[OT] postmaster@ for customers' domains?


[OT] postmaster@ for customers' domains?

Martin Strand-4
We're an email service provider hosting ~3000 domains. Customers can delegate their domains to our nameservers and administer email accounts with a web interface.

I figured it would be a good idea to reserve the postmaster@ and abuse@ addresses for hosted domains and forward them to our own postmaster account.

Now one of these customers wants to create a [hidden email] account and use it for his personal email...
I just want to ask what you guys think about this policy, am I just being silly when reserving these addresses in the customer's own domain? Should I drop that restriction and leave their domains alone?

Thanks,
Martin

Re: [OT] postmaster@ for customers' domains?

Gerald V. Livingston II-2
Martin Strand wrote:

> We're an email service provider hosting ~3000 domains. Customers can
> delegate their domains to our nameservers and administer email
> accounts with a web interface.
>
> I figured it would be a good idea to reserve the postmaster@ and
> abuse@ addresses for hosted domains and forward them to our own
> postmaster account.
>
> Now one of these customers wants to create a [hidden email]
> account and use it for his personal email... I just want to ask what
> you guys think about this policy, am I just being silly when
> reserving these addresses in the customer's own domain? Should I drop
> that restriction and leave their domains alone?
>
> Thanks, Martin

You need to tell the user to read RFC 2821 and get over it. "postmaster"
is not for personal mail.

Any system that includes an SMTP server supporting mail relaying or
    delivery MUST support the reserved mailbox "postmaster" as a case-
    insensitive local name.  This postmaster address is not strictly
    necessary if the server always returns 554 on connection opening (as
    described in section 3.1).  The requirement to accept mail for
    postmaster implies that RCPT commands which specify a mailbox for
    postmaster at any of the domains for which the SMTP server provides
    mail service, as well as the special case of "RCPT TO:<Postmaster>"
    (with no domain specification), MUST be supported.

As noted above, if the domain doesn't reserve the postmaster address
then it must return a 554 for every incoming connection and *NOT* accept
*ANY* mail for *ANY* address on the domain (eg. a smtp server intended
for use only on a private WAN could accept mail for its member cidr
ranges but must 554 all mail from outside unless postmaster is reserved
and working for its intended purpose).

Gerald

Re: [OT] postmaster@ for customers' domains?

Neil-16
In reply to this post by Martin Strand-4

On 7 Nov 2008, at 20:08, Martin Strand wrote:

> We're an email service provider hosting ~3000 domains. Customers can  
> delegate their domains to our nameservers and administer email  
> accounts with a web interface.
>
> I figured it would be a good idea to reserve the postmaster@ and  
> abuse@ addresses for hosted domains and forward them to our own  
> postmaster account.
>
> Now one of these customers wants to create a  
> [hidden email] account and use it for his personal email...
> I just want to ask what you guys think about this policy, am I just  
> being silly when reserving these addresses in the customer's own  
> domain? Should I drop that restriction and leave their domains alone?
>

In general, instead of reserving postmaster@domain and abuse@domain, I  
would instead set those mailboxes up with a BCC or similar to your own  
mailboxes.  Then if the customer wants to set them up for him/herself,  
they can.  If I were a customer of yours, I would want to be able to  
see what arrives at those mailboxes as well (for any number of reasons).

That said, a couple points:
1. I would advise your customer not to use postmaster@hisdomain as a  
personal mailbox.
2. If you do make the arrangement I recommend above, the fact that all  
his personal mail is going to your mailbox might be enough to dissuade  
him.

For all but one of your customers, the BCC-ing (or however you choose  
to do it) is a pure gain for them, since now they can do a little more  
than they could do before.  For this one customer...well, other people/
admins are going to treat the postmaster@domain as the postmaster  
address, regardless of how he decides to use it; and as a result, you  
are somewhat obligated to too.

Anyways...those are just my thoughts on the matter.  It's obviously up  
to you.

-Neil.




Re: [OT] postmaster@ for customers' domains?

Scott Kitterman-4
In reply to this post by Gerald V. Livingston II-2
On Fri, 07 Nov 2008 20:58:25 -0600 "Gerald V. Livingston II"
<[hidden email]> wrote:

>Martin Strand wrote:
>> We're an email service provider hosting ~3000 domains. Customers can
>> delegate their domains to our nameservers and administer email
>> accounts with a web interface.
>>
>> I figured it would be a good idea to reserve the postmaster@ and
>> abuse@ addresses for hosted domains and forward them to our own
>> postmaster account.
>>
>> Now one of these customers wants to create a [hidden email]
>> account and use it for his personal email... I just want to ask what
>> you guys think about this policy, am I just being silly when
>> reserving these addresses in the customer's own domain? Should I drop
>> that restriction and leave their domains alone?
>>
>> Thanks, Martin
>
>You need to tell the user to read RFC 2821 and get over it. "postmaster"
>is not for personal mail.
>
>Any system that includes an SMTP server supporting mail relaying or
>    delivery MUST support the reserved mailbox "postmaster" as a case-
>    insensitive local name.  This postmaster address is not strictly
>    necessary if the server always returns 554 on connection opening (as
>    described in section 3.1).  The requirement to accept mail for
>    postmaster implies that RCPT commands which specify a mailbox for
>    postmaster at any of the domains for which the SMTP server provides
>    mail service, as well as the special case of "RCPT TO:<Postmaster>"
>    (with no domain specification), MUST be supported.
>
>As noted above, if the domain doesn't reserve the postmaster address
>then it must return a 554 for every incoming connection and *NOT* accept
>*ANY* mail for *ANY* address on the domain (eg. a smtp server intended
>for use only on a private WAN could accept mail for its member cidr
>ranges but must 554 all mail from outside unless postmaster is reserved
>and working for its intended purpose).
>

Well yes, but whose domain is it?  

The domain owner is responsible for monitoring these addresses.  If the
domain owner chooses to delegate that responsibility to their domain host
and the domain host chooses to offer that service, I think
it's perfectly appropriate.  I think it's reasonable for a domain host to
insist that these addresses exist and be deliverable.  OTOH, if a provider
prevented me from controlling these addresses in my domains so I could
monitor postmaster/abuse, I'd definitely be cancelling my account.

If you choose to continue this policy it should be clearly explained in
your terms of service.

Scott K

Re: [OT] postmaster@ for customers' domains?

Martin Strand-4
In reply to this post by Gerald V. Livingston II-2
On Sat, 08 Nov 2008 03:58:25 +0100, Gerald V. Livingston II <[hidden email]> wrote:

> Martin Strand wrote:
>> We're an email service provider hosting ~3000 domains. Customers can
>> delegate their domains to our nameservers and administer email
>> accounts with a web interface.
>>
>> I figured it would be a good idea to reserve the postmaster@ and
>> abuse@ addresses for hosted domains and forward them to our own
>> postmaster account.
>>
>> Now one of these customers wants to create a [hidden email]
>> account and use it for his personal email... I just want to ask what
>> you guys think about this policy, am I just being silly when
>> reserving these addresses in the customer's own domain? Should I drop
>> that restriction and leave their domains alone?
>>
>> Thanks, Martin
>
> You need to tell the user to read RFC 2821 and get over it. "postmaster"
> is not for personal mail.
>
> Any system that includes an SMTP server supporting mail relaying or
>     delivery MUST support the reserved mailbox "postmaster" as a case-
>     insensitive local name.  This postmaster address is not strictly
>     necessary if the server always returns 554 on connection opening (as
>     described in section 3.1).  The requirement to accept mail for
>     postmaster implies that RCPT commands which specify a mailbox for
>     postmaster at any of the domains for which the SMTP server provides
>     mail service, as well as the special case of "RCPT TO:<Postmaster>"
>     (with no domain specification), MUST be supported.
>
> As noted above, if the domain doesn't reserve the postmaster address
> then it must return a 554 for every incoming connection and *NOT* accept
> *ANY* mail for *ANY* address on the domain (eg. a smtp server intended
> for use only on a private WAN could accept mail for its member cidr
> ranges but must 554 all mail from outside unless postmaster is reserved
> and working for its intended purpose).
>
> Gerald

Our customers are extremely non-technical (some believe the Internet is "that blue 'e' on the computer") so I have little hope in explaining why postmaster is a reserved mailbox. :)
This particular customer registered his domain somewhere else and now decided to switch to our services. His previous provider automatically created a postmaster@ account for him and he's been using it as his personal mailbox for years.

This was exactly what I was looking for:
"postmaster at any of the domains for which the SMTP server provides mail service, ..., MUST be supported."
So, I'll continue to monitor all postmaster mailboxes, even for customer domains.

Neil's bcc suggestion is definitely a better idea, but since I'm dealing with such non-technical customers they will likely never be interested in actual postmaster mail so I'll leave everything the way it is for now. Perhaps that'll have to change some day.


Thanks for your input guys!

Re: [OT] postmaster@ for customers' domains?

Stefan Foerster-2
In reply to this post by Martin Strand-4
* Martin Strand <[hidden email]> wrote:
> Now one of these customers wants to create a
> [hidden email] account and use it for his personal
> email...  I just want to ask what you guys think about this policy,
> am I just being silly when reserving these addresses in the
> customer's own domain? Should I drop that restriction and leave
> their domains alone?

Apart from the workarounds and valid concerns which were already
pointed out, for me, the main reason to avoid using the postmaster
localpart for personal mail is the special treatment it receives at
many sites:

I've made it a habit for systems I set up to drastically lower the
amount of filtering, both in terms of smtpd_mumble_restrictions and
content filtering, that postmaster and abuse addresses receive. After
all, postmaster is the address that other admins will use to contact
you if they have problems receiving mail from or sending it to your
system, so you don't want that address to receive your usual
filtering.

This has never been a problem for me because the amount of junk email
sent to postmaster and abuse is absolutely negligible. I don't want to
know what happens, though, if that address was used every day...


Ciao
Stefan
--
Stefan Förster     http://www.incertum.net/     Public Key: 0xBBE2A9E9
FdI #181: Internet - The Internet was predicted by the Prussian land
ordinance. (Federal Ministry of Justice staffer Dr. Matthias Korte interpreting
Federal Administrative Court judge Prof. Dr. Dr. Jörg Berkemann)

Re: [OT] postmaster@ for customers' domains?

mouss-2
In reply to this post by Martin Strand-4
Martin Strand wrote:
> Our customers are extremely non-technical (some believe the Internet is "that blue 'e' on the computer") so I have little hope in explaining why postmaster is a reserved mailbox. :)
> This particular customer registered his domain somewhere else and now decided to switch to our services. His previous provider automatically created a postmaster@ account for him and he's been using it as his personal mailbox for years.
>
> This was exactly what I was looking for:
> "postmaster at any of the domains for which the SMTP server provides mail service, ..., MUST be supported."
> So, I'll continue to monitor all postmaster mailboxes, even for customer domains.

why? if customer wants to monitor it, let him monitor it.

If we have a problem, we will lookup the IP and the corresponding whois
infos and will hopefully find you.

>
> Neil's bcc suggestion is definitely a better idea, but since I'm dealing with such non-technical customers they will likely never be interested in actual postmaster mail so I'll leave everything the way it is for now. Perhaps that'll have to change some day.
>

No. if customer uses it as a personal address, you should not read it,
bcc it, ... etc.



Re: [OT] postmaster@ for customers' domains?

Neil-16
On 8 Nov 2008, at 03:46, Stefan Förster wrote:
> This has never been a problem for me because the amount of junk email
> sent to postmaster and abuse is absolutely negligible. I don't want to
> know what happens, though, if that address was used every day...

I've noticed the same in the past, and it always puzzled me a  
little...  I suppose spamming the abuse/postmaster is a somewhat  
faster way to find oneself blacklisted; but on the other hand, I don't  
really understand why spammers would take the effort to avoid those  
addresses...after all, it's easier to guess "postmaster" and "abuse"
than the random letter/number strings I'm seeing in my mail logs.

On 8 Nov 2008, at 04:41, mouss wrote:

> Martin Strand wrote:
>>
>> Neil's bcc suggestion is definitely a better idea, but since I'm  
>> dealing with such non-technical customers they will likely never be  
>> interested in actual postmaster mail so I'll leave everything the  
>> way it is for now. Perhaps that'll have to change some day.
>
> No. if customer uses it as a personal address, you should not read  
> it, bcc it, ... etc.
>

I agree...with a caveat:

If the customer said, "Don't monitor postmaster & abuse for me, I'll handle
everything.", I think I would simply shrug and oblige the customer,  
after reminding him that we will have to part ways if he affects  
service for everyone else in some fashion (one scenario that comes to  
mind is an amateurish spammer).  And then I'd leave it to him, until  
there was a problem.  Hopefully, in this scenario, the customer has an  
idea of what he's doing, so I don't have to do it.

However, this customer does not sound like he knows what he's  
doing...if he did, I think he'd know not to use the postmaster address  
for personal mail (or if he didn't know better at the time, he  
would've migrated out of it by now).  As such, I would be inclined to  
want to continue monitoring his postmaster and abuse addresses (as if  
they weren't being used by him) because it will help me to help him if  
there's a problem, and he doesn't seem like he can handle it entirely  
on his own.

So, to that end, I would simply tell him that we've made it a general  
policy to do the BCC/monitoring thing on postmaster and abuse addresses
in the hope that, hearing that, he'll migrate away from using  
postmaster (and I would be happy to help him with that, setting up  
redirects/filters/etc.).  Basically, I'd be using a little social  
engineering; and perhaps it's a bit dirty to do so, but I think I could
sleep at night with that, since I think it would be in his best  
interest.  I wouldn't force the issue though; if he insisted, I'd be  
fine with letting him have his way.

But, to be clear, I'm not advocating monitoring his personal mailbox,  
whatever it may be.

Neil.

Re: [OT] postmaster@ for customers' domains?

Stefan Foerster-2
* Neil <[hidden email]> wrote:

> On 8 Nov 2008, at 03:46, Stefan Förster wrote:
>> This has never been a problem for me because the amount of junk email
>> sent to postmaster and abuse is absolutely negligible. I don't want to
>> know what happens, though, if that address was used every day...
>
> I've noticed the same in the past, and it always puzzled me a
> little...  I suppose spamming the abuse/postmaster is a somewhat
> faster way to find oneself blacklisted; but on the other hand, I don't
> really understand why spammers would take the effort to avoid those
> addresses...after all, it's easier to guess "postmaster" and "abuse"
> than the random letter/number strings I'm seeing in my mail logs.

I think that most of the people out there sending UBE/UCE want to make
money, but the folks reading postmaster@ and abuse@ are in general not
the ones who buy anything from spammers or get easily fooled by some
Nigerian scam. From a spammer's point of view, there is nothing to gain
by sending UBE/UCE to abuse@ and postmaster@.


Cheers
Stefan
--
Stefan Förster     http://www.incertum.net/     Public Key: 0xBBE2A9E9
25 signs that you are grown up, number 24:
You no longer drink at home to save money before you go out.

Re: [OT] postmaster@ for customers' domains?

Robert Schetterer
In reply to this post by Martin Strand-4
Martin Strand wrote:
> We're an email service provider hosting ~3000 domains. Customers can delegate their domains to our nameservers and administer email accounts with a web interface.
>
> I figured it would be a good idea to reserve the postmaster@ and abuse@ addresses for hosted domains and forward them to our own postmaster account.
>
> Now one of these customers wants to create a [hidden email] account and use it for his personal email...
> I just want to ask what you guys think about this policy, am I just being silly when reserving these addresses in the customer's own domain? Should I drop that restriction and leave their domains alone?
>
> Thanks,
> Martin

Hi Martin, we create postmaster, webmaster, hostmaster and abuse addresses
automatically at domain creation time as aliases to our hostmaster address,
but we allow changing these aliases, either in addition to
some domain mailboxes or for use entirely by their owner.
postfixadmin gives you good configuration choices for such stuff.

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: [OT] postmaster@ for customers' domains?

mouss-2
Robert Schetterer wrote:

> Martin Strand wrote:
>> We're an email service provider hosting ~3000 domains. Customers can delegate their domains to our nameservers and administer email accounts with a web interface.
>>
>> I figured it would be a good idea to reserve the postmaster@ and abuse@ addresses for hosted domains and forward them to our own postmaster account.
>>
>> Now one of these customers wants to create a [hidden email] account and use it for his personal email...
>> I just want to ask what you guys think about this policy, am I just being silly when reserving these addresses in the customer's own domain? Should I drop that restriction and leave their domains alone?
>>
>> Thanks,
>> Martin
>
> Hi Martin, we create postmaster, webmaster, hostmaster and abuse addresses
> automatically at domain creation time as aliases to our hostmaster address,
> but we allow changing these aliases, either in addition to
> some domain mailboxes or for use entirely by their owner.
> postfixadmin gives you good configuration choices for such stuff.
>


virtual_alias_maps =
        ...
        ...
        $builtin_valias


then set builtin_valias to define postmaster@ and abuse@ for the domains
you manage if they aren't listed in other virtual alias maps (the ones
listed before $builtin_valias).
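
An added example (not part of mouss's post or of Postfix itself): a Python model of the fallback ordering described above, where customer-defined aliases are searched first and a generated built-in table catches postmaster@ and abuse@ for any hosted domain that did not define them. It assumes exact full-address keys only (catch-all and address-extension lookups are not modelled); the table names, `hostmaster@provider.example` and the sample domains are hypothetical, constructed values.

```python
"""Model of first-match virtual alias lookup with a provider fallback table.

All data below is constructed for illustration; names are hypothetical.
"""

ROLE_LOCALPARTS = ("postmaster", "abuse")
PROVIDER_ROLE_ADDRESS = "hostmaster@provider.example"  # assumed provider mailbox

# Constructed sample: domains hosted by the provider.
HOSTED_DOMAINS = ["alpha.example", "beta.example", "gamma.example"]

# Constructed sample: aliases customers defined themselves (searched first).
CUSTOMER_VALIAS = {
    "Postmaster@Alpha.example": "owner@alpha.example",  # customer reads it himself
    "sales@beta.example": "bob@beta.example",
    "abuse@gamma.example": "noc@gamma.example",
}


def normalize(address):
    """Lower-case the address; "postmaster" is a case-insensitive local name."""
    return address.strip().lower()


def build_builtin_valias(domains, target=PROVIDER_ROLE_ADDRESS):
    """Fallback table: every role address of every hosted domain -> provider."""
    return {
        f"{local}@{normalize(domain)}": target
        for domain in domains
        for local in ROLE_LOCALPARTS
    }


def resolve(address, tables):
    """Return (table_name, target) from the first table that lists the address."""
    key = normalize(address)
    for name, table in tables:
        normalized = {normalize(k): v for k, v in table.items()}
        if key in normalized:
            return name, normalized[key]
    return None, None


def audit_role_addresses(domains, tables):
    """Map each role address to who receives it; flag ones nobody receives."""
    report = {}
    for domain in domains:
        for local in ROLE_LOCALPARTS:
            address = f"{local}@{normalize(domain)}"
            name, target = resolve(address, tables)
            report[address] = (name or "UNHANDLED", target)
    return report


def to_postfix_map(table):
    """Render a table as "key value" lines, the text form postmap(1) reads."""
    return "\n".join(f"{k} {v}" for k, v in sorted(table.items()))


if __name__ == "__main__":
    # Order matters: the customer table comes before the built-in fallback.
    tables = [
        ("customer", CUSTOMER_VALIAS),
        ("builtin", build_builtin_valias(HOSTED_DOMAINS)),
    ]
    report = audit_role_addresses(HOSTED_DOMAINS, tables)
    for address, (source, target) in report.items():
        print(f"{address:26} {source:9} -> {target}")
```

Running the audit with only the customer table shows which role addresses would go unread without the fallback, which is the case the provider has to cover.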



Re: [OT] postmaster@ for customers' domains?

j debert
In reply to this post by Stefan Foerster-2

Stefan Förster wrote:
|
| I think that most of the people out there sending UBE/UCE want to make
| money, but the folks reading postmaster@ and abuse@ are in general not
| the ones who buy anything from spammers or get easily fooled by some
| Nigerian scam. From a spammer's point of view, there is nothing to gain
| by sending UBE/UCE to abuse@ and postmaster@.

I disagree: Spammers, by and large, are agents, like legitimate
advertising agencies, selling their service to businesses seeking to
advertise. These agents don't care about whether anyone actually reads
the spam because they are paid for sending the ads, whether or not
they are delivered or read.

All-out war was threatened because spammers had targeted postmaster
and other admin addresses in the past. The spammers backed off and now
such addresses are generally considered untouchable.

==
jd
Once ... in the wilds of Afghanistan, I lost my corkscrew, and we were
forced to live on nothing but food and water for days.
~                -- W. C. Fields, "My Little Chickadee"


Re: [OT] postmaster@ for customers' domains?

Daniel V. Reinhardt
In reply to this post by Stefan Foerster-2



>
> * Neil wrote:
> > On 8 Nov 2008, at 03:46, Stefan Förster wrote:
> >> This has never been a problem for me because the amount of junk email
> >> sent to postmaster and abuse is absolutely negligible. I don't want to
> >> know what happens, though, if that address was used every day...
> >
> > I've noticed the same in the past, and it always puzzled me a
> > little...  I suppose spamming the abuse/postmaster is a somewhat
> > faster way to find oneself blacklisted; but on the other hand, I don't
> > really understand why spammers would take the effort to avoid those
> > addresses...after all, it's easier to guess "postmaster" and "abuse"
> > than the random letter/number strings I'm seeing in my mail logs.
>
> I think that most of the people out there sending UBE/UCE want to make
> money, but the folks reading postmaster@ and abuse@ are in general not
> the ones who buy anything from spammers or get easily fooled by some
> Nigerian scam. From a spammer's point of view, there is nothing to gain
> by sending UBE/UCE to abuse@ and postmaster@.
>
>
> Cheers
> Stefan


If a spammer can successfully send enough spam to system aliases, then they can effectively cause a system wide denial of service for email and other logging function as /var would be at capacity.  So spammers do have a lot to gain by spamming those mail boxes which is why you set up an email address to forward those emails to so your /var or your /mail/spool directories don't get full.





Re: [OT] postmaster@ for customers' domains?

Stefan Foerster-2
* "Daniel V. Reinhardt":

> Stefan Förster:
>> I think that most of the people out there sending UBE/UCE want to
>> make money, but the folks reading postmaster@ and abuse@ are in
>> general not the ones who buy anything from spammers or get easily
>> fooled by some Nigerian scam. From a spammer's point of view, there
>> is nothing to gain by sending UBE/UCE to abuse@ and postmaster@.
>
> If a spammer can successfully send enough spam to system aliases,
> then they can effectively cause a system wide denial of service for
> email and other logging function as /var would be at capacity.  So
> spammers do have a lot to gain by spamming those mail boxes which is
> why you set up an email address to forward those emails to so your
> /var or your /mail/spool directories don't get full.

Your logic is flawed: Causing a denial of service against your MTA
deters them from spamming your users.

Besides, the RFCs which require us to have postmaster and abuse
addresses don't require storage of those mails on the same filesystem
that holds our syslog data.


Cheers
Stefan
--
Stefan Förster     http://www.incertum.net/     Public Key: 0xBBE2A9E9
Service Pack 5 for Windows NT was successfully uninstalled. The current level
is now Service Pack 5.

Re: [OT] postmaster@ for customers' domains?

mouss-2
In reply to this post by Daniel V. Reinhardt
Daniel V. Reinhardt wrote:
>
> If a spammer can successfully send enough spam to system aliases, then they can effectively cause a system wide denial of service for email and other logging function as /var would be at capacity.  So spammers do have a lot to gain by spamming those mail boxes which is why you set up an email address to forward those emails to so your /var or your /mail/spool directories don't get full.


spammers don't want to DoS you (unless you cause them problems, in which
case they target you, but then postmaster and others are irrelevant as
there are more effective DoS attacks).

anyway, let's kill this thread now.

Re: [OT] postmaster@ for customers' domains?

Mark Goodge
In reply to this post by Martin Strand-4


Martin Strand wrote:
>
> Our customers are extremely non-technical (some believe the Internet
> is "that blue 'e' on the computer") so I have little hope in
> explaining why postmaster is a reserved mailbox. :) This particular
> customer registered his domain somewhere else and now decided to
> switch to our services. His previous provider automatically created a
> postmaster@ account for him and he's been using it as his personal
> mailbox for years.

That's fine. So long as postmaster@domain is being read by a human, then
the requirements are fulfilled. If the customer is happy to read it
himself, there's no reason not to let him.

Your responsibility, as the mailservice operator, is merely to ensure
that postmaster@domain is read by someone else if the customer doesn't
do it.

> This was exactly what I was looking for: "postmaster at any of the
> domains for which the SMTP server provides mail service, ..., MUST be
> supported." So, I'll continue to monitor all postmaster mailboxes,
> even for customer domains.

No, that's bad. If a customer wants to get his own postmaster and/or
abuse mail, then you should let him. There may well be reasons why they
need to - for example, if they are running an operation where they in
turn have downstream customers who may offend against the law or
netiquette and need to be able to respond to abuse reports promptly.
Don't restrict their ability to be a good internet citizen by
intercepting their mail unless they're happy for you to do so.

> Neil's bcc suggestion is definitely a better idea, but since I'm
> dealing with such non-technical customers they will likely never be
> interested in actual postmaster mail so I'll leave everything the way
> it is for now. Perhaps that'll have to change some day.

No. That's even worse. Other than where necessary for technical reasons
(eg, in order to resolve a problem reported by your customer), you
shouldn't be reading your customer's email.

Mark
--
http://mark.goodge.co.uk - my pointless blog
http://www.good-stuff.co.uk - my less pointless stuff