recipient restriction on known address?

recipient restriction on known address?

Carconni

I need to set up a "blacklist" of sorts on our mail server.  One of  
our client servers handles approximately a million emails a day and  
we've been experiencing some delivery delays.  In addition, we  
occasionally get blocked for SPAM and while getting unlisted is easy,  
I'd like to find more ways of preventing it.  Is there a means of  
setting up a file that postfix will check before delivery?  I don't  
want to restrict based on domain, but rather by address and I would  
prefer not to use my alias file to move bad addresses to /dev/null.  
Because our client base is so varied and in many cases we don't have  
access to the email database, I need to try and find alternatives on  
the mail server itself.

For example, let's say one of our client's users signed up for
notifications on a particular service, but she's new to it all and
she types in the wrong address.  Our application system sends an
email to the user and it bounces back from the ISP as undeliverable
because of a bad address.  How can I prevent mail from being delivered
to that bad address in the future?  So if [hidden email] comes back
as a 450/550, I want to be able to block mail sent to
[hidden email] but not block any other mail that may be going to
yahoo.com.

I've taken a look at
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
but I'm not sure how to apply it for what I need. Can anyone advise
me on how to set this up?  (I've also looked at
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
but the README states quite clearly that this feature is designed for
low traffic sites.)

Thank you very much



Re: recipient restriction on known address?

Noel Jones-2
carconni wrote:

>
> I need to set up a "blacklist" of sorts on our mail server.  One of our
> client servers handles approximately a million emails a day and we've
> been experiencing some delivery delays.  In addition, we occasionally
> get blocked for SPAM and while getting unlisted is easy, I'd like to
> find more ways of preventing it.  Is there a means of setting up a file
> that postfix will check before delivery?  I don't want to restrict based
> on domain, but rather by address and I would prefer not to use my alias
> file to move bad addresses to /dev/null.  Because our client base is so
> varied and in many cases we don't have access to the email database, I
> need to try and find alternatives on the mail server itself.
>
> For example, lets say one of our client's users signed up for
> notifications on a particular service, but she's new to it all and she
> types in the wrong address.  Our application system sends an email to
> the user and it bounces back from the ISP as undeliverable because of a
> bad address.  How can prevent mail from being delivered to that bad
> address in the future?  So if [hidden email] comes back as a 450/550,
> I want to be able to block mail sent to [hidden email] but not block
> any other mail that may be going to yahoo.com
>
> I've taken a look at
> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions but I'm
> not sure how to apply it for what I need, can anyone advise me on how to
> set this up?  (I've also looked at
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html; but the README
> states quite clearly that this feature is designed for low traffic sites)
>
> Thank you very much
>
>


Use the check_recipient_access restriction to set up a
recipient blacklist.  One way:

# main.cf
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   check_recipient_access hash:/etc/postfix/recipient_blacklist

And the blacklist itself would look like:

# recipient blacklist
[hidden email]  REJECT
[hidden email]  REJECT

After making changes to recipient_blacklist, be sure to run
"postmap recipient_blacklist"
to create the hash file that postfix needs.

It might be easier to have postfix do automatic verification
of recipients in your relay domains, and reject mail to all
undeliverable recipients.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
This does add some load to the server, but in the end it's a
lot less load than handling the undeliverable messages.


--
Noel Jones

Re: recipient restriction on known address?

Wesley-20
In reply to this post by Carconni
carconni wrote:

>
> I need to set up a "blacklist" of sorts on our mail server.  One of
> our client servers handles approximately a million emails a day and
> we've been experiencing some delivery delays.  In addition, we
> occasionally get blocked for SPAM and while getting unlisted is easy,
> I'd like to find more ways of preventing it.  Is there a means of
> setting up a file that postfix will check before delivery?  I don't
> want to restrict based on domain, but rather by address and I would
> prefer not to use my alias file to move bad addresses to /dev/null.  
> Because our client base is so varied and in many cases we don't have
> access to the email database, I need to try and find alternatives on
> the mail server itself.
>
> For example, lets say one of our client's users signed up for
> notifications on a particular service, but she's new to it all and she
> types in the wrong address.  Our application system sends an email to
> the user and it bounces back from the ISP as undeliverable because of
> a bad address.  How can prevent mail from being delivered to that bad
> address in the future?  So if [hidden email] comes back as a
> 450/550, I want to be able to block mail sent to [hidden email] but
> not block any other mail that may be going to yahoo.com
>
> I've taken a look at
> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions but
> I'm not sure how to apply it for what I need, can anyone advise me on
> how to set this up?  (I've also looked at
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html; but the
> README states quite clearly that this feature is designed for low
> traffic sites)
>
> Thank you very much
>
>
Not that I can help you with that, but what if the address is created
after you've blocked it?

And is this the reason that your client's server gets blocked? Seems
unlikely.

--
Wesley


Re: recipient restriction on known address?

Carconni
Actually Wesley, it does.  You see, if you continue to send
undeliverable mail to an ISP like Yahoo, you can get flagged.  See
here:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/postmaster-01.html &
http://help.yahoo.com/l/us/yahoo/mail/postmaster/postmaster-31.html.

If you send to too many dead or invalid addresses, you run the risk
of looking like a spammer.  Since we know we aren't being used as an
open relay, we are trying to reduce the number of bad email
addresses.  If an address that was previously blacklisted turns out
to later be a valid address, the client will notify us and we will
remove that address at their request.  In addition, sometimes, you
have a user who just doesn't want the email anymore but doesn't know
how (or doesn't read the unsubscribe directions at the bottom of the
email) and it's all too easy to click the spam button in their mail
client.  I've checked my dns and reverse dns and we are using
domainkeys - I'm just looking for more options to address this problem.

Thank you, though, for looking at my post.


On Aug 12, 2008, at 12:29 PM, Wesley wrote:

> carconni wrote:
>>
>> I need to set up a "blacklist" of sorts on our mail server.  One  
>> of our client servers handles approximately a million emails a day  
>> and we've been experiencing some delivery delays.  In addition, we  
>> occasionally get blocked for SPAM and while getting unlisted is  
>> easy, I'd like to find more ways of preventing it.  Is there a  
>> means of setting up a file that postfix will check before  
>> delivery?  I don't want to restrict based on domain, but rather by  
>> address and I would prefer not to use my alias file to move bad  
>> addresses to /dev/null.  Because our client base is so varied and  
>> in many cases we don't have access to the email database, I need  
>> to try and find alternatives on the mail server itself.
>>
>> For example, lets say one of our client's users signed up for  
>> notifications on a particular service, but she's new to it all and  
>> she types in the wrong address.  Our application system sends an  
>> email to the user and it bounces back from the ISP as  
>> undeliverable because of a bad address.  How can prevent mail from  
>> being delivered to that bad address in the future?  So if  
>> [hidden email] comes back as a 450/550, I want to be able to  
>> block mail sent to [hidden email] but not block any other mail  
>> that may be going to yahoo.com
>>
>> I've taken a look at
>> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
>> but I'm not sure how to apply it for what I need, can anyone advise
>> me on how to set this up?  (I've also looked at
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html; but the
>> README states quite clearly that this feature is designed for low
>> traffic sites)
>>
>> Thank you very much
>>
>>
> Not that I can help you with that but what if the address is  
> created after that you've blocked it?
>
> And is this the reason that your clients server gets blocked? seems  
> unlikely.
>
> --
> Wesley
>
>


Re: recipient restriction on known address?

Wesley-20
carconni wrote:

> Actually Wesley, it does.  You see, if you continue to send
> undeliverable mail to an ISP like Yahoo, you can get flagged.  See
> here:
> http://help.yahoo.com/l/us/yahoo/mail/postmaster/postmaster-01.html &
> http://help.yahoo.com/l/us/yahoo/mail/postmaster/postmaster-31.html.
>
> If you send to too many dead or invalid addresses, you run the risk of
> looking like a spammer.  Since we know we aren't being used as an open
> relay, we are trying to reduce the number of bad email addresses.  If
> an address that was previously blacklisted turns out to later be a
> valid address, the client will notify us and we will remove that
> address at their request.  In addition, sometimes, you have a user who
> just doesn't want the email anymore but doesn't know how or (doesn't
> read the unsubscribe directions at the bottom of the email) and it's
> all too easy to click the spam button in their mail client.  I've
> checked my dns and reverse dns and we are using domainkeys - I'm just
> looking for more options to address this problem.
>
> Thanks you though for looking at my post.
>

Right I was looking at it differently :)

If there is going to be a check anyway why not put it in your
subscription page or whatever it is you use and deny the address to
be listed with a waiting period so "not so friendly" users can't
abuse this.

--
Wesley


Re: recipient restriction on known address?

mouss-2
Wesley wrote:

>
>
> Right I was looking at it differently :)
>
> If there is going to be a check anyway why not put it in your
> subscription page
> or whatever it is you use and deny the address to be listed with a
> waiting period
> so "not so friendly" users can't abuse this.
>

This is problematic:

- it requires implementing mail routing in the subscription page. so
you're going to duplicate mx lookup and transports functionality in
php/perl/python/java/... etc.

- if the system must use specific outbound relays, there is no way to
validate addresses in real time. Many people don't allow smtp
connections from web servers except to specific mail relays.

- what if there is a temp failure? even with ajax, it is still not
possible to "pause" the user (my brain dumps core if it gets a ctrl-z,
except in drunk daemon mode, but then I don't surf the net :)

- it is easier to do more checks offline. no need to worry about latency
and usability.

- in particular, it is easier to fight robots offline.

- if a million users subscribe at the same time, you don't want to start
one million smtp connections in real time. some people don't even check
the domain validity for this reason.


Re: recipient restriction on known address?

Carconni
In reply to this post by Noel Jones-2
Okay - I've tried this but it isn't working.  Emails are still being  
delivered (and rejected) despite being added to the blacklist.  I  
really need postfix to check a file for bad email addresses  before  
attempting to deliver an email - can Postfix do that?

For instance my recipient_blacklist shows:

[hidden email] reject

in my main.cf file:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/
sender_access,check_recipient_accesshash:/etc/postfix/
recipient_blacklist, hash:/etc/postfix/
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,pe
rmit

but my mail log shows:
Aug 27 15:32:01 ourmailserver postfix/smtp[13606]: DB60B128A19E9:  
to=<[hidden email]>, relay=relay.verizon.net[206.46.232.11],  
delay=1, status=bounced (host relay.verizon.net[206.46.232.11] said:  
550 4.2.1 mailbox temporarily disabled: [hidden email] (in  
reply to RCPT TO command))


On Aug 12, 2008, at 12:28 PM, Noel Jones wrote:

> carconni wrote:
>> I need to set up a "blacklist" of sorts on our mail server.  One  
>> of our client servers handles approximately a million emails a day  
>> and we've been experiencing some delivery delays.  In addition, we  
>> occasionally get blocked for SPAM and while getting unlisted is  
>> easy, I'd like to find more ways of preventing it.  Is there a  
>> means of setting up a file that postfix will check before  
>> delivery?  I don't want to restrict based on domain, but rather by  
>> address and I would prefer not to use my alias file to move bad  
>> addresses to /dev/null.  Because our client base is so varied and  
>> in many cases we don't have access to the email database, I need  
>> to try and find alternatives on the mail server itself.
>> For example, lets say one of our client's users signed up for  
>> notifications on a particular service, but she's new to it all and  
>> she types in the wrong address.  Our application system sends an  
>> email to the user and it bounces back from the ISP as  
>> undeliverable because of a bad address.  How can prevent mail from  
>> being delivered to that bad address in the future?  So if  
>> [hidden email] comes back as a 450/550, I want to be able to  
>> block mail sent to [hidden email] but not block any other mail  
>> that may be going to yahoo.com
>> I've taken a look at
>> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
>> but I'm not sure how to apply it for what I need, can anyone advise
>> me on how to set this up?  (I've also looked at
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html; but the
>> README states quite clearly that this feature is designed for low
>> traffic sites)
>> Thank you very much
>
>
> Use the check_recipient_access restriction to set up a recipient  
> blacklist.  One way:
> # main.cf
> smtpd_recipient_restrictions
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_unauth_destination
>   check_recipient_access hash:/etc/postfix/recipient_blacklist
>
>
> And the blacklist itself would look like:
> # recipient blacklist
> [hidden email]  REJECT
> [hidden email]  REJECT
>
> After making changes to recipient_blacklist, be sure to run  
> "postmap recipient_blacklist"
> to create the hash file that postfix needs.
>
> It might be easier to have postfix do automatic verification of  
> recipients in your relay domains, and reject mail to all  
> undeliverable recipients.
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> This does add some load to the server, but in the end it's a lot  
> less load than handling the undeliverable messages.
>
>
> --
> Noel Jones
>


Re: recipient restriction on known address?

Bill Weiss-5
carconni([hidden email])@Wed, Aug 27, 2008 at 03:39:16PM -0700:

> Okay - I've tried this but it isn't working.  Emails are still being
> delivered (and rejected) despite being added to the blacklist.  I really
> need postfix to check a file for bad email addresses  before attempting to
> deliver an email - can Postfix do that?
>
> For instance my recipient_blacklist shows:
>
> [hidden email] reject
>
> in my main.cf file:
>
> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/sender_access,check_recipient_accesshash:/etc/postfix/recipient_blacklist,
> hash:/etc/postfix/permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit

Note that that says _smtpd_ ...

> but my mail log shows:
> Aug 27 15:32:01 ourmailserver postfix/smtp[13606]: DB60B128A19E9:
> to=<[hidden email]>, relay=relay.verizon.net[206.46.232.11],
> delay=1, status=bounced (host relay.verizon.net[206.46.232.11] said: 550
> 4.2.1 mailbox temporarily disabled: [hidden email] (in reply to
> RCPT TO command))

... and this says _smtp_.  I would fix that before trying anything else.

--
Bill Weiss
 
...like an intruder, that shoots you in the knee caps, sexually assaults
you, ransacks your house, and then leaves a business card...
    -- Gene Spafford, about mobile code


Re: recipient restriction on known address?

Noel Jones-2
In reply to this post by Carconni
carconni wrote:

> Okay - I've tried this but it isn't working.  Emails are still being
> delivered (and rejected) despite being added to the blacklist.  I really
> need postfix to check a file for bad email addresses  before attempting
> to deliver an email - can Postfix do that?
>
> For instance my recipient_blacklist shows:
>
> [hidden email] reject
>
> in my main.cf file:
>
> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/sender_access,check_recipient_accesshash:/etc/postfix/recipient_blacklist,
> hash:/etc/postfix/permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
>
>
> but my mail log shows:
> Aug 27 15:32:01 ourmailserver postfix/smtp[13606]: DB60B128A19E9:
> to=<[hidden email]>, relay=relay.verizon.net[206.46.232.11],
> delay=1, status=bounced (host relay.verizon.net[206.46.232.11] said: 550
> 4.2.1 mailbox temporarily disabled: [hidden email] (in reply to
> RCPT TO command))
>

[please don't top post]

OK, your log shows the bad address leaving postfix.  How did
it get in?

Your main.cf snipping looks odd, but could just be a cut+paste
artifact.  Did you verify your settings by examining "postconf
-n" output?  Typos can be hard to spot eyeballing main.cf entries.

Note that smtpd_* restrictions are only effective on mail
submitted via SMTP and logged by the postfix "smtpd" daemon.
Messages submitted locally via the command line are not
affected; these are logged by the postfix "pickup" daemon.

If the mail enters via SMTP, stop here and find out why your
table didn't work.


If the mail entered via the postfix "pickup" daemon, it's
possible to tell postfix to discard these messages instead of
delivering them (assuming sufficiently recent postfix) by
adding a transport_maps entry for the bad user.

# main.cf
transport_maps = hash:/etc/postfix/transport

# transport
[hidden email]   discard:unauthorized recipient

But it's always better to stop the garbage from coming into
postfix in the first place rather than trying to stop it from
going out.  So if the mail entered via "pickup", the better
approach is to find whatever is submitting it and fix it there.

--
Noel Jones
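
Added example (not part of the original thread, and not code from any poster): a log triage script that ties together the two remedies discussed above, the check_recipient_access table and the transport_maps discard entry. It traces each bounced recipient's queue ID back to the daemon that accepted the message (smtpd or pickup) and emits the table line that can actually take effect for that entry path. The log lines, hosts and addresses are constructed samples; deferred (4xx) deliveries are deliberately not listed, which is an assumption of this example.

```python
import re

# Constructed sample log: queue IDs, hosts and addresses are invented for this example.
SAMPLE_LOG = """\
Aug 27 15:31:58 mx postfix/pickup[1201]: A1B2C3D4E5: uid=48 from=<app@example.com>
Aug 27 15:31:59 mx postfix/smtpd[1310]: F6E5D4C3B2: client=web1.example.com[192.0.2.10]
Aug 27 15:32:01 mx postfix/smtp[1360]: A1B2C3D4E5: to=<typo@example.net>, relay=mx.example.net[198.51.100.5], delay=1, status=bounced (host mx.example.net[198.51.100.5] said: 550 5.1.1 unknown user (in reply to RCPT TO command))
Aug 27 15:32:02 mx postfix/smtp[1361]: F6E5D4C3B2: to=<gone@example.org>, relay=mx.example.org[203.0.113.7], delay=2, status=bounced (host mx.example.org[203.0.113.7] said: 550 5.1.1 no such mailbox (in reply to RCPT TO command))
Aug 27 15:32:03 mx postfix/smtp[1362]: F6E5D4C3B2: to=<busy@example.org>, relay=mx.example.org[203.0.113.7], delay=2, status=deferred (host mx.example.org[203.0.113.7] said: 450 4.2.0 try later (in reply to RCPT TO command))
"""

# "postfix/<daemon>[pid]: <queue id>: <rest of record>"
LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
RCPT = re.compile(r"to=<(?P<rcpt>[^>]+)>.*status=(?P<status>\w+)")


def classify(log_text):
    """Return {recipient: entry daemon} for every recipient with status=bounced."""
    entry = {}    # queue ID -> daemon that accepted the message
    bounced = {}  # recipient -> queue ID of the bounced delivery
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.group("daemon", "qid", "rest")
        if daemon == "smtpd" and rest.startswith("client="):
            entry[qid] = "smtpd"    # arrived over SMTP: smtpd_* restrictions apply
        elif daemon == "pickup" and rest.startswith("uid="):
            entry[qid] = "pickup"   # local submission: smtpd_* restrictions never run
        elif daemon == "smtp":      # outbound delivery attempt
            r = RCPT.search(rest)
            if r and r.group("status") == "bounced":
                bounced[r.group("rcpt").lower()] = qid
    return {rcpt: entry.get(qid, "unknown") for rcpt, qid in bounced.items()}


def render_tables(by_entry):
    """Split recipients into access-table lines and transport-table lines."""
    access, transport = [], []
    for rcpt, daemon in sorted(by_entry.items()):
        if daemon == "smtpd":
            access.append(f"{rcpt}  REJECT")
        elif daemon == "pickup":
            transport.append(f"{rcpt}  discard:unauthorized recipient")
    return access, transport


if __name__ == "__main__":
    access, transport = render_tables(classify(SAMPLE_LOG))
    print("# recipient_blacklist (check_recipient_access)", *access, sep="\n")
    print("# transport (transport_maps)", *transport, sep="\n")
```

Recipients whose entry point comes back as "unknown" (the accepting log line is outside the window scanned) are left out of both tables; run postmap on whichever file changes.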