On 07/12/2025 6:16 am, Viktor Dukhovni via Postfix-users wrote:

On Sat, Dec 06, 2025 at 06:45:17PM -0500, Bill Cole via Postfix-users wrote:

Sorry, I missed that point. There were NO entries in the logs pertaining
to gmail failures.

Which indicates that GMail didn't even connect to attempt a delivery.
This suggests that the problem is in the DNS of the recipient domain(s),
which I don't see stated clearly.

Quite possibly, though in that case:

- The bounce messages would usually be delayed (by a few days), as
  Google's servers repeatedly fail to resolve the MX RRset of the
  domain, or the IP addresses of the MX hosts.
- The bounce can be expected to mention failure to perform one of
  those DNS lookups.

See earlier posting.

Some authoritative DNS servers have overly aggressive filters,
rate-limiting DNS queries from clients that at times block Google's
DNS from resolving the domain. So it is possible that the DNS issue
is client-netblock-specific.

I have passed this to my hosting provider for comment. Thanks.

smtpd_discard_ehlo_keywords = pipelining

This is not recommended.

I put this in a few years back on someone's recommendation. Now removed.

What about...
smtpd_forbid_unauth_pipelining = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/white_bypass.pcre
    check_client_access cidr:/etc/postfix/ip_check_whitelist
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
    check_client_access cidr:/etc/postfix/ip_check_blacklist
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    reject_unauth_pipelining permit
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
    unix:/var/run/opendmarc/opendmarc.sock,
    unix:/var/run/spamass/spamass.sock,
    unix:/var/run/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination reject_non_fqdn_hostname
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain reject_invalid_hostname
    reject_unauth_pipelining reject_unverified_recipient
    reject_unlisted_recipient check_recipient_access
    pcre:/etc/postfix/recipient_checks.pcre check_policy_service
    unix:private/policy-spf reject_rbl_client
    zen.spamhaus.org=127.0.0.[2..11]
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
    warn_if_reject reject_rbl_client
    zen.spamhaus.org=127.255.255.[1..255] permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_pipelining check_sender_mx_access
    cidr:/etc/postfix/sender_mx_access check_sender_access
    pcre:/etc/postfix/sender_whitelist.pcre reject_non_fqdn_sender
    reject_unknown_sender_domain reject_unlisted_sender
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
smtpd_soft_error_limit = 4

This could be a bit too strict.

Possibly but it's worked for years. If gmail has upped its "security" is
there anything there that may affect things?