Re: Rejecting mail to unknown users
On 11.09.2013 16:52, Kris Deugau wrote:
> Mark Goodge wrote:
>> It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?
>
> Some idiot mail clients (*cough*ManyversionsofOutlook*cough*) don't actually display the SMTP error response to the user, they just pop up a generic Wahh! Can't do that! error message.
>
> Some users are also quite resistant to actually *reading* the text of the error (although these users will also have trouble with reading the bounce message).

Exactly!

On 11.09.2013 15:27, Wietse Venema wrote:
>> Thank you Wietse, that is what I was looking for! So, for now, my problem is solved. Just one more thing: Will this setting have some kind of (big) negative impact? I guess not, but just to be sure...
>
> Yes. When a client becomes malware infected, it will send spam with a false sender address, and Postfix will return some of that spam to innocent people.

Can you please explain how is this connected? If client is infected, it can send spam with false sender address no matter if sending to unknown recipients is enabled or disabled, if it has access to smtp (sasl_authenticated, etc.)?
Re: Rejecting mail to unknown users
Zel Uneec:
> On 11.09.2013 16:52, Kris Deugau wrote:
>> Mark Goodge wrote:
>>> It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?
>>
>> Some idiot mail clients (*cough*ManyversionsofOutlook*cough*) don't actually display the SMTP error response to the user, they just pop up a generic Wahh! Can't do that! error message.
>>
>> Some users are also quite resistant to actually *reading* the text of the error (although these users will also have trouble with reading the bounce message).
>
> Exactly!
>
> On 11.09.2013 15:27, Wietse Venema wrote:
>>> Thank you Wietse, that is what I was looking for! So, for now, my problem is solved. Just one more thing: Will this setting have some kind of (big) negative impact? I guess not, but just to be sure...
>>
>> Yes. When a client becomes malware infected, it will send spam with a false sender address, and Postfix will return some of that spam to innocent people.
>
> Can you please explain how is this connected? If client is infected, it can send spam with false sender address no matter if sending to unknown recipients is enabled or disabled, if it has access to smtp (sasl_authenticated, etc.)?

With the proposed modification, Postfix will not reject spam for an unknown recipient from a local or authenticated client, and will instead send a bounce message to the forged sender address.

Wietse
Rejecting mail to unknown users
Hello everyone!

I need your help setting up postfix.

This is my problem/question: I have multiple domains on my mail server running postfix (and dovecot), with LDAP based user accounts. When someone from outside (that is: not from my domains) sends mail to a user that does not exist, he gets a bounce message that the given mail account/user does not exist on server.

But, when someone from inside (from one of my domains) tries to send mail to non existing user, he is not able to send e-mail, and mail clients give him reject code (some with explanation that account/user does not exist, some with no explanation). What I want to do is to set postfix to let those inside mails pass too, and then receive bounce mail with note that user does not exist (that is, the same behavior as when someone from outside sends mail to non existing user).

I've tried numerous changes in main.cf, but could not achieve this behaviour. Is it even possible?

Thanks,
Zel
Re: Rejecting mail to unknown users
On 11/09/2013 12:23, Zel Uneec wrote:
> Hello everyone!
>
> I need your help setting up postfix.
>
> This is my problem/question: I have multiple domains on my mail server running postfix (and dovecot), with LDAP based user accounts. When someone from outside (that is: not from my domains) sends mail to a user that does not exist, he gets a bounce message that the given mail account/user does not exist on server.
>
> But, when someone from inside (from one of my domains) tries to send mail to non existing user, he is not able to send e-mail, and mail clients give him reject code (some with explanation that account/user does not exist, some with no explanation). What I want to do is to set postfix to let those inside mails pass too, and then receive bounce mail with note that user does not exist (that is, the same behavior as when someone from outside sends mail to non existing user).

It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?

As a general rule, sending a bounce is a last resort, something that you do when you can't reject a message. That's how the system is designed to work, and sending a bounce when you don't need to is generally considered bad practice.

Mark
--
My blog: http://mark.goodge.co.uk
Re: Rejecting mail to unknown users
On 11.09.2013 13:31, Mark Goodge wrote:
> It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?
>
> As a general rule, sending a bounce is a last resort, something that you do when you can't reject a message. That's how the system is designed to work, and sending a bounce when you don't need to is generally considered bad practice.
>
> Mark

This is why: previously we used qmail, but I decided to migrate to postfix+dovecot. On previous mail server installation (qmail) we had the behaviour I now want to achieve - bounce mails for everyone, not only outsiders, and thus no error message while trying to send to unknown user.

Particular problem: my boss (and his Mac Mail). :) My boss wants this functionality. With old mail server, he could send mail to numerous addresses, and if one of them does not exist, he would receive a bounce mail note for non existing user, but mails to valid users will be sent. Now, if he misspells only one address, the mail is not sent at all, nor even to valid addresses. That's how he sees it. No matter what I say and try to explain which is better and why. He wants the old functionality, as it is better for him.

So, here's one more additional question from me: why is it so problematic if inside (my domains) users send mails to non existing mail addresses? I assume this would not happen so often to have some impact on server. Much much more impact have outsider mails to non existing addresses.
Re: Rejecting mail to unknown users
On Wed, Sep 11, 2013 at 01:23:01PM +0200, Zel Uneec wrote:
> This is my problem/question: I have multiple domains on my mail server running postfix (and dovecot), with LDAP based user accounts. When someone from outside (that is: not from my domains) sends mail to a user that does not exist, he gets a bounce message that the given mail account/user does not exist on server.

No, not from your server, anyway. Your server rejects the mail from the remote client, and that MTA generates the bounce for their own user.

> But, when someone from inside (from one of my domains) tries to

From one of my domains? Do you mean from your networks?

> send mail to non existing user, he is not able to send e-mail, and mail clients give him reject code (some with explanation that account/user does not exist, some with no explanation). What I want to do is to set postfix to let those inside mails pass too, and then receive bounce mail with note that user does not exist

This is what happens if permit_mynetworks precedes any other restrictions you may have set.

> (that is, the same behavior as when someone from outside sends mail to non existing user).

No, it is not. But in effect it is similar, if their MTA sent a bounce. I guess that's what you mean?

> I've tried numerous changes in main.cf, but could not achieve this behaviour. Is it even possible?

Of course it is. But it is not possible to guess what you did.

http://www.postfix.org/DEBUG_README.html#mail
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: Rejecting mail to unknown users
/dev/rob0:
> On Wed, Sep 11, 2013 at 01:23:01PM +0200, Zel Uneec wrote:
>> This is my problem/question: I have multiple domains on my mail server running postfix (and dovecot), with LDAP based user accounts. When someone from outside (that is: not from my domains) sends mail to a user that does not exist, he gets a bounce message that the given mail account/user does not exist on server.
>
> No, not from your server, anyway. Your server rejects the mail from the remote client, and that MTA generates the bounce for their own user.
>
>> But, when someone from inside (from one of my domains) tries to
>
> From one of my domains? Do you mean from your networks?
>
>> send mail to non existing user, he is not able to send e-mail, and mail clients give him reject code (some with explanation that account/user does not exist, some with no explanation). What I want to do is to set postfix to let those inside mails pass too, and then receive bounce mail with note that user does not exist
>
> This is what happens if permit_mynetworks precedes any other restrictions you may have set.

It is slightly different. The user unknown test is enabled by default:

Built-in default:
    smtpd_reject_unlisted_recipient = yes

With this, there is an implicit reject_unlisted_recipient that is enforced for all clients.

To accept mail from local clients to unknown recipients, while blocking mail from remote clients to unknown recipients, you have to specify the reject_unlisted_recipient explicitly.

/etc/postfix/main.cf:
    smtpd_reject_unlisted_recipient = no
    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unlisted_recipient
        ...
        reject_unauth_destination
        ...

It is very easy to screw this up and become a backscatter source. That is why smtpd_reject_unlisted_recipient = no is not the default setting.

http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient
http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

Wietse
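
The effect of the setting discussed in this message, and the bounce consequence explained elsewhere in the thread, can be seen in a small model. This is an added example, not Postfix code and not something posted by anyone in the thread; the client classes, function names and the two restriction lists (the proposed one with its "..." placeholders left out) are assumptions made for illustration.

```python
"""Simplified model of Postfix RCPT TO handling for unknown recipients.
Added illustration, not Postfix source code."""

# The restriction list proposed in the thread, without the "..." placeholders.
PROPOSED = ["permit_mynetworks", "permit_sasl_authenticated",
            "reject_unlisted_recipient", "reject_unauth_destination"]
# The easy mistake: no explicit reject_unlisted_recipient in the list.
WITHOUT_EXPLICIT = ["permit_mynetworks", "permit_sasl_authenticated",
                    "reject_unauth_destination"]


def smtp_decision(restrictions, reject_unlisted_default, client, listed, hosted=True):
    """Return 'reject' or 'accept' for one RCPT TO command.

    client: 'mynetworks', 'sasl' or 'remote' (constructed client classes)
    listed: the recipient is found in the recipient maps
    hosted: the recipient domain is one this server accepts mail for
    """
    unknown = hosted and not listed
    for name in restrictions:                 # first decisive restriction wins
        if name == "permit_mynetworks" and client == "mynetworks":
            break
        if name == "permit_sasl_authenticated" and client == "sasl":
            break
        if name == "reject_unlisted_recipient" and unknown:
            return "reject"
        if name == "reject_unauth_destination" and not hosted:
            return "reject"
    # smtpd_reject_unlisted_recipient = yes is an implicit check for all
    # clients; a permit_* result above does not bypass it.
    if reject_unlisted_default and unknown:
        return "reject"
    return "accept"


def outcome(restrictions, reject_unlisted_default, client, listed):
    """What finally happens to mail addressed to a hosted domain."""
    if smtp_decision(restrictions, reject_unlisted_default, client, listed) == "reject":
        return "rejected in SMTP session"     # this server sends no bounce
    return "delivered" if listed else "bounce sent to envelope sender"


def backscatter_exposure(restrictions, reject_unlisted_default):
    """Client classes whose mail to unknown recipients is accepted, then bounced."""
    return [c for c in ("mynetworks", "sasl", "remote")
            if outcome(restrictions, reject_unlisted_default, c, listed=False)
            == "bounce sent to envelope sender"]


if __name__ == "__main__":
    cases = (("built-in default (= yes)", WITHOUT_EXPLICIT, True),
             ("= no, explicit check after permit_*", PROPOSED, False),
             ("= no, explicit check missing", WITHOUT_EXPLICIT, False))
    for label, rules, default in cases:
        print(f"{label}: bounces generated for {backscatter_exposure(rules, default)}")
```

The bounce goes to the envelope sender, so for every class listed in the second and third case a forged sender address turns the bounce into backscatter.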
Re: Rejecting mail to unknown users
On 11.09.2013 14:43, Wietse Venema wrote:
> /etc/postfix/main.cf:
>     smtpd_reject_unlisted_recipient = no
>     smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unlisted_recipient
>         ...
>         reject_unauth_destination
>         ...
>
> It is very easy to screw this up and become a backscatter source. That is why smtpd_reject_unlisted_recipient = no is not the default setting.

Thank you Wietse, that is what I was looking for! So, for now, my problem is solved.

Just one more thing: Will this setting have some kind of (big) negative impact? I guess not, but just to be sure...

Thank you, once again.

Cheers,
Zel
Re: Rejecting mail to unknown users
Zel Uneec:
> On 11.09.2013 14:43, Wietse Venema wrote:
>> /etc/postfix/main.cf:
>>     smtpd_reject_unlisted_recipient = no
>>     smtpd_recipient_restrictions =
>>         permit_mynetworks
>>         permit_sasl_authenticated
>>         reject_unlisted_recipient
>>         ...
>>         reject_unauth_destination
>>         ...
>>
>> It is very easy to screw this up and become a backscatter source. That is why smtpd_reject_unlisted_recipient = no is not the default setting.
>
> Thank you Wietse, that is what I was looking for! So, for now, my problem is solved.
>
> Just one more thing: Will this setting have some kind of (big) negative impact? I guess not, but just to be sure...

Yes. When a client becomes malware infected, it will send spam with a false sender address, and Postfix will return some of that spam to innocent people.

Wietse
Re: Rejecting mail to unknown users
Is there any way to control the malware infected computer, not to send more than counted or limited messages.

On Wed, Sep 11, 2013 at 6:57 PM, Wietse Venema wie...@porcupine.org wrote:
> Zel Uneec:
>> On 11.09.2013 14:43, Wietse Venema wrote:
>>> /etc/postfix/main.cf:
>>>     smtpd_reject_unlisted_recipient = no
>>>     smtpd_recipient_restrictions =
>>>         permit_mynetworks
>>>         permit_sasl_authenticated
>>>         reject_unlisted_recipient
>>>         ...
>>>         reject_unauth_destination
>>>         ...
>>>
>>> It is very easy to screw this up and become a backscatter source. That is why smtpd_reject_unlisted_recipient = no is not the default setting.
>>
>> Thank you Wietse, that is what I was looking for! So, for now, my problem is solved.
>>
>> Just one more thing: Will this setting have some kind of (big) negative impact? I guess not, but just to be sure...
>
> Yes. When a client becomes malware infected, it will send spam with a false sender address, and Postfix will return some of that spam to innocent people.
>
> Wietse
Re: Rejecting mail to unknown users
On 9/11/2013 9:18 AM, Vishal Agarwal wrote:
> Is there any way to control the malware infected computer, not to send more than counted or limited messages.

There are several policy services that implement rate limits. postfwd is one that is commonly used.

http://www.postfix.org/SMTPD_POLICY_README.html
http://www.postfix.org/addon.html#policy

-- Noel Jones
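
What such a policy service decides can be sketched against the request format described in SMTPD_POLICY_README. This is an added example, not postfwd and not code from anyone in the thread; the class and function names, the limit of 3 recipients per 60 seconds and the sample request are constructed for illustration.

```python
"""Rate-limit decision for the Postfix policy delegation protocol (added example)."""
from collections import defaultdict, deque

# Constructed request, in the name=value format a policy service receives.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=10.10.10.23\n"
    "sasl_username=\n"
    "sender=someone@example.org\n"
    "recipient=nobody@example.com\n"
    "\n"
)


def parse_request(text):
    """Return the attributes of one request (lines up to the first empty line)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class RcptRateLimiter:
    """Allow at most max_rcpts permitted recipients per client in a sliding window."""

    def __init__(self, max_rcpts, window_seconds):
        self.max_rcpts = max_rcpts
        self.window = window_seconds
        self.history = defaultdict(deque)   # client key -> times of permitted RCPTs

    def reply(self, attrs, now):
        """Return the policy reply text for one request at time `now` (seconds)."""
        if (attrs.get("request") != "smtpd_access_policy"
                or attrs.get("protocol_state") != "RCPT"):
            return "action=DUNNO\n\n"
        # Count per SASL login when present, otherwise per client IP address.
        key = attrs.get("sasl_username") or attrs.get("client_address", "unknown")
        stamps = self.history[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                # forget recipients outside the window
        if len(stamps) >= self.max_rcpts:
            return "action=DEFER_IF_PERMIT Recipient rate limit exceeded\n\n"
        stamps.append(now)
        return "action=DUNNO\n\n"


def replay(limiter, request_text, times):
    """Feed the same request at each timestamp; return the action lines."""
    attrs = parse_request(request_text)
    return [limiter.reply(attrs, t).splitlines()[0] for t in times]


if __name__ == "__main__":
    # Three recipients pass, the fourth is deferred, the window then reopens.
    for action in replay(RcptRateLimiter(3, 60), SAMPLE_REQUEST, [0, 1, 2, 3, 61]):
        print(action)
```

Postfix consults a service like this through a check_policy_service entry in the restriction list; a DUNNO reply lets the remaining restrictions decide.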
Re: Rejecting mail to unknown users
On 11.09.2013 16:52, Kris Deugau wrote:
> Mark Goodge wrote:
>> It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?
>
> Some idiot mail clients (*cough*ManyversionsofOutlook*cough*) don't actually display the SMTP error response to the user, they just pop up a generic Wahh! Can't do that! error message

iPhones do not show the errors at all as well as ignoring the 5xx response and try over months and weeks to send the same message every 5 minutes by stupidity

but that is no reason to generate bounces
Re: Rejecting mail to unknown users
Mark Goodge wrote:
> It might help if you explained why you want to do this. What particular problem is being caused by your internal users getting an error message instead of a bounce?

Some idiot mail clients (*cough*ManyversionsofOutlook*cough*) don't actually display the SMTP error response to the user, they just pop up a generic Wahh! Can't do that! error message.

Some users are also quite resistant to actually *reading* the text of the error (although these users will also have trouble with reading the bounce message).

-kgd
Problem with rejecting mail to unknown users
Hi.

I've got a problem I've been trying to solve for some time now, but I can't seem to get it to work.

I'm running Postfix on FreeBSD with Maildrop delivery, SASL authentication and PostgreSQL backend. However I'm sending tons of backscatter because Postfix doesn't reject mail for unknown local recipients.

I've tried setting local_recipient_maps and unknown_local_recipient_reject_code = 550 - Nothing seems to help though...

Anyone with some pointers as to where I should look for the error?

    # postconf -n
    alias_maps =
    broken_sasl_auth_clients = yes
    command_directory = /usr/local/sbin
    config_directory = /usr/local/etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10026
    daemon_directory = /usr/local/libexec/postfix
    data_directory = /var/db/postfix
    debug_peer_level = 2
    html_directory = /usr/local/share/doc/postfix
    in_flow_delay = 0
    local_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/local_recipient_maps
    mail_owner = postfix
    mailq_path = /usr/local/bin/mailq
    manpage_directory = /usr/local/man
    message_size_limit = 41943040
    mydestination =
    mynetworks = 10.10.10.0/24, 127.0.0.0/8
    newaliases_path = /usr/local/bin/newaliases
    proxy_interfaces = 194.255.69.21
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $smtp_sasl_password_maps
    queue_directory = /var/spool/postfix
    readme_directory = /usr/local/share/doc/postfix
    relay_domains = proxy:pgsql:/usr/local/etc/postfix/relaydomainmap
    relay_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/relayaliasmap
    sample_directory = /usr/local/etc/postfix
    sendmail_path = /usr/local/sbin/sendmail
    setgid_group = maildrop
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = pixelpoint.dk
    smtpd_sasl_path = smtpd
    smtpd_sender_login_maps = proxy:pgsql:/usr/local/etc/postfix/saslmap
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /usr/local/share/courier-imap/imapd.pem
    smtpd_tls_key_file = /usr/local/share/courier-imap/imapd.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_use_tls = yes
    transport_maps = proxy:pgsql:/usr/local/etc/postfix/mxmap
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/aliasmap
    virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/domainmap
    virtual_transport = maildrop

master.cf:

    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: man 5 master).
    #
    # ==
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==
    smtp      inet  n       -       n       -       -       smtpd
      -o content_filter=smtp-amavis:[127.0.0.1]:10024
      -o smtp_send_xforward_command=yes
    submission inet n       -       n       -       -       smtpd
    #  -o smtpd_enforce_tls=yes
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026
    #smtps    inet  n       -       n       -       -       smtpd
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #628      inet  n       -       n       -       -       qmqpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       n       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       n       -       -       smtp
      -o fallback_relay=
    #  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    retry     unix  -       -
Re: Problem with rejecting mail to unknown users
On 01.02.2012 11:09, Martin Kruse Jensen wrote:
> Hi.
>
> I've got a problem I've been trying to solve for some time now, but I can't seem to get it to work.
>
> I'm running Postfix on FreeBSD with Maildrop delivery, SASL authentication and PostgreSQL backend. However I'm sending tons of backscatter because Postfix doesn't reject mail for unknown local recipients.
>
> I've tried setting local_recipient_maps and unknown_local_recipient_reject_code = 550 - Nothing seems to help though...
>
> Anyone with some pointers as to where I should look for the error?
>
>     # postconf -n
>     local_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/local_recipient_maps

debug your local_recipient_maps

as long as your configuration does not handle this correctly unknown_local_recipient_reject_code is not part of the game because

a) 550 is default and
b) even if it would be any other status-code - if you are rejecting then you would not be a backscatter because you will never accept the message
Re: Problem with rejecting mail to unknown users
On 01-02-2012 11:48, Reindl Harald wrote:
> On 01.02.2012 11:09, Martin Kruse Jensen wrote:
>> Hi.
>>
>> I've got a problem I've been trying to solve for some time now, but I can't seem to get it to work.
>>
>> I'm running Postfix on FreeBSD with Maildrop delivery, SASL authentication and PostgreSQL backend. However I'm sending tons of backscatter because Postfix doesn't reject mail for unknown local recipients.
>>
>> I've tried setting local_recipient_maps and unknown_local_recipient_reject_code = 550 - Nothing seems to help though...
>>
>> Anyone with some pointers as to where I should look for the error?
>>
>>     # postconf -n
>>     local_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/local_recipient_maps
>
> debug your local_recipient_maps
>
> as long as your configuration does not handle this correctly unknown_local_recipient_reject_code is not part of the game because
>
> a) 550 is default and
> b) even if it would be any other status-code - if you are rejecting then you would not be a backscatter because you will never accept the message

Turns out all I needed was to set relay_recipient_maps - problem appears to be solved!
Re: Problem with rejecting mail to unknown users
On Wed, Feb 01, 2012 at 02:00:15PM +0100, Martin Kruse Jensen wrote:
> Turns out all I needed was to set relay_recipient_maps - problem appears to be solved!

Given the overall confusion of address classes in the postconf, including virtual_mailbox_domains being set without corresponding virtual_mailbox_maps, I am not at all confident that you have truly solved this. Sometimes relay_domains is set using the default of $mydestination

http://www.postfix.org/ADDRESS_CLASS_README.html

If further assistance is required, logs must be included:

http://www.postfix.org/DEBUG_README.html#mail
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
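
The address-class concern raised in this reply can be checked mechanically on `postconf -n` output. This is an added example, not code from the thread or from Postfix; the function names are assumptions, the sample input is an excerpt of the configuration posted earlier in this thread, and only classes whose domain list is explicitly set are examined (built-in defaults of the domain lists are not modelled).

```python
"""Check that each address class in `postconf -n` output has a recipient list.
Added example; parameter defaults below are the documented built-in values."""

# domain-list parameter -> (recipient-map parameter, built-in default of that map)
ADDRESS_CLASSES = {
    "mydestination": ("local_recipient_maps", "proxy:unix:passwd.byname $alias_maps"),
    "virtual_mailbox_domains": ("virtual_mailbox_maps", ""),
    "relay_domains": ("relay_recipient_maps", ""),
}

# Excerpt of the `postconf -n` output posted in the thread above.
POSTED_EXCERPT = """\
local_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/local_recipient_maps
mydestination =
relay_domains = proxy:pgsql:/usr/local/etc/postfix/relaydomainmap
relay_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/relayaliasmap
virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/aliasmap
virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/domainmap
"""


def parse_postconf(text):
    """Parse `name = value` lines; an empty value is kept as an empty string."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def unvalidated_classes(text):
    """Return domain-list parameters that are set while their recipient map is empty.

    With an empty recipient map Postfix has no list to check against, so it
    accepts every address in that class and can only bounce later.
    """
    settings = parse_postconf(text)
    findings = []
    for domains, (rcpt_map, default) in ADDRESS_CLASSES.items():
        if not settings.get(domains):
            continue          # unset or empty in postconf -n: not examined here
        # postconf -n omits parameters left at their default value.
        if not settings.get(rcpt_map, default):
            findings.append(domains)
    return findings


if __name__ == "__main__":
    for param in unvalidated_classes(POSTED_EXCERPT):
        print(f"{param} is set but {ADDRESS_CLASSES[param][0]} is empty")
```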