Postfix still sending bounces

  • Ian Evans
    Message 1 of 16 , Nov 4, 2013
      Migrating to a new server and decided I would switch to postfix. On my old qmail server, I used validrcptto to drop emails not destined for the virtual accts on our site.

      I've read tutorials and the backscatter/local recipient pages and my postfix is still sending out bounce message instead of just dropping the connections. I want to be a good netizen so want to nip this in the bud.

      Here's my main.cf. Please let me know if there's more info you need.

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = smtp-amavis:[127.0.0.1]:10024
      home_mailbox = Maildir/
      inet_interfaces = all
      inet_protocols = ipv4
      local_recipient_maps = $virtual_mailbox_maps
      local_transport = virtual
      mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
      mailbox_size_limit = 0
      myhostname = localhost
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      myorigin = /etc/mailname
      policy-spf_time_limit = 3600s
      readme_directory = no
      recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
      recipient_delimiter = +
      relay_recipient_maps = hash:/etc/postfix/relay_recipients
      relayhost =
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policy-spf,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client cbl.abuseat.org,check_policy_service inet:127.0.0.1:10023
      smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_path = private/dovecot-auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = reject_unknown_sender_domain
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/dovecot/dovecot.pem
      smtpd_tls_key_file = /etc/dovecot/private/dovecot.pem
      smtpd_tls_mandatory_ciphers = medium
      smtpd_tls_mandatory_protocols = SSLv3, TLSv1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      tls_random_source = dev:/dev/urandom
      virtual_gid_maps = static:5000
      virtual_mailbox_base = /home/vmail
      virtual_mailbox_domains = digitalhit.com
      virtual_mailbox_maps = hash:/etc/postfix/vmaps
      virtual_minimum_uid = 1000
      virtual_uid_maps = static:5000
    • Benny Pedersen
      Message 2 of 16 , Nov 4, 2013
        Ian Evans wrote on 2013-11-05 00:03:

        > Here's my main.cf [1]. Please let me know if there's more info you
        > need.

        first question from me is, why do you mix virtual and local users ?

        and show postfix logs to get more help with the bounces
      • Jim Wright
        Message 3 of 16 , Nov 4, 2013
          On Nov 4, 2013, at 5:03 PM, Ian Evans <dheianevans@...> wrote:
          >
          > I've read tutorials and the backscatter/local recipient pages and my postfix is still sending out bounce message instead of just dropping the connections. I want to be a good netizen so want to nip this in the bud.

          Normally, bouncing undeliverable messages is the proper behavior for a good netizen. Why are you being rude and dropping the connection? Doing this to a properly configured mail server will just cause them to retry the delivery until they hit their retry limit.
        • lists@rhsoft.net
          Message 4 of 16 , Nov 4, 2013
            On 05.11.2013 00:50, Jim Wright wrote:
            > On Nov 4, 2013, at 5:03 PM, Ian Evans <dheianevans@...> wrote:
            >>
            >> I've read tutorials and the backscatter/local recipient pages and my postfix is still sending out bounce message instead of just dropping the connections. I want to be a good netizen so want to nip this in the bud.
            >
            > Normally, bouncing undeliverable messages is the proper behavior for a good netizen.

            *what*?

            you never ever have to bounce - not for incoming mail
            you must not if you won't get blacklisted for good reasons

            http://en.wikipedia.org/wiki/Backscatter

            > Why are you being rude and dropping the connection?

            he meant REJECT and not simply drop the connection

            > Doing this to a properly configured mail server will just cause them to retry the delivery

            not in case of a 5xx status code
          • Wietse Venema
            Message 5 of 16 , Nov 4, 2013
              Ian Evans:
              > Migrating to a new server and decided I would switch to postfix. On my old
              > qmail server, I used validrcptto to drop emails not destined for the
              > virtual accts on our site.
              >
              > I've read tutorials and the backscatter/local recipient pages and my
              > postfix is still sending out bounce message instead of just dropping the
              > connections. I want to be a good netizen so want to nip this in the bud.

              What do you mean with "postfix is bouncing messages"? Show an example.

              Wietse
            • Ian Evans
              Message 6 of 16 , Nov 4, 2013
                Argh...gmail and mailing lists. Sent this response directly to Benny instead of the list, so here I go again:

                > Ian Evans wrote on 2013-11-05 00:03:
                >
                >> Here's my main.cf [1]. Please let me know if there's more info you
                >> need.
                >
                > first question from me is, why do you mix virtual and local users ?

                How am I mixing them? Still getting used to the postfix way of things, so if I'm mixing them I'm not even sure how. I don't have any mail accts that are also unix accts. The root acct is aliased to my personal mail.

                > and show postfix logs to get more help with the bounces

                I sent an email from this acct to a user that doesn't exist on my system. 

                Nov  4 13:24:21 localhost postfix/smtpd[30584]: 4D6B221209: client=mail-la0-f41.google.com[209.85.215.41]
                Nov  4 13:24:21 localhost postgrey[9679]: 4D6B221209: action=pass, reason=client whitelist, client_name=mail-la0-f41.google.com, client_address=209.85.215.41, sender=dheianevans@..., recipient=zurb@...
                Nov  4 13:24:21 localhost postfix/smtpd[30584]: 4D6B221209: reject: RCPT from mail-la0-f41.google.com[209.85.215.41]: 550 5.1.1 <zurb@...>: Recipient address rejected: User unknown in virtual mailbox table; from=<dheianevans@...> to=<zurb@...> proto=ESMTP helo=<mail-la0-f41.google.com>
                Nov  4 13:24:21 localhost postfix/cleanup[30592]: 4D6B221209: message-id=<CABiY0=j+amR8JQ88pSBMc9-9uMm+z2CHnieRcEwPAcgRpzSqnw@...>

                However, I think I might have some egg on my face, potentially a lot of egg. To answer Venema's question, I went to get the "bounce" message.

                As I copied it, I realized it was coming from _Google's_ mailer daemon.

                "Delivery to the following recipient failed permanently:

                     zurb@...

                Technical details of permanent failure:
                Google tried to deliver your message, but it was rejected by the server for the recipient domain digitalhit.com by mail.digitalhit.com. [162.243.65.187].

                The error that the other server returned was:
                550 5.1.1 <zurb@...>: Recipient address rejected: User unknown in virtual mailbox table "

                So I'm guessing it's safe to assume that I'm _not_ sending out bounce messages? However I still want to be sure I'm configured properly. If some bot sent out thousands of emails to non-existent users on my site using someone else's email, would that unsuspecting person get thousands of messages like that?

                Are there any other config changes you would recommend to lock this down further?
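
The distinction this thread turns on, shown as an added example (not part of any poster's message): a log check that separates SMTP-time rejects, like the 550 5.1.1 line above, from bounces Postfix generates after accepting a message, and flags the latter as backscatter risk when the message came from an untrusted client. The function names, `TRUSTED_NETS`, and every log line are constructed for illustration; the addresses are documentation ranges.

```python
import ipaddress
import re

# Assumption: networks whose mail counts as "our own users" (mirror your mynetworks).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]

LINE_RE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
REJECT_RE = re.compile(r"reject: \S+ from \S+\[[^\]]+\]: (?P<cls>[45])\d\d ")
CLIENT_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
BOUNCED_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>.*\bstatus=bounced\b")
NDR_RE = re.compile(r"sender non-delivery notification: \w+")

# Constructed sample log in Postfix's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov  5 10:00:01 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from mta.example.net[192.0.2.10]: 550 5.1.1 <nouser@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<nouser@example.org> proto=ESMTP helo=<mta.example.net>
Nov  5 10:00:05 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from mta.example.net[192.0.2.10]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<mta.example.net>
Nov  5 10:01:00 mx postfix/smtpd[2002]: 3F2A1C0011: client=bot.example.com[198.51.100.7]
Nov  5 10:01:00 mx postfix/qmgr[900]: 3F2A1C0011: from=<victim@example.net>, size=2048, nrcpt=1 (queue active)
Nov  5 10:01:01 mx postfix/virtual[2003]: 3F2A1C0011: to=<full@example.org>, relay=virtual, delay=0.4, delays=0.3/0/0/0.1, dsn=5.2.2, status=bounced (maildir delivery failed: quota exceeded)
Nov  5 10:01:01 mx postfix/bounce[2004]: 3F2A1C0011: sender non-delivery notification: 4B7D2C0012
Nov  5 10:02:00 mx postfix/smtpd[2005]: 5C9E3C0013: client=localhost[127.0.0.1]
Nov  5 10:02:00 mx postfix/qmgr[900]: 5C9E3C0013: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Nov  5 10:02:02 mx postfix/smtp[2006]: 5C9E3C0013: to=<gone@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=5.1.1, status=bounced (host mx.example.com[203.0.113.5] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Nov  5 10:02:02 mx postfix/bounce[2007]: 5C9E3C0013: sender non-delivery notification: 6D0F4C0014
"""


def is_ours(msg):
    """True when the bounced message came from a trusted or authenticated client."""
    if msg["authed"] or msg["ip"] is None:  # no smtpd client line: local submission
        return True
    try:
        addr = ipaddress.ip_address(msg["ip"])
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Separate SMTP-time rejects from bounces generated after acceptance."""
    report = {"reject_5xx": 0, "reject_4xx": 0,
              "backscatter_risk": [], "bounce_to_own_user": []}
    msgs = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m["daemon"], m["qid"], m["rest"]
        msg = msgs.setdefault(qid, {"ip": None, "authed": False, "sender": None,
                                    "bounced": [], "ndr": False})
        if daemon == "smtpd":
            if rej := REJECT_RE.match(rest):
                # Refused inside the SMTP session: the connecting client owns the
                # failure, and this server sends no message of its own.
                report["reject_5xx" if rej["cls"] == "5" else "reject_4xx"] += 1
            elif client := CLIENT_RE.match(rest):
                msg["ip"] = client["ip"]
                msg["authed"] = "sasl_username=" in rest
        elif daemon == "qmgr" and (sender := FROM_RE.match(rest)):
            msg["sender"] = sender["sender"]
        elif daemon == "bounce" and NDR_RE.match(rest):
            # Postfix queued a new notification addressed to the envelope sender.
            msg["ndr"] = True
        elif bounced := BOUNCED_RE.search(rest):
            msg["bounced"].append(bounced["rcpt"])

    for qid, msg in msgs.items():
        if msg["ndr"]:
            entry = (qid, msg["sender"], msg["bounced"])
            key = "bounce_to_own_user" if is_ours(msg) else "backscatter_risk"
            report[key].append(entry)
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Any entry under `backscatter_risk` is a recipient condition (unknown user, over quota) that was only discovered after the message was accepted, which is the case the replies say to move into an SMTP-time reject.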
              • LuKreme
                Message 7 of 16 , Nov 4, 2013
                  On 04 Nov 2013, at 16:50 , Jim Wright <jim@...> wrote:

                  > On Nov 4, 2013, at 5:03 PM, Ian Evans <dheianevans@...> wrote:
                  >>
                  >> I've read tutorials and the backscatter/local recipient pages and my postfix is still sending out bounce message instead of just dropping the connections. I want to be a good netizen so want to nip this in the bud.
                  >
                  > Normally, bouncing undeliverable messages is the proper behavior for a good netizen.

                  *NEVER* Bounce. Ever.

                  Reject, yes. Bounce? Absolutely never. If you bounce a message to me, you get put on the deepest darkest shitlist imaginable where you *never* get removed.

                  > Why are you being rude and dropping the connection? Doing this to a properly configured mail server will just cause them to retry the delivery until they hit their retry limit.

                  I think you are confusing reject and bounce.

                  --
                  Did they get you to trade your heroes for ghosts? Hot ashes for trees?
                  Hot air for a cool breeze? Cold comfort for change?
                • Jose Borges Ferreira
                  Message 8 of 16 , Nov 5, 2013
                    On Tue, Nov 5, 2013 at 4:43 AM, LuKreme <kremels@...> wrote:
                    >> Normally, bouncing undeliverable messages is the proper behavior for a good netizen.
                    >
                    > *NEVER* Bounce. Ever.
                    >
                    > Reject, yes. Bounce? Absolutely never. If you bounce a message to me, you get put on the deepest darkest shitlist imaginable where you *never* get removed.
                    >

                    Your server, Your rules but don't try to influence people with bad ideas.

                    Backscatter is done with bounces. Not all bounces are backscatter.


                    José Borges Ferreira.
                  • lists@rhsoft.net
                    Message 9 of 16 , Nov 5, 2013
                      On 05.11.2013 12:03, Jose Borges Ferreira wrote:
                      > On Tue, Nov 5, 2013 at 4:43 AM, LuKreme <kremels@...> wrote:
                      >>> Normally, bouncing undeliverable messages is the proper behavior for a good netizen.
                      >>
                      >> *NEVER* Bounce. Ever.
                      >>
                      >> Reject, yes. Bounce? Absolutely never. If you bounce a message to me, you get put on the deepest darkest shitlist imaginable where you *never* get removed.
                      >>
                      >
                      > Your server, Your rules but don't try to influence people with bad ideas.

                      if a server is sending bounces instead reject messages it is wrong configured

                      > Backscatter is done with bounces. Not all bounces are backscatter.

                      the one and only reason why a bounce is acceptable is to *your* users because
                      the remote MTA rejected a message and after accept a incoming message the LDA
                      does not accept it because quotas which the MTA can not check for

                      * if you accept a message and the RCPT is unknown -> config error
                      * if you accept a message and use a post-queue spamfilter you must not bounce
                      avoid such filters

                      there is no other valid reason accept a incoming message and after
                      that send a bounce - that's the Microsoft Exchange way accepting and
                      then send bounces "user unknown", but this is unacceptable behavior
                    • Mark Goodge
                      Message 10 of 16 , Nov 5, 2013
                        On 05/11/2013 11:03, Jose Borges Ferreira wrote:
                        > On Tue, Nov 5, 2013 at 4:43 AM, LuKreme <kremels@...> wrote:
                        >>> Normally, bouncing undeliverable messages is the proper behavior
                        >>> for a good netizen.
                        >>
                        >> *NEVER* Bounce. Ever.
                        >>
                        >> Reject, yes. Bounce? Absolutely never. If you bounce a message to
                        >> me, you get put on the deepest darkest shitlist imaginable where
                        >> you *never* get removed.
                        >>
                        >
                        > Your server, Your rules but don't try to influence people with bad
                        > ideas.
                        >
                        > Backscatter is done with bounces. Not all bounces are backscatter.

                        This.

                        The reason backscatter is a problem is because too many servers bounce
                        when they should reject. The solution to this is to reject when you
                        should reject, and ensure that you can reject in as many circumstances
                        as possible. It is not to reject even when you should bounce.

                        In practice, the number of occasions when an Internet-facing server
                        should bounce a message back to the public Internet is very low[1]. But
                        it's precisely because it's an uncommon occurrence that it's important
                        to do it on the rare occasions that you need to.

                        [1] Bouncing back to an internal location is far more common, of course,
                        and pretty much essential if you are using an outbound edge relay
                        between your internal servers and the public Internet.

                        Mark
                        --
                        My blog: http://mark.goodge.co.uk
                      • Mark Goodge
                        Message 11 of 16 , Nov 5, 2013
                          On 05/11/2013 11:10, lists@... wrote:
                          >
                          >
                          > On 05.11.2013 12:03, Jose Borges Ferreira wrote:
                          >> On Tue, Nov 5, 2013 at 4:43 AM, LuKreme <kremels@...> wrote:
                          >>>> Normally, bouncing undeliverable messages is the proper
                          >>>> behavior for a good netizen.
                          >>>
                          >>> *NEVER* Bounce. Ever.
                          >>>
                          >>> Reject, yes. Bounce? Absolutely never. If you bounce a message to
                          >>> me, you get put on the deepest darkest shitlist imaginable where
                          >>> you *never* get removed.
                          >>>
                          >>
                          >> Your server, Your rules but don't try to influence people with bad
                          >> ideas.
                          >
                          > if a server is sending bounces instead reject messages it is wrong
                          > configured

                          Indeed. But there are circumstances where a reject isn't possible. In
                          those cases, the choice is between drop or bounce. And bounce is the
                          right choice if the reason for the non-delivery is anything other than
                          spam filtering.

                          > there is no other valid reason accept a incoming message and after
                          > that send a bounce - that's the Microsoft Exchange way accepting and
                          > then send bounces "user unknown", but this is unacceptable behavior

                          Just because one server routinely gets it wrong doesn't mean that all
                          servers which correctly bounce instead of drop are getting it wrong.

                          Mark
                          --
                          My blog: http://mark.goodge.co.uk
                        • Jose Borges Ferreira
                          Message 12 of 16 , Nov 5, 2013
                            On Tue, Nov 5, 2013 at 11:29 AM, Mark Goodge <mark@...> wrote:
                            >> if a server is sending bounces instead reject messages it is wrong
                            >> configured
                            >
                            >
                            > Indeed. But there are circumstances where a reject isn't possible. In
                            > those cases, the choice is between drop or bounce. And bounce is the
                            > right choice if the reason for the non-delivery is anything other than spam
                            > filtering.
                            >
                            >
                            >> there is no other valid reason accept a incoming message and after
                            >> that send a bounce - that's the Microsoft Exchange way accepting and
                            >> then send bounces "user unknown", but this is unacceptable behavior
                            >
                            >
                            > Just because one server routinely gets it wrong doesn't mean that all
                            > servers which correctly bounce instead of drop are getting it wrong.
                            >

                            My point exactly!

                            btw, this is getting really off topic....

                            José Borges Ferreira
                          • Jim Wright
                            Message 13 of 16 , Nov 5, 2013
                              > On Nov 4, 2013, at 10:43 PM, LuKreme <kremels@...> wrote:
                              >
                              >
                              >> On 04 Nov 2013, at 16:50 , Jim Wright <jim@...> wrote:
                              >>
                              >>
                              >> Normally, bouncing undeliverable messages is the proper behavior for a good netizen.
                              >
                              > *NEVER* Bounce. Ever.
                              >
                              > Reject, yes. Bounce? Absolutely never.

                              Apologies to the OP and the list, I said bounce when I should have said reject. Reject is the meaning I meant to convey.
                            • Vijay Rajah
                              Message 14 of 16 , Nov 5, 2013
                                On 05/11/13 4:56 PM, Mark Goodge wrote:
                                > On 05/11/2013 11:03, Jose Borges Ferreira wrote:
                                >> On Tue, Nov 5, 2013 at 4:43 AM, LuKreme <kremels@...> wrote:
                                >>>> Normally, bouncing undeliverable messages is the proper behavior
                                >>>> for a good netizen.
                                >>>
                                >>> *NEVER* Bounce. Ever.
                                >>>
                                >>> Reject, yes. Bounce? Absolutely never. If you bounce a message to
                                >>> me, you get put on the deepest darkest shitlist imaginable where
                                >>> you *never* get removed.
                                >>>
                                >>
                                >> Your server, Your rules but don't try to influence people with bad
                                >> ideas.
                                >>
                                >> Backscatter is done with bounces. Not all bounces are backscatter.
                                >
                                > This.
                                >
                                > The reason backscatter is a problem is because too many servers bounce
                                > when they should reject. The solution to this is to reject when you
                                > should reject, and ensure that you can reject in as many circumstances
                                > as possible. It is not to reject even when you should bounce.
                                >
                                > In practice, the number of occasions when an Internet-facing server
                                > should bounce a message back to the public Internet is very low[1].
                                > But it's precisely because it's an uncommon occurrence that it's
                                > important to do it on the rare occasions that you need to.
                                >
                                > [1] Bouncing back to an internal location is far more common, of
                                > course, and pretty much essential if you are using an outbound edge
                                > relay between your internal servers and the public Internet.
                                >
                                > Mark

                                How do I configure postfix to drop the mail rather than reject? Is it
                                configurable? I have already configured my servers to REJECT all mails
                                not-intended to my domains and non-existent users and I do not accept
                                mails from non-existent domains. Is this enough?

                                What do I do when I accept an email, only to later find out the user's
                                quota is full? (it's only recently that dovecot has a way for REJECTING
                                mail on such cases). Do I Bounce that email or drop the mail (After I
                                have accepted it? Surely, in this scenario the correct thing would be to
                                BOUNCE is it not?)?

                                I'm just trying to understand the ways to prevent BOUNCEs..

                                -Thanks
                                Vijay
                              • Jose Borges Ferreira
                                Message 15 of 16 , Nov 5, 2013
                                  On Tue, Nov 5, 2013 at 6:01 PM, Vijay Rajah <me@...> wrote:
                                  > How do I configure postfix to drop the mail rather than reject? Is it
                                  > configurable? I have already configured my servers to REJECT all mails
                                  > not-intended to my domains and non-existent users and I do not accept mails
                                  > from non-existent domains. Is this enough?


                                  Depending on your setup, you should try to anticipate all situations
                                  where a bounce can happen and try to handle that (REJECT) before
                                  accept it.
                                  After you accept it, you have two options:
                                  a) You have a rare and catastrophic situation, then you should bounce
                                  to notify the sender.
                                  b) You are doing content-filter and detect spam or virus (or any
                                  other similar reason) and then you should DISCARD or HOLD (quarantine)
                                  the message.


                                  > What do I do when I accept an email, only to later find out the user's quota
                                  > is full? (it's only recently that dovecot has a way for REJECTING mail on
                                  > such cases). Do I Bounce that email or drop the mail (After I have accepted
                                  > it? Surely, in this scenario the correct thing would be to BOUNCE is it
                                  > not?)?
                                  >
                                  > I'm just trying to understand the ways to prevent BOUNCEs..

                                  Check this:
                                  http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/

                                  José Borges Ferreira
                                • Peter
                                  Message 16 of 16 , Nov 5, 2013
                                    On 11/06/2013 07:01 AM, Vijay Rajah wrote:
                                    >
                                    > How do I configure postfix to drop the mail rather than reject? Is it
                                    > configurable?

                                    Why on earth would you want to drop mail that you can reject?

                                    > I have already configured my servers to REJECT all mails
                                    > not-intended to my domains and non-existent users and I do not accept
                                    > mails from non-existent domains. Is this enough?

                                    That's a good start, it also helps to do as much screening pre-queue as
                                    possible and to reject mail based on that. postscreen is an excellent
                                    tool for this.

                                    > What do I do when I accept an email, only to later find out the user's
                                    > quota is full?

                                    You shouldn't be doing this (see below), but if you must accept the mail
                                    then I would highly recommend you deliver it, even if the mailbox is
                                    over quota.

                                    > (it's only recently that dovecot has a way for REJECTING
                                    > mail on such cases).

                                    Correct, dovecot now provides a policy daemon that works well with
                                    postfix, use it and reject that mail as you should.

                                    > Do I Bounce that email or drop the mail (After I
                                    > have accepted it? Surely, in this scenario the correct thing would be to
                                    > BOUNCE is it not?)?

                                    Consider that if a user goes over quota and you cannot, due to bad
                                    configuration, reject the mail, and you bounce, like you seem to want to
                                    do, then all it takes is for a spammer to spam that user with various
                                    spoofed senders and you have instant backscatter.

                                    > I'm just trying to understand the ways to prevent BOUNCEs..

                                    Prevent bounces by rejecting as much as possible instead. If you're in
                                    a situation where you think you have then often times if you think a bit
                                    more creatively you can avoid bouncing or dropping mail. In the case of
                                    SPAM you can deliver to the user's "Spam" folder, in the case of viruses
                                    you can quarantine.

                                    I'm not saying that there isn't a case where bouncing is appropriate, but
                                    I am hard pressed to think of one, and it makes sense to try to avoid it
                                    wherever possible.


                                    Peter