query

Viktor Dukhovni

Jan 19, 2015, 3:43:37 PM
On Mon, Jan 19, 2015 at 12:12:34PM -0800, Michael Fox wrote:

> 450 4.1.2 <us...@nohow.noway.org>: Recipient address rejected: Domain not found

Turn off the default safety net, I have:

unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

I've left plaintext_reject_code at its default value. See:

http://www.postfix.org/postconf.5.html#unknown_address_reject_code
http://www.postfix.org/postconf.5.html#unknown_client_reject_code
http://www.postfix.org/postconf.5.html#unknown_hostname_reject_code
http://www.postfix.org/postconf.5.html#unverified_recipient_reject_code
http://www.postfix.org/postconf.5.html#unverified_sender_reject_code

> What seems reasonable to me is the following:
>
> -- If postfix receives a response from DNS that the domain does not exist,
> then reject with 550

That's the behaviour without the safety net.

> -- Otherwise, delay with 450 (DNS failure, etc.)
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient says one
> can use unverified_recipient_reject_code to change the 450 (temporary)
> failure to a 550 (permanent) failure "when you trust Postfix's judgments".

The reject_code's should be changed in production systems once the
configuration is otherwise correct.

> As a newbie, I'm cautious about changing values from their default because
> I'm sure the default was chosen for a reason.

In this case an initial deployment safety net, that should be removed once
the configuration is believed correct.

> 1) Can someone explain what "when you trust Postfix's judgments" means,
> specifically?

Your DNS is not broken. Your main.cf settings are not broken.

> 2) What do you gurus do/recommend with "unverified_recipient_reject_code"?

See above.

> 3) If you do recommend changing "unverified_recipient_reject_code" to 550,
> is there anything to watch out for?

Rejection of mail you wanted accepted, but the best time to watch
out for that is while the safety net is still in place.

--
Viktor.

Noel Jones

Jan 19, 2015, 3:49:39 PM
On 1/19/2015 2:12 PM, Michael Fox wrote:
> I have a question about the situation where postfix receives a
> connection from a client trying to send to an invalid recipient
> address such as us...@nohow.noway.org.
>
> Currently, postfix responds with:
>
> 450 4.1.2 <us...@nohow.noway.org>: Recipient address rejected: Domain
> not found


This is really a different question... In your example above, the
recipient DOMAIN does not exist.
http://www.postfix.org/postconf.5.html#reject_unknown_recipient_domain

> What seems reasonable to me is the following:
>
> -- If postfix receives a response from DNS that the domain does not
> exist, then reject with 550
>
> -- Otherwise, delay with 450 (DNS failure, etc.)

Yes, that is what postfix does.


>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> says one can use unverified_recipient_reject_code to change the 450
> (temporary) failure to a 550 (permanent) failure “when you trust
> Postfix’s judgments”.

This is for when your local USER does not exist. Don't use address
verification for remote domains.


>
> 1) Can someone explain what “when you trust Postfix’s judgments”
> means, specifically?

When you have postfix configured correctly such that you're not
getting unexpected "not found" errors. This is an installation
safety net and should be changed when things are working correctly.


>
> 2) What do you gurus do/recommend with
> “unverified_recipient_reject_code”?

Set to 550 after your config is working. There are other
*_reject_code settings that default to 450 for installation. Change
them to 550 after postfix is working. The things to look out for
are problems related to DNS and chroot.

> 3) If you do recommend changing “unverified_recipient_reject_code”
> to 550, is there anything to watch out for?

Before changing to 550, check logs for unexpected 450 rejects.





-- Noel Jones
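
A log check of the kind recommended above ("check logs for unexpected 450 rejects"), as an added example that is not part of the original thread. It assumes the usual Postfix smtpd reject-log layout; the sample lines are constructed, and `known_good_domains` is a hypothetical parameter listing domains you know should resolve.

```python
import re
from collections import Counter

# Constructed sample lines in the usual Postfix smtpd reject-log layout (not from the thread).
SAMPLE_LOG = """\
Jan 19 12:12:34 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from client.example[192.0.2.10]: 450 4.1.2 <user@nohow.example>: Recipient address rejected: Domain not found; from=<a@sender.example> to=<user@nohow.example> proto=ESMTP helo=<client.example>
Jan 19 12:40:02 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from client.example[192.0.2.10]: 450 4.1.2 <bob@partner.example>: Recipient address rejected: Domain not found; from=<a@sender.example> to=<bob@partner.example> proto=ESMTP helo=<client.example>
Jan 19 13:05:47 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@sender.example> to=<carol@example.org> proto=ESMTP helo=<host7>
Jan 19 13:09:11 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from client.example[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@sender.example> to=<nobody@example.org> proto=ESMTP helo=<client.example>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \S+ reject: \S+ from (?P<client>\S+): "
    r"(?P<code>\d{3}) \d\.\d+\.\d+ (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def audit_soft_rejects(log_text, known_good_domains=()):
    """Return (Counter of 450 reasons, 450 'Domain not found' hits on known-good domains)."""
    known = {d.lower() for d in known_good_domains}
    reasons, unexpected = Counter(), []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m["code"] != "450":
            continue  # only the soft rejects that would become permanent at 550
        # Drop the leading "<address>: " and a trailing ", [ip]" so equal causes group together.
        reason = re.sub(r"^<[^>]*>: ", "", m["text"])
        reason = re.sub(r", \[[^\]]*\]$", "", reason)
        reasons[reason] += 1
        rcpt_domain = m["rcpt"].rpartition("@")[2].lower()
        if reason.endswith("Domain not found") and rcpt_domain in known:
            # A domain you know exists was reported missing: look at DNS/chroot first.
            unexpected.append((m["client"], m["rcpt"], reason))
    return reasons, unexpected


if __name__ == "__main__":
    reasons, unexpected = audit_soft_rejects(SAMPLE_LOG, {"partner.example"})
    for reason, n in reasons.most_common():
        print(f"{n:4d}  450  {reason}")
    for client, rcpt, reason in unexpected:
        print(f"REVIEW before switching to 550: {rcpt} from {client}: {reason}")
```

Any entry in the second list is mail that would have bounced outright with the 550 codes in place, so resolve those before removing the safety net.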

Michael Fox

Jan 19, 2015, 7:43:39 PM
Thanks Viktor. This is exactly what I was looking for.

Thanks Noel: yes, I messed up and wrote the wrong parameter. Yes,
reject_unknown_recipient_domain is what I meant. But thanks for the
additional details.

Thanks li...@rhsoft.net: I didn't make it clear that I was referring to
outgoing, not incoming. Hence the reference to DNS. But thanks for
responding.

I've got what I need, now. Thanks all.

Michael

