Reject Unknown Clients/Senders

[olluz]

I was playing around with those options and I've noticed that when enabled the message will ALWAYS be rejected the first time and afterwards accepted.
Is this the intended behaviour?

#1
2026-02-25T09:28:24.832248+01:00 pmg postfix/smtpd[11133]: connect from unknown[IP_SENDER]
2026-02-25T09:28:24.949216+01:00 pmg postfix/smtpd[11133]: Anonymous TLS connection established from unknown[IP_SENDER]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-25T09:28:25.078754+01:00 pmg postfix/smtpd[11133]: NOQUEUE: reject: RCPT from unknown[IP_SENDER]: 450 4.7.25 Client host rejected: cannot find your hostname, [IP_SENDER]; from=<EMAIL_SENDER> to=<EMAIL_RECEIVER> proto=ESMTP helo=<SERVER_SENDER>
2026-02-25T09:28:45.241716+01:00 pmg postfix/smtpd[11133]: disconnect from unknown[IP_SENDER] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7

#2
2026-02-25T09:28:49.480986+01:00 pmg postfix/smtpd[11133]: connect from SERVER_SENDER[IP_SENDER]
2026-02-25T09:28:49.587506+01:00 pmg postfix/smtpd[11133]: Anonymous TLS connection established from SERVER_SENDER[IP_SENDER]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-25T09:28:50.754922+01:00 pmg postfix/smtpd[11133]: B832228305: client=SERVER_SENDER[IP_SENDER]
2026-02-25T09:28:50.807306+01:00 pmg postfix/cleanup[11147]: B832228305: message-id=<MESSAGE_ID>
2026-02-25T09:28:50.862109+01:00 pmg postfix/qmgr[1010]: B832228305: from=<EMAIL_FROM>, size=94176, nrcpt=1 (queue active)
2026-02-25T09:28:50.929227+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: new mail message-id=<MESSAGE_ID>
2026-02-25T09:29:15.322760+01:00 pmg postfix/smtpd[11133]: disconnect from SERVER_SENDER[IP_SENDER] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2026-02-25T09:29:16.788895+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: SA score=5/5 time=25.810 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-3.989),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_REJECT(0.1),HTML_FONT_SIZE_HUGE(0.001),HTML_MESSAGE(0.001),KAM_BODY_MARKETINGBL_PCCC(0.001),KAM_DMARC_REJECT(7),KAM_EU(0.5),KAM_INFOUSMEBIZ(0.75),KAM_MARKETINGBL_PCCC(1),LOTS_OF_MONEY(0.001),POISEN_SPAM_PILL_3(0.1),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),T_KAM_HTML_FONT_INVALID(0.01),T_REMOTE_IMAGE(0.01),T_SPF_TEMPERROR(0.01)
2026-02-25T09:29:16.791449+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: modified header 'X-SPAM-LEVEL' for <EMAIL_RECEIVER> (rule: Modify Header)
2026-02-25T09:29:16.795518+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: moved mail for <EMAIL_RECEIVER> to spam quarantine - 28306699EB2DCC121B (rule: Quarantine/Mark Spam (Level 5))
2026-02-25T09:29:16.798943+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: processing time: 25.873 seconds (25.81, 0.046, 0)
2026-02-25T09:29:16.799603+01:00 pmg postfix/lmtp[11148]: B832228305: to=<EMAIL_RECEIVER>, relay=127.0.0.1[127.0.0.1]:10024, delay=27, delays=1.2/0.02/0.04/26, dsn=2.5.0, status=sent (250 2.5.0 OK (2817F699EB2C2E0E27))
2026-02-25T09:29:16.800212+01:00 pmg postfix/qmgr[1010]: B832228305: removed

 

[Onslow]

Hi, @olluz
It isn't very clear from the excerpts as you obfuscated them, but are you sure these two connections relate to the same triplet "client, sender, recipient"?

If the client's IP address was the same, it may mean that the first time the DNS lookup failed due to a temporary problem.

Similarly for the second option (unknown sender domain), though there is no example of it in your post.

In https://pmg.proxmox.com/pmg-docs/pmg.conf.5.html one can read:

rejectunknown: <boolean> (default = 0)
Reject unknown clients. (postfix option reject_unknown_client_hostname)

rejectunknownsender: <boolean> (default = 0)
Reject unknown senders. (postfix option reject_unknown_sender_domain)

The Postfix docs explain these options:

https://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

 

[olluz]

Thanks for the reply and sorry for redacting too much. Here is the log again (without obfuscation), that should make it clearer.

#1
2026-02-25T09:28:24.832248+01:00 pmg postfix/smtpd[11133]: connect from unknown[23.249.220.48]
2026-02-25T09:28:24.949216+01:00 pmg postfix/smtpd[11133]: Anonymous TLS connection established from unknown[23.249.220.48]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-25T09:28:25.078754+01:00 pmg postfix/smtpd[11133]: NOQUEUE: reject: RCPT from unknown[23.249.220.48]: 450 4.7.25 Client host rejected: cannot find your hostname, [23.249.220.48]; from=<0102019c93e9a2c4-083b1cd3-79db-4092-931f-a320e85409d6-000000@awsmail.immobilienscout24.de> to=<my@mail.com> proto=ESMTP helo=<d220-48.smtp-out.eu-west-1.amazonses.com>
2026-02-25T09:28:45.241716+01:00 pmg postfix/smtpd[11133]: disconnect from unknown[23.249.220.48] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7

#2
2026-02-25T09:28:49.480986+01:00 pmg postfix/smtpd[11133]: connect from d220-48.smtp-out.eu-west-1.amazonses.com[23.249.220.48]
2026-02-25T09:28:49.587506+01:00 pmg postfix/smtpd[11133]: Anonymous TLS connection established from d220-48.smtp-out.eu-west-1.amazonses.com[23.249.220.48]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-25T09:28:50.754922+01:00 pmg postfix/smtpd[11133]: B832228305: client=d220-48.smtp-out.eu-west-1.amazonses.com[23.249.220.48]
2026-02-25T09:28:50.807306+01:00 pmg postfix/cleanup[11147]: B832228305: message-id=<0102019c93ea412b-983369a4-eff0-446b-93c5-3b9c4a986cf8-000000@eu-west-1.amazonses.com>
2026-02-25T09:28:50.862109+01:00 pmg postfix/qmgr[1010]: B832228305: from=<0102019c93ea412b-983369a4-eff0-446b-93c5-3b9c4a986cf8-000000@awsmail.immobilienscout24.de>, size=94176, nrcpt=1 (queue active)
2026-02-25T09:28:50.929227+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: new mail message-id=<0102019c93ea412b-983369a4-eff0-446b-93c5-3b9c4a986cf8-000000@eu-west-1.amazonses.com>
2026-02-25T09:29:15.322760+01:00 pmg postfix/smtpd[11133]: disconnect from d220-48.smtp-out.eu-west-1.amazonses.com[23.249.220.48] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2026-02-25T09:29:16.788895+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: SA score=5/5 time=25.810 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-3.989),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_REJECT(0.1),HTML_FONT_SIZE_HUGE(0.001),HTML_MESSAGE(0.001),KAM_BODY_MARKETINGBL_PCCC(0.001),KAM_DMARC_REJECT(7),KAM_EU(0.5),KAM_INFOUSMEBIZ(0.75),KAM_MARKETINGBL_PCCC(1),LOTS_OF_MONEY(0.001),POISEN_SPAM_PILL_3(0.1),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),T_KAM_HTML_FONT_INVALID(0.01),T_REMOTE_IMAGE(0.01),T_SPF_TEMPERROR(0.01)
2026-02-25T09:29:16.791449+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: modified header 'X-SPAM-LEVEL' for <my@mail.com> (rule: Modify Header)
2026-02-25T09:29:16.795518+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: moved mail for <my@mail.com> to spam quarantine - 28306699EB2DCC121B (rule: Quarantine/Mark Spam (Level 5))
2026-02-25T09:29:16.798943+01:00 pmg pmg-smtp-filter[10734]: 2817F699EB2C2E0E27: processing time: 25.873 seconds (25.81, 0.046, 0)
2026-02-25T09:29:16.799603+01:00 pmg postfix/lmtp[11148]: B832228305: to=<my@mail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=27, delays=1.2/0.02/0.04/26, dsn=2.5.0, status=sent (250 2.5.0 OK (2817F699EB2C2E0E27))
2026-02-25T09:29:16.800212+01:00 pmg postfix/qmgr[1010]: B832228305: removed

It definitely is the same mail. It will always fail the first time and work the second time when the option is on:

Here is another example:
#1
2026-02-24T09:23:48.451480+01:00 pmg postfix/smtpd[32827]: connect from unknown[140.86.230.173]
2026-02-24T09:23:48.481413+01:00 pmg postfix/smtpd[32827]: Anonymous TLS connection established from unknown[140.86.230.173]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-24T09:23:48.543296+01:00 pmg postfix/smtpd[32827]: NOQUEUE: reject: RCPT from unknown[140.86.230.173]: 450 4.7.25 Client host rejected: cannot find your hostname, [140.86.230.173]; from=<info@mail.my.mediamarkt.de> to=<my@mail.com> proto=ESMTP helo=<omp.mail.my.mediamarkt.de>
2026-02-24T09:23:48.548086+01:00 pmg postfix/smtpd[32827]: disconnect from unknown[140.86.230.173] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

#2
2026-02-24T09:38:54.102927+01:00 pmg postfix/smtpd[33027]: connect from omp.mail.my.mediamarkt.de[140.86.230.173]
2026-02-24T09:38:54.137032+01:00 pmg postfix/smtpd[33027]: Anonymous TLS connection established from omp.mail.my.mediamarkt.de[140.86.230.173]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-02-24T09:38:55.453452+01:00 pmg postfix/smtpd[33027]: 6E98229473: client=omp.mail.my.mediamarkt.de[140.86.230.173]
2026-02-24T09:38:55.470970+01:00 pmg postfix/cleanup[32999]: 6E98229473: message-id=<0.1.B.C3F.1DCA566DCA6EA0C.0@omp.mail.my.mediamarkt.de>
2026-02-24T09:38:55.496999+01:00 pmg postfix/qmgr[18087]: 6E98229473: from=<info@mail.my.mediamarkt.de>, size=147560, nrcpt=1 (queue active)
2026-02-24T09:38:55.504364+01:00 pmg postfix/smtpd[33027]: disconnect from omp.mail.my.mediamarkt.de[140.86.230.173] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2026-02-24T09:38:55.548234+01:00 pmg pmg-smtp-filter[32525]: 29474699D639F83E80: new mail message-id=<0.1.B.C3F.1DCA566DCA6EA0C.0@omp.mail.my.mediamarkt.de>
2026-02-24T09:39:07.228368+01:00 pmg pmg-smtp-filter[32525]: 29474699D639F83E80: SA score=1/5 time=11.624 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.026),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),FROM_EXCESS_BASE64(0.001),HTML_FONT_SIZE_HUGE(0.001),HTML_MESSAGE(0.001),KAM_HUGEIMGSRC(0.2),KAM_REALLYHUGEIMGSRC(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_VALIDITY_SAFE_BLOCKED(0.659),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
2026-02-24T09:39:07.231179+01:00 pmg pmg-smtp-filter[32525]: 29474699D639F83E80: modified header 'X-SPAM-LEVEL' for <my@mail.com> (rule: Modify Header)
2026-02-24T09:39:07.232400+01:00 pmg postfix/smtpd[33009]: connect from localhost.localdomain[127.0.0.1]
2026-02-24T09:39:07.233941+01:00 pmg postfix/smtpd[33009]: 390FB29476: client=localhost.localdomain[127.0.0.1], orig_client=omp.mail.my.mediamarkt.de[140.86.230.173]
2026-02-24T09:39:07.235619+01:00 pmg postfix/cleanup[32999]: 390FB29476: message-id=<0.1.B.C3F.1DCA566DCA6EA0C.0@omp.mail.my.mediamarkt.de>
2026-02-24T09:39:07.281764+01:00 pmg postfix/qmgr[18087]: 390FB29476: from=<info@mail.my.mediamarkt.de>, size=149127, nrcpt=1 (queue active)
2026-02-24T09:39:07.282082+01:00 pmg postfix/smtpd[33009]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2026-02-24T09:39:07.282250+01:00 pmg pmg-smtp-filter[32525]: 29474699D639F83E80: accept mail to <my@mail.com> (390FB29476) (rule: default-accept)
2026-02-24T09:39:07.285116+01:00 pmg pmg-smtp-filter[32525]: 29474699D639F83E80: processing time: 11.739 seconds (11.624, 0.053, 0)
2026-02-24T09:39:07.285458+01:00 pmg postfix/lmtp[33000]: 6E98229473: to=<my@mail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=1.3/0/0.04/12, dsn=2.5.0, status=sent (250 2.5.0 OK (29474699D639F83E80))
2026-02-24T09:39:07.285823+01:00 pmg postfix/qmgr[18087]: 6E98229473: removed
2026-02-24T09:39:11.847594+01:00 pmg postfix/smtp[33010]: 390FB29476: to=<my@mail.com>, relay=192.168.3.40[192.168.3.40]:25, delay=4.6, delays=0.05/0/4.5/0.02, dsn=2.0.0, status=sent (250 OK)
2026-02-24T09:39:11.848081+01:00 pmg postfix/qmgr[18087]: 390FB29476: removed

 

[Onslow]

It definitely is the same mail.

In these particular two entries probably not. The senders are different.
In the first entry it is:

from=<0102019c93e9a2c4-083b1cd3-79db-4092-931f-a320e85409d6-000000@awsmail.immobilienscout24.de>

and in the second:

from=<0102019c93ea412b-983369a4-eff0-446b-93c5-3b9c4a986cf8-000000@awsmail.immobilienscout24.de>

Unless the sending software changes the sender's email address at every retry, these were different messages.

Anyway, the connecting clients were the same. Looks like for some reason your nameserver doesn't resolve quickly enough or if you have more than one nameserver, the first fails.

Maybe try (from the PMG command line) to ask for names of some IP addresses a few times in the row and can observe some pattern in the results and how quickly you get the results.

E.g.:
$ host 23.249.220.48
$ host 23.249.220.48
$ host 23.249.220.48

Etc.

Or rather some other IP address, because the already resolved one (due to earlier connection) may be cached.

Check what nameservers are in your /etc/resolv.conf (or whatever place systemd chooses in its current version ;-( )

Are the results better if you ask other nameservers, e.g. Cloudflare's:

$ host 23.249.220.48 1.1.1.1

If still not satisfactory, it may indicate some network / firewall problem. Just guessing, the reason can be other...

P.S. You'll get more verbose results using dig , e.g.:

$ dig 23.249.220.48

or to ask a specific nameserver:

$ dig @1.1.1.1 23.249.220.48