virtual users, mailer daemon send mails to non existant recipient and dovecot store it
Hello,
Sometimes, when we receive spam or a virus that is detected as such, the mailer daemon sends a reply to the sender to inform them that the message is spam or contains viruses.
The problem is that the sender of the spam is something like voicemail@ourdomain.fr (the user voicemail doesn't exist in our database).
And sometimes Dovecot creates the directory and stores the reply mail...
Aug 23 16:07:31 mail3 postfix/cleanup[15687]: C7EEB406FFFD: message-id=<20160823140731.C7EEB406FFFD@mail3.ourdomain.fr>
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: from=<>, size=14280, nrcpt=1 (queue active)
Aug 23 16:07:31 mail3 postfix/bounce[15800]: 824D7406FFFC: sender non-delivery notification: C7EEB406FFFD
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: 824D7406FFFC: removed
Aug 23 16:07:31 mail3 dovecot: auth: Debug: master in: USER#0111#011voicemail#011service=lda
Aug 23 16:07:31 mail3 dovecot: auth: Debug: userdb out: USER#0111#011voicemail#011uid=1001#011gid=1001#011home=/home/vmail/voicemail
Aug 23 16:07:31 mail3 dovecot: lda(voicemail): msgid=<20160823140731.C7EEB406FFFD@mail3.ourdomain.fr>: saved mail to INBOX
Aug 23 16:07:31 mail3 postfix/pipe[15791]: C7EEB406FFFD: to=<voicemail@ourdomain.fr>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: removed

Here is the stored mail:

Return-Path: <MAILER-DAEMON>
Delivered-To: voicemail@ourdomain.fr
Received: by mail3.ourdomain.fr (Postfix) id C7EEB406FFFD; Tue, 23 Aug 2016 16:07:31 +0200 (CEST)
Date: Tue, 23 Aug 2016 16:07:31 +0200 (CEST)
From: MAILER-DAEMON@ourdomain.fr (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: voicemail@ourdomain.fr
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="824D7406FFFC.1471961251/mail3.ourdomain.fr"
Message-Id: <20160823140731.C7EEB406FFFD@mail3.ourdomain.fr>

This is a MIME-encapsulated message.
--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail3.ourdomain.fr.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<existing.user@ourdomain.com> (expanded from <existing.user@ourdomain.fr>): host mails.collaboration-sfr.com[86.64.240.34] said: 552 5.2.0 <ae7X1t00115ZlG601e7Xvw> reject for policy reason : spam detected in your mail (in reply to end of DATA command)

--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mail3.ourdomain.fr
X-Postfix-Queue-ID: 824D7406FFFC
X-Postfix-Sender: rfc822; voicemail@ourdomain.fr
Arrival-Date: Tue, 23 Aug 2016 16:07:29 +0200 (CEST)

Final-Recipient: rfc822; existing.user@ourdomain.com
Original-Recipient: rfc822;existing.user@ourdomain.fr
Action: failed
Status: 5.2.0
Remote-MTA: dns; mails.collaboration-sfr.com
Diagnostic-Code: smtp; 552 5.2.0 <ae7X1t00115ZlG601e7Xvw> reject for policy reason : spam detected in your mail

--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <voicemail@ourdomain.fr>
Received: from 177.222.108.254.dynamic.on.com.br (unknown [177.222.108.254])
    by mail3.ourdomain.fr (Postfix) with ESMTP id 824D7406FFFC
    for <existing.user@ourdomain.fr>; Tue, 23 Aug 2016 16:07:29 +0200 (CEST)
From:voicemail@ourdomain.fr
To:existing.user@ourdomain.fr
Subject: [Vigor2820 Series] New voice mail message from 01425939048 on 2016/08/23 11:07:28
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="5A1b791c537d41f1"

--5A1b791c537d41f1
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Dear existing.user : There is a message for you from 01425939048, on 2016/08/23 11:07:28 . You might want to check it when you get a chance.Thanks!

--5A1b791c537d41f1
Content-Type: audio/x-wav; name="Message_from_01425939048.wav.zip"
Content-Transfer-Encoding: BASE64
Content-Description: Voicemail sound attachment.
Content-Disposition: attachment; filename="Message_from_01425939048.wav.zip"

I don't understand why I don't have the same behavior as when I send a mail to a non-existent address (<tottttt@ourdomain.fr>: Recipient address rejected: User unknown in virtual mailbox table)
How can I fix it?
Thanks a lot!
Samuel
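
A way to find the stray deliveries described above, as an added example that is not part of the original post: it correlates null-sender (`from=<>`) bounces with successful Dovecot deliveries and reports recipients whose local part is not a known account. The log lines are constructed after the excerpt above; `known_users` and the function name are assumptions.

```python
import re

# Constructed sample, modelled on the log excerpt in the post above.
SAMPLE_LOG = """\
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: from=<>, size=14280, nrcpt=1 (queue active)
Aug 23 16:07:31 mail3 postfix/pipe[15791]: C7EEB406FFFD: to=<voicemail@ourdomain.fr>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 23 16:09:02 mail3 postfix/qmgr[12987]: A1B2C3D4E5F6: from=<>, size=3120, nrcpt=1 (queue active)
Aug 23 16:09:02 mail3 postfix/pipe[15791]: A1B2C3D4E5F6: to=<existing.user@ourdomain.fr>, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

# qmgr line of a message with the null envelope sender, i.e. a bounce/DSN.
NULL_SENDER = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<>,")
# pipe line of a message handed to the dovecot transport and accepted by it.
DOVECOT_SENT = re.compile(
    r"postfix/pipe\[\d+\]: (\w+): to=<([^>]+)>, relay=dovecot,.*status=sent")


def stray_bounce_deliveries(log_text, known_users):
    """Return (queue_id, recipient) for bounces stored for unknown local users.

    known_users is a set of lower-case local parts of real accounts
    (hypothetical input; export it from whatever holds your user list).
    """
    bounce_ids, hits = set(), []
    for line in log_text.splitlines():
        m = NULL_SENDER.search(line)
        if m:
            bounce_ids.add(m.group(1))
            continue
        m = DOVECOT_SENT.search(line)
        if m and m.group(1) in bounce_ids:
            local_part = m.group(2).split("@", 1)[0].lower()
            if local_part not in known_users:
                hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for queue_id, rcpt in stray_bounce_deliveries(SAMPLE_LOG, {"existing.user"}):
        print(f"{queue_id}: bounce stored for unknown recipient {rcpt}")
```

Each hit corresponds to a mailbox directory that Dovecot created for an address nobody owns, so the result doubles as a cleanup list.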
On August 23, 2016 at 6:57 PM Sam <sr42354@gmail.com> wrote:
> Hello,
> Sometimes, when we receive spam or a virus that is detected as such, the mailer daemon sends a reply to the sender to inform them that the message is spam or contains viruses.
> The problem is that the sender of the spam is something like voicemail@ourdomain.fr (the user voicemail doesn't exist in our database).
> And sometimes Dovecot creates the directory and stores the reply mail...
> <snip/>
> I don't understand why I don't have the same behavior as when I send a mail to a non-existent address (<tottttt@ourdomain.fr>: Recipient address rejected: User unknown in virtual mailbox table)
> How can I fix it?
> Thanks a lot!
> Samuel
Please provide doveconf -n output.
Aki
Hello Aki, here is the output:
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/sieve.creds
  driver = passwd-file
  master = yes
}
plugin {
  quota = maildir
  quota_grace = 10%%
  quota_rule2 = Trash:storage=+100M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail3.albertville.fr/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail3.albertville.fr/privkey.pem
userdb {
  args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=yes
  driver = static
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " quota sieve"
  postmaster_address = postmaster@%d
}
protocol imap {
  mail_plugins = " quota imap_quota"
}

On 23/08/2016 at 18:08, Aki Tuomi wrote:
> doveconf -n output
On 24.08.2016 09:43, Sam wrote:
> Hello Aki, here is the output:
> userdb {
>   args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=yes
>   driver = static
> }
You basically accept all users here, this is why things get delivered. If you don't like this, change this to some other userdb, preferably same you are using for auth db.
Aki
Does it work with pam? Can I set it like this:
userdb {
  driver = pam
  args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=no
}
Thanks Aki
On 24/08/2016 at 08:45, Aki Tuomi wrote:
> On 24.08.2016 09:43, Sam wrote:
>> Hello Aki, here is the output:
>> userdb {
>>   args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=yes
>>   driver = static
>> }
> You basically accept all users here, this is why things get delivered. If you don't like this, change this to some other userdb, preferably same you are using for auth db.
> Aki
You can just remove the allow_all_users setting.
Aki
On 24.08.2016 10:18, Sam wrote:
> Does it work with pam? Can I set it like this:
> userdb {
>   driver = pam
>   args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=no
> }
> Thanks Aki
You can remove the setting even when using static userdb, this will cause dovecot to perform passdb lookup to verify user.
Aki
On 24.08.2016 10:29, Aki Tuomi wrote:
> You can just remove the allow_all_users setting.
> Aki
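
The setting Aki points at can be checked mechanically. The following is an added example, not part of the original thread and not Dovecot's own code: a small Python audit that reads `doveconf -n` output and flags a static userdb carrying `allow_all_users=yes`. The sample input is constructed from the configuration posted above, and the function names are hypothetical.

```python
# Constructed sample: the passdb/userdb part of the `doveconf -n` output
# posted earlier in this thread.
SAMPLE_DOVECONF = """\
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/sieve.creds
  driver = passwd-file
  master = yes
}
userdb {
  args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=yes
  driver = static
}
"""


def parse_blocks(text, section):
    """Return one dict of settings per top-level `section { ... }` block."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 1 and line[:-1].split()[:1] == [section]:
                current = {}
        elif line == "}":
            if depth == 1 and current is not None:
                blocks.append(current)
                current = None
            depth -= 1
        elif current is not None and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks


def audit_userdb(text):
    """Flag static userdb blocks that skip the passdb existence check."""
    findings = []
    for block in parse_blocks(text, "userdb"):
        # args is a space-separated list of key=value pairs.
        args = dict(a.partition("=")[::2] for a in block.get("args", "").split())
        if block.get("driver") == "static" and args.get("allow_all_users") == "yes":
            findings.append("userdb static with allow_all_users=yes: "
                            "every recipient is accepted, no passdb lookup")
    return findings


if __name__ == "__main__":
    for finding in audit_userdb(SAMPLE_DOVECONF):
        print(finding)
```

With `allow_all_users=yes` removed from `args`, as suggested in the replies above, the audit returns no findings.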
On Tue, Aug 23, 2016 at 05:57:37PM +0200, Sam wrote:
> Hello,
> Sometimes, when we receive spam or a virus that is detected as such, the mailer daemon sends a reply to the sender to inform them that the message is spam or contains viruses.
You probably shouldn't do this. The vast majority of spam / virus emails are sent from compromised machines / botnets, use fake return paths, and either don't monitor replies, or just use replies to verify that the email address is valid and send more spam to it. Or worse, it can turn your server into a spamming machine if the return addresses are set to other people's email addresses.
There are several valid ways of handling spam, depending on how your mail architecture works. One is to reject incoming spam messages at the receiving mailserver. The downside is that this leaks information to the spammers about what spam methods actually get through or not.
Another method is to accept all incoming messages, then sort / quarantine / blackhole any spam. The downside is that this makes your server seem more accepting, which may attract more spam.
I personally take the second approach, though which is better will definitely depend on how your specific system works.
If you're really dead set on having some sort of auto reply, at the very least make it only reply to senders that have historically sent good messages (e.g. some sort of whitelist).
--Sean
Hello Sean,
You're right, I'm going to switch off the return message too.
Thanks!
Samuel
On 23/08/2016 at 20:07, Sean Greenslade wrote:
> On Tue, Aug 23, 2016 at 05:57:37PM +0200, Sam wrote:
>> Hello,
>> Sometimes, when we receive spam or a virus that is detected as such, the mailer daemon sends a reply to the sender to inform them that the message is spam or contains viruses.
> You probably shouldn't do this. The vast majority of spam / virus emails are sent from compromised machines / botnets, use fake return paths, and either don't monitor replies, or just use replies to verify that the email address is valid and send more spam to it. Or worse, it can turn your server into a spamming machine if the return addresses are set to other people's email addresses.
> There are several valid ways of handling spam, depending on how your mail architecture works. One is to reject incoming spam messages at the receiving mailserver. The downside is that this leaks information to the spammers about what spam methods actually get through or not.
> Another method is to accept all incoming messages, then sort / quarantine / blackhole any spam. The downside is that this makes your server seem more accepting, which may attract more spam.
> I personally take the second approach, though which is better will definitely depend on how your specific system works.
> If you're really dead set on having some sort of auto reply, at the very least make it only reply to senders that have historically sent good messages (e.g. some sort of whitelist).
> --Sean
Hey Sam,
My view on this is that your Postfix actually sends this reply to your system because the bounce is inbound traffic, and when you send it from outside it is outbound traffic, therefore the virtual file is checked and successfully blocked this kind of request.
Greetings dominik
On 8/23/2016 11:57 AM, Sam <sr42354@gmail.com> wrote:
> The problem is that the sender of the spam is something like voicemail@ourdomain.fr (the user voicemail doesn't exist in our database).
> And sometimes Dovecot creates the directory and stores the reply mail...
- Don't accept mail for non-existent (invalid) users
- Don't accept mail from domains that you control that don't originate from your smtp server(s)
Problem solved.
On 8/24/2016 8:08 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> - Don't accept mail from domains that you control that don't originate from your smtp server(s)
> Problem solved.
Oops, that should of course read:
- Don't accept mail that is both TO & FROM a (the same) domain that you control that doesn't originate from your SMTP server(s)
participants (5)
- Aki Tuomi
- Dominik Breu
- Sam
- Sean Greenslade
- Tanstaafl