Thread: Domain aliases without backscattering?

  1. #1
    tobia is offline Starter Member

    Hello

    As you may know, there is a problem with domain aliases and backscattering that makes them unusable and dangerous in a public mail server deployment. This was known and reported four years ago (at the very least) and it still applies to the current release.

    The problem is that zimbraMailCatchAllForwardingAddress makes Zimbra accept mail for *any* email address on the domain alias. Only then will it bounce the email back if the user doesn't exist on the destination domain.

    Bouncing an email (as in: sending a Delivery Status Notification) to a remote address, when the original destination address didn't even exist, is a practice called "backscattering" and is punished by inclusion in various RBL services.

    Domain aliases (by which I mean: accepting email for company.com, company.net, and company.de) is a somewhat common practice, and the only way to make it work correctly in Zimbra, without generating backscatter, is to create specific aliases for all the accounts in the domain, both for current and future users.

    This is tedious and error-prone. Does Zimbra have or plan to implement a better solution to this problem?

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by tobia View Post
    As you may know, there is a problem with domain aliases and backscattering that makes them unusable and dangerous in a public mail server deployment. This was known and reported four years ago (at the very least) and it still applies to the current release.
    That's a) not a domain alias, it's a catchall address and b) that's not a bug and c) it was never reported as a bug, that's just a forum thread.

    Quote Originally Posted by tobia View Post
    The problem is that zimbraMailCatchAllForwardingAddress makes Zimbra accept mail for *any* email address on the domain alias. Only then will it bounce the email back if the user doesn't exist on the destination domain.
    That's why you should never use a 'catchall' address on a mail server except in some specific (and limited) scenarios.

    Quote Originally Posted by tobia View Post
    Bouncing an email (as in: sending a Delivery Status Notification) to a remote address, when the original destination address didn't even exist, is a practice called "backscattering" and is punished by inclusion in various RBL services.
    Indeed, that's true but using a 'catchall' address doesn't make the Zimbra server send backscatter, it just receives it.

    Quote Originally Posted by tobia View Post
    Domain aliases (by which I mean: accepting email for company.com, company.net, and company.de) is a somewhat common practice, and the only way to make it work correctly in Zimbra, without generating backscatter, is to create specific aliases for all the accounts in the domain, both for current and future users.
    That is the only solution, if you think there's some other solution for Postfix then search the internet and feel free to report it as a bug.

    Quote Originally Posted by tobia View Post
    This is tedious and error-prone. Does Zimbra have or plan to implement a better solution to this problem?
    I wouldn't think so, what exactly would you suggest as the solution? The correct place for filing bugs and RFEs is in bugzilla and not these forums.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    tobia is offline Starter Member

    Hi, thank you for your quick assessment

    Quote Originally Posted by phoenix View Post
    The correct place for filing bugs and RFEs is in bugzilla and not these forums.
    I'm not knowledgeable enough about Zimbra to be certain it is a bug, a RFE, or neither of the two. That's why I'm raising the issue here.

    Quote Originally Posted by phoenix View Post
    using a 'catchall' address doesn't make the Zimbra server send backscatter, it just receives it.
    I beg to differ.

    Setting a catchall address for company.net to a local domain @company.com will make Zimbra accept *any* mail for company.net, even for addresses that don't exist on company.com. This would be the right behavior if the destination domain was remote, but for a local domain, one would expect the MTA to know existing users from non-existing ones.

    The net result is that mail directed to non-existent Company users on the domain alias company.net will be accepted at the SMTP level, only to be bounced back afterwards. This is, by any definition, backscatter generated by the Zimbra server.

    Quote Originally Posted by phoenix View Post
    That's not a domain alias, it's a catchall address [...] you should never use a 'catchall' address on a mail server except in some specific (and limited) scenarios.
    Very well, this means that the suggested (by some) recipe of making domain aliases using catchall, as found on the wiki and various forum posts, is bad advice.

    Does Zimbra have a proper means to set up a domain alias? One that doesn't require the administrator to set up and maintain thousands of individual account aliases?

    Quote Originally Posted by phoenix View Post
    That is the only solution, if you think there's some other solution for Postfix then search the internet and feel free to report it as a bug.
    Technically, if Postfix doesn't provide domain aliases as a configuration item, they could be 'faked' by creating individual account aliases behind the scenes. But I didn't mean to start a discussion on implementation details. I only wanted to know, from an end-user (or end-admin) point of view, what the options are to have a domain alias without incurring backscattering.

    If you can confirm that this is not provided by Zimbra, I shall go ahead and post a RFE.
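
Added example, not part of any post in this thread: one way to script the per-account aliases discussed above, so that company.net addresses exist only for real company.com accounts and no catchall is needed. The domain names are the thread's placeholders; the system-account name patterns and the sample account list are assumptions constructed for the example.

```shell
#!/bin/sh
# Emit zmprov "aaa" (addAccountAlias) commands so that each account in the
# primary domain also has an address in the alias domain. Unknown recipients
# in the alias domain then stay unknown to the MTA; no catchall is involved.
#
# stdin : one account address per line (the format `zmprov -l gaa DOMAIN` prints)
# $1    : primary domain, $2: alias domain
# $3    : optional file of aliases that already exist, one per line
gen_alias_cmds() {
    awk -v p="$1" -v a="$2" -v ex="${3:-/dev/null}" '
        BEGIN {
            # Remember aliases that are already provisioned.
            while ((getline < ex) > 0) have[tolower($1)] = 1
        }
        {
            addr = tolower($1)
            if (split(addr, part, "@") != 2 || part[2] != p) next
            # Assumption: Zimbra system accounts use these name patterns.
            if (part[1] ~ /^(spam|ham|virus-quarantine)\./) next
            if (part[1] == "galsync") next
            new = part[1] "@" a
            if (new in have) next      # skip duplicates and existing aliases
            have[new] = 1
            print "aaa " addr " " new
        }
    '
}

# Constructed sample input, standing in for real `zmprov -l gaa` output.
sample_accounts() {
    cat <<'EOF'
alice@company.com
Bob@company.com
spam.k3x9@company.com
galsync@company.com
carol@other.example
EOF
}

# Demo: prints two aaa lines (alice and bob). On a real server, save the
# output to a file and feed it to `zmprov -f FILE` as the zimbra user.
sample_accounts | gen_alias_cmds company.com company.net
```

Accounts created later need the same alias, so the generator has to be re-run whenever users are added; passing the list of existing aliases as the third argument keeps repeated runs from re-emitting them.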

  4. #4
    devicegrip is offline Active Member

    I currently have zimbraMailCatchAllAddress and zimbraMailCatchAllForwardingAddress set on my server while I finish my migration from the old server.

    My users are receiving spam e-mails from users@domain.com and they are bypassing spamassassin. A few users had e-mails with viruses attached and I posted all of the logs I had on the forums. Are the catchall settings allowing these e-mails, supposedly from within our domain, to make it to our users bypassing all filters?

    Currently (until migration is complete) I have mail coming in the legacy server and forwarded to the Zimbra server. MX records still point to the legacy server.

    Thanks

  5. #5
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by devicegrip View Post
    Are the catchall settings allowing these e-mails,.....
    Yes, that's what a catchall address does and why I'd never recommend using it (except for a migration such as yours).
    Regards


    Bill



  6. #6
    devicegrip is offline Active Member

    Will the settings from
    Managing Domains - Zimbra :: Wiki
    help in my case? Or should I just finish my migration and remove the catchall?

    zmlocalconfig -e postfix_enable_smtpd_policyd=yes
    zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
    postfix stop
    postfix start

    Thanks

  7. #7
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by devicegrip View Post
    Or should I just finish my migration and remove the catchall?
    I'd just finish the migration and remove the catchall.
    Regards


    Bill

