ISPConfig, Postfix and Backscatter

Discussion in 'Server Operation' started by juliuswt, Nov 30, 2011.

  1. juliuswt

    juliuswt New Member

    I setup ISPConfig 3.0.2.1 with Postfix quite some time ago and there's only one problem that's got me stumped. We use email domain aliases and I cannot get Postfix to reject email during connection to non-existent mailboxes when the email is to a domain that's aliased.

    For instance, say I have @myotherdomain.com aliased to @mydomain.com and we get an email to [email protected], which doesn't exist. Postfix will accept the email, close the connection, then attempt to deliver the email to [email protected]. Then it realizes that [email protected] doesn't exist and it mails the sender a DNR instead of simply rejecting the email in the first place like I would hope. If the mail was to [email protected] it would reject it just fine, but aliased domains it doesn't. This has been causing us trouble with backscatter. :(

    Here's an example from our logs:
    Code:
    Nov 29 23:26:49 mail postfix/smtpd[2479]: connect from remote-server.com[xxx.xxx.xxx.xxx]
    Nov 29 23:26:49 mail postfix/smtpd[2479]: NOQUEUE: filter: RCPT from remote-server.com[xxx.xxx.xxx.xxx]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<remote-server.com>
    Nov 29 23:26:49 mail postfix/smtpd[2479]: NOQUEUE: filter: RCPT from remote-server.com[xxx.xxx.xxx.xxx]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<remote-server.com>
    Nov 29 23:26:49 mail postfix/policy-spf[2483]: : SPF pass (Mechanism 'ip4:xxx.xxx.xxx.xxx' matched): Envelope-from: [email protected]
    Nov 29 23:26:49 mail postfix/policy-spf[2483]: : Policy action=PREPEND Received-SPF: pass (remote-domain.com: xxx.xxx.xxx.xxx is authorized to use [email protected]' in 'mfrom' identity (mechanism 'ip4:xxx.xxx.xxx.xxx' matched)) receiver=mail.maindomain.net; identity=mailfrom; envelope-from="[email protected]"; helo=remote-server.com; client-ip=xxx.xxx.xxx.xxx
    Nov 29 23:26:49 mail postfix/smtpd[2479]: 86EC4AE203C: client=remote-server.com[xxx.xxx.xxx.xxx]
    Nov 29 23:26:49 mail postfix/cleanup[2430]: 86EC4AE203C: message-id=<[email protected]>
    Nov 29 23:26:49 mail postfix/qmgr[2382]: 86EC4AE203C: from=<[email protected]>, size=1812, nrcpt=1 (queue active)
    Nov 29 23:26:49 mail postfix/smtpd[2479]: disconnect from remote-server.com[xxx.xxx.xxx.xxx]
    Nov 29 23:26:50 mail postfix/smtpd[2999]: 09775AE206D: client=unknown[127.0.0.1]
    Nov 29 23:26:50 mail postfix/cleanup[2430]: 09775AE206D: message-id=<[email protected]>
    Nov 29 23:26:50 mail postfix/qmgr[2382]: 09775AE206D: from=<[email protected]>, size=2270, nrcpt=1 (queue active)
    Nov 29 23:26:50 mail amavis[1188]: (01188-16) Passed CLEAN, [xxx.xxx.xxx.xxx] [xxx.xxx.xxx.xxx] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: avByfcOGm2uj, Hits: -6.902, size: 1811, queued_as: 09775AE206D, 492 ms
    Nov 29 23:26:50 mail postfix/smtp[2872]: 86EC4AE203C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.52/0/0/0.49, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01188-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 09775AE206D)
    Nov 29 23:26:50 mail postfix/qmgr[2382]: 86EC4AE203C: removed
    Nov 29 23:26:50 mail postfix/pipe[2476]: 09775AE206D: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.03, delays=0.01/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)
    Nov 29 23:26:50 mail postfix/cleanup[2430]: 10DD0AE203C: message-id=<[email protected]>
    Nov 29 23:26:50 mail postfix/bounce[3002]: 09775AE206D: sender non-delivery notification: 10DD0AE203C
    Nov 29 23:26:50 mail postfix/qmgr[2382]: 10DD0AE203C: from=<>, size=4194, nrcpt=1 (queue active)
    Nov 29 23:26:50 mail postfix/qmgr[2382]: 09775AE206D: removed
    Nov 29 23:26:50 mail postfix/smtp[2912]: certificate verification failed for remote-server.com[xxx.xxx.xxx.xxx]:25: untrusted issuer /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http:[email protected]
    Nov 29 23:26:50 mail postfix/smtp[2912]: 10DD0AE203C: to=<[email protected]>, relay=remote-server.com[xxx.xxx.xxx.xxx]:25, delay=0.08, delays=0/0/0.05/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 227D4262097)
    Nov 29 23:26:50 mail postfix/qmgr[2382]: 10DD0AE203C: removed
    
    output of postconf -n:
    Code:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    disable_vrfy_command = yes
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = mail.maindomain.net, localhost, localhost.localdomain
    mydomain = mail.maindomain.net
    myhostname = mail.maindomain.net
    mynetworks = 127.0.0.0/8,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx....
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    newaliases_path = /usr/bin/newaliases.postfix
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.7.0/README_FILES
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    sample_directory = /usr/share/doc/postfix-2.7.0/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_loglevel = 0
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_data_restrictions = reject_unauth_pipelining,            permit
    smtpd_delay_reject = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,   reject_invalid_hostname,   reject_non_fqdn_sender,   reject_non_fqdn_recipient,   reject_unknown_sender_domain,   reject_unknown_recipient_domain,   reject_unauth_pipelining,   permit_mynetworks,   reject_unauth_destination,   check_policy_service unix:private/policy,   check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,   permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = maindomain.net
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf    check_sender_access regexp:/etc/postfix/tag_as_originating.re    permit_mynetworks    permit_sasl_authenticated    permit_tls_clientcerts    check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/etc/mailman/virtual-mailman
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_limit = 0
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000
    
    master.cf:
    Code:
    smtp      inet  n       -       n       -       -       smtpd
    587       inet  n       -       -       -       -       smtpd
    
    smtps     inet  n       -       n       -       -       smtpd
       -o smtpd_tls_wrappermode=yes
       -o smtpd_sasl_auth_enable=yes
    
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       n       -       -       smtp
    
    relay     unix  -       -       n       -       -       smtp
            -o smtp_fallback_relay=
    
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    retry     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
    scache    unix  -       -       n       -       1       scache
    
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}
    
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
    
    127.0.0.1:10027    inet    n    -    n    -    -    smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
    
    policy  unix  -       n       n       -       0       spawn
                user=nobody argv=/usr/local/lib/policyd-spf-perl
    

    Any help with this issue, or any other misconfiguration noticed, would be greatly appreciated.


    Thanks,

    Julius
     

Share This Page