How to have postfix not generate a bounce message when an email is rejected for a specific reason.


LaGatorVII
Ok here is the problem. My postfix server is the front end for 2 exchange servers running Symantec Mail Security with spam filtering. The most important thing is to cut down the spam as much as possible. We go to great pains to maintain a proper list of recipients so we don't have "User Unknown" bounce messages. The problem is that sometimes mail gets through the postfix filters, but then is rejected by the Exchange servers with the message "550 5.7.1 Requested action not taken: message refused". This will then generate a bounce to an email that, because it was spam in the first place, does not have a proper email server. So my deferred queue eventually gets huge.

To help stay on top of this issue, I have been manually making sure that both exchange servers are up and then running 'postsuper -d ALL deferred' on the postfix server to get rid of those bounces the server is constantly trying to send. I have figured out that there are about 25 per day. So if they stay in the queue after one week the server is constantly retrying to send 175 messages in addition to the normal load which is huge.

I see two possible solutions, both of which I am not savvy enough to do on my own:

1) Some setting or filter in Postfix to not generate a bounce message when an email is rejected for the above reason.

2) Some script to delete mail messages via a cron job if they include the above rejection reason. "550 5.7.1 Requested action not taken: message refused". I might be able to figure out a script that can delete the files at the file level but I am not sure what this would do to Postfix.

Please note that the Postfix server is locked down pretty good. All of the helo, sender and recipient restrictions are in place, as well as two RBL filters. It is just that about 25 times per day the Exchange servers are a little better at filtering, and we do not want those extra mails to get through to the users.

Any help is greatly appreciated. Thanks in advance.

Robert White

Re: How to have postfix not generate a bounce message when an email is rejected for a specific reason.

Heiko Wundram-8
On Wednesday 26 November 2008 18:15:05, LaGatorVII wrote:
> <snip>
> ...
> I see two possible solutions, both of which I am not savvy enough to do on
> my own:
>
> 1) Some setting or filter in Postfix to not generate a bounce message when
> an email is rejected for the above reason.

And what about a message being rejected by Exchange because the SPAM filtering
has failed (i.e., generated a false positive), being from a "correct" sender?
Refusing delivery (or bouncing) of a message is one thing, silently throwing
it away is another. Generally, you'll never, ever want to do this (and it
directly violates SMTP protocol and also [at least here in Germany] your
_legal_ obligations as a mail carrier AFAIK).

> 2) Some script to delete mail messages via a cron job if they include the
> above rejection reason. "550 5.7.1 Requested action not taken: message
> refused". I might be able to figure out a script that can delete the files
> at the file level but I am not sure what this would do to Postfix.

See above. Additionally, even if you only delete bounces after they are n
hours old, the bounce recipient might not have been reachable in that time
(greylisting with sav comes to mind), so you might also delete "good" bounces
(even though I personally find this approach to be better than the first, but
objectionable nevertheless).

> Please note that the Postfix server is locked down pretty good. All of the
> helo, sender and recipient restrictions are in place, as well as two RBL
> filters. It is just that about 25 times per day the Exchange servers are a
> little better at filtering, and we do not want those extra mails to get
> through to the users.

From what I can tell, your Postfix isn't locked down enough. The
implementation we run does all SPAM-filtering and content refusal directly at
entry (i.e., on the Postfix side, using amavis in combination with milter),
which then sends things on to the Exchange server(s) we maintain (and which
don't do any further content filtering of their own).

As the amavis integration into the Postfix delivery system is done using
milter, there is no problem refusing a message at EOM (which is not [easily]
possible in the case that you have a Dual-MTA setup [the amavis default for
Postfix], which is similar to your case with Postfix relaying to Exchange).

If you can't move the mail filtering infrastructure to the Postfix system
(i.e., to the initial mail dialog when you accept responsibility for the
message), the only sensible thing to do would be for the Exchange systems to
not reject the messages, but mark them as SPAM and then do server/client-side
filtering. From what you tell, the amount of SPAM that gets through is so
minimal (25 messages a day for I guess quite a lot of users), that explicitly
moving them to a spam folder for the user to decide what to do should be a
perfectly acceptable policy, and a policy that is in compliance with your
obligations.

HTH!

--
Heiko Wundram
Gehrkens.IT GmbH

FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Register court: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer

Re: How to have postfix not generate a bounce message when an email is rejected for a specific reason.

Victor Duchovni
On Wed, Nov 26, 2008 at 09:15:05AM -0800, LaGatorVII wrote:

>
> Ok here is the problem. My postfix server is the front end for 2 exchange
> servers running Symantec Mail Security with spam filtering. The most
> important thing is to cut down the spam as much as possible. We go to great
> pains to maintain a proper list of recipients so we don't have "User
> Unknown" bounce messages. The problem is that sometimes mail gets through
> the postfix filters, but then is rejected by the Exchange servers with the
> message "550 5.7.1 Requested action not taken: message refused" This will
> then generate a bounce to an email that, because it was spam in the first
> place does not have a proper email server. So my deferred queue eventually
> gets huge.
>
> To help stay on top of this issue, I have been manually making sure that
> both exchange servers are up and then running 'postsuper -d ALL deferred' on
> the postfix server to get rid of those bounces the server is constantly
> trying to send. I have figured out that there are about 25 per day. So if
> they stay in the queue after one week the server is constantly retrying to
> send 175 messages in addition to the normal load which is huge.

You can stop right there. 25 messages a day is insignificant. Don't
worry about it.

If you can, with reasonable effort, get the Internal servers to move
incoming junk into the Spam folder instead of refusing delivery, that's
what you should try and do. Otherwise, you are fine.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: How to have postfix not generate a bounce message when an email is rejected for a specific reason.

LaGatorVII
Thank you for your response. However, you didn't answer my question. Our server keeps mail for 14 days because it is a gateway for our customer's exchange servers. We WANT it that way so in the event of a server outage our server can keep the mail queued for the exchange servers until they get back up. Even with so few a day we get thousands of messages rejected for "message refused" in the deferred queue and postfix retries to send them like once per hour, wasting our precious colo bandwidth.

If you really want to help you can tell me if it will hurt anything, other than thinking we'll delete "good bounces" because only the spam filter uses this exact message and if it fails all messages are accepted by the server not rejected, to delete these mail files because I am now using the following script.

#!/bin/sh
#
cd /var/spool/postfix/deferred
find * | xargs grep -l "Requested action not taken: message refused" | xargs rm

Does it mess up Postfix if you manually delete files like this? Is there a command we can use to resync the queues if it does?

Thanks

Robert White

Re: How to have postfix not generate a bounce message when an email is rejected for a specific reason.

Victor Duchovni
On Fri, Nov 28, 2008 at 06:43:44AM -0800, LaGatorVII wrote:

>
> Thank you for your response. However you didn't answer my question. Our
> server keeps mail for 14 days because it is a gateway for our customer's
> exchange servers. We WANT it that way so in the event of a server outage our
> server can keep the mail queued for the exchange servers until they get back
> up. Even with so few a day we get thousands of messages rejected for
> "message refused" in the deferred queue and postfix retries to send them like
> once per hour wasting our precious colo bandwidth.

The bandwidth for refused recipients is negligible, and you can increase
your maximal_backoff_time to 2 or even 4 hours if you want to shave
off another factor of 2 or more.

> If you really want to help you can tell me if it will hurt anything, other
> than thinking we'll delete "good bounces" because only the spam filter uses
> this exact message and if it fails all messages are accepted by the server
> not rejected, to delete these mail files because I am now using the
> following script.

The correct solution is not to delete bounces, but to prevent them. Your
bounce delete logic will never be sufficiently precise to avoid harm.

The backlog you report is not significant. You can just ignore it, or take
action to reduce the quantity of mail rejected at the internal relays.

--
        Viktor.
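
Added example, not part of the thread and not code from any of its participants: a way to measure the deferred bounce backlog discussed above from `postqueue -p` output, without reading or touching files under /var/spool/postfix. It assumes the traditional `postqueue -p` text layout; the sample queue listing, queue IDs, hosts and addresses are constructed.

```shell
#!/bin/sh
# Added example: list deferred bounces from `postqueue -p` output.

# Constructed sample in the traditional `postqueue -p` text layout;
# queue IDs, hosts and addresses are made up.
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     2560 Wed Nov 26 18:20:11  MAILER-DAEMON
(connect to mx.spam.invalid[192.0.2.10]:25: Connection timed out)
                                         forged@spam.invalid

B2C3D4E5F6*    1843 Fri Nov 28 06:40:02  user@example.org
                                         staff@customer.example

C3D4E5F6A7     2611 Thu Nov 27 02:11:45  MAILER-DAEMON
(Host or domain name not found. Name service error for name=nx.invalid type=MX: Host not found, try again)
                                         fake@nx.invalid

D4E5F6A7B8     9120 Fri Nov 28 07:02:13  sender@example.net
(connect to exchange1.customer.example[192.0.2.20]:25: Connection refused)
                                         staff@customer.example

-- 16 Kbytes in 4 Requests.
EOF
}

# Queue IDs of deferred bounces: no '*' (active) or '!' (hold) mark after
# the ID, and the sender column shows MAILER-DAEMON (null envelope sender).
deferred_bounce_ids() {
    awk '/^[0-9A-Za-z]+ / && $NF == "MAILER-DAEMON" { print $1 }'
}

# One line per deferred bounce: ID, recipient, and why delivery is deferred.
deferred_bounce_report() {
    awk '
        /^[0-9A-Za-z]/ {                      # entry header line
            id = ""; reason = ""
            if ($0 ~ /^[0-9A-Za-z]+ / && $NF == "MAILER-DAEMON") id = $1
            next
        }
        id && /^\(/ { reason = substr($0, 2, length($0) - 2); next }
        id && /^[ \t]+[^ \t]/ { print id "\t" $1 "\t" reason; id = "" }
    '
}

sample_queue | deferred_bounce_report
```

On a live server the same functions read `postqueue -p` instead of the sample. The IDs printed by `deferred_bounce_ids` are in the form that `postsuper -d -` reads on standard input, which is the supported interface for removing queue entries.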
