Results 1 to 7 of 7

Thread: Postfix - how to make zimbra respond 550 unknown user rather than bounce?

  1. #1
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Question Postfix - how to make zimbra respond 550 unknown user rather than bounce?

    Bounce emails are polite, but with spam these days, probably 98%+ bounce messages are to bogus addresses because they are spam with forged sender/reply to address.

    By default, Zimbra bounces for unknown users which results in the spam message being sent along with the failed delivery message to be sent to whoever had the fortune of having their email address as the forged sender.

    Not sure where I read it, but most mail admins will advocate that a better way to handle unknown user is to make postfix reject the email with a '550: Recipient Address Rejected: User unknown in local recipient table'. It is then up to the MTA that originated the connection to Zimra to determine what it should do with the email (spam).

    This eliminates a lot of wasted traffic and makes Zimbra a good netizen for not bouncing spam around the internet.

    So, my question, how can one configure Zimbra to give a 550 reject rather than a bounce?

    In other postfix installations, I was able to do this using the local_recipient_maps setting like so (main.cf):

    Code:
    # Set this because this causes local postfix to generate a 550 reject
    # response to the SMTP server that initiated the connection
    # rather than sending a bounce email to a likely bogus address
    unknown_local_recipient_reject_code = 550
    local_recipient_maps  = $virtual_mailbox_maps
    But this setting doesn't seem to work with default zimbra setup.

    Has anybody done this?
    Last edited by jdell; 11-28-2006 at 03:15 PM.

  2. #2
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Default Some more info on this and external references

    This FAQ says what I'm getting at:
    http://www.seaglass.com/postfix/faq.html#ubenousr

    And this README explains about local_recipient_maps:
    http://www.postfix.org/LOCAL_RECIPIENT_README.html

    This got me wondering about how Zimbra postfix config is really working.

    For example, there is not local_transport specified in main.cf. I assume it is 'virtual', but I wonder if 'local' is still enabled?

    Also, I don't see a mydestination, which seems to be necessary. Is there an implicit or default mydestination somewhere?

    I'm hoping a Zimbra employee/postfix guru can explain how this stuff is working. I've used postfix quite a bit before, but I always seem to learn just enough to get it working

  3. #3
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default

    Quote Originally Posted by jdell View Post
    This FAQ says what I'm getting at:
    http://www.seaglass.com/postfix/faq.html#ubenousr

    And this README explains about local_recipient_maps:
    http://www.postfix.org/LOCAL_RECIPIENT_README.html

    This got me wondering about how Zimbra postfix config is really working.

    For example, there is not local_transport specified in main.cf. I assume it is 'virtual', but I wonder if 'local' is still enabled?

    Also, I don't see a mydestination, which seems to be necessary. Is there an implicit or default mydestination somewhere?

    I'm hoping a Zimbra employee/postfix guru can explain how this stuff is working. I've used postfix quite a bit before, but I always seem to learn just enough to get it working
    I am pretty sure i get error messages about my main domain being both in the virtual and local_transport tables. I need to dig into a bit more, but I am also seeing a lot of traffic generated from bounces from addresses that don't exist in the first place.

  4. #4
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Default

    Quote Originally Posted by lostknight View Post
    I am pretty sure i get error messages about my main domain being both in the virtual and local_transport tables. I need to dig into a bit more, but I am also seeing a lot of traffic generated from bounces from addresses that don't exist in the first place.
    As far as the error messages about domain, I think you are referring to this bug: http://bugzilla.zimbra.com/show_bug.cgi?id=11630 which may be fixed in next release (target milestone for bug is Frank), but nothing checked in yet.

    I noticed today that I was averaging probably 50 bounces an hour to addresses that don't exist and never did exist for my domain, and the bounces were going to what looked like legitimate external addresses, so in effect, our Zimbra server is part of the spam problem, not part of the solution

  5. #5
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Unhappy Here is a important reason why bouncing is bad!

    I found a document that explains why it is important not to bounce, but rather to reject emails.

    Basically, your mail server can find itself on a spam blacklist because of misdirected bounces. Specifically, spammers began using this 'bounce' technique to get around blacklists (sending emails to unknown users in your domain knowing it will bounce to their intended spam destination). As a result, spamcop.net is blacklisting mail servers that produce lots of bounce spam.

    http://www.spamcop.net/fom-serve/cache/329.html

    I am very curious at the lack of response to this thread... I know that it will be interesting and a really important issue if you find your server is blacklisted!

  6. #6
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Talking figured it out

    Ok, well a combination of circumstances conspired against me.

    The short answer is that postfix by default sets mynetworks_style = subnet. Because smtpd_recipient_restrictions has permit_mynetworks before reject_unath_destination, this means anybody sending from a client IP in my subnet will bounce rather than reject.

    The proper fix is to set mynetworks_style = host

    The long answer on why this was difficult for me to figure out is that because I'm at a university (lots of mail traffic), we have gateway SMTP servers that have the official MX record for my domain. The gatways then forward to Zimbra, so effectively everything I received was considered in my subnet, hence all the bounces! Doh!

    Even though postfix configures mynetworks_style = subnet by default, I think this really isn't the best default given the nature of spam these days. I think you should start with the most restrictive setting and loosen it up as appropriate. I think I might file a bug to request that as a default. At a minimum, I'll add this to the wiki.

    For thoroughness, the only change needed is /opt/zimbra/conf/zmmta.conf (add the following line right before 'RESTART mta'):
    Code:
            POSTCONF mynetworks_style         host
    Then 'postfix reload' for changes to take effect.

  7. #7
    jdell is offline Project Contributor
    Join Date
    Jul 2006
    Location
    Reno, NV, USA
    Posts
    203
    Rep Power
    8

    Lightbulb more discussion

    After chatting with the university gateway mail administrator, effectively I've only pushed the bounce 'upstream' because my Zimbra doesn't have the MX record. That is, now that Zimbra is rejecting, the university gateway servers now bounce.

    The university is planning to soon add a 'valid email addresses' list for the gateways so they can reject rather than bounce which will fully and completely solve the problem.

    To do this, we will likely setup some simple LDAP polling of Zimbra with a cron job to automate pulling this 'valid email addresses' from Zimbra LDAP into a local file on the gateways.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Zimbra Install Problem - getDirectContext
    By bsimzer in forum Installation
    Replies: 27
    Last Post: 07-19-2007, 10:12 AM
  2. dspam logrotate errors
    By michaeln in forum Users
    Replies: 7
    Last Post: 02-19-2007, 12:45 PM
  3. Unable to start tomcat
    By chanck in forum Administrators
    Replies: 11
    Last Post: 06-11-2006, 12:58 AM
  4. Fedora Core 3, Clean Install - Not working!
    By pcjackson in forum Installation
    Replies: 17
    Last Post: 03-05-2006, 07:38 PM
  5. Network edition - strange behavior
    By goetzi in forum Installation
    Replies: 6
    Last Post: 11-16-2005, 03:08 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •