mailing.postfix.users › Mail forwarding loop
16 posts by 6 authors

Daniele Nicolodi 08/11/2012

Hello,

I think I have a problem with my simple mail server. I noticed several bounce mails in the queue, which postfix is unable to deliver.

> C0B0160EC 12730 Thu Nov 8 12:35:47 MAILER-DAEMON
> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
> Instant....@designakeackson.info

All of them destined to what look to be fake addresses. The original mails that originate the bounce are indeed spam.

On this server I use spamassassin as content filter, which re-injects the mail into postfix after scanning it via local delivery. Spam is then discarded via a sieve rule (not bounced).

It looks like postfix detects a mail forwarding loop when the mail is re-injected by spamassassin via local delivery. Why isn't the loop detected when the mail is received by the smtpd? I do not like to generate unnecessary bounce mails. Is this a real problem? How can I fix it?

Here is what I think is a relevant log excerpt:

> # egrep 2ABF060A6\|BCDF560EF\|C0B0160EC\|FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5 /var/log/mail.log
> Nov 8 12:35:46 zed postfix/smtpd[2515]: 2ABF060A6: client=designakeackson.info[176.126.174.9]
> Nov 8 12:35:46 zed postfix/cleanup[2517]: 2ABF060A6: message-id=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>
> Nov 8 12:35:46 zed postfix/qmgr[3850]: 2ABF060A6: from=<Instant....@designakeackson.info>, size=9793, nrcpt=1 (queue active)
> Nov 8 12:35:46 zed spamd[2282]: spamd: processing message <FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info> for daniele:1000
> Nov 8 12:35:47 zed spamd[2282]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_SOFTFAIL,T_FILL_THIS_FORM_SHORT,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=1.4,size=9786,user=daniele,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60966,mid=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>,bayes=0.500000,autolearn=no
> Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=<Instant....@designakeackson.info>
> Nov 8 12:35:47 zed postfix/cleanup[2517]: BCDF560EF: message-id=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>
> Nov 8 12:35:47 zed postfix/pipe[2518]: 2ABF060A6: to=<dan...@grinta.net>, relay=spamassassin, delay=1.7, delays=0.24/0.01/0/1.4, dsn=2.0.0, status=sent (delivered via spamassassin service)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: from=<Instant....@designakeackson.info>, size=10941, nrcpt=1 (queue active)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: 2ABF060A6: removed
> Nov 8 12:35:47 zed postfix/local[2522]: BCDF560EF: to=<dan...@grinta.net>, relay=local, delay=0.02, delays=0/0.01/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for dan...@grinta.net)
> Nov 8 12:35:47 zed postfix/cleanup[2517]: C0B0160EC: message-id=<20121108123547.C0B0160EC@zed.grinta.net>
> Nov 8 12:35:47 zed postfix/bounce[2523]: BCDF560EF: sender non-delivery notification: C0B0160EC
> Nov 8 12:35:47 zed postfix/qmgr[3850]: C0B0160EC: from=<>, size=12730, nrcpt=1 (queue active)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: removed
> Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command)
> Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:35:54 zed postfix/smtp[2512]: C0B0160EC: to=<Instant....@designakeackson.info>, relay=eforward2.registrar-servers.com[209.105.246.195]:25, delay=7.2, delays=0/0/7/0.17, dsn=4.1.1, status=deferred (host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command))
> Nov 8 12:45:42 zed postfix/qmgr[3850]: C0B0160EC: from=<>, size=12730, nrcpt=1 (queue active)
> Nov 8 12:45:43 zed postfix/smtp[2566]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:46:05 zed postfix/smtp[2566]: C0B0160EC: host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command)
> Nov 8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host eforward4.registrar-servers.com[69.160.33.74] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: to=<Instant....@designakeackson.info>, relay=eforward5.registrar-servers.com[38.101.213.202]:25, delay=619, delays=595/0.04/24/0, dsn=4.3.2, status=deferred (host eforward5.registrar-servers.com[38.101.213.202] refused to talk to me: 421 4.3.2 All server ports are busy)

My configuration:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = grinta.net, zed, zed.grinta.net, localhost
myhostname = zed.grinta.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
owner_request_special = no
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client bhnc.njabl.org reject_rbl_client dul.dnsbl.sorbs.net permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
unknown_local_recipient_reject_code = 550

Thanks in advance for your help.

Cheers,
Daniele

Jeroen Geilman 08/11/2012

On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:
> Hello,
>
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.
>
>> C0B0160EC 12730 Thu Nov 8 12:35:47 MAILER-DAEMON
>> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
>> Instant....@designakeackson.info
> All of them destined to what look to be fake addresses. The original
> mails that originate the bounce are indeed spam.
>
> On this server I use spamassassin as content filter, which re-injects
> the mail into postfix after scanning it via local delivery. Spam is then
> discarded via a sieve rule (not bounced).
>
> It looks like postfix detects a mail forwarding loop when the mail is
> re-injected by spamassassin via local delivery. Why isn't the loop
> detected when the mail is received by the smtpd?

Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are calling sendmail(1), which in turn invokes pickup(8):

--
J.

Jeroen Geilman 08/11/2012

On 11/08/2012 11:12 PM, Jeroen Geilman wrote:
> On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:
>> Hello,
>>
>> I think I have a problem with my simple mail server. I noticed several
>> bounce mails in the queue, which postfix is unable to deliver.
>>
>>> C0B0160EC 12730 Thu Nov 8 12:35:47 MAILER-DAEMON
>>> (lost connection with
>>> eforward5.registrar-servers.com[38.101.213.202] while receiving the
>>> initial server greeting)
>>> Instant....@designakeackson.info
>> All of them destined to what look to be fake addresses. The original
>> mails that originate the bounce are indeed spam.
>>
>> On this server I use spamassassin as content filter, which re-injects
>> the mail into postfix after scanning it via local delivery. Spam is then
>> discarded via a sieve rule (not bounced).
>>
>> It looks like postfix detects a mail forwarding loop when the mail is
>> re-injected by spamassassin via local delivery. Why isn't the loop
>> detected when the mail is received by the smtpd?
>
>

And now without thick-fingering CTRL-Enter:

Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are (or, rather, SA is) calling sendmail(1), which in turn invokes pickup(8):

Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=<Instant....@designakeackson.info>

This means a different path is followed from the original submission over SMTP; sendmail-submitted mail generally lacks features that allow such loops to be detected.

In this case, you are using the "nobody" user to re-submit the message, which will throw postfix off further, since it has no MAIL FROM: to match it with.

Re-inject the message over a separate smtpd(8) instance instead; the content filter loopback will not alter the envelope, thus enabling postfix to detect a loop.

smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> SMTP re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.

Note the "nobody" above.

Daniele Nicolodi 08/11/2012

On 08/11/2012 23:21, Jeroen Geilman wrote:
> Postfix cannot detect a mail loop if it has never seen the message before.
> You are not re-injecting the filtered message, you are (or, rather, SA
> is) calling sendmail(1), which in turn invokes pickup(8):
>
> Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534
> from=<Instant....@designakeackson.info>
>
> This means a different path is followed from the original submission
> over SMTP; sendmail-submitted mail generally lacks features that allow
> such loops to be detected.
> In this case, you are using the "nobody" user to re-submit the message,
> which will throw postfix off further, since it has no MAIL FROM: to
> match it with.
>
> Re-inject the message over a separate smtpd(8) instance instead; the
> content filter loopback will not alter the envelope, thus enabling
> postfix to detect a loop.
>
> smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> SMTP
> re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
> sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin ->
> sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.
>
> Note the "nobody" above.

Hello Jeroen,

thank you for your reply, but I do not follow you. My problem is that a mail forwarding loop is detected where I suppose there should be none, not the opposite.

The same log you quote, imho, shows that a proper FROM was indeed provided by sendmail, as I believe that Postfix reports the envelope sender and not the From: header in its logs.

My configuration is basically what is described as "Simple content filter example" in the documentation: http://www.postfix.org/FILTER_README.html

Cheers,
Daniele

David Rees 08/11/2012

On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi <dan...@grinta.net> wrote:
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.

You're seeing the same issue as was posted the other day in the thread "Best way to handle a Delivered-To exploit??". Searching the archives, similar issues have come up before, but no real good solutions that I could find.

-Dave

Jeroen Geilman 08/11/2012

Ah, I see. I misread the question, then.
See David's response for a possible explanation.

> My configuration is basically what is described as "Simple content filter
> example" in the documentation: http://www.postfix.org/FILTER_README.html
>
> Cheers,
> Daniele
>

--
J.

Jamie Paul Griffin 08/11/2012

/ David Rees wrote on Thu 8.Nov'12 at 14:59:01 -0800 /

If you want to use content filtering with postfix, you might have better results if you use amavisd-new + spamassassin + clamav. It's just a suggestion but it does work well and it's dead easy to configure. May I also recommend the unofficial clamav signatures as well with my suggested filtering set-up. I believe plenty of postfix users have good results with this filtering method.

Daniele Nicolodi 09/11/2012

Hello Jamie,

I do not understand your hint. What does this have to do with incoming messages having a bogus Delivered-To header? As far as I know neither spamassassin nor clamav has a feature that detects those.

Best,
Daniele

Jamie Paul Griffin 09/11/2012

/ Daniele Nicolodi wrote on Fri 9.Nov'12 at 10:06:14 +0100 /

Of course, you're right but having read the follow-ups from others, the issue looks as though there is some configuration issue with your spamassassin set-up so I thought it might be useful to suggest that you try using spamassassin with amavisd-new. I didn't mean to confuse you, and my comments may have seemed a bit random so sorry about that. :-)

Daniele Nicolodi 09/11/2012

On 09/11/2012 10:35, Jamie Paul Griffin wrote:
> / Daniele Nicolodi wrote on Fri 9.Nov'12 at 10:06:14 +0100 /
>
>> On 09/11/2012 08:40, Jamie Paul Griffin wrote:
>>>
>>> If you want to use content filtering with postfix, you might have
>>> better results if you use amavisd-new + spamassassin + clamav. It's
>>> just a suggestion but it does work well and it's dead easy to
>>> configure. May I also recommend the unofficial clamav signatures as
>>> well with my suggested filtering set-up. I believe plenty of postfix
>>> users have good results with this filtering method.
>>
>> Hello Jamie,
>>
>> I do not understand your hint. What does this have to do with incoming
>> messages having a bogus Delivered-To header? As far as I know neither
>> spamassassin nor clamav has a feature that detects those.
>>
>> Best,
>> Daniele
>
> Of course, you're right but having read the follow-ups from others,
> the issue looks as though there is some configuration issue with your
> spamassassin set-up so I thought it might be useful to suggest that
> you try using spamassassin with amavisd-new. I didn't mean to confuse
> you, and my comments may have seemed a bit random so sorry about
> that. :-)
>

Can you please pinpoint the configuration issues you are mentioning? I believe my system is configured just right for what it is supposed to do.

Cheers,
Daniele

Jamie Paul Griffin 10/11/2012

/ Daniele Nicolodi wrote on Fri 9.Nov'12 at 11:01:54 +0100 /

It's difficult to know how you've set up your spam filter. Some more information would help more.

On the machine I'm using now, I don't use postfix, but I do use spamassassin. I have procmail recipes that use spamc to filter the messages. On my Mac I do use postfix and use amavisd-new, with spamassassin and clamav. That isn't especially relevant to you but it's just to highlight that people use different methods - your method isn't clear to me from the information you've posted so far. Sorry I can't be more helpful right now. It shouldn't take too long to provide a solution with more info.

Daniele Nicolodi 10/11/2012

On 10/11/2012 11:16, Jamie Paul Griffin wrote:
> It's difficult to know how you've set up your spam filter. Some more
> information would help more.
>
> On the machine I'm using now, I don't use postfix, but I do use
> spamassassin. I have procmail recipes that use spamc to filter the
> messages. On my Mac I do use postfix and use amavisd-new, with
> spamassassin and clamav. That isn't especially relevant to you but
> it's just to highlight that people use different methods - your
> method isn't clear to me from the information you've posted so far.
> Sorry I can't be more helpful right now. It shouldn't take too long
> to provide a solution with more info.

I don't really get why you would like to help me fix something that is working just fine. The problem I'm asking advice for is completely unrelated to spamassassin.

What I observe is that postfix is receiving messages containing a forged Delivered-To header that makes postfix think it is seeing a mail forwarding loop. The local(8) daemon bounces the messages, but those messages are spam and the from addresses are invalid, therefore the bounces get stuck in the delivery queue. This is not a problem in itself, but I do not like to generate bounces for spam messages.

Best,
Daniele

Sahil Tandon 10/11/2012

On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
> ...
> What I observe is that postfix is receiving messages containing a
> forged Delivered-To header that makes postfix think it is seeing a
> mail forwarding loop. The local(8) daemon bounces the messages, but
> those messages are spam and the from addresses are invalid, therefore
> the bounces get stuck in the delivery queue. This is not a problem in
> itself, but I do not like to generate bounces for spam messages.

See the list archives for previous discussion of this issue. For example:

http://thread.gmane.org/gmane.mail.postfix.user/148887

Read the entire thread before trying to implement the suggested "solutions".

--
Sahil Tandon

Noel Jones 10/11/2012

On 11/10/2012 9:09 AM, Daniele Nicolodi wrote:
>
> What I observe is that postfix is receiving messages containing a forged
> Delivered-To header that makes postfix think it is seeing a mail
> forwarding loop. The local(8) daemon bounces the messages, but
> those messages are spam and the from addresses are invalid, therefore
> the bounces get stuck in the delivery queue. This is not a problem in
> itself, but I do not like to generate bounces for spam messages.
>

If it's just a handful of messages, probably "do nothing" is the best solution.
It's also worth examining the spam to see if there is some common feature other than the Delivered-to header you can use to reject them.

If you are seeing a lot of these, there is no perfect solution, but there are some things you can do. Do whatever seems to work best in your environment, or do nothing.

Separate incoming and outgoing - If you happen to have (or care to set up) multiple postfix instances to separate incoming and outgoing mail, it is somewhat safe to REJECT incoming internet mail containing a Delivered-to @yourdomain. Don't do this on outgoing mail; your users won't be able to forward messages.

Plus-1 loop detection - Use header_checks something like

    /^X-Loop.*@example\.com$/  REJECT
    /^(Delivered-to: .*@example\.com)$/  REPLACE X-Loop-$1

This will push the loop detection back one loop. I can imagine cases where this will break horribly.

Nuclear option - Remove the Delivered-To header and hope real loops get detected by the presence of too many Received: headers before something melts.

    /^Delivered-To: .*@example\.com/  IGNORE

Some forwarding methods alter/remove Received: headers, so this is Not Recommended. Use this as a temporary crutch if you're getting hammered with forged headers and can't tell which are legit and which aren't.

Run spamassassin sooner - detect spam before local(8) gets the mail by using a smtpd_proxy_filter or milter to detect and reject spam before it enters your server. amavisd-new and spamass-milter are popular and effective choices. Note running spamassassin pre-queue may require more resources than running it during delivery since there's a time limit involved; your server must be able to finish scanning the mail before the remote server disconnects.

Good luck.

--
Noel Jones

Daniele Nicolodi 12/11/2012

Hello Noel,

thank you for the detailed response. I think that the delayed loop detection with header rewriting is the best suited solution in my setup.

Best,
Daniele

Daniele Nicolodi 12/11/2012

On 10/11/2012 17:52, Sahil Tandon wrote:
> On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
>> ...
>> What I observe is that postfix is receiving messages containing a
>> forged Delivered-To header that makes postfix think it is seeing a
>> mail forwarding loop. The local(8) daemon bounces the messages, but
>> those messages are spam and the from addresses are invalid, therefore
>> the bounces get stuck in the delivery queue. This is not a problem in
>> itself, but I do not like to generate bounces for spam messages.
>
> See the list archives for previous discussion of this issue. For
> example:
>
> http://thread.gmane.org/gmane.mail.postfix.user/148887
>
> Read the entire thread before trying to implement the suggested
> "solutions".

Hello Sahil,

thanks for your reply. I searched the list archives as previously suggested, but I found only a thread where no solution was proposed, somehow I missed this one.

Best,
Daniele
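
Added example, not part of the thread or of Postfix: a way to measure how much backscatter the forged Delivered-To messages discussed above are producing, by tracing each "mail forwarding loop" bounce in the mail log back to the submitting SMTP client and forward to the bounce it generated. The function name and the sample log (placeholder hosts, addresses and queue IDs, in the format quoted in the thread) are constructed for illustration; linking the filtered and re-injected copies by Message-ID is an assumption that fits a pickup(8) re-injection setup like the one described.

```python
import re

# Constructed sample in the log format quoted in the thread; hosts,
# addresses and queue IDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Nov  8 12:35:46 mx postfix/smtpd[2515]: 1A2B3C4D5E: client=unknown.example.net[192.0.2.9]
Nov  8 12:35:46 mx postfix/cleanup[2517]: 1A2B3C4D5E: message-id=<spam-1@example.net>
Nov  8 12:35:47 mx postfix/pickup[2485]: 2B3C4D5E6F: uid=65534 from=<forged@example.net>
Nov  8 12:35:47 mx postfix/cleanup[2517]: 2B3C4D5E6F: message-id=<spam-1@example.net>
Nov  8 12:35:47 mx postfix/pipe[2518]: 1A2B3C4D5E: to=<user@example.com>, relay=spamassassin, dsn=2.0.0, status=sent (delivered via spamassassin service)
Nov  8 12:35:47 mx postfix/local[2522]: 2B3C4D5E6F: to=<user@example.com>, relay=local, dsn=5.4.6, status=bounced (mail forwarding loop for user@example.com)
Nov  8 12:35:47 mx postfix/cleanup[2517]: 3C4D5E6F7A: message-id=<20121108123547.3C4D5E6F7A@mx.example.com>
Nov  8 12:35:47 mx postfix/bounce[2523]: 2B3C4D5E6F: sender non-delivery notification: 3C4D5E6F7A
Nov  8 12:35:54 mx postfix/smtp[2512]: 3C4D5E6F7A: to=<forged@example.net>, relay=mx.example.net[192.0.2.25]:25, dsn=4.1.1, status=deferred (host said: 450 4.1.1 unknown user)
Nov  8 12:40:01 mx postfix/smtpd[2600]: 4D5E6F7A8B: client=mail.example.org[198.51.100.7]
Nov  8 12:40:01 mx postfix/cleanup[2601]: 4D5E6F7A8B: message-id=<ok-1@example.org>
Nov  8 12:40:02 mx postfix/local[2602]: 4D5E6F7A8B: to=<user@example.com>, relay=local, dsn=2.0.0, status=sent (delivered to command)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
LOOP = re.compile(r"to=<([^>]*)>.*status=bounced \(mail forwarding loop for ")
DSN = re.compile(r"sender non-delivery notification: ([0-9A-Za-z]+)")
SENT = re.compile(r"to=<([^>]*)>.*status=(\w+)")


def loop_backscatter(log_text):
    """Link each loop bounce to its SMTP client and to the bounce it caused."""
    client, msgid, loops, dsn_of, last = {}, {}, {}, {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            client[qid] = rest[len("client="):]
        elif daemon == "cleanup" and rest.startswith("message-id="):
            msgid[qid] = rest[len("message-id="):]
        elif daemon == "local" and (hit := LOOP.search(rest)):
            loops[qid] = hit.group(1)
        elif daemon == "bounce" and (hit := DSN.search(rest)):
            dsn_of[qid] = hit.group(1)
        elif hit := SENT.search(rest):
            last[qid] = hit.groups()  # latest (recipient, status) per queue ID

    report = []
    for qid, rcpt in loops.items():
        # The filter re-injects through pickup(8) under a new queue ID, so the
        # client is looked up via the queue ID that shares this Message-ID.
        # Message-ID is sender-controlled: treat the link as a hint, not proof.
        mid = msgid.get(qid)
        origin = next((client[q] for q, v in msgid.items()
                       if v == mid and q in client), None) if mid else None
        bqid = dsn_of.get(qid)
        bounce_to, status = last.get(bqid, (None, None))
        report.append({"qid": qid, "recipient": rcpt,
                       "client": origin or client.get(qid), "bounce_qid": bqid,
                       "bounce_to": bounce_to, "bounce_status": status})
    return report


if __name__ == "__main__":
    for row in loop_backscatter(SAMPLE_LOG):
        print(row)
```

A rising count of rows whose bounce_status stays deferred is the sign that forged headers, rather than real forwarding loops, are behind the bounces.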