Sender verify failed

Questions and answers about how to do stuff
Post Reply
zthephoenixz
Posts: 26
Joined: 28 May 2015 01:55

Sender verify failed

Post by zthephoenixz »

Hi, I apologize if i missed a How-to that already fixes my issue, I couldn't find it.

My Setup is Exchange server behind a EFA virtual machine to the rest of the world. We have 1 supplier in another country that has Sender verify turned on so whenever we try and send them an email the email bounces with "550-No Such User Here 550 Sender verify failed".

Already talked to the supply and their IT support won't whitelist us so I have to fix it at this end (first time in 10+ years I have found someone that actually uses this feature). I am not a massive postfix expert and can't seem to find the right documentation to try and create a db that will answer their server requests, "is this email real".

Please any assistance would be appreciated.

James.
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Sender verify failed

Post by pdwalker »

Verify the email address you are sending to. Is the address correct? Do all emails to that domain get rejected with the same error, or only that particular email address? Can you send email to that address from another domain, like gmail or some other mail provider?
zthephoenixz
Posts: 26
Joined: 28 May 2015 01:55

Re: Sender verify failed

Post by zthephoenixz »

I tested their email addresses/domain from gmail and hotmail and all went through, it is my end that isn't answering the probe and getting my domain a 550 error.

I already cache my email/proxy addresses from my exchange box to EFA I just need the EFA box to respond to the probe properly.
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Sender verify failed

Post by pdwalker »

Interesting. I've not heard of this feature before, so I've been reading up on it; https://infogalactic.com/info/Callback_verification

Apparently, this seems like a bad idea and I think I have to agree. However, since they are doing it, you're going to have to live with their not-very-wise mail server implementation.

So, you send mail to this domain, and they attempt to validate the sending (your) address and that check is failing.

Why is this check failing then? Is the From: email address not a valid email address on your system? Can you mail from an external party to this address and is properly accepted and delivered?

Can you capture the smtp conversation between your efa server and their mail server so we can see exactly what is happening? Look under Process in the infogalactic link. Can you test that bit of the conversation and see how your efa responds?

I wonder if greylisting is causing the upstream mail server to fail the verification check? Maybe you could try whitelisting their domain so the greylisting doesn't happen - hopefully causing your postfix to pass their sending verification check.

Let me know what you find out.
zthephoenixz
Posts: 26
Joined: 28 May 2015 01:55

Re: Sender verify failed

Post by zthephoenixz »

Totally I agree, it is the only time i have every come across a domain that has Sender Verification enabled and a requirement to receive the email, it is nasty little security whole which would allow a spammer bot to fish for valid email addresses. It is probably why, by default efa/postfix has disable_vrfy_command = yes so postfix denies verify requests.

Changed it to no so it would accept vrfy commands and I have a perl script that keeps the recipient list updates out of my AD regularly, I have tested and vrfy commands come back with the standard 252 (hand it over and I will try and deliver it) instead of a hard 550. Thing is it still bounces with the same error.

I can email the remote domain from hotmail/gmail without issue even though their servers give the same 252 code when a vrfy is done (which i think their IT has exceptions in place). Their end seems to be using exim with every thing turned on.

Whitelisted their servers, it isn't the greylisting causing the issue as vrfy happens before the other end is told they are greylisted and come back in 5 minutes.

I was trying to avoid putting verbose logging on postfix due to the volume of email we receive, might have to do it at 1am so the volume is low.

A perfect solution would be to have postfix reply 250 to all vrfy requests and then when email is attempted to be delivered, bounce it. But i suppose that is then circumventing a "security" feature in the very loose sense.
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Sender verify failed

Post by pdwalker »

The problem currently is that we don't know why they are rejecting your messages, beyond the vague, "we cannot verify the sender address".

Capturing the logging, or even smtp traffic between the two servers when it happens may give us the clue we need to find a solution to your problem.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sender verify failed

Post by henk »

Somehow its difficult to understand the nature of this issue, is it you, the supplier or both?
I have a perl script that keeps the recipient list updates out of my AD regularly,
So there is no issue in missing recipients due the update interval?
I assume ( there we go again :roll:) you did read/try http://www.postfix.org/ADDRESS_VERIFICATION_README.html
I already cache my email/proxy addresses from my exchange box to EFA
and the caching part? http://www.postfix.org/ADDRESS_VERIFICA ... ml#caching
See timeouts and the controlling the routing of address verification probes.

Bad option: You could overrule the unverified_sender_reject_code to 250 for all vrfy requests from that specific domain.

You already did propose swithing supplier? :lol:
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Sender verify failed

Post by pdwalker »

henk wrote: 28 May 2018 22:30Bad option: You could overrule the unverified_sender_reject_code to 250 for all vrfy requests from that specific domain.
Maybe not such a bad idea. Try it and see if it resolves the problem first.
Post Reply