Gentoo Archives: gentoo-server

From: Michael Orlitzky <michael@××××××××.com>
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] Disclaimer to forwarded mails to external domain?
Date: Tue, 04 Sep 2012 14:15:31
Message-Id: 50460CD7.5080501@orlitzky.com
In Reply to: Re: [gentoo-server] Disclaimer to forwarded mails to external domain? by "Vinícius Ferrão"
1 On 09/03/2012 05:07 PM, Vinícius Ferrão wrote:
2 >>
3 >> Is this so that people won't mark those messages as spam (thus pinning
4 >> the blame on your mail server)?
5 >>
6 >> If so, let me assure you that it will be ignored. I've even called some
7 >> of our customers with forwarded addresses on the phone and personally
8 >> asked them to stop marking stuff as spam. They still ignore me.
9 >
10 > Actually we have user that automatic redirect messages to their personal
11 > accounts. And this behaviour is not 100% approved by the university. So
12 > I want to put a disclaimer in those people, as
13 > example: john@××××××××××.com <mailto:john@××××××××××.com> redirects
14 > to john@×××××.com <mailto:john@×××××.com>. I want to put a disclaimer in
15 > *ALL* messages redirected to external domains.
16 >
17
18 OK disregard my cynicism then =)
19
20
21 >>
22 >>> The tricky part is how to detected which messages are automatically
23 >>> forwarded to an external domain.
24 >>
25 >> If this is a filtering gateway, I'm guessing all of your recipients are
26 >> listed in relay_recipient_maps? If so, you should be able to override
27 >> the default_transport (which defaults to smtp:).
28 >>
29 >> For example, you could set up a disclaimer-only instance of amavis on
30 >> port 10029, and then set the default_transport to
31 >> smtp:[localhost]:10029. I would beware of unintended consequences,
32 >> though. You're liable to stick a disclaimer on some things by accident.
33 >
34 > There's no recipient check in my mail filtering gateway. I leave this
35 > job to my final destination. It's not easy to get the final destination
36 > since we have some different end destination servers and a separate
37 > mailman server.
38
39 Although it isn't related to your current problem, you really must check
40 recipient validity at receipt time. Otherwise, you're a backscatter source.
41
42 If I send spam to you (To: user@invalid) claiming to be from
43 user@×××××××.com, you'll accept it, because you aren't validating the
44 recipient. When you try to send it to its final destination, it will
45 reject it, because user@invalid doesn't live there. Now, you're stuck
46 with the message, and your filtering server will try to return it to the
47 sender. But the sender was forged! So you wind up returning my spam to
48 user@×××××××.com.
49
50 If it's not possible to get a list of valid recipients, you can fall
51 back to address verification:
52
53 http://www.postfix.org/ADDRESS_VERIFICATION_README.html
54
55 Basically, postfix will put the sender on hold, contact the destination
56 server in the background, check that the recipient is valid, and relay
57 the answer to the sender.
58
59
60 > I can't really understand your example: in this situation everything
61 > will be "disclaimed"; and I just want to modify messages to people that
62 > receive their corporate emails in their personal account.
63
64 It depends on how you're set up. There are two transports that are
65 basically the same[1]: 'relay' and 'smtp'. If your domains are listed in
66 relay_domains, mail to them will be relayed to the destination via the
67 'relay' transport.
68
69 The idea was, if all of your domains are listed in relay_domains, then
70 any mail using the default_transport='smtp' instead of 'relay' must be
71 going off-site. The only stuff going off-site should be mail that's
72 being forwarded to external domains. Unfortunately, unless you validate
73 your recipients, you'll be bouncing messages, and those go off-site too
74 so the reasoning doesn't hold.
75
76 The first thing I would do is fix your recipient validation. Once that's
77 done, it's probably safe to add the disclaimer to the 'smtp' transport.
78 I would also ask on the postfix-users list -- there are people there who
79 know a lot more than I do and might be able to point out a reason why it
80 wouldn't work. But the first thing they would tell you to do is fix the
81 recipient validation, so you might as well get that out of the way!
82
83
84
85 [1] http://www.postfix.org/ADDRESS_CLASS_README.html