[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation

Mark Sapiro mark at msapiro.net
Sun Jan 15 23:50:02 EET 2012


On 11:59 AM, Charles Marcus wrote:
> On 2012-01-14 12:23 PM, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
>> I have downloaded the latest version 4.0 - but it seems there is no
>> way to prevent spammers from using forged email addresses. I decided to
>> remove the vacation feature from our corporate mail server, because
>> it actually opens a backdoor (even though only when someone decides
>> to activate his vacation auto-reply) for spammers and puts a risk on
>> the company (our server can be blacklisted).
> 
> Sorry, I misread your message...
> 
> However, (I *think*) there *is* a simple solution to your problem, if I
> now understand it correctly...
> 
> Simply disallow anyone sending from an email address in your domain from
> sending without SASL_AUTHing...


I don't see how this will help. The scenario the OP is concerned about
is spammer at foreign.domain sends a message with forged From: and maybe
envelope sender victim at other.foreign.domain to his user on vacation. The
vacation program sends an autoresponse to the victim.

However, why worry about this minimal backscatter? A good vacation
program will not send more than one autoresponse per long time (a week?)
for a given sender/recipient and won't include the original spam
payload. So, even though a spammer might use this backdoor to cause your
server to send messages to multiple recipients, the messages should not
have spam payloads and shouldn't be sent more than once to a given end
recipient.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
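
The backscatter limits described in the message above, as an added example that is not part of the original post and is not Dovecot or Postfix code. The class, its method names, the one-week interval and the sample addresses are assumptions made for illustration; the header checks follow RFC 3834.

```python
# Added illustration: backscatter-limiting checks for a vacation autoresponder.
# VacationResponder and its methods are hypothetical names, not a real API.
import time
from email.message import EmailMessage

REPLY_INTERVAL = 7 * 24 * 3600  # assumption: the "a week?" window from the post


class VacationResponder:
    def __init__(self, interval=REPLY_INTERVAL):
        self.interval = interval
        self.last_reply = {}  # (recipient, envelope sender) -> time of last reply

    def should_reply(self, msg, env_sender, recipient, now=None):
        now = time.time() if now is None else now
        sender = env_sender.strip().lower()
        # Never answer bounces (null envelope sender) or daemon/list-owner senders.
        if sender in ("", "<>") or sender.startswith(("mailer-daemon@", "owner-")):
            return False
        # RFC 3834: do not answer automatically generated or list mail.
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return False
        if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
            return False
        if msg.get("List-Id") is not None:
            return False
        # At most one autoresponse per sender/recipient pair per interval.
        key = (recipient.lower(), sender)
        last = self.last_reply.get(key)
        if last is not None and now - last < self.interval:
            return False
        self.last_reply[key] = now
        return True

    def build_reply(self, env_sender, recipient, text):
        # Fixed subject and body only: nothing from the incoming message
        # (subject, body, attachments) is echoed, so a forged sender address
        # never receives the spammer's payload from this server.
        reply = EmailMessage()
        reply["From"] = recipient
        reply["To"] = env_sender
        reply["Subject"] = "Auto: out of office"
        reply["Auto-Submitted"] = "auto-replied"  # stops other responders looping
        reply.set_content(text)
        return reply
```

The in-memory dictionary stands in for whatever persistent store a real responder would use; the reply-tracking state has to survive restarts for the rate limit to hold.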



