Glen Pitt-Pladdy :: Blog

Postfix config for noreply@domain.tld
Many websites need to send mail to users directly from the webserver using a "noreply" address - eg. confirmation of registering, order confirmations etc. Using a real address will quickly see it spammed, since the people you may be sending to with compromised machines will have addresses harvested. Because of mail fraud some receiving servers go to great lengths to verify email addresses and won't accept mail unless they can complete at least the envelope parts of sending a message, sometimes more.

How do you configure a "noreply" sending address to avoid these problems?

Basics

The first thing is that you do actually need to configure the "noreply" address - it does need to be a real address, since any mail that can't be delivered (eg. has a mangled domain) is going to come back to this address. If you have config problems or something then you really do need to know about it, so the best thing is to create an alias for this address in /etc/aliases:

    noreply: someonelistening@yourdomain.tld

Then postalias the file (or run "newaliases") to enable it.

Another idea, if you have huge volumes to mail, is to write a simple script to handle the response instead of forwarding it on. It can do things like extract the failure reason and ping a URL on your site to flag the address and reason for failing in the database. That way you can also mark bad addresses and avoid sending mail to those addresses.

You need to do this for every server that sends or receives mail for the domain - ie. your webserver(s) and your mailserver(s) if the webservers run their own instance of Postfix.

Creating the rejection

We need to create a Postfix hash file for any "noreply" addresses we want to handle - say /etc/postfix/toaccesslate containing:

    noreply@yourdomain.tld REJECT This address does not accept mail

When the address matches, it rejects messages saying "This address does not accept mail", and you could also include things like a URL for your support contact page or something.
It's bad manners to ignore your customers! :-)

Postfix allows you to apply different checks to a message at different stages of the SMTP transaction. In this case we want to leave it as late as possible, so we are using "smtpd_end_of_data_restrictions", which allows the message body to be delivered before rejecting the mail. This does have the disadvantage that there may be an awful lot of spam messages that waste your bandwidth, since the body can be delivered before rejecting the message.

One compromise is to use "smtpd_data_restrictions" instead, which applies the rules when the DATA command is given (ie. immediately before sending the body), but this may still fall foul of the most paranoid mail verification schemes.

To configure this in /etc/postfix/main.cf add:
    smtpd_end_of_data_restrictions =

That tells Postfix to apply the rules from the file we created, otherwise permit the mail.

That's all there is to it. To test you can telnet to the smtp port on each server and talk to it:
    Trying xxxx:xxxx:xxxx:xxxx::xxx...

All works!
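The bounce-handling script suggested under Basics, as an added example (not the author's code): it parses a delivery status notification (RFC 3464) and returns each permanently failed recipient with its status code and reason. The sample bounce is constructed, the name `failed_recipients` is hypothetical, and reporting the result to a URL on your site is left out.

```python
import email
import sys
from email import policy

# Constructed sample bounce (RFC 3464 delivery status notification).
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mail.example.net
To: noreply@yourdomain.tld
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; user@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <user@example.org>: User unknown

Final-Recipient: rfc822; slow@example.org
Action: delayed
Status: 4.4.1

--B--
"""


def failed_recipients(raw: bytes) -> list:
    """Return (address, status, reason) per permanently failed recipient."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = [p for p in msg.walk() if p.is_multipart()
               and p.get_content_type() == "message/delivery-status"]
    failed = []
    for report in reports:
        # The parser exposes each header block of the report as a sub-message.
        for block in report.get_payload():
            recipient = str(block.get("Final-Recipient", ""))
            status = str(block.get("Status", "")).strip()
            # Only 5.x.x is permanent; 4.x.x (delayed) will be retried.
            if recipient and status.startswith("5."):
                address = recipient.split(";", 1)[-1].strip().lower()
                reason = str(block.get("Diagnostic-Code", "")).strip()
                failed.append((address, status, reason))
    return failed

if __name__ == "__main__":
    for record in failed_recipients(sys.stdin.buffer.read()):
        print(record)
```

The aliases file can deliver to a command using the "|command" form, which is one way to feed the noreply mailbox to a script like this. Treat the extracted fields as untrusted input when passing them on to your site, since a bounce can be forged.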
This is a bunch of random thoughts, ideas and other nonsense, and is not intended to be taken seriously. I'm experimenting and mostly have no idea what I am doing with most of this so it should be taken with caution and at your own risk. Intrusive technologies are minimised where possible. For the purposes of reducing abuse and other risks hCaptcha is used and has its own policies linked from the widget.
Copyright Glen Pitt-Pladdy 2008-2023