Email Redirects not going through rspamd/Postfix-restrictions!?

Discussion in 'ISPConfig 3 Priority Support' started by jeensg, Jun 12, 2022.

  1. jeensg

    jeensg Member

    I have the following problem:
- Mail from a spammer is sent to an address that is a redirect to another address (internal or external), e.g.
    Code:
    Jun  9 14:15:33 $myhostname postfix/qmgr[3259609]: EE22221F28: from=<[email protected]>, size=75977, nrcpt=3 (queue active)
- Mail is relayed / redirected to the external address:
    Code:
    Jun  9 14:15:34 $myhostname postfix/smtp[482807]: EE22221F28: to=<[email protected]>, orig_to=<[email protected]>, relay=externalmailserver.de[$IP]:25, delay=3.2, delays=2.4/0.01/0.66/0.06, dsn=4.7.1, status=deferred (host externalmailserver.de[$IP] said: 451 4.7.1 Service unavailable - try again later (in reply to end of DATA command
(- I checked that I can send mail to the external mailserver directly without problems!)
    - Mail is then rejected:
    Code:
    Jun  9 17:52:41 $myhostname postfix/qmgr[3259609]: EE22221F28: from=<[email protected]>, size=75977, nrcpt=3 (queue active)
    Jun  9 17:52:42 $myhostname postfix/smtp[502959]: EE22221F28: to=<[email protected]>, orig_to=<[email protected]>, relay=externalmailserver[$IP]:25, delay=13031, delays=13030/0.01/0.12/1.1, dsn=5.7.1, status=bounced (host externalmailserver[$IP] said: 550 5.7.1 Command rejected (in reply to end of DATA command))
    - Bounce is sent:
    Code:
    Jun  9 17:52:42 $myhostname postfix/bounce[502960]: EE22221F28: sender non-delivery notification: 4981E22FF8
    - Bounce can't be sent:
    Code:
    Jun  9 17:52:43 $myhostname postfix/smtp[502959]: 4981E22FF8: to=<[email protected]>, relay=mx.bellaliant.net[209.71.212.24]:25, delay=0.93, delays=0.01/0/0.92/0, dsn=4.4.2, status=deferred (lost connection with mx.bellaliant.net[209.71.212.24] while performing the HELO handshake)
-> It seems to me that the mailserver shouldn't have been able to send the mail in the first place, since HELO doesn't work!?
    -> Are these redirected mails processed by Postfix-restrictions and/or Rspamd?

While writing, I was wondering whether this shouldn't be addressed in smtpd_relay_restrictions!? Are they separate from smtpd_helo_restrictions and should I add some there? Does anybody have similar experience or any clue? I do have the same problem with different mail providers like Gmail, T-Online or Posteo. Do I miss something or is it just a misconfigured mailserver? Maybe I missed out on some hardening parts for redirected mails? Thanks in advance.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

Forwarding email is becoming more and more problematic as various methods of authenticating the source of the email are being implemented, and there is no panacea: there are downsides to every forwarding approach commonly used, so it becomes a matter of "choose your poison". Per a recent thread on the mailop list, the best current practice for forwarding mail to gmail is: don't do it. Rather, configure gmail to pull mail from your server via pop3/imap. The same would apply with any other service you forward to.

    That said, there are surely numerous improvements to how ISPConfig configures things and in what you can do locally to improve forwarding, and those are well worth exploring.

    Your scenario is the local server generating a bounce for a spam message that it attempted to forward, and the bounce itself to the original sender's address cannot be delivered. First, your questions:
    The HELO which didn't complete is when your server attempted to deliver the bounce to the spammer, it does not relate in any way to the original message which the spammer sent to your server. You can use sender address verification to perform some checks for deliverability of sender addresses which might catch this, though there are limitations you should be aware of and problems which make this a bad idea.

    Surely they are processed by some postfix restrictions, and I would expect the message does pass through rspamd, though I don't know with what envelope recipient offhand (check rspamd.log for more info). You may have to create a spamfilter rule for the destination/external address to filter those? I would have to setup some tests to be sure.

    No, you are not relaying mail for the spammer, you are accepting the message for delivery to a local address, and then forwarding that on.
    Relay restrictions are certainly a separate thing from helo restrictions; I probably don't understand your question.
    It is just the nature of mail forwarding. You can try to improve your local filtering so you forward less stuff that would be rejected (resulting in the problematic bounce messages being generated). What would be ideal is a way to attempt the forward while the original smtp connection is still open, so a failure could be returned via SMTP code instead of a bounce; I don't know of any way to do that offhand, though it is possible there might be one. Maybe pose that question on the postfix-users list?
     
    Last edited: Jun 15, 2022
    jeensg likes this.
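As an added example (not from the thread and not ISPConfig's own code), a small Python script that groups Postfix log lines by queue ID and flags the exact pattern jeensg posted: a forwarded delivery (orig_to set) that the external host rejected, followed by a non-delivery notification that this server could not deliver to the original sender. The sample log lines are constructed placeholders modelled on the thread; the field names follow Postfix's standard log format.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread; hosts/addresses are RFC 2606/5737 placeholders.
SAMPLE_LOG = """\
Jun  9 14:15:33 mx postfix/qmgr[3259609]: EE22221F28: from=<spammer@example.net>, size=75977, nrcpt=3 (queue active)
Jun  9 17:52:42 mx postfix/smtp[502959]: EE22221F28: to=<user@external.example>, orig_to=<alias@local.example>, relay=external.example[192.0.2.10]:25, delay=13031, delays=13030/0.01/0.12/1.1, dsn=5.7.1, status=bounced (host external.example[192.0.2.10] said: 550 5.7.1 Command rejected (in reply to end of DATA command))
Jun  9 17:52:42 mx postfix/bounce[502960]: EE22221F28: sender non-delivery notification: 4981E22FF8
Jun  9 17:52:43 mx postfix/smtp[502959]: 4981E22FF8: to=<spammer@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.93, delays=0.01/0/0.92/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[198.51.100.5] while performing the HELO handshake)
Jun  9 18:00:00 mx postfix/qmgr[3259609]: AA11B22C33: from=<friend@example.org>, size=1200, nrcpt=1 (queue active)
Jun  9 18:00:01 mx postfix/smtp[502959]: AA11B22C33: to=<user@external.example>, orig_to=<alias@local.example>, relay=external.example[192.0.2.10]:25, delay=1.0, delays=0.5/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

ENTRY_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")  # key=<addr> or key=token
NDN_RE = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")


def parse_log(text):
    """Group lines by queue ID: envelope sender, delivery attempts, bounce queue ID."""
    queues = defaultdict(lambda: {"from": None, "deliveries": [], "bounce_qid": None})
    for m in filter(None, map(ENTRY_RE.search, text.splitlines())):
        entry, rest = queues[m["qid"]], m["rest"]
        if m["prog"] == "bounce":  # the NDN is queued under a new ID
            ndn = NDN_RE.search(rest)
            if ndn:
                entry["bounce_qid"] = ndn.group(1)
            continue
        fields = {k: v.strip("<>") for k, v in FIELD_RE.findall(rest)}
        if m["prog"] == "qmgr" and "from" in fields:
            entry["from"] = fields["from"]
        elif "to" in fields:  # smtp/lmtp/virtual delivery agents
            entry["deliveries"].append(fields)
    return queues


def find_forward_bounces(queues):
    """Forwards (orig_to set) the next hop rejected, and whether the resulting
    bounce reached the original sender; if it did not, that is backscatter."""
    findings = []
    for qid, entry in queues.items():
        for d in entry["deliveries"]:
            if "orig_to" not in d or d.get("status") != "bounced":
                continue
            ndn = queues.get(entry["bounce_qid"], {"deliveries": []})
            outcomes = [b.get("status") for b in ndn["deliveries"]]
            findings.append({"qid": qid, "sender": entry["from"], "alias": d["orig_to"],
                             "forwarded_to": d["to"], "dsn": d.get("dsn"),
                             "bounce_undeliverable": bool(outcomes) and "sent" not in outcomes})
    return findings
```

Run it over /var/log/mail.log (or `journalctl -u postfix`) output instead of SAMPLE_LOG to see which aliases and senders keep producing undeliverable bounces; those aliases are the candidates for tighter local filtering or for switching the user to POP3/IMAP pull.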
  3. jeensg

    jeensg Member

    Thanks in the first place for your good and thoughtful answer @Jesse Norell and sorry for not getting back earlier.
    Obviously this will be the way to go ... thanks for the thought with rather pulling mail, if the people want to use these external services / mail clients. Sometimes it is only quite hard to explain the people why mail is not the easiest thing anymore to handle and that it would be better, if they could change their habits :)
I did well understand that, I just couldn't believe that my mailserver is accepting this mail for (local) delivery and the others not. I did have similar things now with Gmail and Posteo. In the end, I wouldn't even notice (we talk about spam mails not being sent :)) and the users probably also not, if I didn't check logs and queues every once in a while.
    I got that now, thank you.
By the way: I obviously do have problems with sender callouts (or misdirected bounces), since our IP is listed every once in a while on Backscatterer.org. This is a different topic, but I cannot find out what causes these listings, since no mail is sent during the times they report incidents :-( so I already got in contact with these problems, although I never actively "activated" any sender address verification. Do you know how I can check this or is this also too Postfix-related?
    With the next mail I find of this type I will check rspamd. I was only wondering whether rspamd is accepting these Spammails for local delivery. If not, it would be nice to not forward them if they are declared Spam :)
Sounds nice, but for me some footsteps too high up the ladder :) and as for the different restrictions I think I just couldn't explain or didn't actually know what I wanted to do ... no, actually I was thinking of this HELO in a backwards way. If HELO doesn't work for sending the bounce, then I thought it shouldn't be possible to hand in the actual mail, but this obviously doesn't work...
     