a few days ago i woke up in the morning and i checked my mail. i replied to a mail and evolution told me:
Recipient address rejected: Policy Rejection- You have exceeded the maximum(350) number of messages or recipients per hour. Please call Mountain Cablevision Technical Support: 905.389.1393. Thank you.
i instantly panic as i try to figure out which machine in my house has been infected with malware.
“mailq” on my main server says 3000 outgoing deferred messages. ok.
i take a look into the log and discover that the outgoing messages are all bounce replies for non-existent addresses. i’m generating backscatter! what the hell… i thought my postfix was configured properly. since i only receive mail for local users (and nothing fancy is going on) the mails to non-existant users are supposed to be immediately rejected at RCPT time.
the odd thing is that all of the bounces are for non-existent addresses *@kopesetik.desrt.ca.
i check my postfix configuration, and surely enough:
mydestination = desrt.ca
after reading some documentation i find out about another postfix option “relay_domains”. this is the list of domains that postfix will accept mail for (even if not to deliver locally). by default, this is set to be exactly equal to $mydestination, so in theory your mail server by default should only accept mail for domains that it will deliver locally for.
unfortunately there is yet another postfix configuration option. this is the worst setting ever. it is called “parent_domain_matches_subdomains”. this configuration parameter changes the interpretation of other configuration parameters. for each item listed in this parameter the meaning of the value of that item is modified. if for example, item “foo” is listed, and in your configuration file you have “foo = desrt.ca” then the meaning is now actually taken to mean “foo = *.desrt.ca”.
rather moronically, the default for this option is to include relay_domains but not mydestination.
so we have:
mydestination = desrt.ca
relay_domains = $mydestination
…but really, relay_domains = $mydestination plus a bunch of other crap…
this causes your mailserver to accept messages that it can not possibly deliver. in response, it must generate bounce messages. this makes you a source of backscatter and a contributor to the spam problem.
the brokenness can be fixed by setting the “parent_domain_matches_subdomains” option to empty.
broken broken broken.
i tried testing delivering to “firstname.lastname@example.org” against the mailservers of some other people i know and about half of them had this exact problem (the ones with the problem were all running postfix). your mailserver should issue an error immediately on RCPT to such addresses. if the message is accepted for delivery then it is too late. please check your mailserver and fix as appropriate.