Accepting mail for postmaster

Feb 6th, 2008

Hi all.

My Ironport C300 is set up to check the validity of local recipients in incoming mail with an LDAP query.

In my mail system however, the postmaster e-mail address is not LDAP-checkable by default...
All postmaster mail for all our domains goes there, so it would need to check OK for several e-mail addresses.
So mail sent to postmaster is rejected for all but our main domain.

I tried adding "postmaster@" to the RAT, but this will allow postmaster mail even for non-existing domains.
I could try and add a [email protected] entry for each domain entry in the RAT, and tag it not to use LDAP, but that seems unclean and error-prone.

What's the Right Way (tm) to do this?
Is it possible to tell AsyncOS to ALWAYS accept postmaster@ addresses for local domains?

TIA,

Nicolas.

staylor_ironport Thu, 02/07/2008 - 16:04

You could add a RAT entry for the full e-mail address on every domain i.e.
[email protected]
[email protected]
[email protected] etc etc

The above would be the most secure way of doing this, and you could add all of them in one RAT entry and mark it as bypass LDAP.

I personally wouldn't add postmaster@ as that will make you an open relay for all postmaster@ addresses.

Donald Nash Thu, 02/07/2008 - 21:51


> Rejecting postmaster mail goes against RFCs by the way...
> I'll try and contact Ironport's support about this.

My personal opinion is that they're already doing it correctly. You're right about RFC compliance, but I'd prefer that AsyncOS not make any RAT decisions for me. It's easy enough to make your RAT look something like this:
domain1
[email protected]
domain2
[email protected]

is easy enough, if somewhat verbose.
Nicolas Melay Thu, 02/07/2008 - 23:11

Hmm, I thought about it again, and realized adding a postmaster@ entry in the RAT wasn't such a bad idea at all. :D

If I do it, mail sent to [email protected] will end up in my postmaster box anyway (since it's my mail system's default behavior), it won't get relayed anywhere else.
And spammers got to my gateway with one of my domain names to start with, so there's no reason for them to try and forge the domain part, and even if they did, I couldn't care less.

Well, the bottom line is I won't get more spam in my postmaster box and I won't end up relaying stuff unknowingly with a postmaster@ entry in my RAT, so I'll stick with that.

Sorry for bothering. ;)

staylor_ironport Fri, 02/08/2008 - 08:22

Hi, in the nicest possible way this is a really bad idea.
When spammers find that you are an open relay for postmaster addresses, and they will find out, you have the possibility of your SenderBase score being lowered.
Also it doesn't matter how your internal servers are set up, when the IronPort accepts the mail based on the RAT postmaster@ it will process and then use DNS to deliver. You could add an SMTP route to point at /DEV/NULL for all the postmaster addresses so that they aren't rerouted.
Please get in contact with your local IronPort SE in regards to this.

Best Regards

Rayman_Jr Fri, 02/08/2008 - 08:32

I fully agree with monkeymadness. There is a great risk of getting your SBRS lowered and finally ending up in DNSBLs.

If you really want to accept all [email protected] and deliver those into your postmaster box you need an additional Incoming Content Filter which changes the recipient to your "[email protected]". That way you prevent open relay for postmaster.

Condition: rcpt-to == "^postmaster@"
Action: alt-rcpt-to ("[email protected]")

staylor_ironport Sun, 02/10/2008 - 11:26


> I fully agree with monkeymadness. There is a great risk of getting your SBRS lowered and finally ending up in DNSBLs.
>
> If you really want to accept all [email protected] and deliver those into your postmaster box you need an additional Incoming Content Filter which changes the recipient to your "[email protected]". That way you prevent open relay for postmaster.
>
> Condition: rcpt-to == "^postmaster@"
> Action: alt-rcpt-to ("[email protected]")


That content filter will change every postmaster to an internal one which you don't want.
Ideally you need a Message filter that will count the rcpts, make sure that it's only going to [email protected] and drop if it's not to your domain. (I will work on this and get back to you)

P.S. The better option is still to restrict your RAT that way no content filter is needed :lol:
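
The difference between a bare postmaster@ entry and one full postmaster address per local domain, as an added example that is not part of any post in this thread and is not AsyncOS code. It is a simplified model of RAT-style matching; the domains, addresses and function names are constructed for illustration.

```python
# Simplified model of recipient matching against RAT-style entries.
# Entry forms modelled: "user@" (any domain), "user@domain", "domain".
# All domains and addresses below are constructed sample values.

LOCAL_DOMAINS = ["example.com", "example.net", "example.org"]


def entry_matches(entry, rcpt):
    """Return True if one RAT-style entry covers the recipient address."""
    entry, rcpt = entry.lower(), rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    if entry.endswith("@"):          # username-only entry, e.g. "postmaster@"
        return local == entry[:-1]
    if "@" in entry:                 # full address entry
        return rcpt == entry
    return domain == entry           # plain domain entry


def accepted(rat, rcpt):
    """A recipient is accepted if any entry matches; otherwise it is refused."""
    return any(entry_matches(e, rcpt) for e in rat)


def explicit_postmaster_entries(domains):
    """Build one full-address postmaster entry per local domain."""
    return ["postmaster@" + d.lower() for d in sorted(set(domains))]


def audit(rat, local_domains, probes):
    """List probe recipients the RAT accepts although their domain is not local."""
    local = {d.lower() for d in local_domains}
    return [r for r in probes
            if accepted(rat, r) and r.lower().rpartition("@")[2] not in local]


# Constructed probe recipients: one local, two for domains we do not host.
PROBES = ["postmaster@example.net", "postmaster@elsewhere.test",
          "Postmaster@third-party.test"]

BROAD_RAT = ["postmaster@"]                               # the entry debated above
STRICT_RAT = explicit_postmaster_entries(LOCAL_DOMAINS)   # LDAP-bypass entries only

if __name__ == "__main__":
    print("broad entry accepts foreign:", audit(BROAD_RAT, LOCAL_DOMAINS, PROBES))
    print("strict entries accept foreign:", audit(STRICT_RAT, LOCAL_DOMAINS, PROBES))
    print("entries to add:", STRICT_RAT)
```

Generating the per-domain entries from the same domain list that feeds the RAT keeps the verbose form from drifting out of sync when a domain is added or removed.
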
Nicolas Melay Mon, 02/11/2008 - 21:19

Ouch, right. I completely overlooked the routing part here. :?
And since Spamhaus got the bright idea to list the IP address I use for testing in its PBL last week, I couldn't complete my tests.

Back to a saner setup. :)

staylor_ironport Tue, 02/19/2008 - 18:06

Just in case you didn't know, there are plenty of sites out there that can send test mail to your organisation, and you can make them appear to be from and to anyone you like :)
