
291381 Re: Null sender address in NDR's

  • mouss
    Feb 14, 2013
      On 14/02/2013 16:03, James Day wrote:
      > Hello List,
      >
      > I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.
      >
      > A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered smtp.enta.net (which is running postfix).
      >
      > This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.
      >
      > The problem is that when the client's mail server sends an NDR the sender address is <> (i.e. NULL). The null sender address causes the message to be rejected with:
      >
      > 554+5.7.1+<>:+Sender+address+rejected:+Access+denied
      >
      > Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?

      null sender should be accepted. as of today, null sender is not (yet?)
      abused by spammers.

      and even if someday spammers decide to abuse it, we will setup simple
      content filtering rules (NDR is not supposed to use a "normal" From:
      address, etc etc).

      so I'd say: just allow the null sender for now.

      >
      > Or alternatively - and this is off topic for this list - is there a way to configure Microsoft Exchange 2003 to send NDR's with a different sender address?


      dunno. but if you can put a postfix in front of exchange, you could
      replace the null sender with specific address (of course, if you do so,
      make sure to discard mail to this address to avoid loops). of course,
      you should try to only do that for that specific ISP.

      >
      > And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).
      >

      yeah. but as long as you take care for auto-replies, you can replace the
      null sender with any specific address of yours (such as ndr@...)
      for which you never send bounces. not trivial, but you can do that.
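
An added illustration of the "just allow the null sender" suggestion above, not part of the original message and not the ISP's actual configuration (which is not shown in this thread): a Postfix sender access table can accept `<>` alongside the permitted customer domains. The file path `/etc/postfix/customer_senders` and the domain `customer.example` are assumptions.

```cfg
# /etc/postfix/main.cf (hypothetical relay-only smart-host fragment)
# Sender check: listed domains and the null sender pass, any other
# envelope sender is refused with "Sender address rejected: Access denied".
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/customer_senders,
    reject

# Lookup key used for the null sender in access tables.
# "<>" is the Postfix default; set here only to make the table entry explicit.
smtpd_null_access_lookup_key = <>

# Who may relay at all is still decided separately (for example by
# client address or SASL login) in the relay/recipient restrictions;
# the OK results below do not grant relay permission.

# /etc/postfix/customer_senders
# (assumed path; run "postmap /etc/postfix/customer_senders" after editing)
# customer.example is a placeholder for a domain the customer may send from.
customer.example    OK
<>                  OK
```

Because the `<>` entry only passes the sender check, a client that is not otherwise authorized to relay is still refused.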