Wagner, Patrick:
> Hello,
>
> I'm running a virus/spam checker mail server: clients point their MX records
> towards my server, my server checks the mail via content_filter script, and
> sends good mail towards the real mailserver by way of transport table
> lookup.
>
> My server is a CentOS 7.2 x64 server with the distro-supplied version of
> Postfix 2.10.1
>
> The server has reject_unverified_recipient in its
> smtpd_recipient_restrictions,
> so my server doesn't need to know about all the possible recipient
> addresses in advance.
> This works just fine for the vast amount of messages, but sometimes
> fails: the
> double-bounce probe gets rejected with a permanent 5xx error, but postfix
> nevertheless accepts and queues the mail, sends it to the content_filter
> script, which reinserts it into the queue, and the SMTP client, inevitably,
> gets the same 5xx error and we've got a bounce.
Short reply: what you see is the result of your configuration,
or your address verification database is corrupted.
Your Postfix SMTP daemon queries the address verification daemon
with reject_unverified_recipient.
You have "unverified_recipient_defer_code = 250". This means, among
other things, that reject_unverified_recipient will accept a recipient
if an address verification result is not available after
$address_verify_poll_count queries.
The default address_verify_poll_count value for Postfix 2.10 is:
address_verify_poll_count = ${stress?1}${stress:3}
Under overload conditions, the Postfix SMTP daemon makes only one
address verification query, and if the information is not already
in the address_verify_map, the Postfix SMTP daemon considers the
result as unavailable. With "unverified_recipient_defer_code = 250",
it will accept the recipient.
Under non-overload, the Postfix SMTP daemon will make up to three
queries, separated by $address_verify_poll_delay (default: three)
seconds. This means the Postfix SMTP daemon may be blocked for 6
seconds. That is OK when it is not under overload.
So there are two possible explanations:
1) Your SMTP server was recently under overload (look for "STRESS"
in the maillog file). To avoid accepting unverified mail under
overload, remove the "unverified_recipient_defer_code = 250" setting.
2) Your address_verify_map database is corrupted. Remove the .db
file, and execute "postfix reload".
Wietse
