So the PCRE header check

/^Return-Path: <MAILER-DAEMON>/   REJECT Forged Return-Path

does not catch.

Are you sure it's a Return-Path header?
Usually, the envelope sender is put into Return-Path, so you may need to block
envelope sender MAILER-DAEMON.
You can see Return-Path after delivery to mbox, but it's often not
generated before that, so at SMTP level it may not exist.

Not sure what puts it there. The logs reveal very little about those
deliveries.

On 04.02.21 10:37, ludic...@gmail.com wrote:
I mainly see a connect and then:

Feb  3 13:34:47 stretch greylisting filter[32274]: Bounce message. SKIP
Feb  3 13:34:48 stretch postfix/qmgr[16941]: B0F0D6A402A6: from=<>, size=925, nrcpt=1 (queue active)

This is the null envelope sender, as specified by RFCs for delivery reports
(or any mail that is not supposed to generate a delivery report).

That gets replaced with MAILER-DAEMON when stored into the Return-Path header.
You should not block mail from empty envelope senders, but you may scan them
for spamminess, or there are tricks like VERP where you can detect if the
delivery report is legitimate.

https://en.wikipedia.org/wiki/Variable_envelope_return_path

SpamAssassin has the VBounce plugin to detect the same.

Feb  3 13:34:48 stretch postfix-local[32278]: postfix-local: from=MAILER-DAEMON, to=...

In between just Plesk stuff about what it cannot do with that mail, like
greylisting, virus scan...

I catch those by putting reject_non_fqdn_sender into
smtpd_sender_restrictions:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated, reject_non_fqdn_sender,
    check_sender_access pcre:/etc/postfix/pcre_sender,
    reject_unknown_sender_domain

Technically you can put <> into the sender access map, as it is used by default to
look up the empty envelope sender, unless you changed
smtpd_null_access_lookup_key:

http://www.postfix.org/postconf.5.html#smtpd_null_access_lookup_key

However, as I said, RFC 1123 (5.2.9) requires you to support the empty sender
address, and you may get blacklisted if you refuse to do so.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
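
The VERP idea mentioned in the message above, as an added example that is not part of the original post or of Postfix: outbound mail gets a per-recipient envelope sender, and a null-sender message is treated as a real delivery report only if its envelope recipient decodes back to such an address. The HMAC tag goes beyond plain VERP, and the secret, the mailbox name `bounces` and the domain `lists.example.com` are assumptions made for the example; it also assumes every outbound message uses `verp_sender()`.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: per-site secret, constructed here
BOUNCE_LOCAL = "bounces"              # hypothetical bounce mailbox
BOUNCE_DOMAIN = "lists.example.com"   # placeholder domain


def _tag(recipient: str) -> str:
    """Short HMAC over the original recipient (an addition to plain VERP)."""
    mac = hmac.new(SECRET, recipient.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:10]


def verp_sender(recipient: str) -> str:
    """Envelope sender to use when mailing `recipient`."""
    local, _, domain = recipient.rpartition("@")
    return f"{BOUNCE_LOCAL}+{_tag(recipient)}+{local}={domain}@{BOUNCE_DOMAIN}"


def check_bounce(env_sender: str, env_rcpt: str):
    """Classify a message by its envelope; returns (verdict, original recipient)."""
    if env_sender not in ("", "<>"):
        return ("not-a-bounce", None)          # only the null sender marks a bounce
    local, _, domain = env_rcpt.rpartition("@")
    parts = local.split("+", 2)                # mailbox, tag, encoded recipient
    if (domain.lower() != BOUNCE_DOMAIN or len(parts) != 3
            or parts[0] != BOUNCE_LOCAL or "=" not in parts[2]):
        return ("unverified-bounce", None)
    user, _, dom = parts[2].rpartition("=")    # domains cannot contain "="
    original = f"{user}@{dom}"
    # Compare as bytes so a non-ASCII tag cannot raise in compare_digest.
    if not hmac.compare_digest(parts[1].encode(), _tag(original).encode()):
        return ("unverified-bounce", None)
    return ("legitimate-bounce", original)


if __name__ == "__main__":
    sender = verp_sender("alice@example.org")  # constructed sample address
    print(sender)
    print(check_bounce("<>", sender))
    print(check_bounce("<>", "info@lists.example.com"))
```

An `unverified-bounce` verdict fits the advice in the message as a signal for scanning or scoring, not as a reason to refuse the null sender at SMTP time.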
