Postgrey and Recipient address rejected

[DMRDave]

Hello all,

I was hoping for some assistance with a problem that I'm having while implementing some anti-spam measures. I'm running the 5.05 network version, Ubuntu 6.06. I've followed the wiki article regarding installing postgrey, and have it working somewhat. I've also searched the forums for a few days while testing, but haven't found a solution, though after racking my brain, I think I've found the root of the issue.

The problem I'm seeing is that when a new, first-time outside account sends my zimbra server an initial message, that user receives the following message.

----- The following addresses had permanent fatal errors -----
<xxx@xxxxxx.com>
(reason: 550 <xxx@xxxxxx.com>: Recipient address rejected: dmrcom.com)

Then also get the 450 error stating that the recipient address is rejected and Greylisted.

DATA
<<< 450 4.7.1 <xxx@xxxxxx.com>: Recipient address rejected: Greylisted for 145 seconds (see Postgrey - Postfix Greylisting Policy Server)
<xxx@xxxxxx.com>... Deferred: 450 4.7.1 <xxx@xxxxxx.com>: Recipient address rejected: Greylisted for 145 seconds (see Postgrey - Postfix Greylisting Policy Server)
<<< 554 5.5.1 Error: no valid recipients
... while talking to mail.xxxxxx.com.:
DATA
<<< 550 <xxx@xxxxxx.com>: Recipient address rejected: dmrcom.com
550 5.1.1 <xxx@xxxxxx.com>... User unknown
<<< 554 Error: no valid recipients

The issue is that I have a secondary server (mail.xxxxxx.com) that I use for customer relay services only, with an MX record and priority of 20. My production server has an MX record priority of 10 (mail2.xxxxxx.com). What I think is happening is that the initial incoming request gets rejected by the production server with the greylisting message, then the incoming request hits the secondary server which has no accounts on it, hence generating the 550 error.

These are the posts that I followed up to this point:
Improving Anti-spam system - Zimbra :: Wiki
[SOLVED] I don't think RBLs or Bayes are working for me
[SOLVED] Frequently getting 450...address verification in progress

Does anyone have any ideas as to how I can configure my dns to not roll to the secondary (MX=20) server in order to no get the 550 message while greylisting? Regards and thank you in advance.

[DMRDave]

What I did at this point as a quick fix, is to remove the MX record (20) of my secondary server which is being used only as a relay server for customers in our network. I'll report back the results. I would still like to know if there are any suggestions as to DNS MX configuration in a multi-server environment for such a scenario.

[DMRDave]

Kinda fun having a conversation with myself online. But I digress...

Following up, removing the MX record wasn't a good idea because of the obvious reason that I need a valid MX record for this relay server to talk to the real world and deliver mail for customers. So what I've done at this point is to close port 25 access from the outside world to the relay server on our firewall. That way, any message bound for my the secondary MX record server (20) inbound from outside servers never gets to it's intended target, and messages are now coming through to my production server. Spam volume has decreased dramatically.

However, I'm still open to any suggestions as to DNS MX configuration in a multi-server environment for such a scenario (greylisting, relay, etc.)

[naeb]

How about defining the relay server as a MX record for a subdomain rather than your primary domain?

In DNS form:
example.com. IN MX 10 mail1.example.com.
relay.example.com. IN MX 10 mail2.relay.example.com.

I suppose this could potentially cause problems with reverse dns lookups, but it might be worth trying.

[DMRDave]

Appreciate the response. I'll investigate and test, but yes, I would be concerned about reverse lookups, which is why I added the mx record back in - in the first place.