Accepting mail for postmaster

Nicolas Melay
Level 1

Hi all.

My Ironport C300 is set up to check the validity of local recipients in incoming mail with an LDAP query.

In my mail system however, the postmaster e-mail address is not LDAP-checkable by default...
All postmaster mail for all our domains goes there, so it would need to check OK for several e-mail addresses.
So mail sent to postmaster is rejected for all but our main domain.

I tried adding "postmaster@" to the RAT, but this will allow postmaster mail even for non-existing domains.
I could try and add a postmaster@domain entry for each domain entry in the RAT, and tag it not to use LDAP, but that seems unclean and error prone.

What's the Right Way (tm) to do this?
Is it possible to tell AsyncOS to ALWAYS accept postmaster@ addresses for local domains?

TIA,

Nicolas.

11 Replies

Donald Nash
Level 3

When I had this same problem, I had the folks who run the LDAP put "postmaster" in it. Using the RAT to allow "postmaster@domain" didn't work for me.

You could add a RAT entry for the full e-mail address on every domain i.e.
postmaster@domain.com
postmaster@domain2.com
postmaster@domain3.com etc etc

The above would be the most secure way of doing this, and you could add all of them in one RAT entry and mark it as bypass LDAP.

I personally wouldn't add postmaster@ as that will make you an open relay for all postmaster@ addresses.

Nicolas Melay
Level 1

OK, thanks all.
I was hoping for a better solution...

Adding a RAT entry seems the safest bet, since I need to add any new domain here anyway.
Just wish the postmaster@domain entry was implicit.

Rejecting postmaster mail goes against RFCs by the way...
I'll try and contact Ironport's support about this.

Donald Nash
Level 3

> Rejecting postmaster mail goes against RFCs by the way...
> I'll try and contact Ironport's support about this.

My personal opinion is that they're already doing it correctly. You're right about RFC compliance, but I'd prefer that AsyncOS not make any RAT decisions for me. It's easy enough to make your RAT look something like this:
domain1
postmaster@domain1
domain2
postmaster@domain2

is easy enough, if somewhat verbose.
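
Added example (not from any poster, and not AsyncOS code): a simplified Python model of the two RAT layouts discussed above, showing that a bare "postmaster@" entry matches recipients in domains you do not host while the per-domain layout does not. The .example domains, the function names and the three entry forms modelled are assumptions made for illustration.

```python
# Simplified model of RAT entry matching, for auditing a recipient list offline.
# Only three entry forms are modelled: "domain", "user@domain" and "user@".

def entry_matches(entry: str, rcpt: str) -> bool:
    """Return True if a single RAT entry matches the recipient address."""
    entry, rcpt = entry.lower(), rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    if entry.endswith("@"):      # partial address such as "postmaster@"
        return local == entry[:-1]
    if "@" in entry:             # full address such as "postmaster@domain1"
        return rcpt == entry
    return domain == entry       # bare domain


def per_domain_rat(domains):
    """Build the verbose layout from the thread: domain, then postmaster@domain."""
    rat = []
    for d in domains:
        rat += [d, f"postmaster@{d}"]
    return rat


def matching_entries(rat, rcpt):
    """List every entry in the RAT that matches the recipient."""
    return [e for e in rat if entry_matches(e, rcpt)]


def audit(rat, local_domains):
    """Return entries that can accept mail for domains not in local_domains."""
    local = {d.lower() for d in local_domains}
    findings = []
    for e in rat:
        _, at, domain = e.lower().rpartition("@")
        if at and not domain:
            findings.append((e, "partial address: matches any domain"))
        elif domain not in local:
            findings.append((e, "domain not in local list"))
    return findings


# Constructed sample data.
LOCAL_DOMAINS = ["domain1.example", "domain2.example"]
STRICT_RAT = per_domain_rat(LOCAL_DOMAINS)      # per-domain postmaster entries
LOOSE_RAT = LOCAL_DOMAINS + ["postmaster@"]     # single partial-address entry

if __name__ == "__main__":
    for rcpt in ("postmaster@domain2.example", "postmaster@unrelated.example"):
        print(rcpt, matching_entries(STRICT_RAT, rcpt), matching_entries(LOOSE_RAT, rcpt))
    print(audit(LOOSE_RAT, LOCAL_DOMAINS))
```
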

Nicolas Melay
Level 1

I guess a per-RAT-entry checkbox would be the right solution.

Nicolas Melay
Level 1

Hmm, I thought about it again, and realized adding a postmaster@ entry in the RAT wasn't such a bad idea at all. :D

If I do it, mail sent to postmaster@anydomain will end up in my postmaster box anyway (since it's my mail system's default behavior), it won't get relayed anywhere else.
And spammers got to my gateway with one of my domain names to start with, so there's no reason for them to try and forge the domain part, and even if they did, I couldn't care less.

Well, the bottom line is I won't get more spam in my postmaster box and I won't end up relaying stuff unknowingly with a postmaster@ entry in my RAT, so I'll stick with that.

Sorry for bothering. ;)

Hi, in the nicest possible way this is a really bad idea.
When spammers find that you are an open relay for postmaster addresses (and they will find out), you have the possibility of your Senderbase score being lowered.
Also it doesn't matter how your internal servers are set up: when the IronPort accepts the mail based on the RAT postmaster@ it will process and then use DNS to deliver. You could add an SMTP route to point at /DEV/NULL for all the postmaster addresses so that they aren't rerouted.
Please get in contact with your local IronPort SE in regards to this.

Best Regards

Rayman_Jr
Level 1

I fully agree with monkeymadness. There is a great risk of getting your SBRS lowered and finally ending up in DNSBLs.

If you really want to accept all postmaster@anydomain and deliver those into your postmaster box, you need an additional Incoming Content Filter which changes the recipient to your "postmaster@mydomain". That way you prevent open relay for postmaster.

Condition: rcpt-to == "^postmaster@"
Action: alt-rcpt-to ("postmaster@mydomain.com")

> I fully agree with monkeymadness. There is a great risk of getting your SBRS lowered and finally ending up in DNSBLs.
>
> If you really want to accept all postmaster@anydomain and deliver those into your postmaster box, you need an additional Incoming Content Filter which changes the recipient to your "postmaster@mydomain". That way you prevent open relay for postmaster.
>
> Condition: rcpt-to == "^postmaster@"
> Action: alt-rcpt-to ("postmaster@mydomain.com")


That content filter will change every postmaster to an internal one, which you don't want.
Ideally you need a Message filter that will count the rcpts, make sure that it's only going to Postmaster@domain.com, and drop if it's not to your domain. (I will work on this and get back to you)

P.S. The better option is still to restrict your RAT that way no content filter is needed :lol:

Nicolas Melay
Level 1

Ouch, right. I completely overlooked the routing part here. :?
And since Spamhaus got the bright idea to list the IP address I use for testing in its PBL last week, I couldn't complete my tests.

Back to a saner setup. :)

Just in case you didn't know, there are plenty of sites out there that can send test mail to your organisation, and you can make them appear to be from and to anyone you like :)
