Postfix - how to make zimbra respond 550 unknown user rather than bounce?

[jdell]

Bounce emails are polite, but with spam these days, probably 98%+ bounce messages are to bogus addresses because they are spam with forged sender/reply to address.

By default, Zimbra bounces for unknown users which results in the spam message being sent along with the failed delivery message to be sent to whoever had the fortune of having their email address as the forged sender.

Not sure where I read it, but most mail admins will advocate that a better way to handle unknown user is to make postfix reject the email with a '550: Recipient Address Rejected: User unknown in local recipient table'. It is then up to the MTA that originated the connection to Zimra to determine what it should do with the email (spam).

This eliminates a lot of wasted traffic and makes Zimbra a good netizen for not bouncing spam around the internet.

So, my question, how can one configure Zimbra to give a 550 reject rather than a bounce?

In other postfix installations, I was able to do this using the local_recipient_maps setting like so (main.cf):

Code:

# Set this because this causes local postfix to generate a 550 reject
# response to the SMTP server that initiated the connection
# rather than sending a bounce email to a likely bogus address
unknown_local_recipient_reject_code = 550
local_recipient_maps  = $virtual_mailbox_maps

But this setting doesn't seem to work with default zimbra setup.

Has anybody done this?

[jdell]

This FAQ says what I'm getting at:
http://www.seaglass.com/postfix/faq.html#ubenousr

And this README explains about local_recipient_maps:
http://www.postfix.org/LOCAL_RECIPIENT_README.html

This got me wondering about how Zimbra postfix config is really working.

For example, there is not local_transport specified in main.cf. I assume it is 'virtual', but I wonder if 'local' is still enabled?

Also, I don't see a mydestination, which seems to be necessary. Is there an implicit or default mydestination somewhere?

I'm hoping a Zimbra employee/postfix guru can explain how this stuff is working. I've used postfix quite a bit before, but I always seem to learn just enough to get it working

[JoshuaPrismon]

This FAQ says what I'm getting at:
http://www.seaglass.com/postfix/faq.html#ubenousr

And this README explains about local_recipient_maps:
http://www.postfix.org/LOCAL_RECIPIENT_README.html

This got me wondering about how Zimbra postfix config is really working.

For example, there is not local_transport specified in main.cf. I assume it is 'virtual', but I wonder if 'local' is still enabled?

Also, I don't see a mydestination, which seems to be necessary. Is there an implicit or default mydestination somewhere?

I'm hoping a Zimbra employee/postfix guru can explain how this stuff is working. I've used postfix quite a bit before, but I always seem to learn just enough to get it working

I am pretty sure i get error messages about my main domain being both in the virtual and local_transport tables. I need to dig into a bit more, but I am also seeing a lot of traffic generated from bounces from addresses that don't exist in the first place.

[jdell]

I am pretty sure i get error messages about my main domain being both in the virtual and local_transport tables. I need to dig into a bit more, but I am also seeing a lot of traffic generated from bounces from addresses that don't exist in the first place.

As far as the error messages about domain, I think you are referring to this bug: http://bugzilla.zimbra.com/show_bug.cgi?id=11630 which may be fixed in next release (target milestone for bug is Frank), but nothing checked in yet.

I noticed today that I was averaging probably 50 bounces an hour to addresses that don't exist and never did exist for my domain, and the bounces were going to what looked like legitimate external addresses, so in effect, our Zimbra server is part of the spam problem, not part of the solution

[jdell]

I found a document that explains why it is important not to bounce, but rather to reject emails.

Basically, your mail server can find itself on a spam blacklist because of misdirected bounces. Specifically, spammers began using this 'bounce' technique to get around blacklists (sending emails to unknown users in your domain knowing it will bounce to their intended spam destination). As a result, spamcop.net is blacklisting mail servers that produce lots of bounce spam.

http://www.spamcop.net/fom-serve/cache/329.html

I am very curious at the lack of response to this thread... I know that it will be interesting and a really important issue if you find your server is blacklisted!

[jdell]

Ok, well a combination of circumstances conspired against me.

The short answer is that postfix by default sets mynetworks_style = subnet. Because smtpd_recipient_restrictions has permit_mynetworks before reject_unath_destination, this means anybody sending from a client IP in my subnet will bounce rather than reject.

The proper fix is to set mynetworks_style = host

The long answer on why this was difficult for me to figure out is that because I'm at a university (lots of mail traffic), we have gateway SMTP servers that have the official MX record for my domain. The gatways then forward to Zimbra, so effectively everything I received was considered in my subnet, hence all the bounces! Doh!

Even though postfix configures mynetworks_style = subnet by default, I think this really isn't the best default given the nature of spam these days. I think you should start with the most restrictive setting and loosen it up as appropriate. I think I might file a bug to request that as a default. At a minimum, I'll add this to the wiki.

For thoroughness, the only change needed is /opt/zimbra/conf/zmmta.conf (add the following line right before 'RESTART mta'):

Code:

        POSTCONF mynetworks_style         host

Then 'postfix reload' for changes to take effect.

[jdell]

After chatting with the university gateway mail administrator, effectively I've only pushed the bounce 'upstream' because my Zimbra doesn't have the MX record. That is, now that Zimbra is rejecting, the university gateway servers now bounce.

The university is planning to soon add a 'valid email addresses' list for the gateways so they can reject rather than bounce which will fully and completely solve the problem.

To do this, we will likely setup some simple LDAP polling of Zimbra with a cron job to automate pulling this 'valid email addresses' from Zimbra LDAP into a local file on the gateways.