address verification and tarpitting

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

address verification and tarpitting

A. Schulze
Hello,

we're facing the following problem:
postfix is configured to verify recipient addresses. The backend servers are mostly Exchange in various versions.
Many of them use tarpitting. We guess that are default values.
The address probe sent by postfix receive a result after 5 seconds delay. reason: tarpitting.
Meanwhile postfix accept the message and we generate bounces later :-/
The next message to a - now known undeliverable - address is directly rejected by postfix. That's expected.

Does the parameter address_verify_poll_count and address_verify_poll_delay control these timings?
Looking at the defaults it matches perfect to the volume of affected messages here.

Am I right to interpret address_verify_poll_count=3 + address_verify_poll_delay=1 (under stress)
is to short for 5 seconds tarpitting? If so, what are the suggested changes?
I would try address_verify_poll_delay=2 first. 3x2 seconds = 6s > 5s tarpitting

Opinions?
Andreas
Reply | Threaded
Open this post in threaded view
|

Re: address verification and tarpitting

Wietse Venema
A. Schulze:
> Hello,
>
> we're facing the following problem:
> postfix is configured to verify recipient addresses. The backend servers are mostly Exchange in various versions.
> Many of them use tarpitting. We guess that are default values.
> The address probe sent by postfix receive a result after 5 seconds delay. reason: tarpitting.
> Meanwhile postfix accept the message and we generate bounces later :-/

That's because you configured it to accept mail.

http://www.postfix.org/postconf.5.html#unverified_recipient_tempfail_action
http://www.postfix.org/postconf.5.html#unverified_sender_tempfail_action

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: address verification and tarpitting

Viktor Dukhovni
In reply to this post by A. Schulze
On Wed, Oct 04, 2017 at 11:20:14PM +0200, A. Schulze wrote:

> We're facing the following problem:
> Postfix is configured to verify recipient addresses. The backend servers
> are mostly Exchange in various versions.

Do you administer them, or these customer operated servers?  Either
way, they need to whitelist your relay and not tarpit RCPT TO
commands you send.

> Many of them use tarpitting. We guess that are default values.

If you're providing a front-end inbound SMTP service to these
systems, then any tarpitting is up to you, and no further
tarpitting should happen downstream.  Work witht the Exchange
administrators to make it so.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: address verification and tarpitting

A. Schulze
In reply to this post by Wietse Venema

wietse:

> A. Schulze:
>> Hello,
>>
>> we're facing the following problem:
>> postfix is configured to verify recipient addresses. The backend  
>> servers are mostly Exchange in various versions.
>> Many of them use tarpitting. We guess that are default values.
>> The address probe sent by postfix receive a result after 5 seconds  
>> delay. reason: tarpitting.
>> Meanwhile postfix accept the message and we generate bounces later :-/
>
> That's because you configured it to accept mail.
>
> http://www.postfix.org/postconf.5.html#unverified_recipient_tempfail_action
> http://www.postfix.org/postconf.5.html#unverified_sender_tempfail_action
>
> Wietse

ok, thanks

I currently fail on reproducint the "error". Maybe because my server  
isn't under stress now.
May I force smtpd act with stress=1 for a specific smtp client?

@Viktor:
yes, you're right, our back-end servers shouldn't tarpitting our  
front-end servers.
but that's a long term goal and require reconfiguration on customers  
back-end servers...

Andreas



Reply | Threaded
Open this post in threaded view
|

Re: address verification and tarpitting

Wietse Venema
A. Schulze:

>
> wietse:
>
> > A. Schulze:
> >> Hello,
> >>
> >> we're facing the following problem:
> >> postfix is configured to verify recipient addresses. The backend  
> >> servers are mostly Exchange in various versions.
> >> Many of them use tarpitting. We guess that are default values.
> >> The address probe sent by postfix receive a result after 5 seconds  
> >> delay. reason: tarpitting.
> >> Meanwhile postfix accept the message and we generate bounces later :-/
> >
> > That's because you configured it to accept mail.
> >
> > http://www.postfix.org/postconf.5.html#unverified_recipient_tempfail_action
> > http://www.postfix.org/postconf.5.html#unverified_sender_tempfail_action
> >
> > Wietse
>
> ok, thanks
>
> I currently fail on reproducint the "error". Maybe because my server  
> isn't under stress now.
> May I force smtpd act with stress=1 for a specific smtp client?

SMTP server `stress' is a service feature, not a client feature.
You can offer customer-dependent MX service by using MX records
that resolve to different IP addresses.

> @Viktor:
> yes, you're right, our back-end servers shouldn't tarpitting our  
> front-end servers.
> but that's a long term goal and require reconfiguration on customers  
> back-end servers...

It all depends on who pays for it.

        Wietse