Just to be clear on what you need do Sim, here's a few more precise pointers:
In MailScanner.conf change
Check Watermarks With No Sender = yes
to
Check Watermarks With No Sender = %rules-dir%/check.watermark.rules
and in the ruleset file (in the rules subdirectory of your MailScanner
etc directory (probably /etc/MailScanner/rules/check.watermark.rules)
create tre rules
-------- Start ------
# Our MailStore server(s) IP addresses should have a "no" for this
From: 192.168.3.140 no
# Under no circumstances should this be changed to "no".
FromOrTo: default yes
-------- End ------
Please be sure to separate the colums ("From:" is the first column,
"192.168.3.140" is the second etc) with <TAB> character(s). Reload or
restart mailScanner after this change and you'll not check watermarks
for internally generated non-delivery-notices, out-of-office messages
etc, and hence will not break the RFSs in such a bad way as before.
Also, consider either setting (in MailScanner.conf)
Treat Invalid Watermarks With No Sender as Spam = spam
or
Treat Invalid Watermarks With No Sender as Spam = 7
(or some other low-scoring spam number), since elsewise you run a
definite risk of losing non-delivery-reports genereted on outside
systems that do not preserve the watermark header... Better that they
violate the RFCs than you;-)
And finally, you can easily configure RECIPIENT address verification
in postfix by adding something like
reject_unverified_recipient
to your smtpd_recipient_restrictions in main.cf ... or something
similar (I actually don't use this feature, since I don't trust our
mailstoree to properly reject things, so use a relay_recipient_map
instead... that I generate with LDAP every 15 minutes.. Same effect,
different approach). If you didn't find it anywhere else, your systems
package for Postfix probably installed the readme somewhere like:
/usr/share/doc/postfix-*/README_FILES/ADDRESS_VERIFICATION_README
... See the warnings at the top, and heed the one about SENDER address
verification.
Cheers
--
-- Glenn (who had a few minutes to spend on this:-)
Post by Glenn Steen# Do you want to check watermarks?
# This can also be the filename of a ruleset.
Check Watermarks With No Sender = yes
... And simply avoid checking the watermark on your mailstore systems
IP address.
Probably the simplest fix of all;-).
Cheers!
--
-- Glenn
Post by Glenn SteenYou have the watermark feature enabled, to handle all those faked
bounces/NDRs/NDNs (in reality, where the envelope sender is <>), but
when your own mailstore (the server/servers protected by your
MX/MailScanner system) generate a bounce these also lack the watermark
(which is just a specific header with a checksum cryptagraphically
protected...) and thus get handled as "bad". Many systems
implementation of OoO will fall into this category as well. Regular
bounces SHOULD NOT lack the watermark, but this is up to the
mailstore, whether the watermark is present in the NDN or not.
- Don't mark them as "High scoring spam". Just mark as Spam and they
will actually get delivered, thus making your system RFC compliant (or
at least a tad more so:-).
- Try to make your mailstore system(s) generate or preserve a valid
watermark header for bounces etc. This is a lot less trivial than the
first step, and in many cases close to impossible... In many cases,
just implementing the first step above is the only real option... at
least from a time management perspective:-):-).
So... this problem of yours is mostly a problem outside of
mailScanner, but entirely caused be the use of the watermark feature.
i wouldn't recommend turning it off, without first doing a thorough
analysis of the effectiveness of the feature...;)
Cheers!
--
-- Glenn
Post by SimThanks for reply...
But in other case the bounce is generated for other reasons
For example if the mailbox for the user is over quota, etc..
In this case the bounce is "dropped".
The question is why this "postfix/cleanup - MailScanner" header is too short
...and how to extend it :-(
Thanks again
---
Sim
Post by Glenn SteenActually... All you need do is configure recipient verification in postfix
(this is in-built and documented well several places, like the postfix doc
site or the MailScanner wiki). Alternatively maintain a relay recipient map
or an access map (both are fairly trivial to set up).
Doing any of these will reject instead of bounce, for unknown recipients.
Flip side of the coin is that you may expose your recipient "universe", for
easy mapping (regardless if you have disabled vrfy), but... That's just how
it is:-)
Cheers
--
-- Glenn
Quite an easy solution is to simply don't bounce. E-mail to non-existing
users is probably (uncought) spam and they rarely come from legit e-mail
addresses. You are spamming the actual owners of the e-mail addresses being
abused by sending backscatter to them. It might even get you listed on a
backscatter dnsbl.
If you want to provide legit mail senders with a "this user doesn't
exist" message, configure all legit users on your edge server so mail to
non-existing users is being blocked on smtp level. (This will also reject
~90% of spam) The sending party can than implement any backscatter/messages
they want with this information, it's not your problem.
Post by SimHello to all!
I've a little issue...
At this time my internal "Mailbox Server" generate a bounce for not
exiting "nomail" account.
This bounce is detected as SPAM from MailScanner.
- The IP of Mailbox Server is in "Whitelist"
- The LAN (/24) of Mailbox Server is in "Trusted Network"
- The LAN (/24) of Mailbox Server is in "Outbound mail relay"
- All other email sent from "Mailbox Server" are detected as "white list"
postfix/cleanup[20872]: C1C2960069: hold: header Received: from
srv.mydomain.local (unknown [192.168.0.10])??(using TLSv1 with cipher
AES128-SHA (128/128 bits))??(No client certificate requested)??by
mail.mydomain.com (Postfix) w from unknown[192.168.0.10]; from=<>
[..]
MailScanner[19852]: Spam Checks: Starting
MailScanner[19852]: Message C1C2960069.AEB15 from 192.168.0.10 has no
(or invalid) watermark or sender address, marked as high-scoring spam
MailScanner[19852]: Spam Checks: Found 1 spam messages
The header of postifx/cleanup is incomplete!!!!
Looking for full header i've seen: "(Postfix) with ESMTPS id
C1C2960069?" and not only "(Postfix) w"
How to increase this "check of the header limit" in postfix, cleanup or
MailScanner ?
Thanks
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
***@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!