Re: Experiences with BATV?

From: mouss (moussnetoyen.net)
Date: Sat Sep 20 2008 - 07:41:30 CDT


Bernd-Ludwig Wenning wrote:
> Hello,
>
> I'm currently thinking about adding BATV to our mailserver (which is
> Postfix 2.5.5), because we receive backscatter waves to valid addresses
> from time to time. When searching the web I came across the following
> two solutions:
> http://sourceforge.net/projects/batv-milter/
> http://babel.de/batv.html
> Batv-milter is written for Sendmail, and I am not sure whether it is
> working with Postfix.
> Does anyone have experience with one of these BATV implementations or
> with another one? If so, is it working well or should I go for another
> solution to fight the backscatter?
>

I'm not sure BATV will become a standard in the future, and in any case,
this is not going to happen in the near future. As a result, MUAs will
not implement it. This means that you can't rewrite the envelope if mail
is not sent through your MTAs.

And if all outbound mail goes through your MTAs, there is no need for
BATV. There are two implementation problems here:
1-(output) you need something to rewrite the sender using BATV
2-(input) you need to handle BATV-tagged addresses at reception time
(for recipient validation, delivery, per-recipient access control, ...).

In particular, the "input" problem requires some work. If you use SQL or
LDAP as a backend, you can write queries to handle this. Otherwise, you
need more work. One available implementation uses a proxy_filter "trick"
(the "normal" smtpd doesn't do recipient validation; it passes mail to a
proxy_filter that removes BATV tags and passes mail to another smtpd
where recipient validation is done).

An alternative to BATV in this case (when all mail goes via your MTAs)
is to use "sub-addresses" (extensions):
-(output) use smtp_generic_maps to rewrite the envelope sender (only the
envelope sender, no header rewrite): foo@example.com becomes
foo+yourtag@example.com (replace '+' with your preferred choice of
extension delimiter). (Note that foo+bar@example.com would become
foo+bar+yourtag@example.com.)
-(input) there is nothing to do since extensions are built into Postfix.
When you get a bounce, if it has "+yourtag@example.com", then you can
pass it (whitelist). Otherwise, you can consider it as suspicious and do
more checks (rejecting without further checks would be too aggressive, I
think).

Regarding "yourtag", if this is constant, you won't have problems with
greylisters and list managers (some use the envelope sender to validate
membership), but you may still get some load of BS. You could change
this from time to time: change the tag every day, but at reception still
accept "recent" tags (you may accept tags for 1 month, for instance; in
any case, you should accept them for at least one week). But with a
variable tag, you need to find a workaround for lists that check the
envelope sender.
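The sub-address scheme above, with the daily-rotating tag and the "accept recent tags" window, as an added worked example. This is editor-supplied Python, not code from mouss or from Postfix; the secret key, the 10-hex-character tag length, the 7-day window, and the domain "example.com" are assumptions. The output half (tag_sender) is what a smtp_generic_maps lookup would have to produce; the input half (classify_bounce) is the check a policy service or filter could apply to a null-sender message before Postfix strips the extension for delivery.

```python
import datetime
import hashlib
import hmac

# Assumptions for this example (not from the original post):
SECRET = b"example-site-secret-rotate-me"  # per-site secret, keep it out of config you publish
DELIM = "+"                                # Postfix recipient_delimiter in use
DOMAIN = "example.com"                     # the domain whose outbound senders get tagged
ACCEPT_DAYS = 7                            # mouss: accept tags for at least one week
TAG_LEN = 10                               # hex chars kept from the MAC


def tag_for(day: datetime.date, secret: bytes = SECRET) -> str:
    """Daily tag: a truncated HMAC over the date, so it cannot be guessed
    without the secret but is the same for every sender on that day."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return mac[:TAG_LEN]


def tag_sender(addr: str, day: datetime.date, secret: bytes = SECRET) -> str:
    """Output side: rewrite only the envelope sender of our own domain.
    foo@example.com      -> foo+<tag>@example.com
    foo+bar@example.com  -> foo+bar+<tag>@example.com  (as the post notes)
    Addresses in other domains are returned unchanged."""
    local, at, domain = addr.rpartition("@")
    if not at or domain.lower() != DOMAIN:
        return addr
    return f"{local}{DELIM}{tag_for(day, secret)}@{domain}"


def untag(rcpt: str) -> str:
    """Strip the trailing extension to get the delivery address. Postfix does
    this itself via recipient_delimiter; shown here only for completeness."""
    local, at, domain = rcpt.rpartition("@")
    base, sep, _tag = local.rpartition(DELIM)
    return f"{base}@{domain}" if sep else rcpt


def classify_bounce(rcpt: str, today: datetime.date, secret: bytes = SECRET) -> str:
    """Input side, for a message with a null envelope sender (a bounce):
    'whitelist'  - recipient carries a tag we issued within ACCEPT_DAYS
    'suspicious' - our domain, but no tag or a stale/forged tag
    'not-ours'   - not our domain, nothing to decide here"""
    local, at, domain = rcpt.rpartition("@")
    if not at or domain.lower() != DOMAIN:
        return "not-ours"
    _base, sep, tag = local.rpartition(DELIM)
    if not sep:
        return "suspicious"  # bare address: we never send bounces-worthy mail untagged
    tag_b = tag.encode()
    for back in range(ACCEPT_DAYS):
        expected = tag_for(today - datetime.timedelta(days=back), secret).encode()
        # constant-time compare; different lengths simply compare unequal
        if hmac.compare_digest(tag_b, expected):
            return "whitelist"
    return "suspicious"


if __name__ == "__main__":
    today = datetime.date(2008, 9, 20)  # constructed date matching the thread
    sender = tag_sender("foo@example.com", today)
    print("tagged sender:", sender)
    print("bounce to today's tag:", classify_bounce(sender, today))
    old = tag_sender("foo@example.com", today - datetime.timedelta(days=30))
    print("bounce to month-old tag:", classify_bounce(old, today))
    print("bounce to untagged address:", classify_bounce("foo@example.com", today))
    print("delivery address:", untag(sender))
```

A constant tag is the degenerate case of this (make tag_for return a fixed string), which is what keeps greylisters and list managers happy; the rotating version trades that for a bounded window in which a harvested tag stays useful to a backscatter source, at the cost mouss mentions of needing a workaround for lists that verify the envelope sender.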