Scenario:
This has been a production mailserver for 4 years, with around 2000 mailboxes on ~50 domains, and works well with almost any other mailserver. Logs are constantly watched and the following issue arose recently.
Edit 1: Ubuntu 16.04.6 - postfix (3.1.0-3ubuntu0.3)
Issue:
There is a mailserver that seems unable to deliver mail to this system.
It fails with 4.7.25 Client host rejected.
NOQUEUE: reject: RCPT from unknown[159.135.224.3]: 450 4.7.25 Client host rejected: cannot find your hostname, [159.135.224.3]
That's how I configured postfix, as I want to avoid relayers without a reverse DNS record.
root@mail:~# grep restrictions /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/policy-spf
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/client_access, reject_unknown_client_hostname
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
BUT it has a valid one; test executed locally on the mailserver:
DNS tests on 159.135.224.3
root@mail:~# nslookup 159.135.224.3
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
3.224.135.159.in-addr.arpa name = relay.teamgioia.it.
Authoritative answers can be found from:
root@mail:~# dig 159.135.224.3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> 159.135.224.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23656
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;159.135.224.3. IN A
;; AUTHORITY SECTION:
. 10165 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019083000 1800 900 604800 86400
;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 30 12:18:21 CEST 2019
;; MSG SIZE rcvd: 117
In resolv.conf:
nameserver 1.1.1.1
nameserver 1.0.0.1
Questions:
Why isn't reject_unknown_client_hostname working as I expect?
If that's not this server's fault but the sender's fault, how can I whitelist some senders so that their mail isn't rejected?
Could you also explain or speculate what their fault is?
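On the whitelisting part of the question: the posted smtpd_sender_restrictions already consult check_client_access hash:/etc/postfix/client_access before reject_unknown_client_hostname, so an OK entry for the client IP in that map makes Postfix stop evaluating that restriction list before the hostname check is reached (the other restriction lists still apply). The script below is an added example, not part of the original post or of Postfix itself; it assumes the map path from the posted main.cf, takes the client IP from the posted log line as its sample value, and the postmap/postfix reload step needs root.

```shell
#!/bin/sh
# Added example (not from the original post): add one client IP to the
# check_client_access hash map that the posted smtpd_sender_restrictions
# evaluate before reject_unknown_client_hostname. "OK" ends evaluation of
# that one restriction list; recipient/helo restrictions still run.

# Map path from the posted main.cf (override with the CLIENT_ACCESS variable).
CLIENT_ACCESS=${CLIENT_ACCESS:-/etc/postfix/client_access}

# Validate a dotted-quad IPv4 address (each octet 0-255). Returns 0 if valid.
valid_ipv4() {
    echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Append "<ip> OK" to map file $2 unless an entry for that IP already exists.
# Returns 0 when the file contains the entry afterwards, 1 on an invalid address.
whitelist_client() {
    ip=$1
    map=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    touch "$map"
    # Escape the dots so grep -E matches the literal address at line start.
    if grep -Eq "^$(echo "$ip" | sed 's/\./\\./g')[[:space:]]" "$map"; then
        echo "$ip already present in $map"
    else
        echo "$ip OK" >> "$map"
        echo "added '$ip OK' to $map"
    fi
    return 0
}

# Rebuild the .db file next to the map and make smtpd pick it up.
rebuild_map() {
    postmap "hash:$1" && postfix reload
}

# Usage: ./whitelist_client.sh 159.135.224.3
if [ "$#" -gt 0 ]; then
    whitelist_client "$1" "$CLIENT_ACCESS" && rebuild_map "$CLIENT_ACCESS"
fi
```

The entry format "client OK" is the standard access(5) table format; since this map sits in smtpd_sender_restrictions, the whitelist only bypasses the sender-stage checks, and an explicit entry per relay IP is safer than loosening reject_unknown_client_hostname for everyone.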
The IP addresses don't match the domain lookup.
Quote from the documentation:
If you look up the client IP address, then look up the resolved DNS name again and compare those:
You see that the original IP address does not match the DNS-resolved addresses. That's why it fails the check.
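To reproduce the comparison the answer describes, here is an added example script (not part of the original post, the answer, or Postfix) that performs the forward-confirmed reverse DNS check the way reject_unknown_client_hostname does: PTR lookup with dig -x, then A/AAAA lookup of the PTR name, then a comparison against the client IP. The live lookups need network access and dig; the comparison step is a separate function so it can be exercised with constructed inputs. The sample IP is the one from the posted log line.

```shell
#!/bin/sh
# Added example (not from the original post): the forward-confirmed reverse DNS
# (FCrDNS) test behind Postfix's reject_unknown_client_hostname. Postfix rejects
# the client when (1) there is no PTR record, (2) the PTR name has no A/AAAA
# record, or (3) none of those addresses equals the client IP. Case (1) alone is
# what reject_unknown_reverse_client_hostname tests, which is why a valid PTR
# is not enough on its own.

# Pure comparison step: returns 0 when $1 (client IP) appears in the
# whitespace-separated list $2 (addresses the PTR name resolves to).
forward_confirmed() {
    ip=$1
    addrs=$2
    for a in $addrs; do
        [ "$a" = "$ip" ] && return 0
    done
    return 1
}

# Full check against live DNS with dig (needs network access). Prints a verdict
# and returns 0 only when the client would pass reject_unknown_client_hostname.
fcrdns_check() {
    ip=$1
    # dig +short -x prints the PTR target with a trailing dot; strip it.
    ptr=$(dig +short -x "$ip" | sed 's/\.$//' | head -n 1)
    if [ -z "$ptr" ]; then
        echo "$ip: no PTR record (fails reject_unknown_reverse_client_hostname)"
        return 1
    fi
    # Forward-resolve the PTR name; a host may have only A or only AAAA.
    fwd=$(dig +short A "$ptr"; dig +short AAAA "$ptr")
    if [ -z "$fwd" ]; then
        echo "$ip: PTR $ptr has no A/AAAA record (fails reject_unknown_client_hostname)"
        return 1
    fi
    if forward_confirmed "$ip" "$fwd"; then
        echo "$ip: PTR $ptr resolves back to $ip (passes reject_unknown_client_hostname)"
        return 0
    fi
    echo "$ip: PTR $ptr resolves to [$(echo "$fwd" | tr '\n' ' ')] but not to $ip (fails reject_unknown_client_hostname)"
    return 1
}

# Usage: ./fcrdns_check.sh 159.135.224.3
if [ "$#" -gt 0 ]; then
    fcrdns_check "$1"
fi
```

Note that the posted "dig 159.135.224.3" asks for an A record of a name spelled like the address, which is why it returns NXDOMAIN; the reverse lookup is "dig -x", and the third step (forward-resolving relay.teamgioia.it and comparing) is the one the answer says fails. Postfix only prints the client name instead of "unknown" in its log line when all three steps succeed, so "unknown[159.135.224.3]" in the posted log is itself the symptom of the mismatch.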