Glen Pitt-Pladdy :: Blog

Postfix config for noreply@domain.tld


Many websites need to send mail to users directly from the webserver using a "noreply" address, e.g. confirmation of registration, order confirmations etc. Using a real address will quickly see it spammed: among all the people you send to, some will have compromised machines from which the address gets harvested.

Because of mail fraud, some receiving servers go to great lengths to verify email addresses and won't accept mail unless they can complete at least the envelope stage of sending a message back to the sender address, sometimes more.

How do you configure a "noreply" sending to avoid these problems?

Basics

The first thing is that you do actually need to configure the "noreply" address: it does need to be a real address, since any mail that can't be delivered (e.g. has a mangled domain) is going to come back to this address. If you have config problems or similar then you really do need to know about it, so the best thing is to create an alias for this address in /etc/aliases:

noreply: someonelistening@yourdomain.tld

Then run postalias on the file (or newaliases) to enable it. Another idea, if you mail huge volumes, is to write a simple script to handle the responses instead of forwarding them on. It can do things like extract the failure reason and ping a URL on your site to flag the address and the reason for failing in the database. That way you can also mark bad addresses and avoid sending further mail to them.
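One shape such a bounce-handling script could take, as an added example (not code from the original post): a parser for the delivery status report Postfix sends back, which an /etc/aliases pipe entry for the noreply address could feed on stdin. The sample bounce and the nosuchuser@example.com recipient are constructed for the example; the posting of the result to the site's own URL is left to the reader.

```python
import email
from email import policy

# Constructed sample: a Postfix-style multipart/report bounce arriving at the
# noreply alias after a confirmation mail reached an unknown recipient
# (the human-readable text part is omitted for brevity).
SAMPLE_DSN = b"""\
From: MAILER-DAEMON@yourdomain.tld (Mail Delivery System)
To: noreply@yourdomain.tld
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: message/delivery-status

Reporting-MTA: dns; yourserver.yourdomain.tld

Final-Recipient: rfc822; nosuchuser@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <nosuchuser@example.com>: User unknown

--bnd--
"""

def _after_type(value: str) -> str:
    """'rfc822; user@host' -> 'user@host': drop the address/diagnostic type."""
    return value.split(";", 1)[-1].strip()

def parse_dsn(raw: bytes) -> list[dict]:
    """One record per reported recipient; [] when the mail is not a delivery
    status report (e.g. spam or a stray reply sent straight to noreply)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return []
    records = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # Payload is a list of header blocks: one per-message block (Reporting-MTA
        # etc.) then one block per recipient; only recipient blocks carry Action.
        for block in part.get_payload():
            action = (block.get("Action") or "").strip().lower()
            if not action:
                continue
            status = (block.get("Status") or "").strip()
            records.append({"recipient": _after_type(block.get("Final-Recipient", "")),
                            "action": action, "status": status,
                            "permanent": status.startswith("5."),  # 5.x.x = hard bounce
                            "reason": _after_type(block.get("Diagnostic-Code", ""))})
    return records
```

Only "permanent" records should mark an address as bad in the database; a 4.x.x status is a temporary failure the remote side may later accept.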

You need to do this on every server that sends or receives mail for the domain, i.e. your mailserver(s) and also your webserver(s) if they run their own instance of Postfix.

Creating the rejection

We need to create a Postfix hash file for any "noreply" addresses we want to handle, say /etc/postfix/toaccesslate, containing:

noreply@yourdomain.tld REJECT This address does not accept mail

Then run postmap on the file so Postfix can build the toaccesslate.db lookup table it actually reads. When the address matches, Postfix rejects the message saying "This address does not accept mail"; you could also include things like a URL for your support contact page. It's bad manners to ignore your customers! :-)

Postfix allows you to apply different checks to a message at different stages of the SMTP transaction. In this case we want to leave it as late as possible, so we use "smtpd_end_of_data_restrictions", which lets the message body be delivered before the mail is rejected.

This does have the disadvantage that an awful lot of spam may waste your bandwidth, since the body is transferred before the message is rejected. One compromise is to use "smtpd_data_restrictions" instead, which applies the rules when the DATA command is given (i.e. immediately before the body is sent), but this may still fall foul of the most paranoid mail verification schemes.

To configure this in /etc/postfix/main.cf add:

smtpd_end_of_data_restrictions =
        check_recipient_access hash:/etc/postfix/toaccesslate,
        permit

That tells Postfix to apply the rules from the file we created and otherwise permit the mail.

That's all there is to it. To test, you can telnet to the SMTP port on each server and talk to it:

Trying xxxx:xxxx:xxxx:xxxx::xxx...
Connected to yourserver.yourdomain.tld.
Escape character is '^]'.
220 yourserver.yourdomain.tld ESMTP Postfix (Debian/GNU)
HELO yourclient.yourdomain.tld
250 yourserver.yourdomain.tld
MAIL FROM: testuser@yourdomain.tld
250 2.1.0 Ok
RCPT TO: noreply@yourdomain.tld
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test

test

.
554 5.7.1 <noreply@yourdomain.tld>: Recipient address rejected: This address does not accept mail
quit
221 2.0.0 Bye
Connection closed by foreign host.

All works!

Comments:

27/12/2012 19:23 :: Salvatore Iovene

Hi,
after following this, my log complains that it cannot find /etc/postfix/toaccesslate.db. Maybe you want to add some steps on how to generate that from /etc/postfix/toaccesslate.

27/12/2012 19:30 :: Glen Pitt-Pladdy

Yup - quite right. You need to run postmap on it. I'll update the blog when I get time. Thanks!

01/10/2013 09:50 :: regan

I've implemented this with virtual domains and postfixadmin (using devnull@ instead of noreply), but I've found one problem, which is if I set up an alias - mailer@yourdomain.tld - for the - devnull@yourdomain.tld - email address then the check_recipient_access check no longer catches the email if I send it to mailer@... Do you know how to get this working when the address has been altered because of the alias?

Oct  1 20:50:26 mta-0 postfix/smtpd[27903]: DEB4FC096: discard: DATA from mail-pd0-f173.google.com[209.85.192.173]: <devnull@example.com>: Recipient address triggers DISCARD action; from=<example@gmail.com> to=<devnull@example.com> proto=ESMTP helo=<mail-pd0-f173.google.com>

Oct  1 20:50:35 mta-0 postfix/lmtp[27909]: F3CDDC096: to=<devnull@example.com>, orig_to=<mailer@example.com>, relay=X.X.X.X[X.X.X.X]:2424, delay=1.1, delays=0.69/0.01/0.04/0.33, dsn=2.6.0, status=sent (250 2.6.0 <devnull@example.com> Message accepted for delivery)

05/10/2013 18:06 :: Glen Pitt-Pladdy

I would expect the rejection to be working on the SMTP envelope address, so irrespective of how it is processed after that, that's the address you need to put in toaccesslate. Of course, if you end up with multiple addresses that need processing like this then just put one per line in toaccesslate.

That said, I can't be completely sure exactly what is going on without examining and debugging the particular mail server and all the config relating to it.
