
bug report: Postfix reject email with valid SPF but unresolvable hostname #3716

Closed
1 task done
IIIlllIIllIIIll opened this issue Dec 22, 2023 · 6 comments
Labels
kind/bug/report A report about a bug meta/needs triage This issue / PR needs checks and verification from maintainers

Comments

@IIIlllIIllIIIll

IIIlllIIllIIIll commented Dec 22, 2023

Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

What Happened?

Postfix rejects email with valid SPF but an unresolvable hostname.

DNS records

SPF

root@server0:/# dig txt ire.barfoot.co.nz

; <<>> DiG 9.16.44-Debian <<>> txt ire.barfoot.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ire.barfoot.co.nz.             IN      TXT

;; ANSWER SECTION:
ire.barfoot.co.nz.      300     IN      TXT     "v=spf1 include:mailgun.org ~all"

;; Query time: 28 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 00:42:01 UTC 2023
;; MSG SIZE  rcvd: 90
root@server0:/# dig txt mailgun.org

; <<>> DiG 9.16.44-Debian <<>> txt mailgun.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18055
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mailgun.org.                   IN      TXT

;; ANSWER SECTION:
mailgun.org.            268     IN      TXT     "google-site-verification=FIGVOKZm6lQFDBJaiC2DdwvBy8TInunoGCt-1gnL4PA"
mailgun.org.            268     IN      TXT     "v=spf1 include:_spf.mailgun.org include:_spf.eu.mailgun.org -all"
mailgun.org.            268     IN      TXT     "8f7088gv5932jxw9lwwd1b6ttx2pw2ds"

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 00:42:45 UTC 2023
;; MSG SIZE  rcvd: 243
root@server0:/# dig txt _spf.mailgun.org

; <<>> DiG 9.16.44-Debian <<>> txt _spf.mailgun.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33877
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_spf.mailgun.org.              IN      TXT

;; ANSWER SECTION:
_spf.mailgun.org.       60      IN      TXT     "v=spf1 ip4:209.61.151.0/24 ip4:166.78.68.0/22 ip4:198.61.254.0/23 ip4:192.237.158.0/23 ip4:23.253.182.0/23 ip4:104.130.96.0/28 ip4:146.20.113.0/24 ip4:146.20.191.0/24 ip4:159.135.224.0/20 ip4:69.72.32.0/20" " ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:161.38.192.0/20 ip4:143.55.224.0/21 ip4:143.55.232.0/22 ip4:159.112.240.0/20 ip4:198.244.48.0/20 ip4:204.220.160.0/20 ~all"

;; Query time: 160 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 00:45:31 UTC 2023
;; MSG SIZE  rcvd: 432

A & AAAA

root@server0:/# dig a ire.barfoot.co.nz

; <<>> DiG 9.16.44-Debian <<>> a ire.barfoot.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61422
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ire.barfoot.co.nz.             IN      A

;; AUTHORITY SECTION:
barfoot.co.nz.          1074    IN      SOA     george.ns.cloudflare.com. dns.cloudflare.com. 2328629896 10000 2400 604800 1800

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 00:54:07 UTC 2023
;; MSG SIZE  rcvd: 110
root@server0:/# dig aaaa ire.barfoot.co.nz

; <<>> DiG 9.16.44-Debian <<>> aaaa ire.barfoot.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ire.barfoot.co.nz.             IN      AAAA

;; AUTHORITY SECTION:
barfoot.co.nz.          1800    IN      SOA     george.ns.cloudflare.com. dns.cloudflare.com. 2328629896 10000 2400 604800 1800

;; Query time: 56 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 00:54:35 UTC 2023
;; MSG SIZE  rcvd: 110

MX

root@server0:/# dig mx ire.barfoot.co.nz

; <<>> DiG 9.16.44-Debian <<>> mx ire.barfoot.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47845
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ire.barfoot.co.nz.             IN      MX

;; AUTHORITY SECTION:
barfoot.co.nz.          1800    IN      SOA     george.ns.cloudflare.com. dns.cloudflare.com. 2328629896 10000 2400 604800 1800

;; Query time: 20 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Dec 22 01:09:10 UTC 2023
;; MSG SIZE  rcvd: 110

Reproduction Steps

No response

DMS Version

v13.0.1

Operating System and Architecture

Linux 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 unknown unknown GNU/Linux

Container configuration files

No response

Relevant log output

Dec 10 21:36:47 server0 postfix/smtpd[1122872]: connect from rs238.mailgun.us[209.61.151.238]
Dec 10 21:36:49 server0 postfix/smtpd[1122872]: Anonymous TLS connection established from rs238.mailgun.us[209.61.151.238]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Dec 10 21:36:49 server0 postfix/smtpd[1122872]: NOQUEUE: reject: RCPT from rs238.mailgun.us[209.61.151.238]: 450 4.1.8 <bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz>: Sender address rejected: Domain not found; from=<bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz> to=<lbz@rivensbane.com> proto=ESMTP helo=<rs238.mailgun.us>
Dec 10 21:36:49 server0 postfix/smtpd[1122872]: disconnect from rs238.mailgun.us[209.61.151.238] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6


@IIIlllIIllIIIll IIIlllIIllIIIll added kind/bug/report A report about a bug meta/needs triage This issue / PR needs checks and verification from maintainers labels Dec 22, 2023
@IIIlllIIllIIIll IIIlllIIllIIIll changed the title bug report: Rejected email with valid SPF but unresolvable hostname bug report: Postfix reject email with valid SPF but unresolvable hostname Dec 22, 2023
@georglauterbach
Member

What Postfix does makes perfect sense: it rejects the from=<bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz> because ire.barfoot.co.nz has no valid A, AAAA or MX DNS entries associated, i.e. it does not seem to exist.

SPF does not change this fact, i.e. it is irrelevant here.

@IIIlllIIllIIIll
Author

Is it okay to reject an email that does not have a valid A, AAAA or MX record, even if the email passed the SPF check?

@georglauterbach
Member

You can probably change the Postfix configuration to accept such e-mails (don't ask me how though, the internet knows better which of the many options that is), but I highly recommend not disabling it! This check makes perfect sense, and I'd keep it.

@IIIlllIIllIIIll
Author

It seems that adding this line to postfix-main.cf will disable the check and accept such emails.
dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

@IIIlllIIllIIIll IIIlllIIllIIIll closed this as not planned Won't fix, can't repro, duplicate, stale Dec 22, 2023
@polarathene
Member

smtpd_sender_restrictions may be the one responsible, it becomes applicable when mail arrives due to smtpd_delay_reject=yes (default) I think:

Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions

SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with smtpd_delay_reject = yes, so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command.

reject_unknown_sender_domain
Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has
1) no DNS MX and no DNS A record, or
2) a malformed MX record such as a record with a zero-length MX hostname.

smtpd_sender_restrictions = $dms_smtpd_sender_restrictions

# Custom defined parameters for DMS:
dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain


It seems that adding this line to postfix-main.cf will disable the check and accept such emails.
dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

EDIT: Ah yeah... you already figured it out

It's a common enough issue, here's the same error with MailGun involved:

bpetetot/conference-hall#661 (comment)
INFURA/infura#136

Both resolved it by giving their domains an MX record. When it's a third-party out of your control, you'll need to drop the restriction.

The bounce is sent to MailGun as they're the MTA / relay service delivering the mail, and bounces are typically sent back to the MTA that delivered the mail (not to the VERP / Return-Path address, or the original sender address); the relay will then handle returning the bounce notification. So the MX record isn't relevant for the bounce, but it's probably why the bounce has happened in the first place (by failing this restriction check when delivering to DMS).

Quotes from cited links of prior paragraph

reject: RCPT from rs238.mailgun.us[209.61.151.238]: 450 4.1.8 <bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz>
Sender address rejected: Domain not found;
from=<bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz> to=<lbz@rivensbane.com>

If an SMTP server has accepted the task of relaying the mail and later finds that the destination is incorrect or that the mail cannot be delivered for some other reason, then it MUST construct an "undeliverable mail" notification message and send it to the originator of the undeliverable mail (as indicated by the reverse-path).

When bounces occur they are generally returned to the server that is sending the email, and do not follow the MX records.
That's why they are sent to the mailgun servers and also arrive there.

To tackle the issue, VERP was introduced. It includes the recipient's email in the return-path address.
For example, the VERP version of bounce-messageID@subdomain.bestcompanyever.com would be bounce-message+oliver.doe=example.com@subdomain.bestcompanyever.com.
Since the email address should contain only one at (@) sign, it's substituted with an equals (=) sign in the recipient's address.


I think this feature is for address verification which notes it is intended to reduce junk mail by rejecting a sender address that cannot be replied to. The link also mentions reject_unknown_sender_domain:

The reject_unknown_sender_domain restriction blocks mail from non-existent domains.
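
The two reject_unknown_sender_domain conditions quoted above, re-run against the log line from this report, as an added example that is not code from the docker-mailserver project or from Postfix. The DNS snapshot is constructed from the dig output in the issue; mx-only.example and bad-mx.example are hypothetical domains added to exercise the other branches, and counting AAAA alongside A as an address record is an assumption.

```python
import re
# DNS snapshot constructed from the dig output in this issue, plus two
# hypothetical domains that exercise the other branches of the check.
DNS = {
    "ire.barfoot.co.nz": {"TXT": ["v=spf1 include:mailgun.org ~all"]},  # SPF only, no MX/A
    "mx-only.example": {"MX": ["10 mail.mx-only.example."]},             # hypothetical
    "bad-mx.example": {"MX": ["0 ."]},                                   # hypothetical, empty MX host
}
def unknown_sender_domain(domain, dns=DNS):
    """Mirror reject_unknown_sender_domain: return (reject?, reason).
    Assumes A or AAAA both count as an address record; TXT/SPF is never consulted."""
    rr = dns.get(domain.lower().rstrip("."), {})
    mx = rr.get("MX", [])
    for entry in mx:
        host = entry.split()[-1] if entry.split() else ""
        if host in ("", "."):  # zero-length MX hostname
            return True, "malformed MX record"
    if not mx and not (rr.get("A") or rr.get("AAAA")):
        return True, "no MX and no A record"
    return False, "ok"
# Field layout of the smtpd NOQUEUE reject line quoted in the issue's log output.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<sender>[^>]*)>: (?P<reason>[^;]+);"
)
def parse_reject(line):
    """Return the fields of a NOQUEUE reject line (plus sender_domain), or None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sender_domain"] = d["sender"].rsplit("@", 1)[-1].lower()
    return d
def triage(lines, dns=DNS):
    """Re-run the check for each 4.1.8 reject so an operator sees which sender domains still lack MX/A."""
    out = []
    for r in filter(None, map(parse_reject, lines)):
        if r["dsn"] == "4.1.8":
            rejected, why = unknown_sender_domain(r["sender_domain"], dns)
            out.append((r["sender_domain"], r["ip"], rejected, why))
    return out
SAMPLE_LOG = [  # the reject line from this issue's log output, split for width
    "Dec 10 21:36:49 server0 postfix/smtpd[1122872]: NOQUEUE: reject: RCPT from "
    "rs238.mailgun.us[209.61.151.238]: 450 4.1.8 <bounce+05eba7.6384d-lbz=rivensbane.com"
    "@ire.barfoot.co.nz>: Sender address rejected: Domain not found; "
    "from=<bounce+05eba7.6384d-lbz=rivensbane.com@ire.barfoot.co.nz> to=<lbz@rivensbane.com> "
    "proto=ESMTP helo=<rs238.mailgun.us>",
]
```

A domain that only carries an SPF TXT record fails the check exactly as the maintainer describes, while a domain with just an MX passes; the SPF data never enters the decision.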

@GrantGryczan

GrantGryczan commented Mar 11, 2024

Just adding this for future readers interested in additional thoughts on potential rationale for this:

Mail servers without a PTR reverse DNS record to point from their IP to their canonical hostname are more likely to be considered spam. (In fact, Google and Yahoo now require mail servers over a certain volume to have valid PTR records.) And an IPv4 PTR record requires a mail server to have a corresponding A record, since PTR records are the reverse of A records. So a mail server configured perfectly for deliverability should have an A record (due to having a PTR record) and therefore pass the reject_unknown_sender_domain check.
