Bounce at SMTPD level


Bounce at SMTPD level

Thomas Bolioli
http://forum.qmailrocks.org/archive/index.php/t-1623.html

I found the above link when looking for a how to for configuring postfix
to bounce email BEFORE the initial MTA transaction is complete. I can't
seem to find one for postfix. I want sending MTAs to get a 550 error
if spamc/spamd determine a mail is spammy so non spam senders get some
sort of feedback that their message has been tossed and not delivered.
For obvious reasons you can't do this as a bounce to the From: or
Reply-To: header emails so it has to happen during the initial MTA
transaction. Can someone point me to a how to for this?
Thanks,
Tom

Re: Bounce at SMTPD level

Seth Mattinen
Thomas Bolioli wrote:

> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>
> I found the above link when looking for a how to for configuring postfix
> to bounce email BEFORE the initial MTA transaction is complete. I can't
> seem to find one for postfix. I want a sending MTAs to get a 550 error
> if spamc/spamd determine a mail is spammy so non spam senders get some
> sort of feedback that their message has been tossed and not delivered.
> For obvious reasons you can't do this as a bounce to the From: or
> Reply-To: header emails so it has to happen during the initial MTA
> transaction. Can someone point me to a how to for this?
> Thanks,
> Tom


You probably want a before-queue filter or milter:

http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/MILTER_README.html

~Seth

Re: Bounce at SMTPD level

Marty Anstey
In reply to this post by Thomas Bolioli

> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>
> I found the above link when looking for a how to for configuring
> postfix to bounce email BEFORE the initial MTA transaction is
> complete. I can't seem to find one for postfix. I want a sending MTAs
> to get a 550 error if spamc/spamd determine a mail is spammy so non
> spam senders get some sort of feedback that their message has been
> tossed and not delivered. For obvious reasons you can't do this as a
> bounce to the From: or Reply-To: header emails so it has to happen
> during the initial MTA transaction. Can someone point me to a how to
> for this?
> Thanks,
> Tom

I don't think you can pass messages directly to spamc/spamd in a
before-queue scenario.

Check out spampd
(http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html) and
spamass-milter (http://savannah.nongnu.org/projects/spamass-milt/)

We had some trouble with SpamPD under load, so we ended up using
Spamass-Milter patched for our needs.

I don't think either project is being currently maintained however.

-M


Re: Bounce at SMTPD level

Terry Carmen
In reply to this post by Thomas Bolioli

> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>
> I found the above link when looking for a how to for configuring postfix
> to bounce email BEFORE the initial MTA transaction is complete. I can't
> seem to find one for postfix. I want a sending MTAs to get a 550 error
> if spamc/spamd determine a mail is spammy so non spam senders get some
> sort of feedback that their message has been tossed and not delivered.
> For obvious reasons you can't do this as a bounce to the From: or
> Reply-To: header emails so it has to happen during the initial MTA
> transaction. Can someone point me to a how to for this?

Unless I'm misunderstanding you, what you really want is to not accept the
message if it's spam. Bouncing it implies accepting it and then sending back
an NDR.

Although you can accomplish this with a Before Queue Filter:
http://www.postfix.org/SMTPD_PROXY_README.html, it may become a performance
problem and it is probably not an optimal solution.

Aside from anything else, it will really annoy the senders if the mail is
legitimate.

Terry





Re: Bounce at SMTPD level

Marty Anstey

>> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>>
>> I found the above link when looking for a how to for configuring postfix
>> to bounce email BEFORE the initial MTA transaction is complete. I can't
>> seem to find one for postfix. I want a sending MTAs to get a 550 error
>> if spamc/spamd determine a mail is spammy so non spam senders get some
>> sort of feedback that their message has been tossed and not delivered.
>> For obvious reasons you can't do this as a bounce to the From: or
>> Reply-To: header emails so it has to happen during the initial MTA
>> transaction. Can someone point me to a how to for this?
>>    
>
> Unless I'm misunderstanding you, what you really want is to not accept the
> message if it's spam. Bouncing it implies accepting it and then sending back
> an NDR.
>
> Although you can accomplish this with a Before Queue Filter:
> http://www.postfix.org/SMTPD_PROXY_README.html, it may become a performance
> problem and it is probably not an optimal solution.
>
> Aside from anything else, it will really annoy the senders if the mail is
> legitimate.
>
> Terry
>
>  
Agreed, you would only want to run your before-queue configuration on a
lightly loaded mail system, unless you can engineer a creative way of
distributing the load.

However, I don't see how it would annoy the senders, unless something
was configured poorly and you generated a lot of false positives. If
your FP potential is low, you would be just fine running this way.

Rejecting messages inline is a far better solution than generating a
bounce or simply dropping the message. Most, if not all spam has a
forged sender so generating a bounce is a very bad idea. Rejecting
inline is much better than dropping message; at least that way the
sender will get an NDR from their MTA.

-M



Re: Bounce at SMTPD level

Thomas Harold-3
On 12/10/2009 8:09 PM, Marty Anstey wrote:
>
> Rejecting messages inline is a far better solution than generating a
> bounce or simply dropping the message. Most, if not all spam has a
> forged sender so generating a bounce is a very bad idea. Rejecting
> inline is much better than dropping message; at least that way the
> sender will get an NDR from their MTA.
>

Agreed.  Never bounce, except to internal email addresses or in cases
where you can prove that it won't result in backscatter.

Our solution to the original issue is that we simply quarantine
extra-spammy messages in a special folder in each user's account, then
we delete anything in there over 90 days old.  We have to do it that way
because we're doing post-queue spam-scoring, so it's too late to 5xx
reject the message.

(We do as much SMTP time blocking as possible, using HELO checks, SPF
checks, anti-virus filtering, and a few other tricks.  Everything else
gets fed to the spam filter and scored.  Low scoring stuff goes in the
inbox, high scoring stuff goes in a quarantine folder.)

Re: Bounce at SMTPD level

Ralf Hildebrandt
In reply to this post by Thomas Bolioli
* Thomas Bolioli <[hidden email]>:
> http://forum.qmailrocks.org/archive/index.php/t-1623.html

The document describes rejection of unknown recipients.
The document is misnamed, since no bouncing takes place but a simple
rejection.

> I found the above link when looking for a how to for configuring
> postfix to bounce email BEFORE the initial MTA transaction is
> complete. I can't seem to find one for postfix.

Postfix does that by default.

> I want a sending MTAs to get a 550 error if spamc/spamd determine a
> mail is spammy so non spam senders get some sort of feedback that their
> message has been tossed and not delivered. For obvious reasons you
> can't do this as a bounce to the From: or Reply-To: header emails so it
> has to happen during the initial MTA transaction. Can someone point me
> to a how to for this? Thanks, Tom

Run amavisd-new as smtpd_proxy_server

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Bounce at SMTPD level

Ralf Hildebrandt
In reply to this post by Marty Anstey
* Marty Anstey <[hidden email]>:

> I don't think you can pass messages directly to spamc/spamd in a
> before-queue scenario.

Yes, that's because it doesn't speak SMTP

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Bounce at SMTPD level

Thomas Bolioli
In reply to this post by Terry Carmen
> Aside from anything else, it will really annoy the senders if the mail is
> legitimate.

What annoys them even more is their message looking like it got through and it ended up in the junk folder or dropped to dev null.

Terry Carmen wrote:

>> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>>
>> I found the above link when looking for a how to for configuring postfix
>> to bounce email BEFORE the initial MTA transaction is complete. I can't
>> seem to find one for postfix. I want a sending MTAs to get a 550 error
>> if spamc/spamd determine a mail is spammy so non spam senders get some
>> sort of feedback that their message has been tossed and not delivered.
>> For obvious reasons you can't do this as a bounce to the From: or
>> Reply-To: header emails so it has to happen during the initial MTA
>> transaction. Can someone point me to a how to for this?
>
> Unless I'm misunderstanding you, what you really want is to not accept the
> message if it's spam. Bouncing it implies accepting it and then sending back
> an NDR.
>
> Although you can accomplish this with a Before Queue Filter:
> http://www.postfix.org/SMTPD_PROXY_README.html, it may become a performance
> problem and it is probably not an optimal solution.
>
> Aside from anything else, it will really annoy the senders if the mail is
> legitimate.
>
> Terry

Re: Bounce at SMTPD level

Thomas Bolioli
In reply to this post by Thomas Harold-3
Our recipient users are not keeping up with their obligations in this
scheme and instead are blaming us. We are trying to both remove reliance
on the user and put the onus on the sender to fix their issues as most
of the email getting bounced is poorly configured MTAs on the sender side.

> (We do as much SMTP time blocking as possible, using HELO checks, SPF
> checks, anti-virus filtering, and a few other tricks.  Everything else
> gets fed to the spam filter and scored.  Low scoring stuff goes in the
> inbox, high scoring stuff goes in a quarantine folder.)
We are trying to combine these two steps. May as well spam score and
reject at the same time. It seems like the most reasonable solution if
it's technically possible.

Thanks,
Tom

Thomas Harold wrote:

> On 12/10/2009 8:09 PM, Marty Anstey wrote:
>>
>> Rejecting messages inline is a far better solution than generating a
>> bounce or simply dropping the message. Most, if not all spam has a
>> forged sender so generating a bounce is a very bad idea. Rejecting
>> inline is much better than dropping message; at least that way the
>> sender will get an NDR from their MTA.
>>
>
> Agreed.  Never bounce, except to internal email addresses or in cases
> where you can prove that it won't result in backscatter.
>
> Our solution to the original issue is that we simply quarantine
> extra-spammy messages in a special folder in each user's account, then
> we delete anything in there over 90 days old.  We have to do it that
> way because we're doing post-queue spam-scoring, so it's too late to
> 5xx reject the message.
>
> (We do as much SMTP time blocking as possible, using HELO checks, SPF
> checks, anti-virus filtering, and a few other tricks.  Everything else
> gets fed to the spam filter and scored.  Low scoring stuff goes in the
> inbox, high scoring stuff goes in a quarantine folder.)

Re: Bounce at SMTPD level

Thomas Bolioli
In reply to this post by Ralf Hildebrandt
This is an interesting. You are saying run amavisd as an MTA in between postfix and the sending MTA to reject the spammy/virus messages inbound and then send off to postfix everything else for delivery. What happens to non deliverables? They will make it through the first transaction. Or does amavisd reference postfix's configuration at all?
Thanks,
Tom

Ralf Hildebrandt wrote:

> * Thomas Bolioli [hidden email]:
>> http://forum.qmailrocks.org/archive/index.php/t-1623.html
>
> The document describes rejection of unknown recipients.
> The document is misnamed, since no bouncing takes place but a simple
> rejection.
>
>> I found the above link when looking for a how to for configuring
>> postfix to bounce email BEFORE the initial MTA transaction is
>> complete. I can't seem to find one for postfix.
>
> Postfix does that by default.
>
>> I want a sending MTAs to get a 550 error if spamc/spamd determine a
>> mail is spammy so non spam senders get some sort of feedback that their
>> message has been tossed and not delivered. For obvious reasons you
>> can't do this as a bounce to the From: or Reply-To: header emails so it
>> has to happen during the initial MTA transaction. Can someone point me
>> to a how to for this? Thanks, Tom
>
> Run amavisd-new as smtpd_proxy_server

Backscatter? What's happened here?

vince-51
In reply to this post by Thomas Bolioli
Hello,
Can someone tell me what has happened to cause this message
to come to me from my server?
I don't generally get rejected spam messages
What made this message different from a simple rejected spam?
What's the trick?
 
Here's the source version of the message:
 
=====================
 
Return-Path: <MAILER-DAEMON>
Delivered-To: [hidden email]
Received: from localhost (localhost [127.0.0.1])
 by server.example.org (Postfix) with ESMTP id 415FF7D15
 for <[hidden email]>; Fri, 11 Dec 2009 10:50:01 -0500 (EST)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1260546601-11071-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <[hidden email]>
Message-ID: <[hidden email]>
From: "Content-filter at server.example.org" <[hidden email]>
To: <[hidden email]>
Date: Fri, 11 Dec 2009 10:50:00 -0500 (EST)
 
This is a multi-part message in MIME format...
 
------------=_1260546601-11071-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
 
A message from <[hidden email]> to:
-> [hidden email]
 
was considered unsolicited bulk e-mail (UBE).
 
Our internal reference code for your message is 11071-05/EVdi7Wo0zW8o
 
The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.
 
We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases of UBE some balance
between losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on both sides.
 
First upstream SMTP client IP address: [187.13.204.132]
According to a 'Received:' trace, the message originated at: [187.13.204.132],
  18713204132.user.veloxzone.com.br unknown [187.13.204.132]
 
Return-Path: <[hidden email]>
Message-ID: <[hidden email]>
Subject: Dear [hidden email] 82% 0FF on PFIZER !
 
Non-encoded 8-bit data (char AE hex): From: VIAGRA \256 Official Site [...]
 

Delivery of the email was stopped!
 
------------=_1260546601-11071-0
Content-Type: message/delivery-status; name="dsn_status"
Content-Disposition: inline; filename="dsn_status"
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report
 
Reporting-MTA: dns; server.example.org
Received-From-MTA: smtp; server.example.org ([127.0.0.1])
Arrival-Date: Fri, 11 Dec 2009 10:50:00 -0500 (EST)
 
Original-Recipient: rfc822;[hidden email]
Final-Recipient: rfc822;[hidden email]
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=11071-05 - SPAM
Last-Attempt-Date: Fri, 11 Dec 2009 10:50:00 -0500 (EST)
Final-Log-ID: 11071-05/EVdi7Wo0zW8o
 
------------=_1260546601-11071-0
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 8bit
Content-Description: Message header section
 
Return-Path: <[hidden email]>
Received: from 18713204132.user.veloxzone.com.br (unknown [187.13.204.132])
 by server.example.org (Postfix) with SMTP id D382C7D0E
 for <[hidden email]>; Fri, 11 Dec 2009 10:49:35 -0500 (EST)
From: VIAGRA ® Official Site <[hidden email]>
To: <[hidden email]>
Subject: Dear [hidden email] 82% 0FF on PFIZER !
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <[hidden email]>
Date: Fri, 11 Dec 2009 10:49:35 -0500 (EST)
 
------------=_1260546601-11071-0--

Re: Bounce at SMTPD level

Noel Jones-2
In reply to this post by Thomas Bolioli
On 12/11/2009 12:53 PM, Thomas Bolioli wrote:
> This is an interesting. You are saying run amavisd as an MTA in between
> postfix and the sending MTA to reject the spammy/virus messages inbound
> and then send off to postfix everything else for delivery. What happens
> to non deliverables? They will make it through the first transaction. Or
> does amavisd reference postfix's configuration at all?
> Thanks,
> Tom

Please don't top-post.

The suggestions are to use an smtpd_proxy_filter (amavisd-new
works well for this), or a milter that supports spamd (google
for "spamd milter" for a hundred choices).  Either of these
approaches will allow postfix to reject unknown users and the
filter to reject unwanted mail during the SMTP transaction.

Reading the documentation should answer most of your questions.
http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/MILTER_README.html

From an external viewpoint, there is no difference between
using a milter or a postfix smtpd_proxy_filter -- they offer
identical end results.  Which one you choose depends more on
what filter software you want to use and which configuration
you're more comfortable with rather than technical merits.

You can also integrate clamav into the filter to reject
viruses.  If you do use clamav, I highly recommend the
Sanesecurity add-on signatures to detect phish and spam.
http://www.sanesecurity.com/usage.htm

   -- Noel Jones

Re: Bounce at SMTPD level

Thomas Bolioli


Noel Jones wrote:

> On 12/11/2009 12:53 PM, Thomas Bolioli wrote:
>> This is an interesting. You are saying run amavisd as an MTA in between
>> postfix and the sending MTA to reject the spammy/virus messages inbound
>> and then send off to postfix everything else for delivery. What happens
>> to non deliverables? They will make it through the first transaction. Or
>> does amavisd reference postfix's configuration at all?
>> Thanks,
>> Tom
>
> Please don't top-post.
>
> The suggestions are to use an smtpd_proxy_filter (amavisd-new works
> well for this), or a milter that supports spamd (google for "spamd
> milter" for a hundred choices).  Either of these approaches will allow
> postfix to reject unknown users and the filter to reject unwanted mail
> during the SMTP transaction.
>
> Reading the documentation should answer most of your questions.
> http://www.postfix.org/SMTPD_PROXY_README.html
> http://www.postfix.org/MILTER_README.html
>
> From an external viewpoint, there is no difference between using a
> milter or a postfix smtpd_proxy_filter -- they offer identical end
> results.  Which one you choose depends more on what filter software
> you want to use and which configuration you're more comfortable with
> rather than technical merits.
>
> You can also integrate clamav into the filter to reject viruses.  If
> you do use clamav, I highly recommend the Sanesecurity add-on
> signatures to detect phish and spam.
> http://www.sanesecurity.com/usage.htm
>
>   -- Noel Jones

Thank you for the help.  

Re: Bounce at SMTPD level

Ralf Hildebrandt
In reply to this post by Thomas Bolioli
* Thomas Bolioli <[hidden email]>:

> This is an interesting. You are saying run amavisd as an MTA in
> between postfix and the sending MTA to reject the spammy/virus
> messages inbound and then send off to postfix everything else for
> delivery. What happens to non deliverables? They will make it through
> the first transaction. Or does amavisd reference postfix's
> configuration at all?

Postfix doesn't accept mail to non-existing recipients by default.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Bounce at SMTPD level

Wietse Venema
Ralf Hildebrandt:

> * Thomas Bolioli <[hidden email]>:
>
> > This is an interesting. You are saying run amavisd as an MTA in
> > between postfix and the sending MTA to reject the spammy/virus
> > messages inbound and then send off to postfix everything else for
> > delivery. What happens to non deliverables? They will make it through
> > the first transaction. Or does amavisd reference postfix's
> > configuration at all?
>
> Postfix doesn't accept mail to non-existing recipients by default.

The OP does not understand that Postfix rejects non-existent recipients
BEFORE it hands the mail to the content filter.

Perhaps a picture clarifies the situation:
http://www.postfix.org/SMTPD_PROXY_README.html

        Wietse
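
A master.cf sketch of the before-queue arrangement discussed in this thread, laid out as in the SMTPD_PROXY_README linked above. This is an added example, not configuration posted by any participant; the ports 10025/10026 and the process limits are assumed values, and the amavisd.conf lines in the closing comment are an assumed matching filter setup.

```conf
# /etc/postfix/master.cf  (added example; ports and limits are assumed values)
#
# Before-filter SMTP server: the Internet-facing listener.
# smtpd applies its own access checks first, so unknown recipients are
# rejected at RCPT TO and never reach the filter. Mail that passes is
# relayed in-session to the content filter on 127.0.0.1:10025. If the
# filter answers 5xx after end-of-DATA, smtpd hands that reply to the
# remote client, so the sending MTA (not this host) notifies the sender.
# The process limit (20) is kept low because every open session also
# occupies a filter process; this is the load concern raised above.
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10
#
# After-filter SMTP server: loopback only, receives what the filter let
# through and queues it. Checks already done by the first smtpd are
# switched off; only connections from localhost are accepted.
127.0.0.1:10026 inet n  -       n       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
#
# Matching filter side, assuming amavisd-new (amavisd.conf, Perl syntax):
#   $inet_socket_port   = 10025;                     # listen for the first smtpd
#   $forward_method     = 'smtp:[127.0.0.1]:10026';  # hand clean mail back
#   $final_spam_destiny = D_REJECT;  # answer 5xx in-session; D_BOUNCE would
#                                    # instead send a DSN to the envelope sender
```

Run `postfix check` and `postfix reload` after editing, then confirm from an outside host that a test message the filter scores as spam is refused with a 5xx reply inside the SMTP session and that no delivery status notification is generated locally.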