  #1 (permalink)  
Old 10-10-2011, 03:15 AM
Starter Member
Posts: 2
Domain aliases without backscattering?

Hello

As you may know, there is a problem with domain aliases and backscattering, that makes them unusable and dangerous in a public mail server deployment. This was known and reported four years ago (at the very least) and it still applies to the current release.

The problem is that zimbraMailCatchAllForwardingAddress makes Zimbra accept mail for *any* email address on the domain alias. Only then will it bounce the email back if the user doesn't exist on the destination domain.

Bouncing an email (as in: sending a Delivery Status Notification) to a remote address, when the original destination address didn't even exist, is a practice called "backscattering" and is punished by inclusion in various RBL services.

Domain aliases (by which I mean: accepting email for company.com, company.net, and company.de) are a somewhat common practice, and the only way to make it work correctly in Zimbra, without generating backscatter, is to create specific aliases for all the accounts in the domain, both for current and future users.

This is tedious and error-prone. Does Zimbra have or plan to implement a better solution to this problem?
Reply With Quote
  #2 (permalink)  
Old 10-10-2011, 03:26 AM
Zimbra Consultant & Moderator
Posts: 20,315

Quote:
Originally Posted by tobia
As you may know, there is a problem with domain aliases and backscattering, that makes them unusable and dangerous in a public mail server deployment. This was known and reported four years ago (at the very least) and it still applies to the current release.

That's a) not a domain alias, it's a catchall address and b) that's not a bug and c) it was never reported as a bug, that's just a forum thread.

Quote:
Originally Posted by tobia
The problem is that zimbraMailCatchAllForwardingAddress makes Zimbra accept mail for *any* email address on the domain alias. Only then will it bounce the email back if the user doesn't exist on the destination domain.

That's why you should never use a 'catchall' address on a mail server except in some specific (and limited) scenarios.

Quote:
Originally Posted by tobia
Bouncing an email (as in: sending a Delivery Status Notification) to a remote address, when the original destination address didn't even exist, is a practice called "backscattering" and is punished by inclusion in various RBL services.

Indeed, that's true but using a 'catchall' address doesn't make the Zimbra server send backscatter, it just receives it.

Quote:
Originally Posted by tobia
Domain aliases (by which I mean: accepting email for company.com, company.net, and company.de) are a somewhat common practice, and the only way to make it work correctly in Zimbra, without generating backscatter, is to create specific aliases for all the accounts in the domain, both for current and future users.

That is the only solution, if you think there's some other solution for Postfix then search the internet and feel free to report it as a bug.

Quote:
Originally Posted by tobia
This is tedious and error-prone. Does Zimbra have or plan to implement a better solution to this problem?

I wouldn't think so, what exactly would you suggest as the solution? The correct place for filing bugs and RFEs is in bugzilla and not these forums.
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 10-10-2011, 04:26 AM
Starter Member
Posts: 2

Hi, thank you for your quick assessment.

Quote:
Originally Posted by phoenix
The correct place for filing bugs and RFEs is in bugzilla and not these forums.

I'm not knowledgeable enough about Zimbra to be certain it is a bug, an RFE, or neither of the two. That's why I'm raising the issue here.

Quote:
Originally Posted by phoenix
using a 'catchall' address doesn't make the Zimbra server send backscatter, it just receives it.

I beg to differ.

Setting a catchall address for company.net to a local domain @company.com will make Zimbra accept *any* mail for company.net, even for addresses that don't exist on company.com. This would be the right behavior if the destination domain was remote, but for a local domain, one would expect the MTA to know existing users from non-existing ones.

The net result is that mail directed to non-existent Company users on the domain alias company.net will be accepted at the SMTP level, only to be bounced back afterwards. This is, by any definition, backscatter generated by the Zimbra server.

Quote:
Originally Posted by phoenix
That's not a domain alias, it's a catchall address [...] you should never use a 'catchall' address on a mail server except in some specific (and limited) scenarios.

Very well, this means that the suggested (by some) recipe of making domain aliases using catchall, as found on the wiki and various forum posts, is bad advice.

Does Zimbra have a proper means to set up a domain alias? One that doesn't require the administrator to set up and maintain thousands of individual account aliases?

Quote:
Originally Posted by phoenix
That is the only solution, if you think there's some other solution for Postfix then search the internet and feel free to report it as a bug.

Technically, if Postfix doesn't provide domain aliases as a configuration item, they could be 'faked' by creating individual account aliases behind the scenes. But I didn't mean to start a discussion on implementation details. I only wanted to know, from an end-user (or end-admin) point of view, what are the options to have a domain alias without incurring backscattering.

If you can confirm that this is not provided by Zimbra, I shall go ahead and post an RFE.
Reply With Quote
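
The per-account alias approach that the posts above settle on as the only catchall-free option can be scripted rather than maintained by hand. The following is an added example, not part of the thread and not Zimbra's own code: the function name `gen_alias_cmds`, the file of already-existing aliases and the sample addresses are assumptions, and the emitted `aaa` lines are zmprov's addAccountAlias command.

```shell
#!/bin/sh
# Added example (not from the thread): generate explicit per-account aliases
# for the alias domains, so no catchall is needed and unknown recipients can
# be rejected during the SMTP dialogue instead of bounced afterwards.
#
# stdin : account addresses, one per line (e.g. from `zmprov -l gaa company.com`)
# $1    : primary domain
# $2    : file listing aliases that already exist, one per line (may be empty)
# $3... : alias domains
# stdout: `aaa <account> <alias>` lines for zmprov (addAccountAlias)
gen_alias_cmds() {
    primary=$1
    existing=$2
    shift 2
    while IFS= read -r acct; do
        case $acct in
            ''|'#'*) continue ;;          # skip blank lines and comments
            *@"$primary") ;;              # only accounts in the primary domain
            *) continue ;;
        esac
        local_part=${acct%@*}
        for d in "$@"; do
            alias_addr="$local_part@$d"
            # idempotent: do not re-add an alias that is already present
            grep -Fxq -- "$alias_addr" "$existing" && continue
            printf 'aaa %s %s\n' "$acct" "$alias_addr"
        done
    done
}

# Constructed sample data, so the script runs offline.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'alice@company.net' > "$tmp"      # alias that already exists
    printf '%s\n' 'alice@company.com' 'bob@company.com' 'carol@other.org' |
        gen_alias_cmds company.com "$tmp" company.net company.de
    rm -f "$tmp"
}

demo
```

Because existing aliases are skipped, the script can be re-run whenever an account is created, which covers the "future users" case; review the generated lines before passing them to zmprov.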
  #4 (permalink)  
Old 10-10-2011, 05:15 AM
Active Member
Posts: 32

I currently have zimbraMailCatchAllAddress and zimbraMailCatchAllForwardingAddress set on my server while I finish my migration from the old server.

My users are receiving spam e-mails from users@domain.com and they are bypassing spamassassin. A few users had e-mails with viruses attached and I posted all of the logs I had on the forums. Are the catchall settings allowing these e-mails, supposedly from within our domain, to make it to our users bypassing all filters?

Currently (until migration is complete) I have mail coming in the legacy server and forwarded to the Zimbra server. MX records still point to the legacy server.

Thanks
Reply With Quote
  #5 (permalink)  
Old 10-10-2011, 05:36 AM
Zimbra Consultant & Moderator
Posts: 20,315

Quote:
Originally Posted by devicegrip
Are the catchall settings allowing these e-mails,.....

Yes, that's what a catchall address does and why I'd never recommend using it (except for a migration such as yours).
__________________
Regards


Bill
Reply With Quote
  #6 (permalink)  
Old 10-10-2011, 05:48 AM
Active Member
Posts: 32

Will the settings from Managing Domains - Zimbra :: Wiki help in my case? Or should I just finish my migration and remove the catchall?

zmlocalconfig -e postfix_enable_smtpd_policyd=yes
zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
postfix stop
postfix start

Thanks
Reply With Quote
  #7 (permalink)  
Old 10-10-2011, 05:56 AM
Zimbra Consultant & Moderator
Posts: 20,315

Quote:
Originally Posted by devicegrip
Or should I just finish my migration and remove the catchall?

I'd just finish the migration and remove the catchall.
__________________
Regards


Bill
Reply With Quote