The `envelope_from` address, which is used to direct bounces caught via the `SenderReply` exception, is not guaranteed to be a valid return address. Some authentication-related checking may be necessary.
We could perhaps simply use the body `From` header's address for most `SenderReply` bounces (and also add `In-Reply-To` via `Message-ID`), but this isn't guaranteed to be correct either if the original message fails DKIM. We need a better method to handle bounces before or during DKIM checks.
In the following exchange, an unauthorized server (`de.andrewyu.org`) attempts to make `mail.andrewyu.org` believe that it is `mail.noisytoot.org`, and attempts to send mail as `andrew@noisytoot.org` in both the envelope and the `From` header. It sends to the user `alwaysbounce@andrewyu.org`, which has a local delivery agent script set in `.forward` that always fails, so Postfix should be handling the bounce.
```text
andrew@de.andrewyu.org ~ $ nc mail.andrewyu.org 25
220 mail.andrewyu.org ESMTP andrewyu.org (Debian/GNU)
HELO mail.noisytoot.org
250 mail.andrewyu.org
MAIL FROM: andrew@noisytoot.org
250 2.1.0 Ok
RCPT TO: alwaysbounce@andrewyu.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: andrew@noisytoot.org
To: alwaysbounce@andrewyu.org
Subject: Sending to an address that Postfix bounces, from an impersonated envelope from, and impersonated MIME From
Too lazy to write content.
.
250 2.0.0 Ok: queued as 9372AFC0FE
```
When I then checked the mailbox for `andrew@noisytoot.org`, I found the bounce lying there. So apparently Postfix doesn't have a good way either.
Now I'm thinking of checking SPF (alignment with envelope from) and such, but that has two problems:

- If we act as our own receiving MTA and directly process connections from outside servers (which isn't hard in and of itself, but would not easily and peacefully coexist with Postfix, as only one process could bind to relevant ports such as 25), perhaps there's something in the SMTP envelope RFC that allows us to reject mail as we're reading through the DATA? (And of course, in that case we could easily reject invalid RCPT TOs.)
- Is it possible to let Postfix outright reject an email during DATA or immediately after the end of DATA, instead of giving SMTP 250 Ok?

Or just delegate it to the MTA that launched our MDA.
`pipe.8` says:

> Command exit status codes are expected to follow the conventions defined in <sysexits.h>. Exit status 0 means normal successful completion. In the case of a non-zero exit status, a limited amount of command output is logged, and reported in a delivery status notification. When the output begins with a 4.X.X or 5.X.X enhanced status code, the status code takes precedence over the non-zero exit status (Postfix version 2.3 and later). After successful delivery (zero exit status) a limited amount of command output is logged, and reported in "success" delivery status notifications (Postfix 3.0 and later). This command output is not examined for the presence of an enhanced status code.

Similar for `local.8`.
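As an added example (not part of this issue or of smlmp itself), here is what the "delegate it to the MTA" option looks like for an MDA run from `.forward`, following the `pipe.8`/`local.8` exit-status convention quoted above. It also carries the alignment check from the spoofed session earlier: the `From` header and envelope sender there align perfectly and are still forged, so alignment is only combined with an authentication result (SPF or DKIM) that the caller obtained elsewhere. Assumptions: `local(8)` exports the envelope sender in the `SENDER` environment variable and passes the message on stdin; the subscriber set and the `authenticated` flag are constructed inputs, and the SPF/DKIM evaluation itself is outside this example.

```python
"""Delivery-time check for a mailing-list MDA invoked from .forward.

Outputs an enhanced status code on stdout and exits with a <sysexits.h>
status, which is what pipe(8)/local(8) examine when deciding how to
report the delivery. Assumed interface (not from the issue): the envelope
sender arrives in the SENDER environment variable, the message on stdin.
"""
import os
import sys
from email import message_from_bytes, policy
from email.utils import parseaddr

# <sysexits.h> values; os.EX_* exist on POSIX, the numbers are the fallback.
EX_OK = getattr(os, "EX_OK", 0)
EX_DATAERR = getattr(os, "EX_DATAERR", 65)
EX_NOPERM = getattr(os, "EX_NOPERM", 77)


def domain_of(addr):
    """Lower-cased domain part of an address ('' if malformed or empty)."""
    _, addr = parseaddr(addr)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def aligned(envelope_from, header_from):
    """DMARC-style relaxed alignment: one domain equals or is a subdomain of
    the other. Alignment is not authentication: the forged session on this
    page aligns, because the attacker chose both addresses."""
    e, h = domain_of(envelope_from), domain_of(header_from)
    if not e or not h:
        return False
    return e == h or h.endswith("." + e) or e.endswith("." + h)


def decide(envelope_from, raw_message, subscribers, authenticated):
    """Return (enhanced status line, exit status) for one delivery.

    5.X.X marks the failure permanent; pipe(8)/local(8) let that code take
    precedence over the non-zero exit status. `authenticated` is the SPF/DKIM
    verdict the caller already has for this message (constructed input here).
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    header_from = str(msg.get("From", ""))

    if not domain_of(envelope_from):
        # Null or malformed reverse path: nothing trustworthy to bounce to.
        return "5.1.7 Bad sender address", EX_DATAERR
    if not authenticated or not aligned(envelope_from, header_from):
        return "5.7.1 Sender not authenticated for this list", EX_NOPERM
    _, sender = parseaddr(header_from)
    if sender.lower() not in subscribers:
        return "5.7.1 Sender is not subscribed to this list", EX_NOPERM
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return "5.7.1 Attachments are not allowed on this list", EX_NOPERM
    return "2.0.0 Accepted for list distribution", EX_OK


def main():
    sender = os.environ.get("SENDER", "")
    raw = sys.stdin.buffer.read()
    # Constructed subscriber set; a real MLM reads this from its own state.
    subscribers = {"alice@example.org"}
    # No upstream SPF/DKIM result is available in this stand-alone run, so
    # treat the message as unauthenticated.
    status, code = decide(sender, raw, subscribers, authenticated=False)
    print(status)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Wired in as `|/path/to/list-mda.py` in `.forward` (path assumed), a rejection reaches the MTA as `5.7.1 ...` plus exit status 77, and Postfix turns that into a delivery status notification. Note that this is still the situation the session above demonstrates: the message was already accepted with `250 Ok`, so the DSN goes to whatever envelope sender the client supplied. Rejecting before the queue, which Postfix can do through its smtpd restrictions or a milter that answers at end-of-DATA, is the only way to avoid generating that bounce at all.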
19:31 <AndrewYu> Hi... how does a receiving MTA properly determine return path when needing to bounce?
19:32 <AndrewYu> https://todo.sr.ht/~runxiyu/smlmp/6 context
19:33 <lunaphyte> return path is just [yet another] fancy term for the envelope sender
19:34 <lunaphyte> when an mta accepts a message, it records the envelope sender as part of its queuing process. if it decides to create a bounce message due to deliverability problem [or whatever], it references the envelope sender it recorded when it accepted the message
19:37 <AndrewYu> Yes... My question is, how does the MTA determine the envelope sender to be valid. let me attempt to rephrase
19:37 <lunaphyte> using other values to determine where to send bounce messages is a bad, bad, idea. please don't do that
19:38 <lunaphyte> here is the actual question you need to be asking: "why are there bounce messages getting generated?"
19:38 <lunaphyte> define "valid"
19:51 [AndrewYu away: sleep]
00:50 <AndrewYu> lunaphyte: My (custom) mailing list manager has detected a problem in a message and needs to reject the email
01:38 <lunaphyte> what problem?
01:57 <AndrewYu> Something like, "this user does not have permission to send to this list", or "MIME attachments are not allowed"
02:16 <@rob0> the MLM typically sets its own envelope sender address. That's the address that receives list bounces.
02:27 <pj> AndrewYu: I would recommend that you attempt to reject the message instead of sending a bounce, otherwise your server will become a backscatter source.
02:31 <pj> It basically means that your MTA needs to have a mechanism to reject the message before it's queued, postfix can do this given the proper configuration, as well as most other major MTAs.
02:34 <pj> !t AndrewYu backscatter
02:34 <dig-dug> AndrewYu: backscatter: Backscatter are bounces sent to innocent systems. A spammer sent email in behalf of the victim's system. Undeliverable emails get bounced to the victim. See https://en.wikipedia.org/wiki/Backscatter_(email)
03:10 <lunaphyte> your philosophy is flawed. do not accept messages and then decide if you want them. decide if you want them before you accept them, and if not, reject them
03:11 <lunaphyte> why are you attempting to write more mailing list software? this is something that requires a comprehensive understanding of email, and how to operate email infrastructure responsibly
03:12 <lunaphyte> a mailing list needs to require confirmed opt in before accepting messages from a given sender, which makes it easy to know if someone has permission to send to a list