02-06-2008 01:57 AM
Hi all.
My Ironport C300 is set up to check the validity of local recipients in incoming mail with an LDAP query.
In my mail system however, the postmaster e-mail address is not LDAP-checkable by default...
All postmaster mail for all our domains goes there, so it would need to check OK for several e-mail addresses.
So mail sent to postmaster is rejected for all but our main domain.
I tried adding "postmaster@" to the RAT, but this will allow postmaster mail even for non-existing domains.
I could try and add a postmaster@domain entry for each domain entry in the RAT, and tag it not to use LDAP, but that seems unclean and error-prone.
What's the Right Way (tm) to do this?
Is it possible to tell AsyncOS to ALWAYS accept postmaster@ addresses for local domains?
TIA,
Nicolas.
02-06-2008 05:40 PM
When I had this same problem, I had the folks who run the LDAP put "postmaster" in it. Using the RAT to allow "postmaster@domain" didn't work for me.
02-07-2008 04:04 PM
You could add a RAT entry for the full e-mail address on every domain i.e.
postmaster@domain.com
postmaster@domain2.com
postmaster@domain3.com etc etc
The above would be the most secure way of doing this, and you could add all of them in one RAT entry and mark it as bypass LDAP.
I personally wouldn't add postmaster@ as that will make you an open relay for all postmaster@ addresses.
02-07-2008 09:36 PM
OK, thanks all.
I was hoping for a better solution...
Adding a RAT entry seems the safest bet, since I need to add any new domain here anyway.
Just wish the postmaster@domain entry was implicit.
Rejecting postmaster mail goes against RFCs by the way...
I'll try and contact Ironport's support about this.
02-07-2008 09:51 PM
Rejecting postmaster mail goes against RFCs by the way...
I'll try and contact Ironport's support about this.
domain1
postmaster@domain1
domain2
postmaster@domain2
02-07-2008 10:33 PM
I guess a per-RAT-entry checkbox would be the right solution.
02-07-2008 11:11 PM
Hmm, I thought about it again, and realized adding a postmaster@ entry in the RAT wasn't such a bad idea at all. :D
If I do it, mail sent to postmaster@anydomain will end up in my postmaster box anyway (since it's my mail system's default behavior), it won't get relayed anywhere else.
And spammers got to my gateway with one of my domain names to start with, so there's no reason for them to try and forge the domain part, and even if they did, I couldn't care less.
Well, the bottom line is I won't get more spam in my postmaster box and I won't end up relaying stuff unknowingly with a postmaster@ entry in my RAT, so I'll stick with that.
Sorry for bothering. ;)
02-08-2008 08:22 AM
Hi, in the nicest possible way this is a really bad idea.
When spammers find that you are an open relay for postmaster addresses, and they will find out, you have the possibility of your Senderbase score being lowered.
Also it doesn't matter how your internal servers are set up: when the IronPort accepts the mail based on the RAT postmaster@ it will process it and then use DNS to deliver. You could add an SMTP route to point at /DEV/NULL for all the postmaster addresses so that they aren't rerouted.
Please get in contact with your local IronPort SE in regards to this.
Best Regards
02-08-2008 08:32 AM
I fully agree with monkeymadness. There is a great risk of getting your SBRS lowered and finally ending up in DNSBLs.
If you really want to accept all postmaster@anydomain and deliver those into your postmaster box, you need an additional Incoming Content Filter which changes the recipient to your "postmaster@mydomain". That way you prevent open relay for postmaster.
Condition: rcpt-to == "^postmaster@"
Action: alt-rcpt-to ("postmaster@mydomain.com")
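The trade-off discussed in the posts above, as an added Python model that is not part of the thread and is not AsyncOS code: it compares per-domain postmaster entries, a bare `postmaster@` entry, and the bare entry combined with the recipient rewrite. The domain list, the directory contents and the assumption that an accepted non-local recipient is delivered via DNS (as the posters describe) are constructed for illustration.

```python
import re

# Constructed sample data (assumptions): local domains and LDAP directory contents.
LOCAL_DOMAINS = {"mydomain.com", "domain2.com", "domain3.com"}
LDAP_USERS = {"alice@mydomain.com", "bob@domain2.com", "postmaster@mydomain.com"}
POSTMASTER_BOX = "postmaster@mydomain.com"  # rewrite target used in the thread's filter

def rat_accepts(rcpt, policy):
    """Model of the recipient check at RCPT TO time.
    'per_domain': postmaster@<each local domain> bypasses LDAP.
    'wildcard':   a bare 'postmaster@' entry bypasses LDAP for any domain."""
    rcpt = rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    if local == "postmaster":
        if policy == "wildcard" or domain in LOCAL_DOMAINS:
            return True
    # Everything else must be a local domain and pass the LDAP lookup.
    return domain in LOCAL_DOMAINS and rcpt in LDAP_USERS

def next_hop(rcpt, policy, rewrite=False):
    """Return 'reject', 'local' (delivered inside) or 'relay' (delivered via DNS)."""
    if not rat_accepts(rcpt, policy):
        return "reject"
    if rewrite and re.match(r"^postmaster@", rcpt, re.IGNORECASE):
        rcpt = POSTMASTER_BOX  # models the alt-rcpt-to action
    domain = rcpt.rpartition("@")[2].lower()
    return "local" if domain in LOCAL_DOMAINS else "relay"

def audit(recipients):
    """Map each recipient to its outcome under the three setups in the thread."""
    setups = {
        "per-domain entries": ("per_domain", False),
        "bare postmaster@": ("wildcard", False),
        "bare postmaster@ + rewrite": ("wildcard", True),
    }
    return {r: {name: next_hop(r, p, rw) for name, (p, rw) in setups.items()}
            for r in recipients}

if __name__ == "__main__":
    # Constructed test recipients.
    sample = ["postmaster@domain2.com", "postmaster@unrelated.example",
              "nobody@domain2.com", "alice@mydomain.com"]
    for rcpt, outcomes in audit(sample).items():
        print(rcpt, outcomes)
```

Any row that reports `relay` is a recipient the gateway would accept and forward for a domain it does not own, which is the condition the last two posts warn about.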
02-11-2008 09:19 PM
Ouch, right. I completely overlooked the routing part here. :?
And since Spamhaus got the bright idea to list the IP address I use for testing in its PBL last week, I couldn't complete my tests.
Back to a saner setup. :)
02-19-2008 06:06 PM
Just in case you didn't know, there are plenty of sites out there that can send test mail to your organisation, and you can make them appear to be from and to anyone you like :)