From: Mikael Bak on 8 Sep 2009 05:47

Steve Heaven wrote:
> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
>
>> You should not accept mail for invalid recipients. Use existing
>> functionality to build a cache/database of valid recipients "on the fly".
>> See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> We have no way of knowing if the recipient address is valid or not as we
> are only acting as a relay for the final destination.
> We cannot build a database of recipients on the fly as that information
> is held on the various servers of our clients, to which we do not have
> access.

Sahil Tandon gave you a link containing the solution to your problem. I suggest you read it before you say it can't be done.

Tip: scroll up to "How address verification works".

Mikael

From: Clunk Werclick on 8 Sep 2009 05:57

From: Clunk Werclick <mailbackup19(a)googlemail.com>
Reply-to: mailbackup19(a)googlemail.com
Cc: postfix-users(a)postfix.org
Subject: Re: relay_domains vs virtual_mailbox_domains
Date: Tue, 08 Sep 2009 09:28:36 +0100
Mailer: Evolution 2.24.3

On Tue, 2009-09-08 at 08:52 +0100, Steve Heaven wrote:
> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
>
> > You should not accept mail for invalid recipients. Use existing
> > functionality to build a cache/database of valid recipients "on the fly".
> > See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> We have no way of knowing if the recipient address is valid or not as
> we are only acting as a relay for the final destination.
> We cannot build a database of recipients on the fly as that
> information is held on the various servers of our clients, to which we
> do not have access.

Please forgive the bluntness - and drifting off a bit as I've not seen all of this; If you are acting as a relay and not able to verify the final recipients exist - you will quickly run into serious problems and side effects.

Postfix provides a probing/discovery mechanism that spares you the need to build maps - it's not ideal when compared to the sheer speed of SQL, MAPS or LDAP, but it exists - so there is no excuse to accept mail for invalid recipients with Postfix. The link given tells you how this 'probing' works.

Failing to verify final recipients means you will probably accept mail that is sequentially refused, leaving you holding the baby and having to bounce it. (Old Chinese Proverb say, man who gives 250 OK to SMTP, take ownership and responsibility). With invalid recipients, the sender is usually forged and as your relay has nothing left to do but bounce the message, your IP(s) are going to become really unpopular *fast*, and probably have it blacklisted in no time at all.

This is, of course, not only limited to invalid recipients. Accepting any kind of mail for a destination that cannot be delivered gives the same problem. Perhaps the recipient is valid, but the destination refused the message because of the content/spam. You end up holding the baby again.

If you really need the ability to catch all without bounce then the final destination needs to absolutely white list everything you throw at it - regardless of recipient or content. That is most certainly *not* ideal without some serious UCE measures on the relay itself.

In commercial solutions I have seen, RELAYS have held the message and not given a 250 until the final destination has taken it -or- (less ideal) taken the message and put it into an 'outbound' Postfixen where it is retried for 48-72 hours. This gives the Relay admin time to see it and liaise with the final destination host admin. This would be a real headache if you wind up with thousands of messages in the queue for invalid recipients, bringing us full circle to the topic once more.

Good luck with what it is you are doing.

--
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.

From: mouss on 8 Sep 2009 18:27

Steve Heaven wrote:
> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
>
>> You should not accept mail for invalid recipients. Use existing
>> functionality to build a cache/database of valid recipients "on the fly".
>> See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> We have no way of knowing if the recipient address is valid or not as we
> are only acting as a relay for the final destination.
> We cannot build a database of recipients on the fly as that information
> is held on the various servers of our clients, to which we do not have
> access.

the old: "try to pass to next, until final server accepts or rejects" is no more acceptable. recipients must be checked at the "edge".

postfix provides reject_unverified_recipient to help you for that (assuming the next relay really validates the recipient).

It's been a time that most people acknowledge that backscatter is a problem. those who take a selfish approach to mail should not be surprised if they are blacklisted, and should not ask for help.

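The relay-side check named in the message above, as an added main.cf example that is not taken from any poster's configuration: the relayed domain names and the cache path are placeholders, and it assumes, as mouss notes, that the next hop rejects unknown recipients at RCPT TO.

```conf
# main.cf on the relay (added example; domains and paths are placeholders)

# Domains accepted here and relayed to the clients' own servers.
relay_domains = client1.example, client2.example

# Before: any recipient in relay_domains gets a 250. If the final
# destination refuses the mail later, the relay has to bounce it to a
# (usually forged) sender, which is the backscatter discussed above.
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    reject_unauth_destination

# After: for a recipient not yet in the cache, Postfix sends a probe to
# the next hop and only accepts the RCPT TO if the probe is accepted.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persistent cache of probe results, so a known address is not probed
# again for every message (path is an assumption for this example).
address_verify_map = btree:/var/lib/postfix/verify

# The default reply for an unverified recipient is 450 (temporary).
# Switch to a permanent 550 once the probes are known to give correct
# answers for every relayed domain.
unverified_recipient_reject_code = 550
```

If the next hop answers 250 to every RCPT TO, every probe succeeds and this check rejects nothing.
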
From: mouss on 8 Sep 2009 18:28

yar mailer got borked?

Clunk Werclick wrote:
> From:
> Clunk Werclick
> <mailbackup19(a)googlemail.com>
> Reply-to:
> mailbackup19(a)googlemail.com
> Cc:
> postfix-users(a)postfix.org
> Subject:
> Re: relay_domains
> vs
> virtual_mailbox_domains
> Date:
> Tue, 08 Sep 2009
> 09:28:36 +0100
> Mailer:
> Evolution 2.24.3
>
> On Tue, 2009-09-08 at 08:52 +0100, Steve Heaven wrote:
>> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
>>
>>> You should not accept mail for invalid recipients. Use existing
>>> functionality to build a cache/database of valid recipients "on the fly".
>>> See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>>
>> We have no way of knowing if the recipient address is valid or not as
>> we are only acting as a relay for the final destination.
>> We cannot build a database of recipients on the fly as that
>> information is held on the various servers of our clients, to which we
>> do not have access.
>>
> Please forgive the bluntness - and drifting off a bit as I've not seen
> all of this; If you are acting as a relay and not able to verify the
> final recipients exist - you will quickly run into serious problems and
> side effects.
>
> Postfix provides a probing/discovery mechanism that spares you the need
> to build maps - it's not ideal when compared to the sheer speed of SQL,
> MAPS or LDAP, but it exists - so there is no excuse to accept mail for
> invalid recipients with Postfix. The link given tells you how this
> 'probing' works.
>
> Failing to verify final recipients means you will probably accept mail
> that is sequentially refused, leaving you holding the baby and having to
> bounce it. (Old Chinese Proverb say, man who gives 250 OK to SMTP, take
> ownership and responsibility). With invalid recipients, the sender is
> usually forged and as your relay has nothing left to do but bounce the
> message, your IP(s) are going to become really unpopular *fast*, and
> probably have it blacklisted in no time at all.
>
> This is, of course, not only limited to invalid recipients. Accepting
> any kind of mail for a destination that cannot be delivered gives the
> same problem. Perhaps the recipient is valid, but the destination
> refused the message because of the content/spam. You end up holding the
> baby again.
>
> If you really need the ability to catch all without bounce then the
> final destination needs to absolutely white list everything you throw
> at it - regardless of recipient or content. That is most certainly *not*
> ideal without some serious UCE measures on the relay itself.
>
> In commercial solutions I have seen, RELAYS have held the message and
> not given a 250 until the final destination has taken it -or- (less
> ideal) taken the message and put it into an 'outbound' Postfixen where
> it is retried for 48-72 hours. This gives the Relay admin time to see it
> and liaise with the final destination host admin. This would be a real
> headache if you wind up with thousands of messages in the queue for
> invalid recipients, bringing us full circle to the topic once more.
>
> Good luck with what it is you are doing.

From: Steve Heaven on 9 Sep 2009 02:16

On Wed, 2009-09-09 at 00:27 +0200, mouss wrote:
> Steve Heaven wrote:
>
> the old: "try to pass to next, until final server accepts or rejects"
> is no more acceptable. recipients must be checked at the "edge".
>
> postfix provides reject_unverified_recipient to help you for that
> (assuming the next relay really validates the recipient).

That's the problem. Most of our clients that we relay mail for run Microsoft SBS Exchange which doesn't verify probes. It accepts mail for any user and sends an undeliverable report back to the sender.

--
thorNET
Internet Services, Consultancy & Training
www.thornet.co.uk