Re: Restricting the scope of "success" notifications

Mon, 31 Jul 2017 05:55:17 -0700 


On Mon, 31 Jul 2017, Matus UHLAR - fantomas wrote:


On 31.07.17 09:16, Tomas Macek wrote:

Hello, our system is sometimes under attack of spammers using 
"NOTIFY=SUCCESS" param in "rcpt to: " header. And because of a random 
From address, the DSN message obviously goes to an nonexistent server 
or user.



I've read the "Restricting the scope of "success" notifications" topic at 
http://www.postfix.org/DSN_README.html#scope and I'd like to ask you about 
some details:



1) if I turn off the DSN for the networks outside of $mynetwork, do I 
understand it well, that we will not send them (to the outside world) any 
more DSNs with "user over quota" or "access denied"?

We won't be sending anything probably in that case, just asking to be sure.


Correct. DSN at SMTP level means that you take care of sending DSNs, missing
DSN will cause sender to issue DSNs by themselves.
Therefore your server will only send DSNs the old way - if it fails to
deliver message (or if the delay crosses delay_warning_time)


2) how much is it normal to turn off the DSN for outside world? What is 
your settings?


seems it will become much more common now, since many servers receive spam
of that kind.

I am trying to prevent notifications to messages considered spam but that

needs support from spam filter.  You can send NOTIFY= to filter over LMTP,
where filter would pass it back to postfix (over LMTP again).

If filter was able to strip NOTIFY=, we'd have fine control over when to
send notifications...

1. I don't know how effective would this be. Maybe we'd need to disable
    notifies at all.

2. seems that postfix 2.9 doesn't send NOTIFY=SUCCESS to LMTP filter, but
   sends notify imediately. 2.11 does not have this problem.
   see http://marc.info/?l=postfix-users&m=150107262526121&w=2


Thanks!
And what about to use a before-queue Milter? May it be helpful?

According to doc http://www.postfix.org/MILTER_README.html#limitations 
there is supposed to be a limitation if we use before-queue filters 
only and I don't have any.


The doc says:
---

When you use the before-queue content filter for incoming SMTP mail (see 
SMTPD_PROXY_README), Milter applications have access only to the SMTP 
command information; they have no access to the message header or body, 
and cannot make modifications to the message or to the envelope.

---

Is Milter able in that case modify headers?

Tomas























					Reply via email to