double_bounce_sender (default: double-bounce)
The sender address of postmaster notifications that are
generated by the mail system. All mail to this address is
silently discarded, in order to terminate mail bounce loops.
It is not at all clear (in the above doc text) that this parameter
should be just a localpart of an address (in code it's used like
that).
But the problem is this.
We have quite some subdomains for one of our domains, each with
its own servers (sometimes several for each). I want to receive
postfix notifications (notify_classes). And I also need to validate
sender address of emails, to ensure they all use correct (at least
existing) addresses - our central mailhub knows all valid addresses
in all domains. When such a notification comes from some server,
it has sender address as double...@host.sub.dom.ain, which,
according to the address list, does not exist, so email gets rejected.
I tried to set double_bounce_sender to be double...@dom.ain,
but it turns into "double...@dom.ain"@host.sub.dom.ain, which
is even more wrong. Myorigin on all servers is set to
sub.dom.ain, so I expected double-bounce to come with that
domain name appended... but no, it's not.
And also, when such email comes to "outside world" (using
postmaster forwarding), it gets rejected by other systems
too, for the same reason: bogus address (non-existing domain
name in this case; or, in case of wildcard MX, sender
address verification callout fails).
I probably can map it into double...@dom.ain (not even
sub.dom.ain) on the main mail gateway.. but is there any
better solution for this problem?
Thanks.
/mjt
The double-bounce address is a safety mechanism. It is a magic cookie
that has meaning only for the MTA that generates the cookie. It
must not specify a destination other than the MTA itself, as that
would break the safety mechanism.
> It is not at all clear (in the above doc text) that this parameter
> should be just a localpart of an address (in code it's used like
> that).
I guess this is just like the text that describes the MAILER-DAEMON
address which is another magic cookie for content filters that use
pipe-to-command and the Postfix sendmail command; here the two have
to agree on a protocol to preserve the single bounce sender address
(i.e. the empty string).
> But the problem is this.
You can use virtual aliases if you must override the sender, but
you do so at your own risk. If the bounces go to a machine that
does not understand the double-bounce magic then a mail
avalanche is possible.
Wietse
I know why it's here. But the question (albeit not very clear) was
why it's the only place where postfix exposes its own hostname (which
may be invalid on the internet - think about internal mailservers),
and does not use $myorigin as in every other place.
As a sort-of workaround, postfix can treat both double-bounce@myhostname
AND double-bounce@myorigin equally, and use the latter as a sender
address? Or why at all use myhostname? Or, after all, why not to
allow it to be really configurable ($double-bounce-address with
@domainname)? What this variant will break?
[]
>>But the problem is this.
[invalid - non-existing domain or unverifiable - double-bounce address]
> You can use virtual aliases if you must override the sender, but
> you do so at your own risk. If the bounces go to a machine that
> does not understand the double-bounce magic then a mail
> avalanche is possible.
You mean canonical maps? As I need to change *sender* address on a
gateway host, where virtual aliases will not help. In my configuration
it's safe to do, and it will be correct - when double bounce comes from
a mailserver handling the subdomain, it may be returned and THAT server
will throw it away (the message will not even leave the queue); but
once main gateway accepted the message, it changes the address to be
ITS OWN double-bounce address, so in case of further delivery prob
*it* will be the one who will throw the message away.
Or I can create all the double-bounce@subdomain addresses on the main
gateway, to be delivered to discard: transport (which is what I did
yesterday). Still I don't want to use wildcard (pcre) map, to be
double-bounce@*.dom.ain, to match all possible HOST.sub.dom.ain combinations
(almost all of which are invalid anyway, only sub.dom.ain exists not
HOST.sub.dom.ain).
If double_bounce_sender can be configured "properly" (with complete
address, not just localpart), I can set it to be double...@dom.ain,
and ANY host in the whole network will know to throw away mail coming
to that address, and no additional ugly configuration will be necessary.
How about this:
if double-bounce-sender is set to localpart, qualify it with myorigin
(or, to be backward-compatible and not introduce possible surprises,
with myhostname).
if it's specified to a complete email address, use that.
when verifying if the given recipient is our double-bounce address,
compare whole two email addresses, not two separate parts before
and after the "@".
I can roll a patch for that if it all looks ok.
Thanks.
/mjt
I already answered that in the text that you quote above, in the
last sentence to be precise. I will not make it easy for amateurs
to break Postfix's safety mechanisms.
If the sender address is not valid because of site configuration
details (address verification with send-only clients), then you
can modify the sender address with a sender canonical mapping.
I also observe that there is never a need for internal mail servers
to send double bounces outside the domain, so the problem is minor.
Wietse
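
The sender canonical mapping discussed in this thread, sketched as gateway configuration (an added example, not part of the original messages and not taken from the Postfix distribution). Assumptions: the gateway's $myhostname is the hypothetical gw.dom.ain, double_bounce_sender is left at its default localpart, and the map file path is made up for illustration.

```ini
# --- /etc/postfix/main.cf on the central gateway only (path assumed) ---
# Rewrite sender addresses through a PCRE table. Restricting the class to
# envelope_sender leaves the From: header of the notification untouched.
sender_canonical_maps = pcre:/etc/postfix/sender_canonical.pcre
sender_canonical_classes = envelope_sender

# --- /etc/postfix/sender_canonical.pcre (hypothetical file name) ---
# Map double-bounce@dom.ain and double-bounce@<anything>.dom.ain to the
# gateway's OWN double-bounce address, so that any later bounce of this
# message returns to the gateway, which recognises and discards it.
# gw.dom.ain is a placeholder for the gateway's $myhostname; pointing the
# result at a host that is not the rewriting MTA itself would defeat the
# loop protection described earlier in the thread.
/^double-bounce@([^@.]+\.)*dom\.ain$/    double-bounce@gw.dom.ain
```

The rewrite belongs only on the host that accepts the notifications from the internal servers; the internal servers keep their own double-bounce@$myhostname addresses so each can still discard what comes back to it.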