mailing.postfix.users ›
Mail forwarding loop
16 posts by 6 authors
	Daniele Nicolodi 	
08/11/2012
Hello,

I think I have a problem with my simple mail server. I noticed several
bounce mails in the queue, which postfix is unable to deliver.

> C0B0160EC     12730 Thu Nov  8 12:35:47  MAILER-DAEMON
> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
>                                          Instant....@designakeackson.info

All of them destined to what look to be fake addresses. The original
mails that originate the bounce are indeed spam.

On this server I use spamassassin as content filter, which re-injects
the mail into postfix after scanning it via local delivery. Spam is then
discarded via a sieve rule (not bounced).

It looks like postfix detects a mail forwarding loop when the mail is
re-injected by spamassassin via local delivery. Why isn't the loop
detected when the mail is received by the smtpd? I do not like to
generate unnecessary bounce mails. Is this a real problem? How can I fix it?

Here is what I think is a relevant log excerpt:

> # egrep 2ABF060A6\|BCDF560EF\|C0B0160EC\|FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5 /var/log/mail.log
> Nov  8 12:35:46 zed postfix/smtpd[2515]: 2ABF060A6: client=designakeackson.info[176.126.174.9]
> Nov  8 12:35:46 zed postfix/cleanup[2517]: 2ABF060A6: message-id=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>
> Nov  8 12:35:46 zed postfix/qmgr[3850]: 2ABF060A6: from=<Instant....@designakeackson.info>, size=9793, nrcpt=1 (queue active)
> Nov  8 12:35:46 zed spamd[2282]: spamd: processing message <FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info> for daniele:1000
> Nov  8 12:35:47 zed spamd[2282]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_SOFTFAIL,T_FILL_THIS_FORM_SHORT,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=1.4,size=9786,user=daniele,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60966,mid=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>,bayes=0.500000,autolearn=no
> Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=<Instant....@designakeackson.info>
> Nov  8 12:35:47 zed postfix/cleanup[2517]: BCDF560EF: message-id=<FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5@designakeackson.info>
> Nov  8 12:35:47 zed postfix/pipe[2518]: 2ABF060A6: to=<dan...@grinta.net>, relay=spamassassin, delay=1.7, delays=0.24/0.01/0/1.4, dsn=2.0.0, status=sent (delivered via spamassassin service)
> Nov  8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: from=<Instant....@designakeackson.info>, size=10941, nrcpt=1 (queue active)
> Nov  8 12:35:47 zed postfix/qmgr[3850]: 2ABF060A6: removed
> Nov  8 12:35:47 zed postfix/local[2522]: BCDF560EF: to=<dan...@grinta.net>, relay=local, delay=0.02, delays=0/0.01/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for dan...@grinta.net)
> Nov  8 12:35:47 zed postfix/cleanup[2517]: C0B0160EC: message-id=<20121108123547.C0B0160EC@zed.grinta.net>
> Nov  8 12:35:47 zed postfix/bounce[2523]: BCDF560EF: sender non-delivery notification: C0B0160EC
> Nov  8 12:35:47 zed postfix/qmgr[3850]: C0B0160EC: from=<>, size=12730, nrcpt=1 (queue active)
> Nov  8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: removed
> Nov  8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command)
> Nov  8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov  8 12:35:54 zed postfix/smtp[2512]: C0B0160EC: to=<Instant....@designakeackson.info>, relay=eforward2.registrar-servers.com[209.105.246.195]:25, delay=7.2, delays=0/0/7/0.17, dsn=4.1.1, status=deferred (host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command))
> Nov  8 12:45:42 zed postfix/qmgr[3850]: C0B0160EC: from=<>, size=12730, nrcpt=1 (queue active)
> Nov  8 12:45:43 zed postfix/smtp[2566]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov  8 12:46:05 zed postfix/smtp[2566]: C0B0160EC: host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 <Instant....@designakeackson.info>: Recipient address rejected: unverified address: unknown user: "instant....@designakeackson.info" (in reply to RCPT TO command)
> Nov  8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov  8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host eforward4.registrar-servers.com[69.160.33.74] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov  8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: to=<Instant....@designakeackson.info>, relay=eforward5.registrar-servers.com[38.101.213.202]:25, delay=619, delays=595/0.04/24/0, dsn=4.3.2, status=deferred (host eforward5.registrar-servers.com[38.101.213.202] refused to talk to me: 421 4.3.2 All server ports are busy)

My configuration:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = grinta.net, zed, zed.grinta.net, localhost
myhostname = zed.grinta.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
owner_request_special = no
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated
    reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender
    reject_non_fqdn_recipient reject_unknown_sender_domain
    reject_unknown_recipient_domain permit_mynetworks
    reject_unauth_destination reject_rbl_client zen.spamhaus.org
    reject_rbl_client bhnc.njabl.org reject_rbl_client dul.dnsbl.sorbs.net
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
unknown_local_recipient_reject_code = 550


Thanks in advance for your help.

Cheers,
Daniele
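
An added example, not part of the original post: a Python sketch that correlates Postfix log lines like the excerpt above to find "mail forwarding loop" bounces and trace each one back to the SMTP client that submitted the original message. The log lines, host names and queue IDs are constructed (documentation IP ranges, short hexadecimal queue IDs assumed), and trace_loop_bounces() is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above (example names, documentation IPs).
SAMPLE_LOG = """\
Nov  8 12:35:46 mx postfix/smtpd[2515]: AAAA11111: client=spam.example.net[203.0.113.9]
Nov  8 12:35:46 mx postfix/cleanup[2517]: AAAA11111: message-id=<m1@spam.example.net>
Nov  8 12:35:47 mx postfix/pickup[2485]: BBBB22222: uid=65534 from=<x@spam.example.net>
Nov  8 12:35:47 mx postfix/cleanup[2517]: BBBB22222: message-id=<m1@spam.example.net>
Nov  8 12:35:47 mx postfix/local[2522]: BBBB22222: to=<user@example.org>, relay=local, delay=0.02, dsn=5.4.6, status=bounced (mail forwarding loop for user@example.org)
Nov  8 12:35:47 mx postfix/bounce[2523]: BBBB22222: sender non-delivery notification: CCCC33333
Nov  8 12:35:54 mx postfix/smtp[2512]: CCCC33333: to=<x@spam.example.net>, relay=mx.example.net[198.51.100.2]:25, dsn=4.1.1, status=deferred (unknown user)
Nov  8 12:40:01 mx postfix/smtpd[2600]: DDDD44444: client=mail.example.com[192.0.2.7]
Nov  8 12:40:01 mx postfix/cleanup[2601]: DDDD44444: message-id=<ok@example.com>
Nov  8 12:40:02 mx postfix/local[2602]: DDDD44444: to=<user@example.org>, relay=local, dsn=2.0.0, status=sent (delivered to command)
"""

# service name, queue id, remainder of the line
LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")

def trace_loop_bounces(log_text):
    """Return one record per 'mail forwarding loop' bounce found in the log."""
    client, msgid, looped, notice, last_status = {}, {}, {}, {}, {}
    by_msgid = defaultdict(list)          # Message-ID -> queue ids that carried it
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        if svc == "smtpd" and rest.startswith("client="):
            client[qid] = rest[len("client="):]
        elif svc == "cleanup" and rest.startswith("message-id="):
            msgid[qid] = rest[len("message-id="):]
            by_msgid[msgid[qid]].append(qid)
        elif svc == "local" and "mail forwarding loop" in rest:
            looped[qid] = re.search(r"to=<([^>]*)>", rest).group(1)
        elif svc == "bounce" and "non-delivery notification: " in rest:
            notice[qid] = rest.rsplit(": ", 1)[1]
        elif svc == "smtp":
            st = re.search(r"status=(\w+)", rest)
            if st:
                last_status[qid] = st.group(1)   # keep the most recent attempt
    records = []
    for qid, rcpt in looped.items():
        # The filter re-submits through pickup(8) under a new queue id, so the
        # Message-ID is the only key shared with the original SMTP session.
        # It is sender-controlled: treat the match as a lead, not as proof.
        origins = [client[q] for q in by_msgid[msgid.get(qid)] if q in client]
        bounce_qid = notice.get(qid)
        records.append({
            "recipient": rcpt,
            "client": origins[0] if origins else None,
            "bounce_qid": bounce_qid,
            "bounce_status": last_status.get(bounce_qid),
        })
    return records

if __name__ == "__main__":
    for rec in trace_loop_bounces(SAMPLE_LOG):
        print(rec)
```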

	Jeroen Geilman 	
08/11/2012
On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:
> Hello,
>
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.
>
>> C0B0160EC     12730 Thu Nov  8 12:35:47  MAILER-DAEMON
>> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
>>                                           Instant....@designakeackson.info
> All of them destined to what look to be fake addresses. The original
> mails that originate the bounce are indeed spam.
>
> On this server I use spamassassin as content filter, which re-injects
> the mail into postfix after scanning it via local delivery. Spam is then
> discarded via a sieve rule (not bounced).
>
> It looks like postfix detects a mail forwarding loop when the mail is
> re-injected by spamassassin via local delivery. Why isn't the loop
> detected when the mail is received by the smtpd?

Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are calling
sendmail(1), which in turn invokes pickup(8):
-- 
J.

	Jeroen Geilman 	
08/11/2012
On 11/08/2012 11:12 PM, Jeroen Geilman wrote:
> On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:
>> Hello,
>>
>> I think I have a problem with my simple mail server. I noticed several
>> bounce mails in the queue, which postfix is unable to deliver.
>>
>>> C0B0160EC     12730 Thu Nov  8 12:35:47 MAILER-DAEMON
>>> (lost connection with
>>> eforward5.registrar-servers.com[38.101.213.202] while receiving the
>>> initial server greeting)
>>> Instant....@designakeackson.info
>> All of them destined to what look to be fake addresses. The original
>> mails that originate the bounce are indeed spam.
>>
>> On this server I use spamassassin as content filter, which re-injects
>> the mail into postfix after scanning it via local delivery. Spam is then
>> discarded via a sieve rule (not bounced).
>>
>> It looks like postfix detects a mail forwarding loop when the mail is
>> re-injected by spamassassin via local delivery. Why isn't the loop
>> detected when the mail is received by the smtpd?
>
>

And now without thick-fingering CTRL-Enter:

Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are (or, rather, SA
is) calling sendmail(1), which in turn invokes pickup(8):

     Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=<Instant....@designakeackson.info>

This means a different path is followed from the original submission
over SMTP; sendmail-submitted mail generally lacks features that allow
such loops to be detected.
In this case, you are using the "nobody" user to re-submit the message,
which will throw postfix off further, since it has no MAIL FROM: to
match it with.

Re-inject the message over a separate smtpd(8) instance instead; the
content filter loopback will not alter the envelope, thus enabling
postfix to detect a loop.

smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> SMTP re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.

Note the "nobody" above.
	Daniele Nicolodi 	
08/11/2012
On 08/11/2012 23:21, Jeroen Geilman wrote:
> Postfix cannot detect a mail loop if it has never seen the message before.
> You are not re-injecting the filtered message, you are (or, rather, SA
> is) calling sendmail(1), which in turn invokes pickup(8):
>
>      Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534
> from=<Instant....@designakeackson.info>
>
> This means a different path is followed from the original submission
> over SMTP; sendmail-submitted mail generally lacks features that allow
> such loops to be detected.
> In this case, you are using the "nobody" user to re-submit the message,
> which will throw postfix off further, since it has no MAIL FROM: to
> match it with.
>
> Re-inject the message over a separate smtpd(8) instance instead; the
> content filter loopback will not alter the envelope, thus enabling
> postfix to detect a loop.
>
> smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin -> SMTP
> re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
> sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work -> Spamassassin ->
> sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.
>
> Note the "nobody" above.

Hello Jeroen,

thank you for your reply, but I do not follow you. My problem is that a
mail forwarding loop is detected where I suppose there should be none,
not the opposite. The same log you quote, imho, shows that a proper FROM
was indeed provided by sendmail, as I believe that Postfix reports the
envelope sender and not the From: header in its logs.

My configuration is basically what is described as "Simple content filter
example" in the documentation: http://www.postfix.org/FILTER_README.html

Cheers,
Daniele

	David Rees 	
08/11/2012
On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi <dan...@grinta.net> wrote:
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.

You're seeing the same issue as was posted the other day in the thread
"Best way to handle a Delivered-To exploit??". Searching the archives
similar issues have come up before, but no real good solutions that I
could find.

-Dave

	Jeroen Geilman 	
08/11/2012
Ah, I see. I misread the question, then.
See David's response for a possible explanation.

> My configuration is basically what described as "Simple content filter
> example" in the documentation: http://www.postfix.org/FILTER_README.html
>
> Cheers,
> Daniele
>
>


-- 
J.

	Jamie Paul Griffin 	
08/11/2012
/ David Rees wrote on Thu  8.Nov'12 at 14:59:01 -0800 /
If you want to use content filtering with postfix, you might have better results if you use amavisd-new + spamassassin + clamav. It's just a suggestion but it does work well and it's dead easy to configure. May I also recommend the unofficial clamav signatures as well with my suggested filtering set-up. I believe plenty of postfix users have good results with this filtering method.

	Daniele Nicolodi 	
09/11/2012
Hello Jamie,

I do not understand your hint. What does this have to do with incoming
messages having a bogus Delivered-To header? As far as I know neither
spamassassin nor clamav have a feature that detects those.

Best,
Daniele

	Jamie Paul Griffin 	
09/11/2012
/ Daniele Nicolodi wrote on Fri  9.Nov'12 at 10:06:14 +0100 /
Of course, you're right but having read the follow-ups from others, the issue looks as though there is some configuration issue with your spamassassin set-up so I thought it might be useful to suggest that you try using spamassassin with amavisd-new. I didn't mean to confuse you, and my comments may have seemed a bit random so sorry about that. :-)

	Daniele Nicolodi 	
09/11/2012
On 09/11/2012 10:35, Jamie Paul Griffin wrote:
> / Daniele Nicolodi wrote on Fri  9.Nov'12 at 10:06:14 +0100 /
>
>> On 09/11/2012 08:40, Jamie Paul Griffin wrote:
>>>
>>> If you want to use content filtering with postfix, you might have
>>> better results if you use amavisd-new + spamassassin + clamav. It's
>>> just a suggestion but it does work well and it's dead easy to
>>> configure. May I also recommend the unofficial clamav signatures as
>>> well with my suggested filtering set-up. I believe plenty of postfix
>>> users have good results with this filtering method.
>>
>> Hello Jamie,
>>
>> I do not understand your hint. What does this have to do with incoming
>> messages having a bogus Delivered-To header? As far as I know neither
>> spamassassin nor clamav have a feature that detects those.
>>
>> Best,
>> Daniele
>
> Of course, you're right but having read the follow-ups from others,
> the issue looks as though there is some configuration issue with your
> spamassassin set-up so I thought it might be useful to suggest that
> you try using spamassassin with amavisd-new. I didn't mean to confuse
> you, and my comments may have seemed a bit random so sorry about
> that. :-)
>

Can you please pinpoint the configuration issues you are mentioning? I
believe my system is configured just right for what it is supposed to do.

Cheers,
Daniele

	Jamie Paul Griffin 	
10/11/2012
/ Daniele Nicolodi wrote on Fri  9.Nov'12 at 11:01:54 +0100 /
It's difficult to know how you've set up your spam filter. Some more information would help more.

On the machine I'm using now, I don't use postfix, but I do use spamassassin. I have procmail recipes that use spamc to filter the messages. On my Mac I do use postfix and use amavisd-new, with spamassassin and clamav. That isn't especially relevant to you but it's just to highlight that people use different methods - your method isn't clear to me from the information you've posted so far. Sorry I can't be more helpful right now. It shouldn't take too long to provide a solution with more info.

	Daniele Nicolodi 	
10/11/2012
On 10/11/2012 11:16, Jamie Paul Griffin wrote:
> It's difficult to know how you've set up your spam filter. Some more
> information would help more.
>
> On the machine I'm using now, I don't use postfix, but I do use
> spamassassin. I have procmail recipes that use spamc to filter the
> messages. On my Mac I do use postfix and use amavisd-new, with
> spamassassin and clamav. That isn't especially relevant to you but
> it's just to highlight that people use different methods - your
> method isn't clear to me from the information you've posted so far.
> Sorry I can't be more helpful right now. It shouldn't take too long
> to provide a solution with more info.

I don't really get why you would like to help me fix something that is
working just fine. The problem I'm asking advice for is completely
unrelated to spamassassin.

What I observe is that postfix is receiving messages containing a forged
Delivered-To header that makes postfix think it is seeing a mail
forwarding loop. The local(8) daemon bounces the messages, but
those messages are spam and the from addresses are invalid, therefore
the bounces get stuck in the delivery queue. This is not a problem in
itself, but I do not like to generate bounces for spam messages.

Best,
Daniele

	Sahil Tandon 	
10/11/2012
On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
> ...
> What I observe is that postfix is receiving messages containing a
> forged Delivered-To header that makes postfix think it is seeing a
> mail forwarding loop. The local(8) daemon bounces the messages, but
> those messages are spam and the from addresses are invalid, therefore
> the bounces get stuck in the delivery queue. This is not a problem in
> itself, but I do not like to generate bounces for spam messages.

See the list archives for previous discussion of this issue.  For
example:

 http://thread.gmane.org/gmane.mail.postfix.user/148887

Read the entire thread before trying to implement the suggested
"solutions".

-- 
Sahil Tandon

	Noel Jones 	
10/11/2012
On 11/10/2012 9:09 AM, Daniele Nicolodi wrote:
>
> What I observe is that postfix is receiving messages containing a forged
> Delivered-To header that makes postfix think it is seeing a mail
> forwarding loop. The local(8) daemon bounces the messages, but
> those messages are spam and the from addresses are invalid, therefore
> the bounces get stuck in the delivery queue. This is not a problem in
> itself, but I do not like to generate bounces for spam messages.
>


If it's just a handful of messages, probably "do nothing" is the
best solution.  It's also worth examining the spam to see if there
is some common feature other than the Delivered-to header you can use
to reject them.

If you are seeing a lot of these, there is no perfect solution, but
there are some things you can do.  Do whatever seems to work best in
your environment, or do nothing.

Separate incoming and outgoing - If you happen to have (or care to
set up) multiple postfix instances to separate incoming and outgoing
mail, it is somewhat safe to REJECT incoming internet mail
containing a Delivered-to @yourdomain.  Don't do this on outgoing
mail; your users won't be able to forward messages.

Plus-1 loop detection - Use header_checks something like
    /^X-Loop.*@example\.com$/  REJECT
    /^(Delivered-to: .*@example\.com)$/  REPLACE X-Loop-$1
This will push the loop detection back one loop.  I can imagine
cases where this will break horribly.

Nuclear option - Remove the Delivered-To header and hope real loops
get detected by the presence of too many Received: headers before
something melts.
    /^Delivered-To: .*@example\.com/ IGNORE
Some forwarding methods alter/remove Received: headers, so this is
Not Recommended.  Use this as a temporary crutch if you're getting
hammered with forged headers and can't tell which are legit and
which aren't.

Run spamassassin sooner - detect spam before local(8) gets the mail
by using a smtpd_proxy_filter or milter to detect and reject spam
before it enters your server.  amavisd-new and spamass-milter are
popular and effective choices.  Note running spamassassin pre-queue
may require more resources than running it during delivery since
there's a time limit involved; your server must be able to finish
scanning the mail before the remote server disconnects.


Good luck.




  -- Noel Jones
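
An added example, not part of Noel's message or of Postfix itself: a small Python model of the header_checks rules above and of the Delivered-To check in local(8). It shows a forged header no longer causing a bounce, a genuine loop being caught one hop later, and the IGNORE rule never catching it. The functions cleanup(), local() and hops(), the addresses and the headers are constructed for illustration; the model assumes first-match-wins, case-insensitive regexp tables and one pass through cleanup(8) per hop.

```python
import re

# The "plus-1" rules as (pattern, action, argument), in table order.
PLUS_ONE = [
    (r"^X-Loop.*@example\.com$", "REJECT", None),
    (r"^(Delivered-to: .*@example\.com)$", "REPLACE", r"X-Loop-\1"),
]
# The "nuclear option": drop the header entirely.
NUCLEAR = [(r"^Delivered-To: .*@example\.com", "IGNORE", None)]

RCPT = "user@example.com"                      # constructed local recipient
CLEAN = ["Received: from mail.example.net", "Subject: hello"]
FORGED = ["Received: from spam.example.net",   # constructed spam with a
          "Delivered-To: " + RCPT,             # forged Delivered-To header
          "Subject: offer"]

def cleanup(headers, rules):
    """Model of header_checks in cleanup(8): each header is tested against the
    rules in order and the first match decides. Returns (verdict, headers)."""
    out = []
    for h in headers:
        for pat, action, arg in rules:
            m = re.search(pat, h, re.IGNORECASE)
            if not m:
                continue
            if action == "REJECT":       # refused at SMTP time, nothing queued
                return "REJECT", headers
            if action == "REPLACE":
                h = m.expand(arg)
            elif action == "IGNORE":
                h = None                 # header is deleted
            break
        if h is not None:
            out.append(h)
    return "OK", out

def local(headers, rcpt):
    """Model of local(8): bounce when a Delivered-To: header already names the
    recipient, otherwise prepend one and deliver."""
    want = ("delivered-to: " + rcpt).lower()
    if any(h.lower() == want for h in headers):
        return "BOUNCE", headers
    return "DELIVERED", ["Delivered-To: " + rcpt] + headers

def hops(headers, rcpt, rules, max_hops=5):
    """Pass a message through cleanup -> local repeatedly, as if every delivery
    forwarded it straight back in. Returns the outcome of each hop."""
    trail = []
    for _ in range(max_hops):
        verdict, headers = cleanup(headers, rules)
        if verdict == "REJECT":
            trail.append("REJECT")
            break
        verdict, headers = local(headers, rcpt)
        trail.append(verdict)
        if verdict == "BOUNCE":
            break
    return trail

if __name__ == "__main__":
    print("forged, no rules :", hops(FORGED, RCPT, [], max_hops=1))
    print("forged, plus-1   :", hops(FORGED, RCPT, PLUS_ONE, max_hops=1))
    print("real loop, none  :", hops(CLEAN, RCPT, []))
    print("real loop, plus-1:", hops(CLEAN, RCPT, PLUS_ONE))
    print("real loop, IGNORE:", hops(CLEAN, RCPT, NUCLEAR))
```

Each cleanup() call counts as one hop in this model, so a setup in which a message crosses cleanup(8) more than once per delivery reaches the REJECT rule sooner than the trace suggests.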

	Daniele Nicolodi 	
12/11/2012
Hello Noel,

thank you for the detailed response. I think that the delayed loop
detection with header rewriting is the best suited solution in my setup.

Best,
Daniele

	Daniele Nicolodi 	
12/11/2012
On 10/11/2012 17:52, Sahil Tandon wrote:
> On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
>> ...
>> What I observe is that postfix is receiving messages containing a
>> forged Delivered-To header that makes postfix think it is seeing a
>> mail forwarding loop. The local(8) daemon bounces the messages, but
>> those messages are spam and the from addresses are invalid, therefore
>> the bounces get stuck in the delivery queue. This is not a problem in
>> itself, but I do not like to generate bounces for spam messages.
>
> See the list archives for previous discussion of this issue.  For
> example:
>
>  http://thread.gmane.org/gmane.mail.postfix.user/148887
>
> Read the entire thread before trying to implement the suggested
> "solutions".

Hello Sahil,

thanks for your reply. I searched the list archives as previously
suggested, but I found only a thread where no solution was proposed,
somehow I missed this one.

Best,
Daniele