Hi,

First of all, I know sending NDRs is not a great idea. I do sender/rcpt checking, and so on, but there are still some cases when NDRs are generated or sent (for example: a customer's own mail server which generates the NDR - I have no control over it, and I have an outgoing relay service for customers - or when I accept mails at the MX server, but after some hops inside my system it turns out that the target mail server is over quota for that rcpt meanwhile, or a customer has an inbound mail relay service and they can't provide a map for the rcpt check, etc.). Fortunately, the rate of sending out NDRs is quite low now (after I introduced rcpt checking, and also a sender check for senders I have information on within a domain I'm handling, at least, not SAV!).

However, I would still like to make things better by passing NDRs to another server: its only task is to send out the NDRs, nothing more. It would help to analyze/block the NDR traffic there, and if that server is blacklisted (because of being a source of "backscatter"), it's not a real problem, as "normal" mails are not sent from there.

I'm trying to implement this, but I have a few problems. First, I tried this:

    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_is_null_for_ndr

The table specifies the null key <> and the target is the "NDR server".

My second try was this:

    smtpd_sender_restrictions = [...] check_sender_access hash:/etc/postfix/sender_is_null_for_ndr_filter

where the /etc/postfix/sender_is_null_for_ndr_filter file is:

    <> FILTER smtp:[10.10.10.10]

The idea behind this is that, though it's a "filter", it (the NDR server, "10.10.10.10" in this example) won't pass the mail back; I just use the "FILTER" action to be able to modify the target of the mails.

However, it seems both of these solutions have problems. It seems locally generated NDRs (if there are any at all; it was a test scenario that I wanted to generate) won't be handled well, at least not with the second solution. The problem I've experienced with the first solution: if I have a domain with a transport map, then NDRs (which would be sent to an rcpt in that domain) are sent directly, bypassing my need for them to be "relayed" to the NDR server (which uses the same LDAP-based transport map to send them out - or block them, as I plan to analyze NDR traffic there, as I've said).

What is the nice and clean solution for this problem which works in all cases? I have met NDRs generated locally but also from customers' servers, and I need all of them to be passed to the NDR server.

Thanks a lot in advance,

- Gábor