Glen Pitt-Pladdy :: Blog

Postfix config for noreply@domain.tld

 

Many websites need to send mail to users directly from the webserver using a "noreply" address - eg. confirmation of registration, order confirmations etc. Using a real address will quickly see it spammed, since some of the people you send to will have compromised machines from which addresses get harvested.

Because of mail fraud some receiving servers go to great lengths to verify email addresses and won't accept mail unless they can complete at least the envelope parts of sending a message, sometimes more.

How do you configure a "noreply" sender to avoid these problems?

Basics

The first thing is that you do actually need to configure the "noreply" address - it does need to be a real address, since any mail that can't be delivered (eg. has a mangled domain) is going to come back to this address. If you have config problems or similar then you really do need to know about it, so the best thing is to create an alias for this address in /etc/aliases:

noreply: someonelistening@yourdomain.tld

Then run postalias on the file (or "newaliases") to enable it. Another idea, if you have huge volumes to mail, is to write a simple script to handle the response instead of forwarding it on. It can do things like extract the failure reason and ping a URL on your site to flag the address and the reason for failing in the database. That way you can also mark bad addresses and avoid sending mail to those addresses.

You need to do this for every server that sends or receives mail for the domain - ie. your webserver(s) and your mailserver(s) if the webservers run their own instance of Postfix.
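The bounce-handling script suggested above could start like this. It is an added example, not the author's code: it parses a standard delivery status notification (RFC 3464) and extracts the failed address, status code and reason. The function name, sample message and output format are constructed for illustration, and the URL ping that flags the address is left to your site.

```python
import sys
from email import message_from_string

# Constructed sample bounce (RFC 3464 delivery status notification), not real traffic.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: noreply@yourdomain.tld
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.example.net.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; customer@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <customer@example.org>: user unknown

--b1--
"""

def parse_bounce(raw):
    """Return one dict per failed recipient in a DSN; [] if the mail is not a DSN.
    The delivery-status part parses into header blocks: per-message, then per-recipient."""
    failures = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():
            rcpt = block.get("Final-Recipient")
            if rcpt is None or block.get("Action", "").strip().lower() != "failed":
                continue  # per-message block, or a delayed/relayed notice
            failures.append({
                "address": rcpt.split(";", 1)[-1].strip().lower(),
                "status": block.get("Status", "").strip(),
                "reason": " ".join(block.get("Diagnostic-Code", "").split()),
            })
    return failures

if __name__ == "__main__":
    # When run from a pipe alias the bounce arrives on stdin.
    for f in parse_bounce(sys.stdin.read()):
        print(f["address"], f["status"], f["reason"], sep="\t")
```

To use it instead of the forwarding alias, /etc/aliases can pipe to the script, eg. noreply: "|/usr/local/bin/bounce-handler" (a hypothetical path). Anything that is not a DSN produces no output, so you may still want those messages forwarded to a person.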

Creating the rejection

We need to create a Postfix hash file for any "noreply" addresses we want to handle - say /etc/postfix/toaccesslate containing:

noreply@yourdomain.tld REJECT This address does not accept mail

When the address matches it rejects messages saying "This address does not accept mail" and you could also include things like a URL for your support contact page or something. It's bad manners to ignore your customers! :-)

Postfix allows you to apply different checks to a message at different stages of the SMTP transaction. In this case we want to leave it as late as possible, so we are using "smtpd_end_of_data_restrictions", which allows the message body to be delivered before rejecting the mail.

This does have the disadvantage that there may be an awful lot of spam messages that waste your bandwidth since the body can be delivered before rejecting the message. One compromise is to use "smtpd_data_restrictions" instead which applies the rules when the DATA command is given (ie. immediately before sending the body), but this may still fall foul of the most paranoid mail verification schemes.

To configure this in /etc/postfix/main.cf add:

smtpd_end_of_data_restrictions =
        check_recipient_access hash:/etc/postfix/toaccesslate,
        permit

That tells Postfix to apply the rules from the file we created, otherwise permit the mail.

That's all there is to it. To test you can telnet to the smtp port on each server and talk to it:

Trying xxxx:xxxx:xxxx:xxxx::xxx...
Connected to yourserver.yourdomain.tld.
Escape character is '^]'.
220 yourserver.yourdomain.tld ESMTP Postfix (Debian/GNU)
HELO yourclient.yourdomain.tld
250 yourserver.yourdomain.tld
MAIL FROM: testuser@yourdomain.tld
250 2.1.0 Ok
RCPT TO: noreply@yourdomain.tld
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test

test

.
554 5.7.1 <noreply@yourdomain.tld>: Recipient address rejected: This address does not accept mail
quit
221 2.0.0 Bye
Connection closed by foreign host.

All works!