Hi Benny > > This causes Postfix to accept all emails which match this local mailbox > > regexp and make it believe to deliver them to /dev/null, which never > > happens as we will extract the real recipient from the SRS header with > > MIMEDefang. > > how does this prevent accept and bounce ? > how does it protect to not loose emails ? > why is this not the same as catch-all domain ? > > one day i begin to understand mimedefang, it takes time
Well we have a very complex set-up. One of the goals: * Minimize Backscatter (excessive backscatter could get your services blacklisted) I suppose you know, how SPF works and that therefore you cannot forward an email to a destination and leave the original sender intact. This is also bound to cause your server to generate backscatter in case the email cannot be delivered to the destination. So SRS is used to rewrite and sign the envelope sender. Of a reply (a bounce in most cases) is getting back to this SRS signed sender, the signature is verified to make sure it is legitimate and not somebody trying to just relay emails over your server. But still, this cases backscatter if your server (or the remote server) bounces emails which cannot be delivered. So how do we minimize the problem? SRS only encodes the original sender, not the forwarding mailbox. We encode the local recipient, which forwarded the email, into the SRS sender. So if we get a bounce back, we can decode this and get both informations: * Original Sender (to which we want to return the bounce) * Local Recipient with defunct forwarding. This allows us to count the bounces generated by a local recipient with a defunct forwarding. Of course, there are always reasons, why an email, even forwarded, does not reach the destination (server down etc). So we have to allow for a certain amount of bounces per day. But if a threshold is reached, we just stop accepting email for the local recipient and issue a message like "550 Forwarding Disabled because of bounces from far server". This prevents DDOS like attacks where the sender address is the email address of a victim, the destination is purposefully an address which generated delayed bounces, and the goal is to flood that victim's mailbox with those bounces (SPF cannot help in such a case and yes, we had such cases). So hopefully you understand what we are doing to try to fix design issues of the aging SMTP protocol :-) Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ _______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
