How to setup a no-answer email properly

How to setup a no-answer email properly

Dirk Stöcker
Hello,

I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened, that
they simply did reply by mail which won't work with this instance.

Now I changed our setup a bit

In postfix main.cf:
smtpd_recipient_restrictions = ...check_recipient_access hash:/etc/postfix/recipient_access...

and
recipient_access:
[hidden email] reject This trac does not have an e-mail input functionality.

This works like a charm, but then today something new did pop up. Sender
verify. It seems there are mail servers outside which connect back to the
original server and check for errors:

     550-Verification failed for <[hidden email]> 550-Previous
     (cached) callout verification failure 550 Sender verify failed (in reply to
     RCPT TO command)

This prevents to notify them completely, as their servers won't accept any
mail from the ticket system. Turning off that feature I'd need to manually
inform mail senders again which I want to prevent.

Is there any solution to satisfy the "no-reply" mail address feature and
these sender verifiers. They don't actually send a mail, so maybe my
reject can come a bit later in the mail receiving process?

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: How to setup a no-answer email properly

Wietse Venema
Dirk Stöcker:

> Hello,
>
> I'm operating a bug tracker which sends out emails to participants
> notifying of ticket changes. For new submitters it often happened, that
> they simply did reply by mail which won't work with this instance.
>
> Now I changed our setup a bit
>
> In postfix main.cf:
> smtpd_recipient_restrictions = ...check_recipient_access hash:/etc/postfix/recipient_access...
>
> and
> recipient_access:
> [hidden email] reject This trac does not have an e-mail input functionality.
>
> This works like a charm, but then today something new did pop up. Sender
> verify. It seems there are mail servers outside which connect back to the
> original server and check for errors:
>
>      550-Verification failed for <[hidden email]> 550-Previous
>      (cached) callout verification failure 550 Sender verify failed (in reply to
>      RCPT TO command)
>
> This prevents to notify them completely, as their servers won't accept any
> mail from the ticket system. Turning off that feature I'd need to manually
> inform mail senders again which I want to prevent.
>
> Is there any solution to satisfy the "no-reply" mail address feature and
> these sender verifiers. They don't actually send a mail, so maybe my
> reject can come a bit later in the mail receiving process?

Whitelist the address up-stream:

    ....
    reject_unauth_destination
    check_recipient_access inline:{[hidden email]=permit}
    reject_unverified_recipient
    ....

or the equivalent idiom for a non-Postfix system that makes the callout.

        Wietse

Re: How to setup a no-answer email properly

Dirk Stöcker
On Sat, 18 Mar 2017, Wietse Venema wrote:

>> I'm operating a bug tracker which sends out emails to participants
>> notifying of ticket changes. For new submitters it often happened, that
>> they simply did reply by mail which won't work with this instance.
>>
>> Now I changed our setup a bit
>>
>> In postfix main.cf:
>> smtpd_recipient_restrictions = ...check_recipient_access hash:/etc/postfix/recipient_access...
>>
>> and
>> recipient_access:
>> [hidden email] reject This trac does not have an e-mail input functionality.
>>
>> This works like a charm, but then today something new did pop up. Sender
>> verify. It seems there are mail servers outside which connect back to the
>> original server and check for errors:
>>
>>      550-Verification failed for <[hidden email]> 550-Previous
>>      (cached) callout verification failure 550 Sender verify failed (in reply to
>>      RCPT TO command)
>>
>> This prevents to notify them completely, as their servers won't accept any
>> mail from the ticket system. Turning off that feature I'd need to manually
>> inform mail senders again which I want to prevent.
>>
>> Is there any solution to satisfy the "no-reply" mail address feature and
>> these sender verifiers. They don't actually send a mail, so maybe my
>> reject can come a bit later in the mail receiving process?
>
> Whitelist the address up-stream:
>
>    ....
>    reject_unauth_destination
>    check_recipient_access inline:{[hidden email]=permit}
>    reject_unverified_recipient
>    ....
>
> or the equivalent idiom for a non-Postfix system that makes the callout.

You mean on the receivers side? I don't have control over their systems.
I can change only the sending server. Maybe I've been unclear? The error
message is an excerpt from the local postfix for an email I sent - Here's
the full text:

<[hidden email]>: host mail.remotemail.tld[X.X.X.X] said:
     550-Verification failed for <[hidden email]> 550-Called:
     Y.Y.Y.Y 550-Sent:     RCPT TO:<[hidden email]>
     550-Response: 554 5.7.1 <[hidden email]>: Recipient address
     rejected: THis trac does not have an e-mail input functionality. 550 Sender
     verify failed (in reply to RCPT TO command)

or in a second mail

<[hidden email]>: host mail.remotemail.org[X.X.X.X] said:
     550-Verification failed for <[hidden email]> 550-Previous
     (cached) callout verification failure 550 Sender verify failed (in reply to
     RCPT TO command)

I got two rejects, because I did not properly handle mail rejects for this
address (all the others had an owner-xxx, except this one :-(. That should
be fixed now.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: How to setup a no-answer email properly

Wietse Venema
Dirk Stöcker:
> <[hidden email]>: host mail.remotemail.tld[X.X.X.X] said:
>      550-Verification failed for <[hidden email]> 550-Called:
>      Y.Y.Y.Y 550-Sent:     RCPT TO:<[hidden email]>
>      550-Response: 554 5.7.1 <[hidden email]>: Recipient address
>      rejected: THis trac does not have an e-mail input functionality. 550 Sender
>      verify failed (in reply to RCPT TO command)

Options:

- On your side, don't reject RCPT TO for the no-reply address.

- On your side, add a telepathic policy service that can distinguish
between RCPT TO to verify an address, and RCPT to deliver mail.

smtpd_recipient_restrictions =
    ....
    reject_unauth_destination
    check_policy_service unix:/some/where/telepathic-service
    check_recipient_access inline:{
        { [hidden email] = reject this address does not receive email }
    }

        Wietse

Re: [SPAM?] Re: How to setup a no-answer email properly

Richard Damon
On 3/18/17 11:39 AM, Wietse Venema wrote:

> Dirk Stöcker:
>> <[hidden email]>: host mail.remotemail.tld[X.X.X.X] said:
>>       550-Verification failed for <[hidden email]> 550-Called:
>>       Y.Y.Y.Y 550-Sent:     RCPT TO:<[hidden email]>
>>       550-Response: 554 5.7.1 <[hidden email]>: Recipient address
>>       rejected: THis trac does not have an e-mail input functionality. 550 Sender
>>       verify failed (in reply to RCPT TO command)
> Options:
>
> - On your side, don't reject RCPT TO for the no-reply address.
>
> - On your side, add a telepathic policy service that can distinguish
> between RCPT TO to verify an address, and RCPT to deliver mail.
>
> smtpd_recipient_restrictions =
>      ....
>      reject_unauth_destination
>      check_policy_service unix:/some/where/telepathic-service
>      check_recipient_access inline:{
>          { [hidden email] = reject this address does not receive email }
>      }
>
> Wietse
>
Couldn't you do something where you accept at the RCPT TO, and then
reject at End of Data having it just reject everything as spam?


--
Richard Damon


Re: How to setup a no-answer email properly

Dirk Stöcker
On Sat, 18 Mar 2017, Richard Damon wrote:

>>  - On your side, don't reject RCPT TO for the no-reply address.
>>
>>  - On your side, add a telepathic policy service that can distinguish
>>  between RCPT TO to verify an address, and RCPT to deliver mail.
>>
>>  smtpd_recipient_restrictions =
>>       ....
>>       reject_unauth_destination
>>       check_policy_service unix:/some/where/telepathic-service
>>       check_recipient_access inline:{
>>           { [hidden email] = reject this address does not receive email }
>>       }
>>
>>   Wietse
>>
> Couldn't you do something where you accept at the RCPT TO, and then reject at
> End of Data having it just reject everything as spam?

http://www.postfix.org/SMTPD_PROXY_README.html

When it's even possible to check spam without generating a bounce message,
why do I need telepathy to reject a mail for a known situation in a later
stage of mail delivery?

It is a bit of overkill to write a filter for that. I hoped there would be
an easier way.

Could it work to "Configure the Postfix SMTP pass-through proxy feature"
with the after filter SMTP server being directly the target (i.e. omitting
the filter) and putting the recipient reject on this one instead of the
initial connect?

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: How to setup a no-answer email properly

Wietse Venema
Dirk Stöcker:

> On Sat, 18 Mar 2017, Richard Damon wrote:
>
> >>  - On your side, don't reject RCPT TO for the no-reply address.
> >>
> >>  - On your side, add a telepathic policy service that can distinguish
> >>  between RCPT TO to verify an address, and RCPT to deliver mail.
> >>
> >>  smtpd_recipient_restrictions =
> >>       ....
> >>       reject_unauth_destination
> >>       check_policy_service unix:/some/where/telepathic-service
> >>       check_recipient_access inline:{
> >>           { [hidden email] = reject this address does not receive email }
> >>       }
> >>
> >>   Wietse
> >>
> > Couldn't you do something where you accept at the RCPT TO, and then reject at
> > End of Data having it just reject everything as spam?

Rejecting mail for a do-not-reply address at DATA or end-of-data?
That might work, but keep in mind that this rejects mail for all
recipients of the message, not just the do-not-reply address.

        Wietse

Re: How to setup a no-answer email properly

Peter Ajamian
In reply to this post by Dirk Stöcker
On 19/03/17 02:26, Dirk Stöcker wrote:

> Hello,
>
> I'm operating a bug tracker which sends out emails to participants
> notifying of ticket changes. For new submitters it often happened, that
> they simply did reply by mail which won't work with this instance.
>
> Now I changed our setup a bit
>
> In postfix main.cf:
> smtpd_recipient_restrictions = ...check_recipient_access
> hash:/etc/postfix/recipient_access...
>
> and
> recipient_access:
> [hidden email] reject This trac does not have an e-mail input functionality.
>
> This works like a charm, but then today something new did pop up. Sender
> verify. It seems there are mail servers outside which connect back to
> the original server and check for errors:
>
>     550-Verification failed for <[hidden email]> 550-Previous
>     (cached) callout verification failure 550 Sender verify failed (in reply to
>     RCPT TO command)

I would move your check_recipient_access to smtpd_data_restrictions,
then it should work that it will not reject until the DATA command, but
servers performing address verification will have bailed by that point.
So you end up rejecting actual messages but not verification probes.


Peter
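
Added example, not part of the original thread and not Postfix code: a toy SMTP receiver in Python that models refusing the no-reply address at RCPT TO versus at DATA, as suggested in the post above, and the side effect Wietse mentions for messages with several recipients. All addresses and reply texts are constructed, and the class models only the protocol stages, not how Postfix evaluates its restriction lists.

```python
# Toy SMTP receiver (a model, not Postfix): shows how the stage at which the
# no-reply address is refused affects callout probes and real deliveries.
NOREPLY = "noreply@tracker.example"  # constructed placeholder address

class ToyReceiver:
    def __init__(self, reject_stage):  # reject_stage: "rcpt" or "data"
        self.reject_stage = reject_stage
        self.rcpts = []

    def command(self, line):
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            self.rcpts = []
            return "250 2.1.0 Ok"
        if verb == "RCPT TO":
            addr = arg.strip().strip("<>").lower()
            if addr == NOREPLY and self.reject_stage == "rcpt":
                return "554 5.7.1 Recipient address rejected"
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            # DATA gets a single reply, so a refusal here hits every recipient.
            if self.reject_stage == "data" and NOREPLY in self.rcpts:
                return "554 5.7.1 Recipient address rejected"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 2.0.0 Bye" if verb == "QUIT" else "502 5.5.2 Unknown command"

def callout_verifies(receiver, address):
    """Verification probe: asks about the address, then leaves before DATA."""
    receiver.command("MAIL FROM:<probe@remote.example>")  # constructed sender
    reply = receiver.command(f"RCPT TO:<{address}>")
    receiver.command("QUIT")
    return reply.startswith("250")

def deliver(receiver, sender, recipients):
    """Real delivery attempt: returns the recipients the message was accepted for."""
    receiver.command(f"MAIL FROM:<{sender}>")
    ok = [r for r in recipients if receiver.command(f"RCPT TO:<{r}>").startswith("250")]
    return ok if ok and receiver.command("DATA").startswith("354") else []

if __name__ == "__main__":
    for stage in ("rcpt", "data"):
        print(stage, callout_verifies(ToyReceiver(stage), NOREPLY),
              deliver(ToyReceiver(stage), "user@remote.example",
                      [NOREPLY, "admin@tracker.example"]))
```
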

Re: How to setup a no-answer email properly

Mike Guelfi
In reply to this post by Dirk Stöcker
If people want to use a non RFC compliant verification system, then  
they're going to have problems with false positives on their spam  
filter.

The operative word being: they.

Your customer needs to get their email vendor to whitelist your trac  
instance. You don't need to do anything....

--
Mike.

Quoting Dirk Stöcker <[hidden email]>:

> On Sat, 18 Mar 2017, Richard Damon wrote:
>
>>> - On your side, don't reject RCPT TO for the no-reply address.
>>>
>>> - On your side, add a telepathic policy service that can distinguish
>>> between RCPT TO to verify an address, and RCPT to deliver mail.
>>>
>>> smtpd_recipient_restrictions =
>>>      ....
>>>      reject_unauth_destination
>>>      check_policy_service unix:/some/where/telepathic-service
>>>      check_recipient_access inline:{
>>>          { [hidden email] = reject this address does not receive email }
>>>      }
>>>
>>>  Wietse
>>>
>> Couldn't you do something where you accept at the RCPT TO, and then  
>> reject at End of Data having it just reject everything as spam?
>
> http://www.postfix.org/SMTPD_PROXY_README.html
>
> When it's even possible to check spam without generating a bounce  
> message, why do I need telepathy to reject a mail for a known  
> situation in a later stage of mail delivery?
>
> It is a bit of overkill to write a filter for that. I hoped there  
> would be an easier way.
>
> Could it work to "Configure the Postfix SMTP pass-through proxy  
> feature" with the after filter SMTP server being directly the target  
> (i.e. omitting the filter) and putting the recipient reject on this  
> one instead of the initial connect?
>
> Ciao
> --
> http://www.dstoecker.eu/ (PGP key available)
>
>



Cheers,

--
Mike.


Re: How to setup a no-answer email properly

Dirk Stöcker
In reply to this post by Peter Ajamian
On Sun, 19 Mar 2017, Peter wrote:

> I would move your check_recipient_access to smtpd_data_restrictions,
> then it should work that it will not reject until the DATA command, but
> servers performing address verification will have bailed by that point.
> So you end up rejecting actual messages but not verification probes.

Thanks. Seems to work without negative side effects (till the
communication to the next strange configured system happens :-).

The "keep in mind that this rejects mail for all recipients of the
message" comment by Wietse is not an issue here, as there are no valid
other addresses at the same server. Only admin and standard accounts. And
I have no problem when they would get rejected if they are addressed
together with the message to the no-answer mail-address.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: How to setup a no-answer email properly

Dirk Stöcker
In reply to this post by Mike Guelfi
On Tue, 21 Mar 2017, Mike Guelfi wrote:

> If people want to use a non RFC compliant verification system, then they're
> going to have problems with false positives on their spam filter.
>
> The operative word being: they.
>
> Your customer needs to get their email vendor to whitelist your trac
> instance. You don't need to do anything....

In real world that does not work. In the last time I looked deeper into
DMARC and sent some failure descriptions about bad DMARC setups. My
success rate ATM is 1:10 - means one postmaster answered and fixed his
setup afterwards. If I had sent 50 mails I assume my success rate would be
1:50.

But if you are willing to volunteer - you can start with AT&T or
Microsoft. They have blocking on large network segments and each
mailserver needs to individually register with them to send mail. Please
convince them to use proper systems instead.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)