Specifying a transport for bounce messages

  • Jose Maria Sanchez de Ocana
    Message 1 of 3 , Oct 1, 2009
      My expertise with email servers & protocols is very limited. That
      being said, here is a problem I've been dealing with for a few hours
      now without finding a suitable solution:

      I run a box in Amazon's EC2, and I use postfix. In order to avoid
      being marked as a SPAM source because of EC2's IPs being dynamically
      assigned, I use AuthSMTP as a relay for my outbound email. My setup
      pretty much matches what is described at http://is.gd/3Qfay .

      Actually this is not true for ALL outbound emails. I actually love
      Gmail as a MUA, so I have most of my own domain's email accounts
      mapped to gmail accounts. For example, all incoming emails for my
      account myaccount@... are forwarded to myaccount@... .

      Thus, in order to save AuthSMTP quota, and since Gmail servers deal
      correctly with EC2 IPs (they don't take them for SPAM sources), I
      actually use the transport_maps directive as follows:

      [/etc/postfix/main.cf]:
      transport_maps = hash:/etc/postfix/transport

      [/etc/postfix/transport]:
      # Syntax: .domain transport:relay_host
      gmail.com smtp:
      * :

      If I got it right, this causes all emails bound for gmail.com accounts
      to be sent directly by postfix via SMTP, whereas all other emails will
      be sent through the AuthSMTP relay.

      OK, so now here is my problem: When my postfix receives a SPAM message
      bound for one of my accounts, this email is forwarded to gmail's SMTP
      server directly. But then gmail's SPAM filter rejects this message and
      here starts my problem. AFAIK what postfix should do is bounce the
      message to the SPAM source address.

      But according to my transport file, unless the SPAM source address is
      a gmail account, postfix will attempt to send the bounce through my
      AuthSMTP relay, and my AuthSMTP quota gets quickly exhausted with all
      these SPAM bounce messages.

      What I have done is I have included the following line in my main.cf file:
      soft_bounce = yes

      This prevents the bounces from being sent through AuthSMTP, but I can
      see them getting stacked in postfix's queue:

      root@mydomain:/etc/postfix# mailq
      -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
      233898A289 16603 Thu Oct 1 12:04:31 fahd@...
      (host gmail-smtp-in.l.google.com[209.85.212.99] said: 552-5.7.0 Our
      system detected an illegal attachment on your message. Please
      552-5.7.0 visit
      http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
      review our attachment guidelines. 39si713908vws.28 (in reply to end of
      DATA command))
      myaccount@...

      A04908A222 68107 Thu Oct 1 11:42:23 siliconet6@...
      (host gmail-smtp-in.l.google.com[209.85.212.20] said: 552-5.7.0 Our
      system detected an illegal attachment on your message. Please
      552-5.7.0 visit
      http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
      review our attachment guidelines. 28si15619914vws.148 (in reply to end
      of DATA command))
      myaccount@...


      I understand that this is not a real fix, and that after a time limit
      (default 5 days, I believe), postfix will eventually try to send those
      bounces through AuthSMTP anyway.

      Any ideas on how I should deal with these SPAM bounces in order to
      preserve my AuthSMTP quota?
      Is there any way I could force postfix to send bounces directly via
      SMTP instead of looking at my transport table?

      Many thanks,
      Jose
    • Wietse Venema
      Message 2 of 3 , Oct 1, 2009
        Jose Maria Sanchez de Ocana:
        > OK, so now here is my problem: When my postfix receives a SPAM message
        > bound for one of my accounts, this email is forwarded to gmail's SMTP
        > server directly. But then gmail's SPAM filter rejects this message and
        > here starts my problem. AFAIK what postfix should do is bounce the
        > message to the SPAM source address.

        The REAL mistake in your setup is that you forward SPAM into gmail.
        This causes gmail to treat your machine as a SPAMMER, and may affect
        legitimate mail that you do want to receive.

        You must NEVER bounce SPAM to the sender address, because in most
        cases that is not the sender.

        Wietse
      • Stan Hoeppner
        Message 3 of 3 , Oct 1, 2009
          Wietse Venema put forth on 10/1/2009 12:34 PM:

          > The REAL mistake in your setup is that you forward SPAM into gmail.
          > This causes gmail to treat your machine as a SPAMMER, and may affect
          > legitimate mail that you do want to receive.

          110% correct.

          > You must NEVER bounce SPAM to the sender address, because in most
          > cases that is not the sender.

          Exactly. Most MAIL FROM: addresses in spam are forged. Bouncing spam
          messages after you receive them merely creates outscatter
          http://en.wikipedia.org/wiki/Backscatter_(e-mail), and makes your MX a
          spam source in the eyes of receivers. You need to reject all spam (or
          as much as possible) at the inbound SMTP stage on your Postfix MX.

          Welcome to the world of spam fighting, Jose. It's probably as important
          as any other aspect of running an MX host in 2009 and beyond. You need
          to implement some basic anti spam/UCE controls on your Postfix MX asap.
          Adding the following to your main.cf and restarting Postfix would be a
          good place to start immediately:

          disable_vrfy_command = yes

          smtpd_client_restrictions =
              reject_unknown_reverse_client_hostname

          smtpd_helo_required = yes
          smtpd_helo_restrictions =
              reject_non_fqdn_helo_hostname,
              reject_invalid_helo_hostname,
              reject_unknown_helo_hostname

          smtpd_recipient_restrictions =
              permit_mynetworks,
              reject_unauth_destination,
              reject_rbl_client zen.spamhaus.org,
              reject_rbl_client dnsbl.sorbs.net,
              reject_rbl_client bl.spamcop.net,
              reject_rbl_client psbl.surriel.com

          This is just a basic setup and will help kill most of the spam you're
          currently receiving. As time passes and more spammers get ahold of the
          email addresses at your domain, you'll need to implement additional
          measures. There is plenty of Postfix antispam/UCE documentation
          available on the Postfix website and other places easily found with
          Google. There are also many antispam mailing lists you could join to
          gain knowledge and experience on the subject as well. Probably the
          first thing you should look at implementing is Postgrey:
          http://postgrey.schweikert.ch/

          If you can, install the version available through your operating
          system's package management system, instead of manually installing all
          the components from the Postgrey website.

          Hope this gets you off to a good start.

          --
          Stan
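
An added example, not part of any post in this thread: a small Python parser for `mailq` output like the listing in the first message. It separates entries the remote server refused with a 5xx reply (kept in the queue only because of soft_bounce) from ordinary 4xx deferrals, which shows how much backscatter is waiting to go out. The sample queue listing, addresses, hosts and function names are constructed for illustration.

```python
import re

# Constructed sample in mailq layout; addresses, hosts and IDs are placeholders.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E    16603 Thu Oct  1 12:04:31  forged-sender@example.com
(host mx.example.net[192.0.2.10] said: 552-5.7.0 Our system detected an
illegal attachment on your message. (in reply to end of DATA command))
                                         myaccount@example.net

2B3C4D5E6F     2048 Thu Oct  1 12:10:02  friend@example.org
(host mx.example.net[192.0.2.10] said: 451 4.3.0 Try again later (in reply
to end of DATA command))
                                         myaccount@example.net

-- 18 Kbytes in 2 Requests.
"""

# Queue ID (optionally flagged * or !), size, arrival time, envelope sender.
HEADER = re.compile(r"^(\w+)[*!]?\s+(\d+)\s+\w{3} \w{3}\s+\d+ [\d:]+\s+(\S+)$")
REPLY = re.compile(r"said: (\d{3})[ -]")  # first line of the remote SMTP reply


def parse_mailq(text):
    """Return one dict per queue entry: id, size, sender, reply code, recipients."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        # Drop blank lines, the column header and the trailing summary line.
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith("-")]
        head = HEADER.match(lines[0]) if lines else None
        if not head:
            continue
        # Recipients are indented single tokens; everything else is the reason.
        rcpts = [l.strip() for l in lines[1:] if l[0].isspace() and " " not in l.strip()]
        reason = " ".join(l.strip() for l in lines[1:] if l.strip() not in rcpts)
        code = REPLY.search(reason)
        entries.append({"id": head.group(1), "size": int(head.group(2)),
                        "sender": head.group(3), "recipients": rcpts,
                        "code": int(code.group(1)) if code else None})
    return entries


def held_bounces(entries):
    """Entries the remote server refused with 5xx: each becomes a bounce to the
    (probably forged) envelope sender once the queue lifetime expires."""
    return [e for e in entries if e["code"] is not None and 500 <= e["code"] < 600]


if __name__ == "__main__":
    for e in held_bounces(parse_mailq(SAMPLE_MAILQ)):
        print(e["id"], e["code"], "would bounce to", e["sender"])
```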