Preventing Postfix from _sending_ backscatter
Rob
We run a Postfix server which handles email for a number of our
customers domains. Most have mailboxes on the server, which all works
fine, but the problem is for domains where the mail is forwarded to
another server. This can cause our server to generate backscatter,
which I would like to stop.
The problem happens when a piece of spam is sent to
us...@ourcustomer.com from anoth...@forgeddomain.com. This is
forwarded to us...@ultimatedestination.com. The ultimatedestination.com
server rejects the message (normally due to a spam filter), which
causes our server to generate a bounce message sent to
anoth...@forgeddomain.com.
I would like to prevent that bounce message being generated, and only
send bounce messages to local users, but I can't find an appropriate
setting to do so. I've read http://www.postfix.org/BACKSCATTER_README.html
but that seems to be only telling me how to stop receiving
backscatter, not sending.
Am I being stupid? I can't be the only one wanting to do this.
Thanks in advance.
Rob
Alex
> Hi
>
> We run a Postfix server which handles email for a number of our
> customers domains. Most have mailboxes on the server, which all works
> fine, but the problem is for domains where the mail is forwarded to
> another server. This can cause our server to generate backscatter,
> which I would like to stop.
>
> The problem happens when a piece of spam is sent to
> forwarded to u...@ultimatedestination.com. The ultimatedestination.com
> server rejects the message (normally due to a spam filter), which
> causes our server to generate a bounce message sent to
>
> I would like to prevent that bounce message being generated, and only
> send bounce messages to local users, but I can't find an appropriate
> but that seems to be only telling me how to stop receiving
> backscatter, not sending.
>
> Am I being stupid? I can't be the only one wanting to do this.
>
> Thanks in advance.
>
> Rob
Hi, the one way I fould to stop Backscatter was to use DISCARD instead
of REJECT.
You can check this post here http://taint.org/2007/05/30/164456a.html
(the last comment is mine). Maybe you'll find it useful.
Good luck.
kre...@gmail.com
1. Do not allow your local users to send e-mail using SMTP Port 25. Port 25 should be used only for SMTP (MTA) data transfer
2. Enable Port 587 (submission) and/or Port 465 (SMTPs) in master.cf like this:
smtp inet n - - - - smtpd
-o smtpd_sasl_auth_enable=no
-o smtpd_discard_ehlo_keywords=silent-discard,dsn
submission inet n - - - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
You see the following:
SMTP:
- No SASL Auth enabled (no local user can authenticate on this port)
- smtpd_discard_ehlo_keywords <-- means: do NOT answer to sender notifications. This is very important to prevent massive backscattering. And that's what will answer your origin question.
SUBMISSION/SMTPs:
- Enable SASL Auth
- Enforce encryption / TLS Security (very much recommended to not allow users to connect to your server using plain passwords)
- client restrictions: only allow authenticated connections (reject everything else)
I hope this helps anyone else trying to optimize the postfix backscattering configuration.
Of course - in addition to that - you can introduce additional header and body checks as described here which would also be recommended: http://www.postfix.org/BACKSCATTER_README.html