Loading ...
Sorry, an error occurred while loading the content.

allowing and then dropping wildcard users

Expand Messages
  • LuKreme
    I have several domains on my postfix server, and I have one where the owner wants the following behavior: user1@domain.tld = real user account user2@domain.tld
    Message 1 of 5 , May 5, 2013
    • 0 Attachment
      I have several domains on my postfix server, and I have one where the owner wants the following behavior:

      user1@... = real user account
      user2@... = real user account
      *@... = mail checks accepted, actual mail dropped.

      basically, some servers sent a query to the mailserver to see if an email address is accepted by the server, and she wants any email address to pass this check, but for actual emails to any addresses other than user1 or user2 to be dropped.

      This has to be isolated to just this domain, without affecting the way all the other domains on the same mailserver work.

      Not sure how to set this up, partly because I'm not sure what these mail checks involve. I was guessing it was simply a connection that send a RCPT header and then dropped it after OK?

      --
      My biggest problem is that Steve insists on serving PURPLE Kool Aid, an
      I don't like PURPLE <sip sip> Kool Aid.
    • Sahil Tandon
      ... Use virtual alias mapping to direct mail for user{1,2}@domain.tld to actual accounts. Then, implement a catch-all which maps *@domain.tld to an address
      Message 2 of 5 , May 5, 2013
      • 0 Attachment
        On Sun, 2013-05-05 at 02:39:30 -0600, LuKreme wrote:

        > I have several domains on my postfix server, and I have one where the
        > owner wants the following behavior:
        >
        > user1@... = real user account
        > user2@... = real user account
        > *@... = mail checks accepted, actual mail dropped.

        Use virtual alias mapping to direct mail for user{1,2}@... to
        actual accounts. Then, implement a catch-all which maps *@... to
        an address that, via transport(5), directs mail to the discard(8)
        service.

        --
        Sahil Tandon
      • Viktor Dukhovni
        ... That s an answer, but the OP still has not figured out what the question is, so he should do nothing until the question is understood. In most cases,
        Message 3 of 5 , May 5, 2013
        • 0 Attachment
          On Sun, May 05, 2013 at 01:26:20PM -0400, Sahil Tandon wrote:

          > On Sun, 2013-05-05 at 02:39:30 -0600, LuKreme wrote:
          >
          > > I have several domains on my postfix server, and I have one where the
          > > owner wants the following behavior:
          > >
          > > user1@... = real user account
          > > user2@... = real user account
          > > *@... = mail checks accepted, actual mail dropped.
          >
          > Use virtual alias mapping to direct mail for user{1,2}@... to
          > actual accounts. Then, implement a catch-all which maps *@... to
          > an address that, via transport(5), directs mail to the discard(8)
          > service.

          That's an answer, but the OP still has not figured out what the question
          is, so he should do nothing until the question is understood.

          In most cases, discarding mail to invalid addresses is unwise, the
          address could be an honest typo and the message may be important.

          If the concern is dictionary attacks, just use a sensible postscreen
          configuration to keep the bots away or accept the fact that one can't
          keep email addresses secret, focus on stopping spam, not hiding email
          addresses.

          --
          Viktor.
        • Noel Jones
          ... This was a common anti-spam technique ~15 years ago when both the spammers and anti-spam countermeasures were far cruder. No doubt your customer read about
          Message 4 of 5 , May 5, 2013
          • 0 Attachment
            On 5/5/2013 3:39 AM, LuKreme wrote:
            > I have several domains on my postfix server, and I have one where the owner wants the following behavior:
            >
            > user1@... = real user account
            > user2@... = real user account
            > *@... = mail checks accepted, actual mail dropped.
            >
            > basically, some servers sent a query to the mailserver to see if an email address is accepted by the server, and she wants any email address to pass this check, but for actual emails to any addresses other than user1 or user2 to be dropped.

            This was a common anti-spam technique ~15 years ago when both the
            spammers and anti-spam countermeasures were far cruder.

            No doubt your customer read about this technique in some ancient
            article on avoiding spam. It's good they're trying to educate
            themselves, but they stopped too soon.

            The idea back then was to keep valid email addresses a secret from
            the spammers. The side effect was that misrouted mail disappeared
            into a black hole with no notice to either the sender or recipient.
            Sometimes this was important mail. People were unhappy.

            These days, spammers have better ways to find email addresses.
            Don't expect any valid address that's used by more than a handful of
            recipients to stay secret for long.

            There's also the apparent effect of wildcard domains being "spam
            attractors". It seems that spammers-for-hire, who are paid per
            delivery, may target wildcard domains to pad their delivery numbers
            (I'm NOT talking about legit bulk mailers).

            Best practices often change with time. Invite your customer to the
            21st century. Wildcard domains are no longer recommended, and for
            good reasons.



            -- Noel Jones




            >
            > This has to be isolated to just this domain, without affecting the way all the other domains on the same mailserver work.
            >
            > Not sure how to set this up, partly because I'm not sure what these mail checks involve. I was guessing it was simply a connection that send a RCPT header and then dropped it after OK?
            >
          • LuKreme
            Noel Jones opined on Sunday 05-May-2013@20:37:44 ... The actual answer was much… odder. ... The owner of the domain is active on some web forum were each
            Message 5 of 5 , May 13, 2013
            • 0 Attachment
              Noel Jones opined on Sunday 05-May-2013@20:37:44
              > On 5/5/2013 3:39 AM, LuKreme wrote:
              >> I have several domains on my postfix server, and I have one where the owner wants the following behavior:
              >>
              >> user1@... = real user account
              >> user2@... = real user account
              >> *@... = mail checks accepted, actual mail dropped.
              >>
              >> basically, some servers sent a query to the mailserver to see if an email address is accepted by the server, and she wants any email address to pass this check, but for actual emails to any addresses other than user1 or user2 to be dropped.
              >
              > This was a common anti-spam technique ~15 years ago when both the
              > spammers and anti-spam countermeasures were far cruder.

              The actual answer was much… odder.

              > No doubt your customer read about this technique in some ancient
              > article on avoiding spam. It's good they're trying to educate
              > themselves, but they stopped too soon.

              The owner of the domain is active on some web forum<1> were each message posted subscribes the user to the thread with no option to disable the subscription. The owner wanted to change his email address on the forum so he would not get the replies posted delivered to his email, but the forum ‘verifies’ that the address is valid by opening an SMTP connection to the server.

              Once this was clear I told him to just use user1+junk@... which would deliver the mail to the Junk mailbox and mark it as read on delivery.

              > Best practices often change with time. Invite your customer to the
              > 21st century. Wildcard domains are no longer recommended, and for
              > good reasons.

              I would not allow a wildcard domain that delivered the mail.

              <1> I didn’t ask, he didn’t tell me.

              --
              'How do you know I'm mad?' said Alice 'You must be' said the Cat 'or you
              wouldn't have come here.'
            Your message has been successfully submitted and would be delivered to recipients shortly.