
I am using postfix as a mail server for "myDomain.com". Further, I have installed a forwarding service to gmail. That works fine so far. But when someone sends me an e-mail with e.g. an executable, gmail bounces the mail. This notification mail from gmail will be relayed to the original sender, but not to me. What I want to accomplish:

  • "A" sends an executable to my address at "myDomain.com".
  • The email will be forwarded to gmail. -> gmail bounces the mail back with a notification.
  • I want to receive this bounced email in my mailbox at "myDomain.com".
  • The original sender "A" doesn't get anything from gmail.

Any ideas on how to accomplish that? Thank you!

Kevin Reid
user1346201
  • This question should be moved to serverfault.com, where it would probably get a good answer. – GnP May 07 '15 at 19:01

2 Answers

  • The email will be forwarded to gmail. -> gmail bounces the mail back with a notification.
  • I want to receive this bounced email in my mailbox at "myDomain.com".
  • The original sender "A" doesn't get anything from gmail.

Gmail is not sending a bounce to the original sender.

The communications flow is like this:

Step 1: The original sender's mail server communicates with your server (let's call it mx.example.com):

HELO originalsendermx
250 mx.example.com
MAIL FROM: originalsender@spammy.example
250 2.1.0 Ok
RCPT TO: a@example.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: this is a virus in an executable for a@example.com
<base64encodedvirusexe>
.
250 2.0.0 Ok: queued as C9F786427FA
QUIT
221 2.0.0 Bye

Step 2: your postfix server has a rule to forward all mail to a@example.com to b@example.org, so it connects to mx.example.org:

HELO mx.example.com
250 mx.example.org
MAIL FROM: originalsender@spammy.example
250 2.1.0 Ok
RCPT TO: b@example.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: this is a virus in an executable for a@example.com
<base64encodedvirusexe>
.
550 5.2.3 The content of this message is not allowed
QUIT
221 2.0.0 Bye

So your server accepted the mail from the original sender, but example.org (or gmail in your case) didn't accept the mail from your server. According to RFC 2821 your server should generate a Non-Delivery Notification and send it to the original sender:

If an SMTP server has accepted the task of relaying the mail and later finds that the destination is incorrect or that the mail cannot be delivered for some other reason, then it MUST construct an "undeliverable mail" notification message and send it to the originator of the undeliverable mail.

And this is the default behaviour of postfix. OTOH, common sense dictates you shouldn't send a bounce in this situation, and RFC 5321 agrees.

The fastest way to accomplish this would be to modify master.cf to never send bounces:

bounce    unix  -       -       n       -       0       discard

But it's a little extreme and probably undoable in many environments. You could use header_checks to narrow it down a little.

The important bit is that gmail isn't bouncing anything, it's just rejecting it. Your server is the one bouncing it.

GnP
  • Can you elaborate on how `header_checks` could be used here? (I assume as an option to `bounce`, instead of `discard`?) Could this match `Action: failed`, `Status: 5.7.1`, `Remote-MTA: dns; mx4.mail.icloud.com` etc. from the (to be) generated bounce message? On the other hand I would still rather like to reject them in the first place, but for this Postfix would need to try delivering them right away, before queuing (holding open the receiving connection), similar to the "Before-Queue Content Filter", but this does not appear to be possible, is it? (it is only a small mail system) – blueyed Oct 10 '18 at 00:54
  • Since the original question is really about something different after all, I've created a new question: https://serverfault.com/questions/934760/postfix-do-not-create-bounce-message-for-virtual-alias-maps-with-remote-servers – blueyed Oct 10 '18 at 01:35

I've had more or less the same problem; I've noticed that Gmail uses the SMTP response code 421 in this case. Since it's not a 5xx code, that means that the mail is queued for a later retry and sits in the deferred queue. So I built a cronjob to clear these mails out of the queue every hour, running the following command:

mailq | egrep -i -B 1 'google.com.*421-4.7.0.*gsmtp' | egrep -v '^\(|--' | cut -d' ' -f1 | postsuper -v -d -

Exact error message format may vary, but 421-4.7.0 seems to be the common denominator.

Florian Echtler
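A more careful version of the queue-clearing step in the answer above, added here as an example and not part of the original answer: it parses `mailq` (`postqueue -p`) output, matches the 421-4.7.0 pattern only against the deferral-reason line, and skips active (`*`) and held (`!`) entries before handing the queue IDs to `postsuper -d -`. The sample queue listing is constructed, and the Gmail reason text in it is a placeholder, not a real response.

```python
import re
import subprocess
import sys

# Constructed sample of `mailq` output; not captured from a real server.
# Entry 1: deferred by Google with a 421-4.7.0 response (placeholder text).
# Entry 2: active delivery (trailing '*'), must not be deleted.
# Entry 3: deferred for an unrelated reason, must not be deleted.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C9F786427FA     2345 Fri Oct  5 10:11:12  originalsender@spammy.example
(host gmail-smtp-in.l.google.com[203.0.113.26] said: 421-4.7.0 [198.51.100.7] constructed reason text - gsmtp (in reply to end of DATA command))
                                         b@example.org

1A2B3C4D5E*     1024 Fri Oct  5 10:12:00  someone@example.net
                                         c@example.org

9F8E7D6C5B      4096 Fri Oct  5 10:13:30  other@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         d@example.net

-- 7 Kbytes in 3 Requests.
"""

# First line of a queue entry: queue ID, optional state marker, then the size.
QUEUE_LINE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+\d+\s")
# The deferral reason the answer matches on (a 4xx code, so it is retried).
GMAIL_421 = re.compile(r"google\.com.*421-4\.7\.0.*gsmtp", re.IGNORECASE)

def parse_mailq(text):
    """Return [(queue_id, state, reason)]; state is '' (deferred),
    '*' (active) or '!' (held). reason is '' when no reason line follows."""
    entries = []
    for line in text.splitlines():
        m = QUEUE_LINE.match(line)
        if m:
            entries.append([m.group(1), m.group(2), ""])
        elif entries and line.startswith("("):
            entries[-1][2] = line[1:-1]  # drop the enclosing parentheses
    return [tuple(e) for e in entries]

def select_deferred(text, pattern=GMAIL_421):
    """Queue IDs that are deferred (neither active nor held) and whose
    deferral reason matches pattern. Active entries are skipped so a message
    being handed over right now is not deleted underneath the delivery."""
    return [qid for qid, state, reason in parse_mailq(text)
            if state == "" and pattern.search(reason)]

if __name__ == "__main__":
    # Real run (from cron): python3 purge_gmail_421.py | postsuper -d -
    # Pass --sample to run against the constructed listing instead.
    out = (SAMPLE_MAILQ if "--sample" in sys.argv else
           subprocess.run(["mailq"], capture_output=True, text=True, check=True).stdout)
    print("\n".join(select_deferred(out)))
```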
  • I found this answer incredibly useful. The problem is with Gmail: if they don't want to accept the message, they should issue a 5xx code! But how on earth does one write to Gmail and tell them "your mailserver is misconfigured" :-) – gbe Jan 26 '17 at 23:55
  • @gbe, you don't write to gmail, but you explain to their users why they should stop using it; not because of the mail server configuration, but because when a user loses access to their account there is literally no way to get back in, and if this isn't the worst customer service, I don't know what is. – Sam Sirry Feb 25 '23 at 00:56