Postfix with relayhost - relay access denied for bounces


Bounce messages intentionally do not have a sender address. This is to prevent email loops. Sending email without an address has been used to send spam, intentionally or not. If your relay requires you to provide credentials before sending to verify the sender, it will not be able to verify the sender for bounce messages.

You can avoid the issue of not being able to send out bounce messages after accepting the message by bouncing the message before accepting it. Bouncing a message after receipt is a source of backscatter spam. It is common for spam to have faked source addresses. By accepting the message before bouncing it, you will be spamming the faked address rather than rejecting the incoming message.

One way to avoid backscatter spam is to use BATV (bounce address tag validation). This adds a signed value to the return path. Only legitimate bounce messages should have this signature, so other bounces from the Internet can be ignored.

EDIT: It is no longer unusual to quietly drop emails to invalid addresses. This prevents the receiving system from being classified as a spam source when it sends backscatter spam. Postfix accepts all recipients by default, and is therefore prone to producing backscatter spam. If possible, I would recommend enabling recipient verification. I prefer Exim, which rejects mail for unknown recipients by default.

Author: Alex

Updated on September 18, 2022

Comments

  • Alex
    Alex over 1 year

    I have set up a Postfix mail server; outgoing mail is being sent through a smarthost/relayhost which requires authentication. That works great, internal clients can send to foreign recipients through this relayhost.

    However, when an external mail for a local, non-existent user arrives at the server, postfix tries to send a non-delivery notification to the sender. This mail is also sent through the relayhost obviously, but it fails with error 554 5.7.1 : Relay access denied

    This gets logged to the mail.log:

    Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<[email protected]>, relay=local, delay=0.13, delays=0.02/0.02/0/0.09, dsn=5.1.1, status=bounced (unknown user: "test")
    Nov  9 10:26:42 mail postfix/cleanup[5045]: 85DF9BFECD: message-id=<[email protected]>
    Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
    Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
    Nov  9 10:26:42 mail postfix/qmgr[4912]: 6568CC1383: removed
    Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<[email protected]>, relay=mail.provider.com[168.84.25.111]:587, delay=0.48, delays=0.02/0.01/0.26/0.18, dsn=5.7.1, status=bounced (host mail.provider.com[168.84.25.111] said: 554 5.7.1 <[email protected]>: Relay access denied (in reply to RCPT TO command))
    Nov  9 10:26:43 mail postfix/qmgr[4912]: 85DF9BFECD: removed 
    

    According to this error, I suppose that postfix does not log in at the relayhost when sending those bounces. Why? Normal outgoing mail works just fine.

    This is what my main.cf looks like: http://pastebin.com/Uu1Dryxy And of course /etc/postfix/sasl_password contains the correct credentials for the relayhost.

    Thanks in advance!

  • Alex
    Alex over 10 years
    OK so the issue here is not the failed authentication, it is the missing sender address? Do you have an example of how I could implement BATV in my case? I am pretty new to mail servers so this BATV topic sounds very complex to me... is there an easier way maybe?
  • BillThor
    BillThor over 10 years
    @Alex The problem is Postfix trying to send a bounce message after accepting the message rather than while receiving the message. This forces the bounce message to use your relay server. If you are using a relay it is best to avoid sending bounce messages. BATV is more useful to prevent incoming bounce messages, rather than resolving your outgoing issue. You should either enable recipient verification during message receipt, or drop invalid recipients rather than bounce them.
  • Alex
    Alex over 10 years
    Thank you! I did now configure catch-all so no more bounces are being sent for non-existent users. I already tried that previously but the problem was that I also have a lot of non-local recipients that are forwarded to another internal machine. I specified now all valid recipients manually in the virtual alias maps and it seems to work fine :-)
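
To check whether a server is still generating the post-acceptance bounces discussed in this thread, the following added example (not code from the question or the answers) correlates Postfix log entries so that each null-sender notification is reported together with the unknown local recipient that triggered it. The sample log is constructed in the mail.log format shown in the question; the addresses and the relay host are placeholders, and the function name is an assumption.

```python
import re

# Constructed sample in the mail.log format from the question.
# Addresses and relay host are placeholders, not values from the page.
SAMPLE_LOG = """\
Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<test@example.org>, relay=local, delay=0.13, dsn=5.1.1, status=bounced (unknown user: "test")
Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<forged@victim.example>, relay=relay.example.net[192.0.2.25]:587, delay=0.48, dsn=5.7.1, status=bounced (host relay.example.net[192.0.2.25] said: 554 5.7.1 Relay access denied)
Nov  9 10:30:01 mail postfix/qmgr[4912]: A1B2C3D4E5: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Nov  9 10:30:02 mail postfix/smtp[5060]: A1B2C3D4E5: to=<bob@example.com>, relay=relay.example.net[192.0.2.25]:587, delay=0.3, dsn=2.0.0, status=sent (250 ok)
"""

# service name, queue ID, remainder of the log entry
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")

def find_backscatter(log_text):
    """Return one record per bounce generated after accepting mail for an unknown user."""
    unknown = {}         # original queue ID -> local recipient that did not exist
    dsn_of = {}          # notification queue ID -> original queue ID
    null_sender = set()  # queue IDs queued with an empty envelope sender
    outcome = {}         # queue ID -> (recipient, last delivery status via smtp)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        to = re.search(r"to=<([^>]*)>", rest)
        status = re.search(r"status=(\w+)", rest)
        if svc == "local" and to and "status=bounced" in rest and "unknown user" in rest:
            unknown[qid] = to.group(1)
        elif svc == "bounce" and "non-delivery notification: " in rest:
            dsn_of[rest.rsplit(": ", 1)[1].strip()] = qid
        elif svc == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif svc == "smtp" and to and status:
            outcome[qid] = (to.group(1), status.group(1))
    # Join after the full pass: the qmgr entry precedes the bounce entry that links it.
    return [
        {"dsn": dsn, "unknown_rcpt": unknown[orig],
         "dsn_to": outcome[dsn][0], "dsn_status": outcome[dsn][1]}
        for dsn, orig in dsn_of.items()
        if dsn in null_sender and orig in unknown and dsn in outcome
    ]

if __name__ == "__main__":
    for record in find_backscatter(SAMPLE_LOG):
        print(record)
```

An empty result after the recipient checks are in place means unknown recipients are no longer being accepted and bounced afterwards.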