0

I have set up a Postfix mail server; outgoing mail is sent through a smarthost/relayhost which requires authentication. That works great, internal clients can send to foreign recipients through this relayhost.

However, when an external mail for a local, non-existent user arrives at the server, postfix tries to send a non-delivery notification to the sender. This mail is also sent through the relayhost obviously, but it fails with error 554 5.7.1 : Relay access denied

This gets logged to the mail.log:

Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<test@mydomain.com>, relay=local, delay=0.13, delays=0.02/0.02/0/0.09, dsn=5.1.1, status=bounced (unknown user: "test")
Nov  9 10:26:42 mail postfix/cleanup[5045]: 85DF9BFECD: message-id=<20131109092642.85DF9BFECD@mail.mydomain.com>
Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
Nov  9 10:26:42 mail postfix/qmgr[4912]: 6568CC1383: removed
Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<xyz@somebody.com>, relay=mail.provider.com[168.84.25.111]:587, delay=0.48, delays=0.02/0.01/0.26/0.18, dsn=5.7.1, status=bounced (host mail.provider.com[168.84.25.111] said: 554 5.7.1 <xyz@somebody.com>: Relay access denied (in reply to RCPT TO command))
Nov  9 10:26:43 mail postfix/qmgr[4912]: 85DF9BFECD: removed 

According to this error, I suppose that postfix does not log in at the relayhost when sending those bounces. Why? Normal outgoing mail works just fine.

This is what my main.cf looks like: http://pastebin.com/Uu1Dryxy And of course /etc/postfix/sasl_password contains the correct credentials for the relayhost.

Thanks in advance!

Alex
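Added example, not part of the original question: a Python sketch that correlates Postfix queue IDs in a log excerpt like the one above, listing each non-delivery notification generated for an unknown local user and the outcome of relaying it. The sample lines are constructed from the excerpt (shortened), and the function and field names are assumptions.

```python
import re

# Constructed sample, modelled on the mail.log excerpt in the question.
SAMPLE_LOG = """\
Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<test@mydomain.com>, relay=local, delay=0.13, dsn=5.1.1, status=bounced (unknown user: "test")
Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<xyz@somebody.com>, relay=mail.provider.com[168.84.25.111]:587, dsn=5.7.1, status=bounced (host mail.provider.com[168.84.25.111] said: 554 5.7.1 <xyz@somebody.com>: Relay access denied (in reply to RCPT TO command))
Nov  9 10:27:10 mail postfix/smtp[5060]: A1B2C3D4E5: to=<friend@example.org>, relay=mail.provider.com[168.84.25.111]:587, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
NDR = re.compile(r"sender non-delivery notification: (?P<ndr>[0-9A-F]+)")


def find_backscatter(log_text):
    """Return one record per bounce generated for an unknown local user."""
    unknown_rcpt = {}   # original queue ID -> local recipient that did not exist
    ndr_parent = {}     # bounce queue ID -> queue ID of the message it reports on
    ndr_delivery = {}   # queue ID -> (recipient, dsn, status) of the smtp attempt
    null_sender = set() # queue IDs whose envelope sender is <>
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        d = DELIVERY.search(rest)
        if svc == "local" and d and "unknown user" in rest:
            unknown_rcpt[qid] = d.group("to")
        elif svc == "bounce" and (n := NDR.search(rest)):
            ndr_parent[n.group("ndr")] = qid
        elif svc == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif svc == "smtp" and d:
            ndr_delivery[qid] = d.group("to", "dsn", "status")
    events = []
    for ndr, parent in ndr_parent.items():
        if parent in unknown_rcpt and ndr in null_sender:
            to, dsn, status = ndr_delivery.get(ndr, (None, None, None))
            events.append({"unknown_rcpt": unknown_rcpt[parent], "bounce_qid": ndr,
                           "bounce_to": to, "dsn": dsn, "status": status})
    return events
```

A non-empty result means the server accepted mail for a recipient it could not deliver to and then tried to notify the envelope sender, which is the backscatter pattern the answer below describes.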

1 Answer

2

Bounce messages intentionally do not have a sender address. This is to prevent email loops. Sending email without an address has been used to send spam, intentionally or not. If your relay requires you to provide credentials before sending to verify the sender, it will not be able to verify the sender for bounce messages.

You can avoid the issue of not being able to send out bounce messages after accepting the message by bouncing the message before accepting it. Bouncing a message after receipt is a source of backscatter spam. It is common for spam to have faked source addresses. By accepting the message before bouncing it, you will be spamming the faked address rather than rejecting the incoming message.

One way to avoid backscatter spam is to use BATV (bounce address tag validation). This adds a signed value to the return path. Only legitimate bounce messages should have this signature, so other bounces from the Internet can be ignored.

EDIT: It is no longer unusual to quietly drop emails to invalid addresses. This prevents the receiving system from being classified as a spam source when it sends backscatter spam. Postfix accepts all recipients by default, and is therefore prone to producing backscatter spam. If possible, I would recommend enabling recipient verification. I prefer Exim, which rejects mail for unknown recipients by default.

BillThor
  • OK so the issue here is not the failed authentication, it is the missing sender address? Do you have an example how I could implement BATV in my case? I am pretty new to mail servers so this BATV topic sounds very complex to me... is there an easier way maybe? – Alex Nov 09 '13 at 14:57
  • @Alex The problem is Postfix trying to send a bounce message after accepting the message rather than while receiving the message. This forces the bounce message to use your relay server. If you are using a relay it is best to avoid sending bounce messages. BATV is more useful to prevent incoming bounce messages, rather than resolving your outgoing issue. You should either enable recipient verification during message receipt, or drop invalid recipients rather than bounce them. – BillThor Nov 10 '13 at 03:10
  • Thank you! I did now configure catch-all so no more bounces are being sent for non existent users. I already tried that previously but the problem was that I have also a lot of non-local recipients that are forwarded to another internal machine. I specified now all valid recipients manually in the virtual alias maps and it seems to work fine :-) – Alex Nov 10 '13 at 09:10
  • 1
    Hi @BillThor, about this "Postfix accepts all recipients by default", can you tell me what your source is for saying that? Because according to http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. – Imylor Oct 15 '22 at 14:16
  • @lmylor I may not have been clear. Due to the design, messages are accepted before many spam filtering mechanisms are applied. This can result in backscatter if a rejection message is sent to the sender. – BillThor Oct 17 '22 at 15:01
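Added example, not part of the original thread: a Python sketch of the BATV idea from the answer, signing the envelope sender on outgoing mail and checking the tag on the recipient of an incoming bounce. The tag layout (key digit, three-digit expiry day, six hex digits of an HMAC-SHA1) is modelled on the prvs scheme of the BATV draft and should be treated as an assumption; function names, the key and the address are constructed.

```python
import hashlib
import hmac
import re

SECONDS_PER_DAY = 86400
# prvs=KDDDSSSSSS=local@domain (ASCII digits and hex only)
TAGGED = re.compile(r"prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)", re.I | re.A)


def _tag(key_num, day, address, secret):
    """K + DDD + first 3 bytes (6 hex digits) of HMAC-SHA1 over K, DDD, address."""
    prefix = f"{key_num}{day:03d}"
    mac = hmac.new(secret, (prefix + address).encode(), hashlib.sha1).hexdigest()
    return prefix + mac[:6]


def sign_sender(address, secret, now, key_num=0, lifetime_days=7):
    """Rewrite the envelope sender of outgoing mail to its tagged form."""
    expiry_day = (int(now) // SECONDS_PER_DAY + lifetime_days) % 1000
    return f"prvs={_tag(key_num, expiry_day, address, secret)}={address}"


def verify_bounce_recipient(rcpt, secret, now, lifetime_days=7):
    """Return the original address if rcpt has a valid, unexpired tag, else None.

    Apply only to mail with the null sender (<>): a bounce addressed to an
    untagged or wrongly tagged address was not caused by mail we sent.
    """
    m = TAGGED.fullmatch(rcpt)
    if not m:
        return None
    key_num, day, sig, address = m.groups()
    expected = _tag(int(key_num), int(day), address, secret)
    if not hmac.compare_digest((key_num + day + sig).lower(), expected):
        return None
    today = (int(now) // SECONDS_PER_DAY) % 1000
    # Day numbers wrap at 1000, so measure the distance to expiry modulo 1000.
    if (int(day) - today) % 1000 > lifetime_days:
        return None
    return address
```

As BillThor notes in the comments, this filters bounces arriving for mail you never sent; it does not stop your own server from emitting bounces through the relay.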