Communication between Postfix and Dovecot LDA

Communication between Postfix and Dovecot LDA

Daniel Ryšlink
Hello,

I am trying to solve a problem with error mails clogging my queue on a
system with the following components:

Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue
-> Dovecot LDA

The system also handles outgoing mail for non-local users, for any mail
address not found in a table of local users, Postfix just tries to
deliver it according to the MX records.

However, the Postfix handling the incoming messages for local users
(before DSpam) has incomplete information whether the local delivery
will be successful. I would like to immediately reject mails for
mailboxes that are full, for example, but the Postfix does not have this
information. That means that the mail is initially accepted, passed to
DSpam, and only the Dovecot LDA finds out that the mailbox is full, and
generates an error mail message, that is often not deliverable and clogs
the mailqueue.

I would like to reject as many mails as possible during the initial SMTP
session, as a part of the "check_recipient_access" phase. Is there any
way for Postfix to ask dovecot-lda "Will you be able to locally deliver
a message to this user"? I have read dovecot-lda man page, but did not
find any option of "dry" or test delivery. I understand that Postfix can
use a "policy server" - an external script or daemon that could query
dovecot for this information, but so far I have failed to find a proper
way to query dovecot to find out if a specific mail would be deliverable.

I know I will be probably referred to Dovecot mailing lists, but I
thought some of you could know the answer.

Thank you in advance for any hint or advice.

--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
[hidden email]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

Re: Communication between Postfix and Dovecot LDA

Christian Kivalo
On 2017-09-18 14:21, Daniel Ryšlink wrote:

> Hello,
>
> I am trying to solve a problem with error mails clogging my queue on a
> system with the following components:
>
> Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue
> -> Dovecot LDA
>
> The system also handles outgoing mail for non-local users, for any
> mail address not found in a table of local users, Postfix just tries
> to deliver it according to the MX records.
>
> However, the Postfix handling the incoming messages for local users
> (before DSpam) has incomplete information whether the local delivery
> will be successful. I would like to immediately reject mails for
> mailboxes that are full, for example, but the Postfix does not have
> this information. That means that the mail is initially accepted,
> passed to DSpam, and only the Dovecot LDA finds out that the mailbox
> is full, and generates an error mail message, that is often not
> deliverable and clogs the mailqueue.
>
> I would like to reject as many mails as possible during the initial
> SMTP session, as a part of the "check_recipient_access" phase. Is
> there any way for Postfix to ask dovecot-lda "Will you be able to
> locally deliver a message to this user"? I have read dovecot-lda man
> page, but did not find any option of "dry" or test delivery. I
> understand that Postfix can use a "policy server" - an external script
> or daemon that could query dovecot for this information, but so far I
> have failed to find a proper way to query dovecot to find out if a
> specific mail would be deliverable.
Dovecot provides a quota service, a policy service that can be used by
postfix.

Take a look at the dovecot wiki for the quota service:
https://wiki2.dovecot.org/Quota

From the wiki:
Quota service

The quota service allows postfix to check quota before delivery:

service quota-status {
     executable = quota-status -p postfix
     inet_listener {
         port = 12340
         # You can choose any port you want
     }
     client_limit = 1
}

And then have postfix check_policy_service check that:

smtpd_recipient_restrictions =
     ...
     check_policy_service inet:mailstore.example.com:12340

For more about this service see
https://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/


> I know I will be probably referred to Dovecot mailing lists, but I
> thought some of you could know the answer.
>
> Thank you in advance for any hint or advice.

--
  Christian Kivalo
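
The check_policy_service line above makes Postfix speak its policy delegation protocol to the quota-status listener: name=value lines ended by a blank line, answered with a single action= line. As an added example (not part of the original thread and not Dovecot's or Postfix's own code), this small client sends the same kind of request by hand so the listener can be checked before Postfix depends on it; the recipient address is a placeholder, the host and port are the ones from the post.

```python
import socket

REJECTING = {"REJECT", "DEFER", "DEFER_IF_PERMIT", "DEFER_IF_REJECT"}

def build_request(recipient, size=0):
    """Serialize the attributes smtpd sends at RCPT TO; a blank line ends the request."""
    if any(c in recipient for c in "\r\n"):
        raise ValueError("recipient must not contain line breaks")
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("recipient", recipient),
        ("size", str(size)),  # message size in bytes, 0 when unknown
    ]
    return "".join(f"{k}={v}\n" for k, v in attrs).encode() + b"\n"

def parse_response(raw):
    """Return (action, accepted) from a reply such as b'action=DUNNO\\n\\n'."""
    attrs = dict(l.split("=", 1) for l in raw.decode().splitlines() if "=" in l)
    action = attrs.get("action", "").strip()
    if not action:
        raise ValueError("policy reply carried no action= attribute")
    verb = action.split()[0].upper()
    is_smtp_error = len(verb) == 3 and verb.isdigit() and verb[0] in "45"
    return action, not (is_smtp_error or verb in REJECTING)

def exchange(sock, recipient, size=0):
    """Send one request on a connected socket and read until the blank line."""
    sock.sendall(build_request(recipient, size))
    buf = b""
    while b"\n\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return parse_response(buf)

def query_policy(host, port, recipient, size=0, timeout=5.0):
    """Connect to the inet_listener and ask about one recipient."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return exchange(sock, recipient, size)

if __name__ == "__main__":
    # Placeholder mailbox; host and port 12340 are the ones used in the thread.
    print(query_policy("mailstore.example.com", 12340, "user@example.com"))
```

A 4xx or 5xx action means Postfix would refuse the recipient during the SMTP session, so no bounce is generated later by the LDA.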
Re: Communication between Postfix and Dovecot LDA

Daniel Ryšlink
Thank you very much, this is most useful.

One more question, if I may - besides full mailboxes, there is also a
problem with domain aliases containing non-existent mailboxes.

For example, I have this definition in virtual_mailbox_domains:

@prefix.domain.com            @domain.com

That means mail to [hidden email] is delivered to [hidden email].

However, if [hidden email] does not exist, the Postfix that handles
incoming mail accepts the mail, passes it to DSpam, and only Dovecot-lda
finds out that the actual mailbox does not exist, and an error mail is
generated.

I would like to limit backscatter mail generated by my server, because I
have found out that there are attacks employing bogus domains that put
the target machine into their MX records and then send mails from these
bogus domains to users with full mailboxes, etc, which results in
flooding of the target server with backscatter mail.

So, is there a way for the postfix to determine that a particular
mailbox @prefix.domain.com will accept the incoming mail, before it
accepts the mail and hands it over to DSpam?

I am sorry, I have the feeling that I have overlooked something basic
here, but I have spent much time on this problem, and I promise this is
my last question regarding the topic.

Thank you very much in advance for any hints.

--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
[hidden email]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

On 18.9.2017 14:31, Christian Kivalo wrote:

> On 2017-09-18 14:21, Daniel Ryšlink wrote:
>> Hello,
>>
>> I am trying to solve a problem with error mails clogging my queue on a
>> system with the following components:
>>
>> Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue
>> -> Dovecot LDA
>>
>> The system also handles outgoing mail for non-local users, for any
>> mail address not found in a table of local users, Postfix just tries
>> to deliver it according to the MX records.
>>
>> However, the Postfix handling the incoming messages for local users
>> (before DSpam) has incomplete information whether the local delivery
>> will be successful. I would like to immediately reject mails for
>> mailboxes that are full, for example, but the Postfix does not have
>> this information. That means that the mail is initially accepted,
>> passed to DSpam, and only the Dovecot LDA finds out that the mailbox
>> is full, and generates an error mail message, that is often not
>> deliverable and clogs the mailqueue.
>>
>> I would like to reject as many mails as possible during the initial
>> SMTP session, as a part of the "check_recipient_access" phase. Is
>> there any way for Postfix to ask dovecot-lda "Will you be able to
>> locally deliver a message to this user"? I have read dovecot-lda man
>> page, but did not find any option of "dry" or test delivery. I
>> understand that Postfix can use a "policy server" - an external script
>> or daemon that could query dovecot for this information, but so far I
>> have failed to find a proper way to query dovecot to find out if a
>> specific mail would be deliverable.
> Dovecot provides a quota service, a policy service that can be used by
> postfix.
>
> Take a look at the dovecot wiki for the quota service:
> https://wiki2.dovecot.org/Quota
>
> From the wiki:
> Quota service
>
> The quota service allows postfix to check quota before delivery:
>
> service quota-status {
>     executable = quota-status -p postfix
>     inet_listener {
>         port = 12340
>         # You can choose any port you want
>     }
>     client_limit = 1
> }
>
> And then have postfix check_policy_service check that:
>
> smtpd_recipient_restrictions =
>     ...
>     check_policy_service inet:mailstore.example.com:12340
>
> For more about this service see
> https://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
>
>
>> I know I will be probably referred to Dovecot mailing lists, but I
>> thought some of you could know the answer.
>>
>> Thank you in advance for any hint or advice.