Re: how to prevent a mail loop?

  • Victor Duchovni
    Message 1 of 27 , Dec 29, 2006
      On Fri, Dec 29, 2006 at 04:18:34PM -0500, Shaun T. Erickson wrote:

      > On 12/29/06, Victor Duchovni <Victor.Duchovni@...> wrote:
      > >On Fri, Dec 29, 2006 at 03:38:17PM -0500, Shaun T. Erickson wrote:
      > >
      > >> On 12/29/06, Noel Jones <njones@...> wrote:
      > >> >
      > >> >There have been some other reports of forged "Delivered-To:" headers
      > >> >on this list recently.
      > >>
      > >> Would the correct way to combat these, be to do a header check in my
      > >> smtpd_recipient_restrictions and reject any email that has a
      > >> Delivered-To: header in it?
      > >>
      > >
      > >No, you would get no mail from this list, but you could reject any
      > >mail that has:
      > >
      > > header-checks.pcre:
      > > /^Delivered-To: \S+@example\.com(?:\s|$)/ REJECT forgery
      > >
      > >provided that "example.com" is your domain, AND when mail is delivered
      > >to a user either no Delivered-To header is ever added, or the mail is
      > >never forwarded or resent out (mutt/pine/... users sometimes resend
      > >messages with all the original headers intact).
      >
      > I often do that via the redirect plugin I installed in Thunderbird.
      > But any mail I would redirect would get reinjected to postfix over the
      > submission port, which is configured thusly:
      >
      > submission inet n - n - - smtpd
      >   -o cleanup_service_name=pre-cleanup
      >   -o smtpd_sasl_type=dovecot
      >   -o smtpd_sasl_path=private/auth
      >   -o smtpd_sasl_authenticated_header=yes
      >   -o smtpd_sasl_auth_enable=yes
      >   -o smtpd_tls_security_level=encrypt
      >   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      >
      > which, if I understand it correctly, would skip the header check and
      > let it through, yes?

      But if the message comes back to your domain, you will reject it. You
      may want to strip Delivered-To: headers on the submission port. In any
      case think through the possible cases. Delivered-To is designed to
      break (terminate) forwarding loops (often .procmailrc driven). If you
      don't need it, you can disable it in various ways.

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
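
Added example (not part of the thread and not Postfix code): a Python sketch that approximates how the quoted header_checks rule treats a few constructed messages, including the resend caveat raised above. The sample addresses and helper names are assumptions, and Python's `re` stands in for Postfix's PCRE matching of one logical header at a time.

```python
import re

# Pattern from the thread; "example.com" stands in for your own domain.
# Postfix pcre tables match case-insensitively with DOTALL on by default.
FORGED = re.compile(r"^Delivered-To: \S+@example\.com(?:\s|$)",
                    re.IGNORECASE | re.DOTALL)

def logical_headers(raw):
    """Split the header block into logical headers, keeping folded lines together."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line  # continuation line
        else:
            headers.append(line)
    return headers

def rejected_header(raw):
    """Return the header the rule would REJECT on, or None if the message passes."""
    for header in logical_headers(raw):
        if FORGED.search(header):
            return header
    return None

# Constructed sample messages (all addresses are made up).
SAMPLES = {
    "forged_own_domain": "From: a@sender.test\nDelivered-To: bob@example.com\n\nhi\n",
    "list_mail": "Delivered-To: list@lists.test\nFrom: a@sender.test\n\nhi\n",
    "lookalike_domain": "Delivered-To: bob@example.com.evil.test\n\nhi\n",
    "subdomain": "Delivered-To: bob@mail.example.com\n\nhi\n",
    "lowercase_name": "delivered-to: BOB@EXAMPLE.COM\n\nhi\n",
    "only_in_body": "From: a@sender.test\n\nDelivered-To: bob@example.com\n",
    # A local user resending an old message with its headers intact looks
    # exactly like a forgery to this rule (the caveat raised in the thread).
    "resent_by_local_user": "Resent-From: bob@example.com\n"
                            "Delivered-To: bob@example.com\n\nhi\n",
}

def verdicts():
    """Map each sample name to True if the rule would reject it."""
    return {name: rejected_header(raw) is not None for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:22} {'REJECT' if hit else 'pass'}")
```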