looking for any options to better deal with mail looping

looking for any options to better deal with mail looping

Fazzina, Angelo

Hi, I have a domain that has MX point to O365 and then O365 relays mail to Postfix server.

Currently, Postfix does a lookup in a MySql table to know where to relay the email to, AFA next hop. If not found in table Postfix looks up MX and relays the email.

I want to know if there is a more graceful way of dealing with mail loops caused by sending to invalid addresses?

Example:

A.      TO: [hidden email] -> O365 -> postfix -> relay to destination server [cuz found in table]

B.      TO: [hidden email] -> O365 -> postfix -> lookup MX and relay [cuz not found in table] -> O365 -> Postfix -> you get the idea

For "B" I tested and it finally sends me the bounce back after 9 loops

[216.32.180.170] said: 554
    5.4.14 Hop count exceeded - possible mail loop ATTR1

Is there a savvy setting in Postfix to deal with this scenario [like telling postfix, for this domain, if you don't find entry in table bounce and don't look up MX?] Or is Postfix already doing the best it can.

Thank you.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075
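Postfix's own guard against the loop in case B is hopcount_limit (default 50 Received: headers); in this thread it was O365's lower limit that bounced the message first. The following Python script is an added example, not part of the original post: it applies the same idea offline to a captured message, counting Received: hops and flagging any host that keeps reappearing in the trail, which is exactly the O365 -> Postfix -> O365 pattern of case B. The message it builds is constructed from documentation-only domains and addresses; the function names are this example's own.

```python
"""Spot a mail loop from a message's Received: trail (added example, not from the
thread). Postfix stops a message after hopcount_limit Received: headers (default
50); this does the same count on a saved message and also reports hosts that
have relayed the same message repeatedly."""
import email
import re
from collections import Counter

HOPCOUNT_LIMIT = 50  # Postfix hopcount_limit default
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hosts(raw_message):
    """Return the 'by' host of each Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_BY.search(value)
        hosts.append(match.group(1).lower() if match else "?")
    return hosts


def loop_report(raw_message, limit=HOPCOUNT_LIMIT, repeat_threshold=3):
    """Summarize the hop count and any host seen at least repeat_threshold times."""
    hosts = received_hosts(raw_message)
    counts = Counter(hosts)
    repeaters = sorted(h for h, n in counts.items() if n >= repeat_threshold)
    return {
        "hops": len(hosts),
        "over_limit": len(hosts) > limit,
        "looping_hosts": repeaters,
        "suspect_loop": bool(repeaters),
    }


def build_bouncing_message(rounds):
    """Constructed sample: a message handed O365 -> Postfix -> O365 ... `rounds`
    times, using documentation-only domains and addresses."""
    hops = []
    for i in range(rounds):
        hops.append(
            "Received: from mta5.example.edu (192.0.2.10)\n"
            " by edu-example.mail.protection.example.invalid with SMTP; hop %d" % (2 * i + 1))
        hops.append(
            "Received: from edu-example.mail.protection.example.invalid (198.51.100.20)\n"
            " by mta5.example.edu (Postfix) with ESMTP id ABC%03d; hop %d" % (i, 2 * i + 2))
    headers = "\n".join(reversed(hops))  # the newest Received: header sits on top
    return headers + ("\nFrom: sender@example.net\nTo: nobody@example.edu\n"
                      "Subject: loop test\n\nbody\n")


if __name__ == "__main__":
    print(loop_report(build_bouncing_message(9)))  # nine round trips, as in case B
```

Run against a saved .eml instead of the constructed message by passing the file's contents to loop_report; a report with suspect_loop set and two looping_hosts is the signature of a relay pair forwarding to each other, and hopcount_limit is the parameter that bounds how long Postfix will let that continue.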

Re: looking for any options to better deal with mail looping

Wietse Venema
Fazzina, Angelo:
> Hi, I have a domain that has MX point to O365 and then O365 relays
> mail to Postfix server.  Currently, Postfix does a lookup in a
> MySql table to know where to relay the email to, AFA next hop. If
> not found in table Postfix looks up MX and relays the email.

Postfix should first verify that the recipient exists, before accepting
the mail. Perhaps you can use the MySQL table with relay_recipient_maps.

For more info on inbound recipient validation:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Basically, have a list of valid recipients, or dynamically build
a cache with reject_unverified_recipient.

        Wietse
RE: looking for any options to better deal with mail looping

luistkd4
In reply to this post by Fazzina, Angelo
Do you have a wildcard in table?

RE: looking for any options to better deal with mail looping

Fazzina, Angelo
In reply to this post by Wietse Venema
I changed my config and added/changed in main.cf

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_map = btree:$data_directory/verify_cache
relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

I did a test
postmap /etc/postfix/files/mysql_pn.cf
systemctl restart postfix

THEN
[root@mta5 postfix]# telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
250 2.1.5 Ok
quit
221 2.0.0 Bye

[root@mta5 postfix]# mlgrep 2F56E3000A39 /var/log/maillog

Nov  7 14:49:02 mta5 postfix/cleanup[32604]: 2F56E3000A39: message-id=<[hidden email]>
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: from=<[hidden email]>, size=284, nrcpt=1 (queue active)
Nov  7 14:49:02 mta5 postfix/smtp[32607]: 2F56E3000A39: to=<[hidden email]>, relay=darwin-eeb-uconn-edu.mail.protection.outlook.com[207.46.163.106]:25, delay=0.39, delays=0.01/0.02/0.23/0.14, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: removed


MY QUESTION:
Why do logs show " status=deliverable" ? I get this no matter if "TO" is real or a fake address BTW.
Is it due to the relay[207.46.163.106] blindly accepting all mail with "TO" of  [hidden email] ?

Have I misinterpreted how to use relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf ?? From logs I think postfix is not using this setting....

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075
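The maillog excerpt above records a verify(8) probe, not a delivery: probes log status=deliverable or status=undeliverable, while ordinary deliveries log status=sent, deferred or bounced. A probe only reports what the next hop answered at RCPT TO, so when that hop is a relay that accepts any address in the domain, as Angelo suspects of the relay in his log, "deliverable" says nothing about the mailbox. The following Python parser is an added example, not code from the thread: it splits Postfix queue-id log lines into fields and separates probe results from deliveries. The sample lines are constructed (the queue id 2F56E3000A39 is the one from the log above; addresses, hosts and the other ids are made up), and the function names are this example's own.

```python
"""Parse Postfix maillog lines and separate address-verification probe results
from real deliveries (added example, not code from the thread)."""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+?)(?:, |$)")
PROBE_STATUSES = {"deliverable", "undeliverable"}  # what verify(8) probes log

SAMPLE_LOG = [  # constructed lines shaped like the ones quoted in the thread
    "Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: from=<probe@mta5.example.edu>, "
    "size=284, nrcpt=1 (queue active)",
    "Nov  7 14:49:02 mta5 postfix/smtp[32607]: 2F56E3000A39: to=<nobody@darwin.example.edu>, "
    "relay=mail.protection.example.invalid[203.0.113.5]:25, delay=0.39, "
    "delays=0.01/0.02/0.23/0.14, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)",
    "Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: removed",
    "Nov 13 16:10:11 mta4 postfix/smtp[1201]: 5D1A2B3C4D5E: to=<ghost@darwin.example.edu>, "
    "relay=darwin.example.edu[192.0.2.7]:25, delay=0.2, delays=0.01/0.01/0.1/0.08, dsn=5.1.1, "
    "status=undeliverable (host darwin.example.edu[192.0.2.7] said: 550 5.1.1 "
    "<ghost@darwin.example.edu>: Recipient address rejected: User unknown in local recipient "
    "table (in reply to RCPT TO command))",
    "Nov 13 16:10:12 mta4 postfix/smtp[1202]: 6E2B3C4D5E6F: to=<alice@darwin.example.edu>, "
    "relay=darwin.example.edu[192.0.2.7]:25, delay=0.5, delays=0.01/0.01/0.2/0.3, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as 1A2B3C)",
]


def parse_line(line):
    """Split one queue-id log line into fixed fields plus its key=value pairs;
    return None for lines that carry no queue id."""
    match = LOG_RE.match(line.rstrip("\n"))
    if not match:
        return None
    rec = match.groupdict()
    rec["fields"] = {k: v.strip("<>") for k, v in KV_RE.findall(rec["rest"])}
    return rec


def verification_summary(lines):
    """Map each recipient to what the smtp client logged for it, tagging
    verify(8) probes ("deliverable"/"undeliverable") apart from deliveries."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["prog"] != "smtp":
            continue
        f = rec["fields"]
        if "to" not in f or "status" not in f:
            continue
        status, _, detail = f["status"].partition(" ")
        if detail.startswith("(") and detail.endswith(")"):
            detail = detail[1:-1]  # the remote server's reply, without its wrapper
        summary[f["to"]] = {
            "queue_id": rec["qid"],
            "kind": "probe" if status in PROBE_STATUSES else "delivery",
            "status": status,
            "dsn": f.get("dsn"),
            "relay": f.get("relay"),
            "detail": detail,
        }
    return summary


if __name__ == "__main__":
    for rcpt, info in verification_summary(SAMPLE_LOG).items():
        print(rcpt, info["kind"], info["status"], info["relay"])
```

Feed it real lines with `verification_summary(open("/var/log/maillog"))`; the relay field of a probe entry tells you which host actually answered, so a "deliverable" whose relay is the upstream O365 endpoint rather than the final server is the case Angelo is asking about.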

Re: looking for any options to better deal with mail looping

Viktor Dukhovni
> On Nov 7, 2018, at 3:26 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf
>
> I did a test
> postmap /etc/postfix/files/mysql_pn.cf

There's no point in trying to "postmap" MySQL, LDAP, PostgreSQL, "pcre", "regexp", ...
tables.

Only tables that have an on-disk *indexed* format need "postmap":

        - cdb
        - btree
        - hash
        - lmdb
        - dbm  (obsolete)
        - sdbm (obsolete)

--
        Viktor.

RE: looking for any options to better deal with mail looping

Fazzina, Angelo
Hi, thank you Viktor, I deleted the .db file.
I reread the docs and removed all my previous changes and started over.

Wietse, thanks for the tip "relay_recipient_maps"

My old config was :

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

transport_maps = hash:/etc/postfix/maps/transport
        /etc/postfix/maps/transport .....
        darwin.eeb.uconn.edu            smtp:[darwin.eeb.uconn.edu]

My new config is :

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

the transport stuff was left untouched.

RAN  systemctl reload postfix
tested
[root@mta4 postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mta4.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta4.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: host darwin.eeb.uconn.edu[137.99.139.139] said: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)
rcpt to:[hidden email]
250 2.1.5 Ok
quit
221 2.0.0 Bye

I think it's working as desired, only one thing I can't understand.
My server mta4 gave the 450 4.1.1 and server Darwin.eeb.uconn.edu gave 550 5.1.1, so why is it taking so long to get an NDR ?

[ I did another test with my outlook client and got same response  as seen here from O365 message trace details]
Reason: [{LED=450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: host darwin.eeb.uconn.edu[137.99.139.139] said: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)};{MSG=};{FQDN=smtp.uconn.edu};{IP=137.99. OutboundProxyTargetIP: 137.99.25.243. OutboundProxyTargetHostName: smtp.uconn.edu

Is it as simple as changing this parameter in main.cf ?
unverified_recipient_defer_code (default: 450)


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

Re: looking for any options to better deal with mail looping

Viktor Dukhovni


> On Nov 13, 2018, at 4:22 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> Is it as simple as changing this parameter in main.cf ?
> unverified_recipient_defer_code (default: 450)

Yes.

--
        Viktor.

RE: looking for any options to better deal with mail looping

Fazzina, Angelo
Hi again,
Even though my configuration does what I need it to do, it seems to have broken something else that needs to still work.
Did I forget something or just did this wrong ?
Will this setting allow whitelisting something to help the issue "smtpd_sender_restrictions"
I maybe just confusing the processing Postfix does AFA  envelope TO and FROM and header TO and FROM...?

Here is the test showing what is broken:

[root@mta5 ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo listserv.uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: Address verification in progress
quit
221 2.0.0 Bye
Connection closed by foreign host.

Here is my current config in main.cf :
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
relay_recipient_maps = hash:/etc/postfix/files/sender_relay_domains,  mysql:/etc/postfix/files/mysql_pn.cf
        [root@mta5 files]# more sender_relay_domains
        @listserv.uconn.edu      OK

Here is [most of] the headers of a real email that gets delivered to my [hidden email] address even though it does not appear anywhere in the headers :

Received: from SN4PR0501MB3808.namprd05.prod.outlook.com
 (2603:10b6:406:a8::38) by BN7PR05MB5859.namprd05.prod.outlook.com with HTTPS
 via BN7PR11CA0025.NAMPRD11.PROD.OUTLOOK.COM; Fri, 16 Nov 2018 16:00:54 +0000
Received: from SN4PR0501CA0078.namprd05.prod.outlook.com
 (2603:10b6:803:22::16) by SN4PR0501MB3808.namprd05.prod.outlook.com
 (2603:10b6:803:49::22) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1339.11; Fri, 16 Nov
 2018 16:00:52 +0000
Received: from SN1NAM01FT027.eop-nam01.prod.protection.outlook.com
 (2a01:111:f400:7e40::206) by SN4PR0501CA0078.outlook.office365.com
 (2603:10b6:803:22::16) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1339.14 via Frontend
 Transport; Fri, 16 Nov 2018 16:00:51 +0000
Authentication-Results: spf=none (sender IP is 137.99.25.243)
 smtp.mailfrom=LISTSERV.UCONN.EDU; uconn.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=mta4.uits.uconn.edu;uconn.mail.onmicrosoft.com; dmarc=bestguesspass
 action=none header.from=LISTSERV.UCONN.EDU;
Received-SPF: None (protection.outlook.com: LISTSERV.UCONN.EDU does not
 designate permitted sender hosts)
Received: from mta4.uits.uconn.edu (137.99.25.243) by
 SN1NAM01FT027.mail.protection.outlook.com (10.152.65.58) with Microsoft SMTP
 Server id 15.20.1339.10 via Frontend Transport; Fri, 16 Nov 2018 16:00:49
 +0000
Received: from MSB-P-Listserv (MSB-P-Listserv.grove.ad.uconn.edu [137.99.30.25])
        by mta4.uits.uconn.edu (Postfix) with ESMTP id 2A8B0180AC15;
        Fri, 16 Nov 2018 11:00:47 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mta4.uits.uconn.edu 2A8B0180AC15
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.uits.uconn.edu;
        s=dkim1; t=1542384047;
        bh=23m3HvmPkkiL8AhD31WJX+Es7CXHECqjFcBk/2u1CNA=;
        h=Date:Reply-To:From:Subject:To:List-Help:List-Unsubscribe:
         List-Subscribe:List-Owner:List-Archive:From;
        b=vqj2Xt564wl9mezVZt3B/Im27ZlxA1mAZD7NtBbxQXvOoQRhpFhhqHdCgKvLZ/Czv
         mC1ETdTEpntS9dsNmt16ZXQcB0bk76C2TBz0Uso7sMiXtus5Gx/dn107ZIl1VF7mRM
         krEhqkeI0hu9LAAbEbxvxFGOyyONuDqg+QdpeJa8=
Received: by LISTSERV.UCONN.EDU (LISTSERV-TCP/IP release 16.0) with spool id
          18870947 for [hidden email]; Fri, 16 Nov 2018
          11:00:07 -0500
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Message-ID: <UCONN_EMPLOYEES-L%[hidden email]>
Date: Fri, 16 Nov 2018 11:00:07 -0500
Reply-To: [hidden email]
Sender: All UConn Employees and Graduate Students
        <[hidden email]>
From: UConn Daily Digest <[hidden email]>
Subject: [UCONN_EMPLOYEES-L] Faculty/Staff Daily Digest
To: [hidden email]
Precedence: list
List-Help: <https://ListServ.Uconn.edu/scripts/wa.exe?LIST=UCONN_EMPLOYEES-L>,
           <mailto:[hidden email]?body=INFO%20UCONN_EMPLOYEES-L>
List-Unsubscribe:
 <mailto:[hidden email]>
List-Subscribe: <mailto:[hidden email]>
List-Owner: <mailto:[hidden email]>
List-Archive: <https://ListServ.Uconn.edu/scripts/wa.exe?LIST=UCONN_EMPLOYEES-L>
Return-Path: [hidden email]
X-MS-Exchange-Organization-ExpirationStartTime: 16 Nov 2018 16:00:51.8366
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 0a4efb32-d35a-449f-e496-08d64bdcaee0
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Forefront-Antispam-Report:
 CIP:137.99.25.243;IPV:CAL;SCL:-1;CTRY:US;EFV:NLI;SFV:SKN;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN4PR0501MB3808;H:mta4.uits.uconn.edu;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Exchange-Diagnostics:
 1;SN1NAM01FT027;1:PZzZoGAKUxBT9R17nn4wTMBrtIq5f1Sl3Tb4MN5cfhDVh+TdGNuPlSoWWxfnOmrZGMaAdheQeGzojD4hLrG0YknZbsf7Pl1IJT5+uxfpBLFnditOeRybjUThWSYiHeE4
X-MS-Exchange-Organization-AuthSource:
 SN1NAM01FT027.eop-nam01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: uconn.onmicrosoft.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0a4efb32-d35a-449f-e496-08d64bdcaee0
X-Microsoft-Antispam:
 BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4608076)(2017052603328)(7153060);SRVR:SN4PR0501MB3808;
X-Microsoft-Exchange-Diagnostics:
 1;SN4PR0501MB3808;3:b1PemKe27pMQg+4aKjxrUsj4AvGHh49PJXVLiPX3avepFYwgnRdUHI3kM3/PB/YAIiUcHAn3f9YSZHPAOdYcbtK14uHE2IFapaE/OSW2KBeR33VZc7Bu9fODurUsJBb78D4q+wB8uknH5d+zPJj1gEwJ4iNaMLrvNNvEairCkRkhIZg+/tXa4nrK84bOfwFsY5xjCfN8ryoimSNiQdfXHN1TqazV85onjJsw5JTmkP7T+nGns9l1wfyvYh1xrJXaLMqh9HZGjvfNjHaD/2XE9s6ZlQIvHA+ol9qf51/O+0YE/4TGWJlXKupLNI8MJ+XsteRT3f14NIWwiyfZ+WkXCajqD/8edxmzctP/fxizD5E=;25:H+n/QpU3xz6XLZrIfa5TP4KtPq4sZx/nE3Q2iWxbH8EYxQw+iwBFvJun3QxUdqtKywpHUxr7ZuM/bFyK9OAs4JNCQTwYpWo/jxk5hdT56xkP6sTo5EXeBCYV9N5ZPZ3ylt33a7/4adSRhflJhnwVFV2L+A5+rtRnThnJMCNexVvcu3Uor24SXn6ulJVPK0WSz4iENeMbopsZzNVe0vDxWwVQA5Lu9QwrI2sjBKX+JC/tzLbi/DUtxcuY9T+gIpVADN0WRwk4HRyv+BXQ52a8yXmyQZcLTCKTT0gXIJ0fEbmy0/BMTTFCRN6GcgJ7nQ3hTafkQyNwhTxJ5Z98+3wMGQ==
X-MS-TrafficTypeDiagnostic: SN4PR0501MB3808:
X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
X-MS-Exchange-Safelinks-Url-KeyVer: 1
X-MS-Exchange-ATPSafeLinks-Stat: 1
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: SKN
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Nov 2018 16:00:49.1803
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a4efb32-d35a-449f-e496-08d64bdcaee0
X-MS-Exchange-CrossTenant-Id: 17f1a87e-2a25-4eaa-b9df-9d439034b080
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=17f1a87e-2a25-4eaa-b9df-9d439034b080;Ip=[137.99.25.243];Helo=[mta4.uits.uconn.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR0501MB3808
X-MS-Exchange-Transport-EndToEndLatency: 00:00:05.1047330
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1339.000



Thank you for any breadcrumbs to get this working without breaking existing functionality.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

Re: looking for any options to better deal with mail looping

Noel Jones-2
On 11/16/2018 2:41 PM, Fazzina, Angelo wrote:
> Hi again,
> Even though my configuration does what I need it to do, it seems to have broken something else that needs to still work.
> Did I forget something or just did this wrong ?
> Will this setting allow whitelisting something to help the issue "smtpd_sender_restrictions"
> I maybe just confusing the processing Postfix does AFA  envelope TO and FROM and header TO and FROM...?

The To: From: headers have no relation to postfix delivery. All
delivery is based on envelope addresses.


>
> Here is the test showing what is broken:
>...
> 250 2.1.0 Ok
> rcpt to:[hidden email]
> 450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: Address verification in progress
>...

Nothing wrong here.  The address verification is in progress and the
client is free to retry delivery.  Presumably the verification
completed a few seconds later.  This will be noted in the log.

If you wish to exempt some recipient from verification, add a
check_recipient_access map before the reject_unverified_recipient


> Here is my current config in main.cf :
> smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Typically, reject_unverified_recipient would be after
reject_unauth_destination to prevent verifying random internet
recipients, or in a check_recipient_access map to limit the scope of
the checks.  Something like:

[hidden email]  DUNNO
listserv.example.com  DUNNO
example.com  reject_unverified_recipient


> relay_recipient_maps = hash:/etc/postfix/files/sender_relay_domains,  mysql:/etc/postfix/files/mysql_pn.cf
> [root@mta5 files]# more sender_relay_domains
> @listserv.uconn.edu      OK

relay_recipient_maps does not exempt addresses from the
reject_unverified_recipient check.  See the above example for how to
exempt addresses from verification.


>
> Here is [most of] the headers of a real email that gets delivered to my [hidden email] address even though it does not appear anywhere in the headers :

Headers are irrelevant for this discussion.  Postfix logs will show
what is happening.




  -- Noel Jones
RE: looking for any options to better deal with mail looping

Fazzina, Angelo
Hi, I am still lost with how this all works together, sadly.  Do you see obvious errors or am I misunderstanding the limits of what can be done ?

I am not sure yet what is relevant
My current settings:
relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf
smtpd_recipient_restrictions =  reject_unknown_recipient_domain,  
                                check_recipient_access hash:/etc/postfix/files/sender_relay_domains,
                                reject_unverified_recipient,
                                permit_mynetworks,
                                permit_sasl_authenticate
smtpd_relay_restrictions =  check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

[root@mta5 files]# more sender_relay_domains
## -ALF This should allow Listerv addresses even though they are not in PerName DB
listserv.uconn.edu      DUNNO

[root@mta5 maps]# more transport
#  Domains *relayed*  by pn.uconn.edu and which map to the hosts' A record.
ad.uconn.edu                    smtp:[uconn-edu.mail.protection.outlook.com]
darwin.eeb.uconn.edu            smtp:[darwin.eeb.uconn.edu]
listserv.uconn.edu              smtp:[listserv.uconn.edu]



My goal is to allow all mail TO  [hidden email] but still check recipient for other domains like darwin.eeb.uconn.edu

MY testing:

Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: Address verification in progress
rcpt to:[hidden email]
250 2.1.5 Ok
rcpt to:[hidden email]
450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: Address verification in progress
quit
221 2.0.0 Bye
Connection closed by foreign host.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

Re: looking for any options to better deal with mail looping

Noel Jones-2
On 11/28/2018 4:02 PM, Fazzina, Angelo wrote:

> Hi, I am still lost with how this all works together, sadly.  Do you see obvious errors or am I misunderstanding the limits of what can be done ?
>
> I am not sure yet what is relevant
> My current settings:
> relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf
> smtpd_recipient_restrictions =  reject_unknown_recipient_domain,  
> check_recipient_access hash:/etc/postfix/files/sender_relay_domains,
> reject_unverified_recipient,
> permit_mynetworks,
> permit_sasl_authenticate

This should look like:
smtpd_recipient_restrictions =
  reject_unknown_recipient_domain
  check_recipient_access hash:/etc/postfix/maps/block_to
  check_recipient_access hash:/etc/postfix/files/sender_relay_domains


> smtpd_relay_restrictions =  check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

smtpd_relay_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination


>
> [root@mta5 files]# more sender_relay_domains
> ## -ALF This should allow Listerv addresses even though they are not in PerName DB
> listserv.uconn.edu      DUNNO


# sender_relay_domains
listserv.uconn.edu  DUNNO
uconn.edu  reject_unverified_recipient





  -- Noel Jones
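Noel's two replies make one point from two angles: the position of reject_unverified_recipient decides whether a verification probe is sent at all, and a check_recipient_access map scopes verification to the domains this server actually backs. A server that verifies before it has refused unauthorized destinations probes arbitrary internet recipients on behalf of anyone who connects, which costs outbound connections and turns it into an address oracle. The following Python model is an added example, not Postfix code and not from anyone in this thread: it walks restriction lists the way smtpd(8) does (simplified: no DNS, no lookup-table options, no smtpd_delay_reject) and counts probes under the original layout, the reordered layout, and the split relay/recipient layout Noel recommends. The Smtpd class, the fake verifier and the example.edu domains and addresses are this example's own assumptions.

```python
"""Model of how Postfix walks smtpd restriction lists (added example, not Postfix
code; simplified: no DNS, no table options). It shows why restriction *order*
decides whether an address-verification probe is sent for a recipient."""

PERMIT, DUNNO, REJECT, DEFER = "PERMIT", "DUNNO", "REJECT", "DEFER"


def access_lookup(table, recipient):
    """access(5)-style lookup: full address, domain, parent domains, then user@
    (parent_domain_matches_subdomains includes smtpd_access_maps by default)."""
    local, _, domain = recipient.lower().rpartition("@")
    labels = domain.split(".")
    keys = [recipient.lower(), domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    keys.append(local + "@")
    return next((table[k] for k in keys if k in table), None)


class Smtpd:
    def __init__(self, relay_domains, known_domains, verifier):
        self.relay_domains = set(relay_domains)  # what reject_unauth_destination allows
        self.known_domains = set(known_domains)  # stand-in for the DNS MX/A lookup
        self.verifier = verifier  # recipient -> "deliverable" | "undeliverable" | other
        self.probes = []  # every recipient for which a verification probe was sent

    def _apply(self, restriction, client, recipient):
        if isinstance(restriction, tuple):  # ("check_recipient_access", table)
            found = access_lookup(restriction[1], recipient)
            if found is None:
                return DUNNO
            word = found.split()[0].upper()
            if word in ("DUNNO", "OK", "REJECT"):
                return {"DUNNO": DUNNO, "OK": PERMIT, "REJECT": REJECT}[word]
            return self._apply(found, client, recipient)  # result names a restriction
        domain = recipient.rpartition("@")[2].lower()
        if restriction == "permit_mynetworks":
            return PERMIT if client["mynetworks"] else DUNNO
        if restriction == "permit_sasl_authenticated":
            return PERMIT if client["sasl"] else DUNNO
        if restriction == "reject_unknown_recipient_domain":
            return DUNNO if domain in self.known_domains else REJECT
        if restriction == "reject_unauth_destination":
            return DUNNO if domain in self.relay_domains else REJECT
        if restriction == "reject_unverified_recipient":
            self.probes.append(recipient)  # the cost that ordering controls
            verdict = {"deliverable": DUNNO, "undeliverable": REJECT}
            return verdict.get(self.verifier(recipient), DEFER)  # in progress -> 450
        raise ValueError("unsupported restriction %r" % (restriction,))

    def _walk(self, restrictions, client, recipient):
        for restriction in restrictions:
            outcome = self._apply(restriction, client, recipient)
            if outcome != DUNNO:
                return outcome
        return PERMIT  # end of list: Postfix permits by default

    def rcpt_to(self, relay_restrictions, recipient_restrictions, client, recipient):
        """Postfix >= 2.10: smtpd_relay_restrictions first, then
        smtpd_recipient_restrictions; a REJECT or DEFER from either wins."""
        for rules in (relay_restrictions, recipient_restrictions):
            outcome = self._walk(rules, client, recipient)
            if outcome in (REJECT, DEFER):
                return outcome
        return PERMIT


def run_scenarios():
    """Constructed domains and a fake verifier; returns (outcome, probes) per case."""
    def verifier(recipient):
        return "undeliverable" if recipient.startswith("ghost@") else "deliverable"
    relay_domains = ["example.edu", "darwin.eeb.example.edu", "listserv.example.edu"]
    known = relay_domains + ["elsewhere.example.net"]
    internet = {"mynetworks": False, "sasl": False}  # unauthenticated outside client
    outsider = "anyone@elsewhere.example.net"
    results = {}
    # 1. Single-list layout with verification ahead of reject_unauth_destination:
    #    a probe goes out for a recipient the server will refuse to relay to anyway.
    s = Smtpd(relay_domains, known, verifier)
    verify_first = ["reject_unknown_recipient_domain", "reject_unverified_recipient",
                    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
    results["verify_first"] = (s.rcpt_to([], verify_first, internet, outsider), list(s.probes))
    # 2. Same restrictions with reject_unauth_destination first: rejected, no probe.
    s = Smtpd(relay_domains, known, verifier)
    verify_last = verify_first[:1] + verify_first[2:] + verify_first[1:2]
    results["verify_last"] = (s.rcpt_to([], verify_last, internet, outsider), list(s.probes))
    # 3. Layout recommended in the thread: relay policy in smtpd_relay_restrictions,
    #    verification scoped by a check_recipient_access map (constructed domains).
    s = Smtpd(relay_domains, known, verifier)
    relay = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
    scoped = {"listserv.example.edu": "DUNNO", "example.edu": "reject_unverified_recipient"}
    recipient = ["reject_unknown_recipient_domain", ("check_recipient_access", {}),
                 ("check_recipient_access", scoped)]
    for rcpt in ("digest@listserv.example.edu", "ghost@darwin.eeb.example.edu",
                 "alice@darwin.eeb.example.edu", outsider):
        before = len(s.probes)
        results[rcpt] = (s.rcpt_to(relay, recipient, internet, rcpt), s.probes[before:])
    return results
```

In scenario 3 the listserv recipient is accepted without a probe because the map's exact-domain entry returns DUNNO before the parent-domain entry is consulted, the two darwin addresses are probed and get the verifier's answer, and the outside recipient is refused by smtpd_relay_restrictions before smtpd_recipient_restrictions ever runs. That is the behaviour Angelo was after: verification limited to the domains behind this relay, with listserv exempt.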