From: Vasya Pupkin on
Hello.

First, I have spent two days reading articles and searching web for
solution but failed there. I am using postfix as an mx for my domains,
it accpets mail for different addresses withing my domains which is
then forwarded to other external domains, i.e. google.com and other
mail services. Mail for unknown users is rejected, many other check
are performed, but still sometimes my system acts as a backscatterer
when something like this happens:

1. Incoming mail passes all tests, it's coming to one of the addresses
within my domain, i.e. existing-user(a)mydomain.tld
2. Postfix then forwards mail to external domain, i.e. myemail(a)mailservice.tld
3. For some reason mailservice.tld rejects this mail, i.e. it doesn't
like it's content or size.
4. Postfix then bounces mail to sender, which can be forged, and thus,
becoming a backscatterer.

Is there any way to prevent postfix from sending bounces anywhere?

From: Wietse Venema on
Vasya Pupkin:
> Hello.
>
> First, I have spent two days reading articles and searching web for
> solution but failed there. I am using postfix as an mx for my domains,
> it accpets mail for different addresses withing my domains which is
> then forwarded to other external domains, i.e. google.com and other
> mail services. Mail for unknown users is rejected, many other check
> are performed, but still sometimes my system acts as a backscatterer
> when something like this happens:
>
> 1. Incoming mail passes all tests, it's coming to one of the addresses
> within my domain, i.e. existing-user(a)mydomain.tld
> 2. Postfix then forwards mail to external domain, i.e. myemail(a)mailservice.tld
> 3. For some reason mailservice.tld rejects this mail, i.e. it doesn't
> like it's content or size.
> 4. Postfix then bounces mail to sender, which can be forged, and thus,
> becoming a backscatterer.
>
> Is there any way to prevent postfix from sending bounces anywhere?

The best conutermeasure is not to forward spam.

The second-best solution requires the ability to predict if a
specific message will be rejected down-stream. Let me know when
you solve that, so I can add it to Postfix.

Wietse

From: Mikael Bak on
Vasya Pupkin wrote:
> Hello.
>
> First, I have spent two days reading articles and searching web for
> solution but failed there. I am using postfix as an mx for my domains,
> it accpets mail for different addresses withing my domains which is
> then forwarded to other external domains, i.e. google.com and other
> mail services. Mail for unknown users is rejected, many other check
> are performed, but still sometimes my system acts as a backscatterer
> when something like this happens:
>
> 1. Incoming mail passes all tests, it's coming to one of the addresses
> within my domain, i.e. existing-user(a)mydomain.tld
> 2. Postfix then forwards mail to external domain, i.e. myemail(a)mailservice.tld
> 3. For some reason mailservice.tld rejects this mail, i.e. it doesn't
> like it's content or size.
> 4. Postfix then bounces mail to sender, which can be forged, and thus,
> becoming a backscatterer.
>
> Is there any way to prevent postfix from sending bounces anywhere?

Hi Vasya,

To be sure to not acting as a backscatter you will have to configure the
front mx to be as restrictive regarding content and mail sizes as the
final destination is. Otherwise you will see problems like the theese.

HTH,
Mikael