Specifying a transport for bounce messages

Specifying a transport for bounce messages

Jose Maria Sanchez de Ocana
My expertise with email servers & protocols is very limited. That
being said, here is a problem I've been dealing with for a few hours
now without finding a suitable solution:

I run a box in Amazon's EC2, and I use postfix. In order to avoid
being marked as a SPAM source because of EC2's IPs being dynamically
assigned, I use AuthSMTP as a relay for my outbound email. My setup
pretty much matches what is described at http://is.gd/3Qfay .

Actually this is not true for ALL outbound emails. I actually love
Gmail as a MUA, so I have most of my own domain's email accounts
mapped to gmail accounts. For example, all incoming emails for my
account [hidden email] are forwarded to [hidden email] .

Thus, in order to save AuthSMTP quota, and since Gmail servers deal
correctly with EC2 IPs (they don't take them for SPAM sources), I
actually use the transport_maps directive as follows:

[/etc/postfix/main.cf]:
transport_maps = hash:/etc/postfix/transport

[/etc/postfix/transport]:
# Syntax: .domain transport:relay_host
gmail.com       smtp:
*               :

If I got it right, this causes all emails bound for gmail.com accounts
to be sent directly by postfix via SMTP, whereas all other emails will
be sent through the AuthSMTP relay.

OK, so now here is my problem: When my postfix receives a SPAM message
bound for one of my accounts, this email is forwarded to gmail's SMTP
server directly. But then gmail's SPAM filter rejects this message and
here starts my problem. AFAIK what postfix should do is bounce the
message to the SPAM source address.

But according to my transport file, unless the SPAM source address is
a gmail account, postfix will attempt to send the bounce through my
AuthSMTP relay, and my AuthSMTP quota gets quickly exhausted with all
these SPAM bounce messages.

What I have done is I have included the following line in my main.cf file:
soft_bounce = yes

This prevents the bounces from being sent through AuthSMTP, but I can see
them getting stacked in postfix's queue:

root@mydomain:/etc/postfix# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
233898A289    16603 Thu Oct  1 12:04:31  [hidden email]
(host gmail-smtp-in.l.google.com[209.85.212.99] said: 552-5.7.0 Our
system detected an illegal attachment on your message. Please
552-5.7.0 visit
http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
review our attachment guidelines. 39si713908vws.28 (in reply to end of
DATA command))
                                         [hidden email]

A04908A222    68107 Thu Oct  1 11:42:23  [hidden email]
(host gmail-smtp-in.l.google.com[209.85.212.20] said: 552-5.7.0 Our
system detected an illegal attachment on your message. Please
552-5.7.0 visit
http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
review our attachment guidelines. 28si15619914vws.148 (in reply to end
of DATA command))
                                         [hidden email]


I understand that this is not a real fix, and that after a time limit
(default 5 days, I believe), postfix will eventually try to send those
bounces through AuthSMTP anyway.

Any ideas on how I should deal with these SPAM bounces in order to
preserve my AuthSMTP quota?
Is there any way I could force postfix to send bounces directly via
SMTP instead of looking at my transport table?

Many thanks,
Jose

Re: Specifying a transport for bounce messages

Wietse Venema
Jose Maria Sanchez de Ocana:
> OK, so now here is my problem: When my postfix receives a SPAM message
> bound for one of my accounts, this email is forwarded to gmail's SMTP
> server directly. But then gmail's SPAM filter rejects this message and
> here starts my problem. AFAIK what postfix should do is bounce the
> message to the SPAM source address.

The REAL mistake in your setup is that you forward SPAM into gmail.
This causes gmail to treat your machine as a SPAMMER, and may affect
legitimate mail that you do want to receive.

You must NEVER bounce SPAM to the sender address, because in most
cases that is not the sender.

        Wietse

Specifying a transport for bounce messages

Stan Hoeppner
Wietse Venema put forth on 10/1/2009 12:34 PM:

> The REAL mistake in your setup is that you forward SPAM into gmail.
> This causes gmail to treat your machine as a SPAMMER, and may affect
> legitimate mail that you do want to receive.

110% correct.

> You must NEVER bounce SPAM to the sender address, because in most
> cases that is not the sender.

Exactly.  Most MAIL FROM: addresses in spam are forged.  Bouncing spam
messages after you receive them merely creates outscatter
http://en.wikipedia.org/wiki/Backscatter_(e-mail), and makes your MX a
spam source in the eyes of receivers.  You need to reject all spam (or
as much as possible) at the inbound SMTP stage on your Postfix MX.

Welcome to the world of spam fighting Jose.  It's probably as important
as any other aspect of running an MX host in 2009 and beyond.  You need
to implement some basic anti spam/UCE controls on your Postfix MX asap.
Adding the following to your main.cf and restarting Postfix would be a
good place to start immediately:

disable_vrfy_command = yes

smtpd_client_restrictions =
        reject_unknown_reverse_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com

This is just a basic setup and will help kill most of the spam you're
currently receiving.  As time passes and more spammers get ahold of the
email addresses at your domain, you'll need to implement additional
measures.  There is plenty of Postfix antispam/UCE documentation
available on the Postfix website and other places easily found with
Google.  There are also many antispam mailing lists you could join to
gain knowledge and experience on the subject as well.  Probably the
first thing you should look at implementing is Postgrey:
http://postgrey.schweikert.ch/

If you can, install the version available through your operating
system's package management system, instead of manually installing all
the components from the Postgrey website.

Hope this gets you off to a good start.

--
Stan
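
Added example, not part of any post in this thread: a Python parser for mailq output in the shape quoted in the first message, which picks out the queue entries that the next hop refused with a permanent 5xx reply. Those are the entries that turn into bounces to a probably forged envelope sender once soft_bounce is switched off or the queue lifetime expires. The sample queue, the function names and the one-reason-per-entry simplification are assumptions of this example.

```python
import re

# Constructed sample shaped like the mailq output quoted in the first post;
# queue IDs, addresses and IPs are placeholders, not values from the thread.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AAAA000001    16603 Thu Oct  1 12:04:31  forged-sender@example.net
(host gmail-smtp-in.l.google.com[192.0.2.10] said: 552-5.7.0 Our system
detected an illegal attachment (in reply to end of DATA command))
                                         mailbox@gmail.com

BBBB000002     2048 Thu Oct  1 12:10:02  friend@example.org
(connect to mx.example.com[192.0.2.25]:25: Connection timed out)
                                         someone@example.com

-- 18 Kbytes in 2 Requests.
"""

HEAD = re.compile(r"^(?P<qid>[0-9A-Za-z]+)[*!]?\s+(?P<size>\d+)\s+"
                  r"(?P<when>\w{3} \w{3}\s+\d+ [\d:]{8})\s+(?P<sender>\S+)$")
REPLY = re.compile(r"said: (\d{3})[ -]")   # first SMTP reply code quoted by Postfix


def parse_mailq(text):
    """Return one dict per queue entry (assumes a single delay reason each)."""
    entries, block = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("-"):               # column header and summary line
            continue
        if line.strip():
            block.append(line.strip())
            continue
        m = HEAD.match(block[0]) if block else None
        if m:
            rest = " ".join(block[1:])         # undo line wrapping of the reason
            lo, hi = rest.find("("), rest.rfind(")")
            reason = rest[lo + 1:hi] if 0 <= lo < hi else ""
            code = REPLY.search(reason)
            entries.append({**m.groupdict(), "reason": reason,
                            "code": int(code.group(1)) if code else None,
                            "recipients": rest[hi + 1:].split()})
        block = []
    return entries


def backscatter_candidates(entries):
    """Entries refused with a permanent (5xx) reply by the next hop."""
    return [e for e in entries if e["code"] and 500 <= e["code"] <= 599]
```

Run parse_mailq() over the text printed by mailq on the host and pass the result to backscatter_candidates(); entries deferred for local or network reasons, such as the timeout in the sample, are left out.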