Re: reject_unverified_recipient 450 error message exposes VPN addresses

From: Wietse Venema (wietse@porcupine.org)
Date: Fri Dec 02 2005 - 12:07:11 CST


Alex Schuilenburg:
> I have recently turned on reject_unverified_recipient for our backup MX
> host which simply acts as a relay. This was done in an attempt to cut
> down on the spam that gets queued there to non-existent local addresses.
>
> Unfortunately I have since found out that the 450 message any sender
> includes the internal VPN addresses and host names of the verification
> host. The message they see is:
>
> 450 <foo@ecoscentric.com>: Recipient address rejected: unverified
> address: host <internal name>[<internal addr>] said: 450
> <foo@ecoscentric.com>: Recipient address rejected: User unknown in local
> recipient table (in reply to RCPT TO command)
>
> with <internal name> and <internal addr> being names and addresses of
> hosts on our VPN.
>
> Is there any configuration option of postfix to hide these names and
> addresses for verification hosts?

No. It is not practical to filter SMTP server replies except perhaps
to extract the SMTP reply code and the enhanced status code at the
start of the reply. Everything else in the remote server reply is
too unpredictable.

So if the remote server replies with

    550 5.1.1 <foo@hidden.com>: Recipient address rejected: User unknown...

Then a future Postfix version might take the two first words and
stuff them into its own reply like this:

    550 5.1.1 <foo@visible.com>: Address not verified

The 5.1.1 will be sufficient for client MUAs to deduce that the
address does not exist.

On the other hand, if Postfix were to reply with just this:

    550 <foo@visible.com>: Address not verified

The response may not be useful when someone makes an honest
typing error.

        Wietse

> I know I can get round this by setting the relayhost to be the externally
> visible i/f of the mail host (and primary MX) - and have it currently
> configured like this. This will only show the visible interface.
> However, the mail host eventually will reside only on the vpn behind a
> firewall so these addresses and names ideally need to be hidden from the
> user.
>
> Thanks
> -- Alex
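The rewrite Wietse sketches above (keep only the remote server's reply code and enhanced status code, drop its free text so internal host names never reach the sender), as an added Python example that is not Postfix code; the fallback reply for unparseable remote responses and the sample replies are my own constructions.

```python
import re

# Leading SMTP reply code (RFC 5321) plus optional enhanced status code
# (RFC 3463). These two tokens are the only part of a remote server's
# reply that is predictable enough to reuse; everything after them may
# carry the verification host's own names and addresses.
_REPLY_RE = re.compile(
    r"^(?P<code>[45]\d\d)"                         # 4xx temporary / 5xx permanent
    r"(?:[ -](?P<esc>[245]\.\d{1,3}\.\d{1,3}))?"   # optional e.g. 5.1.1
    r"(?:[ -]|$)"                                  # space, '-' (multi-line) or end
)


def extract_status(remote_reply: str):
    """Return (reply_code, enhanced_code_or_None) from the first line of a
    remote reply, or None when no usable 4xx/5xx code starts the reply."""
    first_line = remote_reply.splitlines()[0] if remote_reply else ""
    m = _REPLY_RE.match(first_line)
    if not m:
        return None
    return m.group("code"), m.group("esc")


def sanitize_verify_reply(remote_reply: str, recipient: str) -> str:
    """Build the reply the verifying MX gives its own client: copy the codes,
    replace the remote text with a fixed string (Wietse's proposed form)."""
    status = extract_status(remote_reply)
    if status is None:
        # Assumption: on an unparseable reply, defer rather than leak or
        # bounce, so a legitimate sender simply retries later.
        return f"450 <{recipient}>: Address verification in progress"
    code, esc = status
    esc_part = f"{esc} " if esc else ""
    return f"{code} {esc_part}<{recipient}>: Address not verified"


# Constructed sample replies modelled on the ones quoted in the thread.
REMOTE_450 = ("450 <foo@ecoscentric.com>: Recipient address rejected: "
              "User unknown in local recipient table")
REMOTE_550 = "550 5.1.1 <foo@hidden.com>: Recipient address rejected: User unknown"
REMOTE_MULTI = "550-5.1.1 <foo@hidden.com>: host vpn-mx.internal[10.8.0.2]\n550 5.1.1 said no"

if __name__ == "__main__":
    for reply in (REMOTE_450, REMOTE_550, REMOTE_MULTI, "220 ready", "garbage"):
        print(sanitize_verify_reply(reply, "foo@visible.com"))
```

Later Postfix releases added the unverified_recipient_reject_reason parameter, which replaces the remote server's text with a fixed string in much the same way.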