My MX servers have no mailboxes. They either relay email to an external
domain address the user asked to have set up, or they relay to one of three
servers within our domain. We use:
virtual_alias_maps = hash:/etc/postfix/relocated
    hash:/etc/postfix/class_lists hash:/etc/postfix/virtual
virtual_alias_domains = $virtual_alias_maps, mydomain.ca
The virtual file contains every address we handle in one of these ways.
I can't see using reject_unverified_recipient for the volume of email we
have, and it is pointless to do when we have a valid list of all addresses
the MX should handle.
In main.cf I see:
# The relay_domains parameter restricts what destinations this system will
# relay mail to.
The list of domains we forward to, based on the virtual mapping file,
will vary over time, so there is no easy way to satisfy the
requirements of relay_recipient_map.
Based on what I'm seeing in our logs, and from swaks talking to our MX
I have to conclude that relay_recipient_map is not the only way to disable
backscatter. The documentation should include mention of virtual_alias_maps
as being another alternative which allows reject prior to queueing.
With relay_domain and mydestination set to null, we are getting useful
rejects. From swaks I test email to a non-existent address:
=== Trying nexa.mydomain.ca:9077...
=== Connected to nexa.mydomain.ca.
<- 220 nexa.mydomain.ca ESMTP Postfix
-> EHLO somewhere.ca
<- 250-nexa.mydomain.ca
<- 250-PIPELINING
<- 250-SIZE 10000000
<- 250-ETRN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> MAIL FROM:< ... at somewhere dot ca>
<- 250 2.1.0 Ok
-> RCPT TO:<donald. ... at mydomain dot ca>
<** 550 5.1.1 <donald. ... at mydomain dot ca>: Recipient address rejected: User unknown in virtual alias table
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
Comments
Re: preventing backscatter with virtual_alias_maps
By mouss at 11/21/2008 - 03:39
D G Teed wrote:
if you have no domains in relay_domains, then you don't need
relay_recipient_maps nor reject_unverified_domains.
you are using a "non standard" setup in the sense that you are declaring
the domains as virtual_alias_domains when they are relay_domains.
if you have wildcard aliases (alias for the whole domain), then you may
have a backscatter problem. see below.
test with a domain for which you have a wildcard alias in one of your
virtual_alias_maps. so if you have a line like
@example.com @example.org
then try sending mail (with telnet or a MUA that uses smtp) to
 ... at example dot com.
Re: preventing backscatter with virtual_alias_maps
By D G Teed at 11/21/2008 - 09:06
Perhaps "non standard" but it works best for us.
98% of our virtual map is mapped to one of three inbox
servers, while the other 2% want to forward their
stuff to gmail or some special service. It seems
the most flexible way to run a mapping.
We only serve one domain as MX on this server.
if you have wildcard aliases (alias for the whole domain), then you may
We have no wildcards. For every recipient there is one
mapping entry.
I think the Postfix docs should include this method as
a valid one for preventing backscatter. So many answers
I've read say you require relay_recipient_maps to prevent
backscatter generation, while one can get the same
prevention with the right virtual mapping set up.
Thanks for the confirmation on that.
--Donald
Re: preventing backscatter with virtual_alias_maps
By mouss at 11/21/2008 - 15:12
D G Teed wrote:
but it is not. actually, relay_domains is the most flexible. and if not,
then virtual_mailbox_domains is my second choice. but let me not get
into this.
did you read ADDRESS CLASS README? because it doesn't help to debate
docs improvements with people who didn't read and understand the
available docs.
There are many ways to set up a mail system. there are many ways to get
it right, and there are many more ways to get it wrong. if you can get
it right, feel free to be as imaginative as you can/want. but if you are
not as confident, then follow general setup advice. if you need non-free
(audit|consulting|securing|tuning|washing your sockets|...), some of us
here will be pleased to "help" you.
Re: preventing backscatter with virtual_alias_maps
By Wietse Venema at 11/21/2008 - 09:14
D G Teed:
If you choose to use "what works" instead of the documented
guidelines, then you should not be surprised when things "stop
working" after migration to a different Postfix version.
Wietse
Re: preventing backscatter with virtual_alias_maps
By D G Teed at 11/28/2008 - 12:50
Thanks, I've taken that under advisement.
I don't know why the previous admin(s) set it up
via virtual_alias_domains. I suppose once it was
functional, that was good enough.
On my dev system I'm now using:
virtual_alias_maps = hash:/etc/postfix/relocated
    hash:/etc/postfix/class_lists hash:/etc/postfix/virtual
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/campus_overquota,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_sender_access hash:/etc/postfix/whitelist,
    check_client_access hash:/etc/postfix/access,
    reject_non_fqdn_recipient,
    reject_rbl_client LICENSEKEYOBSCURED.r.mail-abuse.com,
    reject_rbl_client zen.spamhaus.org,
    permit
relay_domains = mydomain.ca
relay_recipient_maps = hash:/etc/postfix/recipient
smtpd_client_restrictions = reject_unlisted_recipient,
    check_client_access cidr:/etc/postfix/client.cidr,
    check_sender_access hash:/etc/postfix/whitelist,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_client_access hash:/etc/postfix/access,
    reject_invalid_hostname,
    reject_unknown_client
This rejects and delivers as desired.
Re: preventing backscatter with virtual_alias_maps
By D G Teed at 11/21/2008 - 12:11
I'd like to see an example of a set up where we could use relay_domains
and provide the flexibility of sending to any of our inbox servers
within our domain, or forwarding a particular address's email
to an outside email address like gmail.com
I'm sorry but it just isn't adding up to me from the docs.
When I tried relay_domains and a recipient maps file on a dev
server using swaks to deliver to a non-existent address, then I
saw the undesirable bounce as a new message.
--Donald
Re: preventing backscatter with virtual_alias_maps
By mouss at 11/21/2008 - 15:20
D G Teed wrote:
it doesn't take more than:
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
if you want to forward, simply add entries to virtual_alias_maps.
or do you confuse virtual_alias_maps and virtual_alias_domains? These
are completely different concepts.
if it doesn't work for you, then you did it wrong.
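
Added example, not part of any post in this thread and not Postfix code: a Python check that parses a virtual alias map in Postfix's table source format, lists domains carrying a wildcard alias of the kind mouss describes, and reports whether a recipient would be turned away during the SMTP session as in the swaks transcript. The sample map, the function names and the simplified lookup order (full address, then @domain, no address extensions) are assumptions.

```python
import re

# Constructed sample in Postfix lookup-table source format (not from the thread).
SAMPLE_VIRTUAL = """\
# one entry per recipient, as described in the thread
alice@mydomain.ca    alice@inbox1.mydomain.ca
Bob@mydomain.ca      bob@inbox2.mydomain.ca,
    bob.archive@gmail.com
# wildcard alias of the kind mouss warns about
@example.com         @example.org
"""

def parse_table(text):
    """Parse table source text into {lowercased key: [targets]}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:                   # skip keys that have no value
            table[parts[0].lower()] = [t for t in re.split(r"[,\s]+", parts[1]) if t]
    return table

def catch_all_domains(table):
    """Domains with an '@domain' key: every address there passes the RCPT check."""
    return sorted(key[1:] for key in table if key.startswith("@"))

def rcpt_verdict(table, rcpt):
    """Simplified lookup (assumption): full address first, then '@domain'."""
    rcpt = rcpt.lower()
    if rcpt in table:
        return "listed"
    if "@" + rcpt.rpartition("@")[2] in table:
        return "catch-all"   # accepted now, may bounce later: backscatter risk
    return "unknown"         # rejected in-session: "User unknown in virtual alias table"

if __name__ == "__main__":
    table = parse_table(SAMPLE_VIRTUAL)
    print("catch-all domains:", catch_all_domains(table))
    for rcpt in ("alice@mydomain.ca", "nobody@mydomain.ca", "nobody@example.com"):
        print(rcpt, "->", rcpt_verdict(table, rcpt))
```

An empty result from `catch_all_domains` on every file named in virtual_alias_maps is the condition D G Teed describes ("We have no wildcards").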