On Sat, Dec 06, 2025 at 06:45:17PM -0500, Bill Cole via Postfix-users wrote:
> > Sorry, I missed that point. There were NO entries in the logs pertaining
> > to gmail failures.
>
> Which indicates that GMail didn't even connect to attempt a delivery.
>
> This suggests that the problem is in the DNS of the recipient domain(s),
> which I don't see stated clearly.
Quite possibly, though in that case:
- The bounce messages would usually be delayed (by a few days), as
  Google's servers repeatedly fail to resolve the MX RRset of the
  domain, or the IP addresses of the MX hosts.
- The bounce can be expected to mention failure to perform one of
  those DNS lookups.
> I don't see any problem with the relevant DNS for the visible domains. I
> don't see any reason for a sending server to not even attempt to give you
> mail for ssph.org.uk, bristolweb.net, or linkcheck.co.uk.
Some authoritative DNS servers have overly aggressive filters,
rate-limiting DNS queries from clients that at times block Google's
DNS from resolving the domain. So it is possible that the DNS issue
is client-netblock-specific.
FWIW, from MEL, Google's Quad8 DNS resolver can resolve the above
domains and their MX host.
> > smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
> > reject_unknown_client_hostname reject_unauth_pipelining
> > smtpd_data_restrictions = reject_unauth_pipelining, permit
Many rules, perhaps some are relevant, especially if, conversely, the
receiving server has trouble doing reverse resolution of Google's source
IPs.
> > smtpd_discard_ehlo_keywords = pipelining
This is not recommended.
> > smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
> > check_helo_access pcre:/etc/postfix/white_bypass.pcre
> > check_client_access cidr:/etc/postfix/ip_check_whitelist
> > reject_invalid_helo_hostname
> > reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> > check_client_access cidr:/etc/postfix/ip_check_blacklist
> > check_helo_access pcre:/etc/postfix/helo_checks.pcre
> > reject_unauth_pipelining permit
> > smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
> > unix:/var/run/opendmarc/opendmarc.sock,
> > unix:/var/run/spamass/spamass.sock,
> > unix:/var/run/clamav/clamav-milter.ctl
> > smtpd_recipient_restrictions = permit_mynetworks
> > permit_sasl_authenticated
> > reject_unauth_destination reject_non_fqdn_hostname
> > reject_non_fqdn_recipient
> > reject_unknown_recipient_domain reject_invalid_hostname
> > reject_unauth_pipelining reject_unverified_recipient
> > reject_unlisted_recipient check_recipient_access
> > pcre:/etc/postfix/recipient_checks.pcre check_policy_service
> > unix:private/policy-spf reject_rbl_client
> > zen.spamhaus.org=127.0.0.[2..11]
> > reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
> > reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
> > reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
> > warn_if_reject reject_rbl_client
> > zen.spamhaus.org=127.255.255.[1..255] permit
> > smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> > reject_unauth_destination
> > smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
> > reject_unauth_pipelining check_sender_mx_access
> > cidr:/etc/postfix/sender_mx_access check_sender_access
> > pcre:/etc/postfix/sender_whitelist.pcre reject_non_fqdn_sender
> > reject_unknown_sender_domain reject_unlisted_sender
> > check_sender_access pcre:/etc/postfix/sender_checks.pcre
> > smtpd_soft_error_limit = 4
This could be a bit too strict.
--
Viktor. 🇺🇦 Слава Україні!
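
The reverse-resolution point above can be checked in the receiving server's logs by client address rather than by name, since smtpd logs a client whose name cannot be verified as unknown[address]. The following is an added example, not code from the thread or from Postfix; the netblocks are an assumed sample of Google's published ranges and the log lines are constructed.

```python
import ipaddress
import re

# Assumption: sample netblocks from Google's published SPF records; refresh
# from the _netblocks*.google.com TXT records before relying on this list.
GOOGLE_NETS = [ipaddress.ip_network(n) for n in
               ("209.85.128.0/17", "74.125.0.0/16", "2a00:1450:4000::/36")]

# smtpd logs the client as name[address]; the name is "unknown" when the
# PTR lookup fails or the name does not map back to the address.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<what>connect|NOQUEUE: reject: \w+) from "
    r"(?P<name>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\](?:: (?P<reply>[^;]*);)?")

def is_google(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == n.version and ip in n for n in GOOGLE_NETS)

def google_sessions(lines):
    """Return {ip: {"names": set, "connects": int, "rejects": [reply, ...]}}."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not is_google(m["ip"]):
            continue
        rec = seen.setdefault(m["ip"], {"names": set(), "connects": 0, "rejects": []})
        rec["names"].add(m["name"])
        if m["what"] == "connect":
            rec["connects"] += 1
        else:
            rec["rejects"].append(m["reply"])  # SMTP reply text sent to the client
    return seen

# Constructed log lines (not from the thread), in Postfix's smtpd log format.
SAMPLE = """\
Dec  6 10:01:02 mx postfix/smtpd[2101]: connect from mail-wr1-f41.google.com[209.85.221.41]
Dec  6 10:05:40 mx postfix/smtpd[2107]: connect from unknown[209.85.128.52]
Dec  6 10:05:41 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[209.85.128.52]: 450 4.7.25 Client host rejected: cannot find your hostname, [209.85.128.52]; from=<sender@example.com> to=<user@example.org> proto=ESMTP helo=<mail-wm1-f52.google.com>
Dec  6 10:06:00 mx postfix/smtpd[2110]: connect from unknown[192.0.2.77]
""".splitlines()

if __name__ == "__main__":
    for ip, rec in google_sessions(SAMPLE).items():
        print(ip, sorted(rec["names"]), rec["connects"], rec["rejects"])
```

An address in these ranges that appears only with the name `unknown` and a 450 reply points at reverse resolution on the receiving side; no matching addresses at all is consistent with the sender never connecting.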