[Mailman-Users] Problems with undeliverable mail

Michelle Brownsworth michelle at primelogic.com
Sun Dec 30 23:37:08 CET 2001 

>On Sat, 29 Dec 2001, Michelle Brownsworth wrote:
>>  >On Thu, 27 Dec 2001 14:06:53 -0800
>>  >Michelle Brownsworth <michelle at primelogic.com> wrote:
>>  >
>>  >>  My mailhost is chugging away, trying over and over to deliver to a
>>  >>  large batch of addresses with a .gov domain that doesn't resolve;
>>  >>  this particular .gov nameserver is obviously having problems.  And
>>  >>  it's not from the sendmail's mail queue; /var/spool/mqueue/ is
>>  >>  completely empty.  It's Mailman reattempting to send to the
>>  >>  problem addresses.
>>  >
>>  >Configure your MTA to not do DNS verifies on deliveries from
>>  >localhost.
>>
>>  But since none of the subscribers are local, I don't see how that
>>  will help in this situation.  And as I said, the batch of reattempts
>>  didn't seem to be coming from sendmail's mail queue.  The only
>>  explanation is that Mailman must have a means of keeping track of
>>  failed deliveries.
>
>Perhaps a re-phrasing: configure your MTA to blindly accept mail from
>localhost without verifying that the *destination* domain is valid.
>
>Many MTA configurations won't accept mail that they know they can't
>deliver - if the destination domain doesn't resolve, there's no point in
>accepting it. So the MTA reports, typically, a temporary SMTP error.
>
>Sounds like Mailman is trying, over and over, to get these messages into
>the MTA.
>
>If you instead configure your MTA to accept the message, it will accept it
>and immediately generate a bounce. Mailman does the right thing with
>bounces.
>
>Here's an example: my list of SMTPD restrictions from postfix. I reject
>mail for unknown recipient domains - but I have an exception list for my
>list servers. /etc/postfix/class_host_exception includes localhost and a
>few other machines that I let dump blindly into the system.
>
>smtpd_recipient_restrictions =
>         check_client_access hash:/etc/postfix/class_host_exception,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         reject_unauth_pipelining,
>         permit_mynetworks,
>         reject_unauth_destination,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_invalid_hostname,
>         permit
>
>This can also speed up injection into the MTA, if that's important to you.
>
>--
>Charlie Watts
>cewatts at frontier.net
>Frontier Internet
>http://www.frontier.net/


That makes good sense, Charlie.  Only problem is, I don't know how to 
accomplish it in sendmail without enabling FEATURE(relay_local_from), 
something I am loath to do for security reasons.  According to 
cf/README in the sendmail source:

   FEATURE(relay_local_from)
     Allows relaying if the domain portion of the mail sender
     is a local host. This should only be used if absolutely
     necessary as it opens a window for spammers. Specifically,
     they can send mail to your mail server that claims to be
     from your domain (either directly or via a routed address),
     and you will go ahead and relay it out to arbitrary hosts
     on the Internet.

If anyone on the list can tell me how to configure sendmail to accept 
mail from localhost without checking for a valid domain either 
without using FEATURE(relay_local_from) or using it without 
compromising security, I would greatly appreciate it.

.\\ichelle
---------------------
Michelle Brownsworth
System Administrator
PrimeLogic Corporation
http://www.primelogic.com

More information about the Mailman-Users mailing list