how to check email delivered via MX backup host

how to check email delivered via MX backup host

Jon LaBadie
When I try to block spam from repeaters, via access.db,
firewall, ... the first thing that happens is the blocked
mail gets delivered via my MX backup host.  Mail received
by this route does not seem to be checked against the
access database.

Is there something I'm not turning on to enable checks
of mail received via the MX backup host?

Jon
--
Jon H. LaBadie                 [hidden email]
 11226 South Shore Rd.          (703) 787-0688 (H)
 Reston, VA  20190              (703) 935-6720 (C)

Re: how to check email delivered via MX backup host

Dominic Raferd


On Sun, 31 Mar 2019 at 07:40, Jon LaBadie <[hidden email]> wrote:
> When I try to block spam from repeaters, via access.db,
> firewall, ... the first thing that happens is the blocked
> mail gets delivered via my MX backup host.  Mail received
> by this route does not seem to be checked against the
> access database.
>
> Is there something I'm not turning on to enable checks
> of mail received via the MX backup host?

I presume the MX backup host is a third party service not under your full control?

Does the MX backup host deliver to your primary host, and if so does it do so with authenticated access?

If the answer to both questions is yes, I suspect that your primary host is not applying the same anti-spam tests to connections with authenticated access as it applies to non-authenticated. This is a common set up but in your case it allows spam accepted by the MX backup host to reach your mailboxes because they bypass the checks on your primary host. If so, I suggest you change the settings on your primary host to apply the same tests to authenticated as to non-authenticated clients.

A better solution, but maybe not possible for you, would be to have your MX backup host apply the same anti-spam tests as your primary.

Re: how to check email delivered via MX backup host

Bill Cole-3
In reply to this post by Jon LaBadie
On 31 Mar 2019, at 2:38, Jon LaBadie wrote:

> When I try to block spam from repeaters, via access.db,
> firewall, ... the first thing that happens is the blocked
> mail gets delivered via my MX backup host.  Mail received
> by this route does not seem to be checked against the
> access database.
>
> Is there something I'm not turning on to enable checks
> of mail received via the MX backup host?

No, because the whole concept of "MX backup host" is antiquated and
obsolete, dating from a time when >99.9% of email was wanted and
legitimate. If you cannot replicate the edge filtering across all MX
hosts for a domain and
assure that acceptance at any MX will result in delivery to some
recipient-accessible mailbox, you should not have multiple MX hosts.

Beyond that, MTAs such as Postfix are not generally designed to examine
and parse the audit trail of Received headers added by past SMTP hops in
an attempt to figure out what happened somewhere else in the travel of a
piece of email. With the exception of the extremely limited
header_checks and body_checks features (which are INTENTIONALLY weak and
simplistic) all of the access controls in Postfix operate on the
parameters of the SMTP transaction: the connecting IP and its reverse
DNS name, HELO name, authentication and related authorization state,
sender address, and recipient addresses. The pure sender and recipient
access restrictions in Postfix still work with email arriving via a
backup MX but everything else about the SMTP transaction is different.
However, if you use REJECT with those restrictions you will generate
backscatter at innocent forgery victims, while using DISCARD puts you at
risk of dropping some valid wanted mail into a black hole.

You can get *some* filtering nuance for mail routed via a trusted
secondary MX from robust filtering tools like SpamAssassin that have a
logical model for such circumstances where you need to interpret and
trust what another host claims has happened to a message but to do
something more nuanced than simply rejecting or discarding messages that
the filter determines to be probable unwanted junk.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
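
The trusted-relay idea described in the message above, as an added example that is not part of the original thread and is not SpamAssassin's or Postfix's code: walk the Received chain from the newest hop, skip hops whose client is the backup MX, and test the first remaining client address against the block list the primary would have applied to a direct connection. All hostnames, addresses, table contents and function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Assumptions (constructed values): the backup MX address the primary trusts,
# and a client range the primary already rejects on direct connections.
TRUSTED_RELAYS = [ipaddress.ip_network("198.51.100.25/32")]
BLOCKED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]

# Client address in a Postfix-style "from helo (rdns [ip])" clause.
FROM_IP = re.compile(r"^from\s+\S+\s+\([^)]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def originating_client(raw_message):
    """Return the first client IP outside TRUSTED_RELAYS, or None."""
    msg = email.message_from_string(raw_message)
    # Received headers are prepended, so the newest hop comes first. Each
    # header read here was written by the primary or by a trusted relay.
    for header in msg.get_all("Received", []):
        match = FROM_IP.match(" ".join(header.split()))
        if not match:
            return None  # unparseable hop: stop instead of guessing
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if not any(ip in net for net in TRUSTED_RELAYS):
            return ip  # older headers were written by untrusted hosts
    return None

def verdict(raw_message):
    ip = originating_client(raw_message)
    if ip is None:
        return "unknown"
    return "blocked" if any(ip in net for net in BLOCKED_CLIENTS) else "ok"

# Constructed sample: relayed by the backup MX, with a forged oldest header.
VIA_BACKUP = """\
Received: from mx2.backup.example (mx2.backup.example [198.51.100.25])
\tby mail.primary.example (Postfix) with ESMTP id 4AAAA;
\tSun, 31 Mar 2019 07:00:02 +0000 (UTC)
Received: from bulk.example (unknown [203.0.113.77])
\tby mx2.backup.example (Postfix) with ESMTP id 4BBBB;
\tSun, 31 Mar 2019 07:00:00 +0000 (UTC)
Received: from relay.example (relay.example [192.0.2.10])
\tby bulk.example with ESMTP; Sun, 31 Mar 2019 06:59:58 +0000 (UTC)
Subject: constructed test message

body
"""

if __name__ == "__main__":
    print(originating_client(VIA_BACKUP), verdict(VIA_BACKUP))
```

The oldest header in the sample is never consulted, because it was written by a host outside the trusted set and could say anything.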

Re: how to check email delivered via MX backup host

Jon LaBadie
In reply to this post by Dominic Raferd
On Sun, Mar 31, 2019 at 06:59:40AM +0000, Dominic Raferd wrote:

> On Sun, 31 Mar 2019 at 07:40, Jon LaBadie <[hidden email]> wrote:
>
> > When I try to block spam from repeaters, via access.db,
> > firewall, ... the first thing that happens is the blocked
> > mail gets delivered via my MX backup host.  Mail received
> > by this route does not seem to be checked against the
> > access database.
> >
> > Is there something I'm not turning on to enable checks
> > of mail received via the MX backup host?
> >
>
> I presume the MX backup host is a third party service not under your full
> control?

Correct.  And I have no input to its administration.
>
> Does the MX backup host deliver to your primary host, and if so does it do
> so with authenticated access?

Delivers to my primary host, but NOT authenticated access.
>
> If the answer to both questions is yes, I suspect that your primary host is
> not applying the same anti-spam tests to connections with authenticated
> access as it applies to non-authenticated. This is a common set up but in
> your case it allows spam accepted by the MX backup host to reach your
> mailboxes because they bypass the checks on your primary host. If so, I
> suggest you change the settings on your primary host to apply the same
> tests to authenticated as to non-authenticated clients.

Embarrassed to say, I set it up from a "recipe" which included authentication.
But I never set up any authentication method(s).  Thus I "advertise" authentication
and I guess forwarding, but no one ever succeeds.  Generates lots of log messages ;)
>
> A better solution, but maybe not possible for you, would be to have your MX
> backup host apply the same anti-spam tests as your primary.

Would that I could :(  Thanks for the input.

Jon
--
Jon H. LaBadie                 [hidden email]
 11226 South Shore Rd.          (703) 787-0688 (H)
 Reston, VA  20190              (703) 935-6720 (C)