important warning to postfix users

a few days ago i woke up in the morning and i checked my mail. i replied to a mail and evolution told me:

Recipient address rejected: Policy Rejection- You have exceeded the maximum(350) number of messages or recipients per hour. Please call Mountain Cablevision Technical Support: 905.389.1393. Thank you.

i instantly panic as i try to figure out which machine in my house has been infected with malware.

“mailq” on my main server says 3000 outgoing deferred messages. ok.

i take a look into the log and discover that the outgoing messages are all bounce replies for non-existent addresses. i’m generating backscatter! what the hell… i thought my postfix was configured properly. since i only receive mail for local users (and nothing fancy is going on) the mails to non-existent users are supposed to be immediately rejected at RCPT time.

the odd thing is that all of the bounces are for non-existent addresses *@kopesetik.desrt.ca.

i check my postfix configuration, and surely enough:

mydestination = desrt.ca

after reading some documentation i find out about another postfix option “relay_domains”. this is the list of domains that postfix will accept mail for (even if not to deliver locally). by default, this is set to be exactly equal to $mydestination, so in theory your mail server should by default only accept mail for domains that it delivers locally.

unfortunately there is yet another postfix configuration option. this is the worst setting ever. it is called “parent_domain_matches_subdomains”. this configuration parameter changes the interpretation of other configuration parameters: for each parameter named in its list, the meaning of that parameter’s value is modified. if, for example, item “foo” is listed, and in your configuration file you have “foo = desrt.ca”, then it is actually taken to mean “foo = *.desrt.ca”.

rather moronically, the default for this option is to include relay_domains but not mydestination.

so we have:

mydestination = desrt.ca
relay_domains = $mydestination
…but really, relay_domains = $mydestination plus a bunch of other crap…

this causes your mailserver to accept messages that it can not possibly deliver. in response, it must generate bounce messages. this makes you a source of backscatter and a contributor to the spam problem.

the brokenness can be fixed by setting the “parent_domain_matches_subdomains” option to empty.

broken broken broken.

i tried testing delivering to “nosuchuser@asdf.example.com” against the mailservers of some other people i know and about half of them had this exact problem (the ones with the problem were all running postfix). your mailserver should issue an error immediately on RCPT to such addresses. if the message is accepted for delivery then it is too late. please check your mailserver and fix as appropriate.
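a local check for the misconfiguration described above, as an added example that is not part of the original post: it reads saved `postconf` output and reports whether relay_domains is subject to subdomain matching. the function names and the verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag the relay_domains /
# parent_domain_matches_subdomains combination described above.
# Input file: full `postconf` output ("name = value" lines, defaults included).
# usage: postconf > pc.txt; audit_postfix pc.txt

# Print the value of parameter $1 as found in file $2.
pc_value() {
    sed -n "s/^$1 *= *//p" "$2" | head -n 1
}

# audit_postfix FILE: prints a verdict, returns 0 (ok), 1 (affected), 2 (unknown).
audit_postfix() {
    f=$1
    if ! grep -q '^parent_domain_matches_subdomains *=' "$f"; then
        echo "UNKNOWN: parameter not in input; use full postconf output, not postconf -n"
        return 2
    fi
    pdms=$(pc_value parent_domain_matches_subdomains "$f")
    mydest=$(pc_value mydestination "$f")
    # relay_domains is printed unexpanded; resolve $mydestination here.
    relay=$(pc_value relay_domains "$f" | sed 's|[$]{*mydestination}*|'"$mydest"'|g')

    # Is relay_domains one of the features named in the list?
    case ",$(echo "$pdms" | tr -d ' ')," in
        *,relay_domains,*) ;;
        *) echo "OK: relay_domains entries match exactly"; return 0 ;;
    esac

    affected=""
    for d in $(echo "$relay" | tr ',' ' '); do
        case $d in
            */*|*:*|.*) continue ;;   # lookup tables and explicit .domain patterns
        esac
        affected="$affected $d"
    done
    [ -z "$affected" ] && { echo "OK: relay_domains is empty"; return 0; }
    echo "AFFECTED: mail for any subdomain of:$affected passes the relay check"
    return 1
}
```

if it reports AFFECTED, `postconf -e 'parent_domain_matches_subdomains ='` followed by a postfix reload applies the fix described above.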

7 thoughts on “important warning to postfix users”

  1. I just checked my postfix configuration, and it turns out that having reject_unknown_recipient_domain in smtpd_recipient_restrictions also prevents postfix from accepting mail for random subdomains. This may work out better for folks with a lot of subdomains to administer.

  2. This seems like *two* problems, actually: first, that postfix interprets a setting in a way that will cause it to accept mail it can’t deliver, and second, that postfix generates bounces under any circumstances.

    Seriously, should an MTA *ever* generate a bounce? It should reject a mail or deliver a mail, but never accept and then bounce a mail under any circumstances.

  3. When acting as a relay for trusted clients then you need to be able to bounce messages you accepted for delivery but couldn’t actually deliver – and this is the situation with most mail servers: normally clients don’t deliver directly to their destination but through a local MTA that trusts them. This is a good thing, because it allows MTA operators to blacklist all IP addresses that aren’t expected to be used by other MTAs (such as dialups) and thereby minimize the impact of SPAM zombies.

    Also, some servers relay incoming mail for other hosts (more common scenario than what you would expect – for example in DMZs), in which case bounce messages are also expected, though in such cases the administrator would do well to make sure the front-end MTA can resolve and verify recipient addresses during RCPT instead of during delivery.

  4. Basically you shouldn’t add domains in mydestination to relay_domains. If your server is the destination, then it is not relaying them.

    Anyway, the biggest problem with back scatter is, of course, with older MS Exchange servers where you can’t turn off its bounces.

  5. it is actually the default that relay_domains includes mydestination. i think probably the server won’t accept anything not in relay_domains (so really it’s actually more like “accept_mail_for_domains”)

  6. I know people are getting lazy, but please please can you use capital letters at the beginning of your sentences. It really isn’t much work and it makes reading much easier for lots of us.

    Thanks :-)
