[pfx] Re: Bounces are disappearing

2024-06-24 Thread Wietse Venema via Postfix-users
Nico Hoffmann via Postfix-users:
>Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3:
>from=, size=471, nrcpt=1 (queue active)

This message was sent from x...@lewonzelewonze.de, therefore
a non-delivery notification will be sent to that address. This is
defined in the SMTP protocol, also known as RFC 5321.

>Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender
>non-delivery notification: 3DBEA354BC8
>...dialup...
>Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, 
> size=2533,
>nrcpt=1 (queue active)
>Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8:
>to=, relay=mail.gmx.de[212.227.17.168]:25, delay=16,
>delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host

As required by RFC 5321 the non-delivery notification is sent to
x...@lewonze.de.

Also as required by RFC 5321 the non-delivery notification has a
null sender address. After a delivery failure the MTA MUST NOT send
another non-delivery notification.

You can configure Postfix to send you some information
about undeliverable mail:

main.cf:
notify_classes = resource, software, bounce
bounce_notice_recipient = you@localhost

This is not a backup mechanism, you only receive the message header.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Bounces are disappearing

2024-06-24 Thread Nico Hoffmann via Postfix-users



Hello,

I have a question about dealing with locally generated email (non
delivery notifications) with an empty sender address.

I am running postfix 3.8.5 on my 'dialup' box. It is used to deliver
my email by smtp via a relay host. I submit outgoing email with a user
settable envelope address (I do no sender address rewriting for
outgoing email).

But if there are bounces because the email is rejected by the relay,
(a typo in the domain of the recipient address, for example...) things
get weird. See the log snippet below.

Apparently, postfix creates a non delivery notification for the
rejected email. This has an empty sender address, and actually it
should go back to me, in my local mailbox and not be sent to any node
outside.

But postfix offers this non delivery notification to the relay, which
rejects it, this time for having an empty sender address.

Now, postfix seems to discard the email silently, at least I didn't
find it anywhere.

I think postfix should deliver such emails only locally, not to a relay
host, even if the recipient address is a valid, routable email
address. But I didn't find out how to configure such a rule.
BTW., aliases for root/postmaster/MAILER-DAEMON are set up,

Any hint is welcome.

Thanks in advance,

N.

P.S.:
Just for being complete: I've set up sender dependent relaying. Email
with a from address "@lewonze.de" is sent via variomedia.de, the rest
is sent via gmx.de.  For straightforward cases, this works well. I
don't think that this plays a role here.

In short, my settings in main.cf look like this:

  # grep -v "#\|^$" main.cf
  compatibility_level = 3.7
  queue_directory = /var/spool/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/libexec/postfix
  data_directory = /var/lib/postfix
  mail_owner = postfix
  unknown_local_recipient_reject_code = 550
  alias_maps = hash:/etc/postfix/aliases
  alias_database = $alias_maps
  debug_peer_level = 2
  debugger_command =
   PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
   ddd $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/sbin/sendmail
  newaliases_path = /usr/bin/newaliases
  mailq_path = /usr/bin/mailq
  setgid_group = postdrop
  html_directory = no
  manpage_directory = /usr/share/man
  sample_directory = /etc/postfix
  readme_directory = no
  meta_directory = /etc/postfix
  shlib_directory = /usr/lib64/postfix/${mail_version}
  mail_spool_directory = /var/mail
  smtp_sasl_security_options = noplaintext, noanonymous
  smtp_sasl_tls_security_options = noanonymous
  smtp_sender_dependent_authentication = yes
  sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
  smtp_sasl_auth_enable = yes
  smtp_tls_security_level = encrypt
  smtp_sasl_tls_security_options = noanonymous
  relayhost = mail.gmx.de
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  defer_transports = smtp
  home_mailbox = Mail/inbox
  mailbox_size_limit = 16384
  message_size_limit = 8192


Here is the log snippet:

  Jun 23 22:50:02 schubert postfix/pickup[7287]: 60970354BC3: uid=1000
  from=
  Jun 23 22:50:02 schubert postfix/cleanup[7776]: 60970354BC3:
  message-id=
  Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3:
  from=, size=471, nrcpt=1 (queue active)
  Jun 23 22:50:02 schubert postfix/error[7782]: 60970354BC3:
  to=, relay=none, delay=0.01, delays=0.01/0/0/0,
  dsn=4.3.2, status=deferred (deferred transport)
  Jun 23 22:50:11 schubert postfix/qmgr[26673]: 60970354BC3:
  from=, size=471, nrcpt=1 (queue active)
  Jun 23 22:50:12 schubert postfix/smtp[7836]: 60970354BC3:
  to=,
  relay=smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::]:25, delay=9.8,
  delays=9.1/0.04/0.64/0.08, dsn=5.0.0, status=bounced (host
  smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::] said: 550 Unrouteable address
  (in reply to RCPT TO command))
  Jun 23 22:50:12 schubert postfix/cleanup[7776]: 3DBEA354BC8:
  message-id=<20240623205012.3DBEA354BC8@schubert.localdomain>
  Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender
  non-delivery notification: 3DBEA354BC8
  Jun 23 22:50:12 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533,
  nrcpt=1 (queue active)
  Jun 23 22:50:12 schubert postfix/qmgr[26673]: 60970354BC3: removed
  Jun 23 22:50:12 schubert postfix/error[7782]: 3DBEA354BC8:
  to=, relay=none, delay=0, delays=0/0/0/0, dsn=4.3.2,
  status=deferred (deferred transport)
  Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533,
  nrcpt=1 (queue active)
  Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8:
  to=, relay=mail.gmx.de[212.227.17.168]:25, delay=16,
  delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host
  mail.gmx.de[212.227.17.168] said: 550-Requested action not taken: mailbox
  unavailable 550 Sender address is not allowed. (in reply to MAIL FROM
  command))
  Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: removed
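
Added example (not part of the original post): a log check that finds non-delivery notifications which themselves bounced, the case in this thread where the notification is removed without any further notice. The sample reuses the log lines above with placeholder addresses, since the archive stripped the real ones; the function and field names are hypothetical.

```python
import re

# Constructed sample: log lines from the post above, with placeholder
# addresses filled in where the list archive stripped them.
SAMPLE_LOG = """\
Jun 23 22:50:11 schubert postfix/qmgr[26673]: 60970354BC3: from=<user@sender.example>, size=471, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/smtp[7836]: 60970354BC3: to=<friend@typo.example>, relay=smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::]:25, delay=9.8, delays=9.1/0.04/0.64/0.08, dsn=5.0.0, status=bounced (host smtp.variomedia.de[2a00:1c38:1:1:511c:e01c::] said: 550 Unrouteable address (in reply to RCPT TO command))
Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender non-delivery notification: 3DBEA354BC8
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, size=2533, nrcpt=1 (queue active)
Jun 23 22:50:12 schubert postfix/qmgr[26673]: 60970354BC3: removed
Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8: to=<user@sender.example>, relay=mail.gmx.de[212.227.17.168]:25, delay=16, delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host mail.gmx.de[212.227.17.168] said: 550-Requested action not taken: mailbox unavailable 550 Sender address is not allowed. (in reply to MAIL FROM command))
Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: removed
"""

# "postfix/<daemon>[pid]: <queue id>: <rest>", also for multi-instance names
LINE = re.compile(r"postfix(?:-[\w-]+)?/(\w+)\[\d+\]: (\w+): (.*)")
FROM = re.compile(r"from=<([^>]*)>")
NOTIFY = re.compile(r"sender non-delivery notification: (\w+)")
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),.*?"
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def find_lost_bounces(log_text):
    """Return notifications (envelope sender <>) whose delivery bounced."""
    sender = {}  # queue id -> envelope sender as logged by qmgr
    parent = {}  # notification queue id -> queue id of the failed message
    lost = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.group(1), m.group(2), m.group(3).strip()
        if qid == "NOQUEUE":
            continue
        if daemon == "qmgr":
            f = FROM.search(rest)
            if f:
                sender[qid] = f.group(1)
        elif daemon == "bounce":
            n = NOTIFY.search(rest)
            if n:
                parent[n.group(1)] = qid
        else:
            d = DELIVERY.search(rest)
            # A bounced message with a null sender gets no notification of
            # its own, so this is the last trace of it in the log.
            if d and d.group("status") == "bounced" and sender.get(qid) == "":
                lost.append({
                    "dsn_qid": qid,
                    "original_qid": parent.get(qid),
                    "rcpt": d.group("rcpt"),
                    "relay": d.group("relay"),
                    "reason": d.group("reason"),
                })
    return lost


if __name__ == "__main__":
    for item in find_lost_bounces(SAMPLE_LOG):
        print(item)
```
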



[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 11:57:22AM +0100, Daniel Marquez-Klaka via 
Postfix-users wrote:

> Why my setup looks like this? mail-server1 serves a couple of other mail
> domains, not only the one destined for the mailing lists. An access list
> here would affect all domains, right?

Only if the access rules in question apply to those domains.  You should
be able to use "smtpd_restriction_classes" to apply some rules to just
the domain in question.

    smtpd_restriction_classes = list_server_access
    smtpd_recipient_restrictions =
        check_recipient_access inline:{
            { list.example.org = list_server_access } }
        ...

    list_server_access =
        check_sender_access inline:{
            { a.example = permit_auth_destination },
            { b.example = permit_auth_destination },
            { c.example = permit_auth_destination } }

-- 
Viktor.


[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Jaroslaw Rafa via Postfix-users
On 27.03.2024 at 11:57:22 Daniel Marquez-Klaka via Postfix-users wrote:
> True as well that mailman can restrict senders to list members only
> but I have a couple of open lists that should be addressable by all
> participating domains/companies, no one else.

If you have a list of domains from which mail should be accepted, you can
configure that in mailman too.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Daniel Marquez-Klaka via Postfix-users

Hiya,

thanks for your replies. My solution was as easy as adding the line
"/^([<]+[>])$/ OK" to my access map.

Changing smtpd_null_access_lookup_key didn’t seem to have any effect.

Why my setup looks like this? mail-server1 serves a couple of other mail
domains, not only the one destined for the mailing lists. An access list
here would affect all domains, right? Also, by moving the access part to
the satellite server, it keeps the config on mail-server1 straight.

True as well that mailman can restrict senders to list members only but
I have a couple of open lists that should be addressable by all
participating domains/companies, no one else.


Cheers,
Daniel


--
Anything that is unrelated to elephants is irrelephant.

On 25.3.2024 18:05, Jaroslaw Rafa via Postfix-users wrote:
> On 25.03.2024 at 16:11:47 Daniel Marquez-Klaka via Postfix-users wrote:
>> 2 postfix mail server, one, mail-server1, is connected to the
>> internet, the second, calling it list-server1, which serves a few
>> mailing lists, is only reachable thru mail-server1.
>>
>> On mail-server1 a transport map entry sends everything for
>> @list-dom.de to list-server1, list-server1 does his work and sends
>> all back to mail-server1 which then delivers to the final destination.
>>
>> On list-server1, to prevent the whole world sending mails, I have
>> installed a check_sender_access map to accept a few allowed domains,
>> reject everything else.
>
> I don't understand what is actually your scenario and what exactly are
> you trying to prevent.
>
> From what you write, I assume that only mail-server1 is open to receive
> mail from the Internet, and it forwards only messages that should reach
> list-server1 to that server. I assume list-server1 does not accept mails
> directly from the Internet, so there is no possibility of "whole world
> sending mails" to it. (If it isn't the case, then just block
> list-server1 from receiving mails from anywhere except mail-server1
> using check_client_access).
>
> Maybe you want the people who are not subscribed to the mailing lists on
> list-server1 to not be able to send mail to those lists? But you can do
> this directly on mailing list level, every mailing list software has
> controls that allow to specify who is able to send to the list (usually
> the choice is everyone/subscribers only/moderators only, sometimes
> additionally you can block or allow particular senders).
>
> So please describe more clearly, what do you actually want to do.

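
Added example (not code from the thread): a small model of the regexp access map from this thread, showing why the posted patterns reject the null sender and how the one-line fix changes that. Python's `re` stands in for the Postfix regexp table (first match wins, case-insensitive by default); the `HARDENED` table with escaped dots and a `$` anchor is an addition that nobody in the thread posted.

```python
import re

# access_sender as originally posted in the thread.
ORIGINAL = [
    (r"^([a-z0-9_=\.-]+)@dom1.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom2.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom3.de", "OK"),
]

# The same table plus the null-sender line from the solution above.
AS_FIXED = [(r"^([<]+[>])$", "OK")] + ORIGINAL

# Assumption, not from the thread: same intent, but the domain dots are
# escaped and the pattern is anchored at the end of the address.
HARDENED = [
    (r"^([<]+[>])$", "OK"),
    (r"^[a-z0-9_=.-]+@dom1\.de$", "OK"),
    (r"^[a-z0-9_=.-]+@dom2\.de$", "OK"),
    (r"^[a-z0-9_=.-]+@dom3\.de$", "OK"),
]


def lookup(table, key):
    """First matching pattern wins, as in a Postfix regexp table."""
    for pattern, result in table:
        if re.search(pattern, key, re.IGNORECASE):
            return result
    return None


def sender_decision(table, envelope_sender, null_key="<>"):
    """Model of 'check_sender_access regexp:..., reject'.

    An empty envelope sender is looked up under
    smtpd_null_access_lookup_key, whose default value is "<>".
    """
    key = envelope_sender if envelope_sender else null_key
    return lookup(table, key) or "reject"


if __name__ == "__main__":
    # Constructed sample senders.
    samples = ["alice@dom1.de", "", "alice@dom1.de.example.net",
               "alice@dom1-de.example", "bob@other.example"]
    for s in samples:
        print(repr(s),
              sender_decision(ORIGINAL, s),
              sender_decision(AS_FIXED, s),
              sender_decision(HARDENED, s))
```

The unanchored patterns also accept senders such as `alice@dom1.de.example.net`, which is one reason a plain domain lookup table is easier to get right than a regular expression for this job.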


[pfx] Re: strict access restrictions and bounces

2024-03-25 Thread Jaroslaw Rafa via Postfix-users
On 25.03.2024 at 16:11:47 Daniel Marquez-Klaka via Postfix-users wrote:
> 2 postfix mail server, one, mail-server1, is connected to the
> internet, the second,
> calling it list-server1, which serves a few mailing lists, is only
> reachable thru
> mail-server1.
> 
> On mail-server1 a transport map entry sends everything for
> @list-dom.de to list-server1,
> list-server1 does his work and sends all back to mail-server1 which
> then delivers to
> the final destination.
> 
> On list-server1, to prevent the whole world sending mails, I have
> installed a
> check_sender_access map to accept a few allowed domains, reject
> everything else.

I don't understand what is actually your scenario and what exactly are you
trying to prevent.

From what you write, I assume that only mail-server1 is open to receive mail
from the Internet, and it forwards only messages that should reach
list-server1 to that server. I assume list-server1 does not accept mails
directly from the Internet, so there is no possibility of "whole world
sending mails" to it. (If it isn't the case, then just block list-server1
from receiving mails from anywhere except mail-server1 using
check_client_access).

Maybe you want the people who are not subscribed to the mailing lists on
list-server1 to not be able to send mail to those lists? But you can do this
directly on mailing list level, every mailing list software has controls
that allow to specify who is able to send to the list (usually the choice is
everyone/subscribers only/moderators only, sometimes additionally you can
block or allow particular senders).

So please describe more clearly, what do you actually want to do.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: strict access restrictions and bounces

2024-03-25 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 25, 2024 at 04:11:47PM +0100, Daniel Marquez-Klaka via 
Postfix-users wrote:

> I have a problem with check_sender_access that I can't find a solution to.
>
> 2 postfix mail server, one, mail-server1, is connected to the
> internet, the second, calling it list-server1, which serves a few
> mailing lists, is only reachable thru mail-server1.
> 
> On mail-server1 a transport map entry sends everything for
> @list-dom.de to list-server1, list-server1 does his work and sends all
> back to mail-server1 which then delivers to the final destination.
> 
> On list-server1, to prevent the whole world sending mails, I have
> installed a check_sender_access map to accept a few allowed domains,
> reject everything else.

The problem is self-inflicted, the access checks are in the wrong place.
The access(5) checks need to be implemented *at* the edge relay
(server1), not the downstream list server.

> ... bounces, as they are sent with empty FROM (<>), as I understand to
> prevent loops, get rejected too. This is a problem because nobody will
> ever notice if there are dead emails in a list. Also, automatic bounce
> handling (I am using mailman3 on list-server1)
> will never do anything.

The vast majority of bounces will happen at the outbound edge relay,
when remote systems reject the outgoing mail.  These will not run into
any access check issues, once they're implemented in the right place.

Some bounces will be remote, you can use a milter to process remote
bounces, parsing the bounce multipart/report.

Bottom line, all filters belong on the relay, not the internal server.

-- 
Viktor.


[pfx] Re: strict access restrictions and bounces

2024-03-25 Thread Matus UHLAR - fantomas via Postfix-users

On 25.03.24 16:11, Daniel Marquez-Klaka via Postfix-users wrote:
> I have a problem with check_sender_access that I can't find a solution
> to.
>
> My setup actually works very well with the exception of bounce handling.
> More on that later, first to describe my setup:
>
> 2 postfix mail server, one, mail-server1, is connected to the
> internet, the second, calling it list-server1, which serves a few
> mailing lists, is only reachable thru mail-server1.
>
> On mail-server1 a transport map entry sends everything for
> @list-dom.de to list-server1, list-server1 does his work and sends all
> back to mail-server1 which then delivers to the final destination.
>
> On list-server1, to prevent the whole world sending mails, I have
> installed a check_sender_access map to accept a few allowed domains,
> reject everything else.
>
>  8<
> smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/config/access_sender,
>     reject
>  8<
>
> access_sender file:
>
>  8<
> /^([a-z0-9_=\.-]+)@dom1.de/   OK
> /^([a-z0-9_=\.-]+)@dom2.de/   OK
> /^([a-z0-9_=\.-]+)@dom3.de/   OK

are you trying to limit allowed characters for local part of address in
those domains?

I'd recommend simple hash map, containing "dom1.de", "dom2.de", "dom3.de"
- you need not (probably should not) to use regular expressions for
everything

>  8<
>
> All fine so far, but...
>
> ... bounces, as they are sent with empty FROM (<>), as I understand to
> prevent loops, get rejected too. This is a problem because nobody will
> ever notice if there are dead emails in a list. Also, automatic bounce
> handling (I am using mailman3 on list-server1) will never do anything.
>
>  8<
> : host 10.245.16.24[10.245.16.24] said: 554 5.7.1 <>:
>    Sender address rejected: Access denied (in reply to MAIL FROM command)
>  8<

add "<>" or whatever you have defined as smtpd_null_access_lookup_key as
another allowed sender.

http://www.postfix.org/postconf.5.html#smtpd_null_access_lookup_key

> with 10.245.16.24 being list-server1
>
> After all googling and manual reading I have done, I can't find a
> solution and hope someone can point me into the right direction.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...


[pfx] strict access restrictions and bounces

2024-03-25 Thread Daniel Marquez-Klaka via Postfix-users

Hello List,

I have a problem with check_sender_access that I can't find a solution
to.

My setup actually works very well with the exception of bounce handling.
More on that later, first to describe my setup:

2 postfix mail server, one, mail-server1, is connected to the internet,
the second, calling it list-server1, which serves a few mailing lists, is
only reachable thru mail-server1.

On mail-server1 a transport map entry sends everything for @list-dom.de
to list-server1, list-server1 does his work and sends all back to
mail-server1 which then delivers to the final destination.

On list-server1, to prevent the whole world sending mails, I have
installed a check_sender_access map to accept a few allowed domains,
reject everything else.

 8<
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/config/access_sender,
    reject
 8<

access_sender file:

 8<
/^([a-z0-9_=\.-]+)@dom1.de/   OK
/^([a-z0-9_=\.-]+)@dom2.de/   OK
/^([a-z0-9_=\.-]+)@dom3.de/   OK
 8<

All fine so far, but...

... bounces, as they are sent with empty FROM (<>), as I understand to
prevent loops, get rejected too. This is a problem because nobody will
ever notice if there are dead emails in a list. Also, automatic bounce
handling (I am using mailman3 on list-server1) will never do anything.

 8<
: host 10.245.16.24[10.245.16.24] said: 554 5.7.1 <>:
Sender address rejected: Access denied (in reply to MAIL FROM command)
 8<

with 10.245.16.24 being list-server1

After all googling and manual reading I have done, I can't find a
solution and hope someone can point me into the right direction.

Thanks in advance,
Daniel

--
Anything that is unrelated to elephants is irrelephant.


[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-28 Thread Bill Cole via Postfix-users
On 2024-02-27 at 16:39:54 UTC-0500 (Tue, 27 Feb 2024 13:39:54 -0800 (PST))
lists--- via Postfix-users
is rumored to have said:

> I have a sender_checks file but I don't see that on the postfix.org
> website. Is that a deprecated parameter?

The names of Postfix map files are up to you. Their usage is determined
by the specific restriction directive referencing them.

So you could have 'check_sender_access
hash:/etc/postfix/any_name_you_like' and Postfix will use that file, as
long as you populate it with access entries and 'postmap' it to create
the .db file.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread Wietse Venema via Postfix-users
Wietse:
> Your mistake:  you are trying to match a SENDER ADDRESS with 
> check_CLIENT_access.

lists--- via Postfix-users:
> Well do I put the domain in sender_access or sender_checks?

What do you want to not block: the sender email domain? Then
use check_sender_access (note that is check_sender_access
not check_sender) and follow instructions in

https://www.postfix.org/access.5.html

Specifically the section "EMAIL ADDRESS PATTERNS".

Wietse
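
Added example (not from the thread): a simplified model of the access(5) lookup keys, showing why an entry for the sender's domain in a table used by check_client_access never matches and the RBL check still fires. It assumes the default parent_domain_matches_subdomains behaviour; the sender address is constructed, and the contents of sender_checks and rbl_override are not shown in the thread, so they are modelled as empty.

```python
def client_keys(hostname, ip):
    """Keys tried by check_client_access: host name, parent domains,
    then the IPv4 address and its octet prefixes (simplified)."""
    labels = hostname.lower().split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def sender_keys(address):
    """Keys tried by check_sender_access: full address, domain and
    parent domains, then 'localpart@' (simplified)."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def access_lookup(table, keys):
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"


def evaluate(restrictions, session):
    """Walk the restriction list in order; the first OK or REJECT decides."""
    for name, arg in restrictions:
        action = "DUNNO"
        if name == "check_client_access":
            action = access_lookup(
                arg, client_keys(session["client_name"], session["client_addr"]))
        elif name == "check_sender_access":
            action = access_lookup(arg, sender_keys(session["sender"]))
        elif name == "reject_rbl_client":
            # Stand-in for the DNSBL query: arg is the set of listed addresses.
            action = "REJECT" if session["client_addr"] in arg else "DUNNO"
        if action == "OK":
            return "permit by " + name
        if action == "REJECT":
            return "reject by " + name
    return "permit (end of list)"


# Client name and address from the log in the thread; sender is constructed.
SESSION = {
    "client_name": "mail-dm6nam10on2125.outbound.protection.outlook.com",
    "client_addr": "40.107.93.125",
    "sender": "someone@idontspam.com",
}
LISTED = {"40.107.93.125"}  # the log shows this address listed at bl.spamcop.net

AS_POSTED = [
    ("check_client_access", {"idontspam.com": "OK"}),  # client_checks
    ("check_sender_access", {}),                       # sender_checks (assumed empty)
    ("check_client_access", {}),                       # rbl_override (assumed empty)
    ("reject_rbl_client", LISTED),
]
CORRECTED = [
    ("check_client_access", {}),
    ("check_sender_access", {"idontspam.com": "OK"}),  # entry moved here
    ("check_client_access", {}),
    ("reject_rbl_client", LISTED),
]

if __name__ == "__main__":
    print(client_keys(SESSION["client_name"], SESSION["client_addr"]))
    print(sender_keys(SESSION["sender"]))
    print(evaluate(AS_POSTED, SESSION))
    print(evaluate(CORRECTED, SESSION))
```

A sender-domain override applies to every client that presents that envelope sender, so it skips the RBL check for forged senders as well.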


[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread lists--- via Postfix-users
Well do I put the domain in sender_access or sender_checks?

It looks like sender_access with an OK since it acts on the FROM field.

https://www.postfix.org/postconf.5.html

I have a sender_checks file but I don't see that on the postfix.org website. Is 
that a deprecated parameter?

Feb 27, 2024 1:09:02 PM Wietse Venema :

> Your mistake:  you are trying to match a SENDER ADDRESS with 
> check_CLIENT_access.
> 
>     Wietse


[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread Wietse Venema via Postfix-users
Your mistake:  you are trying to match a SENDER ADDRESS with 
check_CLIENT_access.

Wietse


[pfx] rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread lists--- via Postfix-users


I still have that problem with the sender that used a spammy microsoft
server that gets rejected by IP for using spamcop. I put the domain in
the client_checks file but the sender gets bounced.

postconf mail_version
mail_version = 3.8.1

compatibility_level = 2

The client_checks line was added. 

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_non_fqdn_recipient,
  check_client_access hash:/etc/postfix/client_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  check_client_access hash:/etc/postfix/rbl_override,
  reject_rbl_client bl.spamcop.net,
  check_policy_service unix:private/policy

This is the contents of client_checks:
cat client_checks
idontspam.com OK

A simple check to verify the postmap worked:

sh-4.2# ls -l client_check*
-rw-r--r-- 1 root root    19 Feb 25 03:03 client_checks
-rw-r--r-- 1 root root 12288 Feb 25 03:06 client_checks.db


**
This is an actual spammer being rejected:
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: connect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: Anonymous TLS connection established from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: NOQUEUE: reject: RCPT from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]: 554 5.7.1 Service unavailable; Client host [40.107.220.108] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.220.108; from= to= proto=ESMTP helo=
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]"
Feb 25 23:10:04 MYDOMAIN postfix/smtpd[19121]: disconnect from mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
**

**
This is email from the sender that appears on the client_check file

Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: connect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: Anonymous TLS connection established from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: NOQUEUE: reject: RCPT from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: 554 5.7.1 Service unavailable; Client host [40.107.93.125] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.125; from= to= proto=ESMTP helo=
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "m...@mydomain.com" from client "mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]"
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: disconnect from mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 27 03:57:47



Bounces from gmail

2023-01-28 Thread Håkon Alstadheim
Amateur mail-admin here (I know, don't do that). I have a redirect to
gmail set up for two users, and at times this happens:

1) The relayhost ("smarthost") I use, my internet provider, will accept
the mail for gmail.

2) Gmail rejects the mail as spam.

3) Relayhost bounces mail back at me.

4) My postfix tries to forward the bounce back at original sender.

5) Relayhost rejects mail.

Point 5 there I can't get my head around precisely /how/ the forwarded
bounce is rejected, suffice to say it is rejected before the relayhost
queues it, thanks for that at least.

Anybody have any pointers for how I could pre-emptively grab those
bounces and set them aside? At present I just manually put them on hold,
check the contents manually and then when I find they really are spam I
delete them, possibly mailing the user a heads up to check his account
on my host to make sure he's not missing anything important.

Now I'd really like to collect those bounces (in case they are not spam)
and compile an archive, or at least a report, for the gmail recipients.



Log excerpt from the bounce, altibox.no is my provider:

Jan 27 18:17:11 garbo postfix-incoming/smtpd[17720]: connect from 
altibox-smtp3.altibox.no[212.97.141.37]:51913
Jan 27 18:17:11 garbo postsrsd[17722]: srs_reverse: 
 rewritten as 

Jan 27 18:17:11 garbo postfix-incoming/smtpd[17720]: 8BBAED26F60: 
client=altibox-smtp3.altibox.no[212.97.141.37]:51913
Jan 27 18:17:11 garbo postfix-incoming/cleanup[17723]: 8BBAED26F60: 
message-id=<20230127171711.686ed128...@altibox-smtp3.altibox.no>
Jan 27 18:17:13 garbo rspamd[2641]: ; proxy; 
rspamd_task_write_log: id: 
<20230127171711.686ed128...@altibox-smtp3.altibox.no>, qid: 
<8BBAED26F60>, ip: 212.97.141.37, (default: F (no action): [0.61/400.00] 
[BAYES_HAM(-4.99){99.99%;},RSPAMD_URIBL(4.50){dhl-ma.com:url;},R_MIXED_CHARSET(1.11){subject;},BOUNCE(-0.10){DSN;},DMARC_POLICY_SOFTFAIL(0.10){altibox.no 
: No valid SPF, No valid 
DKIM;none;},MIME_GOOD(-0.10){text/plain;},RCVD_NO_TLS_LAST(0.10){},ARC_NA(0.00){},ASN(0.00){asn:48854, 
ipnet:212.97.140.0/22, 
country:DK;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;1:+;2:~;3:~;4:~;},NEURAL_HAM(-0.00){-0.852;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no 
SPF record;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 
22473, time: 1395.675ms, dns req: 64, digest: 
<52a0923f840b246f04b1c4842e916f00>, rcpts: 
, mime_rcpts: 

Jan 27 18:17:13 garbo rspamd[2641]: ; proxy; 
rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 5 
regexps matched, 172 regexps total, 66 regexps cached, 0B scanned using 
pcre, 24.40KiB scanned total
Jan 27 18:17:13 garbo postfix-incoming/qmgr[22826]: 8BBAED26F60: 
from=<>, size=22762, nrcpt=1 (queue active)
Jan 27 18:17:13 garbo postfix-incoming/smtpd[17720]: disconnect from 
altibox-smtp3.altibox.no[212.97.141.37]:51913 ehlo=1 mail=1 rcpt=1 
data=1 quit=1 commands=5
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: connect from 
localhost[127.0.0.1]:50734
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: NOQUEUE: 
reject: RCPT from localhost[127.0.0.1]:50734: 450 4.1.1 
: Recipient address 
rejected: User unknown in local recipient table; from=<> 
to= proto=ESMTP 
helo=
Jan 27 18:17:13 garbo postfix-incoming/smtp[17724]: 8BBAED26F60: 
to=, 
relay=127.0.0.1[127.0.0.1]:10025, delay=1.5, delays=1.5/0.01/0.01/0.02, 
dsn=4.1.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.1.1 
: Recipient address 
rejected: User unknown in local recipient table (in reply to RCPT TO 
command))
Jan 27 18:17:13 garbo postfix-local-deliver/cleanup[17728]: 
137C1C20FD5D: 
message-id=<20230127171713.137c1c20f...@postfix-local-deliver.alstadheim.priv.no>
Jan 27 18:17:13 garbo postfix-local-deliver/smtpd[17725]: disconnect 
from localhost[127.0.0.1]:50734 ehlo=1 xforward=2 mail=1 rcpt=0/1 
data=0/1 rset=1 quit=1 commands=6/8
Jan 27 18:17:13 garbo postfix-local-deliver/qmgr[4342]: 137C1C20FD5D: 
from=, 
size=1553, nrcpt=1 (queue active)
Jan 27 18:17:13 garbo dovecot: 
lda(hakon)<17731>: sieve: 
msgid=<20230127171713.137c1c20f...@postfix-local-deliver.alstadheim.priv.no>: 
stored mail into mailbox 'INBOX'
Jan 27 18:17:13 garbo postfix-local-deliver/local[17729]: 137C1C20FD5D: 
to=, orig_to=, relay=local, 
delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered 
to command: /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT")
Jan 27 18:17:13 garbo postfix-local-deliver/qmgr[4342]: 137C1C20FD5D: 
removed


Re: How to allow bounces to authenticaded users

2018-10-21 Thread Wietse Venema
Håkon Alstadheim:
> I have a rather convoluted multi-instance setup that mostly works to my
> liking, with spam-filters, hand-off to mailman, dkim-signing and
> whatnot. One problem is that mis-typed outgoing addresses (host part)
> from my local, authenticated users end up deferred (450) and not bounced
> back to the sender. I am a bit wary of enabling bounces, but if I can
> make sure that I don't bounce incoming mail, I should be OK.

You are not supposed to accept and deliver mail for a remote recipient
domain (whether it exists or not) from unauthenticated clients or
untrusted clients.  That would be an exploitable open relay.

As long as that condition is met, only authenticated or trusted
clients can specify a non-existent recipient domain.

> Long story short, If in a specific postfix instance I am SURE I'm only
> handling mail submitted by authenticated users, I should be OK to change
> unknown_address_reject_code to 550 ?

I think so. This controls the handling of a non-existent domain with
reject_unknown_recipient_domain and reject_unknown_sender_domain.

Wietse

> I don't want to do the change in submit (before queue) because I have a
> dance with DKIM signing before handing off to address-mapping and
> further to relay/local delivery/mailman,
> 
> 


Re: How to allow bounces to authenticaded users

2018-10-21 Thread Håkon Alstadheim
Sorry folks, I'm not entirely there today. Receiving MX may of course be
temporarily gone from DNS, so 450 it is. Please allow this thread to
disappear into oblivion. :-)


On 21 Oct. 2018 15:47, Håkon Alstadheim wrote:
> I have a rather convoluted multi-instance setup that mostly works to my
> liking, with spam-filters, hand-off to mailman, dkim-signing and
> whatnot. One problem is that mis-typed outgoing addresses (host part)
> from my local, authenticated users end up deferred (450) and not bounced
> back to the sender. I am a bit wary of enabling bounces, but if I can
> make sure that I don't bounce incoming mail, I should be OK.
>
> Long story short, If in a specific postfix instance I am SURE I'm only
> handling mail submitted by authenticated users, I should be OK to change
> unknown_address_reject_code to 550 ?
>
> I don't want to do the change in submit (before queue) because I have a
> dance with DKIM signing before handing off to address-mapping and
> further to relay/local delivery/mailman,
>



How to allow bounces to authenticated users

2018-10-21 Thread Håkon Alstadheim
I have a rather convoluted multi-instance setup that mostly works to my
liking, with spam-filters, hand-off to mailman, dkim-signing and
whatnot. One problem is that mis-typed outgoing addresses (host part)
from my local, authenticated users end up deferred (450) and not bounced
back to the sender. I am a bit wary of enabling bounces, but if I can
make sure that I don't bounce incoming mail, I should be OK.

Long story short, If in a specific postfix instance I am SURE I'm only
handling mail submitted by authenticated users, I should be OK to change
unknown_address_reject_code to 550 ?

I don't want to do the change in submit (before queue) because I have a
dance with DKIM signing before handing off to address-mapping and
further to relay/local delivery/mailman,



Re: Reject bounces

2017-09-15 Thread Wietse Venema
George:
> Hi,
> 
> I have a mail server running postfix that sends a lot of emails and gets
> back a lot of bounces. These bounces are filling up my server and causing
> additional load.
> 
> Is there any way on a postfix level to reject/not accept any type of bounce
> that gets sent to the mail server?

Fix the real problem: you are using stale recipient lists. Fix that
problem, and you might find that more of your email is accepted.

Wietse


Re: Reject bounces

2017-09-15 Thread Ralph Seichter
On 15.09.2017 17:00, "George" wrote:

> I have a mail server running postfix that sends a lot of emails and
> gets back a lot of bounces. These bounces are filling up my server and
> causing additional load.
>
> Is there any way on a postfix level to reject/not accept any type of
> bounce that gets sent to the mail server?

Seriously? Is this not answered in the Spam Senders Anonymous new member
information package? ;-)

-Ralph



Re: Reject bounces

2017-09-15 Thread Benny Pedersen

George wrote on 2017-09-15 17:00:

> I have a mail server running postfix that sends a lot of emails and
> gets back a lot of bounces. These bounces are filling up my server and
> causing additional load.

if i know my book right, you send mail to a host that accept and bounce
where they should have rejected ?

in that case you should use dns rpz zone with a list of hosts that makes
backscattering with accept and bounce

in postfix you can make a recipient access with hosts to make local
reject mail to hosts like this, sadly this is maintain works :(

> Is there any way on a postfix level to reject/not accept any type of
> bounce that gets sent to the mail server?

if i am right above you should do nothing, if unsure show logs from you
that shows exact problem

do not make -v on smtpd to be helpful, raw plain logs not debug logs

hopefully others can then help more than me


Reject bounces

2017-09-15 Thread George
Hi,

I have a mail server running postfix that sends a lot of emails and gets
back a lot of bounces. These bounces are filling up my server and causing
additional load.

Is there any way on a postfix level to reject/not accept any type of bounce
that gets sent to the mail server?

Please let me know.


Re: Getting bounces from only one server

2017-02-15 Thread Matthew McGehrin

Hello,

On Server2, configure bounce_notice_recipient to an e-mail address that
is located on server1.

By default it's using Postmaster.

Otherwise, on Server2, forward mail from the Postmaster account to server2.

Marco Pizzoli wrote:

> Dear all,
> I need to find a workaround an issue I am facing due to the limitation
> of an external product I am using to send/receive emails.
>
> Long story short:
> - 2 postfix servers acting both as sending as receiving servers
> from/to the Internet.
> - 1 application server sending to the Internet via both of them
> - the application server is capable of getting bounce information
> polling via POP3 ONLY one location
>
> So my need is to get the bounces only via server1.
> Is there a way to accomplish this?
> Somewhat like a DSN relay?



Getting bounces from only one server

2017-02-15 Thread Marco Pizzoli
Dear all,
I need to find a workaround an issue I am facing due to the limitation of
an external product I am using to send/receive emails.

Long story short:
- 2 postfix servers acting both as sending as receiving servers from/to the
Internet.
- 1 application server sending to the Internet via both of them
- the application server is capable of getting bounce information polling
via POP3 ONLY one location

So my need is to get the bounces only via server1.
Is there a way to accomplish this?
Somewhat like a DSN relay?

I am open for suggestions...

I am already thinking about migrating the POP3 server to Dovecot and making
use of its "sync" capabilities, but again I would appreciate hearing other
ideas...

Thank you in advance
Marco


Re: Is not honoring bounces-to violation of RFC?

2016-07-02 Thread Bill Cole

On 29 Jun 2016, at 11:45, Chip wrote:

> I will read up on it.  Thank you for the link.
>
> Not everyone, I think, who visits this list is an engineer.

True, unless you accept Michael Wise's generous functional definition.
I'm on the fence there, as I've held job titles calling me an engineer
but my only formal engineering training was secondary to theatrical set
design and construction, i.e. to make sure actors didn't die in
collapses of not quite enough steel and/or wood. All of my education in
"software engineering" and "systems engineering" (skills I supposedly
have if you believe job titles) is from a handful of low-numbered
college classes 25+ years ago and on-the-job/self training.

But Michael is entirely correct in that nearly everyone subscribed to
this list is a de facto mail system "engineer" in that we work with the
complexities of configuring and operating mail systems. So even though I
don't build bridges, haven't built a stage set in decades, and don't
write much code these days, I DO "drive the trains" of multiple email
systems, some of which use Postfix. So I'm an engineer, I guess.

And so are you, since you seem to have run both Postfix and Exim systems
at least at the "train driver" level (and frankly, railroad engineers
ARE engineers to at least the same degree as sysadmins, but most of us
just don't have any idea how complex trains can be...)

> So it would have been easier to understand if the response had been
> along the lines of:
>
> "envelope-from" instead of just FROM since there are a number of Froms
> in the source code.
>
> Someone wrote: "Return-path is a header added by the receiving MTA
> (usually on final delivery) that contains the envelope sender (MAIL FROM)
> used by the sending system.

Which is accurate, if a bit ecumenical in its nomenclature...

It would definitely be helpful if everyone trying to manage mail systems 
read RFC5598 (https://tools.ietf.org/html/rfc5598) carefully enough and 
often enough to adopt its formal terminology. Dave Crocker's purpose in 
writing that RFC was to establish precise standard jargon and a baseline 
understanding of how email actually works (and is intended to work) for 
people who should have such an understanding. If you're running a mail 
server, whether you accept the label "engineer" or not, you should 
definitely read it.


Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Michael J Wise

> On 6/29/16 3:13 PM, Michael J Wise wrote:
>
>>> On 6/29/16 2:30 PM, Michael J Wise wrote:
>>>
>>>>> I will read up on it.  Thank you for the link.
>>>>>
>>>>> Not everyone, I think, who visits this list is an engineer.
>>>> In that you are mistaken.
>>>>
>>>> Almost everyone who subscribes to this mailing-list is an engineer.
>>>> Please re-read that line.
>>>>
>>>> This mailing list is for people who need to configure or make changes
>>>> to the configuration of a Mail Transfer Agent called Postfix.
>>>> Some people here actually suggest software changes, since the author
>>>> of the system is present on the list.
>>>>
>>>> Pretty much everyone here is an engineer.
>>> I could be wrong, but I expect that many of the folks here are NOT
>>> engineers.
>> I guess it depends on one's definition of, "Engineer".
>> It can cover a lot of ground.

> Well... for purposes of discussion, let's restrict "Engineer" to mean
> someone who:

All of the following, or just a few?

Many *VERY* large corporations don't require some or all of these to put,
"Engineer" on your business card.

This is not the case all over the planet, but in many places, like the
USA, it most certainly is. One has to have a global perspective on such
issues.

> - has a degree in an engineering or engineering related technical field
> - has, at one time or another, held a position that included the word
> "Engineer" in his/her title
> - actually done some engineering along the way (be it R or development)
> - with some allowance for special cases who don't meet all of the above
> (example: Ray Kurzweil has an MIT degree, in MUSIC - I'd certainly
> consider him an engineer, and then some)
> - on the other hand, I wouldn't consider someone with a business degree,
> even with an MIS concentration, to be an Engineer - even though that's a
> fairly common background for CIOs and MIS Directors (and maybe sys
> admins?), you wouldn't hire them to design system software or network gear

It's a lot looser a definition in many places.

For the purposes of this list and similar, I'd define "Engineer" to also
include someone reasonably competent enough to make changes to the Postfix
config files and not break stuff irreparably. It would for all intents and
purposes be equivalent to SysAdmin. Or BOFH.

Someone who, for example, can telnet to port 25 and get the mail delivered.

> - let's NOT include train drivers :-)

Let's not.

But this is grossly off-topic for the list, so I won't have anything
further to say on the issue. Feel free to declare victory and move on.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...  http://kapu.net/~mjwise/
" To Thunderous Applause.




Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Glenn English

> On Jun 29, 2016, at 1:06 PM, Miles Fidelman  
> wrote:
> 
> AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people here 
> have?  Is managing a postfix installation part of your official duties, or 
> something that you've fallen into?

CS degree from before the 'Net, missed the 'Net programming on toy OS's (CP/M, 
MSDOS, etc.), and decided to learn IP networking when I retired. Rented a 
domain and a T1, bought a couple servers, a router, and several pounds of 
O'Reilly books (and one on Postfix), installed Linux, and started typing. 

Downhill ever since :-)

Managing Postfix is more a recreational duty that I fell into by choice. 
Postfix is a delightful piece of software.

-- 
Glenn English





Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Miles Fidelman

On 6/29/16 3:13 PM, Michael J Wise wrote:

>> On 6/29/16 2:30 PM, Michael J Wise wrote:
>>
>>>> I will read up on it.  Thank you for the link.
>>>>
>>>> Not everyone, I think, who visits this list is an engineer.
>>> In that you are mistaken.
>>>
>>> Almost everyone who subscribes to this mailing-list is an engineer.
>>> Please re-read that line.
>>>
>>> This mailing list is for people who need to configure or make changes to
>>> the configuration of a Mail Transfer Agent called Postfix.
>>> Some people here actually suggest software changes, since the author of
>>> the system is present on the list.
>>>
>>> Pretty much everyone here is an engineer.
>> I could be wrong, but I expect that many of the folks here are NOT
>> engineers.
> I guess it depends on one's definition of, "Engineer".
> It can cover a lot of ground.



Well... for purposes of discussion, let's restrict "Engineer" to mean 
someone who:

- has a degree in an engineering or engineering related technical field
- has, at one time or another, held a position that included the word 
"Engineer" in his/her title

- actually done some engineering along the way (be it R or development)
- with some allowance for special cases who don't meet all of the above 
(example: Ray Kurzweil has an MIT degree, in MUSIC - I'd certainly 
consider him an engineer, and then some)
- on the other hand, I wouldn't consider someone with a business degree, 
even with an MIS concentration, to be an Engineer - even though that's a 
fairly common background for CIOs and MIS Directors (and maybe sys 
admins?), you wouldn't hire them to design system software or network gear

- let's NOT include train drivers :-)


Cheers,

Miles



--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: (Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Michael J Wise

> On 6/29/16 2:30 PM, Michael J Wise wrote:
>
>>> I will read up on it.  Thank you for the link.
>>>
>>> Not everyone, I think, who visits this list is an engineer.
>> In that you are mistaken.
>>
>> Almost everyone who subscribes to this mailing-list is an engineer.
>> Please re-read that line.
>>
>> This mailing list is for people who need to configure or make changes to
>> the configuration of a Mail Transfer Agent called Postfix.
>> Some people here actually suggest software changes, since the author of
>> the system is present on the list.
>>
>> Pretty much everyone here is an engineer.
>
> I could be wrong, but I expect that many of the folks here are NOT
> engineers.

I guess it depends on one's definition of, "Engineer".
It can cover a lot of ground.

> Having said that, it seems not unreasonable for folks on this list to
> have a working familiarity with the standards and software associated
> with email processing.  Managing a postfix installation (or any MTA) is
> not a job for amateurs.  (IMHO)

In that I would completely agree, even though with respect to my use of
Postfix, it probably would qualify as, "Amateur" since I don't use it for
profit.

But with respect to the handling of mail for ... Others ... in that, it is
my profession. And I'm particularly interested in problems that other mail
servers may experience with relation to certain other mail server
software.

> AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people
> here have?  Is managing a postfix installation part of your official
> duties, or something that you've fallen into?

It used to be what I did up until 8+ years ago.
Nowadays I fight spam for a certain large corporation, and keep my hand in
here as one of many early warning signs of trouble.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...  http://kapu.net/~mjwise/
" To Thunderous Applause.




(Off-topic: who's on the list) was: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Miles Fidelman

On 6/29/16 2:30 PM, Michael J Wise wrote:

>> I will read up on it.  Thank you for the link.
>>
>> Not everyone, I think, who visits this list is an engineer.
> In that you are mistaken.
>
> Almost everyone who subscribes to this mailing-list is an engineer.
> Please re-read that line.
>
> This mailing list is for people who need to configure or make changes to
> the configuration of a Mail Transfer Agent called Postfix.
> Some people here actually suggest software changes, since the author of
> the system is present on the list.
>
> Pretty much everyone here is an engineer.


I could be wrong, but I expect that many of the folks here are NOT 
engineers.


I happen to have an engineering background, and spend a good part of my 
time doing engineering work of various sorts - but that's completely 
incidental to running our mail system.  As a one-man shop, I ALSO play 
sys admin, postmaster, webmaster, listmaster, janitor, chief cook & 
bottle washer, ad infinitum, ad nauseam.


I expect, that many of the folks here are full-time sys admins - a role 
that does not necessarily involve (or require) an engineering background.


Having said that, it seems not unreasonable for folks on this list to 
have a working familiarity with the standards and software associated 
with email processing.  Managing a postfix installation (or any MTA) is 
not a job for amateurs.  (IMHO)


AND NOW I'M CURIOUS... What kinds of backgrounds and roles do people 
here have?  Is managing a postfix installation part of your official 
duties, or something that you've fallen into?


Miles Fidelman




> RFC 821 (and its successors) is documentation of the COMMANDS (verbs, if
> you will) used to move mail, of which one, MAIL FROM, is a way to express
> where an NDR should go if something goes wrong.
>
> Furthermore, at some points along the journey of a piece of mail (data, or
> a NOUN if you will), it will be captured and recorded in a header, most
> typically in the Return-Path value.
>
> But it is not guaranteed to be stored in any header at any time because
> it's a COMMAND to a server.
>
> RFC 822 (and its successors) is documentation of the structure of DATA
> (the NOUNS mentioned above) that represents an email message, which is
> divided up into Headers and Data. One of those headers is, "From:". And
> almost all of those headers are little more than comments, forgeable by
> anyone with the inclination to do so, and at best advisory in nature.
>
> So, to summarize:
>
> The "From:" header is a comment, and may or may not reflect reality.
> Typically it does, but not always.
>
> The "Return-Path" is a recognized way to capture the value of the "MAIL
> FROM:" command, and encode it into the headers, but it is best described
> as a, "Virtual Header".
>
> Some other headers inserted by arbitrary third parties are not documented
> in *ANY* RFC anywhere, and almost everyone completely ignores them.
>
> Such is the case with, "bounces-to".
> It's not a standard.
> Almost everything will ignore it.
> People who expect it to always work should be prepared for disappointment.
>
> Aloha mai Nai`a.

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Michael J Wise

> I will read up on it.  Thank you for the link.
>
> Not everyone, I think, who visits this list is an engineer.

In that you are mistaken.

Almost everyone who subscribes to this mailing-list is an engineer.
Please re-read that line.

This mailing list is for people who need to configure or make changes to
the configuration of a Mail Transfer Agent called Postfix.
Some people here actually suggest software changes, since the author of
the system is present on the list.

Pretty much everyone here is an engineer.

RFC 821 (and its successors) is documentation of the COMMANDS (verbs, if
you will) used to move mail, of which one, MAIL FROM, is a way to express
where an NDR should go if something goes wrong.

Furthermore, at some points along the journey of a piece of mail (data, or
a NOUN if you will), it will be captured and recorded in a header, most
typically in the Return-Path value.

But it is not guaranteed to be stored in any header at any time because
it's a COMMAND to a server.

RFC 822 (and its successors) is documentation of the structure of DATA
(the NOUNS mentioned above) that represents an email message, which is
divided up into Headers and Data. One of those headers is, "From:". And
almost all of those headers are little more than comments, forgeable by
anyone with the inclination to do so, and at best advisory in nature.

So, to summarize:

The "From:" header is a comment, and may or may not reflect reality.
Typically it does, but not always.

The "Return-Path" is a recognized way to capture the value of the "MAIL
FROM:" command, and encode it into the headers, but it is best described
as a, "Virtual Header".

Some other headers inserted by arbitrary third parties are not documented
in *ANY* RFC anywhere, and almost everyone completely ignores them.

Such is the case with, "bounces-to".
It's not a standard.
Almost everything will ignore it.
People who expect it to always work should be prepared for disappointment.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...  http://kapu.net/~mjwise/
" To Thunderous Applause.




Re: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Chip

I will read up on it.  Thank you for the link.

Not everyone, I think, who visits this list is an engineer.

So it would have been easier to understand if the response had been 
along the lines of:


"envelope-from" instead of just FROM since there are a number of Froms 
in the source code.


Someone wrote: "Return-path is a header added by the receiving MTA
(usually on final delivery) that contains the envelope sender (MAIL FROM)
used by the sending system.

On 06/29/2016 11:22 AM, Jan Ceuleers wrote:

> On 29/06/16 17:02, Chip wrote:
>
>> If Return-path is added by receiving MTA, as you say, below, and that it
>> contains the MAIL FROM, then why do I see the following in source code
>> of received message in which return-path does not match From?
>
> Could I respectfully suggest that you read up on the difference between
> the envelope sender and the From header, for example here:
>
> http://blog.tidymail.co.uk/glossary/smtp-envelope/
>
> The two are not necessarily the same, and in fact in the examples you
> showed they were not.





Re: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Jan Ceuleers
On 29/06/16 17:02, Chip wrote:
> If Return-path is added by receiving MTA, as you say, below, and that it
> contains the MAIL FROM, then why do I see the following in source code
> of received message in which return-path does not match From?

Could I respectfully suggest that you read up on the difference between
the envelope sender and the From header, for example here:

http://blog.tidymail.co.uk/glossary/smtp-envelope/

The two are not necessarily the same, and in fact in the examples you
showed they were not.


Re: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Emmanuel Fusté

On 29/06/2016 17:02, Chip wrote:

> If Return-path is added by receiving MTA, as you say, below, and that it
> contains the MAIL FROM, then why do I see the following in source code
> of received message in which return-path does not match From?
>
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> X-Mozilla-Keys:
> Return-path: <sears2.5...@envfrm.rsys2.com>
> From: "Sears" <se...@value.sears.com>
>
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> X-Mozilla-Keys:
> Return-Path: <bar...@restaurantloot.com>
> From: lucky <lu...@restaurantloot.com>

MAIL FROM/envelope from and header From are two different beasts.
Return-Path: is MAIL FROM/envelope from.
From: lucky <lu...@restaurantloot.com> in your example is header from,
which is data and not directly related to MAIL FROM/envelope from.

> On 06/29/2016 10:50 AM, Kris Deugau wrote:
>
>> Chip wrote:
>>
>>> My mistake NOT "bounces-to" rather "return-path"
>>
>> Return-path is a header added by the receiving MTA (usually on final
>> delivery) that contains the envelope sender (MAIL FROM) used by the
>> sending system.






Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Chip
If Return-path is added by receiving MTA, as you say, below, and that it 
contains the MAIL FROM, then why do I see the following in source code 
of received message in which return-path does not match From?



X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-path: <sears2.5...@envfrm.rsys2.com>
From: "Sears" <se...@value.sears.com>


X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-Path: <bar...@restaurantloot.com>
From: lucky <lu...@restaurantloot.com>

On 06/29/2016 10:50 AM, Kris Deugau wrote:

> Chip wrote:
>
>> My mistake NOT "bounces-to" rather "return-path"
>
> Return-path is a header added by the receiving MTA (usually on final
> delivery) that contains the envelope sender (MAIL FROM) used by the
> sending system.






Re: Is not honoring bounces-to violation of RFC?

2016-06-29 Thread Kris Deugau
Chip wrote:
> My mistake NOT "bounces-to" rather "return-path"

Return-path is a header added by the receiving MTA (usually on final
delivery) that contains the envelope sender (MAIL FROM) used by the
sending system.

> as in the following
> snippet of campaign emails from Home Depot, Martha Stewart and Sears:

> Return-path:<bounce-21178_html-212410161-294-1014284...@bounce.homedepotemail.com>

Notice this one contains an extended ID number?  Their mail-sending
infrastructure almost certainly generates this pseudoaddress on a
per-mailing+recipient basis, so automated systems can quickly tell whose
email is bouncing, and which email campaign it bounced on.

> Return-path:<everydayf...@mail.marthastewart.com>

This doesn't use a unique envelope sender for each recipient, so they'll
have to do more complex parsing of any bounce messages to identify stale
recipients.

> So is "Return-path" supposed to be respected?  Because the company I was
> speaking of insists it's appropriate to send bounces to something other
> than "Return-path" usually the "From" or "Reply-to".

No;  as stated upthread bounces must be sent to the envelope sender
address.  Any system sending bounces to any other address is misbehaving
and may end up blacklisted (locally or in public datasources like
DNSBLs)  because of it.

All that said, if *you* are a perfectly innocent bulk-mailer who is
*receiving* bounces to the wrong place, you'll probably have to suck up
and deal with it to keep your service clean.

-kgd
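
An added example, not code from any poster in this thread: a Python sketch of the per-recipient envelope sender described in the message above, and of mapping the RCPT TO address of an incoming bounce back to the mailing and recipient. The address layout, `BOUNCE_DOMAIN`, the key and every function name are assumptions; the keyed tag goes beyond the message by rejecting bounce addresses the sender never issued.

```python
import base64
import hashlib
import hmac
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

BOUNCE_DOMAIN = "bounce.example.com"   # assumption: domain whose MX feeds the bounce handler
SECRET = b"constructed-demo-key"       # constructed value; keep a real key out of source


class BounceRef(NamedTuple):
    campaign: str
    recipient: str


def _tag(payload: str) -> str:
    """8-character keyed tag; 5 MAC bytes encode to base32 without padding."""
    mac = hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode("ascii").lower()


def make_envelope_sender(campaign: str, recipient: str) -> str:
    """Build the MAIL FROM address for one recipient of one mailing."""
    local, sep, domain = recipient.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("recipient must look like local@domain")
    if not (campaign.isascii() and campaign.isalnum()):
        raise ValueError("campaign id must be ASCII alphanumeric")
    # The recipient's '@' becomes '=' so it can live inside a local part.
    payload = f"{campaign.lower()}-{local}={domain}"
    local_part = f"bounce-{_tag(payload)}-{payload}"
    if len(local_part) > 64:           # RFC 5321 limit on the local part
        raise ValueError("encoded local part exceeds 64 octets")
    return f"{local_part}@{BOUNCE_DOMAIN}"


def parse_bounce_recipient(rcpt_to: str) -> Optional[BounceRef]:
    """Map the RCPT TO of an incoming bounce back to (campaign, recipient).

    Returns None for a shared bounce address, a foreign domain, or a tag
    that does not verify; such bounces need their body parsed instead.
    """
    local, _, domain = rcpt_to.strip().strip("<>").lower().rpartition("@")
    if domain != BOUNCE_DOMAIN:
        return None
    parts = local.split("-", 3)        # the recipient part may itself contain '-'
    if len(parts) != 4 or parts[0] != "bounce":
        return None
    _, tag, campaign, encoded = parts
    expected = _tag(f"{campaign}-{encoded}")
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    rcpt_local, sep, rcpt_domain = encoded.rpartition("=")
    if not sep or not rcpt_local or not rcpt_domain:
        return None
    return BounceRef(campaign, f"{rcpt_local}@{rcpt_domain}")


def stale_recipients(bounce_rcpt_tos: Iterable[str], threshold: int = 2) -> List[str]:
    """Recipients with at least `threshold` verified bounces."""
    counts: Counter = Counter()
    for rcpt_to in bounce_rcpt_tos:
        ref = parse_bounce_recipient(rcpt_to)
        if ref is not None:
            counts[ref.recipient] += 1
    return sorted(addr for addr, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    sender = make_envelope_sender("june2016", "Jane-Doe@Example.org")
    print(sender)
    print(parse_bounce_recipient(sender))
    print(parse_bounce_recipient("newsletter@bounce.example.com"))
```

Lower-casing the recipient is a normalisation choice made here so that bounces returned with altered case still verify.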


Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Daniele Nicolodi
On 6/28/16 2:01 PM, Chip wrote:
> My mistake NOT "bounces-to" rather "return-path"

This is not a subtle difference. The Return-Path header gets added (or
replaced, in the case it is already there) by the receiving MTA with the
MAIL FROM address. It is placed there only for convenience of the
receiving part.

Setting the Return-Path header on outbound messages has no effect. What
you need to change is the MAIL FROM address, as already explained a few
times in this thread.

Cheers,
Daniele
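
An added example, not from any poster in this thread: Python showing the receiving side described in the message above, where final delivery discards any Return-Path that arrived with the message and records the MAIL FROM value, and a non-delivery notification is addressed to that envelope sender with a null sender of its own. The sample message, host names and function names are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Constructed message: every header address differs from the envelope sender,
# and it arrives carrying a Return-Path that the sender set itself.
RAW = """\
Return-Path: <stale@elsewhere.example>
From: "Shop" <news@shop.example>
Reply-To: <replies@shop.example>
Bounces-To: <bounces@shop.example>
To: <user@rcpt.example>
Subject: Offer

Hello
"""


def _check_reverse_path(mail_from: str) -> None:
    """Refuse values that could break out of the header line being written."""
    if any(c in mail_from for c in "\r\n<> "):
        raise ValueError("invalid reverse-path")


def stamp_return_path(mail_from: str, raw: str) -> str:
    """Final delivery: drop any Return-Path present, record MAIL FROM on top."""
    _check_reverse_path(mail_from)
    msg = message_from_string(raw)
    del msg["Return-Path"]             # removes every occurrence, no error if absent
    return f"Return-Path: <{mail_from}>\n" + msg.as_string()


def header_addresses(raw: str) -> Dict[str, str]:
    """Addresses found in headers; none of them decide where a bounce goes."""
    msg = message_from_string(raw)
    names = ("From", "Reply-To", "Bounces-To")
    return {h: parseaddr(msg[h])[1] for h in names if msg[h]}


def non_delivery_notification(
    mail_from: str, raw: str, reason: str, host: str = "mx.example"
) -> Optional[Tuple[str, str, EmailMessage]]:
    """Return (envelope sender, envelope recipient, message), or None.

    A null MAIL FROM means the failed message was itself a notification,
    so nothing is sent. Otherwise the notification goes to the envelope
    sender and carries a null sender of its own.
    """
    _check_reverse_path(mail_from)
    if mail_from == "":
        return None
    original = message_from_string(raw)
    headers = "".join(f"{name}: {value}\n" for name, value in original.items())
    ndn = EmailMessage()
    ndn["From"] = f"MAILER-DAEMON@{host}"
    ndn["To"] = mail_from
    ndn["Subject"] = "Undelivered Mail Returned to Sender"
    ndn.set_content(f"{reason}\n\nHeaders of the undelivered message:\n{headers}")
    return "", mail_from, ndn


if __name__ == "__main__":
    envelope = "bounce-123@bounce.shop.example"   # constructed MAIL FROM value
    print(stamp_return_path(envelope, RAW))
    print(header_addresses(RAW))
    result = non_delivery_notification(envelope, RAW, "550 5.1.1 unknown user")
    print(result[:2])
```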



Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Chip
My mistake NOT "bounces-to" rather "return-path" as in the following 
snippet of campaign emails from Home Depot, Martha Stewart and Sears:


From - Mon Jun 20 08:43:03 2016
X-Account-Key: account15
X-UIDL: UID1962-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-path:<bounce-21178_html-212410161-294-1014284...@bounce.homedepotemail.com>


From - Tue Jun 21 14:39:36 2016

X-Account-Key: account15
X-UIDL: UID1969-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-path:<everydayf...@mail.marthastewart.com>


From - Mon Jun 20 08:43:02 2016

X-Account-Key: account15
X-UIDL: UID1961-1324328699
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-path:<sears2.5...@envfrm.rsys2.com>


So is "Return-path" supposed to be respected?  Because the company I was 
speaking of insists it's appropriate to send bounces to something other 
than "Return-path" usually the "From" or "Reply-to".




On 06/28/2016 03:36 PM, Jim Reid wrote:

>> On 28 Jun 2016, at 20:26, Jeffs Chips <jeffsch...@gmail.com> wrote:
>>
>> I'm just saying that ALL email campaign services allow and indeed suggest users
>> to identify a specific sole purpose email account in which to receive bounces
>> to eliminate spam and which almost all email campaigners adhere to
>
> The IETF process is open to all. Feel free to make use of it.
>
> BTW, the IETF is where Internet email protocols get developed and documented.
> It doesn’t and can’t happen on postfix-users.






Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Jim Reid

> On 28 Jun 2016, at 20:26, Jeffs Chips <jeffsch...@gmail.com> wrote:
> 
> I'm just saying that ALL email campaign services allow and indeed suggest 
> users to identify a specific sole purpose email account in which to receive
> bounces to eliminate spam and which almost all email campaigners adhere to

The IETF process is open to all. Feel free to make use of it.

BTW, the IETF is where Internet email protocols get developed and documented. 
It doesn’t and can’t happen on postfix-users. 



Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Jeffs Chips
I don't dispute any of what happens just saying that a company out there
that advertises as their mission to eliminate spam and whom, they
advertise, has access to 30 million MX records is sending bounces to the
reply to or envelope sender whereas I'm just saying that ALL email campaign
services allow and indeed suggest users to identify a specific sole purpose
email account in which to receive bounces to eliminate spam and which
almost all email campaigners adhere to, is thus defeating the purpose of
their mission. Maybe what they do works for the small time spammer who uses
a personal account to distribute spam but it defeats the purpose of
eliminating non deliverables for honest mailers.
On Jun 28, 2016 3:17 PM, "Allen Coates" <znab...@cidercounty.org.uk> wrote:

> Mail-server refusals (as in NOQUEUE) are generated before the email body
> is received - and will also be sent to the envelope sender.
>
> On 28/06/16 18:51, Noel Jones wrote:
> > On 6/28/2016 12:12 PM, Chip wrote:
> >> Meaning there are no standards for the way
> >> emailers should respond to bounces?
> > bounces always go to the envelope sender, regardless of any
> > unrelated junk in the headers.
> >
> >
> >
> >
>
>


Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Jim Reid

> On 28 Jun 2016, at 19:28, Chip <jeffsch...@gmail.com> wrote:
> 
> Okay maybe it's not in RFC's but I would it would be at least a 
> recommendation that bounces can be routed back to bounces-to rather than 
> reply-to.  After all, why have the field at all if it's not used properly.

No RFC defines a bounces-to email header. Or how an MTA or MUA should handle 
one. As a matter of fact, the only email-related RFC which contains the word 
“bounce” is RFC5355. Which is in the Experimental category. It uses “bounce" in 
the context of clients speaking UTF8SMTP to servers that don’t support this 
feature.

Here’s the relevant part of Section 4.4 of that RFC:

  Below are a few examples of possible  representations.

  ...

  "DISPLAY_NAME" <non-ASCII@non-ASCII>
 ; UTF8SMTP but no ALT-ADDRESS parameter provided,
 ; message will bounce if UTF8SMTP extension is not supported

  <non-ASCII@non-ASCII>
 ; without DISPLAY_NAME and quoted string
 ; UTF8SMTP but no ALT-ADDRESS parameter provided,
 ; message will bounce if UTF8SMTP extension is not supported


If you think bounces-to has to be part of Internet email standards, feel free 
to write up a draft and submit it to the IETF.

Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Allen Coates
Mail-server refusals (as in NOQUEUE) are generated before the email body
is received - and will also be sent to the envelope sender.

On 28/06/16 18:51, Noel Jones wrote:
> On 6/28/2016 12:12 PM, Chip wrote:
>> Meaning there are no standards for the way
>> emailers should respond to bounces?
> bounces always go to the envelope sender, regardless of any
> unrelated junk in the headers.
>
>
>
>



Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Noel Jones
Bounces go to the envelope sender, the address used in the SMTP MAIL
FROM command.

Not reply-to, nor bounces-to, nor any other address listed in a
header.

To control where bounces are returned, set the envelope sender.



  -- Noel Jones


On 6/28/2016 1:28 PM, Chip wrote:
> In standard email campaign software like phplist, constantcontact,
> mailchimp all of those popular email campaign software many of which
> use Exim and are used literally by millions of email campaigners,
> the bounces-to is where bounces are expected to be returned so that
> they can be effectively removed from mailings and people don't
> receive spam.  It is a very important part of email campaigns and
> reduces by great amounts the amount of spam that is manufactured.
> 
> Okay maybe it's not in RFC's but I would it would be at least a
> recommendation that bounces can be routed back to bounces-to rather
> than reply-to.  After all, why have the field at all if it's not
> used properly.
> 
> 
> 
> 
> On 06/28/2016 01:51 PM, Noel Jones wrote:
>> On 6/28/2016 12:12 PM, Chip wrote:
>>> Meaning there are no standards for the way
>>> emailers should respond to bounces?
>> bounces always go to the envelope sender, regardless of any
>> unrelated junk in the headers.



Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Chip
In standard email campaign software like phplist, constantcontact, 
mailchimp all of those popular email campaign software many of which use 
Exim and are used literally by millions of email campaigners, the 
bounces-to is where bounces are expected to be returned so that they can 
be effectively removed from mailings and people don't receive spam.  It 
is a very important part of email campaigns and reduces by great 
amounts the amount of spam that is manufactured.


Okay maybe it's not in RFC's but I would it would be at least a 
recommendation that bounces can be routed back to bounces-to rather than 
reply-to.  After all, why have the field at all if it's not used properly.





On 06/28/2016 01:51 PM, Noel Jones wrote:
> On 6/28/2016 12:12 PM, Chip wrote:
>> Meaning there are no standards for the way
>> emailers should respond to bounces?
> bounces always go to the envelope sender, regardless of any
> unrelated junk in the headers.

Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Noel Jones
On 6/28/2016 12:12 PM, Chip wrote:
> Meaning there are no standards for the way
> emailers should respond to bounces?

bounces always go to the envelope sender, regardless of any
unrelated junk in the headers.





Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Wietse Venema
Chip:
> Okay I guess it does.  Meaning there are no standards for the way 
> emailers should respond to bounces?

According to RFC 5321, the definition of the Internet email protocol,
an undeliverable email message is returned to its MAIL FROM address,
and that return message is sent with the null MAIL FROM address.
Undeliverable mail with the null MAIL FROM address is not returned.

That answers your question, but you probably meant something else.

Wietse
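
The rule stated in the replies above, as an added Python example that is not part of the original thread: the notification recipient comes from the SMTP envelope, never from Reply-To or a Bounces-To header, and a failed null-sender message produces nothing further. The addresses, the host name and the headers-only notification body are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

NULL_SENDER = ""  # the null reverse-path, sent on the wire as MAIL FROM:<>

# Constructed sample: a campaign message whose headers name three addresses,
# none of which is the envelope sender chosen at SMTP time.
SAMPLE_MESSAGE = (
    b"From: News <news@campaign.example>\r\n"
    b"Reply-To: sales@campaign.example\r\n"
    b"Bounces-To: bounces@campaign.example\r\n"
    b"To: user@dest.example\r\n"
    b"Subject: June offers\r\n"
    b"\r\n"
    b"Message body, which a headers-only notification leaves out.\r\n"
)


def build_bounce(mail_from, rcpt_to, raw_message, reason,
                 reporting_host="mx.dest.example"):
    """Return (envelope_sender, envelope_recipient, notification) for an
    undeliverable message, or None when no notification may be generated.

    mail_from and rcpt_to are the SMTP envelope addresses; addresses in the
    headers of raw_message never influence where the notification goes.
    """
    if mail_from == NULL_SENDER:
        # The failed message was itself a notification: stop here.
        return None

    original = message_from_bytes(raw_message, policy=policy.SMTP)
    note = EmailMessage(policy=policy.SMTP)
    note["From"] = f"MAILER-DAEMON@{reporting_host}"
    note["To"] = mail_from
    note["Subject"] = "Undelivered Mail Returned to Sender"
    note["Auto-Submitted"] = "auto-replied"  # RFC 3834 automatic-response marker
    headers_only = "".join(f"{name}: {value}\n" for name, value in original.items())
    note.set_content(
        f"<{rcpt_to}>: {reason}\n\n"
        "--- headers of the undelivered message ---\n"
        f"{headers_only}"
    )
    # The notification itself travels with the null envelope sender.
    return NULL_SENDER, mail_from, note


def delivery_chain(mail_from, rcpt_to, raw_message):
    """Follow a message whose every delivery attempt fails and list the
    (envelope_sender, envelope_recipient) pair of each message generated."""
    hops = [(mail_from, rcpt_to)]
    current = (mail_from, rcpt_to, raw_message)
    while True:
        bounce = build_bounce(current[0], current[1], current[2],
                              "550 5.1.1 User unknown")
        if bounce is None:
            return hops
        sender, recipient, note = bounce
        hops.append((sender, recipient))
        current = (sender, recipient, note.as_bytes())


if __name__ == "__main__":
    for hop in delivery_chain("campaign-return@campaign.example",
                              "user@dest.example", SAMPLE_MESSAGE):
        print(hop)
```
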


Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Chip
Okay I guess it does.  Meaning there are no standards for the way 
emailers should respond to bounces?


On 06/28/2016 12:54 PM, Wietse Venema wrote:
> Chip:
>> I know this question is not specifically germane to Postfix but everyone
>> on this list has extensive experience with bouncing policies.
>>
>> If a receiver of campaign emails (that promotes itself as an email
>> security service) sends bounces to "reply-to" rather than "bounces-to"
>> as a policy despite bounces-to present in all campaign emails headers,
>> would this be considered a violation of RFCs?
>
> RFCs are published at ietf.org, so I did an experiment:
>
>     site:ietf.org bounces-to
>
> Neither google.com nor bing.com produced any matches.
>
> I guess that result speaks for itself, no?
>
> Wietse





Re: Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Wietse Venema
Chip:
> I know this question is not specifically germane to Postfix but everyone 
> on this list has extensive experience with bouncing policies.
> 
> If a receiver of campaign emails (that promotes itself as an email 
> security service) sends bounces to "reply-to" rather than "bounces-to" 
> as a policy despite bounces-to present in all campaign emails headers, 
> would this be considered a violation of RFCs?

RFCs are published at ietf.org, so I did an experiment:

site:ietf.org bounces-to

Neither google.com nor bing.com produced any matches.

I guess that result speaks for itself, no?

Wietse


Is not honoring bounces-to violation of RFC?

2016-06-28 Thread Chip
I know this question is not specifically germane to Postfix but everyone 
on this list has extensive experience with bouncing policies.


If a receiver of campaign emails (that promotes itself as an email 
security service) sends bounces to "reply-to" rather than "bounces-to" 
as a policy despite bounces-to present in all campaign emails headers, 
would this be considered a violation of RFCs?




Bounces and dmarc reports

2015-12-23 Thread Alex
Hi,

I've recently implemented dmarc on my system. I've implemented both
rua and ruf reports. I'm trying to understand why my postfix queue is
being inundated with undeliverable messages such as these:

E45A5182C7E 2700 Wed Dec 23 11:11:52  postmas...@cheatcodes.com
(connect to mulish.yachtspecialnewtips.info[162.214.5.75]:25: No route to host)
 ab...@yachtspecialnewtips.info

Dec 23 11:11:53 juggernaut postfix/qmgr[14771]: E45A5182C7E:
from=, size=2700,
 nrcpt=2 (queue active)

Dec 23 11:11:53 juggernaut postfix/smtp[10932]: A2733182CA4:
to=, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=10, delay=16, delays=0.18/16/0.01/0.18, dsn=2.0.0,
status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:
queued as E45A5182C7E)

I don't understand why reports from postmas...@cheatcodes.com are
being received then attempted to be sent to an obvious spam domain.

I suppose this isn't strictly a postfix problem, but I've been unable
to find help elsewhere. I was hoping someone familiar with dmarc could
guide me to the right solution.

Thanks,
Alex


blocking bounces from spam advice

2014-12-25 Thread lists

I have a small Postfix installation with virtual domains that runs well,
however, a user is complaining of being hit with flood of rejects from
spam sent out from elsewhere as though from him, the rejects are coming
back to him

the user in question has been, by his former request, exempted from some
checks:

---
# cat recipient_no_checks
# Let email to the following destinations bypass all the remaining
# reject and check tests.

tld.com.au OK
---

I'll remove him from recipient_no_checks, but, is there some other stuff I
should be doing as well ?

Greetings to the list and all the best in New Year!

--
mail_version = 2.11.0

# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
anvil_rate_time_unit = 1800s
biff = no
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 15
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id  sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 20971520
mime_header_checks = pcre:$config_directory/mime_headers.pcre
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain,
localhost.$myhostname
mydomain = sbt.net.au
myhostname = emu.sbt.net.au
mynetworks = //removed// 127.0.0.1
myorigin = emu.sbt.net.au
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps
$mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps
$relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps
$sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps
$transport_maps $virtual_alias_domains $virtual_alias_maps
$virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination,
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_connection_rate_limit = 50
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service
inet:127.0.0.1:, permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination, check_recipient_access
hash:/etc/postfix/recipient_no_checks, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rhsbl_sender
dsn.rfc-ignorant.org, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

Postfix bounces

2014-12-03 Thread Jose Borges Ferreira
Hi,

I'm looking deeper into bounce handling in Postfix and came across 2 issues:

 1)  The default From: header, MAILER-DAEMON (Mail Delivery System),
is not RFC valid.

  It can change, though.

  in ubuntu install the postfix-doc package, then
  cat /usr/share/doc/postfix-doc/examples/bounce.cf.default | sed -e 's/From: MAILER-DAEMON (Mail Delivery System)/From: postmas...@example.net/' > /etc/postfix/bounce.cf
  and then add to main.cf
  bounce_template_file=/etc/postfix/bounce.cf

  Is there a simple way to achieve this ?

  I noted that Postfix 2.12 adds mydomain and myhostname to be
used in the bounce template and changing the template to
MAILER-DAEMON@$myhostname would also simplify.
  Or having something like $bounce_from_address (default to
MAILER-DAEMON@$myhostname ) it would  be very nice.

 2) I want to forward bounces to a specific host. I was looking for a
way to specify a relayhost  or a transport for that class of messages
and couldn't find a way to achieve that.
 I cannot use sender_dependent_default_transport_maps, because I
only want to apply to messages generated by Postfix and not messages
in transit.

 What is the best way to do this ?

Regards,
José Borges Ferreira


Re: Postfix bounces

2014-12-03 Thread li...@rhsoft.net


On 03.12.2014 at 12:43, Jose Borges Ferreira wrote:

> I'm looking deeper into bounce handling in Postfix and came across 2 issues:
>
> 1)  The default From: header, MAILER-DAEMON (Mail Delivery System),
> is not RFC valid.

a bounce has no envelope sender (null sender) and so no from-address

> 2) I want to forward bounces to a specific host. I was looking for a
> way to specify a relayhost  or a transport for that class of messages
> and couldn't find a way to achieve that.
> I cannot use sender_dependent_default_transport_maps, because I
> only want to apply to messages generated by Postfix and not messages
> in transit.

it is *not* your business to mangle bounces
they belong to the envelope sender - period

keep your fingers from bounces - unconditional
a user sends a mail and when that fails he gets a bounce

if you are backscatter because you accept mail on your MX which you 
can't deliver then fix that problem instead of shooting at the messenger

the one and only reason where a mailserver has to produce a bounce is 
when an authenticated user sends a mail which is later rejected at the 
final destination


Re: Postfix bounces

2014-12-03 Thread Wietse Venema
Jose Borges Ferreira:
> Hi,
>
> I'm looking deeper into bounce handling in Postfix and came across 2 issues:
>
>  1)  The default From: header, MAILER-DAEMON (Mail Delivery System),
> is not RFC valid.

YOU create a non-compliant configuration when YOU disable
append_at_myorigin for local submission.

>  2) I want to forward bounces to a specific host. I was looking for a
> way to specify a relayhost  or a transport for that class of messages
> and couldn't find a way to achieve that.

There is no RFC that requires this. I am highly-suspicious when
people want to handle NDRs differently; they usually have a problem
that they want to cover up.

Wietse


Re: Postfix bounces

2014-12-03 Thread Jose Borges Ferreira
On Wed, Dec 3, 2014 at 12:28 PM, Wietse Venema wie...@porcupine.org wrote:
> Jose Borges Ferreira:
>> Hi,
>>
>> I'm looking deeper into bounce handling in Postfix and came across 2 issues:
>>
>>  1)  The default From: header, MAILER-DAEMON (Mail Delivery System),
>> is not RFC valid.
>
> YOU create a non-compliant configuration when YOU disable
> append_at_myorigin for local submission.

Thanks for pointing out where the problem is.
I have to maintain a quite complex setup and this was already set.
Next time will also test on a Postfix instance with minimal changes.

>>  2) I want to forward bounces to a specific host. I was looking for a
>> way to specify a relayhost  or a transport for that class of messages
>> and couldn't find a way to achieve that.
>
> There is no RFC that requires this. I am highly-suspicious when
> people want to handle NDRs differently; they usually have a problem
> that they want to cover up.

The RFC reference was for 1).
This is more about policy than anything else.

This is the scenario.
Box 1 : just receive email from outside - inbound flow.
Box 2 : used to send email to the outside - outbound flow.

Firewalls are set in a way that don't allow Box 1 to send traffic to
the outside, so i need to route bounces (and defers) generated in
Box 1 to Box 2.

José Borges Ferreira


Re: Postfix bounces

2014-12-03 Thread li...@rhsoft.net


On 03.12.2014 at 14:32, Jose Borges Ferreira wrote:

>>> 2) I want to forward bounces to a specific host. I was looking for a
>>> way to specify a relayhost  or a transport for that class of messages
>>> and couldn't find a way to achieve that.
>>
>> There is no RFC that requires this. I am highly-suspicious when
>> people want to handle NDRs differently; they usually have a problem
>> that they want to cover up.
>
> The RFC reference was for 1).
> This is more about policy than anything else.
>
> This is the scenario.
> Box 1 : just receive email from outside - inbound flow.
> Box 2 : used to send email to the outside - outbound flow.
>
> Firewalls are set in a way that don't allow Box 1 to send traffic to
> the outside, so i need to route bounces (and defers) generated in
> Box 1 to Box 2

fix *why* you create bounces at all on an inbound MX

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient in 
case of not able to list some domains you accept mail for in 
local_recipient_maps is the way to go

we list all domains where we have the RCPT's in 
/etc/postfix/skip_rcpt_vrfy.cf and anything else needs to pass 
reject_unverified_recipient and so that way we can even offer 
spamfiltering services for customers with their own Exchange server 
without creating a single bounce


smtpd_relay_restrictions =
 reject_unauth_destination
 check_recipient_access hash:/etc/postfix/skip_rcpt_vrfy.cf
 reject_unverified_recipient


Re: Postfix bounces

2014-12-03 Thread Wietse Venema
Jose Borges Ferreira:
> This is the scenario.
> Box 1 : just receive email from outside - inbound flow.
> Box 2 : used to send email to the outside - outbound flow.

Inbound MTA: primary MX for your domain(s). If mail can't be
delivered, use Postfix's relayhost feature to deliver outbound mail
via the outbound MTA, if you can't use standard MX logic to deliver
directly to the sender's MX hosts.

Outbound MTA: if mail can't be delivered, use standard MX logic to
deliver NDRs to the sender's MX host(s).

Wietse


Re: Postfix bounces

2014-12-03 Thread Jose Borges Ferreira
On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote:
> Jose Borges Ferreira:
>> This is the scenario.
>> Box 1 : just receive email from outside - inbound flow.
>> Box 2 : used to send email to the outside - outbound flow.
>
> Inbound MTA: primary MX for your domain(s). If mail can't be
> delivered, use Postfix's relayhost feature to deliver outbound mail
> via the outbound MTA, if you can't use standard MX logic to deliver
> directly to the sender's MX hosts.

That's my initial idea, but was afraid that relayhost would catch
more than intended.
That's why I asked about a way just to apply the relayhost behavior to
server generated messages (bounces).

> Outbound MTA: if mail can't be delivered, use standard MX logic to
> deliver NDRs to the sender's MX host(s).

That was already covered, because email loops back through the InboundMTA

Thanks.

José Borges Ferreira


Re: Postfix bounces

2014-12-03 Thread Wietse Venema
Jose Borges Ferreira:
> On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote:
>> Jose Borges Ferreira:
>>> This is the scenario.
>>> Box 1 : just receive email from outside - inbound flow.
>>> Box 2 : used to send email to the outside - outbound flow.
>>
>> Inbound MTA: primary MX for your domain(s). If mail can't be
>> delivered, use Postfix's relayhost feature to deliver outbound mail
>> via the outbound MTA, if you can't use standard MX logic to deliver
>> directly to the sender's MX hosts.
>
> That's my initial idea, but was afraid that relayhost would catch
> more than intended.

It catches outbound mail. Postfix cannot generate other mail, as
long as all mail from inside has an inside envelope sender address.
And that is standard firewall hygiene.

Wietse


Re: Postfix bounces

2014-12-03 Thread Wietse Venema
Wietse Venema:
> Jose Borges Ferreira:
>> On Wed, Dec 3, 2014 at 1:51 PM, Wietse Venema wie...@porcupine.org wrote:
>>> Jose Borges Ferreira:
>>>> This is the scenario.
>>>> Box 1 : just receive email from outside - inbound flow.
>>>> Box 2 : used to send email to the outside - outbound flow.
>>>
>>> Inbound MTA: primary MX for your domain(s). If mail can't be
>>> delivered, use Postfix's relayhost feature to deliver outbound mail
>>> via the outbound MTA, if you can't use standard MX logic to deliver
>>> directly to the sender's MX hosts.
>>
>> That's my initial idea, but was afraid that relayhost would catch
>> more than intended.
>
> It catches outbound mail. Postfix cannot generate other mail, as
> long as all mail from inside has an inside envelope sender address.

And all mail from outside has an outside envelope sender address.

> And that is standard firewall hygiene.

Wietse


Documentation update: Milter signing bounces

2014-11-30 Thread Wietse Venema
I have added this text at the end of Non-SMTPD Milter applications:

Wietse

Signing internally-generated bounce messages

Postfix normally does not apply content filters to mail that is forwarded or
aliased internally, or to mail that is generated internally such as bounces or
Postmaster notifications. Filtering internally-generated bounces could result
in loss of mail when a filter rejects or defers a message (the resulting
double-bounce message would almost certainly also be blocked).

To sign Postfix's own bounce messages, enable filtering of internally-generated
bounces (line 2 below), and don't block any mail with non_smtpd_milters,
header_checks or body_checks (lines 3-5 below).

1 /etc/postfix/main.cf:
2 internal_mail_filter_classes = bounce
3 non_smtpd_milters = nothing that can block mail
4 header_checks = nothing that can block mail
5 body_checks = nothing that can block mail
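
One way to check a configuration against the documentation text above, as an added Python example (not Postfix's own code or tooling): it reads `postconf -n` style output plus the referenced header_checks/body_checks tables and reports anything that would leave bounces unsigned or could block them. The sample configuration, the Milter address and the table rules are constructed, and treating HOLD and REDIRECT as blocking actions is an assumption of this example.

```python
import re

# Table actions that stop or divert delivery. REJECT and DISCARD drop the
# message; counting HOLD and REDIRECT as blocking is this example's assumption.
BLOCKING_ACTIONS = {"REJECT", "DISCARD", "HOLD", "REDIRECT"}

# One regexp/pcre table rule: optional "!", a delimited pattern, flags, action.
RULE = re.compile(
    r"^!?(?P<d>[^\sA-Za-z0-9])(?:\\.|(?!(?P=d)).)*(?P=d)[A-Za-z]*\s+(?P<action>[A-Za-z]+)"
)

# Constructed `postconf -n` excerpt and table contents (keyed by table path).
SAMPLE_POSTCONF = """\
body_checks = pcre:/etc/postfix/body_checks
header_checks = pcre:/etc/postfix/header_checks
internal_mail_filter_classes = bounce
non_smtpd_milters = inet:127.0.0.1:8891
"""
SAMPLE_TABLES = {
    "/etc/postfix/header_checks": (
        "# constructed table\n"
        "/^X-Mailer: .*bulkmailer/ REJECT bulk mailer\n"
        "/^Received: from localhost/ IGNORE\n"
    ),
    "/etc/postfix/body_checks": "/^unsubscribe here/ WARN marketing text\n",
}


def split_list(value):
    """Split a comma- or whitespace-separated parameter value."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace():
            if name:
                params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params


def blocking_rules(table_text):
    """Return (line_number, action) for every table rule that can block mail."""
    hits = []
    for number, line in enumerate(table_text.splitlines(), 1):
        if not line or line[0].isspace() or line.startswith("#"):
            continue  # blank, continuation of the previous rule, or comment
        match = RULE.match(line)
        if match and match.group("action").upper() in BLOCKING_ACTIONS:
            hits.append((number, match.group("action").upper()))
    return hits


def audit_bounce_signing(postconf_text, tables):
    """Return (parameter, detail) findings for a bounce-signing setup."""
    params = parse_postconf(postconf_text)
    findings = []
    if "bounce" not in split_list(params.get("internal_mail_filter_classes", "")):
        findings.append(("internal_mail_filter_classes", "bounce class not enabled"))
    if not split_list(params.get("non_smtpd_milters", "")):
        findings.append(("non_smtpd_milters", "no Milter configured"))
    for name in ("header_checks", "body_checks"):
        for entry in split_list(params.get(name, "")):
            path = entry.split(":", 1)[-1]  # drop the "pcre:" / "regexp:" type
            for number, action in blocking_rules(tables.get(path, "")):
                findings.append((name, f"{path} line {number}: {action}"))
    return findings


if __name__ == "__main__":
    for finding in audit_bounce_signing(SAMPLE_POSTCONF, SAMPLE_TABLES):
        print(finding)
```
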


Re: Documentation update: Milter signing bounces

2014-11-30 Thread Jose Borges Ferreira
On Sun, Nov 30, 2014 at 9:00 PM, Wietse Venema wie...@porcupine.org wrote:
> I have added this text at the end of Non-SMTPD Milter applications:
>
> Wietse
>
> Signing internally-generated bounce messages
>
> Postfix normally does not apply content filters to mail that is forwarded or
> aliased internally, or to mail that is generated internally such as bounces or
> Postmaster notifications. Filtering internally-generated bounces could result
> in loss of mail when a filter rejects or defers a message (the resulting
> double-bounce message would almost certainly also be blocked).
>
> To sign Postfix's own bounce messages, enable filtering of internally-generated
> bounces (line 2 below), and don't block any mail with non_smtpd_milters,
> header_checks or body_checks (lines 3-5 below).
>
> 1 /etc/postfix/main.cf:
> 2 internal_mail_filter_classes = bounce
> 3 non_smtpd_milters = nothing that can block mail
> 4 header_checks = nothing that can block mail
> 5 body_checks = nothing that can block mail

That's great, thanks.

José Borges Ferreira


Milter signing bounces

2014-11-28 Thread Jose Borges Ferreira
Hi,

I'm returning with this issue* but I consider it starting to have bad
side effects.

Yesterday on the dmarc-ietf list on a subject of bounce emails, Franck
Martin stated that
.It is notoriously known that postfix cannot DKIM sign the messages
it generates(MDN).
and he sent the link to Postfix documentation that supports that claim,
in particular
see point 4 on http://www.postfix.org/MILTER_README.html#limitations;
that states:

Postfix currently does not apply content filters to mail that is
forwarded or aliased internally, or to mail that is generated
internally such as bounces or Postmaster notifications. This may be a
problem when you want to apply a signing Milter to such mail.

Last year when I reported that, the discussion was around the
dangers of blocking bounces and therefore shouldn't be filtered (and
eventually blocked).

Back then with postfix 2.9 and now with 2.11.3 I have a working setup.**

So my question is:

What's wrong ? The documentation or the
internal_mail_filter_classes/non_smtpd_milters implementation that
allows applying a signing Milter to bounces ?


* 
http://postfix.1071664.n5.nabble.com/Error-in-milter-documentation-td62409.html
** http://www.ietf.org/mail-archive/web/dmarc/current/msg01964.html

José Borges Ferreira


Re: Milter signing bounces

2014-11-28 Thread Wietse Venema
Jose Borges Ferreira:
> What's wrong ? The documentation or the
> internal_mail_filter_classes/non_smtpd_milters implementation that
> allows applying a signing Milter to bounces ?

You appear to believe that there is a difference between Postfix
documentation and Postfix implementation.

Can you in a few words explain what the difference is, without
asking the reader to dig into other mailing list messages?

Wietse


Re: Milter signing bounces

2014-11-28 Thread Jose Borges Ferreira
On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote:
> Can you in a few words explain what the difference is, without
> asking the reader to dig into other mailing list messages?

Hi,

I just reference the other lists for full context and quoted the relevant parts.

I'm just pointing that the Milter documentation*, quote:

Postfix currently does not apply content filters to mail that is
forwarded or aliased internally, or to mail that is generated
internally such as bounces or Postmaster notifications. This may be a
problem when you want to apply a signing Milter to such mail.

This documentation contradicts my current Postfix implementation. I'm
using a Milter to sign bounces.
People reading that paragraph can wrongly assume that Postfix isn't
capable of signing bounce , when it can.

So, am I doing something unsupported in my implementation or is
something wrong in MILTER_README ?

José Borges Ferreira

* http://www.postfix.org/MILTER_README.html#limitations , point 4


Re: Milter signing bounces

2014-11-28 Thread Wietse Venema
Jose Borges Ferreira:
> On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote:
>> Can you in a few words explain what the difference is, without
>> asking the reader to dig into other mailing list messages?
>
> Hi,
>
> I just reference the other lists for full context and quoted the relevant
> parts.
>
> I'm just pointing that the Milter documentation*, quote:
>
> Postfix currently does not apply content filters to mail that is
> forwarded or aliased internally, or to mail that is generated
> internally such as bounces or Postmaster notifications. This may be a
> problem when you want to apply a signing Milter to such mail.
>
> This documentation contradicts my current Postfix implementation. I'm
> using a Milter to sign bounces.
> People reading that paragraph can wrongly assume that Postfix isn't
> capable of signing bounce , when it can.

The documentation DOES NOT CLAIM that Postfix cannot use a Milter
to sign bounces.

The documentation DOES say that applying filters to bounces can
result in loss of mail.

Wietse

> So, am I doing something unsupported in my implementation or is
> something wrong in MILTER_README ?
>
> José Borges Ferreira
>
> * http://www.postfix.org/MILTER_README.html#limitations , point 4
 


Re: Milter signing bounces

2014-11-28 Thread li...@rhsoft.net



On 28.11.2014 at 17:19, Wietse Venema wrote:

> Jose Borges Ferreira:
>> On Fri, Nov 28, 2014 at 2:13 PM, Wietse Venema wie...@porcupine.org wrote:
>>> Can you in a few words explain what the difference is, without
>>> asking the reader to dig into other mailing list messages?
>>
>> I just reference the other lists for full context and quoted the relevant parts.
>>
>> I'm just pointing that the Milter documentation*, quote:
>>
>> Postfix currently does not apply content filters to mail that is
>> forwarded or aliased internally, or to mail that is generated
>> internally such as bounces or Postmaster notifications. This may be a
>> problem when you want to apply a signing Milter to such mail.
>>
>> This documentation contradicts my current Postfix implementation. I'm
>> using a Milter to sign bounces.
>> People reading that paragraph can wrongly assume that Postfix isn't
>> capable of signing bounce , when it can.
>
> The documentation DOES NOT CLAIM that Postfix cannot use a Milter
> to sign bounces.

don't get me wrong but Postfix currently does not apply content filters 
to mail that is forwarded or aliased internally, or to mail that is 
generated internally such as bounces or Postmaster notifications. This 
may be a problem when you want to apply a signing Milter to such mail 
claims exactly that for every reader

> The documentation DOES say that applying filters to bounces can
> result in loss of mail






Re: Milter signing bounces

2014-11-28 Thread Jose Borges Ferreira
On Fri, Nov 28, 2014 at 4:30 PM, li...@rhsoft.net li...@rhsoft.net wrote:

>>> I'm just pointing that the Milter documentation*, quote:
>>>
>>> Postfix currently does not apply content filters to mail that is
>>> forwarded or aliased internally, or to mail that is generated
>>> internally such as bounces or Postmaster notifications. This may be a
>>> problem when you want to apply a signing Milter to such mail.
>>>
>>> This documentation contradicts my current Postfix implementation. I'm
>>> using a Milter to sign bounces.
>>> People reading that paragraph can wrongly assume that Postfix isn't
>>> capable of signing bounce , when it can.
>>
>> The documentation DOES NOT CLAIM that Postfix cannot use a Milter
>> to sign bounces.
>
> don't get me wrong but Postfix currently does not apply content filters to
> mail that is forwarded or aliased internally, or to mail that is generated
> internally such as bounces or Postmaster notifications. This may be a
> problem when you want to apply a signing Milter to such mail claims exactly
> that for every reader

I mentioned the other post on the dmarc list because others also
have that understanding.

José Borges Ferreira


Re: Milter signing bounces

2014-11-28 Thread Wietse Venema
> don't get me wrong but Postfix currently does not apply content filters to
> mail that is forwarded or aliased internally, or to mail that is generated
> internally such as bounces or Postmaster notifications. This may be a
> problem when you want to apply a signing Milter to such mail claims exactly
> that for every reader

Do you mean REPLACE the text with: Applying content filters to
such mail should be safe with filters that sign mail, but never
bounce?

Wietse


Re: Milter signing bounces

2014-11-28 Thread li...@rhsoft.net


On 28.11.2014 at 20:40, Wietse Venema wrote:

>> don't get me wrong but Postfix currently does not apply content filters to
>> mail that is forwarded or aliased internally, or to mail that is generated
>> internally such as bounces or Postmaster notifications. This may be a
>> problem when you want to apply a signing Milter to such mail claims exactly
>> that for every reader
>
> Do you mean REPLACE the text with: Applying content filters to
> such mail should be safe with filters that sign mail, but never
> bounce?

sounds good!

the problem with the current text is the does not apply what has a 
different meaning than is not safe and implies the milter never is 
called in context of a bounce


Strip body / attachments from bounces?

2014-11-25 Thread John Oliver
I'm looking for a way to remove anything from the original email from
bounces.  Yes, I know this is a goofy use case :-)  I found a useful
article about customizing bounce messages which I'll look into, but I
didn't see anything in it about making sure the bounce contains nothing
but the bounce message and maybe specific elements from the original
like destination, time/date, etc.

-- 
***
* John Oliver http://www.john-oliver.net/ *
* *
***


Re: Strip body / attachments from bounces?

2014-11-25 Thread Noel Jones
On 11/25/2014 10:51 AM, John Oliver wrote:
> I'm looking for a way to remove anything from the original email from
> bounces.  Yes, I know this is a goofy use case :-)  I found a useful
> article about customizing bounce messages which I'll look into, but I
> didn't see anything in it about making sure the bounce contains nothing
> but the bounce message and maybe specific elements from the original
> like destination, time/date, etc.
 


http://www.postfix.org/postconf.5.html#bounce_size_limit

You can set bounce_size_limit = 0 to return the message headers
only.  This will ensure there is nothing of the body left.  There is
no option to restrict which headers are returned.

Bounces should be a rare occurrence.  Mail to unknown recipients or
mail with unwanted content should be rejected at the gateway, never
accepted and later bounced.  Let us know if you need help getting
that configured correctly.



  -- Noel Jones


Re: Strip body / attachments from bounces?

2014-11-25 Thread Robert Schetterer
On 25.11.2014 at 17:51, John Oliver wrote:
 I'm looking for a way to remove anything from the original email from
 bounces.  Yes, I know this is a goofy use case :-)  I found a useful
 article about customizing bounce messages which I'll look into, but I
 didn't see anything in it about making sure the bounce contains nothing
 but the bounce message and maybe specific elements from the original
 like destination, time/date, etc.
 

as i tried to filter reply-to in a bounce, i found this
http://www.rfc-base.org/txt/rfc-5703.txt
might be helpful, but it is not included in recent dovecot sieve
release, perhaps procmail can do what you want


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: Strip body / attachments from bounces?

2014-11-25 Thread Viktor Dukhovni
On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote:

 http://www.postfix.org/postconf.5.html#bounce_size_limit
 
 You can set bounce_size_limit = 0 to return the message headers
 only.  

The minimum allowed value is 1.  Therefore, to bounce headers only

bounce_size_limit = 1

-- 
Viktor.


Re: Strip body / attachments from bounces?

2014-11-25 Thread Wietse Venema
Viktor Dukhovni:
 On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote:
 
  http://www.postfix.org/postconf.5.html#bounce_size_limit
  
  You can set bounce_size_limit = 0 to return the message headers
  only.  
 
 The minimum allowed value is 1.  Therefore, to bounce headers only
 
   bounce_size_limit = 1

As a general rule, where Postfix accepts a limit of zero, it means
disable the no limit.

Unlimited bounces are not a good idea. That's why the minimum is 1.

Wietse


Re: Strip body / attachments from bounces?

2014-11-25 Thread Noel Jones
On 11/25/2014 1:34 PM, Viktor Dukhovni wrote:
 On Tue, Nov 25, 2014 at 11:19:36AM -0600, Noel Jones wrote:
 
 http://www.postfix.org/postconf.5.html#bounce_size_limit

 You can set bounce_size_limit = 0 to return the message headers
 only.  
 
 The minimum allowed value is 1.  Therefore, to bounce headers only
 
   bounce_size_limit = 1
 



Thanks for the correction.  For some reason I thought 0 was allowed
here, and really meant zero.



  -- Noel Jones


Re: Email-get-bounces.

2014-11-20 Thread li...@rhsoft.net



On 20.11.2014 at 06:55, Mohammed Ejaz wrote:

Please experiencing two issues with customer. any explanation would be
highly appreciated.

1. I have several entries as below for our one of the customer whose
relaying his email through our mail servers

Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning: 212.118.122.108:
address not listed for hostname mail.electro.com.sa


that is just a warning about a bad PTR/A-Record setup of the sending 
machine - http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS



2.What could be reason as the sent messages one of our users get bounce
back with the following info. whereas our IP reputation is clean.


ask the admin on the other side instead a public group about *his* 
security policies



ion...@akigroup.com
Your message wasn't delivered because of security policies. Microsoft
Exchange will not try to redeliver this message for you. Please provide
the following diagnostic text to your system administrator.

The following organization rejected your message: pop.alphamedgroup.com.

*Diagnostic information for administrators:*

Generating server: mersal.cyberia.net.sa

ion...@akigroup.com
pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1
Unable to deliver to ion...@akigroup.com


Re: Email-get-bounces.

2014-11-20 Thread Noel Jones
On 11/19/2014 11:55 PM, Mohammed Ejaz wrote:
 hello,
 
 Please experiencing two issues with customer. any explanation would
 be highly appreciated.
 
 1. I have several entries as below for our one of the
 customer whose relaying his email through our mail servers
 
 Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning:
 212.118.122.108: address not listed for hostname mail.electro.com.sa
 

This is a warning only. The IP listed for mail.electro.com.sa is not
the same as the connecting client IP.  This is a problem with the
client; their PTR hostname does not resolve back to the client IP.

# host 212.118.122.108
108.122.118.212.in-addr.arpa domain name pointer mail.electro.com.sa.

# host mail.electro.com.sa.
mail.electro.com.sa has address 212.118.122.99



 Nov 20 07:41:05 mersal postfix/cleanup[31008]: 97C4B11A09F:
 message-id=01d0047a$58a601a0$09f204e0$@electro.com.sa
 
 Nov 20 07:41:06 mersal postfix/qmgr[11505]: 97C4B11A09F:
 from=morris.dela-to...@electro.com.sa, size=250121, nrcpt=1 (queue
 active)

Where is the rest of the logging for this transaction?  Search your
log for the queue ID 97C4B11A09F.


 
 Nov 20 07:44:10 mersal postfix/smtpd[30958]: warning:
 212.118.122.108: address not listed for hostname mail.electro.com.sa

another warning from a new transaction.

 
  
 
  
 
 2.   What could be reason as the sent messages one of our users
 get bounce back with the following info. whereas our IP reputation
 is clean.


It seems you rejected their message.  Look in your logs for further
info.



  -- Noel Jones


 
 
 ion...@akigroup.com
 Your message wasn't delivered because of security policies.
 Microsoft Exchange will not try to redeliver this message for you.
 Please provide the following diagnostic text to your system
 administrator.
 
 The following organization rejected your message: pop.alphamedgroup.com.
 
 Diagnostic information for administrators:
 
 Generating server: mersal.cyberia.net.sa
 
 ion...@akigroup.com
 pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1
 Unable to deliver to ion...@akigroup.com #SMTP#
 
 Original message headers:
 
 Received: from mail.unitedgroup.com.sa (SRV-EXCHHUB.unitedgroup.com.sa
  [213.210.243.36]) by mersal.cyberia.net.sa (Postfix) with ESMTP id
  BAB9F11A09C for ion...@akigroup.com; Wed, 19 Nov 2014 15:44:55 +0300 (AST)
 Received: from SRV-EXCHANGE.unitedgroup.com.sa ([191.0.0.11]) by
  SRV-EXCHHUB.unitedgroup.com.sa ([191.0.0.18]) with mapi; Wed, 19 Nov 2014
  15:35:32 +0300
 From: Elias Sleiman eslei...@unitedgroup.com.sa
 To: ion...@akigroup.com ion...@akigroup.com
 Date: Wed, 19 Nov 2014 15:35:25 +0300
 Subject: Burger fuel - Cheese supply
 Thread-Topic: Burger fuel - Cheese supply
 Thread-Index: AdAD9Ur5R5GMhgiWRbSB/MLhQRJW8g==
 Message-ID:
 4f4e9a676dd5c94aaca1d2fe1342d3104452ae9...@srv-exchange.unitedgroup.com.sa
 Accept-Language: en-US
 Content-Language: en-US
 X-MS-Has-Attach: yes
 X-MS-TNEF-Correlator:
 acceptlanguage: en-US
 Content-Type: multipart/related;
  boundary=_005_4F4E9A676DD5C94AACA1D2FE1342D3104452AE951DSRVEXCHANGEun_;
  type=multipart/alternative
 MIME-Version: 1.0
 
 Ejaz
 



Email-get-bounces.

2014-11-19 Thread Mohammed Ejaz
hello,

Please experiencing two issues with customer. any explanation would be
highly appreciated.

1. I have several entries as below for our one of the customer whose
relaying his email through our mail servers

Nov 20 07:41:05 mersal postfix/smtpd[30971]: warning: 212.118.122.108:
address not listed for hostname mail.electro.com.sa

Nov 20 07:41:05 mersal postfix/cleanup[31008]: 97C4B11A09F:
message-id=01d0047a$58a601a0$09f204e0$@electro.com.sa

Nov 20 07:41:06 mersal postfix/qmgr[11505]: 97C4B11A09F:
from=morris.dela-to...@electro.com.sa, size=250121, nrcpt=1 (queue active)

Nov 20 07:44:10 mersal postfix/smtpd[30958]: warning: 212.118.122.108:
address not listed for hostname mail.electro.com.sa

2. What could be reason as the sent messages one of our users get
bounce back with the following info. whereas our IP reputation is clean.

ion...@akigroup.com
Your message wasn't delivered because of security policies. Microsoft
Exchange will not try to redeliver this message for you. Please provide the
following diagnostic text to your system administrator.

The following organization rejected your message: pop.alphamedgroup.com.

Diagnostic information for administrators:

Generating server: mersal.cyberia.net.sa

ion...@akigroup.com
pop.alphamedgroup.com #pop.alphamedgroup.com #5.7.1 smtp; 550 5.7.1 Unable
to deliver to ion...@akigroup.com #SMTP#

Original message headers:

Received: from mail.unitedgroup.com.sa (SRV-EXCHHUB.unitedgroup.com.sa
 [213.210.243.36]) by mersal.cyberia.net.sa (Postfix) with ESMTP id
 BAB9F11A09C for ion...@akigroup.com; Wed, 19 Nov 2014 15:44:55 +0300 (AST)
Received: from SRV-EXCHANGE.unitedgroup.com.sa ([191.0.0.11]) by
 SRV-EXCHHUB.unitedgroup.com.sa ([191.0.0.18]) with mapi; Wed, 19 Nov 2014
 15:35:32 +0300
From: Elias Sleiman eslei...@unitedgroup.com.sa
To: ion...@akigroup.com ion...@akigroup.com
Date: Wed, 19 Nov 2014 15:35:25 +0300
Subject: Burger fuel - Cheese supply
Thread-Topic: Burger fuel - Cheese supply
Thread-Index: AdAD9Ur5R5GMhgiWRbSB/MLhQRJW8g==
Message-ID:
4f4e9a676dd5c94aaca1d2fe1342d3104452ae9...@srv-exchange.unitedgroup.com.sa
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
 boundary=_005_4F4E9A676DD5C94AACA1D2FE1342D3104452AE951DSRVEXCHANGEun_;
 type=multipart/alternative
MIME-Version: 1.0

Ejaz



Re: HTML bounces

2014-10-17 Thread li...@rhsoft.net


On 17.10.2014 at 07:49, Andre Rodier wrote:

I have a few users who don't understand bounced messages, and consider
them as an error from our system. I won't even try to educate them.

I would like to know if there is a way to use HTML messages to send
beautiful bounces messages (internally) but continue to send standard
text format externally.


it doesn't matter if they are beautiful, the point is not that users
don't understand bounces, they just don't try it


especially internally: educate them and leave the world in peace with 
HTML bounces, each time i get such one i'd like to seek and destroy the 
admin on the other side (also for the backscattering, other topic)


Re: HTML bounces

2014-10-17 Thread Wietse Venema
Andre Rodier:
 Hi,
 
 I have a few users who don't understand bounced messages, and consider 
 them as an error from our system. I won't even try to educate them.
 
 I would like to know if there is a way to use HTML messages to send 
 beautiful bounces messages (internally) but continue to send standard 
 text format externally.

So this is a double request:

1) HTML format in addition to text.

 Different formats for different recipients.

Neither is supported. The harder you try, the fewer people will
read your bounce message.

Wietse

 I already configured my bounce_template_file, but it only allows me to 
 do it as text.
 
 If you have a perl/python/... scripted solution, I am interested as well.
 
 Thanks,
 André.
 


Re: HTML bounces

2014-10-17 Thread LuKreme
On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote:
 The harder you try, the fewer people will read your bounce message.

Honestly, I do not think it is possible for there to be fewer people who read 
bounces.

Customized LOCAL bounce messages would be nifty. I don't want HTML ones but 
customizing the messages for local users would be nice. Some extensibility to 
the variables available might be nice too, to allow more customizations to the 
bounce message.

Not a feature request, per se, but if it showed up somewhere down the line it's 
a feature I'd use.


-- 
'I think, if you want thousands, you've got to fight for one.'



Re: HTML bounces

2014-10-17 Thread jdebert
On Fri, 17 Oct 2014 10:49:15 -0600
LuKreme krem...@kreme.com wrote:

 On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote:
  The harder you try, the fewer people will read your bounce message.
 
 Honestly, I do not think it is possible for there to be fewer people
 who read bounces.
 
 Customized LOCAL bounce messages would be nifty. I don't want HTML
 ones but customizing the messages for local users would be nice. Some
 extensibility to the variables available might be nice too, to allow
 more customizations to the bounce message.
 
 Not a feature request, per se, but if it showed up somewhere down the
 line it's a feature I'd use.
 
 

That would be a bit more helpful to end users who have no idea
how things work.

Otherwise...

Local FAQ re bounces? 

A custom error message to direct local users to said FAQ?

A monthly user newsletter reminding local users to peruse the FAQ for
useful information?

A monthly user newsletter periodically containing a FAQ topic or three?

Cluehammer as a last resort? (not a feature request?)

jd?



Re: HTML bounces

2014-10-17 Thread Noel Jones
On 10/17/2014 12:32 PM, jdebert wrote:
 On Fri, 17 Oct 2014 10:49:15 -0600
 LuKreme krem...@kreme.com wrote:
 
 On 17 Oct 2014, at 04:51 , Wietse Venema wie...@porcupine.org wrote:
 The harder you try, the fewer people will read your bounce message.

 Honestly, I do not think it is possible for there to be fewer people
 who read bounces.

 Customized LOCAL bounce messages would be nifty. I don't want HTML
 ones but customizing the messages for local users would be nice. Some
 extensibility to the variables available might be nice too, to allow
 more customizations to the bounce message.

 Not a feature request, per se, but if it showed up somewhere down the
 line it's a feature I'd use.


 
 That would be a bit more helpful to end users who have no idea
 how things work.
 
 Otherwise...
 
 Local FAQ re bounces? 
 
 A custom error message to direct local users to said FAQ?
 
 A monthly user newsletter reminding local users to peruse the FAQ for
 useful information?
 
 A monthly user newsletter periodically containing a FAQ topic or three?
 
 Cluehammer as a last resort? (not a feature request?)
 
 jd?
 


For bounces created by your own system (which is all you can
control), you can use the smtpd_reject_footer feature to add a web
link to helpful information (in your local language).  Few people
will bother clicking on it, but it might help a little.  I'm always
a little surprised when people really do contact me through this.

http://www.postfix.org/postconf.5.html#smtpd_reject_footer




  -- Noel Jones


Re: HTML bounces

2014-10-17 Thread Benny Pedersen

On October 17, 2014 7:49:34 AM Andre Rodier an...@rodier.me wrote:


I have a few users who don't understand bounced messages, and consider
them as an error from our system. I won't even try to educate them.


So they understand more if it was html ?, hmm


I would like to know if there is a way to use HTML messages to send
beautiful bounces messages (internally) but continue to send standard
text format externally.


Text msgs is beautiful, no ?


I already configured my bounce_template_file, but it only allows me to
do it as text.


You can show a link in bounce to bugzilla on own domain, and hope users 
will use it, but historical postfix is not a webmaster



If you have a perl/python/... scripted solution, I am interested as well.


-1000


HTML bounces

2014-10-16 Thread Andre Rodier

Hi,

I have a few users who don't understand bounced messages, and consider 
them as an error from our system. I won't even try to educate them.


I would like to know if there is a way to use HTML messages to send 
beautiful bounces messages (internally) but continue to send standard 
text format externally.


I already configured my bounce_template_file, but it only allows me to 
do it as text.


If you have a perl/python/... scripted solution, I am interested as well.

Thanks,
André.


Bounces are not sent sometimes.

2014-07-03 Thread Patrik Båt
Hello list!

I'm having problem with a bounce that was never sent to the sender.

*Here is the log when it fails:*
Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388:
from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
Jul  2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388:
to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0,
dsn=5.4.4, status=bounced (Host or domain name not found. Name service
error for name=domain2.tld type=: Host not found)
Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed

*And here is a log when it works (same rcpt):*
Jul  3 10:41:17 smtp9 postfix-out/qmgr[25574]: 1CE9A27A4CB:
from=m...@domain1.tld, size=8514, nrcpt=1 (queue active)
Jul  3 10:41:17 smtp9 postfix-out/smtp[24245]: 1CE9A27A4CB:
to=user.n...@domain2.tld, relay=none, delay=0, delays=0/0/0/0,
dsn=5.4.4, status=bounced (Host or domain name not found. Name service
error for name=domain2.tld type=: Host not found)
Jul  3 10:41:17 smtp9 postfix-out/bounce[11424]: 1CE9A27A4CB: sender
non-delivery notification: 1E32427A509
Jul  3 10:41:17 smtp9 postfix-out/qmgr[25574]: 1CE9A27A4CB: removed

Can it somehow be a bug or related somehow to the sender? (there is 2
different senders, but from the same domain)
What I can see, the differences between the emails is the SIZE, one need
truncating and the other doesn't. might that be a problem?

Bounce configuration:
smtp9:~# postconf -c /etc/postfix-outgoing | grep bounce
2bounce_notice_recipient = postmaster
address_verify_sender = $double_bounce_sender
backwards_bounce_logfile_compatibility = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file =
disable_verp_bounces = no
double_bounce_sender = double-bounce
lmtp_sasl_auth_soft_bounce = yes
multi_recipient_bounce_reject_code = 550
smtp_sasl_auth_soft_bounce = yes
soft_bounce = no

I'm using postfix 2.9.6 from debian wheezy repo:
smtp9:~# dpkg --list | grep postfix
ii  postfix        2.9.6-2  amd64  High-performance mail transport agent
ii  postfix-mysql  2.9.6-2  amd64  MySQL map support for Postfix
ii  postfix-pcre   2.9.6-2  amd64  PCRE map support for Postfix

Any thoughts or ideas are welcome!





Re: Bounces are not sent sometimes.

2014-07-03 Thread Wietse Venema
Patrik Båt:
 I'm having problem with a bounce that was never send to the sender.
 
 *Here is the log when it fails:*
 Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388:
 from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
 Jul  2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388:
 to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0,
 dsn=5.4.4, status=bounced (Host or domain name not found. Name service
 error for name=domain2.tld type=: Host not found)
 Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
 
 *And here is a log when it works (same rcpt):*

This could be because:

0) The sender is <>.

1) The sender sent mail with RCPT TO: address NOTIFY=NONE.

2) You are using a Milter application that adds a recipient with
NOTIFY=NONE. 

2.5) I vaguely recall that old Postfix milter clients always used
NOTIFY=NONE when adding a recipient, but I may be mistaken.

3) You are using an older Postfix implementation that always used
NOTIFY=NONE when adding a BCC recipient.

Wietse


Re: Bounces are not sent sometimes.

2014-07-03 Thread Wietse Venema
Wietse Venema:
 Patrik Båt:
  I'm having problem with a bounce that was never send to the sender.
  
  *Here is the log when it fails:*
  Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388:
  from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
  Jul  2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388:
  to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0,
  dsn=5.4.4, status=bounced (Host or domain name not found. Name service
  error for name=domain2.tld type=: Host not found)
  Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
  
  *And here is a log when it works (same rcpt):*
 
 This could be because:
 
 0) The sender is <>.
 
 1) The sender sent mail with RCPT TO: address NOTIFY=NONE.
 
 2) You are using a Milter application that adds a recipient with
 NOTIFY=NONE. 
 
 2.5) I vaguely recall that old Postfix milter clients always used
 NOTIFY=NONE when adding a recipient, but I may be mistaken.
 
 3) You are using an older Postfix implementation that always used
 NOTIFY=NONE when adding a BCC recipient.

4) You are using MailScanner or other software that manipulates
Postfix queue files. This is not supported.

Wietse


Re: Bounces are not sent sometimes.

2014-07-03 Thread Wietse Venema
Wietse Venema:
 Wietse Venema:
  Patrik Båt:
   I'm having problem with a bounce that was never send to the sender.
   
   *Here is the log when it fails:*
   Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388:
   from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
   Jul  2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388:
   to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0,
   dsn=5.4.4, status=bounced (Host or domain name not found. Name service
   error for name=domain2.tld type=: Host not found)
   Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed
   
   *And here is a log when it works (same rcpt):*
  
  This could be because:
  
  0) The sender is <>.
  
  1) The sender sent mail with RCPT TO: address NOTIFY=NONE.
  
  2) You are using a Milter application that adds a recipient with
  NOTIFY=NONE. 
  
  2.5) I vaguely recall that old Postfix milter clients always used
  NOTIFY=NONE when adding a recipient, but I may be mistaken.
  
  3) You are using an older Postfix implementation that always used
  NOTIFY=NONE when adding a BCC recipient.
 
 4) You are using MailScanner or other software that manipulates
 Postfix queue files. This is not supported.

The behavior in 3) exists in all stable Postfix releases. This
is documented behavior.

Wietse


Re: Bounces are not sent sometimes.

2014-07-03 Thread Patrik Båt
On Thu 3 Jul 2014 13:10:04, Wietse Venema wrote:
 Wietse Venema:
 Wietse Venema:
 Patrik Båt:
 I'm having problem with a bounce that was never send to the sender.

 *Here is the log when it fails:*
 Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388:
 from=custo...@domain1.tld, size=125355, nrcpt=1 (queue active)
 Jul  2 13:03:05 smtp9 postfix-out/smtp[8391]: 575C227A388:
 to=user.n...@domain2.tld, relay=none, delay=0.11, delays=0.01/0/0.1/0,
 dsn=5.4.4, status=bounced (Host or domain name not found. Name service
 error for name=domain2.tld type=: Host not found)
 Jul  2 13:03:05 smtp9 postfix-out/qmgr[5316]: 575C227A388: removed

 *And here is a log when it works (same rcpt):*

 This could be because:

 0) The sender is <>.

 1) The sender sent mail with RCPT TO: address NOTIFY=NONE.

 2) You are using a Milter application that adds a recipient with
 NOTIFY=NONE.

 2.5) I vaguely recall that old Postfix milter clients always used
 NOTIFY=NONE when adding a recipient, but I may be mistaken.

 3) You are using an older Postfix implementation that always used
 NOTIFY=NONE when adding a BCC recipient.

 4) You are using MailScanner or other software that manipulates
 Postfix queue files. This is not supported.

 The behavior in 3) exists in all stable Postfix releases. This
 is documented behavior.

   Wietse

Hello, Thanks for clearing this out, Wietse!
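
The situation discussed in this thread can be spotted in the log itself. The script below is an added example, not part of the thread or of Postfix: it pairs every status=bounced entry with the bounce daemon's "sender non-delivery notification" entry for the same queue ID and reports queue files that were removed without one. The sample log is constructed, and short hexadecimal queue IDs are assumed.

```python
import re

# One log entry: "... postfix[-instance]/daemon[pid]: QUEUEID: text".
# Assumption: short hexadecimal queue IDs (enable_long_queue_ids = no).
ENTRY = re.compile(
    r"postfix[-\w]*/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
SENDER = re.compile(r"^from=<([^>]*)>")
BOUNCED = re.compile(r"^to=<([^>]*)>.*\bdsn=([\d.]+), status=bounced")
NOTICE = re.compile(r"^sender non-delivery notification: ([0-9A-F]+)")

# Constructed sample log (not taken from the thread); one entry per line.
SAMPLE_LOG = """\
Jul  3 10:41:17 mx1 postfix-out/qmgr[2001]: 1A2B3C4D5E6: from=<alice@example.com>, size=8514, nrcpt=1 (queue active)
Jul  3 10:41:17 mx1 postfix-out/smtp[2002]: 1A2B3C4D5E6: to=<bob@nxdomain.example>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found)
Jul  3 10:41:17 mx1 postfix-out/bounce[2003]: 1A2B3C4D5E6: sender non-delivery notification: 2B3C4D5E6F7
Jul  3 10:41:17 mx1 postfix-out/qmgr[2001]: 1A2B3C4D5E6: removed
Jul  3 10:41:17 mx1 postfix-out/qmgr[2001]: 2B3C4D5E6F7: from=<>, size=2533, nrcpt=1 (queue active)
Jul  3 10:41:18 mx1 postfix-out/smtp[2002]: 2B3C4D5E6F7: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.5, delays=0/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul  3 10:41:18 mx1 postfix-out/qmgr[2001]: 2B3C4D5E6F7: removed
Jul  3 11:02:40 mx1 postfix-out/qmgr[2001]: 3C4D5E6F7A8: from=<carol@example.com>, size=125355, nrcpt=1 (queue active)
Jul  3 11:02:40 mx1 postfix-out/smtp[2002]: 3C4D5E6F7A8: to=<bob@nxdomain.example>, relay=none, delay=0.11, delays=0.01/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found)
Jul  3 11:02:40 mx1 postfix-out/qmgr[2001]: 3C4D5E6F7A8: removed
Jul  3 11:05:00 mx1 postfix-out/qmgr[2001]: 4D5E6F7A8B9: from=<>, size=2600, nrcpt=1 (queue active)
Jul  3 11:05:01 mx1 postfix-out/smtp[2002]: 4D5E6F7A8B9: to=<dave@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1, delays=0/0/0.5/0.5, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Jul  3 11:05:01 mx1 postfix-out/qmgr[2001]: 4D5E6F7A8B9: removed
Jul  3 11:06:00 mx1 postfix-out/qmgr[2001]: 5E6F7A8B9C0: from=<erin@example.com>, size=900, nrcpt=1 (queue active)
Jul  3 11:06:00 mx1 postfix-out/smtp[2002]: 5E6F7A8B9C0: to=<bob@nxdomain.example>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found)
"""


def classify(rec):
    """Map one finished queue file to a verdict."""
    if rec["notice"]:
        return "notified"
    if rec["sender"] == "":
        # Item 0) in the list above: the sender is <>, so no bounce is sent.
        return "null-sender"
    # Items 1) to 4): NOTIFY=NONE (client, Milter-added or BCC recipient)
    # or software that manipulates queue files.
    return "suppressed"


def audit_bounces(lines):
    """Return one record per removed queue file that had bounced recipients."""
    open_files, report = {}, []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, rest = entry["qid"], entry["rest"]
        rec = open_files.setdefault(
            qid, {"qid": qid, "sender": None, "bounced": [], "notice": None})
        if (m := SENDER.match(rest)):
            rec["sender"] = m[1]
        elif (m := BOUNCED.match(rest)):
            rec["bounced"].append((m[1], m[2]))   # (recipient, DSN status)
        elif (m := NOTICE.match(rest)):
            rec["notice"] = m[1]                  # queue ID of the bounce message
        elif rest == "removed":
            del open_files[qid]
            if rec["bounced"]:
                rec["verdict"] = classify(rec)
                report.append(rec)
    # Queue files without a "removed" entry are still in progress: not reported.
    return report


if __name__ == "__main__":
    for rec in audit_bounces(SAMPLE_LOG.splitlines()):
        print(rec["qid"], rec["sender"] or "<>", rec["verdict"], rec["bounced"])
```

A "suppressed" verdict only says that no notification was logged; which of the listed causes applies still has to be checked against the client's RCPT TO parameters and the Milter or BCC configuration.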





How do I get Postfix to tell me when a message bounces and who sent it

2014-04-13 Thread Rob Tanner
When a user sends too many messages to bad addresses, it’s probably a spammer 
using a compromised account.  Other than a very messy reading and parsing of 
the log files, is there a way to get postfix to tell me when a message has 
bounced and who the sender was (perhaps a hook in the main.cf or something??).  
 When the number of such messages from a specific user reaches a certain 
threshold, I want to be able to block that user from sending outgoing messages. 
 This latter part is simple enough but getting the bounces information in a way 
I can read it programmatically has got me baffled.

Is that even possible?

Thanks,


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!



Re: How do I get Postfix to tell me when a message bounces and who sent it

2014-04-13 Thread Wietse Venema
Rob Tanner:
 When a user sends too many messages to bad addresses, it's probably
 a spammer using a compromised account.  Other than a very messy
 reading and parsing of the log files, is there a way to get postfix
 to tell me when a message has bounced and who the sender was
 (perhaps a hook in the main.cf or something??).

http://www.postfix.org/postconf.5.html#notify_classes

This can report the sender, recipient, and message header to a
configurable email address. These can be piped into a command using
Postfix built-in mechanisms: aliases(5) including .forward files,
mailbox_command_maps, and pipe(8) commands driven by a transport
table.

 When the number of such messages from a specific user reaches a
 certain threshold, I want to be able to block that user from sending
 outgoing messages.  This latter part is simple enough but getting
 the bounces information in a way I can read it programmatically
 has got me baffled.

 Is that even possible?

Yes, provided that you supply the tooling that processes the
notification email messages.

Wietse
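
One shape the tooling mentioned above could take, as an added example that is not part of the thread or of Postfix: a script that receives each postmaster bounce notice on stdin (for instance from an aliases(5) pipe), reads the sender from the message/delivery-status part, and counts failed recipients per sender in a sliding time window. It assumes the notice carries the X-Postfix-Sender and Arrival-Date fields that Postfix writes into its delivery status notifications; the sample notice, the state file path and the default threshold are constructed or hypothetical.

```python
import email
import sqlite3
import sys
from email.utils import parsedate_to_datetime

# Constructed notice shaped like a Postfix delivery status notification;
# every address, host name and the queue ID below is made up.
NOTICE_TEMPLATE = """\
From: MAILER-DAEMON@mx1.example.com (Mail Delivery System)
To: postmaster@mx1.example.com
Subject: Postmaster Copy: Undelivered Mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="B0UNDARY"

--B0UNDARY
Content-Type: text/plain; charset=us-ascii

<{rcpt}>: Host or domain name not found.

--B0UNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; mx1.example.com
X-Postfix-Queue-ID: 1A2B3C4D5E6
X-Postfix-Sender: rfc822; {sender}
Arrival-Date: {date}

Final-Recipient: rfc822; {rcpt}
Action: failed
Status: 5.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found

--B0UNDARY
Content-Type: text/rfc822-headers

From: {sender}
To: {rcpt}

--B0UNDARY--
"""

def sample_notice(sender, rcpt, date):
    """Return the constructed notice as a parsed message object."""
    return email.message_from_string(
        NOTICE_TEMPLATE.format(sender=sender, rcpt=rcpt, date=date))

def _addr(field):
    # "rfc822; user@example.com" -> "user@example.com"
    return field.split(";", 1)[-1].strip() if field else None

def parse_notice(msg):
    """Return (sender, arrival_epoch, failed_recipients), or None if the
    message has no usable delivery-status part."""
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        payload = part.get_payload()
        # The parser yields one header block per list item; drop empty ones.
        blocks = [b for b in payload if len(b)] if isinstance(payload, list) else []
        if not blocks or not blocks[0]["X-Postfix-Sender"] \
                or not blocks[0]["Arrival-Date"]:
            return None
        head = blocks[0]                       # per-message fields
        arrival = parsedate_to_datetime(head["Arrival-Date"]).timestamp()
        failed = [_addr(b["Final-Recipient"]) for b in blocks[1:]
                  if (b["Action"] or "").strip().lower() == "failed"]
        return _addr(head["X-Postfix-Sender"]), arrival, failed
    return None

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS bounces"
               " (sender TEXT, arrival REAL, recipient TEXT)")
    return db

def record(db, notice, threshold=5, window=3600):
    """Store one parsed notice. Return True when the sender has reached
    `threshold` failed recipients within `window` seconds of this notice."""
    sender, arrival, failed = notice
    with db:                                   # commit the inserts
        db.executemany("INSERT INTO bounces VALUES (?, ?, ?)",
                       [(sender, arrival, rcpt) for rcpt in failed])
    (count,) = db.execute(
        "SELECT COUNT(*) FROM bounces WHERE sender = ? AND arrival > ?",
        (sender, arrival - window)).fetchone()
    return count >= threshold

if __name__ == "__main__":
    # The notice arrives on stdin from the pipe; the path is hypothetical.
    parsed = parse_notice(email.message_from_binary_file(sys.stdin.buffer))
    if parsed and record(open_db("/var/lib/bouncewatch/state.db"), parsed):
        print("bounce threshold reached for", parsed[0])
```

What happens once the threshold is reached (an alert, or an entry in a sender access table) is left to the site.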


Re: SRS bounces not working in postfix

2014-02-04 Thread Jason Woods
Hi Michael,

This looks like one of my patches broke the TCP table when using -I... :-) It 
should be 500 not 400 it seems. Fruneau will be pleased ^^
I've pushed a fix to my own fork which I'll pull to Fruneau soon - it's
identical to Fruneau's except for this 400-500 fix. My fork is at: 
https://github.com/driskell/pfixtools However, I don't think this is your issue 
- since it should still work without -I

 Thanks again Jason - I get this using your specified telnet test:
 
 500 Hash invalid in SRS address.

This is the reason the decoding isn't happening when you were without -I, so 
you can return to NOT using -I (or use my fork)
Check your secrets file doesn't have blank lines or spaces anywhere in it? And 
is purely just a couple or so lines with a set of random characters in? (max of 
1024 a line) I wonder if there are problems happening with the secrets so it 
can encode but not decode.

Maybe even try telnet to 10001 with: get<space>t...@example.com<enter><ctrl+D>
Then with the result telnet to 10002 and decode it.

Regards,

Jason

On 4 Feb 2014, at 00.21, Michael McCallister mikemc-post...@terabytemedia.com 
wrote:

 
 
 So I have been playing around with it more now in light of this new 
 information - here is what I have found:
 
 * It works and delivers mail when the -I switch is NOT present (this
   has been my usage in all examples).  However, when I try to decode
   in this mode I get 500 Hash invalid in SRS address. when testing
   in telnet - which could explain why bounces are not working.  Telnet
   encode tests on port 10001 work fine.
 * When the -I switch IS present, it does not deliver mail. However,
   it passes both telnet encode/decode tests.  Here is the delivery
   problem I see in the logs:
 
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: connect from
   homer.terabytemedia.com[74.206.115.225]
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: warning:
   tcp:127.0.0.1:10002 lookup error for ~us...@forwardingdomain.com~
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: NOQUEUE: reject: RCPT
   from homer.terabytemedia.com[74.206.115.225]: 451 4.3.0
   mikeboun...@acermanuals.com: Temporary lookup failure;
   from=mikemc@terabyte[added_to_prevent_spam]media.com
   to=~us...@forwardingdomain.com~ proto=ESMTP
   helo=homer.terabytemedia.com
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: disconnect from
   homer.terabytemedia.com[74.206.115.225]
 
   So I am now getting some warning: tcp:127.0.0.1:10002 lookup error
   with the -I switch enabled - but it passes telnet encode/decode tests.
 
 I am confused why it is logging a decoding error with -I as opposed to 
 without -I in the logs above - you would think it would do that in either 
 case since ~us...@forwardingdomain.com~ is not SRS encoded.  One thing that 
 might explain this - when testing on telnet with -I off, I get a 400 
 external domains are ignored error (maybe 4xx errors are warnings to Postfix 
 and it continues to send and moves on to encoding?) - with -I on, I get a 
 500 Not an SRS address. which I assume is fatal.
 
 One fix might be to patch pfix-srsd (I don't program in C but could probably 
 figure it out) to return a 400 error for the 500 Not an SRS address..  I 
 cannot think of any way that opens me up to problems since I assume the 
 address would just not be rewritten by Postfix in this case.
 
 Any ideas?
 
 Michael
 
 



Re: SRS bounces not working in postfix

2014-02-04 Thread Michael McCallister

On 2/4/2014 2:06 AM, Jason Woods wrote:

Hi Michael,

This looks like one of my patches broke the TCP table when using -I... :-) It 
should be 500 not 400 it seems. Fruneau will be pleased ^^
I've pushed a fix to my own fork which I'll pull to Fruneau soon - it's identical to
Fruneau's except for this 400-500 fix. My fork is at: 
https://github.com/driskell/pfixtools However, I don't think this is your issue - since it 
should still work without -I


Thanks again Jason - I get this using your specified telnet test:

500 Hash invalid in SRS address.

This is the reason the decoding isn't happening when you were without -I, so you can 
return to NOT using -I (or use my fork)
Check your secrets file doesn't have blank lines or spaces anywhere in it? And 
is purely just a couple or so lines with a set of random characters in? (max of 
1024 a line) I wonder if there are problems happening with the secrets so it 
can encode but not decode.

Maybe even try telnet to 10001 with: get<space>t...@example.com<enter><ctrl+D>
Then with the result telnet to 10002 and decode it.

Regards,

Jason



Thanks again Jason.  Everything works now.  I stumbled across the space 
in the secrets file problem last night and that got hashes validating - 
but thanks for that insight too.  I am running your updated release now 
and it is working as expected.


Hopefully setting up dkim and j-chkmail go smoother than srs did :-)



Re: SRS bounces not working in postfix

2014-02-04 Thread Jason Woods
On 4 Feb 2014, at 18.51, Michael McCallister mikemc-post...@terabytemedia.com 
wrote:
 
 Thanks again Jason.  Everything works now.  I stumbled across the space in 
 the secrets file problem last night and that got hashes validating - but 
 thanks for that insight too.  I am running your updated release now and it is 
 working as expected.
 
 Hopefully setting up dkim and j-chkmail go smoother than srs did :-)
 

No problem!

Can you describe the issue with the space you encountered? Or steps to 
reproduce?
I'll throw a fix over to Fruneau before I start working more on srs-milter.



Re: SRS bounces not working in postfix

2014-02-04 Thread Michael McCallister

On 2/4/2014 2:42 PM, Jason Woods wrote:

No problem!

Can you describe the issue with the space you encountered? Or steps to 
reproduce?
I'll throw a fix over to Fruneau before I start working more on srs-milter.


I originally had one line in the secrets file that was probably 200-300 
chars.  It had spaces, periods, etc.  pfix-srsd had problems validating 
hashes it created with that secrets file.  Then I changed it to just 
numbers/letters with no spaces (maybe 50-100 chars) and that problem 
went away.  I wish I had kept the secrets file that exhibited the 
problem, but I just overwrote it.




Re: SRS bounces not working in postfix

2014-02-03 Thread Michael McCallister

On 2/2/2014 11:47 PM, Jason Woods wrote:

Hi Michael,

I did some tweaks on pfixtools I will have to have a look and check for you (I 
use it too.)

It's not the ideal method though and a milter is really the correct way to do 
SRS as the canonical filters, although giving almost desired effect, aren't 
ideal or intended for this. I'm eventually switching to srs-milter and will be 
improving it.

Can you provide the pfixtools options you are using, and contents of the 
pfix-no-srs? Also the full bounce log entry including the user it showed could 
prove useful.

Thanks

Jason


Thanks Jason,

Here is the information you requested (to continue using my original 
example to illustrate the problem - I will replace certain things with 
domains referenced in the original email to keep things consistent - 
anywhere I do this I will wrap ~ around it i.e. ~srsdomain.com~):


 * pfix-srsd usage (note: srsdomain.com is  in mydestination and the MX
   records for it point to the mail server in question)
 /etc/postfix/pfix-srsd -v -f -p /var/lib/postfix/pfix-srsd.pid -U
   postfix -G postfix ~srsdomain.com~ /etc/postfix/pfix-srs.secrets

 * Contents of the pfix-no-srs.cf file (it gets compiled to
   pfix-no-srs.cf.cdb):
   postmaster@~srsdomain.com~ 12345

 * Log data with notes:

   *Data connection opened from my smtp relay*

   Feb  2 23:20:48 quimby0 postfix/smtpd[19228]: connect from
   homer.terabytemedia.com[74.206.115.225]
   Feb  2 23:20:49 quimby0 postfix/smtpd[19228]: 30D73403ED:
   client=homer.terabytemedia.com[74.206.115.225]
   Feb  2 23:20:49 quimby0 postfix/cleanup[19232]: 30D73403ED:
   message-id=52ef3541.70...@terabytemedia.com

   *RCPT TO gets rewritten properly - from what I can tell*

   Feb  2 23:20:49 quimby0 postfix/qmgr[19227]: 30D73403ED:
   from=SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~,
   size=819, nrcpt=1 (queue active)
   Feb  2 23:20:49 quimby0 postfix/smtpd[19228]: disconnect from
   homer.terabytemedia.com[74.206.115.225]

   *Delivery attempt to gmail.com fails resulting in a bounce generated
   by postfix*

   Feb  2 23:20:52 quimby0 postfix/smtp[19233]: 30D73403ED:
   to=~badaddr...@gmail.com~, orig_to=~us...@forwardingdomain.com~,
   relay=gmail-smtp-in.l.google.com[173.194.68.26]:25, delay=3.7,
   delays=0.25/0.01/0.4/3, dsn=5.1.1, status=bounced (host
   gmail-smtp-in.l.google.com[173.194.68.26] said: 550-5.1.1 The email
   account that you tried to reach does not exist. Please try 550-5.1.1
   double-checking the recipient's email address for typos or 550-5.1.1
   unnecessary spaces. Learn more at 550 5.1.1
   http://support.google.com/mail/bin/answer.py?answer=6596
   b79si14074112qge.129 - gsmtp (in reply to RCPT TO command))
   Feb  2 23:20:52 quimby0 postfix/cleanup[19232]: CC0CB40402:
   message-id=20140203062052.CC0CB40402@~mx1.srsdomain.com~
   Feb  2 23:20:52 quimby0 postfix/qmgr[19227]: CC0CB40402: from=,
   size=3461, nrcpt=1 (queue active)
   Feb  2 23:20:52 quimby0 postfix/bounce[19234]: 30D73403ED: sender
   non-delivery notification: CC0CB40402
   Feb  2 23:20:52 quimby0 postfix/qmgr[19227]: 30D73403ED: removed

   *Postfix attempts a local delivery to
   SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~ (resulting in
   unknown user error) instead of rewriting
   SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~ to my email
   and sending the bounce to a remote host*

   Feb  2 23:20:52 quimby0 postfix/local[19235]: CC0CB40402:
   to=SRS0=GUdW=XI=terabytemedia.com=mikemc@~srsdomain.com~,
   relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=5.1.1,
   status=bounced (unknown user: srs0=gudw=xi=terabytemedia.com=mikemc)
   Feb  2 23:20:52 quimby0 postfix/qmgr[19227]: CC0CB40402: removed

I am very appreciative of your help.  Please let me know if any 
additional information is needed.


Michael




Re: SRS bounces not working in postfix

2014-02-03 Thread Jason Woods
Hi Michael,

It all looks fine config wise. But seems the bounce, although going through 
cleanup according to log, isn't rewriting.

All I can suggest is to check there's no conflicting config elsewhere regarding 
canonical etc. such as master.cf overriding it etc.

And maybe test the decoding by Telnet 127.0.0.1 10002
And send the following line:
get<space><addresstodecode><enter>
Example:
get SRS0==XX=test.com=t...@domain.com

(Use the address you see in logs, bearing in mind it is only valid for a period 
of time.)

It will either return reason it's not working, or confirm it is working and 
confirm it's something postfix side preventing the canonical rewriting from 
processing.

Regards,

Jason

Re: SRS bounces not working in postfix

2014-02-03 Thread Michael McCallister

Thanks again Jason - I get this using your specified telnet test:

500 Hash invalid in SRS address.

So I have been playing around with it more now in light of this new 
information - here is what I have found:


 * It works and delivers mail when the -I switch is NOT present (this
   has been my usage in all examples).  However, when I try to decode
   in this mode I get 500 Hash invalid in SRS address. when testing
   in telnet - which could explain why bounces are not working.  Telnet
   encode tests on port 10001 work fine.
 * When the -I switch IS present, it does not deliver mail. However,
   it passes both telnet encode/decode tests.  Here is the delivery
   problem I see in the logs:

   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: connect from
   homer.terabytemedia.com[74.206.115.225]
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: warning:
   tcp:127.0.0.1:10002 lookup error for ~us...@forwardingdomain.com~
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: NOQUEUE: reject: RCPT
   from homer.terabytemedia.com[74.206.115.225]: 451 4.3.0
   mikeboun...@acermanuals.com: Temporary lookup failure;
   from=mikemc@terabyte[added_to_prevent_spam]media.com
   to=~us...@forwardingdomain.com~ proto=ESMTP
   helo=homer.terabytemedia.com
   Feb  3 16:31:00 quimby0 postfix/smtpd[32357]: disconnect from
   homer.terabytemedia.com[74.206.115.225]

   So I am now getting some warning: tcp:127.0.0.1:10002 lookup error
   with the -I switch enabled - but it passes telnet encode/decode tests.

I am confused why it is logging a decoding error with -I as opposed to 
without -I in the logs above - you would think it would do that in 
either case since ~us...@forwardingdomain.com~ is not SRS encoded.  One 
thing that might explain this - when testing on telnet with -I off, I 
get a 400 external domains are ignored error (maybe 4xx errors are 
warnings to Postfix and it continues to send and moves on to encoding?) 
- with -I on, I get a 500 Not an SRS address. which I assume is fatal.


One fix might be to patch pfix-srsd (I don't program in C but could 
probably figure it out) to return a 400 error for the 500 Not an SRS 
address..  I cannot think of any way that opens me up to problems since 
I assume the address would just not be rewritten by Postfix in this case.


Any ideas?

Michael
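
The 400/500 replies discussed in this thread follow the Postfix tcp_table(5) lookup protocol, where 200 means found, 500 means the key does not exist, and 400 means a temporary error. The sketch below is an added example, not code from the thread or from pfixtools: it scripts the telnet test and classifies the reply; the function names and the `user%40example.org` reply are assumptions made for illustration.

```python
import re
import socket
from urllib.parse import unquote

# Reply classes from Postfix tcp_table(5), with how Postfix reacts to each.
FOUND, NOT_FOUND, TEMP_ERROR = "found", "not_found", "temp_error"
CLASSES = {"200": FOUND, "500": NOT_FOUND, "400": TEMP_ERROR}
POSTFIX_ACTION = {
    FOUND: "use the returned text as the lookup result",
    NOT_FOUND: "key does not exist (a canonical map leaves the address as is)",
    TEMP_ERROR: "lookup error; the client is deferred and should retry",
}


def encode_key(key):
    """%XX-encode '%', whitespace and non-printing bytes, as the protocol requires."""
    out = []
    for b in key.encode("utf-8"):
        plain = 0x21 <= b <= 0x7E and b != 0x25
        out.append(chr(b) if plain else "%%%02X" % b)
    return "".join(out)


def parse_reply(line):
    """Return (class, decoded text) for one reply line, or raise ValueError."""
    m = re.fullmatch(r"(\d{3}) (.*)", line.rstrip("\r\n"))
    if not m or m.group(1) not in CLASSES:
        raise ValueError("not a tcp_table reply: %r" % line)
    return CLASSES[m.group(1)], unquote(m.group(2))


def lookup(host, port, key, timeout=5.0):
    """Send 'get <key>' to a tcp_table server (the telnet test, scripted)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("get %s\n" % encode_key(key)).encode("ascii"))
        reply = sock.makefile("r", encoding="utf-8").readline()
    return parse_reply(reply)


if __name__ == "__main__":
    # Reply lines as reported in the thread, plus one constructed 200 reply.
    for sample in ("500 Hash invalid in SRS address.",
                   "400 external domains are ignored",
                   "200 user%40example.org"):
        cls, text = parse_reply(sample)
        print("%-10s %-32s -> %s" % (cls, text, POSTFIX_ACTION[cls]))
```

Calling `lookup("127.0.0.1", 10002, address)` against the decoder port shows at a glance whether a reply will be treated as "not found" or will surface in the Postfix log as a temporary lookup failure.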



