
American Express’s mail servers are broken

Like a lot of American Express customers, Kelly and I receive email notifications from the company. Most of the time, these emails arrive with no trouble. Occasionally, though, they mysteriously fail.

We run our own mailserver, so I checked the log files to find out what might be happening. I found Postfix logging this message (and highlighted the important part):

Aug 17 01:23:45 maestro postfix/smtpd[22090]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 sppim501.ipc.us.aexp.com: Helo command rejected: Host not found; from=sppim504@welcome.aexp.com to=blahblah@blah.edu proto=ESMTP helo=sppim501.ipc.us.aexp.com

You see, I’ve configured Postfix to reject incoming email from servers that do not properly identify themselves. In my experience, 99.9% of the time an email arrives from a server that doesn’t identify itself, the email is spam. American Express’s servers are among the few legitimate servers that do not properly identify themselves as the email RFC requires. The host sppim501.ipc.us.aexp.com does not exist in DNS, so email from this server gets flagged as suspicious.

I’m hoping American Express gets its servers fixed but in the meantime I’ll have to create my own hostnames to keep their emails from bouncing.
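As an added example (my own code, not from the post or from Postfix), here is a small Python script that parses smtpd reject lines of the form shown above, keeps only the HELO rejections, re-checks whether each rejected HELO name resolves, and renders lines for a Postfix check_helo_access map for the names you have reviewed. That map is an alternative to creating local hostnames: it exempts a specific HELO name from reject_unknown_helo_hostname without touching DNS. The log lines below are constructed, the resolver is pluggable so the script runs offline, and getaddrinfo only approximates the address-record half of Postfix's "A or MX record" HELO check (an assumption noted in the code).

```python
import re
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample log lines modelled on the one in the post (not real traffic).
SAMPLE_LOG = """\
Aug 17 01:23:45 maestro postfix/smtpd[22090]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.7.1 sppim501.ipc.us.aexp.com: Helo command rejected: Host not found; from=sppim504@welcome.aexp.com to=blahblah@blah.edu proto=ESMTP helo=sppim501.ipc.us.aexp.com
Aug 17 01:24:10 maestro postfix/smtpd[22091]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.7.1 mail.example.invalid: Helo command rejected: Host not found; from=<promo@example.invalid> to=<blahblah@blah.edu> proto=ESMTP helo=<mail.example.invalid>
Aug 17 01:25:02 maestro postfix/smtpd[22092]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <winner@lottery.example>: Sender address rejected: Domain not found; from=<winner@lottery.example> to=<blahblah@blah.edu> proto=ESMTP helo=<lottery.example>
Aug 17 01:26:30 maestro postfix/smtpd[22093]: 1A2B3C4D5E: client=mx.example.net[203.0.113.5]
"""

# One smtpd NOQUEUE reject line. Angle brackets around addresses are optional because
# some log viewers (and the post above) strip them.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<?(?P<sender>[^> ]*)>? to=<?(?P<rcpt>[^> ]*)>? proto=\S+ helo=<?(?P<helo>[^>\s]*)>?"
)

Resolver = Callable[[str], bool]


def parse_rejects(log_text: str) -> List[Dict[str, str]]:
    """Extract the fields of every smtpd reject line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def helo_rejects(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the rejections caused by smtpd_helo_restrictions."""
    return [e for e in events if "Helo command rejected" in e["reason"]]


def default_resolver(name: str) -> bool:
    """Live check: does `name` have an address record?  Assumption: this approximates
    only the A/AAAA half of Postfix's reject_unknown_helo_hostname test (A or MX)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def unresolvable_helos(events: Iterable[Dict[str, str]],
                       resolver: Resolver = default_resolver) -> Dict[str, List[str]]:
    """Map each rejected HELO name that still does not resolve to the sender domains
    seen with it, so a human can decide which ones are legitimate but misconfigured."""
    out: Dict[str, List[str]] = {}
    for e in helo_rejects(events):
        helo = e["helo"].lower()
        if resolver(helo):
            continue  # resolves now: a transient DNS failure, nothing to exempt
        domain = e["sender"].rpartition("@")[2].lower()
        out.setdefault(helo, [])
        if domain and domain not in out[helo]:
            out[helo].append(domain)
    return out


def helo_access_entries(reviewed: Iterable[str], action: str = "OK") -> str:
    """Text-form check_helo_access map lines (feed to postmap) for names a human
    has reviewed; an OK entry skips the remaining smtpd_helo_restrictions only."""
    names = sorted(set(n.lower() for n in reviewed))
    return "".join(f"{n}\t{action}\n" for n in names)


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    # Offline demo: pretend nothing resolves, so every HELO rejection is listed.
    for helo, domains in unresolvable_helos(evs, resolver=lambda n: False).items():
        print(f"{helo}: unknown HELO, seen with sender domains {domains}")
    # After review, generate the exception for the one name from the post.
    print(helo_access_entries(["sppim501.ipc.us.aexp.com"]), end="")
```

To apply the rendered exception, put the lines in a file such as /etc/postfix/helo_access, run postmap on it, and list check_helo_access hash:/etc/postfix/helo_access before reject_unknown_helo_hostname in smtpd_helo_restrictions; only names a person has matched against an expected sender belong in that file.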

  1. I run postfix on my mail server, and I have a set of “access” rules that are applied to incoming mail before any other tests are applied.

    In the postfix documentation, take a look at smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_sender_restrictions, and smtpd_recipient_restrictions.

    In each of these cases, one of the first rules I apply is to look in my own white/black list tables. That way, I can flag a single sender as being OK to being banished forever.

    For example:

    smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_sender_access mysql:/etc/postfix/mysql_access_sender.cf,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

    And the access_sender table looks like this:

    mysql> select * from access_sender ;
    +----+-------------------+-----------------------+
    | id | sender            | result                |
    +----+-------------------+-----------------------+
    |  1 | masenc.com        | OK Mom’s office       |
    |  2 | mx01.net          | REJECT spam           |
    |  3 | mx02.net          | REJECT spam           |
    |  4 | mx03.net          | REJECT spam           |
    |  7 | tmio.com          | OK tmio               |
    |  8 | *.tmio.com        | OK tmio               |
    | 25 | baduser@gmail.edu | REJECT Bad user, IEEE |
    +----+-------------------+-----------------------+

    So if my mom sends me an email from her company’s mis-configured server at masenc.com, it passes the “sender” test.

    If readers out there are interested in the details, I am happy to share them. Contact me at http://AlanPorter.com
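As an added example (my own code, not the commenter's and not Postfix's), the following Python emulates how Postfix consults a check_sender_access table like the one above, following the lookup order documented in access(5): the full address first, then the domain, then each parent domain, then the user@ form. With parent_domain_matches_subdomains at its default (which includes smtpd_access_maps) a bare domain key also matches its subdomains; with that setting removed, the subdomain form is ".domain.tld". The table contents here are constructed for the example and are not the commenter's data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sender access table (keys and actions invented for this example).
# Postfix acts on the first word of the action; the rest is reply text.
ACCESS_SENDER: Dict[str, str] = {
    "masenc.com": "OK Mom's office",
    "mx01.net": "REJECT spam",
    "tmio.com": "OK tmio",
    "baduser@gmail.edu": "REJECT Bad user",
    "newsletter@": "REJECT no bulk senders here",  # user@ form: any domain
}


def lookup_keys(sender: str, parent_matches_subdomains: bool = True) -> List[str]:
    """Keys tried, in order, for one sender address (access(5) EMAIL ADDRESS PATTERNS):
    user@domain, the domain, each parent domain, then user@.  When
    parent_domain_matches_subdomains does not cover smtpd access maps, parent
    domains are looked up in the '.domain.tld' form instead."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    keys = [sender]
    labels = domain.split(".") if domain else []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if i == 0 or parent_matches_subdomains:
            keys.append(parent)
        else:
            keys.append("." + parent)
    if local:
        keys.append(local + "@")
    return keys


def lookup(sender: str, table: Dict[str, str],
           parent_matches_subdomains: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """First matching (key, action) pair, or (None, None) when nothing matches."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


def decision(sender: str, table: Dict[str, str] = ACCESS_SENDER) -> str:
    """Action word Postfix would act on, or DUNNO to fall through to the next
    restriction in the list.  OK ends only the current restriction list."""
    _, action = lookup(sender, table)
    return action.split()[0].upper() if action else "DUNNO"


if __name__ == "__main__":
    for addr in ("mom@masenc.com", "bob@mail.tmio.com", "spam@mx01.net",
                 "newsletter@anything.example", "nobody@unknown.example"):
        key, _ = lookup(addr, ACCESS_SENDER)
        print(f"{addr:30} -> {decision(addr):6} (matched key: {key})")
```

The point of the ordering is that a specific entry such as baduser@gmail.edu is consulted before the domain entries, so a single address can be rejected while its domain stays acceptable, and a domain entry at the top of the list whitelists every subdomain without any wildcard syntax.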

  2. Mark, you might want to take a look at pilot.trilug.org, since it is pretty much set up the same way (because I set it up back in February). The main difference is that TriLUG uses text files instead of mysql tables. Normal (non-root) users should be able to read the config files, if I am not mistaken.
