looking for any options to better deal with mail looping


looking for any options to better deal with mail looping

Fazzina, Angelo

Hi, I have a domain that has MX point to O365 and then O365 relays mail to Postfix server.

Currently, Postfix does a lookup in a MySql table to know where to relay the email to, AFA next hop. If not found in table Postfix looks up MX and relays the email.

I want to know if there is a more graceful way of dealing with mail loops caused by sending to invalid addresses?

Example:

A.      TO: [hidden email] -> O365 -> postfix -> relay to destination server [cuz found in table]

B.      TO: [hidden email] -> O365 -> postfix -> lookup MX and relay [cuz not found in table] -> O365 -> Postfix -> you get the idea

For “B” I tested and it finally sends me the bounce back after 9 loops:

[216.32.180.170] said: 554
    5.4.14 Hop count exceeded - possible mail loop ATTR1

Is there a savvy setting in Postfix to deal with this scenario [like telling postfix, for this domain, if you don’t find entry in table bounce and don’t look up MX?] Or is Postfix already doing the best it can.

Thank you.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

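The "Hop count exceeded" bounce Angelo quotes is the generic defence against this kind of loop: every relay prepends a Received: header, and a gateway refuses the message once there are too many of them. The script below is an added example, not part of the thread, that performs the same check offline over a constructed header block (hostnames, IP addresses and queue IDs are invented) and additionally reports which from/by host pair keeps recurring, which is the quickest way to tell a ping-pong between two gateways from a long but legitimate delivery path.

```python
import re
from collections import Counter

# One unfolded Received: line: "from <host> ... by <host> ...". DOTALL because the
# parenthesised client information may contain anything.
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+).*?\bby\s+(\S+)",
                         re.IGNORECASE | re.DOTALL)


def build_looping_sample(rounds):
    """Constructed header block (made-up hosts) of a message that bounced `rounds`
    times between a cloud front end and an on-premises relay. Newest header first,
    as in a real message; the original submission is the last Received: line."""
    lines = []
    for i in range(rounds):
        lines += ["Received: from relay.example.test (relay.example.test [198.51.100.5])",
                  "\tby cloudmx.example.test with ESMTP id C%d" % i,
                  "Received: from cloudmx.example.test (cloudmx.example.test [203.0.113.10])",
                  "\tby relay.example.test (Postfix) with ESMTP id R%d" % i]
    lines += ["Received: from sender.example.test (sender.example.test [192.0.2.7])",
              "\tby cloudmx.example.test with ESMTP id S0",
              "From: someone@example.test",
              "Subject: test", "", "body"]
    return "\n".join(lines) + "\n"


def unfold_headers(raw):
    """Logical header lines of a message with RFC 5322 folding undone.
    Continuation lines start with whitespace; the header block ends at the
    first empty line."""
    lines = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(from_host, by_host) pairs from the Received: trace, newest first."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def detect_loop(raw, max_hops=25, repeat_threshold=3):
    """Apply a hop-count limit (what the bouncing gateway did) and flag any
    from/by pair that recurs at least `repeat_threshold` times, which is the
    signature of two gateways handing the same message back and forth."""
    hops = received_hops(raw)
    counts = Counter(hops)
    looping = sorted(pair for pair, n in counts.items() if n >= repeat_threshold)
    return {"hop_count": len(hops),
            "hop_limit_exceeded": len(hops) > max_hops,
            "looping_pairs": looping}


if __name__ == "__main__":
    print(detect_loop(build_looping_sample(4), max_hops=8))
```

Run the file as-is and it prints the verdict for a four-round ping-pong; the thresholds are deliberately parameters, because the right hop limit for a site depends on how many legitimate relays sit in its normal delivery path.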

Re: looking for any options to better deal with mail looping

Wietse Venema
Fazzina, Angelo:
> Hi, I have a domain that has MX point to O365 and then O365 relays
> mail to Postfix server.  Currently, Postfix does a lookup in a
> MySql table to know where to relay the email to, AFA next hop. If
> not found in table Postfix looks up MX and relays the email.

Postfix should first verify that the recipient exists, before accepting
the mail. Perhaps you can use the MySQL table with relay_recipient_maps.

For more info on inbound recipient validation:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Basically, have a list of valid recipients, or dynamically build
a cache with reject_unverified_recipient.

        Wietse

RE: looking for any options to better deal with mail looping

luistkd4
In reply to this post by Fazzina, Angelo
Do you have a wildcard in table?

From: [hidden email] <[hidden email]> on behalf of Fazzina, Angelo <[hidden email]>
Sent: Wednesday, 7 November 2018 14:27
To: Postfix users
Subject: looking for any options to better deal with mail looping


RE: looking for any options to better deal with mail looping

Fazzina, Angelo
In reply to this post by Wietse Venema
I changed my config and added/changed in main.cf

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_map = btree:$data_directory/verify_cache
relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

I did a test
postmap /etc/postfix/files/mysql_pn.cf
systemctl restart postfix

THEN
[root@mta5 postfix]# telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
250 2.1.5 Ok
quit
221 2.0.0 Bye

[root@mta5 postfix]# mlgrep 2F56E3000A39 /var/log/maillog

Nov  7 14:49:02 mta5 postfix/cleanup[32604]: 2F56E3000A39: message-id=<[hidden email]>
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: from=<[hidden email]>, size=284, nrcpt=1 (queue active)
Nov  7 14:49:02 mta5 postfix/smtp[32607]: 2F56E3000A39: to=<[hidden email]>, relay=darwin-eeb-uconn-edu.mail.protection.outlook.com[207.46.163.106]:25, delay=0.39, delays=0.01/0.02/0.23/0.14, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: removed


MY QUESTION:
Why do logs show " status=deliverable" ? I get this no matter if "TO" is real or a fake address BTW.
Is it due to the relay[207.46.163.106] blindly accepting all mail with "TO" of  [hidden email] ?

Have I misinterpreted how to use relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf ?? From logs I think postfix is not using this setting....

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Wietse Venema
Sent: Wednesday, November 7, 2018 11:38 AM
To: Postfix users <[hidden email]>
Subject: Re: looking for any options to better deal with mail looping


Re: looking for any options to better deal with mail looping

Viktor Dukhovni
> On Nov 7, 2018, at 3:26 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf
>
> I did a test
> postmap /etc/postfix/files/mysql_pn.cf

There's no point in trying to "postmap" MySQL, LDAP, PostgreSQL, "pcre", "regexp", ...
tables.

Only tables that have an on-disk *indexed* format need "postmap":

        - cdb
        - btree
        - hash
        - lmdb
        - dbm  (obsolete)
        - sdbm (obsolete)

--
        Viktor.


RE: looking for any options to better deal with mail looping

Fazzina, Angelo
Hi, thank you Viktor, I deleted the .db file.
I reread the docs and removed all my previous changes and started over.

Wietse, thanks for the tip "relay_recipient_maps"

My old config was :

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

transport_maps = hash:/etc/postfix/maps/transport
        /etc/postfix/maps/transport .....
        darwin.eeb.uconn.edu            smtp:[darwin.eeb.uconn.edu]

My new config is :

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

the transport stuff was left untouched.

RAN  systemctl reload postfix
tested
[root@mta4 postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mta4.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta4.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[hidden email]
250 2.1.0 Ok
rcpt to:[hidden email]
450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: host darwin.eeb.uconn.edu[137.99.139.139] said: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)
rcpt to:[hidden email]
250 2.1.5 Ok
quit
221 2.0.0 Bye

I think it's working as desired, only one thing I can't understand.
My server mta4 gave the 450 4.1.1 and server Darwin.eeb.uconn.edu gave 550 5.1.1, so why is it taking so long to get an NDR?

[ I did another test with my outlook client and got same response  as seen here from O365 message trace details]
Reason: [{LED=450 4.1.1 <[hidden email]>: Recipient address rejected: unverified address: host darwin.eeb.uconn.edu[137.99.139.139] said: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)};{MSG=};{FQDN=smtp.uconn.edu};{IP=137.99. OutboundProxyTargetIP: 137.99.25.243. OutboundProxyTargetHostName: smtp.uconn.edu

Is it as simple as changing this parameter in main.cf ?
unverified_recipient_defer_code (default: 450)


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Viktor Dukhovni
Sent: Wednesday, November 7, 2018 4:55 PM
To: postfix users <[hidden email]>
Subject: Re: looking for any options to better deal with mail looping


Re: looking for any options to better deal with mail looping

Viktor Dukhovni


> On Nov 13, 2018, at 4:22 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> Is it as simple as changing this parameter in main.cf ?
> unverified_recipient_defer_code (default: 450)

Yes.

--
        Viktor.
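What Wietse suggested and Angelo's second test shows is the reject_unverified_recipient probe: before answering RCPT TO, the front-end server opens its own SMTP session to the next hop, sends MAIL FROM and RCPT TO, turns the answer into its own reply, and caches the verdict so each address is probed once. The code below is an added example, not code from the thread or from Postfix, that reproduces that exchange against an in-process fake next hop (the hostnames and the recipient directory are constructed) and makes the reply code for an undeliverable recipient a parameter, which is the point of the last exchange above: with the default of 450 the upstream keeps retrying and the NDR arrives only when it gives up, while a 5xx code bounces the message on the first attempt.

```python
import socket
import threading

# Constructed recipient directory of the downstream host; stands in for the
# "local recipient table" that answered 550 in the thread. Hypothetical data.
NEXT_HOP_RECIPIENTS = {"alice@example.test", "bob@example.test"}


def _serve_session(conn, known):
    """Minimal SMTP responder for one connection: just the verbs a probe uses."""
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 nexthop.example.test ESMTP\r\n")
        for raw in rd:
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250 nexthop.example.test\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
                if addr in known:
                    conn.sendall(b"250 2.1.5 Ok\r\n")
                else:
                    conn.sendall(b"550 5.1.1 <%s>: Recipient address rejected: "
                                 b"User unknown in local recipient table\r\n" % addr.encode())
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_next_hop(known=NEXT_HOP_RECIPIENTS):
    """Listen on an ephemeral loopback port in a daemon thread; returns (host, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=_serve_session, args=(conn, known), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def probe_recipient(host, port, recipient, sender="", timeout=5.0):
    """The verify probe: EHLO, MAIL FROM, RCPT TO, then QUIT before any DATA.
    Returns (code, text) of the RCPT TO reply; raises OSError on connection trouble."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rd:
        def reply():
            while True:  # swallow "250-..." continuation lines of a multi-line reply
                line = rd.readline().decode("ascii", "replace").rstrip("\r\n")
                if not line:
                    raise OSError("connection closed by next hop")
                if len(line) < 4 or line[3] != "-":
                    return int(line[:3]), line[4:]

        def send(cmd):
            s.sendall(cmd.encode("ascii") + b"\r\n")
            return reply()

        reply()                                   # 220 banner
        send("EHLO verify.example.test")
        send("MAIL FROM:<%s>" % sender)           # null sender, like a real probe
        code, text = send("RCPT TO:<%s>" % recipient)
        send("QUIT")
        return code, text


def smtpd_rcpt_reply(host, port, recipient, cache, reject_code=450, defer_code=450):
    """What the front-end server answers to its own client's RCPT TO.
    `cache` plays the role of address_verify_map. A 5xx from the next hop is
    answered with `reject_code`, a 4xx or a failed probe with `defer_code`;
    only definite verdicts are cached."""
    verdict = cache.get(recipient)
    if verdict is None:
        try:
            code, _ = probe_recipient(host, port, recipient)
        except OSError:
            code = 0                              # next hop unreachable: no verdict
        verdict = "ok" if 200 <= code < 300 else "undeliverable" if 500 <= code < 600 else "unknown"
        if verdict != "unknown":
            cache[recipient] = verdict
    if verdict == "ok":
        return 250, "2.1.5 Ok"
    code = reject_code if verdict == "undeliverable" else defer_code
    return code, "%d.1.1 <%s>: Recipient address rejected: unverified address" % (code // 100, recipient)


if __name__ == "__main__":
    host, port = start_fake_next_hop()
    for rcpt in ("alice@example.test", "nobody@example.test"):
        print(rcpt, smtpd_rcpt_reply(host, port, rcpt, {}, reject_code=550))
```

Note that the probe aborts after RCPT TO and never sends DATA, so the next hop sees a session that looks exactly like the one Angelo typed into telnet; the cached verdict is what makes repeated probing of the same address cheap, and the unreachable-next-hop branch deliberately caches nothing, because a temporary failure must not be remembered as a permanent one.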