Thread: reject_unknown_sender_domain

  1. #1

    Hey everyone,
    I wanted to know how many people implemented this feature in Zimbra? We have had it implemented over the past couple months but have had numerous complaints from our clients that people are unable to email them. Most of the time it is due to Exchange hosts with internal addresses using that as their EHLO command, so we have had to take it off temporarily. It seems to keep a lot of spam from coming through though, so I wanted others' opinions and experiences with this option.
    Thanks

  2. #2

    OK, so should the Exchange postmasters sort their systems out. I use this in all my installations, with or without Zimbra, and have no problems. I do appreciate, though, that you are getting negative vibes from your clients, hence raising the question. Spam is a nightmare, and anything that can help to reduce it does sometimes mean legitimate emails do get stopped. A lot of the time this is due to misconfiguration of the remote MTA. I use whitelisting a lot, but ensure my database is fully populated with known hosts first, before it goes live. It is a fine line, but at the end of the day email is not a guaranteed delivery service anyway.
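
Added example, not part of the thread: a small Python tally of Postfix `reject_warning` log lines, for running the checks discussed here in log-only mode (Postfix's `warn_if_reject` prefix) and seeing which senders each one would have blocked before enforcing it. The log lines are constructed, and the mapping from reply text to restriction name is an assumption based on Postfix's usual messages.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines modelled on the "reject_warning" entries Postfix
# writes when a restriction is prefixed with warn_if_reject (log, don't reject).
SAMPLE_LOG = """\
Jan 10 09:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.corp.local>: Helo command rejected: Host not found; from=<pm@partner.example> to=<bob@client.example> proto=ESMTP helo=<exch01.corp.local>
Jan 10 09:14:40 mx postfix/smtpd[2140]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.corp.local>: Helo command rejected: Host not found; from=<cfo@partner.example> to=<bob@client.example> proto=ESMTP helo=<exch01.corp.local>
Jan 10 09:20:11 mx postfix/smtpd[2155]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.1.8 <promo@nxdomain.invalid>: Sender address rejected: Domain not found; from=<promo@nxdomain.invalid> to=<bob@client.example> proto=SMTP helo=<203.0.113.5>
Jan 10 09:31:57 mx postfix/smtpd[2170]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<sales@vendor.example> to=<alice@client.example> proto=ESMTP helo=<mail.vendor.example>
Jan 10 09:32:03 mx postfix/smtpd[2170]: disconnect from unknown[198.51.100.7]
"""

LINE_RE = re.compile(
    r"reject_warning: \w+ from \S+?\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ (?:<[^>]*>: )?"
    r"(?P<what>Helo command|Sender address|Client host) rejected: (?P<reason>[^;]+);"
    r" from=<(?P<sender>[^>]*)>.* helo=<(?P<helo>[^>]*)>"
)

# Assumed mapping from Postfix's usual reply text to the restriction behind it.
CHECKS = {
    ("Helo command", "Host not found"): "reject_unknown_helo_hostname",
    ("Sender address", "Domain not found"): "reject_unknown_sender_domain",
    ("Sender address", "need fully-qualified address"): "reject_non_fqdn_sender",
    ("Client host", "cannot find your hostname"): "reject_unknown_client_hostname",
}

def tally(log_text):
    """Group would-be rejections by restriction and by the value that failed."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reason = m["reason"].split(",")[0].strip()
        check = CHECKS.get((m["what"], reason), "other")
        # Each check inspects a different part of the SMTP session.
        if m["what"] == "Helo command":
            key = m["helo"]                        # EHLO/HELO argument
        elif m["what"] == "Sender address":
            key = m["sender"].rpartition("@")[2]   # MAIL FROM domain
        else:
            key = m["ip"]                          # connecting client IP
        hits[check][key] += 1
    return hits

if __name__ == "__main__":
    for check, values in tally(SAMPLE_LOG).items():
        for value, count in values.most_common():
            print(f"{check:32} {value:24} {count}")
```

The per-check keys in the output are the values a whitelist entry for that check would need to match.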

  3. #3

    I will try to contact the company whose internal server does not show up with a DNS A record. They have to go through a public IP somewhere. And if they will set an A record matching the name returned for the HELO command to the external IP where the mail hits the Internet, I have found it to work, especially with a one-to-one NAT. If they don't want to take the time to do that, then I just reject them and explain to my customers that the sender isn't following RFCs for mail servers.

    This madness of people setting up mail servers and not following all RFCs has got to stop, in my opinion.

  4. #4

    I would love to reject their email because they do not follow RFC standards; however, that would be absolutely unacceptable to my clients, considering they were waiting on information for very large and well financed projects.

    As a temporary workaround, I added the host name to /etc/hosts and then contacted the respective MTA admins.
    Some have complied, others have told me to go %$#^ myself.

  5. #5

    I tried adding to the hosts file, to no avail. Possibly because there was no MX record.

    I manage my own DNS, and so, for one sender only, I added a zone to my DNS server with the proper entries. I only did this for one domain, as it was the CPA for my company. To do this on a large scale would simply be impossible and impractical. But it worked. The rest are simply being rejected.

    After explaining to users of my hosted domains and showing them e-mails from those refusing to fix the issue, it quieted them down. Most agreed to fix their MX records and A records to solve the issue, however. One took a letter to the CEO of his company. I think when the CEO realized his IT department wasn't doing their job, things were fixed.

    It's unfortunate that there are IT personnel who either don't care enough or don't know enough to do their mail servers properly. But there are a lot of them.

  6. #6

    Quote: Originally Posted by reza225
    Hey everyone,
    I wanted to know how many people implemented this feature in Zimbra? We have had it implemented over the past couple months but have had numerous complaints from our clients that people are unable to email them. Most of the time it is due to Exchange hosts with internal addresses using that as their EHLO command, so we have had to take it off temporarily. It seems to keep a lot of spam from coming through though, so I wanted others' opinions and experiences with this option.
    Thanks

    In the ZCS Admin Console we implement:

    reject_non_fqdn_sender
    reject_unknown_sender_domain

    and have had zero complaints from customers.

    Implementing any of the other Protocol Checks and DNS Checks in the ZCS Admin Console generates a lot of customer complaints from "legitimate" email being blocked.

    There are just too many "big gorilla" legitimate email servers out there that are "misconfigured" in that they are not configured to be in strict compliance with the RFCs.

    Such is life...

    Mark

  7. #7

    Quote: Originally Posted by LMStone
    In the ZCS Admin Console we implement:

    reject_non_fqdn_sender
    reject_unknown_sender_domain

    and have had zero complaints from customers.

    I observed the same thing: checking reject_non_fqdn_sender and reject_unknown_sender_domain is OK; checking the others as well starts to create issues with incoming mail "going missing".

    Quote: Originally Posted by LMStone
    Implementing any of the other Protocol Checks and DNS Checks in the ZCS Admin Console generates a lot of customer complaints from "legitimate" email being blocked.

    There are just too many "big gorilla" legitimate email servers out there that are "misconfigured" in that they are not configured to be in strict compliance with the RFCs.

    Such is life...

    Mark

    Interestingly, even mail from the Zimbra support portal and Zimbra.com sales staff addresses "disappears" when I check all these options. Aren't the Zimbra sales people on a properly configured Zimbra server?

  8. #8

    Quote: Originally Posted by centrex
    I observed the same thing: checking reject_non_fqdn_sender and reject_unknown_sender_domain is OK; checking the others as well starts to create issues with incoming mail "going missing".

    Interestingly, even mail from the Zimbra support portal and Zimbra.com sales staff addresses "disappears" when I check all these options. Aren't the Zimbra sales people on a properly configured Zimbra server?

    Zimbra is currently experiencing some difficulty with our Reverse Lookup Records, which should be resolved by the end of the week. Sorry for the trouble.

  9. #9

    Quote: Originally Posted by jholder
    Zimbra is currently experiencing some difficulty with our Reverse Lookup Records, which should be resolved by the end of the week. Sorry for the trouble.

    Ah, that drove the poor sales guy insane. I had placed an order for ZCS NE and never heard back from him... or so I thought.

    I sent him half a dozen follow-up e-mails over the next ten days and never got a reply.

    Finally, we reached each other on the phone and it turns out that e-mails generated by the support portal as well as e-mails he had sent to me from his zimbra.com address were all filtered by my Zimbra server until I disabled most of the protocol checks.

    For a second I thought "Oh my god, are these guys using Exchange??"
