Backscatter on Gateway Mail Servers


Backscatter on Gateway Mail Servers

Dan Slay
I'm looking for some information on preventing the sending of backscatter from a Postfix gateway mail server.

The server itself does not and will not hold a recipient list, therefore I don't know what the best way forward would be? The server accepts for a number of different domains.

Any advice would be appreciated.

Thanks

Dan.

Re: Backscatter on Gateway Mail Servers

Martijn de Munnik-2
On Tue, 15 Sep 2009 09:45:53 +0100, Dan Slay <[hidden email]>
wrote:
> I'm looking for some information on preventing the sending of backscatter
> from a Postfix gateway mail server.
>
> The server itself does not and will not hold a recipient list, therefore I
> don't know what the best way forward would be? The server accepts for a
> number of different domains.
>
> Any advice would be appreciated.

I'm using
http://www.postfix.org/postconf.5.html#reject_unverified_recipient

Martijn

>
> Thanks
>
> Dan.


Re: Backscatter on Gateway Mail Servers

Ansgar Wiechers
In reply to this post by Dan Slay
On 2009-09-15 Dan Slay wrote:
> I'm looking for some information on preventing the sending of
> backscatter from a Postfix gateway mail server.
>
> The server itself does not and will not hold a recipient list,

Then you can't avoid sending backscatter. Period. RFC 2821 clearly
states:

| If an SMTP server has accepted the task of relaying the mail and
| later finds that the destination is incorrect or that the mail
| cannot be delivered for some other reason, then it MUST construct
| an "undeliverable mail" notification message and send it to the
| originator of the undeliverable mail

> therefore I don't know what the best way forward would be?

Maintain a recipient list.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Backscatter on Gateway Mail Servers

Dan Slay
Thanks, that's what I have read. Which is why this makes things more awkward.

I cannot see that holding a recipient list is a solution. If, for instance, you relay for thousands of domains all going to different MTAs that hold each individual domain's recipient list, it's not really that straightforward and may impact performance?

On Tue, Sep 15, 2009 at 10:28 AM, Ansgar Wiechers <[hidden email]> wrote:
On 2009-09-15 Dan Slay wrote:
> I'm looking for some information on preventing the sending of
> backscatter from a Postfix gateway mail server.
>
> The server itself does not and will not hold a recipient list,

Then you can't avoid sending backscatter. Period. RFC 2821 clearly
states:

| If an SMTP server has accepted the task of relaying the mail and
| later finds that the destination is incorrect or that the mail
| cannot be delivered for some other reason, then it MUST construct
| an "undeliverable mail" notification message and send it to the
| originator of the undeliverable mail

> therefore I don't know what the best way forward would be?

Maintain a recipient list.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Backscatter on Gateway Mail Servers

Mark Goodge
Dan Slay wrote:
> Thanks, that's what I have read. Which is why this makes things more awkward.
>
> I cannot see that holding a recipient list is a solution. If, for
> instance, you relay for thousands of domains all going to different
> MTAs that hold each individual domain's recipient list, it's not really
> that straightforward and may impact performance?

Postfix can generate and maintain an internal recipient list by means of
a recipient check on the downstream MTA before accepting mail to a
previously unknown user. See these pages for information on how it works:

http://www.postfix.org/postconf.5.html#reject_unverified_recipient
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Correctly configured, with the right degree of persistence in the cache,
this will have minimal impact on performance while also significantly
reducing backscatter. The actual tradeoff between effectiveness and
performance is dependent on how long data is cached for; if your system
can cope with it then it's best not to cache at all as that's the only
way to ensure zero backscatter. But even a fairly lengthy cache time
will be sufficient to prevent the majority of backscatter, provided that
the recipient email addresses don't get switched off very often.

Mark

Re: Backscatter on Gateway Mail Servers

Martijn de Munnik-2
On Tue, 15 Sep 2009 11:12:52 +0100, Mark Goodge <[hidden email]>
wrote:

> Dan Slay wrote:
>> Thanks, that's what I have read. Which is why this makes things more
>> awkward.
>>
>> I cannot see that holding a recipient list is a solution. If, for
>> instance, you relay for thousands of domains all going to different
>> MTAs that hold each individual domain's recipient list, it's not really
>> that straightforward and may impact performance?
>
> Postfix can generate and maintain an internal recipient list by means of
> a recipient check on the downstream MTA before accepting mail to a
> previously unknown user. See these pages for information on how it works:
>
> http://www.postfix.org/postconf.5.html#reject_unverified_recipient
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> Correctly configured, with the right degree of persistence in the cache,
> this will have minimal impact on performance while also significantly
> reducing backscatter. The actual tradeoff between effectiveness and
> performance is dependent on how long data is cached for; if your system
> can cope with it then it's best not to cache at all as that's the only
> way to ensure zero backscatter. But even a fairly lengthy cache time
> will be sufficient to prevent the majority of backscatter, provided that
> the recipient email addresses don't get switched off very often.

One other minor issue with caching is when a mail is received for a
non-existing mail address. The cache remembers this. When the mail address is
created, mail is rejected during the cache period.

>
> Mark

--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568

Re: Backscatter on Gateway Mail Servers

Robert Schetterer
In reply to this post by Mark Goodge
Mark Goodge wrote:

> Dan Slay wrote:
>> Thanks, that's what I have read. Which is why this makes things more
>> awkward.
>>
>> I cannot see that holding a recipient list is a solution. If, for
>> instance, you relay for thousands of domains all going to different
>> MTAs that hold each individual domain's recipient list, it's not really
>> that straightforward and may impact performance?
>
> Postfix can generate and maintain an internal recipient list by means of
> a recipient check on the downstream MTA before accepting mail to a
> previously unknown user. See these pages for information on how it works:
>
> http://www.postfix.org/postconf.5.html#reject_unverified_recipient
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> Correctly configured, with the right degree of persistence in the cache,
> this will have minimal impact on performance while also significantly
> reducing backscatter. The actual tradeoff between effectiveness and
> performance is dependent on how long data is cached for; if your system
> can cope with it then it's best not to cache at all as that's the only
> way to ensure zero backscatter. But even a fairly lengthy cache time
> will be sufficient to prevent the majority of backscatter, provided that
> the recipient email addresses don't get switched off very often.
>
> Mark

Additionally, you may have problems with mail servers using greylisting
during recipient verification, so normally you should only do this if
you are sure that no greylisting is done for your server's IP on the
verification servers and they give i.e. a 550 for non-existent mail
addresses, and your server should do so as well after the verification
result; therefore having a recipient list is the right way.

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
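
The recipient-verification setup discussed in the posts above by Mark Goodge, Martijn de Munnik and Robert Schetterer, as an added example that is not part of any post in this thread. The map path and the timer values are assumptions chosen for illustration; the parameter names are Postfix's own (`unverified_recipient_tempfail_action` needs Postfix 2.6 or later).

```conf
# /etc/postfix/main.cf (added example; path and timer values are assumptions)

# Probe the downstream MTA at RCPT TO time and reject unknown recipients
# during the SMTP dialogue, so the gateway never has to bounce them later.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unverified_recipient

# Persistent cache of probe results, kept by the verify(8) daemon.
address_verify_map = btree:/var/lib/postfix/verify

# Positive results: a long expiry keeps the probe load low. An address that
# is removed downstream can still be accepted (and later bounced) while its
# positive cache entry remains valid; that is the remaining backscatter window.
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d

# Negative results: a short refresh interval limits how long a newly
# created mailbox keeps being rejected because of an earlier failed probe.
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 1h

# Reply sent to the client when the downstream MTA rejected the probe.
# The default is 450 (client retries later); 550 makes the rejection
# permanent and only fits a downstream MTA that answers probes reliably.
unverified_recipient_reject_code = 550

# When the probe itself is deferred (for example by greylisting on the
# downstream MTA), answer 4xx instead of accepting the message.
unverified_recipient_tempfail_action = defer_if_permit
```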

Re: Backscatter on Gateway Mail Servers

ib-6
In reply to this post by Dan Slay
Dan Slay wrote:
> Thanks, that's what I have read. Which is why this makes things more awkward.
>
> I cannot see that holding a recipient list is a solution.
[...]

Hello Dan and others

Does anybody have experience with the sendmail milter 'scam-backscatter' by Eland
Systems? Maybe it may solve your problem...


kind regards

Ilja Beeskow

Re: Backscatter on Gateway Mail Servers

Stan Hoeppner
In reply to this post by Ansgar Wiechers
Ansgar Wiechers put forth on 9/15/2009 4:28 AM:

> Then you can't avoid sending backscatter. Period. RFC 2821 clearly
> states:
>
> | If an SMTP server has accepted the task of relaying the mail and
> | later finds that the destination is incorrect or that the mail
> | cannot be delivered for some other reason, then it MUST construct
> | an "undeliverable mail" notification message and send it to the
> | originator of the undeliverable mail
>
>> therefore I don't know what the best way forward would be?
>
> Maintain a recipient list.

This is your starting point:
http://www.postfix.org/postconf.5.html#relay_recipient_maps

This might be useful for AD/LDAP:
http://www2.origogeneris.com:4000/relay_recipients.html

Google for other solutions.  Lots of info on this topic out there.

FYI my Postfix MX is strictly an anti-spam/gateway server as well, and I use relay_recipients.  Granted, I've got less than 100 valid email addresses that change rarely, but even if it were 100,000 it still wouldn't be that much trouble to maintain, assuming I have timely access to address adds/changes on the downstream MTA(s), which I do.

--
Stan

Re: Backscatter on Gateway Mail Servers

Stan Hoeppner
Stan Hoeppner put forth on 9/15/2009 5:44 AM:

> Ansgar Wiechers put forth on 9/15/2009 4:28 AM:
>
>> Then you can't avoid sending backscatter. Period. RFC 2821 clearly
>> states:
>>
>> | If an SMTP server has accepted the task of relaying the mail and
>> | later finds that the destination is incorrect or that the mail
>> | cannot be delivered for some other reason, then it MUST construct
>> | an "undeliverable mail" notification message and send it to the
>> | originator of the undeliverable mail
>>
>>> therefore I don't know what the best way forward would be?
>> Maintain a recipient list.
>
> This is your starting point:
> http://www.postfix.org/postconf.5.html#relay_recipient_maps
>
> This might be useful for AD/LDAP:
> http://www2.origogeneris.com:4000/relay_recipients.html
>
> Google for other solutions.  Lots of info on this topic out there.
>
> FYI my Postfix MX is strictly an anti-spam/gateway server as well, and I use relay_recipients.  Granted, I've got less than 100 valid email addresses that change rarely, but even if it were 100,000 it still wouldn't be that much trouble to maintain, assuming I have timely access to address adds/changes on the downstream MTA(s), which I do.

Sorry, should have included this the first time:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

That's your starting point (if you've not read it already).

--
Stan
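
The static recipient list that Stan Hoeppner describes, sketched as an added example that is not part of his posts. The domain names, file paths, downstream host and addresses are constructed placeholders.

```conf
# /etc/postfix/main.cf (added example; names and paths are placeholders)

# Domains this gateway relays for, and where each one is forwarded.
relay_domains = example.com, example.net
transport_maps = hash:/etc/postfix/transport

# The complete list of valid recipients in those domains. A RCPT TO for
# an address in a relay domain that is missing from this table is rejected
# during the SMTP dialogue, so no bounce is generated afterwards.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# This host delivers nothing locally.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# /etc/postfix/transport
#   example.com    smtp:[inside-gateway.example.com]
#   example.net    smtp:[inside-gateway.example.com]

# /etc/postfix/relay_recipients
# Each left-hand side is one valid address; the right-hand side only has
# to be non-empty.
#   alice@example.com    OK
#   bob@example.net      OK

# After every change to either table, rebuild the indexed files:
#   postmap /etc/postfix/transport
#   postmap /etc/postfix/relay_recipients
```

The list stays accurate only if address additions and removals on the downstream MTAs reach the gateway promptly, which is the condition Stan attaches to this approach.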

Re: Backscatter on Gateway Mail Servers

Egoitz Aurrekoetxea Aurre-2
In reply to this post by Robert Schetterer
Don't bounce your overquota messages... just reject them :) at mail
gateway level at smtp dialogue, this way you will be saving resources on
scanning and later perhaps on bouncing them from any place :)

http://postfixquotareject.ramattack.net

:) :)

> Mark Goodge wrote:
>> Dan Slay wrote:
>>> Thanks, that's what I have read. Which is why this makes things more
>>> awkward.
>>>
>>> I cannot see that holding a recipient list is a solution. If, for
>>> instance, you relay for thousands of domains all going to different
>>> MTAs that hold each individual domain's recipient list, it's not really
>>> that straightforward and may impact performance?
>>
>> Postfix can generate and maintain an internal recipient list by means of
>> a recipient check on the downstream MTA before accepting mail to a
>> previously unknown user. See these pages for information on how it
>> works:
>>
>> http://www.postfix.org/postconf.5.html#reject_unverified_recipient
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>>
>> Correctly configured, with the right degree of persistence in the cache,
>> this will have minimal impact on performance while also significantly
>> reducing backscatter. The actual tradeoff between effectiveness and
>> performance is dependent on how long data is cached for; if your system
>> can cope with it then it's best not to cache at all as that's the only
>> way to ensure zero backscatter. But even a fairly lengthy cache time
>> will be sufficient to prevent the majority of backscatter, provided that
>> the recipient email addresses don't get switched off very often.
>>
>> Mark
>
> Additionally, you may have problems with mail servers using greylisting
> during recipient verification, so normally you should only do this if
> you are sure that no greylisting is done for your server's IP on the
> verification servers and they give i.e. a 550 for non-existent mail
> addresses, and your server should do so as well after the verification
> result; therefore having a recipient list is the right way.
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>