Question about address verification in MX2 when primary MX is down...

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

Question about address verification in MX2 when primary MX is down...

Santiago Romero-2

 Hi!.

 I have a secondary MX server and I'm trying to configure it to "check"
recipient addresses against primary SMTP servers to reject emails
directed to non existing addresses.

I've read the following:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

 So I added this to my main.cf:

address_verify_map = btree:/var/lib/postfix/verify
address_verify_positive_refresh_time = 14d

 and:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policy-spf,
    reject_unverified_recipient,         <--------------- This
    permit

 This works nicely when MX1 servers are working and answering RCPT-TO
checks, but then I asked ... what happens if my server can't reach the
primary MX (server stopped, misconfiguration, power outage...) ?

 In that case my server reacts rejecting ALL email because if cannot be
verified with "Recipient address rejected: unverified address: Address
verification in progress".

 Is it possible to change behaviour to ACCEPT all email when the primary
MX cannot be contacted for address verification?. I mean:

- If MX can be contacted -> check it and reject if 550.
- If MX cannot be contacted -> just accept it.

 This machine is a secondary MX server for some domains so I'm supposed
to accept email for them when they are not available...

 I'm using postfix 2.5.1 .

 Thanks a lot, and sorry if this is a very obvious question...


--
Santiago Romero

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Brian Evans - Postfix List
Santiago Romero wrote:

>
> This works nicely when MX1 servers are working and answering RCPT-TO
> checks, but then I asked ... what happens if my server can't reach the
> primary MX (server stopped, misconfiguration, power outage...) ?
>
> In that case my server reacts rejecting ALL email because if cannot be
> verified with "Recipient address rejected: unverified address: Address
> verification in progress".
>
> Is it possible to change behaviour to ACCEPT all email when the
> primary MX cannot be contacted for address verification?. I mean:
If you want this behavior,  do not use reject_unverified*.
Instead, use a relay_recipient_maps that can be checked locally.

Postfix will then know the mail is valid and will queue the mail for
when the primary *is* available.
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Charles Marcus
In reply to this post by Santiago Romero-2
On 8/3/2009, Santiago Romero ([hidden email]) wrote:
> This works nicely when MX1 servers are working and answering RCPT-TO
> checks, but then I asked ... what happens if my server can't reach
> the primary MX (server stopped, misconfiguration, power outage...) ?
>
> In that case my server reacts rejecting ALL email because if cannot
> be verified with "Recipient address rejected: unverified address:
> Address verification in progress".

Unless you have a really good reason, you'd be much better off just
losing the MX2, and let smtp work as designed (retries if the primary is
down)...

The only time I personally would try to keep a secondary is if my
primary was prone to going down for extended lengths of time - but of
course it woul dbe better to solve that problem (worst case, host with
someone more reliable) than put a band-aid on it...

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Santiago Romero-2
In reply to this post by Brian Evans - Postfix List

> If you want this behavior,  do not use reject_unverified*.
> Instead, use a relay_recipient_maps that can be checked locally.
>  

 Hi.

 This server is a secondary MX server for our customers. Those customers
have their own "private" primary MX servers, so It's not possible for me
to have a local database of "existing accounts".

 That's why I wanted to use reject_unverified_recipient, to let postfix
guess if an account is valid or not using RCPT TO. And this behaviour is
perfect, except when primary MX doesn't answer. It would be really
perfect to be able to force postfix to accept the incoming emails when
the dest address cannot be validated...

> Unless you have a really good reason, you'd be much better off just
> losing the MX2,

 Customers paying for "MX BACKUP SERVER" service is a good reason to not loose MX2 :-)

 Really, reject_unverified_recipient feature is very nice, but rejecting all mail when primary MX doesn't answers breaks it for us :(

 Any idea? :?


Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Mikael Bak
Santiago Romero wrote:
>
> Really, reject_unverified_recipient feature is very nice, but rejecting
> all mail when primary MX doesn't answers breaks it for us :(
>
> Any idea? :?
>

Hi,

Quoting the documentation[1]:

"The unverified_recipient_defer_code parameter (default 450) specifies
the numerical Postfix SMTP server reply code when a recipient address
probe fails with some temporary error. Some sites insist on changing
this into 250. NOTE: This change turns MX servers into backscatter
sources when the load is high."

So you are not rejecting any email if the MX is down. You are just
delaying reject or accept until the MX is asked if there is such user or
not. We're very happy with this over here.

HTH,
Mikael

[1] http://www.postfix.org/ADDRESS_VERIFICATION_README.html
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Brian Evans - Postfix List
Mikael Bak wrote:

> Santiago Romero wrote:
>  
>> Really, reject_unverified_recipient feature is very nice, but rejecting
>> all mail when primary MX doesn't answers breaks it for us :(
>>
>> Any idea? :?
>>    
>
> Hi,
>
> Quoting the documentation[1]:
>
> "The unverified_recipient_defer_code parameter (default 450) specifies
> the numerical Postfix SMTP server reply code when a recipient address
> probe fails with some temporary error. Some sites insist on changing
> this into 250. NOTE: This change turns MX servers into backscatter
> sources when the load is high."
>
> So you are not rejecting any email if the MX is down. You are just
> delaying reject or accept until the MX is asked if there is such user or
> not. We're very happy with this over here.
>  

No, you are not "delaying reject".
You are bouncing and possibly BackSattering because you really don't
know if the recipient is valid.

Many, many envelope recipients are forged these days.
So you end up bouncing to the wrong place and sending spam to a 3rd party.

A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
If it doesn't retry, it's usually a bot and bad for your health.

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Mikael Bak
Brian Evans - Postfix List wrote:

> Mikael Bak wrote:
>> Santiago Romero wrote:
>>  
>>> Really, reject_unverified_recipient feature is very nice, but rejecting
>>> all mail when primary MX doesn't answers breaks it for us :(
>>>
>>> Any idea? :?
>>>    
>> Hi,
>>
>> Quoting the documentation[1]:
>>
>> "The unverified_recipient_defer_code parameter (default 450) specifies
>> the numerical Postfix SMTP server reply code when a recipient address
>> probe fails with some temporary error. Some sites insist on changing
>> this into 250. NOTE: This change turns MX servers into backscatter
>> sources when the load is high."
>>
>> So you are not rejecting any email if the MX is down. You are just
>> delaying reject or accept until the MX is asked if there is such user or
>> not. We're very happy with this over here.
>>  
>
> No, you are not "delaying reject".
> You are bouncing and possibly BackSattering because you really don't
> know if the recipient is valid.
>
> Many, many envelope recipients are forged these days.
> So you end up bouncing to the wrong place and sending spam to a 3rd party.
>
> A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
> If it doesn't retry, it's usually a bot and bad for your health.
>

Hi Brian,
Well, thank you for sharing this with me.

IMO this setup does not bounce as you say, it sends a "450 Address
verification in progress. Try later.". When the client tries next time
there is either an OK the address exists, or a 550 User does not exist.

Maybe I don't understand what you try to say. I just don't see why this
would generate bounces or backscatter.

Mikael

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Brian Evans - Postfix List
Mikael Bak wrote:

> Brian Evans - Postfix List wrote:
>  
>> Mikael Bak wrote:
>>    
>>> Santiago Romero wrote:
>>>  
>>>      
>>>> Really, reject_unverified_recipient feature is very nice, but rejecting
>>>> all mail when primary MX doesn't answers breaks it for us :(
>>>>
>>>> Any idea? :?
>>>>    
>>>>        
>>> Hi,
>>>
>>> Quoting the documentation[1]:
>>>
>>> "The unverified_recipient_defer_code parameter (default 450) specifies
>>> the numerical Postfix SMTP server reply code when a recipient address
>>> probe fails with some temporary error. Some sites insist on changing
>>> this into 250. NOTE: This change turns MX servers into backscatter
>>> sources when the load is high."
>>>
>>> So you are not rejecting any email if the MX is down. You are just
>>> delaying reject or accept until the MX is asked if there is such user or
>>> not. We're very happy with this over here.
>>>  
>>>      
>> No, you are not "delaying reject".
>> You are bouncing and possibly BackSattering because you really don't
>> know if the recipient is valid.
>>
>> Many, many envelope recipients are forged these days.
>> So you end up bouncing to the wrong place and sending spam to a 3rd party.
>>
>> A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
>> If it doesn't retry, it's usually a bot and bad for your health.
>>
>>    
>
> Hi Brian,
> Well, thank you for sharing this with me.
>
> IMO this setup does not bounce as you say, it sends a "450 Address
> verification in progress. Try later.". When the client tries next time
> there is either an OK the address exists, or a 550 User does not exist.
>
> Maybe I don't understand what you try to say. I just don't see why this
> would generate bounces or backscatter.
>
> Mikael
>
>  
I was referring to the "change to 250" that was quoted.
I inferred that was the advice being given.

If this was incorrect, then, yes, it is just fine to use.
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Mikael Bak
Brian Evans - Postfix List wrote:

> Mikael Bak wrote:
>> Brian Evans - Postfix List wrote:
>>  
>>> Mikael Bak wrote:
>>>    
>>>> Santiago Romero wrote:
>>>>  
>>>>      
>>>>> Really, reject_unverified_recipient feature is very nice, but rejecting
>>>>> all mail when primary MX doesn't answers breaks it for us :(
>>>>>
>>>>> Any idea? :?
>>>>>    
>>>>>        
>>>> Hi,
>>>>
>>>> Quoting the documentation[1]:
>>>>
>>>> "The unverified_recipient_defer_code parameter (default 450) specifies
>>>> the numerical Postfix SMTP server reply code when a recipient address
>>>> probe fails with some temporary error. Some sites insist on changing
>>>> this into 250. NOTE: This change turns MX servers into backscatter
>>>> sources when the load is high."
>>>>
>>>> So you are not rejecting any email if the MX is down. You are just
>>>> delaying reject or accept until the MX is asked if there is such user or
>>>> not. We're very happy with this over here.
>>>>  
>>>>      
>>> No, you are not "delaying reject".
>>> You are bouncing and possibly BackSattering because you really don't
>>> know if the recipient is valid.
>>>
>>> Many, many envelope recipients are forged these days.
>>> So you end up bouncing to the wrong place and sending spam to a 3rd party.
>>>
>>> A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
>>> If it doesn't retry, it's usually a bot and bad for your health.
>>>
>>>    
>> Hi Brian,
>> Well, thank you for sharing this with me.
>>
>> IMO this setup does not bounce as you say, it sends a "450 Address
>> verification in progress. Try later.". When the client tries next time
>> there is either an OK the address exists, or a 550 User does not exist.
>>
>> Maybe I don't understand what you try to say. I just don't see why this
>> would generate bounces or backscatter.
>>
>> Mikael
>>
>>  
> I was referring to the "change to 250" that was quoted.
> I inferred that was the advice being given.
>
> If this was incorrect, then, yes, it is just fine to use.

Hi Brian,
I knew that we were misunderstanding eachother. :-)

So to clarify. We have the unverified_recipient_defer_code parameter set
to its default (450).

Mikael
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Santiago Romero-2
In reply to this post by Mikael Bak

> Hi,
>
> Quoting the documentation[1]:
>
> "The unverified_recipient_defer_code parameter (default 450) specifies
> the numerical Postfix SMTP server reply code when a recipient address
> probe fails with some temporary error. Some sites insist on changing
> this into 250. NOTE: This change turns MX servers into backscatter
> sources when the load is high."
>
>  

 So, do you mean that changing this parameter to 250 would make postfix
to accept the email?

 Thanks a lot.

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Mikael Bak
Santiago Romero wrote:

>
>> Hi,
>>
>> Quoting the documentation[1]:
>>
>> "The unverified_recipient_defer_code parameter (default 450) specifies
>> the numerical Postfix SMTP server reply code when a recipient address
>> probe fails with some temporary error. Some sites insist on changing
>> this into 250. NOTE: This change turns MX servers into backscatter
>> sources when the load is high."
>>
>>  
>
> So, do you mean that changing this parameter to 250 would make postfix
> to accept the email?
>

Hi,

No. You should leave this parameter in its default value.

I realize now that I shouldn't have quoted the entire piece from the
documentation, only the relevant part. You're not the only one who
misinterpreted my post. Sorry for that.

I only wanted to quote this:

"The unverified_recipient_defer_code parameter (default 450) specifies
the numerical Postfix SMTP server reply code when a recipient address
probe fails with some temporary error."

This is the relevant part, and answers the question you had. Everything
else is irrelevant - and as Brian Evans ponted out earlier (and the
documentation too), setting this parameter to 250 will generate bounces
and backscatter. And that is very bad!

Using "reject_unverified_recipient" should produce the behaviour you are
asking for. I also set "unverified_recipient_reject_code = 550". This
makes postfix permanently reject when the recipient address is confirmed
 not existing.

When postfix does not know it'll reject the connection with a 450 (or
whatever unverified_recipient_defer_code is set to), which should be
fine for most cases.

When the address is confirmed to exist, everything is cool and mail is
accepted.

Maybe I should add that I use Postfix v2.6.2 just in case there are
differences in default values between versions.

HTH,
Mikael

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Noel Jones-2
In reply to this post by Santiago Romero-2
Santiago Romero wrote:

>
>> Hi,
>>
>> Quoting the documentation[1]:
>>
>> "The unverified_recipient_defer_code parameter (default 450) specifies
>> the numerical Postfix SMTP server reply code when a recipient address
>> probe fails with some temporary error. Some sites insist on changing
>> this into 250. NOTE: This change turns MX servers into backscatter
>> sources when the load is high."
>>
>>  
>
> So, do you mean that changing this parameter to 250 would make postfix
> to accept the email?
>
> Thanks a lot.
>

Yes, that's what the docs say.
450 = default, defer mail if the address can't be verified.
250 = if the address can't be verified, accept it anyway. Not
recommended.

   -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Charles Marcus
In reply to this post by Mikael Bak
On 8/5/2009, Mikael Bak ([hidden email]) wrote:
>> So, do you mean that changing this parameter to 250 would make postfix
>> to accept the email?

> No.

Actually, the answer to his question is yes.

> You should leave this parameter in its default value.

Correct - but he specifically asked if he CHANGED this to 250 - which
means it accepted the mail...

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Mikael Bak
Charles Marcus wrote:

> On 8/5/2009, Mikael Bak ([hidden email]) wrote:
>>> So, do you mean that changing this parameter to 250 would make postfix
>>> to accept the email?
>
>> No.
>
> Actually, the answer to his question is yes.
>
>> You should leave this parameter in its default value.
>
> Correct - but he specifically asked if he CHANGED this to 250 - which
> means it accepted the mail...
>

Charles,

You are right. I was too much into his original question about how he
could get the functionality he originally asked for.

Mikael

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Santiago Romero-2
In reply to this post by Noel Jones-2

>
> Yes, that's what the docs say.
> 450 = default, defer mail if the address can't be verified.
> 250 = if the address can't be verified, accept it anyway. Not
> recommended.

 So, summarizing. (And, please, correct me before doing a wrong change
in my config file):

 My current server now is a backscatter source, because it accepts mail
to ANY recipient address for the domains listed in relay_domains
(domains I'm work as a secondary MX for).

 By adding the following to my main.cf, I'll check RCPT TO addresses
against primary MX, except when PRIMARY MX doesn't answer. In that case,
I'll accept any destination for my relay_domains list, just like I was
doing before adding those lines:

address_verify_map = btree:/var/lib/postfix/verify
address_verify_positive_refresh_time = 14d
unverified_recipient_defer_code = 250

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    (...)
    reject_unverified_recipient,
    permit


 If the above is true, I'm in a "better" state than before: when the
primary MX works, I reject "non existing accounts", and when it does not
work, I accept ALL (as I was doing).

 Is that right?

 Thanks.

Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Charles Marcus
On 8/6/2009, Santiago Romero ([hidden email]) wrote:
> By adding the following to my main.cf, I'll check RCPT TO addresses
> against primary MX, except when PRIMARY MX doesn't answer. In that case,
> I'll accept any destination for my relay_domains list, just like I was
> doing before adding those lines:
>
> address_verify_map = btree:/var/lib/postfix/verify
> address_verify_positive_refresh_time = 14d
> unverified_recipient_defer_code = 250

You are correct, but this is NOT the recommended way...

Don't change the unverified_recipient_defer_code to 250... leave it at
its default 450. This way you will not be a backscatter source ever, and
the worst that will happen if their primary MX is down is some mail
might be delayed a little.

Also, if I'm understanding the way this works correctly, you can also
use the address_verify_map parameter to cache hits (both negative and
positive), which will allow you to continue accepting mail for
recipients who are still in the cache even if the primary MX is down.

http://postfix.mirrorspace.org/postconf.5.html#address_verify_map

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Aaron Wolfe
On Thu, Aug 6, 2009 at 8:39 AM, Charles Marcus<[hidden email]> wrote:

> On 8/6/2009, Santiago Romero ([hidden email]) wrote:
>> By adding the following to my main.cf, I'll check RCPT TO addresses
>> against primary MX, except when PRIMARY MX doesn't answer. In that case,
>> I'll accept any destination for my relay_domains list, just like I was
>> doing before adding those lines:
>>
>> address_verify_map = btree:/var/lib/postfix/verify
>> address_verify_positive_refresh_time = 14d
>> unverified_recipient_defer_code = 250
>
> You are correct, but this is NOT the recommended way...
>
> Don't change the unverified_recipient_defer_code to 250... leave it at
> its default 450. This way you will not be a backscatter source ever, and
> the worst that will happen if their primary MX is down is some mail
> might be delayed a little.
>

Which is also exactly what would happen if they didn't pay this guy
for a backup MX.
He's looking for some way to think his service has value, and doesn't
mind being a
nuisance by backscattering so long as he can make a buck.

lame.

> Also, if I'm understanding the way this works correctly, you can also
> use the address_verify_map parameter to cache hits (both negative and
> positive), which will allow you to continue accepting mail for
> recipients who are still in the cache even if the primary MX is down.
>
> http://postfix.mirrorspace.org/postconf.5.html#address_verify_map
>
> --
>
> Best regards,
>
> Charles
>
Reply | Threaded
Open this post in threaded view
|

Re: Question about address verification in MX2 when primary MX is down...

Charles Marcus
On 8/6/2009 12:29 PM, Aaron Wolfe wrote:
>>>> address_verify_map = btree:/var/lib/postfix/verify
>>>> address_verify_positive_refresh_time = 14d
>>>> unverified_recipient_defer_code = 250

>>> You are correct, but this is NOT the recommended way...
>>>
>>> Don't change the unverified_recipient_defer_code to 250... leave it at
>>> its default 450. This way you will not be a backscatter source ever, and
>>> the worst that will happen if their primary MX is down is some mail
>>> might be delayed a little.

>> Also, if I'm understanding the way this works correctly, you can also
>> use the address_verify_map parameter to cache hits (both negative and
>> positive), which will allow you to continue accepting mail for
>> recipients who are still in the cache even if the primary MX is down.
>>
>> http://postfix.mirrorspace.org/postconf.5.html#address_verify_map

> Which is also exactly what would happen if they didn't pay this guy
> for a backup MX.

I know... ;)

> He's looking for some way to think his service has value, and doesn't
> mind being a nuisance by backscattering so long as he can make a
> buck.

Well, as long as he uses the address_verify_maps and caches, he could
add a little value (accept a lot of the messages that would otherwise be
deferred).

Also, his server is the internet facing one, so the target of any attack
(maybe he has big iron and security experts on staff).

--

Best regards,

Charles