How do I block an SMTP connection when I determine the sender's MX record will reject mail?
That is, if the advertised (MX record) way to send mail back to the domain will in fact not work, I want to reject the incoming SMTP connection.
I'm administering a mail service for a small business. They have a mail host, foo.example.org, whose internet connection is an ADSL service with a permanent IP address.
Unfortunately, many mail systems are misconfigured in the following way:
- the sending host, bar.example.com, will happily deliver to foo.example.org, and
- the DNS for bar.example.com has an MX record listing the host (mail.example.com) to which mail should be directed for that domain; but
- the specified host mail.example.com rejects SMTP connections from foo.example.org.
So the declared sender's domain has an MX which refuses to receive connections from this host. That misconfiguration makes their system a one-way mail sender, which is a problem.
Note that I'm not, as some commenters have assumed, talking about hosts which only send mail; that's not the problem. The misconfiguration is in that domain's mail system, declaring a sender domain for the message when that domain's MX won't accept SMTP connections from the domain to which you're sending.
I have also confirmed the DNS configuration is correct (with A and PTR records that map correctly both ways) and confirmed the host's IP address is not blacklisted in many of the reputable blacklist services, with helpful links from JohnnyD.
Those mail systems that are rejecting this host seem to be doing so primarily because it's on an ADSL service, regardless of the fact that it has a permanently-assigned IP address and is not listed in reputable lists of dynamic IP addresses (because it's a permanently-assigned address).
How can I configure Postfix on this customer's mail host to refuse SMTP sessions that declare a sender domain which itself refuses SMTP from this host? That is, if the SMTP client declares a domain that we can't make SMTP connections back to, then there's not much point accepting the incoming connection in the first place.
I'm imagining a late check (after the low-cost checks to winnow most of the rubbish connections) that keeps the client on the other end while it attempts an SMTP client connection back to the declared domain of the sender. If that connection is rejected, the incoming one is also rejected.
Yes, that means some mail might be blocked. But that's better than accepting the message, and then not having a way to reply or tell the sender there's a problem at their end. By blocking the message at SMTP time, the sender will at least receive prompt notification, which isn't the case now.
I'm also open to other suggestions for how this problem might be addressed (short of not using this mail host, which isn't an option).
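An added example (not code from the question or any of the answers) of the check the question proposes, written as a Postfix check_policy_service policy server: Postfix hands it the MAIL FROM sender over its policy-delegation protocol, the server looks up the sender domain's MX hosts and tries an SMTP connection back to them, and it answers DUNNO, REJECT or DEFER_IF_PERMIT. It assumes dnspython for the default MX lookup; the resolver and the probe are injectable parameters so the decision logic can be exercised without network access, and connection failures are deferred rather than rejected because a timeout is not evidence that the other MX refuses this host.

```python
import socket
import sys

def parse_policy_request(lines):
    """One Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def resolve_mx_dnspython(domain):
    """Default MX lookup, hosts ordered by preference (assumes dnspython >= 2.0)."""
    import dns.resolver  # lazy import so the module loads without dnspython
    try:
        answers = dns.resolver.resolve(domain, "MX")
    except Exception:
        return []
    return [str(r.exchange).rstrip(".") for r in sorted(answers, key=lambda r: r.preference)]

def probe_smtp(host, port=25, timeout=5.0):
    """Connect like an SMTP client: 'ok' on a 2xx banner, 'refused' on any other banner, 'unreachable' on no connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace")
    except OSError:
        return "unreachable"
    return "ok" if banner.startswith("2") else "refused"

def decide(attrs, resolve_mx=resolve_mx_dnspython, probe=probe_smtp):
    sender = attrs.get("sender", "")
    if attrs.get("request") != "smtpd_access_policy" or "@" not in sender:
        return "action=DUNNO"  # null sender (bounces) and other request types: pass to the next restriction
    domain = sender.rsplit("@", 1)[1].lower()
    hosts = resolve_mx(domain)
    if not hosts:
        return "action=DUNNO"  # no MX at all: leave that to reject_unknown_sender_domain
    results = [probe(h) for h in hosts]
    if "ok" in results:
        return "action=DUNNO"
    if "refused" in results:  # their MX actively refuses us: reject now, at SMTP time, not after
        return "action=REJECT 550 5.7.1 MX for %s refuses mail from this host" % domain
    return "action=DEFER_IF_PERMIT 450 4.4.1 MX for %s unreachable" % domain  # transient: retry later

if __name__ == "__main__":  # run by Postfix spawn(8): requests on stdin, replies on stdout
    for attrs in iter(lambda: parse_policy_request(sys.stdin), {}):
        print(decide(attrs), end="\n\n", flush=True)
```

Wire it in with a spawn entry in master.cf and `check_policy_service unix:private/<your-service-name>` placed late in smtpd_sender_restrictions, after the cheap reject_rbl_client and reject_non_fqdn checks, since every request costs an outbound connection attempt.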
I would start by doing a thorough check of all composite blocking lists:
- MyIpTest.com
- Barracuda Central
- Anti-Abuse Project - enter IP in Multi-RBL Check textbox on right
- UCEProtect-Network
Let me know how you make out.
What do you suppose is the most parsimonious explanation:
I'm leaning toward the second option. Even if it were the first, it's still bad form to punish the other networks for daring to not accept mail from you. Wouldn't it be more productive to find out the root of the problem?
I suspect that one or both of the following are true:
Doing what you propose here will likely eventually result in you no longer receiving email from the biggest and most widely used domains in the world (gmail, hotmail, yahoo, etc.).
The first thing I'd try is to make sure the PTR record for your IP matches your domain, and does not resolve to something like "user1235.big-isp-adsl-for-the-masses.com".
But ultimately, and I know this answer sucks, I think the only thing you are going to be able to do to properly send to those domains that currently reject you is to get a new IP address for your mail host. I know, it isn't fair. And I strongly urge you to fight the good fight. But when you get tired of your mail getting lost sporadically, then I think you'll decide that getting a new IP is what you've gotta do (or bite the bullet and move to a different server/host that works).
You could use ppolicy to add new policies. You will probably need to write your own module, but it should be doable.
https://bimbo.fjfi.cvut.cz/ppolicy/browser/trunk/README
Check http://www.spamhaus.org/pbl/ list.
If it is there, and it is a static address, you will be able to remove it.
Spamhaus and/or greylisting will drop most of the problem addresses. Requiring FQDN in the helo/ehlo messages will catch a lot of the rest.
Dropping messages from servers which don't accept messages won't work if they also do the same. There are a number of legitimate senders who don't accept bounce messages after the fact.
Bounce the message during the connection not afterwards or you will contribute to SPAM through backscatter.
DNS and rDNS need to agree for your server. If your address is listed as dynamic at Spamhaus, you will be refused by a large number of servers, mine included.
Can you set up your mailserver to pass all outbound mail to an upstream host (at the ISP, or a separate paid service) that's not blacklisted?
Does your customer know you're proposing/working on an approach that's going to result in them not getting inbound E-mail from their customers? I think the "bounce mail from people who discriminate against ADSL SMTP senders" policy is going to cause confusion for your customer (who will get phone calls asking about the bounces) and ultimately make their system(s) less useful, which is hard to justify.
I VERY strongly recommend you find the freshest instructions for antispam, or your mail server will become spam-botted within 2 days.
And "refusing SMTP sessions that declare a sender domain which itself refuses SMTP" is not enough!
It's from my own experience :( (but for another mailer).
It dawned on me. You keep mentioning MX records, but those are not what you're looking for. The DNS feature you want to leverage is the TXT record with the SPF line.
https://en.wikipedia.org/wiki/Sender_Policy_Framework
This allows you to whitelist IPs that are allowed to send mail for that domain. But be careful, you can easily cut yourself off if you fail to whitelist your ISP's SMTP relay or if it changes.
And after knowing the name of what we want, finding articles is easy:
https://www.howtoforge.com/postfix_spf