[pfx] Re: Bounces are disappearing
Nico Hoffmann via Postfix-users:
>Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3:
>from=, size=471, nrcpt=1 (queue active)

This message was sent from x...@lewonzelewonze.de, therefore a non-delivery notification will be sent to that address. This is defined in the SMTP protocol, also known as RFC 5321.

>Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender
>non-delivery notification: 3DBEA354BC8
>...dialup...
>Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>,
> size=2533,
>nrcpt=1 (queue active)
>Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8:
>to=, relay=mail.gmx.de[212.227.17.168]:25, delay=16,
>delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host

As required by RFC 5321 the non-delivery notification is sent to x...@lewonze.de. Also as required by RFC 5321 the non-delivery notification has a null sender address.

After a delivery failure the MTA MUST NOT send another non-delivery notification.

You can configure Postfix to send you some information about undeliverable mail:

main.cf:
    notify_classes = resource, software, bounce
    bounce_notice_recipient = you@localhost

This is not a backup mechanism, you only receive the message header.

	Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Bounces are disappearing
Hello,

I have a question about dealing with locally generated email (non delivery notifications) with an empty sender address.

I am running postfix 3.8.5 on my 'dialup' box. It is used to deliver my email by smtp via a relay host. I submit outgoing email with a user settable envelope address (I do no sender address rewriting for outgoing email).

But if there are bounces because the email is rejected by the relay, (a typo in the domain of the recipient address, for example...) things get weird. See the log snippet below.

Apparently, postfix creates a non delivery notification for the rejected email. This has an empty sender address, and actually it should go back to me, in my local mailbox and not be sent to any node outside. But postfix offers this non delivery notification to the relay, which rejects it, this time for having an empty sender address. Now, postfix seems to discard the email silently, at least I didn't find it anywhere.

I think postfix should deliver such emails only locally, not to a relay host, even if the recipient address is a valid, routable email address. But I didn't find out how to configure such a rule.

BTW., aliases for root/postmaster/MAILER-DAEMON are set up,

Any hint is welcome.

Thanks in advance,
N.

P.S.: Just for being complete: I've set up sender dependent relaying. Email with a from address "@lewonze.de" is sent via variomedia.de, the rest is sent via gmx.de. For straightforward cases, this works well. I don't think that this plays a role here.

In short, my settings in main.cf look like this:

# grep -v "#\|^$" main.cf
compatibility_level = 3.7
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
mail_spool_directory = /var/mail
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
relayhost = mail.gmx.de
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
defer_transports = smtp
home_mailbox = Mail/inbox
mailbox_size_limit = 16384
message_size_limit = 8192

Here is the log snippet:

Jun 23 22:50:02 schubert postfix/pickup[7287]: 60970354BC3: uid=1000 from=
Jun 23 22:50:02 schubert postfix/cleanup[7776]: 60970354BC3: message-id=
Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3: from=, size=471, nrcpt=1 (queue active)
Jun 23 22:50:02 schubert postfix/error[7782]: 60970354BC3: to=, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.3.2, status=deferred (deferred transport)
Jun 23 22:50:11 schubert postfix/qmgr[26673]: 60970354BC3: from=, size=471, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/smtp[7836]: 60970354BC3: to=, relay=smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::]:25, delay=9.8, delays=9.1/0.04/0.64/0.08, dsn=5.0.0, status=bounced (host smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::] said: 550 Unrouteable address (in reply to RCPT TO command))
Jun 23 22:50:12 schubert postfix/cleanup[7776]: 3DBEA354BC8: message-id=<20240623205012.3DBEA354BC8@schubert.localdomain>
Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender non-delivery notification: 3DBEA354BC8
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 60970354BC3: removed
Jun 23 22:50:12 schubert postfix/error[7782]: 3DBEA354BC8: to=, relay=none, delay=0, delays=0/0/0/0, dsn=4.3.2, status=deferred (deferred transport)
Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533, nrcpt=1 (queue active)
Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8: to=, relay=mail.gmx.de[212.227.17.168]:25, delay=16, delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host mail.gmx.de[212.227.17.168] said: 550-Requested action not taken: mailbox unavailable 550 Sender address is not allowed. (in reply to MAIL FROM command))
Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: removed
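The sequence in this log (message bounces, a null-sender notification is queued, the notification itself bounces and is removed) can be found mechanically. The script below is an added example, not part of the original thread or of Postfix; the sample log is constructed from the lines above with placeholder addresses, plus one constructed control case whose notification is delivered.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the log in the post, placeholder addresses
# (the archive stripped the real ones), plus a control case that must not be flagged.
SAMPLE_LOG = """\
Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3: from=<sender@example.org>, size=471, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/smtp[7836]: 60970354BC3: to=<typo@example.invalid>, relay=smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::]:25, delay=9.8, delays=9.1/0.04/0.64/0.08, dsn=5.0.0, status=bounced (host smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::] said: 550 Unrouteable address (in reply to RCPT TO command))
Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender non-delivery notification: 3DBEA354BC8
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 60970354BC3: removed
Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8: to=<sender@example.org>, relay=mail.gmx.de[212.227.17.168]:25, delay=16, delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host mail.gmx.de[212.227.17.168] said: 550-Requested action not taken: mailbox unavailable 550 Sender address is not allowed. (in reply to MAIL FROM command))
Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: removed
Jun 23 23:01:00 schubert postfix/qmgr[26673]: A1B2C3D4E5F: from=<sender@example.org>, size=480, nrcpt=1 (queue active)
Jun 23 23:01:05 schubert postfix/smtp[7901]: A1B2C3D4E5F: to=<gone@example.net>, relay=mail.gmx.de[212.227.17.168]:25, delay=5, delays=4/0/0.5/0.5, dsn=5.1.1, status=bounced (host mail.gmx.de[212.227.17.168] said: 550 mailbox unavailable (in reply to RCPT TO command))
Jun 23 23:01:05 schubert postfix/bounce[7902]: A1B2C3D4E5F: sender non-delivery notification: F6E5D4C3B2A
Jun 23 23:01:05 schubert postfix/qmgr[26673]: F6E5D4C3B2A: from=<>, size=2500, nrcpt=1 (queue active)
Jun 23 23:01:06 schubert postfix/local[7903]: F6E5D4C3B2A: to=<sender@example.org>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
"""

QID = r"[0-9A-Za-z]{6,}"
# "postfix/qmgr[123]: QUEUEID: rest"; also accepts multi-instance names (postfix-foo/qmgr).
LINE_RE = re.compile(r"postfix(?:-[\w-]+)?/\w+\[\d+\]: (" + QID + r"): (.*)$")
FROM_RE = re.compile(r"^from=<([^>]*)>")
DSN_LINK_RE = re.compile(r"^sender non-delivery notification: (" + QID + r")$")
DELIVERY_RE = re.compile(r"^to=<([^>]*)>,.*?relay=([^,]+),.*?status=(\w+) \((.*)\)$")


def parse(log_text):
    """Collect envelope senders, bounce->notification links and delivery results."""
    sender = {}                      # qid -> envelope sender ("" means the null sender <>)
    parent = {}                      # notification qid -> qid of the message that bounced
    deliveries = defaultdict(list)   # qid -> [(recipient, relay, status, reason)]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if (f := FROM_RE.match(rest)):
            sender[qid] = f.group(1)
        elif (d := DSN_LINK_RE.match(rest)):
            parent[d.group(1)] = qid
        elif (t := DELIVERY_RE.match(rest)):
            deliveries[qid].append(t.groups())
    return sender, parent, deliveries


def lost_notifications(log_text):
    """Null-sender notifications that themselves bounced: no further bounce follows,
    so the original sender never learns about the failure."""
    sender, parent, deliveries = parse(log_text)
    findings = []
    for note_qid, orig_qid in parent.items():
        if sender.get(note_qid) != "":
            continue
        for rcpt, relay, status, reason in deliveries[note_qid]:
            if status == "bounced":
                findings.append({"original": orig_qid, "notification": note_qid,
                                 "recipient": rcpt, "relay": relay, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in lost_notifications(SAMPLE_LOG):
        print("%(original)s -> %(notification)s lost at %(relay)s: %(reason)s" % f)
```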
[pfx] Re: strict access restrictions and bounces
On Wed, Mar 27, 2024 at 11:57:22AM +0100, Daniel Marquez-Klaka via Postfix-users wrote:

> Why my setup looks like this? mail-server1 serves a couple of other mail
> domains, not only the one destined for the mailing lists. An access list
> here would affect all domains, right?

Only if the access rules in question apply to those domains. You should be able to use "smtpd_restriction_classes" to apply some rules to just the domain in question.

    smtpd_restriction_classes = list_server_access
    smtpd_recipient_restrictions =
        check_recipient_access inline:{
            { list.example.org = list_server_access } }
        ...
    list_server_access =
        check_sender_access inline:{
            { a.example = permit_auth_destination },
            { b.example = permit_auth_destination },
            { c.example = permit_auth_destination } }

-- 
    Viktor.
[pfx] Re: strict access restrictions and bounces
On 27.03.2024 at 11:57:22 Daniel Marquez-Klaka via Postfix-users wrote:

> True as well that mailman can restrict senders to list members only
> but I have a couple of open lists that should be addressable by all
> participating domains/companies, no one else.

If you have a list of domains from which mail should be accepted, you can configure that in mailman too.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: strict access restrictions and bounces
Hiya,

thanks for your replies.

My solution was as easy as adding the line "/^([<]+[>])$/ OK" to my access map. Changing smtpd_null_access_lookup_key didn't seem to have any effect.

Why my setup looks like this? mail-server1 serves a couple of other mail domains, not only the one destined for the mailing lists. An access list here would affect all domains, right? Also, by moving the access part to the satellite server, it keeps the config on mail-server1 straight.

True as well that mailman can restrict senders to list members only but I have a couple of open lists that should be addressable by all participating domains/companies, no one else.

Cheers,
Daniel

-- 
Anything that is unrelated to elephants is irrelephant.

On 25.3.2024 18:05, Jaroslaw Rafa via Postfix-users wrote:
> On 25.03.2024 at 16:11:47 Daniel Marquez-Klaka via Postfix-users wrote:
>> 2 postfix mail server, one, mail-server1, is connected to the internet, the second, calling it list-server1, which serves a few mailing lists, is only reachable thru mail-server1.
>>
>> On mail-server1 a transport map entry sends everything for @list-dom.de to list-server1, list-server1 does his work and sends all back to mail-server1 which then delivers to the final destination.
>>
>> On list-server1, to prevent the whole world sending mails, I have installed a check_sender_access map to accept a few allowed domains, reject everything else.
>
> I don't understand what is actually your scenario and what exactly are you trying to prevent.
>
> From what you write, I assume that only mail-server1 is open to receive mail from the Internet, and it forwards only messages that should reach list-server1 to that server. I assume list-server1 does not accept mails directly from the Internet, so there is no possibility of "whole world sending mails" to it. (If it isn't the case, then just block list-server1 from receiving mails from anywhere except mail-server1 using check_client_access).
>
> Maybe you want the people who are not subscribed to the mailing lists on list-server1 to not be able to send mail to those lists? But you can do this directly on mailing list level, every mailing list software has controls that allow to specify who is able to send to the list (usually the choice is everyone/subscribers only/moderators only, sometimes additionally you can block or allow particular senders).
>
> So please describe more clearly, what do you actually want to do.
[pfx] Re: strict access restrictions and bounces
On 25.03.2024 at 16:11:47 Daniel Marquez-Klaka via Postfix-users wrote:

> 2 postfix mail server, one, mail-server1, is connected to the internet, the second, calling it list-server1, which serves a few mailing lists, is only reachable thru mail-server1.
>
> On mail-server1 a transport map entry sends everything for @list-dom.de to list-server1, list-server1 does his work and sends all back to mail-server1 which then delivers to the final destination.
>
> On list-server1, to prevent the whole world sending mails, I have installed a check_sender_access map to accept a few allowed domains, reject everything else.

I don't understand what is actually your scenario and what exactly are you trying to prevent.

From what you write, I assume that only mail-server1 is open to receive mail from the Internet, and it forwards only messages that should reach list-server1 to that server. I assume list-server1 does not accept mails directly from the Internet, so there is no possibility of "whole world sending mails" to it. (If it isn't the case, then just block list-server1 from receiving mails from anywhere except mail-server1 using check_client_access).

Maybe you want the people who are not subscribed to the mailing lists on list-server1 to not be able to send mail to those lists? But you can do this directly on mailing list level, every mailing list software has controls that allow to specify who is able to send to the list (usually the choice is everyone/subscribers only/moderators only, sometimes additionally you can block or allow particular senders).

So please describe more clearly, what do you actually want to do.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: strict access restrictions and bounces
On Mon, Mar 25, 2024 at 04:11:47PM +0100, Daniel Marquez-Klaka via Postfix-users wrote:

> I have a problem with check_sender_access that I can't find a solution to.
>
> 2 postfix mail server, one, mail-server1, is connected to the
> internet, the second, calling it list-server1, which serves a few
> mailing lists, is only reachable thru mail-server1.
>
> On mail-server1 a transport map entry sends everything for
> @list-dom.de to list-server1, list-server1 does his work and sends all
> back to mail-server1 which then delivers to the final destination.
>
> On list-server1, to prevent the whole world sending mails, I have
> installed a check_sender_access map to accept a few allowed domains,
> reject everything else.

The problem is self-inflicted, the access checks are in the wrong place. The access(5) checks need to be implemented *at* the edge relay (server1), not the downstream list server.

> ... bounces, as they are sent with empty FROM (<>), as I understand to
> prevent loops, get rejected too. This is a problem because nobody will
> ever notice if there are dead emails in a list. Also, automatic bounce
> handling (I am using mailman3 on list-server1)
> will never do anything.

The vast majority of bounces will happen at the outbound edge relay, when remote systems reject the outgoing mail. These will not run into any access check issues, once they're implemented in the right place.

Some bounces will be remote, you can use a milter to process remote bounces, parsing the bounce multipart/report.

Bottom line, all filters belong on the relay, not the internal server.

-- 
    Viktor.
[pfx] Re: strict access restrictions and bounces
On 25.03.24 16:11, Daniel Marquez-Klaka via Postfix-users wrote:
> I have a problem with check_sender_access that I can't find a solution to.
> My setup actually works very well with the exception of bounce handling. More on that later, first to describe my setup:
>
> 2 postfix mail server, one, mail-server1, is connected to the internet, the second, calling it list-server1, which serves a few mailing lists, is only reachable thru mail-server1.
>
> On mail-server1 a transport map entry sends everything for @list-dom.de to list-server1, list-server1 does his work and sends all back to mail-server1 which then delivers to the final destination.
>
> On list-server1, to prevent the whole world sending mails, I have installed a check_sender_access map to accept a few allowed domains, reject everything else.
>
> 8<
> smtpd_sender_restrictions =
>     check_sender_access regexp:/etc/postfix/config/access_sender,
>     reject
> 8<
>
> access_sender file:
> 8<
> /^([a-z0-9_=\.-]+)@dom1.de/ OK
> /^([a-z0-9_=\.-]+)@dom2.de/ OK
> /^([a-z0-9_=\.-]+)@dom3.de/ OK

are you trying to limit allowed characters for local part of address in those domains?

I'd recommend simple hash map, containing "dom1.de", "dom2.de", "dom3.de" - you need not (probably should not) to use regular expressions for everything

> 8<
>
> All fine so far, but...
>
> ... bounces, as they are sent with empty FROM (<>), as I understand to prevent loops, get rejected too. This is a problem because nobody will ever notice if there are dead emails in a list. Also, automatic bounce handling (I am using mailman3 on list-server1) will never do anything.
>
> 8<
> : host 10.245.16.24[10.245.16.24] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to MAIL FROM command)
> 8<

add "<>" or whatever you have defined as smtpd_null_access_lookup_key as another allowed sender.

http://www.postfix.org/postconf.5.html#smtpd_null_access_lookup_key

> with 10.245.16.24 being list-server1
>
> After all googling and manual reading I have done, I can't find a solution and hope someone can point me into the right direction.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux IS user friendly, it's just selective who its friends are...
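The access_sender patterns quoted in this thread have no end anchor and leave the dot before "de" unescaped, so they accept more senders than the three intended domains. The check below is an added example, not code from the thread or from Postfix: it replays the posted patterns, the null-sender line from the follow-up, and a hypothetical tightened variant against constructed sender addresses, assuming Python's re module as a stand-in for Postfix regexp tables (first match wins, case-insensitive, unanchored search).

```python
import re

# Patterns as quoted in the thread.
AS_POSTED = [
    (r"^([a-z0-9_=\.-]+)@dom1.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom2.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom3.de", "OK"),
]
# The null-sender line reported as the fix in the follow-up message.
WITH_NULL_SENDER = AS_POSTED + [(r"^([<]+[>])$", "OK")]

# Hypothetical tightened variant (not from the thread): literal dots, end anchor.
TIGHTENED = [
    (r"^[a-z0-9_=.-]+@dom1\.de$", "OK"),
    (r"^[a-z0-9_=.-]+@dom2\.de$", "OK"),
    (r"^[a-z0-9_=.-]+@dom3\.de$", "OK"),
    (r"^<>$", "OK"),
]

# Constructed envelope senders; "" stands for the null sender of a bounce.
SENDERS = [
    "alice@dom1.de",
    "Bob@DOM3.DE",
    "",
    "alice@dom1.de.example.net",   # intended domain used only as a prefix
    "alice@dom2xde.example",       # unescaped "." matches any character
    "mallory@other.example",
]


def regexp_lookup(table, key):
    """First matching pattern wins, as in a Postfix regexp: table."""
    for pattern, result in table:
        if re.search(pattern, key, re.IGNORECASE):
            return result
    return None


def decide(table, sender):
    """Model of 'check_sender_access regexp:..., reject' from the post.
    The null sender is looked up under the key "<>", the default value
    of smtpd_null_access_lookup_key."""
    key = sender if sender else "<>"
    return "accept" if regexp_lookup(table, key) == "OK" else "reject"


def audit(table):
    return {s: decide(table, s) for s in SENDERS}


def over_permissive():
    """Senders the posted table (with the null-sender line) accepts
    but the tightened table rejects."""
    loose, tight = audit(WITH_NULL_SENDER), audit(TIGHTENED)
    return [s for s in SENDERS if loose[s] == "accept" and tight[s] == "reject"]


if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED),
                        ("with null sender", WITH_NULL_SENDER),
                        ("tightened", TIGHTENED)):
        print(name, audit(table))
    print("over-permissive:", over_permissive())
```

A hash: map keyed on the bare domain names plus "<>", as suggested in the reply above, avoids the anchoring question altogether.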
[pfx] strict access restrictions and bounces
Hello List,

I have a problem with check_sender_access that I can't find a solution to.
My setup actually works very well with the exception of bounce handling. More on that later, first to describe my setup:

2 postfix mail server, one, mail-server1, is connected to the internet, the second, calling it list-server1, which serves a few mailing lists, is only reachable thru mail-server1.

On mail-server1 a transport map entry sends everything for @list-dom.de to list-server1, list-server1 does his work and sends all back to mail-server1 which then delivers to the final destination.

On list-server1, to prevent the whole world sending mails, I have installed a check_sender_access map to accept a few allowed domains, reject everything else.

8<
smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/config/access_sender,
    reject
8<

access_sender file:
8<
/^([a-z0-9_=\.-]+)@dom1.de/ OK
/^([a-z0-9_=\.-]+)@dom2.de/ OK
/^([a-z0-9_=\.-]+)@dom3.de/ OK
8<

All fine so far, but...

... bounces, as they are sent with empty FROM (<>), as I understand to prevent loops, get rejected too. This is a problem because nobody will ever notice if there are dead emails in a list. Also, automatic bounce handling (I am using mailman3 on list-server1) will never do anything.

8<
: host 10.245.16.24[10.245.16.24] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to MAIL FROM command)
8<

with 10.245.16.24 being list-server1

After all googling and manual reading I have done, I can't find a solution and hope someone can point me into the right direction.

Thanks in advance,
Daniel

-- 
Anything that is unrelated to elephants is irrelephant.
[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting
On 2024-02-27 at 16:39:54 UTC-0500 (Tue, 27 Feb 2024 13:39:54 -0800 (PST)) lists--- via Postfix-users is rumored to have said:

> I have a sender_checks file but I don't see that on the postfix.org website. Is that a deprecated parameter?

The names of Postfix map files are up to you. Their usage is determined by the specific restriction directive referencing them. So you could have 'check_sender_access hash:/etc/postfix/any_name_you_like' and Postfix will use that file, as long as you populate it with access entries and 'postmap' it to create the .db file.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting
Wietse:
> Your mistake: you are trying to match a SENDER ADDRESS with
> check_CLIENT_access.

lists--- via Postfix-users:
> Well do I put the domain in sender_access or sender_checks?

What do you want to not block: the sender email domain? Then use check_sender_access (note that is check_sender_access not check_sender) and follow instructions in https://www.postfix.org/access.5.html

Specifically the section "EMAIL ADDRESS PATTERNS".

	Wietse
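Why the "idontspam.com OK" entry from the original post never matches under check_client_access but would under check_sender_access, as an added example that is not part of the thread or of Postfix. It is a simplified model of the access(5) lookup keys for an indexed (hash:) table, assuming the default parent_domain_matches_subdomains setting; the sender address is constructed because the archive stripped the real one, and the restrictions before check_client_access and the rbl_override table (contents not shown in the post) are left out.

```python
def parent_domains(name):
    """name and each parent: a.b.c -> ['a.b.c', 'b.c', 'c']."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def client_keys(hostname, ip):
    """Keys tried for check_client_access: client host name, its parent
    domains, the client address, then the address with octets stripped."""
    octets = ip.split(".")
    networks = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return parent_domains(hostname) + networks


def sender_keys(address):
    """Keys tried for check_sender_access: user@domain, domain and its
    parent domains, then user@."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    return [address] + parent_domains(domain) + [user + "@"]


def lookup(table, keys):
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(hostname, ip, sender, client_checks, sender_checks, rbl_listed):
    """Walk the relevant restrictions from the post in order; the first
    decisive result ends the evaluation."""
    if lookup(client_checks, client_keys(hostname, ip)) == "OK":
        return "permit (check_client_access client_checks)"
    if lookup(sender_checks, sender_keys(sender)) == "OK":
        return "permit (check_sender_access sender_checks)"
    if ip in rbl_listed:
        return "reject (reject_rbl_client bl.spamcop.net)"
    return "continue with next restriction"


# Client name and address as logged in the original post.
HOST = "mail-dm6nam10on2125.outbound.protection.outlook.com"
IP = "40.107.93.125"
SENDER = "someone@idontspam.com"   # constructed envelope sender
RBL_LISTED = {IP}                  # the log shows this address blocked by the RBL


def as_posted():
    # Domain placed in client_checks; sender_checks assumed empty.
    return evaluate(HOST, IP, SENDER, {"idontspam.com": "OK"}, {}, RBL_LISTED)


def domain_in_sender_checks():
    return evaluate(HOST, IP, SENDER, {}, {"idontspam.com": "OK"}, RBL_LISTED)


if __name__ == "__main__":
    print("client keys:", client_keys(HOST, IP))
    print("sender keys:", sender_keys(SENDER))
    print("as posted:  ", as_posted())
    print("moved:      ", domain_in_sender_checks())
```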
[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting
Well do I put the domain in sender_access or sender_checks? It looks like sender_access with an OK since it acts on the FROM field.

https://www.postfix.org/postconf.5.html

I have a sender_checks file but I don't see that on the postfix.org website. Is that a deprecated parameter?

Feb 27, 2024 1:09:02 PM Wietse Venema :

> Your mistake: you are trying to match a SENDER ADDRESS with
> check_CLIENT_access.
>
> Wietse
[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting
Your mistake: you are trying to match a SENDER ADDRESS with check_CLIENT_access.

	Wietse
[pfx] rbl bounces email that has both rbl_override and client_checks whitelisting
I still have that problem with the sender that used a spammy microsoft server that gets rejected by IP for using spamcop. I put the domain in the client_checks file but the sender gets bounced.

postconf mail_version
mail_version = 3.8.1
compatibility_level = 2

The client_checks line was added.

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policy

This is the contents of client_checks:

cat client_checks
idontspam.com OK

A simple check to verify the postmap worked:

sh-4.2# ls -l client_check*
-rw-r--r-- 1 root root    19 Feb 25 03:03 client_checks
-rw-r--r-- 1 root root 12288 Feb 25 03:06 client_checks.db

**
This is an actual spammer being rejected:

Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: connect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: Anonymous TLS connection established from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: NOQUEUE: reject: RCPT from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: 554 5.7.1 Service unavailable; Client host [40.107.220.108] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.220.108; from= to= proto=ESMTP helo=
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]"
Feb 25 23:10:04 MYDOMAIN postfix/smtpd[19121]: disconnect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
**

**
This is email from the sender that appears on the client_check file

Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: connect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: Anonymous TLS connection established from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: NOQUEUE: reject: RCPT from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: 554 5.7.1 Service unavailable; Client host [40.107.93.125] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.125; from= to= proto=ESMTP helo=
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]"
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: disconnect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 27 03:57:47
Bounces from gmail
Amateur mail-admin here (I know, don't do that).

I have a redirect to gmail set up for two users, and at times this happens:

1) The relayhost ("smarthost") I use, my internet provider, will accept the mail for gmail.
2) Gmail rejects the mail as spam.
3) Relayhost bounces mail back at me.
4) My postfix tries to forward the bounce back at original sender.
5) Relayhost rejects mail.

Point 5 there I can't get my head around precisely /how/ the forwarded bounce is rejected, suffice to say it is rejected before the relayhost queues it, thanks for that at least.

Anybody have any pointers for how I could pre-emptively grab those bounces and set them aside? At present I just manually put them on hold, check the contents manually and then when I find they really are spam I delete them, possibly mailing the user a heads up to check his account on my host to make sure he's not missing anything important.

Now I'd really like to collect those bounces (in case they are not spam) and compile an archive, or at least a report, for the gmail recipients.

Log excerpt from the bounce, altibox.no is my provider:

Jan 27 18:17:11 garbo postfix-incoming/smtpd[17720]: connect from altibox-smtp3.altibox.no[212.97.141.37]:51913
Jan 27 18:17:11 garbo postsrsd[17722]: srs_reverse: rewritten as
Jan 27 18:17:11 garbo postfix-incoming/smtpd[17720]: 8BBAED26F60: client=altibox-smtp3.altibox.no[212.97.141.37]:51913
Jan 27 18:17:11 garbo postfix-incoming/cleanup[17723]: 8BBAED26F60: message-id=<20230127171711.686ed128...@altibox-smtp3.altibox.no>
Jan 27 18:17:13 garbo rspamd[2641]: ; proxy; rspamd_task_write_log: id: <20230127171711.686ed128...@altibox-smtp3.altibox.no>, qid: <8BBAED26F60>, ip: 212.97.141.37, (default: F (no action): [0.61/400.00] [BAYES_HAM(-4.99){99.99%;},RSPAMD_URIBL(4.50){dhl-ma.com:url;},R_MIXED_CHARSET(1.11){subject;},BOUNCE(-0.10){DSN;},DMARC_POLICY_SOFTFAIL(0.10){altibox.no : No valid SPF, No valid DKIM;none;},MIME_GOOD(-0.10){text/plain;},RCVD_NO_TLS_LAST(0.10){},ARC_NA(0.00){},ASN(0.00){asn:48854, ipnet:212.97.140.0/22, country:DK;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;1:+;2:~;3:~;4:~;},NEURAL_HAM(-0.00){-0.852;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no SPF record;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 22473, time: 1395.675ms, dns req: 64, digest: <52a0923f840b246f04b1c4842e916f00>, rcpts: , mime_rcpts:
Jan 27 18:17:13 garbo rspamd[2641]: ; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 5 regexps matched, 172 regexps total, 66 regexps cached, 0B scanned using pcre, 24.40KiB scanned total
Jan 27 18:17:13 garbo postfix-incoming/qmgr[22826]: 8BBAED26F60: from=<>, size=22762, nrcpt=1 (queue active)
Jan 27 18:17:13 garbo postfix-incoming/smtpd[17720]: disconnect from altibox-smtp3.altibox.no[212.97.141.37]:51913 ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: connect from localhost[127.0.0.1]:50734
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]:50734: 450 4.1.1 : Recipient address rejected: User unknown in local recipient table; from=<> to= proto=ESMTP helo=
Jan 27 18:17:13 garbo postfix-incoming/smtp[17724]: 8BBAED26F60: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=1.5, delays=1.5/0.01/0.01/0.02, dsn=4.1.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.1.1 : Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
Jan 27 18:17:13 garbo postfix-local-deliver/cleanup[17728]: 137C1C20FD5D: message-id=<20230127171713.137c1c20f...@postfix-local-deliver.alstadheim.priv.no>
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: disconnect from localhost[127.0.0.1]:50734 ehlo=1 xforward=2 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
Jan 27 18:17:13 garbo postfix-local-deliver/qmgr[4342]: 137C1C20FD5D: from=, size=1553, nrcpt=1 (queue active)
Jan 27 18:17:13 garbo dovecot: lda(hakon)<17731>: sieve: msgid=<20230127171713.137c1c20f...@postfix-local-deliver.alstadheim.priv.no>: stored mail into mailbox 'INBOX'
Jan 27 18:17:13 garbo postfix-local-deliver/local[17729]: 137C1C20FD5D: to=, orig_to=, relay=local, delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT")
Jan 27 18:17:13 garbo postfix-local-deliver/qmgr[4342]: 137C1C20FD5D: removed
Re: How to allow bounces to authenticaded users
Håkon Alstadheim:
> I have a rather convoluted multi-instance setup that mostly works to my
> liking, with spam-filters, hand-off to mailman, dkim-signing and
> whatnot. One problem is that mis-typed outgoing addresses (host part)
> from my local, authenticated users end up deferred (450) and not bounced
> back to the sender. I am a bit wary of enabling bounces, but if I can
> make sure that I don't bounce incoming mail, I should be OK.

You are not supposed to accept and deliver mail for a remote recipient domain (whether it exists or not) from unauthenticated clients or untrusted clients. That would be an exploitable open relay.

As long as that condition is met, only authenticated or trusted clients can specify a non-existent recipient domain.

> Long story short, If in a specific postfix instance I am SURE I'm only
> handling mail submitted by authenticated users, I should be OK to change
> unknown_address_reject_code to 550 ?

I think so. This controls the handling of a non-existent domain with reject_unknown_recipient_domain and reject_unknown_sender_domain.

	Wietse

> I don't want to do the change in submit (before queue) because I have a
> dance with DKIM signing before handing off to address-mapping and
> further to relay/local delivery/mailman,
Re: How to allow bounces to authenticaded users
Sorry folks, I'm not entirely there today. Receiving MX may of course be temporarily gone from DNS, so 450 it is.

Please allow this thread to disappear into oblivion. :-)

On 21 Oct 2018 15:47, Håkon Alstadheim wrote:
> I have a rather convoluted multi-instance setup that mostly works to my
> liking, with spam-filters, hand-off to mailman, dkim-signing and
> whatnot. One problem is that mis-typed outgoing addresses (host part)
> from my local, authenticated users end up deferred (450) and not bounced
> back to the sender. I am a bit wary of enabling bounces, but if I can
> make sure that I don't bounce incoming mail, I should be OK.
>
> Long story short, If in a specific postfix instance I am SURE I'm only
> handling mail submitted by authenticated users, I should be OK to change
> unknown_address_reject_code to 550 ?
>
> I don't want to do the change in submit (before queue) because I have a
> dance with DKIM signing before handing off to address-mapping and
> further to relay/local delivery/mailman,
How to allow bounces to authenticaded users
I have a rather convoluted multi-instance setup that mostly works to my liking, with spam-filters, hand-off to mailman, dkim-signing and whatnot. One problem is that mis-typed outgoing addresses (host part) from my local, authenticated users end up deferred (450) and not bounced back to the sender. I am a bit wary of enabling bounces, but if I can make sure that I don't bounce incoming mail, I should be OK. Long story short, If in a specific postfix instance I am SURE I'm only handling mail submitted by authenticated users, I should be OK to change unknown_address_reject_code to 550 ? I don't want to do the change in submit (before queue) because I have a dance with DKIM signing before handing off to address-mapping and further to relay/local delivery/mailman,
Re: Reject bounces
George:
> Hi,
>
> I have a mail server running postfix that sends a lot of emails and gets
> back a lot of bounces. These bounces are filling up my server and causing
> additional load.
>
> Is there any way on a postfix level to reject/not accept any type of bounce
> that gets sent to the mail server?

Fix the real problem: you are using stale recipient lists. Fix that problem, and you might find that more of your email is accepted.

Wietse
Re: Reject bounces
On 15.09.2017 17:00, "George" wrote:
> I have a mail server running postfix that sends a lot of emails and
> gets back a lot of bounces. These bounces are filling up my server and
> causing additional load.
>
> Is there any way on a postfix level to reject/not accept any type of
> bounce that gets sent to the mail server?

Seriously? Is this not answered in the Spam Senders Anonymous new member information package? ;-)

-Ralph
Re: Reject bounces
George wrote on 2017-09-15 17:00:
> I have a mail server running postfix that sends a lot of emails and gets
> back a lot of bounces. These bounces are filling up my server and causing
> additional load.

if i know my book right, you send mail to a host that accept and bounce where they should have rejected ?

in that case you should use dns rpz zone with a list of hosts that makes backscattering with accept and bounce

in postfix you can make a recipient access with hosts to make local reject mail to hosts like this, sadly this is maintain works :(

> Is there any way on a postfix level to reject/not accept any type of bounce
> that gets sent to the mail server?

if i am right above you should do nothing, if unsure show logs from you that shows exact problem

do not make -v on smtpd to be helpful, raw plain logs not debug logs

hopefully others can then help more than me
Reject bounces
Hi,

I have a mail server running postfix that sends a lot of emails and gets back a lot of bounces. These bounces are filling up my server and causing additional load.

Is there any way on a postfix level to reject/not accept any type of bounce that gets sent to the mail server?

Please let me know.
Re: Getting bounces from only one server
Hello,

On Server2, configure bounce_notice_recipient to an e-mail address that is located on server1. By default it's using Postmaster. Otherwise, on Server2, forward mail from the Postmaster account to server2.

Marco Pizzoli wrote:
> Dear all,
> I need to find a workaround an issue I am facing due to the limitation of an external product I am using to send/receive emails.
>
> Long story short:
> - 2 postfix servers acting both as sending as receiving servers from/to the Internet.
> - 1 application server sending to the Internet via both of them
> - the application server is capable of getting bounce information polling via POP3 ONLY one location
>
> So my need is to get the bounces only via server1. Is there a way to accomplish this? Somewhat like a DSN relay?
Getting bounces from only one server
Dear all, I need to find a workaround an issue I am facing due to the limitation of an external product I am using to send/receive emails. Long story short: - 2 postfix servers acting both as sending as receiving servers from/to the Internet. - 1 application server sending to the Internet via both of them - the application server is capable of getting bounce information polling via POP3 ONLY one location So my need is to get the bounces only via server1. Is there a way to accomplish this? Somewhat like a DSN relay? I am open for suggestions... I am already thinking about migrating the POP3 server to Dovecot and making use of its "sync" capabilities, but again I would appreciate hearing other ideas... Thank you in advance Marco
Re: Is not honoring bounces-to violation of RFC?
On 29 Jun 2016, at 11:45, Chip wrote:
> I will read up on it. Thank you for the link.
>
> Not everyone, I think, who visits this list is an engineer.

True, unless you accept Michael Wise's generous functional definition. I'm on the fence there, as I've held job titles calling me an engineer but my only formal engineering training was secondary to theatrical set design and construction, i.e. to make sure actors didn't die in collapses of not quite enough steel and/or wood. All of my education in "software engineering" and "systems engineering" (skills I supposedly have if you believe job titles) is from a handful of low-numbered college classes 25+ years ago and on-the-job/self training.

But Michael is entirely correct in that nearly everyone subscribed to this list is a de facto mail system "engineer" in that we work with the complexities of configuring and operating mail systems. So even though I don't build bridges, haven't built a stage set in decades, and don't write much code these days, I DO "drive the trains" of multiple email systems, some of which use Postfix. So I'm an engineer, I guess. And so are you, since you seem to have run both Postfix and Exim systems at least at the "train driver" level (and frankly, railroad engineers ARE engineers to at least the same degree as sysadmins, but most of us just don't have any idea how complex trains can be...)

> So it would have been easier to understand if the response had been along the lines of: "envelope-from" instead of just FROM since there are a number of Froms in the source code. Someone wrote:
>
> "Return-path is a header added by the receiving MTA (usually on final delivery) that contains the envelope sender (MAIL FROM) used by the sending system.

Which is accurate, if a bit ecumenical in its nomenclature...

It would definitely be helpful if everyone trying to manage mail systems read RFC5598 (https://tools.ietf.org/html/rfc5598) carefully enough and often enough to adopt its formal terminology.
Dave Crocker's purpose in writing that RFC was to establish precise standard jargon and a baseline understanding of how email actually works (and is intended to work) for people who should have such an understanding. If you're running a mail server, whether you accept the label "engineer" or not, you should definitely read it.
Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?
> On 6/29/16 3:13 PM, Michael J Wise wrote: > >>> On 6/29/16 2:30 PM, Michael J Wise wrote: >>> > I will read up on it. Thank you for the link. > > Not everyone, I think, who visits this list is an engineer. In that you are mistaken. Almost everyone who subscribes to this mailing-list is an engineer. Please re-read that line. This mailing list is for people who need to configure or make changes to the configuration of a Mail Transfer Agent called Postfix. Some people here actually suggest software changes, since the author of the system is present on the list. Pretty much everyone here is an engineer. >>> I could be wrong, but I expect that many of the folks here are NOT >>> engineers. >> I guess it depends on one's definition of, "Engineer". >> It can cover a lot of ground. > Well... for purposes of discussion, let's restrict "Engineer" to mean > someone who: All of the following, or just a few? Many *VERY* large corporations don't require some or all of these to put, "Engineer" on your business card. This is not the case all over the planet, but in many places, like the USA, it most certainly is. One has to have a global perspective on such issues. > - has a degree in an engineering or engineering related technical field > - has, at one time or another, held a position that included the word > "Engineer" in his/her title > - actually done some engineering along the way (be it R or development) > - with some allowance for special cases who don't meet all of the above > (example: Ray Kurzweil has an MIT degree, in MUSIC - I'd certainly > consider him an engineer, and then some) > - on the other hand, I wouldn't consider someone with a business degree, > even with an MIS concentration, to be an Engineer - even though that's a > fairly common background for CIOs and MIS Directors (and maybe sys > admins?), you wouldn't hire them to design system software or network gear It's a lot looser a definition in many places. 
For the purposes of this list and similar, I'd define "Engineer" to also include someone reasonably competent enough to make changes to the Postfix config files and not break stuff irreparably. It would for all intents and purposes be equivalent to SysAdmin. Or BOFH. Someone who, for example, can telnet to port 25 and get the mail delivered. > - let's NOT include train drivers :-) Let's not. But this is grossly off-topic for the list, so I won't have anything further to say on the issue. Feel free to declare victory and move on. Aloha mai Nai`a. -- " So this is how Liberty dies ... http://kapu.net/~mjwise/ " To Thunderous Applause.
Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?
> On Jun 29, 2016, at 1:06 PM, Miles Fidelman> wrote: > > AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people here > have? Is managing a postfix installation part of your official duties, or > something that you've fallen into? CS degree from before the 'Net, missed the 'Net programming on toy OS's (CP/M, MSDOS, etc.), and decided to learn IP networking when I retired. Rented a domain and a T1, bought a couple servers, a router, and several pounds of O'Reilly books (and one on Postfix), installed Linux, and started typing. Downhill ever since :-) Managing Postfix is more a recreational duty that I fell into by choice. Postfix is a delightful piece of software. -- Glenn English
Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?
On 6/29/16 3:13 PM, Michael J Wise wrote: On 6/29/16 2:30 PM, Michael J Wise wrote: I will read up on it. Thank you for the link. Not everyone, I think, who visits this list is an engineer. In that you are mistaken. Almost everyone who subscribes to this mailing-list is an engineer. Please re-read that line. This mailing list is for people who need to configure or make changes to the configuration of a Mail Transfer Agent called Postfix. Some people here actually suggest software changes, since the author of the system is present on the list. Pretty much everyone here is an engineer. I could be wrong, but I expect that many of the folks here are NOT engineers. I guess it depends on one's definition of, "Engineer". It can cover a lot of ground. Well... for purposes of discussion, let's restrict "Engineer" to mean someone who: - has a degree in an engineering or engineering related technical field - has, at one time or another, held a position that included the word "Engineer" in his/her title - actually done some engineering along the way (be it R or development) - with some allowance for special cases who don't meet all of the above (example: Ray Kurzweil has an MIT degree, in MUSIC - I'd certainly consider him an engineer, and then some) - on the other hand, I wouldn't consider someone with a business degree, even with an MIS concentration, to be an Engineer - even though that's a fairly common background for CIOs and MIS Directors (and maybe sys admins?), you wouldn't hire them to design system software or network gear - let's NOT include train drivers :-) Cheers, Miles -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?
> On 6/29/16 2:30 PM, Michael J Wise wrote: > >>> I will read up on it. Thank you for the link. >>> >>> Not everyone, I think, who visits this list is an engineer. >> In that you are mistaken. >> >> Almost everyone who subscribes to this mailing-list is an engineer. >> Please re-read that line. >> >> This mailing list is for people who need to configure or make changes to >> the configuration of a Mail Transfer Agent called Postfix. >> Some people here actually suggest software changes, since the author of >> the system is present on the list. >> >> Pretty much everyone here is an engineer. > > I could be wrong, but I expect that many of the folks here are NOT > engineers. I guess it depends on one's definition of, "Engineer". It can cover a lot of ground. > Having said that, it seems not unreasonable for folks on this list to > have a working familiarity with the standards and software associated > with email processing. Managing a postfix installation (or any MTA) is > not a job for amateurs. (IMHO) In that I would completely agree, even though with respect to my use of Postfix, it probably would qualify as, "Amateur" since I don't use it for profit. But with respect to the handling of mail for ... Others ... in that, it is my profession. And I'm particularly interested in problems that other mail servers may experience with relation to certain other mail server software. > AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people > here have? Is managing a postfix installation part of your official > duties, or something that you've fallen into? It used to be what I did up until 8+ years ago. Nowadays I fight spam for a certain large corporation, and keep my hand in here as one of many early warning signs of trouble. Aloha mai Nai`a. -- " So this is how Liberty dies ... http://kapu.net/~mjwise/ " To Thunderous Applause.
(Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?
On 6/29/16 2:30 PM, Michael J Wise wrote:
>> I will read up on it. Thank you for the link.
>>
>> Not everyone, I think, who visits this list is an engineer.
> In that you are mistaken.
>
> Almost everyone who subscribes to this mailing-list is an engineer.
> Please re-read that line.
>
> This mailing list is for people who need to configure or make changes to
> the configuration of a Mail Transfer Agent called Postfix.
> Some people here actually suggest software changes, since the author of
> the system is present on the list.
>
> Pretty much everyone here is an engineer.

I could be wrong, but I expect that many of the folks here are NOT engineers.

I happen to have an engineering background, and spend a good part of my time doing engineering work of various sorts - but that's completely incidental to running our mail system. As a one-man shop, I ALSO play sys admin, postmaster, webmaster, listmaster, janitor, chief cook & bottle washer, ad infinitum, ad nauseam.

I expect, that many of the folks here are full-time sys admins - a role that does not necessarily involve (or require) an engineering background.

Having said that, it seems not unreasonable for folks on this list to have a working familiarity with the standards and software associated with email processing. Managing a postfix installation (or any MTA) is not a job for amateurs. (IMHO)

AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people here have? Is managing a postfix installation part of your official duties, or something that you've fallen into?

Miles Fidelman

> RFC 821 (and its successors) is documentation of the COMMANDS (verbs, if you will) used to move mail, of which one, MAIL FROM, is a way to express where an NDR should go if something goes wrong. Furthermore, at some points along the journey of a piece of mail (data, or a NOUN if you will), it will be captured and recorded in a header, most typically in the Return-Path value. But it is not guaranteed to be stored in any header at any time because it's a COMMAND to a server.
>
> RFC 822 (and its successors) is documentation of the structure of DATA (the NOUNS mentioned above) that represents an email message, which is divided up into Headers and Data. One of those headers is, "From:". And almost all of those headers are little more than comments, forgeable by anyone with the inclination to do so, and at best advisory in nature.
>
> So, to summarize:
>
> The "From:" header is a comment, and may or may not reflect reality. Typically it does, but not always.
>
> The "Return-Path" is a recognized way to capture the value of the "MAIL FROM:" command, and encode it into the headers, but it is best described as a, "Virtual Header".
>
> Some other headers inserted by arbitrary third parties are not documented in *ANY* RFC anywhere, and almost everyone completely ignores them. Such is the case with, "bounces-to". It's not a standard. Almost everything will ignore it. People who expect it to always work should be prepared for disappointment.
>
> Aloha mai Nai`a.

--
In theory, there is no difference between theory and practice.
In practice, there is.  Yogi Berra
Re: Is not honoring bounces-to violation of RFC?
> I will read up on it. Thank you for the link. > > Not everyone, I think, who visits this list is an engineer. In that you are mistaken. Almost everyone who subscribes to this mailing-list is an engineer. Please re-read that line. This mailing list is for people who need to configure or make changes to the configuration of a Mail Transfer Agent called Postfix. Some people here actually suggest software changes, since the author of the system is present on the list. Pretty much everyone here is an engineer. RFC 821 (and its successors) is documentation of the COMMANDS (verbs, if you will) used to move mail, of which one, MAIL FROM, is a way to express where an NDR should go if something goes wrong. Furthermore, at some points along the journey of a piece of mail (data, or a NOUN if you will), it will be captured and recorded in a header, most typically in the Return-Path value. But it is not guaranteed to be stored in any header at any time because it's a COMMAND to a server. RFC 822 (and its successors) is documentation of the structure of DATA (the NOUNS mentioned above) that represents an email message, which is divided up into Headers and Data. One of those headers is, "From:". And almost all of those headers are little more than comments, forgeable by anyone with the inclination to do so, and at best advisory in nature. So, to summarize: The "From:" header is a comment, and may or may not reflect reality. Typically it does, but not always. The "Return-Path" is a recognized way to capture the value of the "MAIL FROM:" command, and encode it into the headers, but it is best described as a, "Virtual Header". Some other headers inserted by arbitrary third parties are not documented in *ANY* RFC anywhere, and almost everyone completely ignores them. Such is the case with, "bounces-to". It's not a standard. Almost everything will ignore it. People who expect it to always work should be prepared for disappointment. Aloha mai Nai`a. 
-- " So this is how Liberty dies ... http://kapu.net/~mjwise/ " To Thunderous Applause.
Re: Is not honoring bounces-to violation of RFC?
I will read up on it. Thank you for the link. Not everyone, I think, who visits this list is an engineer. So it would have been easier to understand if the response had been along the lines of: "envelope-from" instead of just FROM since there are a number of Froms in the source code. Someone wrote: "Return-path is a header added by the receiving MTA (usually on final delivery) that contains the envelope sender (MAIL FROM) used by the sending system. On 06/29/2016 11:22 AM, Jan Ceuleers wrote: On 29/06/16 17:02, Chip wrote: If Return-path is added by receiving MTA, as you say, below, and that it contains the MAIL FROM, then why do I see the following in source code of received message in which return-path does not match From? Could I respectfully suggest that you read up on the difference between the envelope sender and the From header, for example here: http://blog.tidymail.co.uk/glossary/smtp-envelope/ The two are not necessarily the same, and in fact in the examples you showed they were not.
Re: Is not honoring bounces-to violation of RFC?
On 29/06/16 17:02, Chip wrote: > If Return-path is added by receiving MTA, as you say, below, and that it > contains the MAIL FROM, then why do I see the following in source code > of received message in which return-path does not match From? Could I respectfully suggest that you read up on the difference between the envelope sender and the From header, for example here: http://blog.tidymail.co.uk/glossary/smtp-envelope/ The two are not necessarily the same, and in fact in the examples you showed they were not.
Re: Is not honoring bounces-to violation of RFC?
On 29/06/2016 17:02, Chip wrote:
> If Return-path is added by receiving MTA, as you say, below, and that it contains the MAIL FROM, then why do I see the following in source code of received message in which return-path does not match From?
>
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> X-Mozilla-Keys:
> Return-path: <sears2.5...@envfrm.rsys2.com>
> From: "Sears" <se...@value.sears.com>
>
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> X-Mozilla-Keys:
> Return-Path: <bar...@restaurantloot.com>
> From: lucky <lu...@restaurantloot.com>

MAIL FROM/envelope from and header From are two different beasts.

Return-Path: is MAIL FROM/envelope from.

From: lucky <lu...@restaurantloot.com> in your example is header from, which is data and not directly related to MAIL FROM/envelope from.

> On 06/29/2016 10:50 AM, Kris Deugau wrote:
>> Chip wrote:
>>> My mistake NOT "bounces-to" rather "return-path"
>> Return-path is a header added by the receiving MTA (usually on final delivery) that contains the envelope sender (MAIL FROM) used by the sending system.
Is not honoring bounces-to violation of RFC?
If Return-path is added by receiving MTA, as you say, below, and that it contains the MAIL FROM, then why do I see the following in source code of received message in which return-path does not match From?

X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-path: <sears2.5...@envfrm.rsys2.com>
From: "Sears" <se...@value.sears.com>

X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-Path: <bar...@restaurantloot.com>
From: lucky <lu...@restaurantloot.com>

On 06/29/2016 10:50 AM, Kris Deugau wrote:
> Chip wrote:
>> My mistake NOT "bounces-to" rather "return-path"
> Return-path is a header added by the receiving MTA (usually on final delivery) that contains the envelope sender (MAIL FROM) used by the sending system.
Re: Is not honoring bounces-to violation of RFC?
Chip wrote:
> My mistake NOT "bounces-to" rather "return-path"

Return-path is a header added by the receiving MTA (usually on final delivery) that contains the envelope sender (MAIL FROM) used by the sending system.

> as in the following
> snippet of campaign emails from Home Depot, Martha Stewart and Sears:

> Return-path:<bounce-21178_html-212410161-294-1014284...@bounce.homedepotemail.com>

Notice this one contains an extended ID number? Their mail-sending infrastructure almost certainly generates this pseudoaddress on a per-mailing+recipient basis, so automated systems can quickly tell whose email is bouncing, and which email campaign it bounced on.

> Return-path:<everydayf...@mail.marthastewart.com>

This doesn't use a unique envelope sender for each recipient, so they'll have to do more complex parsing of any bounce messages to identify stale recipients.

> So is "Return-path" supposed to be respected? Because the company I was
> speaking of insists it's appropriate to send bounces to something other
> than "Return-path" usually the "From" or "Reply-to".

No; as stated upthread bounces must be sent to the envelope sender address. Any system sending bounces to any other address is misbehaving and may end up blacklisted (locally or in public datasources like DNSBLs) because of it.

All that said, if *you* are a perfectly innocent bulk-mailer who is *receiving* bounces to the wrong place, you'll probably have to suck up and deal with it to keep your service clean.

-kgd
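The per-mailing, per-recipient envelope sender described in the reply above (commonly called VERP), as an added example that is not part of any post in this thread. The bounce domain, the key, the address layout and the HMAC tag are assumptions of this sketch, not the scheme of any mailer named in the thread; the tag goes one step beyond the post so that a notification for an address that was never issued can be told apart from a real one.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Everything below is constructed for the example; none of it comes from the thread.
BOUNCE_DOMAIN = "bounce.example.com"
SECRET = b"constructed-demo-key"   # a real key would live outside the source tree
PREFIX = "bounce-"
MAX_LOCAL_PART = 64                # RFC 5321 limit on the local part, in octets


def _tag(campaign: str, recipient: str) -> str:
    """Short HMAC over campaign and recipient, so the address cannot be guessed."""
    data = f"{campaign}|{recipient.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:12]


def make_envelope_sender(campaign: str, recipient: str) -> str:
    """Return the per-recipient MAIL FROM address for one message of a campaign."""
    if not campaign.isalnum():
        raise ValueError("campaign id must be alphanumeric")
    rcpt_local, sep, rcpt_domain = recipient.rpartition("@")
    if not sep or not rcpt_local or not rcpt_domain:
        raise ValueError("recipient must be local@domain")
    # '=' stands in for '@' so the recipient fits inside a local part.
    local = f"{PREFIX}{campaign}-{_tag(campaign, recipient)}-{rcpt_local}={rcpt_domain}"
    if len(local.encode()) > MAX_LOCAL_PART:
        raise ValueError("encoded local part exceeds 64 octets")
    return f"{local}@{BOUNCE_DOMAIN}"


def parse_envelope_sender(address: str) -> Optional[Tuple[str, str, str]]:
    """Split an address built above into (campaign, tag, recipient), else None."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != BOUNCE_DOMAIN or not local.startswith(PREFIX):
        return None
    parts = local[len(PREFIX):].split("-", 2)   # the recipient may itself contain '-'
    if len(parts) != 3:
        return None
    campaign, tag, encoded = parts
    rcpt_local, sep, rcpt_domain = encoded.rpartition("=")  # domains never contain '='
    if not sep or not rcpt_local or not rcpt_domain:
        return None
    return campaign, tag, f"{rcpt_local}@{rcpt_domain}"


def handle_bounce(mail_from: str, rcpt_to: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify an incoming message using only its SMTP envelope.

    Header fields (From:, Reply-To:, a non-standard bounces-to) are deliberately
    not inputs: notifications are addressed to the envelope sender.
    """
    # A non-delivery notification carries the null sender (MAIL FROM:<>).
    if mail_from != "":
        return ("not-a-bounce", None, None)
    parsed = parse_envelope_sender(rcpt_to)
    if parsed is None:
        return ("not-verp", None, None)
    campaign, tag, recipient = parsed
    if not hmac.compare_digest(tag.encode(), _tag(campaign, recipient).encode()):
        return ("forged", None, None)
    return ("bounced", campaign, recipient)


if __name__ == "__main__":
    sender = make_envelope_sender("c294", "alice@example.org")
    print("MAIL FROM:<%s>" % sender)
    print(handle_bounce("", sender))                          # genuine notification
    print(handle_bounce("", sender.replace("alice", "bob")))  # tag does not match
    print(handle_bounce("list@example.net", sender))          # not a null sender
```

A sender that uses one shared envelope address for every recipient has no such lookup and has to parse the body of each notification instead.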
Re: Is not honoring bounces-to violation of RFC?
On 6/28/16 2:01 PM, Chip wrote: > My mistake NOT "bounces-to" rather "return-path" This is not a subtle difference. The Return-Path header gets added (or replaced, in the case it is already there) by the receiving MTA with the MAIL FROM address. It is placed there only for convenience of the receiving part. Setting the Return-Path header on outbound messages has no effect. What you need to change is the MAIL FROM address, as already explained a few times in this thread. Cheers, Daniele
Re: Is not honoring bounces-to violation of RFC?
My mistake NOT "bounces-to" rather "return-path" as in the following snippet of campaign emails from Home Depot, Martha Stewart and Sears:

From - Mon Jun 20 08:43:03 2016
X-Account-Key: account15
X-UIDL: UID1962-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-path:<bounce-21178_html-212410161-294-1014284...@bounce.homedepotemail.com>

From - Tue Jun 21 14:39:36 2016
X-Account-Key: account15
X-UIDL: UID1969-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-path:<everydayf...@mail.marthastewart.com>

From - Mon Jun 20 08:43:02 2016
X-Account-Key: account15
X-UIDL: UID1961-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-path:<sears2.5...@envfrm.rsys2.com>

So is "Return-path" supposed to be respected? Because the company I was speaking of insists it's appropriate to send bounces to something other than "Return-path" usually the "From" or "Reply-to".

On 06/28/2016 03:36 PM, Jim Reid wrote:
> On 28 Jun 2016, at 20:26, Jeffs Chips <jeffsch...@gmail.com> wrote:
>> I'm just saying that ALL email campaign services allow and indeed suggest users to identify a specific sole purpose email account in which to receive bounces to eliminate spam and which almost all email campaigners adhere to
> The IETF process is open to all. Feel free to make use of it.
>
> BTW, the IETF is where Internet email protocols get developed and documented. It doesn’t and can’t happen on postfix-users.
Re: Is not honoring bounces-to violation of RFC?
> On 28 Jun 2016, at 20:26, Jeffs Chips <jeffsch...@gmail.com> wrote:
>
> I'm just saying that ALL email campaign services allow and indeed suggest
> users to identify a specific sole purpose email account in which to receive
> bounces to eliminate spam and which almost all email campaigners adhere to

The IETF process is open to all. Feel free to make use of it.

BTW, the IETF is where Internet email protocols get developed and documented. It doesn’t and can’t happen on postfix-users.
Re: Is not honoring bounces-to violation of RFC?
I don't dispute any of what happens just saying that a company out there that advertises as their mission to eliminate spam and whom, they advertise, has access to 30 million MX records is sending bounces to the reply to or envelope sender whereas I'm just saying that ALL email campaign services allow and indeed suggest users to identify a specific sole purpose email account in which to receive bounces to eliminate spam and which almost all email campaigners adhere to, is thus defeating the purpose of their mission. Maybe what they do works for the small time spammer who uses a personal account to distribute spam but it defeats the purpose of eliminating non deliverables for honest mailers.

On Jun 28, 2016 3:17 PM, "Allen Coates" <znab...@cidercounty.org.uk> wrote:
> Mail-server refusals (as in NOQUEUE) are generated before the email body
> is received - and will also be sent to the envelope sender.
>
> On 28/06/16 18:51, Noel Jones wrote:
> > On 6/28/2016 12:12 PM, Chip wrote:
> >> Meaning there are no standards for the way
> >> emailers should respond to bounces?
> > bounces always go to the envelope sender, regardless of any
> > unrelated junk in the headers.
Re: Is not honoring bounces-to violation of RFC?
> On 28 Jun 2016, at 19:28, Chip <jeffsch...@gmail.com> wrote:
>
> Okay maybe it's not in RFC's but I would it would be at least a
> recommendation that bounces can be routed back to bounces-to rather than
> reply-to. After all, why have the field at all if it's not used properly.

No RFC defines a bounces-to email header. Or how an MTA or MUA should handle one.

As a matter of fact, the only email-related RFC which contains the word “bounce” is RFC5355. Which is in the Experimental category. It uses “bounce" in the context of clients speaking UTF8SMTP to servers that don’t support this feature. Here’s the relevant part of Section 4.4 of that RFC:

Below are a few examples of possible representations.
...
"DISPLAY_NAME" <non-ASCII@non-ASCII>
; UTF8SMTP but no ALT-ADDRESS parameter provided,
; message will bounce if UTF8SMTP extension is not supported

<non-ASCII@non-ASCII>
; without DISPLAY_NAME and quoted string
; UTF8SMTP but no ALT-ADDRESS parameter provided,
; message will bounce if UTF8SMTP extension is not supported

If you think bounces-to has to be part of Internet email standards, feel free to write up a draft and submit it to the IETF.
Re: Is not honoring bounces-to violation of RFC?
Mail-server refusals (as in NOQUEUE) are generated before the email body is received - and will also be sent to the envelope sender. On 28/06/16 18:51, Noel Jones wrote: > On 6/28/2016 12:12 PM, Chip wrote: >> Meaning there are no standards for the way >> emailers should respond to bounces? > bounces always go to the envelope sender, regardless of any > unrelated junk in the headers. > > > >
Re: Is not honoring bounces-to violation of RFC?
Bounces go to the envelope sender, the address used in the SMTP MAIL FROM command. Not reply-to, nor bounces-to, nor any other address listed in a header.

To control where bounces are returned, set the envelope sender.

-- Noel Jones

On 6/28/2016 1:28 PM, Chip wrote:
> In standard email campaign software like phplist, constantcontact,
> mailchimp all of those popular email campaign software many of which
> use Exim and are used literally by millions of email campaigners,
> the bounces-to is where bounces are expected to be returned so that
> they can be effectively removed from mailings and people don't
> receive spam. It is a very important part of email campaigns and
> reduces by great amounts the amount of spam that is manufactured.
>
> Okay maybe it's not in RFC's but I would it would be at least a
> recommendation that bounces can be routed back to bounces-to rather
> than reply-to. After all, why have the field at all if it's not
> used properly.
>
> On 06/28/2016 01:51 PM, Noel Jones wrote:
>> On 6/28/2016 12:12 PM, Chip wrote:
>>> Meaning there are no standards for the way
>>> emailers should respond to bounces?
>> bounces always go to the envelope sender, regardless of any
>> unrelated junk in the headers.
Re: Is not honoring bounces-to violation of RFC?
In standard email campaign software like phplist, constantcontact, mailchimp all of those popular email campaign software many of which use Exim and are used literally by millions of email campaigners, the bounces-to is where bounces are expected to be returned so that they can be effectively removed from mailings and people don't receive spam. It is a very important part of email campaigns and reduces by great amounts the amount of spam that is manufactured.

Okay maybe it's not in RFC's but I would it would be at least a recommendation that bounces can be routed back to bounces-to rather than reply-to. After all, why have the field at all if it's not used properly.

On 06/28/2016 01:51 PM, Noel Jones wrote:
> On 6/28/2016 12:12 PM, Chip wrote:
>> Meaning there are no standards for the way emailers should respond to bounces?
> bounces always go to the envelope sender, regardless of any unrelated junk in the headers.
Re: Is not honoring bounces-to violation of RFC?
On 6/28/2016 12:12 PM, Chip wrote: > Meaning there are no standards for the way > emailers should respond to bounces? bounces always go to the envelope sender, regardless of any unrelated junk in the headers.
Re: Is not honoring bounces-to violation of RFC?
Chip:
> Okay I guess it does. Meaning there are no standards for the way
> emailers should respond to bounces?

According to RFC 5321, the definition of the Internet email protocol, an undeliverable email message is returned to its MAIL FROM address, and that return message is sent with the null MAIL FROM address. Undeliverable mail with the null MAIL FROM address is not returned.

That answers your question, but you probably meant something else.

Wietse
Re: Is not honoring bounces-to violation of RFC?
Okay I guess it does. Meaning there are no standards for the way emailers should respond to bounces? On 06/28/2016 12:54 PM, Wietse Venema wrote: Chip: I know this question is not specifically germane to Postfix but everyone on this list has extensive experience with bouncing policies. If a receiver of campaign emails (that promotes itself as an email security service) sends bounces to "reply-to" rather than "bounces-to" as a policy despite bounces-to present in all campaign emails headers, would this be considered a violation of RFCs? RFCs are published at ietf.org, so I did an experiment: site:ietf.org bounces-to Neither google.com nor bing.com produced any matches. I guess that result speaks for itself, no? Wietse
Re: Is not honoring bounces-to violation of RFC?
Chip:
> I know this question is not specifically germane to Postfix but everyone
> on this list has extensive experience with bouncing policies.
>
> If a receiver of campaign emails (that promotes itself as an email
> security service) sends bounces to "reply-to" rather than "bounces-to"
> as a policy despite bounces-to present in all campaign emails headers,
> would this be considered a violation of RFCs?

RFCs are published at ietf.org, so I did an experiment:

    site:ietf.org bounces-to

Neither google.com nor bing.com produced any matches.

I guess that result speaks for itself, no?

Wietse
Is not honoring bounces-to violation of RFC?
I know this question is not specifically germane to Postfix but everyone on this list has extensive experience with bouncing policies. If a receiver of campaign emails (that promotes itself as an email security service) sends bounces to "reply-to" rather than "bounces-to" as a policy despite bounces-to present in all campaign emails headers, would this be considered a violation of RFCs?
Bounces and dmarc reports
Hi,

I've recently implemented dmarc on my system. I've implemented both rua and ruf reports. I'm trying to understand why my postfix queue is being inundated with undeliverable messages such as these:

    E45A5182C7E 2700 Wed Dec 23 11:11:52 postmas...@cheatcodes.com
    (connect to mulish.yachtspecialnewtips.info[162.214.5.75]:25: No route to host)
    ab...@yachtspecialnewtips.info

    Dec 23 11:11:53 juggernaut postfix/qmgr[14771]: E45A5182C7E: from=, size=2700, nrcpt=2 (queue active)
    Dec 23 11:11:53 juggernaut postfix/smtp[10932]: A2733182CA4: to= , relay=127.0.0.1[127.0.0.1]:10024, conn_use=10, delay=16, delays=0.18/16/0.01/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E45A5182C7E)

I don't understand why reports from postmas...@cheatcodes.com are being received then attempted to be sent to an obvious spam domain.

I suppose this isn't strictly a postfix problem, but I've been unable to find help elsewhere. I was hoping someone familiar with dmarc could guide me to the right solution.

Thanks,
Alex
blocking bounces from spam advice
I have a small Postfix installation with virtual domains that runs well, however, a user is complaining of being hit with flood of rejects from spam sent out from elsewhere as though from him, the rejects are coming back to him the user in question has been, by his former request, exempted from some checks: --- # cat recipient_no_checks # Let email to the following destinations bypass all the remaining # reject and check tests. tld.com.au OK --- I'll remove him from recipient_no_checks, but, is there some other stuff I should be doing as well ? Greetings to the list and all the best in New Year! -- mail_version = 2.11.0 # postconf -n address_verify_sender = $double_bounce_sender alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases allow_min_user = no allow_percent_hack = no anvil_rate_time_unit = 1800s biff = no body_checks = pcre:/etc/postfix/body_checks body_checks_size_limit = 15 bounce_queue_lifetime = 4h broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5 delay_warning_time = 0h disable_vrfy_command = yes dovecot_destination_recipient_limit = 1 enable_original_recipient = no header_checks = pcre:/etc/postfix/header_checks home_mailbox = Maildir/ html_directory = no inet_interfaces = all inet_protocols = ipv4 mail_owner = postfix mailbox_command = /usr/libexec/dovecot/deliver mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man maximal_backoff_time = 4000s maximal_queue_lifetime = 4h message_size_limit = 20971520 mime_header_checks = pcre:$config_directory/mime_headers.pcre minimal_backoff_time = 300s mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname mydomain = sbt.net.au myhostname = emu.sbt.net.au mynetworks = //removed// 
127.0.0.1 myorigin = emu.sbt.net.au newaliases_path = /usr/bin/newaliases.postfix proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions queue_directory = /var/spool/postfix queue_run_delay = 300s readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf recipient_delimiter = + relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf sample_directory = /usr/share/doc/postfix-2.11.0/samples sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp-amavis_destination_recipient_limit = 1 smtp_data_init_timeout = 240s smtp_data_xfer_timeout = 600s smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_timeout = 3600s smtpd_client_connection_rate_limit = 50 smtpd_data_restrictions = reject_unauth_pipelining smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_no_checks, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rhsbl_sender dsn.rfc-ignorant.org, check_policy_service inet:127.0.0.1:10031 smtpd_reject_unlisted_recipient = yes smtpd_reject_unlisted_sender = yes smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_path = ./dovecot-auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
Postfix bounces
Hi,

I'm looking deeper into bounce handling in Postfix and came across 2 issues:

1) The default From: header, MAILER-DAEMON (Mail Delivery System), is not RFC valid. It can change, though. In Ubuntu, install the postfix-doc package, then

    cat /usr/share/doc/postfix-doc/examples/bounce.cf.default | sed -e 's/From: MAILER-DAEMON (Mail Delivery System)/From: postmas...@example.net/' > /etc/postfix/bounce.cf

and then add to main.cf

    bounce_template_file=/etc/postfix/bounce.cf

Is there a simple way to achieve this? I noted that Postfix 2.12 adds mydomain and myhostname to be used in the bounce template and changing the template to MAILER-DAEMON@$myhostname would also simplify. Or having something like $bounce_from_address (default to MAILER-DAEMON@$myhostname) would be very nice.

2) I want to forward bounces to a specific host. I was looking for a way to specify a relayhost or a transport for that class of messages and couldn't find a way to achieve that. I cannot use sender_dependent_default_transport_maps, because I only want to apply to messages generated by Postfix and not messages in transit. What is the best way to do this?

Regards,
José Borges Ferreira
Re: Postfix bounces
On 03.12.2014 at 12:43, Jose Borges Ferreira wrote:
> I'm looking deeper into bounce handling in Postfix and came across 2 issues:
> 1) The default From: header, MAILER-DAEMON (Mail Delivery System), is not RFC valid.

a bounce has no envelope sender (null sender) and so no from-address

> 2) I want to forward bounces to a specific host. I was looking for a way to specify a relayhost or a transport for that class of messages and couldn't find a way to achieve that. I cannot use sender_dependent_default_transport_maps, because I only want to apply to messages generated by Postfix and not messages in transit.

it is *not* your business to mangle bounces
they belong to the envelope sender - period
keep your fingers from bounces - unconditional

a user sends a mail and when that fails he gets a bounce

if you are backscatter because you accept mail on your MX which you can't deliver then fix that problem instead of shooting at the messenger

the one and only reason where a mailserver has to produce a bounce is when an authenticated user sends a mail which is later rejected at the final destination
Re: Postfix bounces
Jose Borges Ferreira: Hi, I'm looking deeper into bounce handling in Postfix and cam across 2 issues: 1) The default From: header, MAILER-DAEMON (Mail Delivery System), is not RFC valid. YOU create a non-compliant configuration when YOU disable append_at_myorigin for local submission. 2) I want to forward bounces to a specific host. I was looking for a way to specify a relayhost or a transport for that class of messages and couldn't find a way to achieve that. There is no RFC that requires this. I am highly-suspicious when people want to handle NDRs differently; they usually have a problem that they want to cover up. Wietse
Re: Postfix bounces
On Wed, Dec 3, 2014 at 12:28 PM, Wietse Venema wie...@porcupine.org wrote:
> Jose Borges Ferreira:
>> Hi, I'm looking deeper into bounce handling in Postfix and came across 2 issues:
>> 1) The default From: header, MAILER-DAEMON (Mail Delivery System), is not RFC valid.
> YOU create a non-compliant configuration when YOU disable append_at_myorigin for local submission.

Thanks for pointing out where the problem is. I have to maintain a quite complex setup and this was already set. Next time will also test on a Postfix instance with minimal changes.

>> 2) I want to forward bounces to a specific host. I was looking for a way to specify a relayhost or a transport for that class of messages and couldn't find a way to achieve that.
> There is no RFC that requires this. I am highly-suspicious when people want to handle NDRs differently; they usually have a problem that they want to cover up.

The RFC reference was for 1). This is more about policy than anything else. This is the scenario.

Box 1: just receive email from outside - inbound flow.
Box 2: used to send email to the outside - outbound flow.

Firewalls are set in a way that don't allow Box 1 to send traffic to the outside, so I need to route bounces (and defers) generated in Box 1 to Box 2.

José Borges Ferreira
Re: Postfix bounces
On 03.12.2014 at 14:32, Jose Borges Ferreira wrote:
>>> 2) I want to forward bounces to a specific host. I was looking for a way to specify a relayhost or a transport for that class of messages and couldn't find a way to achieve that.
>> There is no RFC that requires this. I am highly-suspicious when people want to handle NDRs differently; they usually have a problem that they want to cover up.
> The RFC reference was for 1). This is more about policy than anything else. This is the scenario.
> Box 1: just receive email from outside - inbound flow.
> Box 2: used to send email to the outside - outbound flow.
> Firewalls are set in a way that don't allow Box 1 to send traffic to the outside, so I need to route bounces (and defers) generated in Box 1 to Box 2

fix *why* you create bounces at all on an inbound MX

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

in case of not able to list some domains you accept mail for in local_recipient_maps is the way to go

we list all domains where we have the RCPT's in /etc/postfix/skip_rcpt_vrfy.cf and anything else needs to pass reject_unverified_recipient and so that way we can even offer spamfiltering services for customers with their own Exchange server without creating a single bounce

smtpd_relay_restrictions =
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/skip_rcpt_vrfy.cf
    reject_unverified_recipient
Re: Postfix bounces
Jose Borges Ferreira: This is the scenario. Box 1 : just receive email from outside - inbound flow. Box 2 : used to sent email to the outside - oubound flow. Inbound MTA: primary MX for your domain(s). If mail can't be delivered, use Postfix's relayhost feature to deliver outbound mail via the outbound MTA, if you can't use standard MX logic to deliver directly to the sender's MX hosts. Outbound MTA: if mail can't be delivered, use standard MX logic to deliver NDRs to the sender's MX host(s). Wietse
Re: Postfix bounces
On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote: Jose Borges Ferreira: This is the scenario. Box 1 : just receive email from outside - inbound flow. Box 2 : used to sent email to the outside - oubound flow. Inbound MTA: primary MX for your domain(s). If mail can't be delivered, use Postfix's relayhost feature to deliver outbound mail via the outbound MTA, if you can't use standard MX logic to deliver directly to the sender's MX hosts. That's my initially idea, but was afraid that relayhost would catch more than intended. That's why I asked about a way just to apply the relayhost behavior to server generated messages (bounces). Outbound MTA: if mail can't be delivered, use standard MX logic to deliver NDRs to the sender's MX host(s). That's was already covered, because email loops back through the InboundMTA Thanks. José Borges Ferreira
Re: Postfix bounces
Jose Borges Ferreira: On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote: Jose Borges Ferreira: This is the scenario. Box 1 : just receive email from outside - inbound flow. Box 2 : used to sent email to the outside - oubound flow. Inbound MTA: primary MX for your domain(s). If mail can't be delivered, use Postfix's relayhost feature to deliver outbound mail via the outbound MTA, if you can't use standard MX logic to deliver directly to the sender's MX hosts. That's my initially idea, but was afraid that relayhost would catch more than intended. It catches outbound mail. Postfix cannot generate other mail, as long as all mail from inside has an inside envelope sender address. And that is standard firewall hygiene. Wietse
Re: Postfix bounces
Wietse Venema: Jose Borges Ferreira: On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote: Jose Borges Ferreira: This is the scenario. Box 1 : just receive email from outside - inbound flow. Box 2 : used to sent email to the outside - oubound flow. Inbound MTA: primary MX for your domain(s). If mail can't be delivered, use Postfix's relayhost feature to deliver outbound mail via the outbound MTA, if you can't use standard MX logic to deliver directly to the sender's MX hosts. That's my initially idea, but was afraid that relayhost would catch more than intended. It catches outbound mail. Postfix cannot generate other mail, as long as all mail from inside has an inside envelope sender address. And all mail from outside has an outside envelope sender address. And that is standard firewall hygiene. Wietse
Documentation update: Milter signing bounces
I have added this text at the end of Non-SMTPD Milter applications:

    Wietse

Signing internally-generated bounce messages

Postfix normally does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. Filtering internally-generated bounces could result in loss of mail when a filter rejects or defers a message (the resulting double-bounce message would almost certainly also be blocked).

To sign Postfix's own bounce messages, enable filtering of internally-generated bounces (line 2 below), and don't block any mail with non_smtpd_milters, header_checks or body_checks (lines 3-5 below).

    1 /etc/postfix/main.cf:
    2     internal_mail_filter_classes = bounce
    3     non_smtpd_milters = nothing that can block mail
    4     header_checks = nothing that can block mail
    5     body_checks = nothing that can block mail
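One way to check the "nothing that can block mail" condition for header_checks and body_checks once internal_mail_filter_classes includes bounce, as an added example (not Postfix code and not part of the original message). The function names, the sample main.cf and table, and the choice of REJECT, DISCARD and HOLD as the blocking actions are assumptions made here; milters in non_smtpd_milters cannot be audited this way.

```python
import re

# Assumption of this example: these header_checks/body_checks actions stop delivery.
BLOCKING_ACTIONS = {"REJECT", "DISCARD", "HOLD"}


def logical_lines(text):
    """Yield (first_line_number, text) for Postfix-style logical lines.

    Blank lines and '#' comments are skipped; a line that starts with
    whitespace continues the previous logical line.
    """
    out = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            out.append((number, raw.strip()))
    return out


def split_rule(line):
    """Split '/pattern/flags ACTION text' into (pattern, action, text), else None."""
    body = line[1:] if line.startswith("!") else line
    if not body or body[0].isalnum() or body[0].isspace():
        return None  # 'if ...', 'endif' or something that is not a pattern rule
    delim, i = body[0], 1
    while i < len(body):
        if body[i] == "\\":      # escaped character, skip it
            i += 2
            continue
        if body[i] == delim:     # closing delimiter found
            break
        i += 1
    else:
        return None              # pattern never closed
    match = re.match(r"(\S*)\s+(\S+)\s*(.*)", body[i + 1:])
    if not match:
        return None              # pattern without an action
    return body[1:i], match.group(2).upper(), match.group(3)


def audit_table(text, table):
    """Return (table, line, action, pattern) for every rule that can block mail."""
    findings = []
    for number, line in logical_lines(text):
        rule = split_rule(line)
        if rule and rule[1] in BLOCKING_ACTIONS:
            findings.append((table, number, rule[1], rule[0]))
    return findings


def main_cf_params(text):
    """Parse 'name = value' settings from main.cf text."""
    params = {}
    for _, line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def bounce_filtering_risks(main_cf, tables):
    """Audit the given tables only when bounces are actually being filtered.

    tables maps a parameter name (header_checks, body_checks) to table text.
    """
    classes = re.split(r"[,\s]+", main_cf_params(main_cf).get(
        "internal_mail_filter_classes", ""))
    if "bounce" not in classes:
        return []
    findings = []
    for name, text in tables.items():
        findings.extend(audit_table(text, name))
    return findings


# Constructed sample input, not taken from any real system.
SAMPLE_MAIN_CF = """internal_mail_filter_classes = bounce
header_checks = pcre:/etc/postfix/header_checks
"""
SAMPLE_HEADER_CHECKS = r"""# constructed sample table
/^Received: .*\[127\.0\.0\.1\]/ IGNORE
/^Subject: .*viagra/i
    REJECT spam subject
if /^X-Test:/
/^X-Test: hold/ HOLD
endif
"""

if __name__ == "__main__":
    for finding in bounce_filtering_risks(
            SAMPLE_MAIN_CF, {"header_checks": SAMPLE_HEADER_CHECKS}):
        print("%s line %d: %s on /%s/ can block a bounce" % finding)
```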
Re: Documentation update: Milter signing bounces
On Sun, Nov 30, 2014 at 9:00 PM, Wietse Venema wie...@porcupine.org wrote: I have added this text at the end of Non-SMTPD Milter applications: Wietse Signing internally-generated bounce messages Postfix normally does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. Filtering internally-generated bounces could result in loss of mail when a filter rejects or defers a message (the resulting double-bounce message would almost certainly also be blocked). To sign Postfix's own bounce messages, enable filtering of internally-generated bounces (line 2 below), and don't block any mail with non_smtpd_milters, header_checks or body_checks (lines 3-5 below). 1 /etc/postfix/main.cf: 2 internal_mail_filter_classes = bounce 3 non_smtpd_milters = nothing that can block mail 4 header_checks = nothing that can block mail 5 body_checks = nothing that can block mail That's great, thanks. José Borges Ferreira
Milter signing bounces
Hi,

I'm returning with this issue* but I consider it starting to have bad side effects.

Yesterday on the dmarc-ietf list on a subject of bounce emails, Franck Martin stated that "It is notoriously known that postfix cannot DKIM sign the messages it generates (MDN)." and he sent the link to Postfix documentation that supports that claim, in particular see point 4 on http://www.postfix.org/MILTER_README.html#limitations; that states:

> Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail.

Last year when I reported that, the discussion was around the dangers of blocking bounces and therefore shouldn't be filtered (and eventually blocked). Back then with postfix 2.9 and now with 2.11.3 I have a working setup.**

So my question is: What's wrong? The documentation or the internal_mail_filter_classes/non_smtpd_milters implementation that allows applying a signing Milter to bounces?

* http://postfix.1071664.n5.nabble.com/Error-in-milter-documentation-td62409.html
** http://www.ietf.org/mail-archive/web/dmarc/current/msg01964.html

José Borges Ferreira
Re: Milter signing bounces
Jose Borges Ferreira: What's wrong ? The documentation or the internal_mail_filter_classes/non_smtpd_milters implementation that allows applying a signing Milter to bounces ? You appear to believe that there is a difference between Postfix documentation and Postfix implementation. Can you in a few words explain what the difference is, without asking the reader to dig into other mailing list messages? Wietse
Re: Milter signing bounces
On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote: Can you in a few words explain what the difference is, without asking the reader to dig into other mailing list messages? Hi, I just reference the other lists for full context and quoted the relevant parts. I'm just pointing that the Milter documentation*, quote: Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail. This documentation contradicts my current Postfix implementation. I'm using a Milter to sign bounces. People reading that paragraph can wrongly assume that Postfix isn't capable of signing bounce , when it can. So, am I doing something unsupported in my implementation or is something wrong in MILTER_README ? José Borges Ferreira * http://www.postfix.org/MILTER_README.html#limitations , point 4
Re: Milter signing bounces
Jose Borges Ferreira: On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote: Can you in a few words explain what the difference is, without asking the reader to dig into other mailing list messages? Hi, I just reference the other lists for full context and quoted the relevant parts. I'm just pointing that the Milter documentation*, quote: Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail. This documentation contradicts my current Postfix implementation. I'm using a Milter to sign bounces. People reading that paragraph can wrongly assume that Postfix isn't capable of signing bounce , when it can. The documentation DOES NOT CLAIM that Postfix cannot use a Milter to sign bounces. The documentation DOES say that applying filters to bounces can result in loss of mail. Wietse So, am I doing something unsupported in my implementation or is something wrong in MILTER_README ? Jos? Borges Ferreira * http://www.postfix.org/MILTER_README.html#limitations , point 4
Re: Milter signing bounces
On 28.11.2014 at 17:19, Wietse Venema wrote:
> Jose Borges Ferreira:
>> On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote:
>>> Can you in a few words explain what the difference is, without asking the reader to dig into other mailing list messages?
>> I just reference the other lists for full context and quoted the relevant parts.
>> I'm just pointing that the Milter documentation*, quote:
>> Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail.
>> This documentation contradicts my current Postfix implementation. I'm using a Milter to sign bounces. People reading that paragraph can wrongly assume that Postfix isn't capable of signing bounce, when it can.
> The documentation DOES NOT CLAIM that Postfix cannot use a Milter to sign bounces.

don't get me wrong but

"Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail"

claims exactly that for every reader

> The documentation DOES say that applying filters to bounces can result in loss of mail
Re: Milter signing bounces
On Fri, Nov 28, 2014 at 4:30 PM, li...@rhsoft.net li...@rhsoft.net wrote: I'm just pointing that the Milter documentation*, quote: Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail. This documentation contradicts my current Postfix implementation. I'm using a Milter to sign bounces. People reading that paragraph can wrongly assume that Postfix isn't capable of signing bounce , when it can. The documentation DOES NOT CLAIM that Postfix cannot use a Milter to sign bounces. don't get me wrong but Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail claims exactly that for every reader I mentioned other the post on the dmarc list because, others also have that understanding. José Borges Ferreira
Re: Milter signing bounces
don't get me wrong but Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail claims exactly that for every reader Do you mean REPLACE the text with: Applying content filters to such mail should be safe with filters that sign mail, but never bounce? Wietse
Re: Milter signing bounces
On 28.11.2014 at 20:40, Wietse Venema wrote:
>> don't get me wrong but
>> "Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail"
>> claims exactly that for every reader
> Do you mean REPLACE the text with:
>     Applying content filters to such mail should be safe with filters that sign mail, but never bounce?

sounds good!

the problem with the current text is the "does not apply" what has a different meaning than "is not safe" and implies the milter never is called in context of a bounce
Strip body / attachments from bounces?
I'm looking for a way to remove anything from the original email from bounces. Yes, I know this is a goofy use case :-) I found a useful article about customizing bounce messages which I'll look into, but I didn't see anything in it about making sure the bounce contains nothing but the bounce message and maybe specific elements from the original like destination, time/date, etc. -- *** * John Oliver http://www.john-oliver.net/ * * * ***
Re: Strip body / attachments from bounces?
On 11/25/2014 10:51 AM, John Oliver wrote: I'm looking for a way to remove anything from the original email from bounces. Yes, I know this is a goofy use case :-) I found a useful article about customizing bounce messages which I'll look into, but I didn't see anything in it about making sure the bounce contains nothing but the bounce message and maybe specific elements from the original like destination, time/date, etc. http://www.postfix.org/postconf.5.html#bounce_size_limit You can set bounce_size_limit = 0 to return the message headers only. This will insure there is nothing of the body left. There is no option to restrict which headers are returned. Bounces should be a rare occurrence. Mail to unknown recipients or mail with unwanted content should be rejected at the gateway, never accepted and later bounced. Let us know if you need help getting that configured correctly. -- Noel Jones
Re: Strip body / attachments from bounces?
On 25.11.2014 at 17:51, John Oliver wrote:
> I'm looking for a way to remove anything from the original email from bounces. Yes, I know this is a goofy use case :-) I found a useful article about customizing bounce messages which I'll look into, but I didn't see anything in it about making sure the bounce contains nothing but the bounce message and maybe specific elements from the original like destination, time/date, etc.

as i tried to filter reply-to in a bounce, i found this

http://www.rfc-base.org/txt/rfc-5703.txt

might be helpful, but it is not included in recent dovecot sieve release, perhaps procmail can do what you want

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Strip body / attachments from bounces?
On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote: http://www.postfix.org/postconf.5.html#bounce_size_limit You can set bounce_size_limit = 0 to return the message headers only. The minimum allowed value is 1. Therefore, to bounce headers only bounce_size_limit = 1 -- Viktor.
Re: Strip body / attachments from bounces?
Viktor Dukhovni: On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote: http://www.postfix.org/postconf.5.html#bounce_size_limit You can set bounce_size_limit = 0 to return the message headers only. The minimum allowed value is 1. Therefore, to bounce headers only bounce_size_limit = 1 As a general rule, where Postfix accepts a limit of zero, it means disable the no limit. Unlimited bounces are not a good idea. That's why the minimum is 1. Wietse
Re: Strip body / attachments from bounces?
On 11/25/2014 1:34 PM, Viktor Dukhovni wrote: On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote: http://www.postfix.org/postconf.5.html#bounce_size_limit You can set bounce_size_limit = 0 to return the message headers only. The minimum allowed value is 1. Therefore, to bounce headers only bounce_size_limit = 1 Thanks for the correction. For some reason I thought 0 was allowed here, and really meant zero. -- Noel Jones
Re: Email-get-bounces.
On 20.11.2014 at 06:55, Mohammed Ejaz wrote:
> Please experiencing two issues with customer. any explanation would be highly appreciated.
>
> *1.**I have several entries as below for our one of the customer whose relaying his email through our mail servers*
>
> Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning: 212.118.122.108: *address not listed for hostname mail.electro.com.sa*

that is just a warning about a bad PTR/A-Record setup of the sending machine - http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

> 2.What could be reason as the sent messages one of our users get bounce back with the following info. whereas our IP reputation is clean.

ask the admin on the other side instead of a public group about *his* security policies

> ion...@akigroup.com mailto:ion...@akigroup.com
> Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.
> The following organization rejected your message: pop.alphamedgroup.com.
> *Diagnostic information for administrators:*
> Generating server: mersal.cyberia.net.sa
> ion...@akigroup.com mailto:ion...@akigroup.com
> pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1 Unable to deliver to ion...@akigroup.com mailto:ion...@akigroup.com
Re: Email-get-bounces.
On 11/19/2014 11:55 PM, Mohammed Ejaz wrote:
> hello,
>
> Please experiencing two issues with customer. any explanation would be highly appreciated.
>
> *1. **I have several entries as below for our one of the customer whose relaying his email through our mail servers*
>
> Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning: 212.118.122.108: *address not listed for hostname mail.electro.com.sa*

This is a warning only. The IP listed for mail.electro.com.sa is not the same as the connecting client IP. This is a problem with the client; their PTR hostname does not resolve back to the client IP.

    # host 212.118.122.108
    108.122.118.212.in-addr.arpa domain name pointer mail.electro.com.sa.
    # host mail.electro.com.sa.
    mail.electro.com.sa has address 212.118.122.99

> Nov 20 07:41:05 mersal postfix/cleanup[31008]: 97C4B11A09F: message-id=01d0047a$58a601a0$09f204e0$@electro.com.sa
> Nov 20 07:41:06 mersal postfix/qmgr[11505]: 97C4B11A09F: from=morris.dela-to...@electro.com.sa, size=250121, nrcpt=1 (queue active)

Where is the rest of the logging for this transaction? Search your log for the queue ID 97C4B11A09F.

> Nov 20 07:44:10 mersal postfix/smtpd[30958]: warning: 212.118.122.108: address not listed for hostname mail.electro.com.sa

another warning from a new transaction.

> 2. What could be reason as the sent messages one of our users get bounce back with the following info. whereas our IP reputation is clean.

It seems you rejected their message. Look in your logs for further info.

-- Noel Jones

> ion...@akigroup.com mailto:ion...@akigroup.com
> Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.
> The following organization rejected your message: pop.alphamedgroup.com.
*Diagnostic information for administrators:* Generating server: mersal.cyberia.net.sa ion...@akigroup.com mailto:ion...@akigroup.com pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1 Unable to deliver to ion...@akigroup.com mailto:ion...@akigroup.com #SMTP# Original message headers: Received: from mail.unitedgroup.com.sa (SRV-EXCHHUB.unitedgroup.com.sa [213.210.243.36]) by mersal.cyberia.net.sa (Postfix) with ESMTP id BAB9F11A09C for ion...@akigroup.com mailto:ion...@akigroup.com; Wed, 19 Nov 2014 15:44:55 +0300 (AST) Received: from SRV-EXCHANGE.unitedgroup.com.sa ([191.0.0.11]) by SRV-EXCHHUB.unitedgroup.com.sa ([191.0.0.18]) with mapi; Wed, 19 Nov 2014 15:35:32 +0300 From: Elias Sleiman eslei...@unitedgroup.com.sa mailto:eslei...@unitedgroup.com.sa To: ion...@akigroup.com mailto:ion...@akigroup.com ion...@akigroup.com mailto:ion...@akigroup.com Date: Wed, 19 Nov 2014 15:35:25 +0300 Subject: Burger fuel - Cheese supply Thread-Topic: Burger fuel - Cheese supply Thread-Index: AdAD9Ur5R5GMhgiWRbSB/MLhQRJW8g== Message-ID: 4f4e9a676dd5c94aaca1d2fe1342d3104452ae9...@srv-exchange.unitedgroup.com.sa mailto:4f4e9a676dd5c94aaca1d2fe1342d3104452ae9...@srv-exchange.unitedgroup.com.sa Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/related; boundary=_005_4F4E9A676DD5C94AACA1D2FE1342D3104452AE951DSRVEXCHANGEun_; type=multipart/alternative MIME-Version: 1.0 Ejaz
Email-get-bounces.
hello, Please experiencing two issues with customer. any explanation would be highly appreciated. 1. I have several entries as below for our one of the customer whose relaying his email through our mail servers Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning: 212.118.122.108: address not listed for hostname mail.electro.com.sa Nov 20 07:41:05 mersal postfix/cleanup[31008]: 97C4B11A09F: message-id=01d0047a$58a601a0$09f204e0$@electro.com.sa Nov 20 07:41:06 mersal postfix/qmgr[11505]: 97C4B11A09F: from=morris.dela-to...@electro.com.sa, size=250121, nrcpt=1 (queue active) Nov 20 07:44:10 mersal postfix/smtpd[30958]: warning: 212.118.122.108: address not listed for hostname mail.electro.com.sa 2. What could be reason as the sent messages one of our users get bounce back with the following info. whereas our IP reputation is clean. mailto:ion...@akigroup.com ion...@akigroup.com Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator. The following organization rejected your message: pop.alphamedgroup.com. 
Diagnostic information for administrators: Generating server: mersal.cyberia.net.sa ion...@akigroup.com mailto:ion...@akigroup.com pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1 Unable to deliver to ion...@akigroup.com mailto:ion...@akigroup.com #SMTP# Original message headers: Received: from mail.unitedgroup.com.sa (SRV-EXCHHUB.unitedgroup.com.sa [213.210.243.36]) by mersal.cyberia.net.sa (Postfix) with ESMTP id BAB9F11A09C for ion...@akigroup.com mailto:ion...@akigroup.com ; Wed, 19 Nov 2014 15:44:55 +0300 (AST) Received: from SRV-EXCHANGE.unitedgroup.com.sa ([191.0.0.11]) by SRV-EXCHHUB.unitedgroup.com.sa ([191.0.0.18]) with mapi; Wed, 19 Nov 2014 15:35:32 +0300 From: Elias Sleiman eslei...@unitedgroup.com.sa mailto:eslei...@unitedgroup.com.sa To: ion...@akigroup.com mailto:ion...@akigroup.com ion...@akigroup.com mailto:ion...@akigroup.com Date: Wed, 19 Nov 2014 15:35:25 +0300 Subject: Burger fuel - Cheese supply Thread-Topic: Burger fuel - Cheese supply Thread-Index: AdAD9Ur5R5GMhgiWRbSB/MLhQRJW8g== Message-ID: 4f4e9a676dd5c94aaca1d2fe1342d3104452ae9...@srv-exchange.unitedgroup.com.sa mailto:4F4E9A676DD5C94AACA1D2FE1342D3104452AE951D@SRV-EXCHANGE.unitedgroup. com.sa Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/related; boundary=_005_4F4E9A676DD5C94AACA1D2FE1342D3104452AE951DSRVEXCHANGEun_; type=multipart/alternative MIME-Version: 1.0 Ejaz
Re: HTML bounces
On 17.10.2014 at 07:49, Andre Rodier wrote:
> I have a few users who don't understand bounced messages, and consider them as an error from our system. I won't even try to educate them.
>
> I would like to know if there is a way to use HTML messages to send beautiful bounces messages (internally) but continue to send standard text format externally.

it doesn't matter if they are beautiful, the point is not that users don't understand bounces, they just don't try it

especially internally: educate them and leave the world in peace with HTML bounces, each time i get such one i'd like to seek and destroy the admin on the other side (also for the backscattering, other topic)
Re: HTML bounces
Andre Rodier:
> Hi,
>
> I have a few users who don't understand bounced messages, and consider them as an error from our system. I won't even try to educate them.
>
> I would like to know if there is a way to use HTML messages to send beautiful bounces messages (internally) but continue to send standard text format externally.

So this is a double request: 1) HTML format in addition to text. Different formats for different recipients.

Neither is supported. The harder you try, the fewer people will read your bounce message.

Wietse

> I already configured my bounce_template_file, but it only allows me to do it as text.
>
> If you have a perl/python/... scripted solution, I am interested as well.
>
> Thanks,
> André.
Re: HTML bounces
On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote: The harder you try, the fewer people will read your bounce message. Honestly, I do not think it is possible for there to be fewer people who read bounces. Customized LOCAL bounce messages would be nifty. I don't want HTML ones but customizing the messages for local users would be nice. Some extensibility to the variables available might be nice too, to allow more customizations to the bounce message. Not a feature request, per se, but if it showed up somewhere down the line it's a feature I'd use. -- 'I think, if you want thousands, you've got to fight for one.'
Re: HTML bounces
On Fri, 17 Oct 2014 10:49:15 -0600 LuKreme krem...@kreme.com wrote: On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote: The harder you try, the fewer people will read your bounce message. Honestly, I do not think it is possible for there to be fewer people who read bounces. Customized LOCAL bounce messages would be nifty. I don't want HTML ones but customizing the messages for local users would be nice. Some extensibility to the variables available might be nice too, to allow more customizations to the bounce message. Not a feature request, per se, but if it showed up somewhere down the line it's a feature I'd use. That would be a bit more helpful to end users who have no idea how things work. Otherwise... Local FAQ re bounces? A custom error message to direct local users to said FAQ? A monthly user newsletter reminding local users to peruse the FAQ for useful information? A monthly user newsletter periodically containing a FAQ topic or three? Cluehammer as a last resort? (not a feature request?) jd?
Re: HTML bounces
On 10/17/2014 12:32 PM, jdebert wrote: On Fri, 17 Oct 2014 10:49:15 -0600 LuKreme krem...@kreme.com wrote: On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote: The harder you try, the fewer people will read your bounce message. Honestly, I do not think it is possible for there to be fewer people who read bounces. Customized LOCAL bounce messages would be nifty. I don't want HTML ones but customizing the messages for local users would be nice. Some extensibility to the variables available might be nice too, to allow more customizations to the bounce message. Not a feature request, per se, but if it showed up somewhere down the line it's a feature I'd use. That would be a bit more helpful to end users who have no idea how things work. Otherwise... Local FAQ re bounces? A custom error message to direct local users to said FAQ? A monthly user newsletter reminding local users to peruse the FAQ for useful information? A monthly user newsletter periodically containing a FAQ topic or three? Cluehammer as a last resort? (not a feature request?) jd? For bounces created by your own system (which is all you can control), you can use the smtpd_reject_footer feature to add a web link to helpful information (in your local language). Few people will bother clicking on it, but it might help a little. I'm always a little surprised when people really do contact me through this. http://www.postfix.org/postconf.5.html#smtpd_reject_footer -- Noel Jones
Re: HTML bounces
On October 17, 2014 7:49:34 AM Andre Rodier an...@rodier.me wrote:
> I have a few users who don't understand bounced messages, and consider them as an error from our system. I won't even try to educate them.

So they understand more if it was html ?, hmm

> I would like to know if there is a way to use HTML messages to send beautiful bounces messages (internally) but continue to send standard text format externally.

Text msgs is beautiful, no ?

> I already configured my bounce_template_file, but it only allows me to do it as text.

You can show a link in bounce to bugzilla on own domain, and hope users will use it, but historical postfix is not a webmaster

> If you have a perl/python/... scripted solution, I am interested as well.

-1000
HTML bounces
Hi, I have a few users who don't understand bounced messages, and consider them as an error from our system. I won't even try to educate them. I would like to know if there is a way to use HTML messages to send beautiful bounces messages (internally) but continue to send standard text format externally. I already configured my bounce_template_file, but it only allows me to do it as text. If you have a perl/python/... scripted solution, I am interested as well. Thanks, André.
Bounces are not sent sometimes.
Hello list!

I'm having problem with a bounce that was never sent to the sender.

*Here is the log when it fails:*
Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
Jul 2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388: to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed

*And here is a log when it works (same rcpt):*
Jul 3 10:41:17 smtp9 postfix-out/qmgr[25574]: 1CE9A27A4CB: from=m...@domain1.tld, size=8514, nrcpt=1 (queue active)
Jul 3 10:41:17 smtp9 postfix-out/smtp[24245]: 1CE9A27A4CB: to=user.n...@domain2.tld, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
Jul 3 10:41:17 smtp9 postfix-out/bounce[11424]: 1CE9A27A4CB: sender non-delivery notification: 1E32427A509
Jul 3 10:41:17 smtp9 postfix-out/qmgr[25574]: 1CE9A27A4CB: removed

Can it somehow be a bug or related somehow to the sender? (there are 2 different senders, but from the same domain)

What I can see, the differences between the emails is the SIZE, one needs truncating and the other doesn't. might that be a problem?

Bounce configuration:
smtp9:~# postconf -c /etc/postfix-outgoing | grep bounce
2bounce_notice_recipient = postmaster
address_verify_sender = $double_bounce_sender
backwards_bounce_logfile_compatibility = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file =
disable_verp_bounces = no
double_bounce_sender = double-bounce
lmtp_sasl_auth_soft_bounce = yes
multi_recipient_bounce_reject_code = 550
smtp_sasl_auth_soft_bounce = yes
soft_bounce = no

I'm using postfix 2.9.6 from debian wheezy repo:
smtp9:~# dpkg --list | grep postfix
ii  postfix        2.9.6-2  amd64  High-performance mail transport agent
ii  postfix-mysql  2.9.6-2  amd64  MySQL map support for Postfix
ii  postfix-pcre   2.9.6-2  amd64  PCRE map support for Postfix

Any thoughts or ideas are welcome!
Re: Bounces are not sent sometimes.
Patrik B?t:
> I'm having problem with a bounce that was never send to the sender.
>
> *Here is the log when it fails:*
> Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
> Jul 2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388: to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
> Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
>
> *And here is a log when it works (same rcpt):*

This could be because:

0) The sender is <>.

1) The sender sent mail with RCPT TO: address NOTIFY=NONE.

2) You are using a Milter application that adds a recipient with NOTIFY=NONE.

2.5) I vaguely recall that old Postfix milter clients always used NOTIFY=NONE when adding a recipient, but I may be mistaken.

3) You are using an older Postfix implementation that always used NOTIFY=NONE when adding a BCC recipient.

Wietse
Re: Bounces are not sent sometimes.
Wietse Venema:
> Patrik B?t:
> > I'm having problem with a bounce that was never send to the sender.
> >
> > *Here is the log when it fails:*
> > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
> > Jul 2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388: to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
> > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
> >
> > *And here is a log when it works (same rcpt):*
>
> This could be because:
>
> 0) The sender is <>.
>
> 1) The sender sent mail with RCPT TO: address NOTIFY=NONE.
>
> 2) You are using a Milter application that adds a recipient with NOTIFY=NONE.
>
> 2.5) I vaguely recall that old Postfix milter clients always used NOTIFY=NONE when adding a recipient, but I may be mistaken.
>
> 3) You are using an older Postfix implementation that always used NOTIFY=NONE when adding a BCC recipient.

4) You are using MailScanner or other software that manipulates Postfix queue files. This is not supported.

Wietse
Re: Bounces are not sent sometimes.
Wietse Venema:
> Wietse Venema:
> > Patrik B?t:
> > > I'm having problem with a bounce that was never send to the sender.
> > >
> > > *Here is the log when it fails:*
> > > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
> > > Jul 2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388: to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
> > > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
> > >
> > > *And here is a log when it works (same rcpt):*
> >
> > This could be because:
> >
> > 0) The sender is <>.
> >
> > 1) The sender sent mail with RCPT TO: address NOTIFY=NONE.
> >
> > 2) You are using a Milter application that adds a recipient with NOTIFY=NONE.
> >
> > 2.5) I vaguely recall that old Postfix milter clients always used NOTIFY=NONE when adding a recipient, but I may be mistaken.
> >
> > 3) You are using an older Postfix implementation that always used NOTIFY=NONE when adding a BCC recipient.
>
> 4) You are using MailScanner or other software that manipulates Postfix queue files. This is not supported.

The behavior in 3) exists in all stable Postfix releases. This is documented behavior.

Wietse
Re: Bounces are not sent sometimes.
On Thu 3 Jul 2014 13:10:04, Wietse Venema wrote:
> Wietse Venema:
> > Wietse Venema:
> > > Patrik B?t:
> > > > I'm having problem with a bounce that was never send to the sender.
> > > >
> > > > *Here is the log when it fails:*
> > > > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
> > > > Jul 2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388: to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=domain2.tld type=: Host not found)
> > > > Jul 2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
> > > >
> > > > *And here is a log when it works (same rcpt):*
> > >
> > > This could be because:
> > >
> > > 0) The sender is <>.
> > >
> > > 1) The sender sent mail with RCPT TO: address NOTIFY=NONE.
> > >
> > > 2) You are using a Milter application that adds a recipient with NOTIFY=NONE.
> > >
> > > 2.5) I vaguely recall that old Postfix milter clients always used NOTIFY=NONE when adding a recipient, but I may be mistaken.
> > >
> > > 3) You are using an older Postfix implementation that always used NOTIFY=NONE when adding a BCC recipient.
> >
> > 4) You are using MailScanner or other software that manipulates Postfix queue files. This is not supported.
>
> The behavior in 3) exists in all stable Postfix releases. This is documented behavior.
>
> Wietse

Hello,

Thanks for clearing this out, Wietse!
How do I get Postfix to tell me when a message bounces and who sent it
When a user sends too many messages to bad addresses, it’s probably a spammer using a compromised account. Other than a very messy reading and parsing of the log files, is there a way to get postfix to tell me when a message has bounced and who the sender was (perhaps a hook in the main.cf or something??). When the number of such messages from a specific user reaches a certain threshold, I want to be able to block that user from sending outgoing messages. This latter part is simple enough but getting the bounces information in a way I can read it programmatically has got me baffled. Is that even possible? Thanks, Rob Tanner UNIX Services Manager Linfield College, McMinnville Oregon ITS will never ask you for your password. Please don’t share yours with anyone!
Re: How do I get Postfix to tell me when a message bounces and who sent it
Rob Tanner:
> When a user sends too many messages to bad addresses, it's probably a spammer using a compromised account. Other than a very messy reading and parsing of the log files, is there a way to get postfix to tell me when a message has bounced and who the sender was (perhaps a hook in the main.cf or something??).

http://www.postfix.org/postconf.5.html#notify_classes

This can report the sender, recipient, and message header to a configurable email address. These can be piped into a command using Postfix built-in mechanisms: aliases(5) including .forward files, mailbox_command_maps, and pipe(8) commands driven by a transport table.

> When the number of such messages from a specific user reaches a certain threshold, I want to be able to block that user from sending outgoing messages. This latter part is simple enough but getting the bounces information in a way I can read it programmatically has got me baffled. Is that even possible?

Yes, provided that you supply the tooling that processes the notification email messages.

Wietse
Re: SRS bounces not working in postfix
Hi Michael,

This looks like one of my patches broke the TCP table when using -I... :-)
It should be 500 not 400 it seems. Fruneau will be pleased ^^
I've pushed a fix to my own fork which I'll pull to Fruneau soon - it's identical to Fruneau's except for this 400-500 fix. My fork is at: https://github.com/driskell/pfixtools

However, I don't think this is your issue - since it should still work without -I

> Thanks again Jason - I get this using your specified telnet test: 500 Hash invalid in SRS address.

This is the reason the decoding isn't happening when you were without -I, so you can return to NOT using -I (or use my fork)

Check your secrets file doesn't have blank lines or spaces anywhere in it? And is purely just a couple or so lines with a set of random characters in? (max of 1024 a line)
I wonder if there are problems happening with the secrets so it can encode but not decode.

Maybe even try telnet to 10001 with:
get<space>t...@example.com<enter><ctrl+D>
Then with the result telnet to 10002 and decode it.

Regards,
Jason

On 4 Feb 2014, at 00.21, Michael McCallister mikemc-post...@terabytemedia.com wrote:
> So I have been playing around with it more now in light of this new information - here is what I have found:
>
> * It works and delivers mail when the -I switch is NOT present (this has been my usage in all examples). However, when I try to decode in this mode I get 500 Hash invalid in SRS address. when testing in telnet - which could explain why bounces are not working. Telnet encode tests on port 10001 work fine.
>
> * When the -I switch IS present, it does not deliver mail. However, it passes both telnet encode/decode tests.
>
> Here is the delivery problem I see in the logs:
>
> Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: connect from homer.terabytemedia.com[74.206.115.225]
> Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: warning: tcp:127.0.0.1:10002 lookup error for ~us...@forwardingdomain.com~
> Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: NOQUEUE: reject: RCPT from homer.terabytemedia.com[74.206.115.225]: 451 4.3.0 mikeboun...@acermanuals.com: Temporary lookup failure; from=mikemc@terabyte[added_to_prevent_spam]media.com to=~us...@forwardingdomain.com~ proto=ESMTP helo=homer.terabytemedia.com
> Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: disconnect from homer.terabytemedia.com[74.206.115.225]
>
> So I am now getting some warning: tcp:127.0.0.1:10002 lookup error with the -I switch enabled - but it passes telnet encode/decode tests. I am confused why it is logging a decoding error with -I as opposed to without -I in the logs above - you would think it would do that in either case since ~us...@forwardingdomain.com~ is not SRS encoded. One thing that might explain this - when testing on telnet with -I off, I get a 400 external domains are ignored error (maybe 4xx errors are warnings to Postfix and it continues to send and moves on to encoding?) - with -I on, I get a 500 Not an SRS address. which I assume is fatal.
>
> One fix might be to patch pfix-srsd (I don't program in C but could probably figure it out) to return a 400 error for the 500 Not an SRS address.. I cannot think of any way that opens me up to problems since I assume the address would just not be rewritten by Postfix in this case.
>
> Any ideas?
>
> Michael
Re: SRS bounces not working in postfix
On 2/4/2014 2:06 AM, Jason Woods wrote: Hi Michael, This looks like one of my patches broke the TCP table when using -I... :-) It should be 500 not 400 it seems. Fruneau will be pleased ^^ I've pushed a fix to my own fork which I'll pull to Fruneau soon - its identical to Fruneau's except for this 400-500 fix. My fork is at: https://github.com/driskell/pfixtools However, I don't think this is your issue - since it should still work without -I Thanks again Jason - I get this using your specified telnet test: 500 Hash invalid in SRS address. This is the reason the decoding isn't happening when you were without -I, so you can return to NOT using -I (or use my fork) Check your secrets file doesn't have blank lines or spaces anywhere in it? And is purely just a couple or so lines with a set of random characters in? (max of 1024 a line) I wonder if there are problems happening with the secrets so it can encode but not decode. Maybe even try telnet to 10001 with: getspacet...@example.comenterctrl+D Then with the result telnet to 10002 and decode it. Regards, Jason Thanks again Jason. Everything works now. I stumbled across the space in the secrets file problem last night and that got hashes validating - but thanks for that insight too. I am running your updated release now and it is working as expected. Hopefully setting up dkim and j-chkmail go smoother than srs did :-)
Re: SRS bounces not working in postfix
On 4 Feb 2014, at 18.51, Michael McCallister mikemc-post...@terabytemedia.com wrote: Thanks again Jason. Everything works now. I stumbled across the space in the secrets file problem last night and that got hashes validating - but thanks for that insight too. I am running your updated release now and it is working as expected. Hopefully setting up dkim and j-chkmail go smoother than srs did :-) No problem! Can you describe the issue with the space you encountered? Or steps to reproduce? I'll throw a fix over to Fruneau before I start working more on srs-milter.
Re: SRS bounces not working in postfix
On 2/4/2014 2:42 PM, Jason Woods wrote: No problem! Can you describe the issue with the space you encountered? Or steps to reproduce? I'll throw a fix over to Fruneau before I start working more on srs-milter. I originally had one line in the secrets file that was probably 200-300 chars. It had spaces, periods, etc. pfix-srsd had problems validating hashes it created with that secrets file. Then I changed it to just numbers/letters with no spaces (maybe 50-100 chars) and that problem went away. I wish I had kept the secrets file that exhibited the problem, but I just overwrote it.
Re: SRS bounces not working in postfix
On 2/2/2014 11:47 PM, Jason Woods wrote: Hi Michael, I did some tweaks on pfixtools I will have to have a look and check for you (I use it too.) It's not the ideal method though and a milter is really the correct way to do SRS as the canonical filters, although giving almost desired effect, aren't ideal or intended for this. I'm eventually switching to srs-milter and will be improving it. Can you provide the pfixtools options you are using, and contents if the pfix-no-srs? Also the full bounce log entry including the user it showed could prove useful. Thanks Jason Thanks Jason, Here is the information you requested (to continue using my original example to illustrate the problem - I will replace certain things with domains referenced in the original email to keep things consistent - anywhere I do this I will wrap ~ around it i.e. ~srsdomain.com~): * pfix-srsd usage (note: srsdomain.com is in mydestination and the MX records for it point to the mail server in question) /etc/postfix/pfix-srsd -v -f -p /var/lib/postfix/pfix-srsd.pid -U postfix -G postfix ~srsdomain.com~ /etc/postfix/pfix-srs.secrets * Contents of the pfix-no-srs.cf file (it gets compiled to pfix-no-srs.cf.cdb): postmaster@~srsdomain.com~ 12345 * Log data with notes: *Data connection opened from my smtp relay* Feb 2 23:20:48 quimby0 postfix/smtpd[19228]: connect from homer.terabytemedia.com[74.206.115.225] Feb 2 23:20:49 quimby0 postfix/smtpd[19228]: 30D73403ED: client=homer.terabytemedia.com[74.206.115.225] Feb 2 23:20:49 quimby0 postfix/cleanup[19232]: 30D73403ED: message-id=52ef3541.70...@terabytemedia.com *RCPT TO gets rewritten properly - from what I can tell* Feb 2 23:20:49 quimby0 postfix/qmgr[19227]: 30D73403ED: from=SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~, size=819, nrcpt=1 (queue active) Feb 2 23:20:49 quimby0 postfix/smtpd[19228]: disconnect from homer.terabytemedia.com[74.206.115.225] *Delivery attempt to gmail.com fails resulting in a bounce generated by postfix* Feb 2 
23:20:52 quimby0 postfix/smtp[19233]: 30D73403ED: to=~badaddr...@gmail.com~, orig_to=~us...@forwardingdomain.com~, relay=gmail-smtp-in.l.google.com[173.194.68.26]:25, delay=3.7, delays=0.25/0.01/0.4/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.68.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 b79si14074112qge.129 - gsmtp (in reply to RCPT TO command)) Feb 2 23:20:52 quimby0 postfix/cleanup[19232]: CC0CB40402: message-id=20140203062052.CC0CB40402@~mx1.srsdomain.com~ Feb 2 23:20:52 quimby0 postfix/qmgr[19227]: CC0CB40402: from=, size=3461, nrcpt=1 (queue active) Feb 2 23:20:52 quimby0 postfix/bounce[19234]: 30D73403ED: sender non-delivery notification: CC0CB40402 Feb 2 23:20:52 quimby0 postfix/qmgr[19227]: 30D73403ED: removed *Postfix attempts a local delivery to SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~ (resulting in unknown user error) instead of rewriting SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~ to my email and sending the bounce to a remote host* Feb 2 23:20:52 quimby0 postfix/local[19235]: CC0CB40402: to=SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=5.1.1, status=bounced (unknown user: srs0=gudw=xi=terabytemedia.com=mikemc) Feb 2 23:20:52 quimby0 postfix/qmgr[19227]: CC0CB40402: removed I am very appreciative of your help. Please let me know if any additional information is needed. Michael
Re: SRS bounces not working in postfix
Hi Michael,

It all looks fine config wise. But seems the bounce, although going through cleanup according to log, isn't rewriting. All I can suggest is to check there's no conflicting config elsewhere regarding canonical etc. such as master.cf overriding it etc.

And maybe test the decoding by

Telnet 127.0.0.1 10002

And send the following line:

get<space><addresstodecode><enter>

Example:
get SRS0==XX=test.com=t...@domain.com

(Use the address you see in logs, bearing in mind it is only valid for a period of time.)

It will either return reason it's not working, or confirm it is working and confirm it's something postfix side preventing the canonical rewriting from processing.

Regards,
Jason
Re: SRS bounces not working in postfix
Thanks again Jason - I get this using your specified telnet test: 500 Hash invalid in SRS address. So I have been playing around with it more now in light of this new information - here is what I have found: * It works and delivers mail when the -I switch is NOT present (this has been my usage in all examples). However, when I try to decode in this mode I get 500 Hash invalid in SRS address. when testing in telnet - which could explain why bounces are not working. Telnet encode tests on port 10001 work fine. * When the -I switch IS present, it does not deliver mail. However, it passes both telnet encode/decode tests. Here is the delivery problem I see in the logs: Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: connect from homer.terabytemedia.com[74.206.115.225] Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: warning: tcp:127.0.0.1:10002 lookup error for ~us...@forwardingdomain.com~ Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: NOQUEUE: reject: RCPT from homer.terabytemedia.com[74.206.115.225]: 451 4.3.0 mikeboun...@acermanuals.com: Temporary lookup failure; from=mikemc@terabyte[added_to_prevent_spam]media.com to=~us...@forwardingdomain.com~ proto=ESMTP helo=homer.terabytemedia.com Feb 3 16:31:00 quimby0 postfix/smtpd[32357]: disconnect from homer.terabytemedia.com[74.206.115.225] So I am now getting some warning: tcp:127.0.0.1:10002 lookup error with the -I switch enabled - but it passes telnet encode/decode tests. I am confused why it is logging a decoding error with -I as opposed to without -I in the logs above - you would think it would do that in either case since ~us...@forwardingdomain.com~ is not SRS encoded. One thing that might explain this - when testing on telnet with -I off, I get a 400 external domains are ignored error (maybe 4xx errors are warnings to Postfix and it continues to send and moves on to encoding?) - with -I on, I get a 500 Not an SRS address. which I assume is fatal. 
One fix might be to patch pfix-srsd (I don't program in C but could probably figure it out) to return a 400 error for the 500 Not an SRS address.. I cannot think of any way that opens me up to problems since I assume the address would just not be rewritten by Postfix in this case. Any ideas? Michael
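The telnet test from this thread as a script, added here as an example that is not code from any poster or from pfixtools: it speaks the Postfix tcp_table(5) lookup protocol ("get", a space, the key, a newline; replies start with 200, 400 or 500), runs the encode-then-decode round trip, and maps each reply code to what Postfix does with it. The stub servers, their reply tables, the addresses and the function names are constructed stand-ins so the block runs without pfix-srsd; against a real daemon, call roundtrip(10001, 10002, address).

```python
import socket
import socketserver
import threading
from urllib.parse import unquote

# What Postfix does with each tcp_table(5) reply code when the table backs a canonical map.
OUTCOME = {
    200: "found: the address is rewritten to the returned value",
    500: "not found: the address is left unchanged",
    400: "temporary error: Postfix logs 'lookup error' and answers 451 4.3.0",
}


def encode_key(key):
    """%XX-encode '%', whitespace and non-printing characters, as tcp_table(5) requires."""
    return "".join(ch if "!" <= ch <= "~" and ch != "%"
                   else "".join(f"%{b:02X}" for b in ch.encode("utf-8")) for ch in key)


def parse_reply(line):
    """Split '<code> <text>' and undo the %XX encoding of the text."""
    code, _, text = line.rstrip("\r\n").partition(" ")
    if code not in ("200", "400", "500"):
        raise ValueError(f"not a tcp_table reply: {line!r}")
    return int(code), unquote(text)


def lookup(port, key, host="127.0.0.1", timeout=5.0):
    """Send one 'get' request, like the telnet test, and return (code, text)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"get {encode_key(key)}\n".encode("utf-8"))
        with sock.makefile("r", encoding="utf-8", newline="\n") as reader:
            return parse_reply(reader.readline())


def roundtrip(encode_port, decode_port, address):
    """Encode an address, decode the result, and report where the chain breaks."""
    code, srs = lookup(encode_port, address)
    if code != 200:
        return False, f"encode failed: {code} {srs}"
    code, decoded = lookup(decode_port, srs)
    if code != 200:
        return False, f"decode failed: {code} {decoded}"
    if decoded.lower() != address.lower():
        return False, f"decode returned {decoded!r}"
    return True, srs


class _StubTable(socketserver.StreamRequestHandler):
    """Constructed stand-in for one lookup port; replies come from server.table."""

    def handle(self):
        for raw in self.rfile:
            _, _, key = raw.decode("utf-8").rstrip("\r\n").partition(" ")
            reply = self.server.table.get(unquote(key), self.server.default)
            self.wfile.write((reply + "\n").encode("utf-8"))


def start_stub(table, default):
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubTable)
    server.daemon_threads = True
    server.table, server.default = table, default
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Round trip against stubs that reuse the reply strings quoted in the thread."""
    srs = "SRS0=HHHH=TT=example.org=user@srs.example"  # constructed, not a real hash
    enc = start_stub({"user@example.org": "200 " + srs}, "500 Not found")
    good = start_stub({srs: "200 user@example.org",
                       "user@forwardingdomain.example": "400 external domains are ignored"},
                      "500 Not an SRS address.")
    bad = start_stub({srs: "500 Hash invalid in SRS address."}, "500 Not an SRS address.")
    try:
        e, g, b = (s.server_address[1] for s in (enc, good, bad))
        return (roundtrip(e, g, "user@example.org"),   # secrets agree
                roundtrip(e, b, "user@example.org"),   # encodes but cannot decode
                lookup(g, "user@forwardingdomain.example"))
    finally:
        for s in (enc, good, bad):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    ok, broken, (code, text) = demo()
    print(ok, broken, sep="\n")
    print(code, text, "->", OUTCOME[code])
```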