Re: virtual_alias_maps: rewriting outbound
From: Sandy Drobic (postfix-users@japantest.homelinux.com)
Date: Sun Jul 02 2006 - 14:40:37 CDT
Chris McKeever wrote:
> On 7/2/06, Magnus Bäck <magnus@dsek.lth.se> wrote:
>> On Sunday, July 02, 2006 at 20:35 CEST,
>> Chris McKeever <techjedi@gmail.com> wrote:
>>
>> > On 7/2/06, Magnus Bäck <magnus@dsek.lth.se> wrote:
>> >
>> > > But you don't want bounces. Bounces are bad. You want rejections. It
>> > > is true that virtual alias rewriting is performed recursively -- but
>> > > the recipient validation made by smtpd(8) is NOT recursive. If a
>> > > lookup returns a result, the address is valid. This means that your
>> > > Postfix will accept any address with a dot in it, e.g.
>> > > blah.blah@example.com, and later bounce the invalid recipient
>> > > bblah@example.com.
>
>>
>> What server produces this bounce? Without that information the
>> above bounce message snippet is utterly and completely useless.
>>
>> Never show bounce messages. Always show logs from your server.
>>
>
> Magnus - thanks for helping me through this:
>
> both messages are coming from the same server, here are the logs - one
> sent with the 'dot' format and one without - both generate the same
> unknown user log message
>
> Jul 2 14:18:00 prupref-mailgate postfix/virtual[28097]: F0F07C8EBE:
> to=<nonesemail@example.com>, orig_to=<no.onesemail@example.com>,
> relay=virtual, delay=3, status=bounced (unknown user:
> "nonesemail@example.com")
>
> Jul 2 14:18:12 prupref-mailgate postfix/virtual[28097]: 7C1A3C8FBD:
> to=<nonesemail@example.com>, relay=virtual, delay=0, status=bounced
> (unknown user: "nonesemail@example.com")

If this is one of your servers and example.com is one of the domains that
your server is hosting, then you will sooner or later be exploited to send
spam as a backscatter source.

See the thread "Tarpit "User unknown in local recipient table"?" as an
example of that.

Restricting the pattern to only match your own domain like Magnus said
will help a bit, but it is better to use such a virtual alias expansion
only AFTER you have received the mail with a configuration that only
allows valid recipients or not at all and use a script or database for
such address rewriting.

In any case, you either need access to a database with valid recipient
addresses or you need a flat text file with the list of valid recipients. How
the textfile is created is up to you and your scripting skills. (^-^)

Sandy
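
Added example, not part of the original message or of Postfix itself: one way to script the flat text file mentioned above, so that a dotted address gets an alias entry only when its target mailbox really exists. The first-initial-plus-last-name rule is inferred from the log lines in the thread; the function names, the sample mailboxes and the idea of a candidate list taken from a staff directory are assumptions.

```python
# Added example: build an explicit virtual alias table instead of a
# catch-all pattern, so unknown dotted addresses produce no lookup result.
# Assumed rule (inferred from the thread's logs): first.last@domain is
# delivered to <first initial><last>@domain.

def dotted_to_mailbox(address):
    """Return the mailbox for first.last@domain, or None if not in that form."""
    local, sep, domain = address.strip().lower().partition("@")
    first, dot, last = local.partition(".")
    if not (sep and dot and first and last and domain) or "." in last:
        return None
    return f"{first[0]}{last}@{domain}"

def build_alias_map(dotted_addresses, valid_mailboxes, own_domains):
    """Keep a dotted address only if it maps to an existing mailbox in our domains."""
    valid = {m.strip().lower() for m in valid_mailboxes}
    domains = {d.lower() for d in own_domains}
    table = {}
    for addr in dotted_addresses:
        target = dotted_to_mailbox(addr)
        if target is None or target.split("@")[1] not in domains:
            continue  # malformed, or not a domain we host
        if target in valid:
            table[addr.strip().lower()] = target
    return table

def render_postfix_table(table):
    """Render 'key value' lines, the text form that postmap(1) compiles."""
    return "".join(f"{key} {value}\n" for key, value in sorted(table.items()))

# Constructed sample data (hypothetical mailboxes and directory entries).
VALID = ["jsmith@example.com", "adoe@example.com"]
CANDIDATES = [
    "john.smith@example.com",
    "anna.doe@example.com",
    "no.onesemail@example.com",   # address from the thread: no such mailbox
    "blah.blah@example.com",      # address from the thread: no such mailbox
    "john.smith@example.org",     # not one of our domains
]

if __name__ == "__main__":
    print(render_postfix_table(build_alias_map(CANDIDATES, VALID, ["example.com"])), end="")
```

The output contains entries for the two existing mailboxes only, so the addresses that bounced in the logs above have no alias entry to make them look valid at SMTP time.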