jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Mon Feb 08, 2021 6:14 pm Post subject: [SOLVED] Postfix, how to reject instead of bounce ?
Aloha !
Like so many of us I have followed the Complete Virtual Mail Server guide : https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server
It is working like a charm but I have only one pet peeve. I have a number of elderly users who instead of choosing someone from the address book,
they type the email address and more often than not, the wohle emial address is typed worng
Naturally this wrong address will not be handled by my mailserver :
Code:
Feb 8 17:44:57 postbox postfix/virtual[28164]: D13D09E014B: to=<typo@mydomain.nl>, relay=virtual, delay=0.11, delays=0.05/0.01/0/0.06, dsn=5.1.1, status=bounced (unknown user: "typo@mydomain.nl")
The mail gets bounced and.... then gets killed by the mailrelay of the ISP over which I naturally have no control.
Now mind you, they kill it with good reason :
Quote:
Feb 8 17:44:58 postbox postfix/smtp[28166]: ED3159E014E: to=<returnaddress@somedomain.com>, relay=smtp.mailrelay.nl[200.54.11.34]:25, delay=0.18, delays=0.04/0.01/0.07/0.06, dsn=5.0.0, status=bounced (host smtp.mailrelay.nl[200.54.11.34] said: 550-Bounce Message refused to prevent mailserver backscatter 550 blacklisting. (in reply to end of DATA command))
Now I have read that you can tell Postfix not to bounce but do a nicer reject. The sender will get an email saying the address is wrong.
However, I'm at this for weeks now and I am not able to get this working. It always bounces ????
I am sure that I, in my infinite stupidity, am overlooking something simple but I have no idea what...
Could anyone please point me in the right direction ? If you need config files, I'll gladly post them here
Cheeeeeeeeeers and stay healthy
Jecepede
_________________
I've got that retro-feeling :
http://instagram.com/jecepede
Check out my YouTube channel
https://www.youtube.com/jecepede
Last edited by jecepede on Sat Feb 13, 2021 8:16 pm; edited 1 time in total
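
The two log lines in the post above describe a message accepted at SMTP time, bounced at delivery, and a notification that the relay then refused. The following check over a mail log separates that pattern from an in-session reject; it is an added example, not part of the thread, the name `triage` is hypothetical, and the `postfix/bounce`, `NOQUEUE: reject` and `status=sent` lines are constructed samples.

```python
import re

# Lines 1 and 3 are the log lines quoted in the thread; lines 2, 4 and 5 are
# constructed samples in Postfix's usual log format.
SAMPLE_LOG = """\
Feb 8 17:44:57 postbox postfix/virtual[28164]: D13D09E014B: to=<typo@mydomain.nl>, relay=virtual, delay=0.11, delays=0.05/0.01/0/0.06, dsn=5.1.1, status=bounced (unknown user: "typo@mydomain.nl")
Feb 8 17:44:57 postbox postfix/bounce[28165]: D13D09E014B: sender non-delivery notification: ED3159E014E
Feb 8 17:44:58 postbox postfix/smtp[28166]: ED3159E014E: to=<returnaddress@somedomain.com>, relay=smtp.mailrelay.nl[200.54.11.34]:25, delay=0.18, delays=0.04/0.01/0.07/0.06, dsn=5.0.0, status=bounced (host smtp.mailrelay.nl[200.54.11.34] said: 550-Bounce Message refused to prevent mailserver backscatter 550 blacklisting. (in reply to end of DATA command))
Feb 8 18:02:10 postbox postfix/smtpd[28301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <typo@mydomain.nl>: Recipient address rejected: undeliverable address; from=<a@example.org> to=<typo@mydomain.nl> proto=ESMTP helo=<mx.example.org>
Feb 8 18:05:00 postbox postfix/virtual[28400]: A1B2C3D4E5F: to=<good@mydomain.nl>, relay=virtual, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
"""

DELIVERY = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): to=<([^>]*)>,.*?dsn=([\d.]+), status=(\w+)")
NOTICE = re.compile(r"postfix/bounce\[\d+\]: ([0-9A-F]+): sender non-delivery notification: ([0-9A-F]+)")
REJECT = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+ (5\d\d) \S+ <([^>]*)>")
LOCAL_AGENTS = {"virtual", "local", "pipe"}  # agents that deliver after the SMTP session has ended


def triage(log):
    """Split recipient failures into in-session rejects and post-queue bounces."""
    deliveries = [m.groups() for m in map(DELIVERY.search, log.splitlines()) if m]
    # Map each notification's queue ID to the queue ID of the message that bounced.
    notices = {ndr: qid for qid, ndr in NOTICE.findall(log)}
    report = {"rejected_in_session": [], "accepted_then_bounced": [], "notice_refused": []}
    for code, rcpt in REJECT.findall(log):
        # Refused during RCPT TO: the sending server informs its own user.
        report["rejected_in_session"].append((code, rcpt))
    for agent, qid, rcpt, dsn, status in deliveries:
        if status != "bounced" or not dsn.startswith("5."):
            continue
        if agent in LOCAL_AGENTS:
            # Accepted first, failed at delivery: Postfix now has to mail a
            # notification to the envelope sender (backscatter if it is forged).
            report["accepted_then_bounced"].append((qid, rcpt))
        elif agent == "smtp" and qid in notices:
            # The notification itself was refused by the next hop.
            report["notice_refused"].append((qid, notices[qid], rcpt))
    return report


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Any entry under `accepted_then_bounced` means the recipient check happened only after the message was queued; once recipients are validated during the SMTP session, the same typo shows up under `rejected_in_session` instead.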

szatox Advocate
Joined: 27 Aug 2013 Posts: 3493
Posted: Mon Feb 08, 2021 9:52 pm Post subject:
I don't understand your setup. Why do you even go through ISP's server?
And if you are using ISP's server as a relay, how come you are getting a reject within the same SMTP conversation?
If you send an email via a relay, it goes like that:
you successfully send to the relay (and disconnect)
relay fails to forward to the recipient's server (because it rejects due to an invalid address)
relay creates a bounce message and attempts to send it to whoever is in Return-Path (or From, if RP does not exist)
You seem to be doing something weird there.
So... Do you have your own domain and a public IP address? What does the email's route look like, hop by hop (at least on the part where you can control it?)
Which machine actually creates bounce messages?

jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Tue Feb 09, 2021 4:32 pm Post subject:
Aloha !
Yub I have a public (static) IP address with a mailserver behind it under my own domain. That is indeed why I use my ISP's smpt.mailrelay.nl for outgoing mail.
"reject within the same SMTP conversation" ???
There is no 'same conversation'. The mail is dropped in a queue, scanned for SPAM, scanned for viruses and then it will try to deliver it in one of the mailboxes...
I am not sure I understand Szatox's question, if there is any...
Let me try to elaborate.
- Someone in the world sends an email to my mailserver. It will go directly to my machine. No problem there.
- My mailserver does not recognise the mail address due to the fact it is misspelled.
- My mailserver then has to reject the mail with "Sorry address unknown" (outgoing mail goes to my ISP)
- ISP says 'no can't do'. Apparently coz it gets bounced instead of rejected by my mailserver
So the question :
How can I make it reject instead of bounce
Cheeeeeeeeeeeers,
Jecepede

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Feb 09, 2021 6:19 pm Post subject:
Postfix's default configuration should reject. Post the output of "comm -23 <(postconf -n | sort) <(postconf -d | sort)", minus any sensitive things like hostnames (we don't need those to debug this).

szatox Advocate
Joined: 27 Aug 2013 Posts: 3493
Posted: Tue Feb 09, 2021 7:47 pm Post subject:
Quote:
Yub I have a public (static) IP address with a mailserver behind it under my own domain. That is indeed why I use my ISP's smpt.mailrelay.nl for outgoing mail.

Ok, so if you have your own domain and a public IP address, what is the purpose of ISP's relay in your setup?
Why won't you just send those messages directly where you want them delivered?

jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Wed Feb 10, 2021 4:38 pm Post subject:
Aloha !
Ant P. wrote:
comm -23 <(postconf -n | sort) <(postconf -d | sort)

Here goes :
Code:
postbox [PROD] / # comm -23 <(postconf -n | sort) <(postconf -d | sort)
postconf: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
compatibility_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_spool_directory = /var/spool/mail
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, localhost
mydomain = mydomain.nl
relayhost = [smtp.mailrelay.nl]
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mydomain.nl, myseconddomain.nl, mythirddomain.com, myfourthdomain.nl
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
Cheeeeeeeeeeers,
Jecepede
Last edited by jecepede on Wed Feb 10, 2021 4:44 pm; edited 1 time in total

jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Wed Feb 10, 2021 4:43 pm Post subject:
Aloha !
szatox wrote:
Ok, so if you have your own domain and a public IP address, what is the purpose of ISP's relay in your setup?
Why won't you just send those messages directly where you want them delivered?

Long story but a lot of ISPs nowadays block mail for various reasons. For example when you have no reverse DNS records.
I helped a friend of mine who had a similar problem with his server. With my server I did not feel like trying to cut through all the red tape again,
so I use my ISP as a mail relay and in the few years I had this server, it did not give any problems....
Technically speaking, it still gives no problems. Bounced mail should indeed be stopped due to backscatter.
Cheeeeeeeeeers,
Jecepede

szatox Advocate
Joined: 27 Aug 2013 Posts: 3493
Posted: Wed Feb 10, 2021 8:59 pm Post subject:
Quote:
Long story but a lot of ISPs nowadays block mail for various reasons. For example when you have no reverse DNS records.

Yes, that's why people actually set revdns, spf, dkim, dmarc, and make sure their servers are not open relays.

Quote:
Technically speaking, it still gives no problems. Bounced mail should indeed be stopped due to backscatter.

Yeah, so your ISP's relay does not bounce messages when it fails to deliver them, which you commend, but also makes you unhappy enough to ask how you can change it.
Confusing AF.

jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Thu Feb 11, 2021 7:44 pm Post subject:
Aloha !
Uhmm... apparently you did not read the text correctly. Or I suck at explaining
It is not the ISP that bounces.
It is my mailserver which bounces the mail
(See the supplied log in post#1)
According to Ant P. it should not bounce but reject by default :
Ant P. wrote:
Postfix's default configuration should reject.

As far as I know I did not change this behaviour but it has apparently changed.
All I want is for MY mailserver to reject.... not bounce....
Cheeeeeeeers,
Jecepede

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Feb 12, 2021 5:42 am Post subject:
Nothing there looks outright misconfigured, so that's good. I've got a few lines in my config that you don't have; maybe it's one of these.
Code:
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

They were taken from postfix hardening articles around the internet, so they should be safe. Make sure to check the documentation for each though.
(I could be wrong about this - maybe it just sends bounces because you have a relayhost set...)

freke Veteran
Joined: 23 Jan 2003 Posts: 1051 Location: Somewhere in Denmark
Posted: Fri Feb 12, 2021 9:08 am Post subject:
I have catchall-addresses on my mailserver, so I don't have the reject/bounce problem, but maybe try changing these to 550 instead of the default 450?:
Quote:
Recipient address verification
As mentioned earlier, recipient address verification is useful to block mail for undeliverable recipients on a mail relay host that does not have a list of all valid recipient addresses. This can help to prevent the mail queue from filling up with MAILER-DAEMON messages.
Recipient address verification is relatively straightforward and there are no surprises. If a recipient probe fails, then Postfix rejects mail for the recipient address. If a recipient probe succeeds, then Postfix accepts mail for the recipient address. However, recipient address verification probes can increase the load on down-stream MTAs when you're being flooded by backscatter bounces, or when some spammer is mounting a dictionary attack.
By default, address verification results are saved in a persistent database (Postfix version 2.7 and later; with earlier versions, specify the database in main.cf as described later). The persistent database helps to avoid probing the same address repeatedly.
Code:
/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        # reject_unauth_destination is not needed here if the mail
        # relay policy is specified under smtpd_relay_restrictions
        # (available with Postfix 2.10 and later).
        reject_unauth_destination
        ...
        reject_unknown_recipient_domain
        reject_unverified_recipient
        ...
    # Postfix 2.6 and later privacy feature.
    # unverified_recipient_reject_reason = Address lookup failed
    # Postfix 3.2 and earlier workaround.
    # Do not set enable_original_recipient=no. This prevents Postfix
    # from saving the recipient address verification result under
    # the original address, when the address verification probe
    # message goes through address aliasing or canonical mapping.

The "reject_unknown_recipient_domain" restriction blocks mail for non-existent domains. Putting this before "reject_unverified_recipient" avoids the overhead of generating unnecessary probe messages.
The unverified_recipient_reject_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address is known to bounce. Change this setting into 550 when you trust Postfix's judgments.
The following features are available in Postfix 2.6 and later.
The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error.

EDIT: Not sure this works - tried it on a dummy-domain on my mail-server w/o a catchall-address and it seemed to generate a bounce-mail :/

freke Veteran
Joined: 23 Jan 2003 Posts: 1051 Location: Somewhere in Denmark
Posted: Fri Feb 12, 2021 11:13 pm Post subject:
In main.cf I'm using
Code:
virtual_transport = dovecot
I can add to the dovecot entry in my master.cf, i.e.
Code:
dovecot unix - n n - - pipe
  -o soft_bounce=yes
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain}
then I get this in my log
Code:
Feb 13 00:08:49 mail postfix/pipe[26057]: 00E771A802C9: to=<test@sindalsen.dk>, relay=dovecot, delay=0.22, delays=0.11/0/0/0.11, dsn=4.1.1, status=SOFTBOUNCE (user unknown)
and no mail generated

jecepede Apprentice
Joined: 19 Nov 2002 Posts: 239
Posted: Sat Feb 13, 2021 8:16 pm Post subject: Solved !
Aloha !
So I have tried a number of things you guys suggested. Lo and behold, I got it to work by using :
Code:
reject_unverified_recipient
That was so easy I can't believe I did not think about this myself.
The mail is rejected instead of being bounced and the sender gets a "delivery failure notice" in their inbox
Thank you all for the suggestions
Cheeeeeeeeeers and stay safe,
Jecepede