Ok, i have looked into the problem some more, and found out that it's not backscatter after all.
The problem is this: Regular spam mail is sent to my server to some random addresses. The domain of the recipient of the mail is hosted on my server, but the mailbox does not exist.
Normally i think this mail should just be bounced, but instead it is placed in the deferred queue. Because the domain gets lots of spam, the deferred queue fills up over time.
So my question is: How can i bounce mail that has an invalid recipient, instead of putting it in the deferred queue?
Here is an example of a deferred mail, which sould be bounced, taken from my mail.log with "cat /var/log/mail.log | grep 208401FBE28F"
Apr 5 11:33:36 server1 postfix/smtpd: 208401FBE28F: client=localhost[127.0.0.1]
Apr 5 11:33:36 server1 postfix/cleanup: 208401FBE28F: message-id=<8831100462.V72J0A8X259818@DomainOnMyServer.at>
Apr 5 11:33:36 server1 postfix/qmgr: 208401FBE28F: from=<firstname.lastname@example.org>, size=2094, nrcpt=1 (queue active)
Apr 5 11:33:36 server1 amavis: (10827-11) Passed SPAMMY, [220.127.116.11] [18.104.22.168] <email@example.com> -> <wintgen@DomainOnMyServer.at>, Message-ID: <8831100462.V72J0A8X259818@DomainOnMyServer.at>, mail_id: XJtN3LKSUg5z, Hits: 14.574, size: 1276, queued_as: 208401FBE28F, 405 ms
Apr 5 11:33:36 server1 postfix/smtp: 8F1C81FBE27F: to=<wintgen@DomainOnMyServer.at>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.7, delays=5.3/0/0/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10827-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 208401FBE28F)
Apr 5 11:33:36 server1 postfix/pipe: 208401FBE28F: to=<wintgen@anotherDomainOnMyServer.at>, orig_to=<wintgen@DomainOnMyServer.at>, relay=maildrop, delay=0.13, delays=0.12/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgen/11907.0.server1. )
As you can see, the mail get's sent to "@domainOnMyServer.at", and then gets relayed to "@anotherDomainOnMyServer.at", where it finally get's deferred. The relay happens because i have a mail alias in ISPConfig from domainOnMyServer.at to anotherDomainOnMyServer.at
As far as i found out, all mail that lands in the deferred queue follows this pattern. It get's sent to the first domain, then relayed to the second domain, and there it get's deferred with the Message :
"status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgenwintgen/14080.0.server1."
I thought "local_recipient_maps" and "relay_recipient_maps" should handle that such mail should get bounced, and not deferred, but may it be that the alias for the whole domain screws something up here?
I whould be thankful for any help or insight into this.