MTA bouncing valid email addresses as "undeliverable"

[zwvpadmin]

I was having some bad issues with spam. It was recommended that I check the following boxes in zimbraAdmin:

reject_unknown_client
reject_unknown_hostname
reject_unknown_sender_domain

I also added RBLs for:

zen.spamhaus.org
dnsbl.sorbs.net
b.barracudacentral.org

Spam stopped being a problem, BUT now we've little by little started bouncing valid vendors emails as "undeliverable"

This is a HUGE problem. So far its only about a dozen addresses, but seems to be growing quickly (only 6 last week).

using one of the problem email addresses ( _@crosbybrownlie.com), I've grep'd through logs and found:

/var/log/zimbra.log

Jan 8 09:10:15 mail postfix/smtpd[9804]: NOQUEUE: reject: RCPT from host-69-95-11-35.roc.choiceone.net[69.95.11.35]: 450 4.7.1 <CBSERVER.CBDOMAIN.local>: Helo command rejected: Host not found; from=<_@crosbybrownlie.com> to=<_@vpsupply.com> proto=ESMTP helo=<CBSERVER.CBDOMAIN.local>

Which appears several times for each attempt they've made to try again.

I've added the following rule to the /opt/zimbra/conf/salocal.cf.in:

whitelist_from *@crosbybrownlie.com

But it did not seem to affect the issue.

Is there a way to remedy this without turning off the reject rules? Hopefully one that does not require adding each domain to a safe list as I'm sure this problem will be reoccurring as time goes forward.

I need to get this figured out immediately, very large bids are being held up and we are risking loosing large accounts over it.

Thanks in advance for any help!

[Bill Brock]

The bounced message is coming from a server that is not RFC compliant. Either its response to the HELO command is not what their MX record says it should be or reverse DNS is incorrect. Probably the former. Zimbra is doing a DNS check as per the settings and the DNS response from the offending server is incorrect.

This is a big problem as a lot of mail admins setup their servers without bothering to read to RFC's that are pertinent.

These DNS checks stop probably 80% of the spam coming to my server since so much spam comes from botnets instead of actual mail servers.

Our company's CPA's mail was being bounced for this very reason. But his mail admin fixed their issues after I sent him a link from MS regarding this issue as it pertains to Exchange and customizing the HELO response.

I'm of the belief if their mail server isn't setup properly than their mail gets bounced - PERIOD. This is a decision you will have to make. Either turn of the DNS checks, or try to communicate with the mail admin of the offending server to fix his problem, or continue to have these mails bounce.

[Jbrabander]

We had to turn off reject_unknown_client and reject_unknown_hostname as it was blocking a lot of mail from legitimate vendors we deal with. (big name companies too!) And who knows how many customer emails we never received.

[uxbod]

You would certainly need to remove them as the sending MTA is using a suffix off .local Adding them into salocal.conf will not make a difference anyway as those reject lines are for Postfix which happens before SA even gets involved. The only way I can think of whitelisting them is to create a Postfix policy map and allow those domains to be received from.

[zwvpadmin]

How would I go about creating said map? This would be cumbersome but perhaps a good compromise.

Calling a dozen vendors to say "if you want to do business with us you have to let OUR IT guy tell YOUR IT guy he didn't pay attention in class" doesn't sound feasible.

I did a quick google search but didn't find anything like this.

[Bill Brock]

BIND 8 for NT

Postfix Configuration - UCE Controls