[nSLUG] Whither to bounce unknown recipient address?

Aaron Spanik a.spanik at ns.sympatico.ca
Thu Aug 30 21:04:35 ADT 2007


On Thu, 30 Aug 2007 13:16:15 -0300
"D G Teed" <donald.teed at gmail.com> wrote:

> I read the postfix backscatter readme today.
> 
> http://www.postfix.org/BACKSCATTER_README.html
> 
> Up until now it seemed like a good idea to always bounce
> undeliverable email, so people can realize their typos.
> But this seems to be a spammer technique to deliver
> via forged from addresses.
> 
> I'll have to convince people setting
> 
>    unknown_local_recipient_reject_code = 550
> 
> in postfix is a good idea.
> 
> How many of you use this (or similar) in your MX server?

I can't decide whether it sounds like things have changed since I last
saw the configuration you're looking at ;)

I would point out, however, that I suspect

	unknown_local_recipient_reject_code = 550

will have no effect whatsoever unless you're setting it on the mailbox
server (and I'm pretty sure you wouldn't be).  So I believe the setting
you're actually interested in is one of

	unknown_virtual_alias_reject_code = 550
	unknown_virtual_mailbox_reject_code = 550

and the default appears to be 550 for both of them.

But that's not what you're really talking about.  The difference between
450 and 550 is NOT whether to bounce mail or not.  The difference is
whether you're telling the mail server that's trying to pass you mail
"This is a temporary failure, please try again," which is what a 4xx
error means, or "This is a permanent failure, please don't try again,"
which is what a 5xx error means.

It is then the job of the mail server that was trying to pass the mail
to you to either send or not send a delivery status notification
failure message (i.e. a "bounce" message).

Most people in fact PREFER that you put a 5xx there, because a message
for which a 4xx error was passed will sit in the queue for the
maximum queue lifetime (standard is 5 days) as the server tries to
resend it again and again.  With a 5xx error, someone who typo'd knows
in seconds that they typo'd because they immediately get a bounce back
rather than some 5 days later.

As for the DNS lookups, I seem to recall zone transfers being used for
some of the larger blacklists to a caching DNS server running on the
local machine, meaning DNS rarely "failed" (but was occasionally
slightly stale).  I also recall somebody trying to be very prudent
about blacklist selection and trying to stick to things like
dynamic and dial-up host spaces and "responsible" lists.

The other thing I'll say in defense of these measures, having actually
been in Donald's shoes, is that few people can fathom what it's like to
try to run a mail system that sees in excess of 1,000,000 distinct
connects per day, accepts 60,000 mails, tags 50,000 as probably SPAM,
and delivers the other 10,000 cleanly.  And, to top it all off, has to
take shit from everybody in the organization who ever has the slightest
problem with sending or receiving a mail.  I remember one particular
"customer" who told me that the way we were handling mail was
"unacceptable".  I offered to remove all filters and checks on mail
sent to that person's address.  Later that afternoon I got an email,
"please turn it all back on, I've received over 500 emails this
afternoon," or something to that effect.

There are definite downsides to running mail for a domain that's been on
the "internet" in one form or another since the mid-eighties.

/a
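
Added example, not part of the original message: a small model of the sending server's side of the exchange described above, showing what a 4xx versus a 5xx reply to RCPT TO means for the person who mistyped an address. The reply lines are constructed samples; the 5-day queue lifetime is the figure from the message, while the backoff bounds and the doubling schedule are assumptions, not any MTA's actual algorithm.

```python
from datetime import timedelta

MAX_QUEUE_LIFETIME = timedelta(days=5)   # figure quoted in the message
MIN_BACKOFF = timedelta(minutes=5)       # assumed for illustration
MAX_BACKOFF = timedelta(minutes=60)      # assumed for illustration

# Constructed sample replies to RCPT TO (not taken from a real server).
REPLY_550 = ["550 5.1.1 <typo@example.org>: Recipient address rejected"]
REPLY_450 = ["450-4.1.1 <typo@example.org>: Recipient address rejected",
             "450 4.1.1 Try again later"]


def parse_reply(lines):
    """Parse an SMTP reply into (code, text).

    Continuation lines look like '450-text'; the last line is '450 text'.
    """
    if not lines:
        raise ValueError("empty reply")
    code, parts = None, []
    for i, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, text = int(line[:3]), line[3:4], line[4:]
        last = i == len(lines) - 1
        # '-' is only valid on non-final lines; ' ' (or nothing) ends the reply.
        if sep not in ("-", " ", "") or (sep == "-") == last:
            raise ValueError(f"bad continuation marker: {line!r}")
        if code is not None and this_code != code:
            raise ValueError("reply code changes between lines")
        code = this_code
        parts.append(text)
    return code, " ".join(parts)


def simulate_sender(reply_lines):
    """Return (outcome, delivery_attempts, delay_before_sender_is_told).

    Assumes the receiving server gives the same reply on every attempt.
    """
    code, _ = parse_reply(reply_lines)
    if 200 <= code < 300:
        return "delivered", 1, None
    if 500 <= code < 600:            # permanent: bounce on the first attempt
        return "bounced", 1, timedelta(0)
    if 400 <= code < 500:            # temporary: retry until the queue lifetime
        age, wait, attempts = timedelta(0), MIN_BACKOFF, 1
        while age + wait < MAX_QUEUE_LIFETIME:
            age, attempts = age + wait, attempts + 1
            wait = min(wait * 2, MAX_BACKOFF)
        return "bounced", attempts, MAX_QUEUE_LIFETIME
    raise ValueError(f"unexpected reply code {code}")
```

With these assumed backoff values, `simulate_sender(REPLY_450)` makes 123 delivery attempts before the sender finally gets the bounce, while `simulate_sender(REPLY_550)` bounces on the first.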