Null sender address in NDR's

  • James Day
    Message 1 of 13 , Feb 14, 2013
      Hello List,

      I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.

      A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered smtp.enta.net (which is running postfix).

      This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.

      The problem is that when the client's mail server sends a NDR the sender address is <> (ie NULL). The null sender address causes the message to be rejected with:

      554+5.7.1+<>:+Sender+address+rejected:+Access+denied

      Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?

      Or alternatively - and this is off topic for this list - is there a way to configure Microsoft exchange 2003 to send NDR's with a different sender address.

      And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).

      Kind regards,

      James Day
      (IT Engineer)
    • Viktor Dukhovni
      Message 2 of 13 , Feb 14, 2013
        On Thu, Feb 14, 2013 at 03:03:23PM +0000, James Day wrote:

        > A customer of mine is using a smart host provided by their ISP
        > through which all outbound mail is delivered smtp.enta.net (which
        > is running postfix).

        This ISP's outbound relay is a submission service that is *only* suitable
        for relaying email from MUAs.

        > The problem is that when clients mail server sends a NDR the
        > sender address is <> (ie NULL). The null sender address causes the
        > message to be rejected with:

        The relay does not support MTAs.

        > Is there a sensible way to configure postfix to allow these
        > messages with null sender addresses to be relayed without opening
        > the smart host up to exploitation?

        Sending bounces is not "exploitation", but the "smart host" (really
        submission service) policy is up to the ISP. Ask them.

        > Or alternatively - and this is off topic for this list - is there
        > a way to configure Microsoft exchange 2003 to send NDR's with a
        > different sender address.

        NO. Bounces MUST be sent with a null sender address. Otherwise,
        bounces would elicit bounces in return creating mail loops, sometimes
        exponentially growing, if a message elicits multiple non-delivery
        reports.

        The solution is to use a relay that permits bounces. Either the ISP
        relaxes their policies, or a different relay must be found.

        > And before anyone comments, yes I know this isn't best practice
        > as NDR's should have null sender addresses to stop loops (bouncing
        > bounce-backs!).

        Not "should", MUST. Not "isn't best practice", rather prohibited.

        --
        Viktor.
      • Robert Schetterer
        Message 3 of 13 , Feb 14, 2013
          Am 14.02.2013 16:03, schrieb James Day:
          > Hello List,
          >
          > I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.
          >
          > A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered smtp.enta.net (which is running postfix).
          >
          > This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.
          >
          > The problem is that when the client's mail server sends a NDR the sender address is <> (ie NULL). The null sender address causes the message to be rejected with:
          >
          > 554+5.7.1+<>:+Sender+address+rejected:+Access+denied
          >
          > Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?
          >
          > Or alternatively - and this is off topic for this list - is there a way to configure Microsoft exchange 2003 to send NDR's with a different sender address.
          >
          > And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).
          >
          > Kind regards,
          >
          > James Day
          > (IT Engineer)
          >



          Best Regards
          MfG Robert Schetterer

          --
          [*] sys4 AG

          http://sys4.de, +49 (89) 30 90 46 64
          Franziskanerstraße 15, 81669 München

          Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
          Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
          Aufsichtsratsvorsitzender: Joerg Heidrich
        • James Day
          Message 4 of 13 , Feb 14, 2013
            .
            > > Is there a sensible way to configure postfix to allow these messages
            > > with null sender addresses to be relayed without opening the smart
            > > host up to exploitation?
            >
            > Sending bounces is not "exploitation", but the "smart host" (really
            > submission service) policy is up to the ISP. Ask them.

            I wasn't trying to suggest that sending bounces would be exploitation, rather that allowing *all* messages with a NULL sender to be relayed through could potentially be exploited to send spam as <>


            > NO. Bounces MUST be sent with a null sender address. Otherwise, bounces
            > would elicit bounces in return creating mail loops, sometimes exponentially
            > growing, if a message elicits multiple non-delivery reports.

            Yes I know that and have referred to that point below.

            > The solution is to use a relay that permits bounces. Either the ISP relaxes
            > their policies, or a different relay must be found.

            As I feared, thank you for confirming.

            > > And before anyone comments, yes I know this isn't best practice as
            > > NDR's should have null sender addresses to stop loops (bouncing
            > > bounce-backs!).
            >
            > Not "should", MUST. Not "isn't best practice", rather prohibited.
            >
            > --
            > Viktor.

            I understand and agree however in my experience you sometimes have to fudge things so they operate with incorrectly configured systems (against my own wishes!)

            James
          • Reindl Harald
            Message 5 of 13 , Feb 14, 2013
              Am 14.02.2013 16:36, schrieb James Day:

              >> Not "should", MUST. Not "isn't best practice", rather prohibited.
              > I understand and agree however in my experience you sometimes have
              > to fudge things so they operate with incorrectly configured systems
              > (against my own wishes!)

              no you have not

              if you can clearly show that your setup goes with all
              relevant RFC's and is configured by best common practice
              you NEVER need to do anything to support incorrectly
              configured systems

              the one with the incorrectly configured system has to fix it
              if i know what i am doing and can verify that my setup is
              correct and some boss is forcing me to violate RFC's this
              would be my last day working for whatever company
            • Robert Schetterer
              Message 6 of 13 , Feb 14, 2013
                Am 14.02.2013 16:36, schrieb James Day:
                > .
                >>> Is there a sensible way to configure postfix to allow these messages
                >>> with null sender addresses to be relayed without opening the smart
                >>> host up to exploitation?
                >>
                >> Sending bounces is not "exploitation", but the "smart host" (really
                >> submission service) policy is up to the ISP. Ask them.
                >
                > I wasn't trying to suggest that sending bounces would be exploitation, rather that allowing *all* messages with a NULL sender to be relayed through could potentially be exploited to send spam as <>
                >
                >
                >> NO. Bounces MUST be sent with a null sender address. Otherwise, bounces
                >> would elicit bounces in return creating mail loops, sometimes exponentially
                >> growing, if a message elicits multiple non-delivery reports.
                >
                > Yes I know that and have referred to that point below.
                >
                >> The solution is to use a relay that permits bounces. Either the ISP relaxes
                >> their policies, or a different relay must be found.
                >
                > As I feared, thank you for confirming.
                >
                >>> And before anyone comments, yes I know this isn't best practice as
                >>> NDR's should have null sender addresses to stop loops (bouncing
                >>> bounce-backs!).
                >>
                >> Not "should", MUST. Not "isn't best practice", rather prohibited.
                >>
                >> --
                >> Viktor.
                >
                > I understand and agree however in my experience you sometimes have to fudge things so they operate with incorrectly configured systems (against my own wishes!)
                >
                > James
                >

                looking in my relayhosts for exchange, i see <> is accepted via
                submission tls if sasl auth is done before
                from exchange with reject_sender_login_mismatch ,
                smtpd_sender_login_maps exists, this should be enough for the smarthost
                isp , i only know the problem appearing with i.e static restrict tables
                solution

                Best Regards
                MfG Robert Schetterer

                --
                [*] sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
                Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Aufsichtsratsvorsitzender: Joerg Heidrich
              • Viktor Dukhovni
                Message 7 of 13 , Feb 14, 2013
                  On Thu, Feb 14, 2013 at 03:36:11PM +0000, James Day wrote:

                  > > > Is there a sensible way to configure postfix to allow these messages
                  > > > with null sender addresses to be relayed without opening the smart
                  > > > host up to exploitation?
                  > >
                  > > Sending bounces is not "exploitation", but the "smart host" (really
                  > > submission service) policy is up to the ISP. Ask them.
                  >
                  > I wasn't trying to suggest that sending bounces would be
                  > exploitation, rather that allowing *all* messages with a NULL sender
                  > to be relayed through could potentially be exploited to send spam as <>

                  This has nothing to do with spam. One can just as easily send spam
                  as <malory@...> as one can as <>. The ISP can equally easily
                  track it down, since the Received: headers will contain the offending
                  IP address.

                  The real issue is that the ISP is offering a consumer-grade submission
                  service for MUAs, not a relay service for MTAs. Their rate limit
                  policies may be based on sender domains, rather than client IP
                  addresses (ideally they should really use the SASL login name).

                  Perhaps a business-grade service offering from the same ISP
                  (typically at a higher price-point) offers ISP support, or a
                  static sending IP not listed in the PBL (in which case simply
                  send direct and don't use the ISP relay).

                  > > > And before anyone comments, yes I know this isn't best practice as
                  > > > NDR's should have null sender addresses to stop loops (bouncing
                  > > > bounce-backs!).
                  > >
                  > > Not "should", MUST. Not "isn't best practice", rather prohibited.
                  >
                  > I understand and agree however in my experience you sometimes
                  > have to fudge things so they operate with incorrectly configured
                  > systems (against my own wishes!)

                  Not in this case, sending NDRs with a non-null envelope sender
                  address is a fundamental violation of the robustness requirements
                  of SMTP. This goes beyond working-around misconfiguration to flagrant
                  violation of a basic design requirement that prevents congestive
                  collapse of the mail system.

                  --
                  Viktor.
                • James Day
                  Message 8 of 13 , Feb 14, 2013
                    > -----Original Message-----
                    > From: owner-postfix-users@... [mailto:owner-postfix-
                    > users@...] On Behalf Of Reindl Harald
                    > Sent: 14 February 2013 15:43
                    > To: postfix-users@...
                    > Subject: Re: Null sender address in NDR's
                    >
                    >
                    >
                    > Am 14.02.2013 16:36, schrieb James Day:
                    >
                    > >> Not "should", MUST. Not "isn't best practice", rather prohibited.
                    > > I understand and agree however in my experience you sometimes have to
                    > > fudge things so they operate with incorrectly configured systems
                    > > (against my own wishes!)
                    >
                    > no you have not
                    >
                    > if you can clearly show that your setup goes with all relevant RFC's and is
                    > configured by best common practice you NEVER need to do anything to
                    > support incorrectly configured systems
                    >
                    > the one with the incorrectly configured system has to fix it if i know what i am
                    > doing and can verify that my setup is correct and some boss is forcing me to
                    > violate RFC's this would be my last day working for whatever company


                    I hope you don't take offence when I say that your messages come across as rather hostile.

                    Unfortunately when dealing with a 3rd party it's not always possible to ensure RFC compliance so on some occasions exceptions have to be made for the sake of getting things working.

                    Perhaps "incorrectly configured" was the wrong phrase to use. It's not that there is anything inherently wrong with the smtp.enta.net server, rather it wasn't designed to do what I'm asking of it.

                    I'm going to set up reverse DNS for the IP of this connection and send out directly from the client's Exchange server.

                    Thanks for your input.

                    James
                  • James Day
                    Message 9 of 13 , Feb 14, 2013
                      --snip--
                      > Not in this case, sending NDRs with a non-null envelope sender address is a
                      > fundamental violation of the robustness requirements of SMTP. This goes
                      > beyond working-around misconfiguration to flagrant violation of a basic
                      > design requirement that prevents congestive collapse of the mail system.
                      >
                      > --
                      > Viktor.

                      I understand the potential consequences (bouncing bounce-backs!). I was hoping someone had a clever fix to work around the issue I was having but it appears my initial thought was correct and I'll need to find an alternative method to send mail.

                      I didn't mean to start an argument about breaking RFC's.

                      Again, thanks for your input, it is greatly appreciated.

                      James
                    • Viktor Dukhovni
                      Message 10 of 13 , Feb 14, 2013
                        On Thu, Feb 14, 2013 at 04:14:06PM +0000, James Day wrote:

                        > > Not in this case, sending NDRs with a non-null envelope sender address is a
                        > > fundamental violation of the robustness requirements of SMTP. This goes
                        > > beyond working-around misconfiguration to flagrant violation of a basic
                        > > design requirement that prevents congestive collapse of the mail system.
                        >
                        > I didn't mean to start an argument about breaking RFC's.

                        I don't think you did. I'm not an RFC maximalist, and don't care
                        a great deal whether a particular setting does or does not violate
                        some RFC. The RFCs provide a guide to determine what is sound and
                        robust behaviour, and what is fragile or dangerously misguided.

                        One should generally strive to be RFC compliant, but, more importantly,
                        one must apply logic and avoid misguided configurations or policy
                        that put the network at risk, or carry a high risk of interoperability
                        failure. This is a combination of RFC compliance, common sense, and
                        best-practice experience.

                        There was only one knee-jerk RFC maximalist post in this thread, it
                        can be safely ignored.

                        --
                        Viktor.
                      • mouss
                        Message 11 of 13 , Feb 14, 2013
                          Le 14/02/2013 16:03, James Day a écrit :
                          > Hello List,
                          >
                          > I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.
                          >
                          > A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered smtp.enta.net (which is running postfix).
                          >
                          > This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.
                          >
                          > The problem is that when the client's mail server sends a NDR the sender address is <> (ie NULL). The null sender address causes the message to be rejected with:
                          >
                          > 554+5.7.1+<>:+Sender+address+rejected:+Access+denied
                          >
                          > Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?

                          null sender should be accepted. as of today, null sender is not (yet?)
                          abused by spammers.

                          and even if someday spammers decide to abuse it, we will setup simple
                          content filtering rules (NDR is not supposed to use a "normal" From:
                          address, etc etc).

                          so I'd say: just allow the null sender for now.

                          >
                          > Or alternatively - and this is off topic for this list - is there a way to configure Microsoft exchange 2003 to send NDR's with a different sender address.


                          dunno. but if you can put a postfix in front of exchange, you could
                          replace the null sender with specific address (of course, if you do so,
                          make sure to discard mail to this address to avoid loops). of course,
                          you should try to only do that for that specific ISP.

                          >
                          > And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).
                          >

                          yeah. but as long as you take care for auto-replies, you can replace the
                          null sender with any specific address of yours (such as ndr@...)
                          for which you never send bounces. not trivial, but you can do that.
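
Added example, not part of any post in this thread and not the ISP's actual configuration: a Postfix relay whose sender policy is a static `check_sender_access` table, the kind of setup the thread describes, rejects `MAIL FROM:<>` until the table carries an entry for the null-sender lookup key. The file paths, `customer.example` and the relay-authorisation lines are assumptions made for illustration.

```conf
# ---- /etc/postfix/main.cf on the relay (assumed layout) -------------------

# Relay authorisation: decides WHO may relay through this host at all.
# This list is evaluated independently of the sender policy below.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Sender policy: the envelope sender must be found in the table,
# anything not listed falls through to the final "reject".
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/allowed_senders,
    reject

# Key under which the null sender <> is looked up in access tables.
# This is the Postfix default, written out here for clarity.
smtpd_null_access_lookup_key = <>


# ---- /etc/postfix/allowed_senders, BEFORE ---------------------------------
# Only the customer's domain is listed (customer.example is a placeholder).
customer.example        OK

# Result for a bounce from the customer's MTA:
#   MAIL FROM:<>  ->  no table entry  ->  final "reject"
#   554 5.7.1 <>: Sender address rejected: Access denied


# ---- /etc/postfix/allowed_senders, AFTER ----------------------------------
customer.example        OK
# Permit the null envelope sender so NDRs/DSNs can be relayed.
<>                      OK


# ---- Rebuild the table and confirm the lookup -----------------------------
#   postmap /etc/postfix/allowed_senders
#   postmap -q "<>" hash:/etc/postfix/allowed_senders     (should print: OK)
```

Because each restriction list is evaluated on its own, the `OK` for `<>` only satisfies the sender policy; a client that is neither in `mynetworks` nor SASL-authenticated is still stopped by `reject_unauth_destination`.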
                        • Rod Whitworth
                          Message 12 of 13 , Feb 14, 2013
                            On Thu, 14 Feb 2013 15:58:34 +0000, Viktor Dukhovni wrote:

                            >This has nothing to do with spam. One can just as easily send spam
                            >as <malory@...> as one can as <>. The ISP can equally easily
                            >track it down, since the Received: headers will contain the offending
                            >IP address.
                            >

                            I don't know if you are seeing the storm I'm seeing that works like
                            this:

                            Spammer sends mail to my domain using a target like
                            <JIXnZQwb5@...> and of course that is not accepted at entry.

                            However there are masses of idiots who accept and bounce and so I see:
                            <UHpUaGeKa48@...> proto=ESMTP helo=<mail-pa0-f68.google.com>
                            in bounce messages that did not originate in my domain.

                            The spammer is hoping for his message to be bounced so that it looks
                            like the spam came from an innocent domain.

                            I assume that the content is spam. I don't have time to probe messages
                            that may even have malware involved.

                            I wonder how many bounced messages are read at the falsely accused
                            domain....

                            R/

                            *** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
                            Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

                            Rod/
                            ---
                            This life is not the real thing.
                            It is not even in Beta.
                            If it was, then OpenBSD would already have a man page for it.
                          • Robert Schetterer
                            Message 13 of 13 , Feb 14, 2013
                              Am 15.02.2013 00:29, schrieb Rod Whitworth:
                              > On Thu, 14 Feb 2013 15:58:34 +0000, Viktor Dukhovni wrote:
                              >
                              >> This has nothing to do with spam. One can just as easily send spam
                              >> as <malory@...> as one can as <>. The ISP can equally easily
                              >> track it down, since the Received: headers will contain the offending
                              >> IP address.
                              >>
                              >
                              > I don't know if you are seeing the storm I'm seeing that works like
                              > this:
                              >
                              > Spammer sends mail to my domain using a target like
                              > <JIXnZQwb5@...> and of course that is not accepted at entry.
                              >
                              > However there are masses of idiots who accept and bounce and so I see:
                              > <UHpUaGeKa48@...> proto=ESMTP helo=<mail-pa0-f68.google.com>
                              > in bounce messages that did not originate in my domain.

                              as in real world, there is less you can do against idiots

                              >
                              > The spammer is hoping for his message to be bounced so that it looks
                              > like the spam came from an innocent domain.
                              >
                              > I assume that the content is spam. I don't have time to probe messages
                              > that may even have malware involved.
                              >
                              > I wonder how many bounced messages are read at the falsely accused
                              > domain....

                              you may use dmarc, helps a little bit

                              however in my most spammed domain, i use an adaptive firewall
                              for blocking servers/bot ips ( beyond postscreen etc ), this keeps the
                              log clean, and free up cpu power for legal mail, but that isn't a concept
                              for everywhere, it's more like last defense


                              >
                              > R/
                              >
                              > *** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
                              > Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.
                              >
                              > Rod/
                              > ---
                              > This life is not the real thing.
                              > It is not even in Beta.
                              > If it was, then OpenBSD would already have a man page for it.
                              >
                              >



                              Best Regards
                              MfG Robert Schetterer

                              --
                              [*] sys4 AG

                              http://sys4.de, +49 (89) 30 90 46 64
                              Franziskanerstraße 15, 81669 München

                              Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
                              Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                              Aufsichtsratsvorsitzender: Joerg Heidrich