Glen Pitt-Pladdy :: Blog

Postfix config for noreply@domain.tld
Many websites need to send mail to users directly from the webserver using a "noreply" address - eg. confirmation of registering, order confirmations etc. Using a real address will quickly get it spammed, since some of the people you send to will have compromised machines from which addresses are harvested. Because of mail fraud, some receiving servers go to great lengths to verify email addresses and won't accept mail unless they can complete at least the envelope part of sending a message, sometimes more. How do you configure "noreply" sending to avoid these problems?

Basics

The first thing is that you do actually need to configure the "noreply" address - it does need to be a real address, since any mail that can't be delivered (eg. has a mangled domain) is going to come back to this address. If you have config problems or something then you really do need to know about it, so the best thing is to create an alias for this address in /etc/aliases:

noreply: someonelistening@yourdomain.tld

Then postalias the file (or run "newaliases") to enable it.

Another idea, if you have huge volumes to mail, is to write a simple script to handle the response instead of forwarding it on. It can do things like extract the failure reason and ping a URL on your site to flag the address and reason for failing in the database. That way you can also mark bad addresses and avoid sending mail to those addresses.

You need to do this for every server that sends or receives mail for the domain - ie. your webserver(s) and your mailserver(s), if the webservers run their own instance of Postfix.

Creating the rejection

We need to create a Postfix hash file for any "noreply" addresses we want to handle - say /etc/postfix/toaccesslate containing:

noreply@yourdomain.tld REJECT This address does not accept mail

When the address matches, it rejects messages saying "This address does not accept mail", and you could also include things like a URL for your support contact page or something.
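The response-handling script suggested under Basics, as an added example that is not from the original post: it parses a bounce (an RFC 3464 delivery status notification) that Postfix has handed to the noreply alias and builds the flagging request for your site. The alias pipe syntax, the script path and FLAG_URL are assumptions, and the sample DSN is constructed.

```python
# Bounce handler for the noreply alias. Added example, not from the post: it
# assumes /etc/aliases pipes the address to it (noreply: "|/path/to/this.py")
# so the bounce arrives on stdin, and that FLAG_URL is your own site's endpoint.
import email
import sys
from email import policy
from urllib.parse import urlencode

FLAG_URL = "https://www.example.com/api/flag-bounce"  # placeholder endpoint
# Constructed sample: a Postfix-style RFC 3464 delivery status notification.
SAMPLE_DSN = b"""From: MAILER-DAEMON@mail.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; customer@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <customer@example.net>: User unknown

--BND--
"""

def parse_dsn(raw):
    """One dict per recipient block of a multipart/report DSN; [] if not a DSN."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return []  # auto-replies, vacation notices, spam: nothing to flag
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # Payload is a list of header blocks: Reporting-MTA, then one per recipient.
        for block in part.get_payload():
            if "Final-Recipient" in block:
                found.append({
                    "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                    "action": block.get("Action", "").strip(),
                    "status": block.get("Status", "").strip(),
                    "reason": block.get("Diagnostic-Code", "").split(";", 1)[-1].strip(),
                })
    return found

if __name__ == "__main__":  # invoked by the alias: the bounce arrives on stdin
    raw = SAMPLE_DSN if sys.stdin.isatty() else sys.stdin.buffer.read()
    for e in parse_dsn(raw):
        print(FLAG_URL + "?" + urlencode(e))  # the request the site would receive
```

The script only prints the flagging URL; fetching it (and authenticating to your site) is left to you, as is deciding which Status codes count as a permanently bad address.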
It's bad manners to ignore your customers! :-)

Postfix allows you to apply different checks to a message at different stages of the SMTP transaction. In this case we want to leave it as late as possible, so we are using "smtpd_end_of_data_restrictions", which only applies after the whole message body has been received, and then rejects the mail. This does have the disadvantage that an awful lot of spam messages may waste your bandwidth, since the body is transferred before the message is rejected. One compromise is to use "smtpd_data_restrictions" instead, which applies the rules when the DATA command is given (ie. immediately before the body is sent), but this may still fall foul of the most paranoid mail verification schemes. To configure this in /etc/postfix/main.cf add:
smtpd_end_of_data_restrictions =

That tells Postfix to apply the rules from the file we created, and otherwise permit the mail. That's all there is to it. To test, you can telnet to the SMTP port on each server and talk to it:
Trying xxxx:xxxx:xxxx:xxxx::xxx...

All works!
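The same test automated with smtplib, as an added example that is not from the original post: it reports at which SMTP stage the noreply address is refused, so you can confirm that with smtpd_end_of_data_restrictions the reject only arrives after the body (and with smtpd_data_restrictions at DATA). The host and sender address are placeholders, and it assumes the access map has already been built with postmap, as the comments below note.

```python
# Added example, not from the original post: automates the telnet test above
# with smtplib and reports the stage at which the noreply address is refused.
import smtplib

def probe(conn, sender, recipient):
    """Run one transaction on an smtplib.SMTP-like object.

    Returns (stage, code, text); stage is "rcpt", "data", "end-of-data" or
    "accepted". smtpd_end_of_data_restrictions should give "end-of-data".
    """
    code, msg = conn.mail(sender)
    if code // 100 != 2:
        raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
    code, msg = conn.rcpt(recipient)
    if code // 100 != 2:  # smtpd_recipient_restrictions fired
        return "rcpt", code, msg.decode(errors="replace")
    try:
        # smtplib raises if DATA itself is refused; otherwise it transfers the
        # whole body (the bandwidth cost the post mentions) and returns the
        # server's verdict on the final "." line.
        code, msg = conn.data("Subject: noreply probe\r\n\r\nprobe\r\n")
    except smtplib.SMTPDataError as exc:
        return "data", exc.smtp_code, exc.smtp_error.decode(errors="replace")
    stage = "accepted" if code // 100 == 2 else "end-of-data"
    return stage, code, msg.decode(errors="replace")

def probe_host(host, recipient, sender="postmaster@yourdomain.tld", port=25):
    """Probe a real server; host and sender are placeholders for your own."""
    with smtplib.SMTP(host, port, timeout=30) as conn:
        return probe(conn, sender, recipient)

class ScriptedServer:
    """Constructed stand-in for smtplib.SMTP so probe() can run offline.
    reject_at names the stage at which the fake answers 550 (None = accept)."""
    OK, REJECT = (250, b"2.0.0 Ok"), (550, b"5.1.1 This address does not accept mail")
    def __init__(self, reject_at=None):
        self.reject_at = reject_at
    def mail(self, sender):
        return self.OK
    def rcpt(self, recipient):
        return self.REJECT if self.reject_at == "rcpt" else self.OK
    def data(self, body):
        if self.reject_at == "data":
            raise smtplib.SMTPDataError(*self.REJECT)
        return self.REJECT if self.reject_at == "end-of-data" else self.OK

if __name__ == "__main__":
    for stage in ("rcpt", "data", "end-of-data", None):
        print(stage, "->", probe(ScriptedServer(stage), "a@yourdomain.tld", "noreply@yourdomain.tld"))
```

Run probe_host() against each of your servers (webservers and mailservers alike); a result of "accepted" on any of them means that server is missing the map or the main.cf setting.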
Copyright Glen Pitt-Pladdy 2008-2023
Comments:
Hi,
After following this, my log complains that it cannot find /etc/postfix/toaccesslate.db. Maybe you want to add some steps on how to generate that from /etc/postfix/toaccesslate.
Yup - quite right. You need to run postmap on it. I'll update the blog when I get time. Thanks!
I've implemented this with virtual domains and postfixadmin (using devnull@ instead of noreply), but I've found one problem, which is that if I set up an alias (mailer@yourdomain.tld) for the devnull@yourdomain.tld email address, then the check_recipient_access check no longer catches the email if I send it to mailer@... Do you know how to get this working when the address has been altered because of the alias?
Oct 1 20:50:26 mta-0 postfix/smtpd[27903]: DEB4FC096: discard: DATA from mail-pd0-f173.google.com[209.85.192.173]: <devnull@example.com>: Recipient address triggers DISCARD action; from=<example@gmail.com> to=<devnull@example.com> proto=ESMTP helo=<mail-pd0-f173.google.com>
Oct 1 20:50:35 mta-0 postfix/lmtp[27909]: F3CDDC096: to=<devnull@example.com>, orig_to=<mailer@example.com>, relay=X.X.X.X[X.X.X.X]:2424, delay=1.1, delays=0.69/0.01/0.04/0.33, dsn=2.6.0, status=sent (250 2.6.0 <devnull@example.com> Message accepted for delivery)
I would expect the rejection to be working on the SMTP envelope address, so irrespective of how it is processed after that, that's the address you need to put in toaccesslate. Of course, if you end up with multiple addresses that need processing like this, then just put one per line in toaccesslate.
That said, I can't be completely sure exactly what is going on without examining and debugging the particular mail server and all the config relating to it.